Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label APK Files. Show all posts

New APK Scam: Protect Your Bank Account from Fraudsters


 


Punjab and Sind Bank (PSB) recently issued a public notice alerting customers to a new scam involving fraudulent messages and malicious APK files. This scam threatens grave  financial losses if customers do not take proper precautions.

How the APK Scam Works

Step 1: Creating Panic with Fake Messages

Scammers initiate the fraud by sending text messages that mimic legitimate bank communications. These messages claim that recipients must update their Know Your Customer (KYC) information to avoid having their bank accounts blocked. The fraudulent messages create a sense of urgency, making recipients more likely to follow the instructions.

Kaushik Ray, Chief Operating Officer of Whizhack Technologies, explains that these messages exploit users' fears and desires, bypassing rational judgement. The goal is to trick recipients into downloading a malicious APK file, a common format for Android apps.

Step 2: Installing Malicious APK Files

Once recipients are convinced by the false narrative, they are instructed to download and install an APK file. These files often contain malware. Upon installation, the malware grants hackers access and control over the victim's mobile device.

Step 3: Executing Cyber Attacks

With control of the device, hackers can perform various malicious activities. These include installing a keylogger to capture sensitive information like banking credentials and passwords, launching ransomware attacks that lock the device until a ransom is paid, and accessing the clipboard to steal copied information such as account numbers.

How to Protect Yourself from APK Scams

To protect against these scams, PSB advises customers to take the following precautions:

1. Avoid Downloading Files from Unknown Sources: Only download apps from trusted sources like the Google Play Store.

2. Do Not Click on Suspicious Links: Be wary of links received in unsolicited messages, even if they appear to be from your bank.

3. Block and Report Suspicious Contacts: If you receive a suspicious message, block the sender and report it to your bank or relevant authorities.

4. Never Share Personal Information Online: Do not disclose personal or financial information to unverified sources.

Why APK Scams Target Android Users

Ray highlights that this scam primarily targets Android users because APK files are specific to Android devices. iOS devices, which use a different file format called IPA, generally have stricter controls against installing third-party apps, making them less vulnerable to this type of attack. However, iOS users should remain vigilant against phishing and other scams.

Real-Life Impacts of the APK Scam

Imagine receiving a message that your bank account will be frozen if you do not update your KYC information immediately. This could lead to panic about how you will pay for everyday expenses like groceries, school fees, or utility bills. Scammers exploit this fear to convince people to download the malicious APK file, giving them access to your device and your money.

Stay alert, verify the authenticity of messages, and protect your personal information to safeguard your financial assets.


EvilVideo Exploit: Telegram Zero-Day Vulnerability Allows Disguised APK Attacks

 

A recent zero-day vulnerability in Telegram for Android, dubbed ‘EvilVideo,’ has been exploited by attackers to send malicious Android APK payloads disguised as video files. This significant security flaw was first brought to light when a threat actor named ‘Ancryno’ started selling the exploit on June 6, 2024, on the Russian-speaking XSS hacking forum. 

The vulnerability affected Telegram versions 10.14.4 and older. ESET researchers discovered the flaw after a proof-of-concept demonstration was shared on a public Telegram channel, allowing them to analyze the malicious payload. They confirmed that the exploit worked on Telegram v10.14.4 and older, naming it ‘EvilVideo.’ The vulnerability was responsibly disclosed to Telegram by ESET researcher Lukas Stefanko on June 26 and again on July 4, 2024. Telegram responded on July 4, indicating that they were investigating the report. 

Subsequently, they patched the vulnerability in version 10.14.5, released on July 11, 2024. This timeline suggests that threat actors had at least five weeks to exploit the zero-day vulnerability before it was patched. While it remains unclear if the flaw was actively exploited in attacks, ESET shared a command and control server (C2) used by the payloads at ‘infinityhackscharan.ddns[.]net.’ BleepingComputer identified two malicious APK files using that C2 on VirusTotal that masqueraded as Avast Antivirus and an ‘xHamster Premium Mod.’ 

The EvilVideo zero-day exploit specifically targeted Telegram for Android. It allowed attackers to create specially crafted APK files that, when sent to other users on Telegram, appeared as embedded videos. ESET believes the exploit used the Telegram API to programmatically create a message showing a 30-second video preview. The channel participants received the payload on their devices once they opened the conversation. 

For users who had disabled the auto-download feature, a single tap on the video preview was enough to initiate the file download. When users attempted to play the fake video, Telegram suggested using an external player, which could lead recipients to tap the “Open” button, executing the payload. Despite the threat actor’s claim that the exploit was “one-click,” the multiple clicks, steps, and specific settings required for a successful attack significantly reduced the risk. ESET tested the exploit on Telegram’s web client and Telegram Desktop and found that it didn’t work on these platforms, as the payload was treated as an MP4 video file. 

Telegram’s fix in version 10.14.5 now correctly displays the APK file in the preview, preventing recipients from being deceived by files masquerading as videos. Users who recently received video files requesting an external app to play via Telegram are advised to perform a filesystem scan using a mobile security suite to locate and remove any malicious payloads.

Thousands of Malicious Android Apps are Employing Covert APKs to Bypass Security

 

To avoid malware detection, threat actors are employing Android Package (APK) files with unknown or unsupported compression algorithms.

That's according to findings from Zimperium, which discovered 3,300 artefacts using such compression algorithms in the wild. 71 of the discovered samples can be successfully loaded into the operating system. 

There is no evidence that the apps were ever available on the Google Play Store, implying that they were disseminated through alternative channels, most likely through untrustworthy app stores or social engineering to fool users into sideloading them. 

The APK files employ "a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analysed," security researcher Fernando Ortega explained. "In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method." 

The benefit of this approach is that it can withstand decompilation tools while still being installed on Android devices with operating systems older than Android 9 Pie. 

The Texas-based cybersecurity company claimed that after reading Joe Security's post on X (formerly Twitter) in June 2023 about an APK file that had this behaviour, it began its own investigation. 

There are two ways that Android packages can use the ZIP format: one without compression and the other with the DEFLATE algorithm. The key finding in this study is that APKs compressed using unsupported techniques cannot be installed on devices running Android versions lower than 9, while they may be used without issue on subsequent versions. 

Zimperium also found that malware developers intentionally corrupt APK files by giving them filenames longer than 256 characters and creating corrupt AndroidManifest.xml files to trigger analysis tools to crash. 

The revelation comes just after Google revealed how threat actors were using a method known as versioning to get around the Play Store's malware detections and target Android users. 

Safety measures 

Thankfully, there are several procedures you can take to safeguard your phone from malicious Android apps. The first and most significant piece of advice is to stay away from sideloading apps unless it is unavoidable. There are a few peculiar situations in which you might need to sideload an app for work or to make a certain product work, but other than that, you shouldn't install any apps from unknown sources. 

As a general guideline, you should only download apps from the Play Store or other authorised app shops like the Samsung Galaxy Store or Amazon Appstore. Sometimes malicious software does manage to slip through the gaps, which is why it pays to do your research before installing any new app by reading reviews and looking into the app's developers.

FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

FancyBear: Hackers Use PowerPoint Files to Deliver Malware Cluster25 researchers have recently detected a threat group, APT28, also known as FancyBear, and attributed it to the Russian GRU (Main Intelligence Directorate of the Russian General Staff). The group has used a new code execution technique that uses mouse movement in Microsoft PowerPoint, to deliver Graphite malware.
 
According to the researchers, the threat campaign has been actively targeting organizations and individuals in the defense and government organizations of the European Union and East European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor allegedly entices victims with a PowerPoint file claiming to be associated with the Organization for Economic Cooperation (OECD).
 
This file includes two slides, with instructions in English and French to access the translation feature in zoom. Additionally, it incorporates a hyperlink that plays a trigger for delivering a malicious PowerShell script that downloads a JPEG image carrying an encrypted DLL file.
 
The resulting payload, Graphite malware is in Portable Executable (PE) form, which allows the malware operator to load other malwares into the system memory.
 
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” States Cluster25, in its published analysis.
 
The aforementioned Graphite malware is a fileless malware that is deployed in-memory only and is used by malware operators to deliver post-exploitation frameworks like Empire. Graphite malware’s purpose is to allow the attacker to deploy other malwares into the system memory.
 
 
Based on the discovered metadata, according to Cluster25, the hackers have been preparing for the cyber campaign between January and February. However, the URLs used in the attacks were active in August and September.
 
With more hacker groups attempting to carry out such malicious cyber campaigns, the government and private sectors must deploy more powerful solutions to prevent future breaches and cyber attacks to safeguard their organizations.

The Hacking Group 'ModifiedElephant' Remained Undetected

 

SentinelLabs' IT security researchers have discovered information of growing cyber-attacks (APT) wherein the threat actors have been targeting human rights activists, free speech advocates, professors, and lawyers in India using readily available trojans via spear-phishing since 2012. The group known as ModifiedElephant has been found to be planting 'incriminating evidence' on the devices of its targets. 

"The goal for ModifiedElephant is long-term espionage which sometimes ends with the transmission of evidence – files that implicate the victim in criminal offenses – prior to conveniently synchronized arrests," stated Tom Hegel, a threat researcher at SentinelOne. According to the research, over the previous decade, ModifiedElephant hackers have been attacking their victims with spearphishing emails containing malicious file attachments, with their methods becoming more complex over time. 

Spearphishing is the technique of emailing victims that appear to come from a trustworthy source in order to either divulge sensitive information or install malware on their computers. ModifiedElephant usually uses infected Files to spread malware to its victims. The particular mechanism and content included in malicious files have varied over time, according to SentinelOne, the timeline has been given below: 
  • 2013 – An adversary sends malware via email attachments with phony double extensions (file.pdf.exe). 
  • 2015 – The group switches to encryption key RAR attachments including legitimate luring documents that hide malware execution signals. 
  • 2019 – Updated Elephant begins hosting malware-distribution sites and takes advantage of cloud hosting capabilities, transitioning from phony papers to malicious URLs.
  • 2020 – attackers circumvent identification by skipping scans by using big RAR files (300 MB).

The CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641 exploits, according to SentinelOne, were frequently utilized in luring documents, which attacked Microsoft Office Suite programs. 

Modified Elephant is not seen using any customized backdoors in its operational history, indicating the group isn't particularly sophisticated. NetWire and DarkComet, two publicly available remote access trojans extensively utilized by lower-tier hackers, were the principal malware used in the campaigns. 

ModifiedElephant's Visual Basic keylogger hasn't changed since 2012, and it's been open-source on hacking forums all that time. SentinelLabs remarks on the tool's history, pointing out that it no longer works on recent OS versions. The Android virus is likewise a commodity trojan that is distributed to users in order of an APK, luring them in by appearing like a news app or a secure messaging tool.

Android Devices being Targeted by Flubot

 

The National Cyber Security Centre of Finland (NCSC-FI) has recently released a "severe alert" over a major campaign targeting the nation's Android users with Flubot banking malware delivered through text messages sent out by hacked devices. 

This is the second greatest Flubot operation to strike Finland this year, with a previous set of cyberattacks SMS spamming thousands of Finns each day from early June to mid-August 2021. The latest spam campaign, like the previous one, has a voicemail theme, encouraging recipients to click a link that will enable them to retrieve a voicemail message or a message from the mobile operator. 

Rather than being made to open a voicemail, SMS recipients are led to malicious websites that push APK installers to install the Flubot banking virus on their Android devices. 

“According to our current estimate, approximately 70,000 messages have been sent in the last 24 hours. If the current campaign is as aggressive as the one in the summer, we expect the number of messages to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected," the Finnish National Cyber Security Centre said in the alert issued on Friday. 

"We managed to almost eliminate FluBot from Finland at the end of summer thanks to cooperation among the authorities and telecommunications operators. The currently active malware campaign is a new one because the previously implemented control measures are not effective," said NCSC-FI information security adviser Aino-Maria Väyrynen. 

Those who have been affected should do a factory reset on their Android device to remove the virus. When iOS users get FluBot messages and click on the associated link, they will be forwarded to fraud and phishing websites rather than being forced to install an app. 

FluBot, once installed on a device, may browse the contacts list, spam texts to other individuals, read messages, steal credit card information and passwords as they are typed into apps, install other apps, and engage in other nefarious activities. Android users who get Flubot spam messages or emails should avoid opening attached links or downloading files shared through the link to their cellphones. 

The virus family has also been discovered on other websites, where anybody can come into contact with the harmful code. Netcraft, a provider of internet services, announced on Monday that it had discovered nearly 10,000 websites that were disseminating FluBot malware.

Android Malware BrazKing Makes a Comeback as a Stealthier Banking Trojan

 

The Android banking trojan BrazKing has returned, this time with dynamic banking overlays and a new implementation trick that allows it to operate without seeking potentially dangerous permissions. IBM Trusteer researchers analyzed a new malware sample they discovered outside of the Play Store, on sites where individuals end up after getting smishing (SMS) messages. These HTTPS sites notify potential victims that their Android version is outdated and offer an APK that would supposedly update them to the most recent version. 

BrazKing took advantage of the accessibility service in the previous version to figure out which app the user had accessed. When the malware recognized the launch of a targeted banking app, it displayed an overlay screen pulled from a hardcoded URL on top of the real app. It now makes a live call to the attacker's server, requesting those matches. The virus now detects which app is being used on the server-side, and it sends on-screen material to the C2 on a regular basis. Credential grabbing is then initiated by the C2 server rather than by a command from the malware. 

The added agility here is that the attacker can choose or avoid the following action based on the victim's IP address (Brazilian/other) or whether the malware is being run on an emulator. They have the ability to change what is returned. They can change the target list at any time without having to change the malware.  

BrazKing loads the fake screen's URL from the C2 into a webview in a window when it displays its overlay screen. Users can open links within apps using Android System webview without having to exit the app. When adding the webview from within the accessibility service, BrazKing utilizes TYPE_ACCESSIBILITY_OVERLAY as the type of window. 

Internal resources are protected in the new version of BrazKing by performing an XOR operation using a hardcoded key and then encoding them with Base64. Although analysts can rapidly reverse these procedures, they nonetheless aid the malware's ability to remain undetected when nested in the victim's device. If the user tries to remove the malware, it rapidly taps the 'Back' or 'Home' buttons to stop it. 

When a user tries to start an antivirus app in the hopes of scanning and removing malware, the same method is performed. As Android's security tightens, malware developers quickly adapt to deliver stealthier versions of their tools, as shown by BrazKing's progression.

Malware through PDF Attachments..?





A recent malicious campaign discovers the delivery of PDF documents to the users as an attachment through phishing messages in order for them to download a malicious Android executable file.

The PDFs utilize various ways such as “To open this document, update the adobe reader” or “To unlock this document press below button" to grab the user's attention. At the point when the user finally perform the requested click activity on that document, a malevolent APK (Android executable) file is downloaded from a link that was present in that PDF, which further downloads original Adobe Reader.


This malware additionally has the ability to peruse contacts, read, the browser bookmarks, and key-logging and to inhibit the background processes.

It distinguishes whether the phone is rooted or non-rooted and proceeds accordingly at the same time gathering information on the longitude and latitude  data while tracking SMS notifications and call status'  and then sending the information to the servers controlled by the attackers.


It is therefore recommended for the users to abstain from downloading applications from the third-party application stores or links and other connections given in SMSs or emails. Also to avoid opening mails and attachments from obscure sources and to dependably keep 'Unknown Sources' disabled as enabling this option permits the installation certain applications from obscure sources.

But more importantly, to keep the device OS and mobile security application always updated in order to protect their privacy.