Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Android Malware. Show all posts
Telegram
Android Malware Fake Apps FireScam malware Social Media Telegram

FireScam Malware Targets Android Users via Fake Telegram Premium App

Android Malware 'FireScam' Poses As Telegram Premium to Steal User Data


A newly discovered Android malware, FireScam, is being distributed through phishing websites on GitHub, masquerading as a premium version of the Telegram application. These malicious sites impersonate RuStore, a Russian app marketplace, to deceive users into downloading the infected software.

How FireScam Operates

RuStore, launched by Russian tech giant VK (VKontakte) in May 2022, was developed as an alternative to Apple's App Store and Google Play following Western sanctions that restricted Russian users' access to global platforms. This marketplace hosts apps that comply with Russian regulations and operates under the oversight of the Russian Ministry of Digital Development.

According to security researchers at CYFIRMA, attackers have set up a fraudulent GitHub page mimicking RuStore. This fake website delivers a dropper module named GetAppsRu.apk. Once installed, the dropper requests extensive permissions, allowing it to scan installed applications, access device storage, and install additional software. It then downloads and executes the main malware payload, disguised as Telegram Premium.apk. This secondary payload enables the malware to monitor notifications, read clipboard data, access SMS and call information, and collect other sensitive details.

FireScam’s Advanced Capabilities

Once activated, FireScam presents users with a deceptive WebView-based Telegram login page designed to steal credentials. The malware communicates with Firebase Realtime Database, allowing stolen data to be uploaded instantly. It also assigns unique identifiers to compromised devices, enabling hackers to track them.

Stolen data is temporarily stored before being filtered and transferred to another location, ensuring that traces are erased from Firebase. Additionally, FireScam establishes a persistent WebSocket connection with the Firebase command-and-control (C2) server, enabling real-time command execution. This allows attackers to:

  • Request specific data from the infected device
  • Install additional payloads
  • Modify surveillance parameters
  • Initiate immediate data uploads

Furthermore, the malware can:

  • Monitor screen activity and app usage
  • Track changes in screen on/off states
  • Log keystrokes, clipboard data, and credentials stored in password managers
  • Intercept and steal e-commerce payment details

How to Stay Safe

While the identity of FireScam’s operators remains unknown, CYFIRMA researchers warn that the malware exhibits advanced evasion techniques and poses a serious threat to users. To minimize the risk of infection, users should:

  • Avoid downloading apps from unverified sources, especially those claiming to be premium versions of popular software.
  • Exercise caution when opening links from unknown sources.
  • Regularly review and restrict app permissions to prevent unauthorized data access.
  • Use reliable security solutions to detect and block malware threats.

As attackers continue refining their tactics, staying vigilant against phishing campaigns and suspicious downloads is essential to protecting personal and financial data.


Read more »
preinstalled malware
Android Malware BadBox threat digital frame vulnerabilities infected Android devices malware media player malware preinstalled malware

Malware Found Preinstalled on 30,000 Android Devices in Germany

 

A concerning cybersecurity issue has surfaced in Germany, where investigators uncovered that nearly 30,000 Android devices were sold with preinstalled malware.

The malware, dubbed “BadBox,” resides in the device firmware and affects various internet-enabled devices, including digital picture frames and media players operating on outdated Android versions, according to the Federal Office for Information Security (BSI).

“In all cases known to the BSI, the BadBox malware was already installed on the respective devices when they were purchased,” the agency confirmed in its report.

Once active, the malware can repurpose infected devices into tools for cybercriminals, enabling them to exploit home internet networks to launch attacks. It can also download additional malware and conduct fraudulent activities by accessing websites and ads in the background.

To mitigate the threat, the BSI has employed a method called “sinkholing,” which redirects internet traffic from compromised devices to servers controlled by the government. This measure prevents the malware from connecting to the hackers’ command systems.

“There is no acute danger for these devices as long as the BSI maintains the sinkholing measure,” the agency reassured. Nonetheless, users are strongly urged to disconnect any infected devices from the internet. Telecommunications companies in Germany are assisting by notifying affected users through IP address tracking.

The exact products impacted by this issue remain unidentified, leaving questions about how the malware was preinstalled. The BSI also warned that similar malware risks could affect tablets and smartphones.

This isn’t the first instance of preloaded malware on consumer electronics. Last year, a security researcher discovered an Android TV box sold on Amazon with hidden malware. The BSI advises consumers to prioritize security when purchasing electronics, emphasizing the importance of safety features, official manufacturer support, and updated operating systems.

Google also addressed the issue, clarifying:
“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results.”

The company added, “Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”

This incident underscores the need for heightened awareness when purchasing electronics, particularly from lesser-known brands, to ensure devices meet security and quality standards.
Read more »
OCR
Android Malware Android Users Data Privacy Mobile Security OCR

Novel Android Malware Employs OCR to Steal Crypto Wallet Keys From Images

 

A novel mobile malware operation dubbed SpyAgent has surfaced targeting Android device users in South Korea. According to an investigation by McAfee Labs researcher SangRyol Ryu, the malware "targets mnemonic keys by scanning for images on your device that might contain them," and it has expanded its targeting footprint to include the UK.

The campaign uses fake Android apps to deceive users into installing them. These apps seem like real banking, government, streaming, and utility apps. As many as 280 fake apps have been uncovered since the start of the year.

It all begins with SMS messages with booby-trapped links directing users to download the apps in question in the form of APK files published on fraudulent websites. Once installed, they will request intrusive permissions to extract data from the devices. 

The most prominent feature is its ability to employ optical character recognition (OCR) to steal mnemonic keys, which are recovery or seed phrases that allow users to restore access to their bitcoin wallets. Unauthorised access to the mnemonic keys could allow attackers to gain control of the victims' wallets and drain all of the funds stored in them. 

According to McAfee Labs, the command-and-control (C2) infrastructure had major security flaws that permitted unauthorised access to the site's root directory as well as the exposure of victim data. 

The server also has an administrator panel, which serves as a one-stop shop for remotely controlling the infected devices. The appearance of an Apple iPhone running iOS 15.8.2 with the system language set to Simplified Chinese ("zh") in the panel indicates that it may also target iOS users. 

"Originally, the malware communicated with its command-and-control (C2) server via simple HTTP requests," the researchers explained. "While this method was effective, it was also relatively easy for security tools to track and block." "In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools.” 

The finding comes a little more than a month after Group-IB disclosed another Android remote access trojan (RAT) known as CraxsRAT, which has been targeting Malaysian banking users since at least February 2024 via phishing websites. It's worth noting that CraxsRAT campaigns have already been found to target Singapore by April 2023.
Read more »
Technology
Android Malware NFC NGate Payments Technology

Is Tap-to-Pay Dangerous? How New Android Malware Exploits NFC Technology

Is Tap-to-Pay Dangerous? How New Android Malware Exploits NFC Technology

Tap-to-pay technology, which allows users to make quick transactions with a simple tap of their smartphone, has become increasingly popular. However, with convenience comes risk. A recent discovery of a new Android malware by ESET, known as NGate, has raised significant concerns about the security of tap-to-pay transactions. This blog will delve into how this malware operates, the potential risks it poses, and how users can protect themselves.

Understanding NGate Malware

NGate is a sophisticated piece of malware designed to exploit the Near Field Communication (NFC) technology used in tap-to-pay transactions. NFC allows devices to communicate wirelessly when they are close to each other, making it ideal for contactless payments. However, this same technology can be manipulated by malicious actors to steal sensitive financial information.

How NGate Works

The NGate malware is typically spread through social engineering and phishing tactics. Attackers often disguise the malware as legitimate banking apps or other trusted applications. Once a user unknowingly installs the malware, it begins to operate in the background, capturing sensitive information.

One of the most alarming features of NGate is its ability to clone contactless credit and debit cards. By exploiting the NFC feature, the malware can intercept and replicate the data transmitted during a tap-to-pay transaction. This cloned data can then be used by attackers to make unauthorized transactions, effectively draining the victim’s bank account.

The Impact of NGate

The implications of NGate are far-reaching. With the ability to clone contactless payment cards, attackers can carry out fraudulent transactions without the victim’s knowledge. This not only leads to financial loss but also undermines trust in tap-to-pay technology.

Moreover, the spread of NGate highlights the evolving tactics of cybercriminals. As technology advances, so do the methods used by attackers. This underscores the importance of staying vigilant and adopting robust security measures.

Protecting Yourself from NGate

  • Always download apps from official app stores like Google Play. Be cautious of apps that request unnecessary permissions or seem suspicious.
  • Use built-in security features on your smartphone, such as biometric authentication and two-factor authentication (2FA). These add an extra layer of protection.
  • Keep your device and apps updated. Security patches are often released to address vulnerabilities that could be exploited by malware.
  • Be cautious of unsolicited messages or emails that prompt you to download apps or provide personal information. Verify the source before taking any action.
  • Regularly check your bank statements and transaction history for any unauthorized activity. Report any suspicious transactions to your bank immediately.

Read more »
NGate
Android Malware malware NFC NFC Payment NGate

Protecting Your Wallet: Understanding NGate Android Malware

Protecting Your Wallet: Understanding NGate Android Malware

A new and sophisticated malware has emerged, targeting the increasingly popular Near Field Communication (NFC) payment systems. Known as NGate, this Android malware has been discovered by ESET Research and poses a significant risk to users’ financial security. This blog delves into the workings of NGate, its implications, and measures to protect against such threats.

Understanding NGate Malware

NGate is a type of malware designed to exploit the NFC capabilities of Android devices. NFC technology allows for contactless payments, making transactions quick and convenient. However, this convenience comes with its own set of vulnerabilities. 

NGate malware leverages these vulnerabilities by relaying NFC data from victims’ payment cards through their mobile phones to an attacker’s device at an ATM. This process enables the attacker to clone the card and withdraw money without the victim’s knowledge.

How NGate Operates

The operation of NGate malware is both ingenious and alarming. Once the malware infects an Android device, it gains access to the NFC functionality. When a victim uses their phone for an NFC transaction, the malware captures the payment card data and transmits it to the attacker’s device. 

The attacker, equipped with a device capable of receiving NFC signals, can then use this data to create a clone of the victim’s card. This cloned card can be used to withdraw cash from ATMs or make unauthorized purchases.

The Implications of NGate

Increased Vulnerability of Contactless Payments 

As contactless payments become more widespread, the potential for exploitation by cybercriminals also increases. NGate demonstrates how easily NFC technology can be manipulated for malicious purposes.

Financial Losses

Victims of NGate malware can suffer significant financial losses. Unauthorized transactions and cash withdrawals can drain bank accounts, leading to financial distress and the arduous process of disputing fraudulent charges.

Erosion of Trust

The success of digital payment systems relies heavily on user trust. Incidents like those involving NGate can erode this trust, making users hesitant to adopt new technologies and potentially slowing down the progress of digital financial services.

Protecting Against NGate and Similar Threats

1. Regular Software Updates: Keeping your Android device’s software up to date is crucial. Manufacturers often release security patches that address known vulnerabilities. Regular updates can help protect your device from malware like NGate.

2. Use Trusted Security Software: Installing reputable antivirus and anti-malware software can provide an additional layer of protection. These programs can detect and remove malicious software before it can cause harm.

3. Be Cautious with App Permissions: Pay close attention to the permissions requested by apps. If an app requests access to NFC functionality without a clear reason, it could be a red flag. Only grant permissions that are necessary for the app’s functionality.

4. Monitor Financial Statements: Regularly reviewing your bank and credit card statements can help you quickly identify any unauthorized transactions. Early detection is key to minimizing financial losses.

Read more »
SMS Phishing
Android Malware Bank Accounts Cyber Attacks Italy Malware attacks Mobile Cyber Attacks SMS Phishing

New Android Malware BingoMod Targets Financial Data and Wipes Devices

 

Malware has long been a significant threat to online security, serving as a backdoor entry for cybercriminals. Despite Google’s efforts to keep the Play Store free of malicious apps and deliver timely Android security patches, some attackers manage to bypass these defenses, stealing money and personal information from unsuspecting victims. 

Recently, a new malware named BingoMod has been identified targeting Android devices, stealing financial data and wiping them clean. BingoMod, discovered by researchers at cybersecurity firm Cleafy, uses a technique called smishing (SMS phishing) to infiltrate devices. This method involves sending a malware-laden link to the victim’s device, which, when clicked, installs the BingoMod app (version 1.5.1) disguised as a legitimate mobile security tool like AVG AntiVirus & Security. 

Once installed, the app requests access to device accessibility services, allowing it to steal login credentials, take screenshots, and intercept SMS messages. This information is then sent to the threat actor, providing near real-time access to the device’s functions. BingoMod leverages Android’s media projection APIs, which handle screencasting requests, to gather displayed information and bypass security measures like two-factor authentication (2FA). The malware is currently targeting devices in Italy, stealing up to 15,000 Euros in each transaction. 

However, experts at Cleafy believe the malware could spread to other markets, as it is still in active development. The malware’s evasive techniques enable it to avoid detection by reputable security tools like VirusTotal. It conceals its activities using fake notifications and screen overlays while stealing money and data in the background. If the BingoMod app is granted device administrator privileges, the attackers can remotely wipe the device, although Cleafy notes this would only clear the external storage. 

To avoid falling victim to smishing attacks like BingoMod, it is crucial never to click on links from unverified sources, especially those claiming to be important. Install apps only from reputable sources like the Google Play Store and set up passkeys for an additional layer of biometric security. A Google spokesperson told Android Police that Play Protect already safeguards Android users from known versions of this malware by blocking the app or showing a warning, even if the malicious app wasn’t downloaded from the Play Store. Additionally, using a password manager can help keep your credentials safe and alert you to recent data breaches that could compromise your accounts. 

By staying vigilant and following these best practices, you can protect your device from BingoMod and other malicious threats, ensuring your financial data and personal information remain secure.
Read more »
User Privacy
Android Malware data security File Encryption Mobile Security Ransomware User Privacy

Beware of This Dangerous Android malware As It Can Hold Your Phone Hostage

 

A brand-new Android malware has been discovered in the wild that is capable of evading antivirus apps, stealing a tonne of private and financial information, and even encrypting all of the contents on an infected smartphone by using ransomware. 

According to a recent report from the cybersecurity company CloudSEK, this new Android malware, known as "Daam" by its experts, poses a serious threat to the greatest Android phones due to its advanced capabilities. 

As of right now, CloudSEK has discovered the Daam malware in the APK or Android app installation files for the Psiphon, Boulders, and Currency Pro apps, which appear to be sideloaded apps that the Daam malware uses to infect Android smartphones. Psiphon is a VPN programme; Boulders is a smartphone game; and Currency Pro is, as its name implies, a currency converter. 

Your Android phone may be infected with the Daam malware if you installed any of these apps via sideloading rather than through approved app stores like the Google Play Store. The malware can evade detection by antivirus software, and it may already have locked the files on your smartphone by using ransomware, so there may not be a simple remedy. 

File encryption 

The Daam malware is quite complex and has a variety of features intended to steal your data and jeopardise your privacy. For instance, the malware is capable of recording all active VoIP and phone calls, including WhatsApp calls. However, it can also steal your smartphone's files and even contacts. Surprisingly, the Daam malware can not only collect information from your existing contacts but also from newly added contacts. 

The hackers behind this malware campaign's command and control (C&C) server get all of the data that Daam has stolen before sending it back. It's important to note that after installation, dangerous apps used to spread malware request access to private device permissions in order to virtually completely control your Android smartphone. 

As if having all of this private information stolen wasn't bad enough, the Daam malware also encrypts all of the files on an infected Android smartphone using the AES encryption algorithm without getting permission from the user. The device password or PIN on a smartphone can also be changed at the same moment, locking you out totally. 

Mitigation tips

Normally, protecting yourself from mobile malware would only require installing one of the top Android antivirus programmes and turning on Google Play Protect on your phone. 

In this instance, though, the Daam malware was made to evade antivirus apps. Because of this, the best method to safeguard yourself against it is to be extra cautious while downloading new programmes. Although sideloading apps may be practical, doing so puts your Android smartphone at risk of becoming infected with malware. For this reason, you should only download apps from authorised Android app shops. Similar to this, you should still read reviews and check an app's rating before installing it because bad apps occasionally manage to get past Google's security checks.

At the same time, you should refrain from clicking any links sent to your smartphone by email or text message from unidentified senders. These links may take you to malicious websites that could trick you into installing malware or use phishing to collect your information. 

Although the Daam malware is relatively new, it is already quite capable of data theft and making life tough for Android smartphone owners. Because of this, we'll probably continue to hear about it.
Read more »
User Privacy
Android Malware Banking Trojan Crypto Apps data security Mobile Security User Privacy

Beware of this Android Banking Trojan that Steals Banking Credentials

 

A financial trojan called "Godfather" which is capable of stealing account credentials from more than 400 different banking and cryptocurrency apps is presently targeting Android users in 16 other countries. 

According to a recent report from the cybersecurity company Group-IB, the Godfather trojan, which was initially uncovered by ThreatFabric back in March of last year, has been dramatically upgraded and updated since then. 

In a second report, the dark web and cybercrime monitoring company Cyble describes how Godfather is also being disseminated in Turkey through a malicious app that has been downloaded 10 million times and pretends to be a well-known music application. 

Godfather is thought to be the replacement for Anubis, a well-known and widely-used banking Trojan before it lost the capacity to get past updated Android defenses, BleepingComputer reported. 

Banking and cryptocurrency apps on the hit list 

The banking trojan has targeted users of more than 400 apps since it first debuted last year, including 215 banking apps, 94 cryptocurrency wallets, and 110 crypto trading platforms. The malware also targeted 49 banking apps in the US, 31 in Turkey, 30 in Spain, 22 in Canada, 20 in France, 19 in Germany, and 17 in the UK, among other nations. 

Surprisingly, Group-IB discovered a section in Godfather's code that stops the malware from aiming for users from former Soviet Union nations and users in Russia, indicating that its developers speak Russian. The malware checks the system language on an Android device after installation to see if it is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. If so, Godfather shuts down and doesn't attempt to steal any stored cryptocurrency or banking accounts.

Modus operandi 

Godfather attempts to acquire persistence on an Android phone after being installed via a malicious app or file by impersonating Google Protect. Once you download an app from the Google Play Store, this genuine software begins to execute. 

The banking trojan then claims to be "scanning" when, in fact, it is hiding its icon from the list of installed apps and creating a pinned "Google Project" notice. Because of this, malware is more likely to blend into the background and is more challenging to remove. 

A targeted user goes about their normal activities because Godfather's symbol is missing. To steal user passwords and empty their accounts, the malware then applies false overlays to well-known banking and cryptocurrency apps. Additionally, Godfather employs a smart tactic to direct people to phishing websites. It accomplishes this by displaying a fake notification that impersonates one of its smartphone's loaded banking or cryptocurrency apps. 

In addition to stealing credentials, the malware is able to record a user's screen, launch keyloggers to capture their keystrokes, route calls to get around two-factor authentication (2FA), and send SMS messages from infected devices. 

Mitigation Tips 

Installing new apps from a third party other than the Google Play Store or other official app stores like the Amazon App Store or Samsung Galaxy Store puts you at risk for Godfather and other Android malware. While sideloading apps could be alluring, since they are uploaded without any security checks, they may be infected with malware and other viruses. 

Additionally, make sure Google Play Protect is turned on so that it can scan both new and old apps for malware. However, you might also want to download one of the top Android antivirus apps for additional security.
Read more »
Tactics
Android Malware Apps Banking Trojan BRATA malware phishing Tactics

This Android-wiping Malware is Evolving into a Constant Threat

 

The threat actors responsible for the BRATA banking trojan have refined their techniques and enhanced the malware with data-stealing capabilities. Cleafy, an Italian mobile security business, has been following BRATA activity and has discovered variations in the most recent campaigns that lead to extended persistence on the device. 

"The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information," explains Cleafy in a report this week.

The malware has also been modified with new phishing tactics, new classes for requesting further device permissions, and the inclusion of a second-stage payload from the command and control (C2) server. BRATA malware is also more focused, as researchers determined that it concentrates on one financial institution at a time and only switches to another when countermeasures render its attacks ineffective.

For example, instead of getting a list of installed applications and retrieving the appropriate injections from the C2, BRATA now comes pre-loaded with a single phishing overlay. This reduces harmful network traffic as well as interactions with the host device. 

In a later version, BRATA gains greater rights to transmit and receive SMS, which can aid attackers in stealing temporary codes such as one-time passwords (OTPs) and two-factor authentication (2FA) that banks send to their clients. After nesting into a device, BRATA retrieves a ZIP archive containing a JAR ("unrar.jar") package from the C2 server. 

This keylogging utility tracks app-generated events and records them locally on the device along with the text contents and a timestamp. Cleafy's analysts discovered that this tool is still in its early stages of development. The researchers believe the author's ultimate purpose is to exploit the Accessibility Service to obtain data from other apps. 

BRATA's development 

In 2019, BRATA emerged as a banking trojan capable of screen capture, app installation, and turning off the screen to make the device look powered down. BRATA initially appeared in Europe in June 2021, utilising bogus anti-spam apps as a lure and employing fake support personnel who duped victims and fooled them into handing them entire control of their devices. 

In January 2022, a new version of BRATA appeared in the wild, employing GPS tracking, several C2 communication channels, and customised versions for different locations. Cleafy has discovered a new project: an SMS stealer app that talks with the same C2 infrastructure as the current BRATA version and the shift in tactics. 

It uses the same structure and class names as BRATA but appears to be limited to syphoning brief text messages. It currently targets the United Kingdom, Italy, and Spain. To intercept incoming SMS messages, the application requests that the user designate it as the default messaging app, as well as authorization to access contacts on the device. 

For the time being, it's unclear whether this is only an experiment in the BRATA team' to produce smaller apps focused on certain roles. What is obvious is that BRATA continues to evolve at a two-month interval. It is critical to be watchful, keep your device updated, and avoid installing apps from unapproved or dubious sources.
Read more »
WhatsApp
Android Malware BRATA Data Hacking data steal malware Ransomware Security WhatsApp

This Android Malware Wipes Your Device After Stealing Data

 

The BRATA Android malware has been updated to include additional functions such as GPS tracking and the ability to execute a factory reset on the device. 

The Android RAT BRATA (the term originates from 'Brazilian RAT Android') was founded in 2019 by Kaspersky security professionals and was used to eavesdrop on Brazilian users. In January 2019, the BRATA RAT was discovered circulating over WhatsApp and SMS communications. 

The RAT was distributed both through Google's official Play Store and through alternative Android app marketplaces. The majority of the infected apps masquerade as an update to the popular instant messaging service WhatsApp, claiming to fix the CVE-2019-3568 vulnerability in the app. The malware will begin keylogging after it has infected the victim's device, adding real-time streaming features to it. 

To connect with other apps on the victim's device, the malware makes use of the Android Accessibility Service function. Many instructions are supported by BRATA, including unlocking the victims' devices, gathering device information, shutting off the device's screen to run tasks in the background, executing any specific application, uninstalling itself, and removing any infection traces. 

Researchers from security firm Cleafy discovered a new variation affecting Android banking users in Europe in December 2021, with the goal of stealing their passwords. The same researchers have now discovered a new version that has the new features mentioned above. 

The Android RAT's current version is aimed at e-banking users in the United Kingdom, Poland, Italy, Spain, China, and Latin America. It uses custom overlay pages to target specific banking applications and steal users’ PINs. All the versions employ the same obfuscation strategies, allowing the danger to remain undetected. 

The following is a list of new features in the most recent BRATA releases: 

• Capability to perform the device factory reset: it appears that TAs are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt. 
• GPS tracking capability 
• Capability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection. 
• Capability to continuously monitor the victim’s bank application through VNC and keylogging techniques. 

Researchers believe that the factory reset option enables threat actors to erase all signs of a hack once it has been completed or when the application detects that it is running in a virtual environment for analysis. 

The report stated, “this mechanism represents a kill switch for this malware. In fact, it was also observed that this function is executed in two cases: 
• A bank fraud has been completed successfully. In this way, the victim is going to lose even more time before understanding that a malicious action happened. 
• The application is installed in a virtual environment. BRATA tries to prevent dynamic analysis through the execution of this feature.” 

The BRATA RAT's recent evolution implies that threat actors are working to improve it in order to broaden its target demographic.
Read more »
User Security
Android Malware Malicious Android Apps Mobile Security User Security

Notorious ‘Joker’ Malware Infects Google Play App with 500,000 Downloads

 

An Android app with more than half a million downloads from the Google Play app store has been discovered hosting malware that secretly transmits users’ contact lists to an attacker-controlled server and signs them up for expensive subscriptions without their knowledge.

Cybersecurity researchers at Pradeo discovered the Joker malware in a messaging-focused app called Color Message which Google has now removed from its official Android app marketplace. The malicious app claimed to make user SMS texting more fun with new emojis. In addition, the researchers have observed the Joker malware replicating clicks in order to generate revenue from malicious ads and connecting to servers hosted in Russia.

“Our analysis of the Color Message application through the Pradeo Security engine shows that it accesses users’ contact list and exfiltrates it over the network,” mobile security firm Pradeo stated. 

“Simultaneously, the application automatically subscribes to unwanted paid services unbeknownst to users. To make it difficult to be removed, the application has the capability to hide its icon once installed.” 

The reviews of the malicious app on the Play Store indicated that some users have observed the unauthorized behavior, with complaints about being charged for services they didn't request access to. Google Play Store has already banned the app from the store. However, the app still poses security concerns for those users who had downloaded it in the past and are advised by researchers to uninstall the app immediately. 

Joker, since its discovery in 2017, has been a notorious fleeceware that is hard to notice because of the tiny footprint of its code and the techniques its developers use to stash it. Over the past few years, the malware has been identified lurking in hundreds of apps downloaded by millions of people and performing an array of malicious activities, including billing fraud and intercepting SMS messages, contact details, and device information of users.

"We are [sic] committed to ensuring that the app is as useful and efficient as possible. For that reason, we reserve the right to make changes to the app or to charge for its services, at any time and for any reason. We will never charge you for the app or its services without making it very clear to you exactly what you're paying for,” the developers behind Color Message state in their terms and conditions.
Read more »
Netflix
Android Malware Financial Credentials Instagram Mobile Security Netflix

Users of Netflix, Instagram, and Twitter are all Targeted by the MasterFred Malware

 

MasterFred is a new Android malware that steals credit card information from Netflix, Instagram, and Twitter users via bogus login overlays. With unique fake login overlays in several languages, this new Android banking virus also targets bank clients. In June 2021, a MasterFred sample was uploaded to VirusTotal for the first time, and it was discovered in June. One week ago, malware analyst Alberto Segura released a second sample online, claiming that it was deployed against Android users in Poland and Turkey. 

Avast Threat Labs researchers uncovered APIs given by the built-in Android Accessibility service to show the malicious overlays after examining the new malware. "By utilizing the Application Accessibility toolkit installed on Android by default, the attacker is able to use the application to implement the Overlay attack to trick the user into entering credit card information for fake account breaches on both Netflix and Twitter," Avast said. 

Malware creators have been utilizing the Accessibility service to simulate taps and traverse the Android UI to install their payloads, download and install other malware, and do various background operations for a long time. MasterFred, on the other hand, stands out in a few ways. One of them is that the malicious apps that transmit malware to Android devices also include HTML overlays that display bogus login forms and collect financial information from users. 

The malware also sends the stolen data to Tor network servers controlled by its operator via the Onion.ws dark web gateway (aka Tor2Web proxy). Because at least one of the malicious apps bundled with the MasterFred banker was recently available in Google's Play Store, it's safe to assume that MasterFred's operators are also distributing this new malware through third-party stores.

"We can say that at least one application was delivered via Google play. We believe that it has been removed already," Avast's research team said. 

Another Android malware was identified in September that managed to infect over 10 million devices in over 70 countries. GriftHorse is the name of the malware, which was found by researchers at mobile security firm Zimperium. GriftHorse's success, according to Zimperium researchers, Aazim Yaswant and Nipun Gupta, is due to the malware's "code quality, which uses a wide range of websites (194 domains), malicious apps, and developer identities to infect people and avoid detection for as long as possible."
Read more »
Mobile Virus
Android Malware Hacking Mobile Mobile Security Mobile Virus

Kaspersky Lab has reported about Android viruses designed to steal money automatically

Viktor Chebyshev, a leading researcher of mobile threats at Kaspersky Lab, spoke in an interview with Russian newspaper Izvestia about Android Trojans that automatically interact with banking applications. After infiltrating the smartphone, Trojans motivate the user to open the application of a particular credit institution and log in to it. And then the malware automatically clicks the necessary "buttons" for the money transfer. This happens so quickly that the victim does not have time to suspect anything by visual signs.

"The developers of such Trojans thoroughly study the structure of the target banking application. Attackers find out that there is a "Login" button in the application and in which area of the screen it is displayed. They know that after clicking on "Log in", fields for entering a username and password appear. And then there is a money transfer button. Based on this information, attackers create a Trojan that uses the documented capabilities of Android for malicious purposes, which allows it to automatically click buttons in the banking application,” the expert said.

At the moment, Kaspersky Lab knows only about one case of the spread of such a virus. However, the expert believes that soon there will be more such viruses since they are very convenient for cybercriminals.

In addition, mister Chebyshev was asked which platform users are more at risk of encountering banking Trojans. He responded that Android. According to the expert, 99.9% of mobile financial threats target Android.

The expert stressed that Russia remains in the top ten countries in terms of the share of users who have faced financial attacks. He added that mobile threats are still active and continue to develop since it is difficult to find both victims and attackers.

Read more »
Security Alert
Android Malware Android Users Joker malware malware Security Alert

Joker Malware Targeting Android Users Again

 

Recently Joker virus has been discovered in a few Google Play Store apps. The malware infiltrates a user's device through applications, collects data, and then subscribes these users to premium memberships without the individual's consent or agreement. 

Since three years, the Joker Trojan malware has been discovered in Google Play Store apps. In July 2020, the Joker virus infected over 40 Android apps available on Google Play Store, forcing Google to remove the compromised apps from the Play Store. Users' data is stolen, including SMS, contact lists, device information, OTPs, and other major data.

Quick Heal Security Labs recently discovered 8 Joker malware on the Google Play Store. These eight apps were reported to Google, and the company has since deleted them all from its store. 

The following are the eight apps that have recently been discovered to be infected with the Joker Trojan virus and should be deleted from any Android device: 
-Auxiliary Message 
-Fast Magic SMS 
-Free CamScanner 
-Super Message 
-Element Scanner 
-Go Messages 
-Travel Wallpapers 
-Super SMS 

Through SMS messages, contact lists, and device information, the Joker Trojan collects information from the victim's device. The Trojan then interacts discreetly with advertising websites and, without the victim's knowledge, subscribes them to premium services. 

According to the Quick Heal report, these applications request notification access at launch, which is then utilised to obtain notification data. After that, the programme takes SMS data from the notification and requests Contacts access. When permission is granted, the app makes and manages phone calls. Afterwards, it keeps working without displaying any suspicious attacks to the user. 

“Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zcaler stated in a blog post.
Read more »
Phishing Attack
Android Malware Cybersecurity phishing Phishing Attack

Android Malware, FakeSpy Spying on Users' Banking Information Acting as Postal Services


A new Android malware, FakeSpy that can potentially steal an individual's banking details, read contact lists, application, and account information along with other personal data, is seen to be spreading across the globe. Earlier, the Android malware was targeting limited regions; the new campaign propagating the malware spreads itself using SMS phishing attacks.

The Android malware was originally discovered in 2017 while it was attacking users in Japan and South Korea, however, now security researchers have identified more potent variants of the malware attacking users in various countries like United States, Germany, France, Taiwan, United Kingdom, and China to name a few.

FakeSpy, labeled as 'the information stealer', is evolving rapidly, undergoing active development that can be seen in the weekly release of new variants of malware with different levels of potential and evasion capabilities.

"The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well-equipped. These improvements render FakeSpy one of the most powerful information stealers on the market. We anticipate this malware to continue to evolve with additional new features; the only question now is when we will
see the next wave," Security researchers at Cybereason told.

The tailored attacks are being found to be linked with a financially motivated Korean-or Chinese-speaking cybercriminal group known as 'Roaming Mantis' that had been involved in other similar operations, according to the research carried out by researchers at Cybereason.

FakeSpy is operating with the agenda of making financial gains through stolen credentials and banking information of users, the campaign includes sending postal-themed messages to the targeted user's contacts.

While giving insights into the attack, Assaf Dahan, senior director and head of threat research at Cybereason told ZDNet, "We are under the impression that this attack is what we often refer to as "spray and pray." I don't believe they are aimed at a particular individual, but instead, the threat actors try their luck, casting a rather wide net, and waiting for someone to take a bite."

"We see new developments and features added to the code all the time, so my guess is that business is good for them," he further added.
Read more »
Mobile Malware
Android Android Malware Coronavirus malware Mobile Malware

Android users may face hacker attacks under the guise of applications about coronavirus


Cybercriminals attack users of Android mobile devices using malicious applications disguised as legitimate information software about the new COVID-19 coronavirus infection. After installing the malicious app, the hacker gained control of the victim's Android device through access to calls, SMS, calendar, files, contacts, microphone, and camera.

Hackers continue to exploit people's fear of spreading the virus: malicious applications were found by experts on sites with domains associated with the coronavirus. Researchers have not yet discovered such applications on the Google Play Store.

Experts report that the apps were created using the Metasploit tool used for penetration testing. This software allows anyone with basic computer knowledge to create malicious applications in just 15 minutes: it’s enough to configure Metasploit for your goal, select the exploit and payload.

Such applications can easily gain control of the device. After launching on a device running on the Android operating system, the application hides the icon from the screen so that it is more difficult to detect and remove it.

Vasily Diaghilev, head of Check Point Software Technologies representative office in Russia and the CIS, says that in the current situation, the most alarming thing is how quickly and easily malicious applications can be created and reminds us of the need to follow the rules of digital hygiene.

Check Point researchers previously reported that more than 30,103 new coronavirus-related domains were registered in the past few weeks, of which 0.4% (131) were malicious and 9% (2,777) were suspicious. In total, since January 2020, more than 51 thousand domains associated with the coronavirus have been registered.
Read more »
Mobile Malware
Android Android Malware Check Point Google Play Store malware Mobile Malware

Check Point: 56 apps from the Google Play Store hide a new dangerous malware


Check Point experts have identified a new family of malware in the Google Play Store. It was installed in 56 Google Play Store apps that have been downloaded almost a million times by users worldwide. 24 apps among the damaged 56 are children's games, as well as utilities such as calculators, translators, cooking apps and others. As it is specified, applications emulate the behavior of a real user.

Tekya malware uses the MotionEvent mechanism in Android that simulates a click on an ad banner (first discovered in 2019) to simulate user actions and generate clicks.

Imitating the actions of a real person does not allow the program or a third-party observer to understand the presence of fraud. This helps hackers to attack online stores, make fraudulent ads, promote advertising, promote sites in search engine results, and also serve to carry out banking operations and other illegal actions.

During the research, Tekya went unnoticed by the VirusTotal and Google Play Protect programs.
Hackers created copies of official popular apps to attract an audience, mostly children since most apps with Tekya malware are children's games.

However, the good news is that all infected apps have already been removed from the Google Play.
This case shows that malicious app features can still be found in Google Play. Users have access to almost 3 million apps in the Google Play Store, and hundreds of new ones are downloaded daily, making it difficult to check the security of each individual app.

Although Google is taking steps to ensure security and prevent malicious activity on the Google Play Store, hackers are finding ways to access users' devices through the app store. So, in February, the Haken family of malware was installed on more than 50 thousand Android devices through various applications that initially seemed safe.
Read more »
Russian Cyber Security
Android Malware malware Russia Russian Cyber Security

Russian banks discovered a new virus to steal money


From this year, hackers began to use new viruses that can enter the bank’s application on a mobile device and withdraw money from the victim’s account. Two Russian banks have already reported on this type of fraud.

Hackers use a new type of attack for the Android operating system. Fraudsters disguise viruses as applications or distribute them as links. After downloading and installing such a file, the virus begins to perform its functions without the user's knowledge. The programs are able to automatically transfer money from the victim's account to cybercriminals through the available mobile banking application.
Group-IB specialists first discovered such an attack in the spring of 2019. Then the new mobile Trojan Gustuff was modified, which appeared in December 2018 and created by a Russian-speaking hacker. This type of virus, experts noted, threatened only 100 foreign banks.

A new type of Trojan attacked at least two Russian banks in 2019 - Moscow Credit Bank and Post Bank. Representatives of the first noted that there are few cases of theft. The second confirmed one-time problems and talked about preventing fraud.

"From July 2018 to June 2019, hackers were able to steal 110 million rubles (1,7 million $) with the help of Trojans for Android," reported Group-IB.
However, compared to the same period last year, the indicator fell by 43%. It is reported that now hackers have mainly switched to the international market and only in rare cases continue to modify the application to attack the Russians.

According to the representative of Group-IB, the activity of Trojans in Russia decreased after the detention of the owners of the largest Android botnets, as a result of which hackers switched to the international market.

"However, some attackers modify applications and sell Trojans for subsequent attacks on users in Russia. This is a rare practice."

Earlier, the head of the Computer Security Association, Roman Romachev, said that data leaks will continue until banks become responsible for this.
Read more »
malware
Android Malware malware

Experts found a fraudulent network that infected about 800 thousand Android phones in the Russian Federation


A large-scale hacker attack was discovered, the victims of which were about 800 thousand smartphones in Russia. Criminals managed to get access to several million Euros in the Bank accounts of Russians.

It is clarified that Avast specialists determined that the Russian smartphones were attacked by a banking botnet that collects information and personal data. The infection has occurred since 2016.

It turned out that all infected devices were connected to Geost. As a result, attackers were able to remotely control the gadget. Hackers could send and receive SMS messages. The dangerous program was disguised as various banking services and social media applications, so it was easy to download it. The main targets of the Trojan were five banks located in Russia and Android devices.

Geost botnet used 13 command and control servers to launch hundreds of malicious domains. It was possible to expose it because of the mistake made by the scammers. They used a proxy network created by the malware HtBot, in which information was not encrypted. So, experts were able to find personal correspondence of criminals, which mentioned money laundering.

According to Avast employee Anna Shirokova, the company managed to gain access to the correspondence of cybercriminals and malware. "We got a really unprecedented idea of how such groups work," Shirokova shares her success. In total, experts studied eight months of correspondence, which was attended by 29 of the attackers.

The exact amount of theft is not called. Avast also did not specify who exactly was involved in the creation of the botnet.

According to researchers, the Geost botnet could control several billion rubles in the accounts of victims.

Earlier, E Hacking News reported that International company Group-IB has recorded a new Android Trojan campaign, the victims of which are customers of 70 banks, payment systems, web-wallets in the Russian Federation and the CIS. The potential damage from the Trojan, called FANTA, amounted to at least 35 million rubles ($547,000). According to the company, the Trojan is aimed, in particular, at users who place purchase and sale advertisements on a Russian classified advertisements website Avito.
Read more »
malware
Android Android Malware Group-IB Information Security News malware

Avito users were targeted by a dangerous Android Trojan


International company Group-IB, which specializes in the prevention of cyber attacks, has recorded a new Android Trojan campaign, the victims of which are customers of 70 banks, payment systems, web-wallets in the Russian Federation and the CIS. The potential damage from the Trojan, called FANTA, amounted to at least 35 million rubles ($547,000).

FANTA belongs to the Flexnet malware family, which is known to experts since 2015 and studied in detail. The Trojan and its associated infrastructure are constantly evolving: attackers are developing more effective distribution schemes, adding new functionality to more effectively steal money from infected devices and bypass security measures.

According to the company, the Trojan is aimed, in particular, at users who place purchase and sale advertisements on a Russian classified advertisements website Avito.

Attackers find contact details of sellers in a network, and after a while the victim receives personalised SMS about the transfer of full cost of goods to his account. The message contains a link where sellers can find payment details. Then the link opens a phishing page on the Avito website, which notifies the seller of the purchase and contains a description of his goods and the amount received from the sale of the goods. After clicking on the "Continue" bottom, FANTA malware disguised as the Avito application is downloaded to the phone.

The receipt of bank card data is carried out in a standard way for Android Trojans: the user opens phishing site that disguises as legitimate mobile banking application where the victim enters their bank card details", the Group-IB described the scheme of attackers.

Moreover, FANTA analyzes which apps are running on the infected device. Experts found that in addition to demonstrating pre-prepared phishing pages, FANTA also reads the notifications text about 70 banking applications, fast payment systems and e-wallets. In addition, an important feature of FANTA, which the creators paid special attention, is the bypass of anti-virus tools.

According to Group-IB, the latest attack was aimed at Russian — speaking users, most of the infected devices are located in Russia, a smaller part is in Ukraine, Kazakhstan and Belarus.
It's interesting to note that FANTA developers are able to hack the devices of users of about 30 different Internet services, such as AliExpress, Youla, Pandao, Aviasales, Booking, Trivago, as well as taxi and car sharing services.

Earlier in another Russian service of free ads Youla stated that the company plan to completely remove the display numbers, keeping all communications within the service.
Read more »
Subscribe to: Posts (Atom)