Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Android Malware. Show all posts
Telegram
Android Malware Fake Apps FireScam malware Social Media Telegram

FireScam Malware Targets Android Users via Fake Telegram Premium App

Android Malware 'FireScam' Poses As Telegram Premium to Steal User Data


A newly discovered Android malware, FireScam, is being distributed through phishing websites on GitHub, masquerading as a premium version of the Telegram application. These malicious sites impersonate RuStore, a Russian app marketplace, to deceive users into downloading the infected software.

How FireScam Operates

RuStore, launched by Russian tech giant VK (VKontakte) in May 2022, was developed as an alternative to Apple's App Store and Google Play following Western sanctions that restricted Russian users' access to global platforms. This marketplace hosts apps that comply with Russian regulations and operates under the oversight of the Russian Ministry of Digital Development.

According to security researchers at CYFIRMA, attackers have set up a fraudulent GitHub page mimicking RuStore. This fake website delivers a dropper module named GetAppsRu.apk. Once installed, the dropper requests extensive permissions, allowing it to scan installed applications, access device storage, and install additional software. It then downloads and executes the main malware payload, disguised as Telegram Premium.apk. This secondary payload enables the malware to monitor notifications, read clipboard data, access SMS and call information, and collect other sensitive details.

FireScam’s Advanced Capabilities

Once activated, FireScam presents users with a deceptive WebView-based Telegram login page designed to steal credentials. The malware communicates with Firebase Realtime Database, allowing stolen data to be uploaded instantly. It also assigns unique identifiers to compromised devices, enabling hackers to track them.

Stolen data is temporarily stored before being filtered and transferred to another location, ensuring that traces are erased from Firebase. Additionally, FireScam establishes a persistent WebSocket connection with the Firebase command-and-control (C2) server, enabling real-time command execution. This allows attackers to:

  • Request specific data from the infected device
  • Install additional payloads
  • Modify surveillance parameters
  • Initiate immediate data uploads

Furthermore, the malware can:

  • Monitor screen activity and app usage
  • Track changes in screen on/off states
  • Log keystrokes, clipboard data, and credentials stored in password managers
  • Intercept and steal e-commerce payment details

How to Stay Safe

While the identity of FireScam’s operators remains unknown, CYFIRMA researchers warn that the malware exhibits advanced evasion techniques and poses a serious threat to users. To minimize the risk of infection, users should:

  • Avoid downloading apps from unverified sources, especially those claiming to be premium versions of popular software.
  • Exercise caution when opening links from unknown sources.
  • Regularly review and restrict app permissions to prevent unauthorized data access.
  • Use reliable security solutions to detect and block malware threats.

As attackers continue refining their tactics, staying vigilant against phishing campaigns and suspicious downloads is essential to protecting personal and financial data.


Read more »
preinstalled malware
Android Malware BadBox threat digital frame vulnerabilities infected Android devices malware media player malware preinstalled malware

Malware Found Preinstalled on 30,000 Android Devices in Germany

 

A concerning cybersecurity issue has surfaced in Germany, where investigators uncovered that nearly 30,000 Android devices were sold with preinstalled malware.

The malware, dubbed “BadBox,” resides in the device firmware and affects various internet-enabled devices, including digital picture frames and media players operating on outdated Android versions, according to the Federal Office for Information Security (BSI).

“In all cases known to the BSI, the BadBox malware was already installed on the respective devices when they were purchased,” the agency confirmed in its report.

Once active, the malware can repurpose infected devices into tools for cybercriminals, enabling them to exploit home internet networks to launch attacks. It can also download additional malware and conduct fraudulent activities by accessing websites and ads in the background.

To mitigate the threat, the BSI has employed a method called “sinkholing,” which redirects internet traffic from compromised devices to servers controlled by the government. This measure prevents the malware from connecting to the hackers’ command systems.

“There is no acute danger for these devices as long as the BSI maintains the sinkholing measure,” the agency reassured. Nonetheless, users are strongly urged to disconnect any infected devices from the internet. Telecommunications companies in Germany are assisting by notifying affected users through IP address tracking.

The exact products impacted by this issue remain unidentified, leaving questions about how the malware was preinstalled. The BSI also warned that similar malware risks could affect tablets and smartphones.

This isn’t the first instance of preloaded malware on consumer electronics. Last year, a security researcher discovered an Android TV box sold on Amazon with hidden malware. The BSI advises consumers to prioritize security when purchasing electronics, emphasizing the importance of safety features, official manufacturer support, and updated operating systems.

Google also addressed the issue, clarifying:
“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results.”

The company added, “Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified.”

This incident underscores the need for heightened awareness when purchasing electronics, particularly from lesser-known brands, to ensure devices meet security and quality standards.
Read more »
OCR
Android Malware Android Users Data Privacy Mobile Security OCR

Novel Android Malware Employs OCR to Steal Crypto Wallet Keys From Images

 

A novel mobile malware operation dubbed SpyAgent has surfaced targeting Android device users in South Korea. According to an investigation by McAfee Labs researcher SangRyol Ryu, the malware "targets mnemonic keys by scanning for images on your device that might contain them," and it has expanded its targeting footprint to include the UK.

The campaign uses fake Android apps to deceive users into installing them. These apps seem like real banking, government, streaming, and utility apps. As many as 280 fake apps have been uncovered since the start of the year.

It all begins with SMS messages with booby-trapped links directing users to download the apps in question in the form of APK files published on fraudulent websites. Once installed, they will request intrusive permissions to extract data from the devices. 

The most prominent feature is its ability to employ optical character recognition (OCR) to steal mnemonic keys, which are recovery or seed phrases that allow users to restore access to their bitcoin wallets. Unauthorised access to the mnemonic keys could allow attackers to gain control of the victims' wallets and drain all of the funds stored in them. 

According to McAfee Labs, the command-and-control (C2) infrastructure had major security flaws that permitted unauthorised access to the site's root directory as well as the exposure of victim data. 

The server also has an administrator panel, which serves as a one-stop shop for remotely controlling the infected devices. The appearance of an Apple iPhone running iOS 15.8.2 with the system language set to Simplified Chinese ("zh") in the panel indicates that it may also target iOS users. 

"Originally, the malware communicated with its command-and-control (C2) server via simple HTTP requests," the researchers explained. "While this method was effective, it was also relatively easy for security tools to track and block." "In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools.” 

The finding comes a little more than a month after Group-IB disclosed another Android remote access trojan (RAT) known as CraxsRAT, which has been targeting Malaysian banking users since at least February 2024 via phishing websites. It's worth noting that CraxsRAT campaigns have already been found to target Singapore by April 2023.
Read more »
Technology
Android Malware NFC NGate Payments Technology

Is Tap-to-Pay Dangerous? How New Android Malware Exploits NFC Technology

Is Tap-to-Pay Dangerous? How New Android Malware Exploits NFC Technology

Tap-to-pay technology, which allows users to make quick transactions with a simple tap of their smartphone, has become increasingly popular. However, with convenience comes risk. A recent discovery of a new Android malware by ESET, known as NGate, has raised significant concerns about the security of tap-to-pay transactions. This blog will delve into how this malware operates, the potential risks it poses, and how users can protect themselves.

Understanding NGate Malware

NGate is a sophisticated piece of malware designed to exploit the Near Field Communication (NFC) technology used in tap-to-pay transactions. NFC allows devices to communicate wirelessly when they are close to each other, making it ideal for contactless payments. However, this same technology can be manipulated by malicious actors to steal sensitive financial information.

How NGate Works

The NGate malware is typically spread through social engineering and phishing tactics. Attackers often disguise the malware as legitimate banking apps or other trusted applications. Once a user unknowingly installs the malware, it begins to operate in the background, capturing sensitive information.

One of the most alarming features of NGate is its ability to clone contactless credit and debit cards. By exploiting the NFC feature, the malware can intercept and replicate the data transmitted during a tap-to-pay transaction. This cloned data can then be used by attackers to make unauthorized transactions, effectively draining the victim’s bank account.

The Impact of NGate

The implications of NGate are far-reaching. With the ability to clone contactless payment cards, attackers can carry out fraudulent transactions without the victim’s knowledge. This not only leads to financial loss but also undermines trust in tap-to-pay technology.

Moreover, the spread of NGate highlights the evolving tactics of cybercriminals. As technology advances, so do the methods used by attackers. This underscores the importance of staying vigilant and adopting robust security measures.

Protecting Yourself from NGate

  • Always download apps from official app stores like Google Play. Be cautious of apps that request unnecessary permissions or seem suspicious.
  • Use built-in security features on your smartphone, such as biometric authentication and two-factor authentication (2FA). These add an extra layer of protection.
  • Keep your device and apps updated. Security patches are often released to address vulnerabilities that could be exploited by malware.
  • Be cautious of unsolicited messages or emails that prompt you to download apps or provide personal information. Verify the source before taking any action.
  • Regularly check your bank statements and transaction history for any unauthorized activity. Report any suspicious transactions to your bank immediately.

Read more »
NGate
Android Malware malware NFC NFC Payment NGate

Protecting Your Wallet: Understanding NGate Android Malware

Protecting Your Wallet: Understanding NGate Android Malware

A new and sophisticated malware has emerged, targeting the increasingly popular Near Field Communication (NFC) payment systems. Known as NGate, this Android malware has been discovered by ESET Research and poses a significant risk to users’ financial security. This blog delves into the workings of NGate, its implications, and measures to protect against such threats.

Understanding NGate Malware

NGate is a type of malware designed to exploit the NFC capabilities of Android devices. NFC technology allows for contactless payments, making transactions quick and convenient. However, this convenience comes with its own set of vulnerabilities. 

NGate malware leverages these vulnerabilities by relaying NFC data from victims’ payment cards through their mobile phones to an attacker’s device at an ATM. This process enables the attacker to clone the card and withdraw money without the victim’s knowledge.

How NGate Operates

The operation of NGate malware is both ingenious and alarming. Once the malware infects an Android device, it gains access to the NFC functionality. When a victim uses their phone for an NFC transaction, the malware captures the payment card data and transmits it to the attacker’s device. 

The attacker, equipped with a device capable of receiving NFC signals, can then use this data to create a clone of the victim’s card. This cloned card can be used to withdraw cash from ATMs or make unauthorized purchases.

The Implications of NGate

Increased Vulnerability of Contactless Payments 

As contactless payments become more widespread, the potential for exploitation by cybercriminals also increases. NGate demonstrates how easily NFC technology can be manipulated for malicious purposes.

Financial Losses

Victims of NGate malware can suffer significant financial losses. Unauthorized transactions and cash withdrawals can drain bank accounts, leading to financial distress and the arduous process of disputing fraudulent charges.

Erosion of Trust

The success of digital payment systems relies heavily on user trust. Incidents like those involving NGate can erode this trust, making users hesitant to adopt new technologies and potentially slowing down the progress of digital financial services.

Protecting Against NGate and Similar Threats

1. Regular Software Updates: Keeping your Android device’s software up to date is crucial. Manufacturers often release security patches that address known vulnerabilities. Regular updates can help protect your device from malware like NGate.

2. Use Trusted Security Software: Installing reputable antivirus and anti-malware software can provide an additional layer of protection. These programs can detect and remove malicious software before it can cause harm.

3. Be Cautious with App Permissions: Pay close attention to the permissions requested by apps. If an app requests access to NFC functionality without a clear reason, it could be a red flag. Only grant permissions that are necessary for the app’s functionality.

4. Monitor Financial Statements: Regularly reviewing your bank and credit card statements can help you quickly identify any unauthorized transactions. Early detection is key to minimizing financial losses.

Read more »
SMS Phishing
Android Malware Bank Accounts Cyber Attacks Italy Malware attacks Mobile Cyber Attacks SMS Phishing

New Android Malware BingoMod Targets Financial Data and Wipes Devices

 

Malware has long been a significant threat to online security, serving as a backdoor entry for cybercriminals. Despite Google’s efforts to keep the Play Store free of malicious apps and deliver timely Android security patches, some attackers manage to bypass these defenses, stealing money and personal information from unsuspecting victims. 

Recently, a new malware named BingoMod has been identified targeting Android devices, stealing financial data and wiping them clean. BingoMod, discovered by researchers at cybersecurity firm Cleafy, uses a technique called smishing (SMS phishing) to infiltrate devices. This method involves sending a malware-laden link to the victim’s device, which, when clicked, installs the BingoMod app (version 1.5.1) disguised as a legitimate mobile security tool like AVG AntiVirus & Security. 

Once installed, the app requests access to device accessibility services, allowing it to steal login credentials, take screenshots, and intercept SMS messages. This information is then sent to the threat actor, providing near real-time access to the device’s functions. BingoMod leverages Android’s media projection APIs, which handle screencasting requests, to gather displayed information and bypass security measures like two-factor authentication (2FA). The malware is currently targeting devices in Italy, stealing up to 15,000 Euros in each transaction. 

However, experts at Cleafy believe the malware could spread to other markets, as it is still in active development. The malware’s evasive techniques enable it to avoid detection by reputable security tools like VirusTotal. It conceals its activities using fake notifications and screen overlays while stealing money and data in the background. If the BingoMod app is granted device administrator privileges, the attackers can remotely wipe the device, although Cleafy notes this would only clear the external storage. 

To avoid falling victim to smishing attacks like BingoMod, it is crucial never to click on links from unverified sources, especially those claiming to be important. Install apps only from reputable sources like the Google Play Store and set up passkeys for an additional layer of biometric security. A Google spokesperson told Android Police that Play Protect already safeguards Android users from known versions of this malware by blocking the app or showing a warning, even if the malicious app wasn’t downloaded from the Play Store. Additionally, using a password manager can help keep your credentials safe and alert you to recent data breaches that could compromise your accounts. 

By staying vigilant and following these best practices, you can protect your device from BingoMod and other malicious threats, ensuring your financial data and personal information remain secure.
Read more »
User Privacy
Android Malware data security File Encryption Mobile Security Ransomware User Privacy

Beware of This Dangerous Android malware As It Can Hold Your Phone Hostage

 

A brand-new Android malware has been discovered in the wild that is capable of evading antivirus apps, stealing a tonne of private and financial information, and even encrypting all of the contents on an infected smartphone by using ransomware. 

According to a recent report from the cybersecurity company CloudSEK, this new Android malware, known as "Daam" by its experts, poses a serious threat to the greatest Android phones due to its advanced capabilities. 

As of right now, CloudSEK has discovered the Daam malware in the APK or Android app installation files for the Psiphon, Boulders, and Currency Pro apps, which appear to be sideloaded apps that the Daam malware uses to infect Android smartphones. Psiphon is a VPN programme; Boulders is a smartphone game; and Currency Pro is, as its name implies, a currency converter. 

Your Android phone may be infected with the Daam malware if you installed any of these apps via sideloading rather than through approved app stores like the Google Play Store. The malware can evade detection by antivirus software, and it may already have locked the files on your smartphone by using ransomware, so there may not be a simple remedy. 

File encryption 

The Daam malware is quite complex and has a variety of features intended to steal your data and jeopardise your privacy. For instance, the malware is capable of recording all active VoIP and phone calls, including WhatsApp calls. However, it can also steal your smartphone's files and even contacts. Surprisingly, the Daam malware can not only collect information from your existing contacts but also from newly added contacts. 

The hackers behind this malware campaign's command and control (C&C) server get all of the data that Daam has stolen before sending it back. It's important to note that after installation, dangerous apps used to spread malware request access to private device permissions in order to virtually completely control your Android smartphone. 

As if having all of this private information stolen wasn't bad enough, the Daam malware also encrypts all of the files on an infected Android smartphone using the AES encryption algorithm without getting permission from the user. The device password or PIN on a smartphone can also be changed at the same moment, locking you out totally. 

Mitigation tips

Normally, protecting yourself from mobile malware would only require installing one of the top Android antivirus programmes and turning on Google Play Protect on your phone. 

In this instance, though, the Daam malware was made to evade antivirus apps. Because of this, the best method to safeguard yourself against it is to be extra cautious while downloading new programmes. Although sideloading apps may be practical, doing so puts your Android smartphone at risk of becoming infected with malware. For this reason, you should only download apps from authorised Android app shops. Similar to this, you should still read reviews and check an app's rating before installing it because bad apps occasionally manage to get past Google's security checks.

At the same time, you should refrain from clicking any links sent to your smartphone by email or text message from unidentified senders. These links may take you to malicious websites that could trick you into installing malware or use phishing to collect your information. 

Although the Daam malware is relatively new, it is already quite capable of data theft and making life tough for Android smartphone owners. Because of this, we'll probably continue to hear about it.
Read more »
User Privacy
Android Malware Banking Trojan Crypto Apps data security Mobile Security User Privacy

Beware of this Android Banking Trojan that Steals Banking Credentials

 

A financial trojan called "Godfather" which is capable of stealing account credentials from more than 400 different banking and cryptocurrency apps is presently targeting Android users in 16 other countries. 

According to a recent report from the cybersecurity company Group-IB, the Godfather trojan, which was initially uncovered by ThreatFabric back in March of last year, has been dramatically upgraded and updated since then. 

In a second report, the dark web and cybercrime monitoring company Cyble describes how Godfather is also being disseminated in Turkey through a malicious app that has been downloaded 10 million times and pretends to be a well-known music application. 

Godfather is thought to be the replacement for Anubis, a well-known and widely-used banking Trojan before it lost the capacity to get past updated Android defenses, BleepingComputer reported. 

Banking and cryptocurrency apps on the hit list 

The banking trojan has targeted users of more than 400 apps since it first debuted last year, including 215 banking apps, 94 cryptocurrency wallets, and 110 crypto trading platforms. The malware also targeted 49 banking apps in the US, 31 in Turkey, 30 in Spain, 22 in Canada, 20 in France, 19 in Germany, and 17 in the UK, among other nations. 

Surprisingly, Group-IB discovered a section in Godfather's code that stops the malware from aiming for users from former Soviet Union nations and users in Russia, indicating that its developers speak Russian. The malware checks the system language on an Android device after installation to see if it is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. If so, Godfather shuts down and doesn't attempt to steal any stored cryptocurrency or banking accounts.

Modus operandi 

Godfather attempts to acquire persistence on an Android phone after being installed via a malicious app or file by impersonating Google Protect. Once you download an app from the Google Play Store, this genuine software begins to execute. 

The banking trojan then claims to be "scanning" when, in fact, it is hiding its icon from the list of installed apps and creating a pinned "Google Project" notice. Because of this, malware is more likely to blend into the background and is more challenging to remove. 

A targeted user goes about their normal activities because Godfather's symbol is missing. To steal user passwords and empty their accounts, the malware then applies false overlays to well-known banking and cryptocurrency apps. Additionally, Godfather employs a smart tactic to direct people to phishing websites. It accomplishes this by displaying a fake notification that impersonates one of its smartphone's loaded banking or cryptocurrency apps. 

In addition to stealing credentials, the malware is able to record a user's screen, launch keyloggers to capture their keystrokes, route calls to get around two-factor authentication (2FA), and send SMS messages from infected devices. 

Mitigation Tips 

Installing new apps from a third party other than the Google Play Store or other official app stores like the Amazon App Store or Samsung Galaxy Store puts you at risk for Godfather and other Android malware. While sideloading apps could be alluring, since they are uploaded without any security checks, they may be infected with malware and other viruses. 

Additionally, make sure Google Play Protect is turned on so that it can scan both new and old apps for malware. However, you might also want to download one of the top Android antivirus apps for additional security.
Read more »
Subscribe to: Posts (Atom)