Showing posts with label Android Trojan.

TrickMo Android Trojan Abuses Accessibility Services for On-Device Financial Scam

 

Cybersecurity experts discovered a new form of the TrickMo banking trojan, which now includes advanced evasion strategies and the ability to create fraudulent login screens and steal banking credentials. 

This sophisticated malware employs malicious ZIP files and JSONPacker to obstruct analysis and detection efforts. TrickMo, discovered by CERT-Bund in September 2019, has a history of targeting Android smartphones, with a special focus on German users, in order to acquire one-time passwords (OTPs) and other two-factor authentication (2FA) credentials for financial fraud. The trojan is believed to be the work of the now-defunct TrickBot e-crime gang, which is known for constantly enhancing its obfuscation and anti-analysis features. 

Screen recording, keystroke logging, SMS and photo harvesting, remote control for on-device fraud, and abuse of Android's accessibility services API for HTML overlay attacks and device gestures are among the main capabilities of this TrickMo version. In addition, the malware can automatically grant itself permissions, handle notifications to steal or conceal login codes, and intercept SMS messages.

A malicious dropper app that mimics the Google Chrome web browser is used to spread the malware. Upon installation, users are prompted to upgrade Google Play Services. If the user agrees, an APK carrying the TrickMo payload is downloaded and installed under the name "Google Services." Next, the user is prompted to grant this program access to accessibility services, which gives the malware full control over the device.

TrickMo can use accessibility services to disable critical security features, stop system upgrades, and hinder app uninstallation. Misconfigurations in the malware's command-and-control (C2) server made 12 GB of sensitive data, including credentials and photos, available without authentication. 

This exposed data is vulnerable to exploitation by other threat actors for identity theft, unauthorised account access, financial transfers, and fraudulent transactions. The security breakdown highlights a severe operational security failure by the threat actors, increasing the risk to victims. The exposed private data can be utilised to create convincing phishing emails, resulting in additional information disclosure or malicious acts.

New Chameleon Android Trojan Can Bypass Biometric Security

 

A brand new variant of the Chameleon Android malware has been discovered in the wild, featuring new characteristics, the most notable of which is the ability to bypass fingerprint locks.

The Chameleon Android banking malware first appeared in early 2023, primarily targeting mobile banking apps in Australia and Poland, but it has since propagated to other countries, including the UK and Italy. The trojan employs multiple loggers but has limited functionality. 

Earlier versions of Chameleon could perform actions on the victim's behalf, allowing those behind the malware to carry out account and device takeover attacks. Chameleon has usually leveraged the Android Accessibility Service to extract sensitive data from endpoints and mount overlay attacks, ThreatFabric researchers explained.

The updated version, on the other hand, has two new features: the ability to circumvent biometric prompts and the ability to display an HTML page to allow accessibility service in devices that use Android 13's "Restricted Settings" feature. According to the researchers, the new Chameleon variant's complexity and adaptability have been enhanced, making it a more potent threat in the constantly evolving field of mobile banking trojans. 

The new Chameleon variant starts by determining whether the operating system is Android 13 or newer. If it is, the malware prompts the user to enable accessibility services, even guiding the user through the procedure. Once this is done, the malware is able to perform unauthorised actions on the user's behalf.

While this is a common feature across malware families, what makes this particular aspect intriguing is the ability to disrupt the targeted device's biometric processes and get around fingerprint locks.

The method uses the AccessibilityEvent system-level event for Android and the KeyguardManager application programming interface to determine the screen and keyguard state based on UI changes. Keyguard is an Android system component that controls security features on devices, including screen lock and authentication mechanisms. 

The malware assesses the state of the keyguard in terms of the various locking methods, such as pattern, PIN, or password. When specific conditions are met, the malware uses the AccessibilityEvent action to switch from biometric to PIN authentication. This gets around the biometric prompt, allowing the trojan to unlock the device whenever it wants.

The method is believed to offer those behind the malware two advantages: it simplifies the theft of PINs, passwords, or graphical keys by bypassing biometrics in favour of keylogging, and it lets them unlock devices with previously acquired PINs or passwords.

“The emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem,” the researchers concluded. “Evolving from its earlier iteration, this variant demonstrates increased resilience and advanced new features.”

Thousands of Malicious Android Apps are Employing Covert APKs to Bypass Security

 

To avoid malware detection, threat actors are employing Android Package (APK) files with unknown or unsupported compression algorithms.

That's according to findings from Zimperium, which discovered 3,300 artefacts using such compression algorithms in the wild. 71 of the discovered samples can be successfully loaded into the operating system. 

There is no evidence that the apps were ever available on the Google Play Store, implying that they were disseminated through alternative channels, most likely through untrustworthy app stores or social engineering to fool users into sideloading them. 

The APK files employ "a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analysed," security researcher Fernando Ortega explained. "In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method." 

The benefit of this approach is that it resists decompilation tools while the package still installs on devices running Android 9 Pie or newer.

The Texas-based cybersecurity company claimed that after reading Joe Security's post on X (formerly Twitter) in June 2023 about an APK file that had this behaviour, it began its own investigation. 

There are two ways that Android packages can use the ZIP format: one without compression and the other with the DEFLATE algorithm. The key finding in this study is that APKs compressed using unsupported techniques cannot be installed on devices running Android versions lower than 9, while they may be used without issue on subsequent versions. 

Zimperium also found that malware developers intentionally corrupt APK files by giving them filenames longer than 256 characters and creating corrupt AndroidManifest.xml files to trigger analysis tools to crash. 
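As an added defender-side illustration (not code from Zimperium's research), the script below builds two constructed ZIP packages with hand-written local and central directory headers and triages them for the tricks described above: a compression method other than stored or DEFLATE, filenames longer than 256 characters, and a missing or empty AndroidManifest.xml. It reads only the central directory, so a package that tools cannot decompress can still be examined.

```python
import io
import struct
import zipfile
import zlib

# Methods the Android installer understands (the page: stored or DEFLATE).
SUPPORTED_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}
MAX_NAME_LEN = 256  # the page: longer names crash some analysis tools


def build_zip(entries):
    """Build a minimal ZIP in memory (constructed test input, not a real APK).
    entries: list of (name, data, method). DEFLATE entries are compressed; any
    other method id is simply written into the headers over the raw bytes,
    which is what leaves the entry unreadable for tools that trust the id."""
    out, central = io.BytesIO(), []
    for name, data, method in entries:
        nb = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        if method == zipfile.ZIP_DEFLATED:
            c = zlib.compressobj(6, zlib.DEFLATED, -15)  # raw deflate stream
            blob = c.compress(data) + c.flush()
        else:
            blob = data
        offset = out.tell()
        # local file header followed by the name and the (possibly bogus) data
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, method, 0, 0,
                              crc, len(blob), len(data), len(nb), 0) + nb + blob)
        # matching central directory record, emitted after all local entries
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0,
                                   method, 0, 0, crc, len(blob), len(data),
                                   len(nb), 0, 0, 0, 0, 0, offset) + nb)
    cd_start, cd = out.tell(), b"".join(central)
    out.write(cd)  # central directory, then the end-of-central-directory record
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                          len(entries), len(cd), cd_start, 0))
    return out.getvalue()


def triage_apk(apk_bytes):
    """Flag the ZIP-level tricks the page describes: an unsupported compression
    method, over-long filenames and a missing or empty AndroidManifest.xml.
    Only the central directory is parsed, so no entry ever has to be inflated."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        infos = zf.infolist()
        for info in infos:
            if info.compress_type not in SUPPORTED_METHODS:
                findings.append(f"unsupported method {info.compress_type}: "
                                f"{info.filename[:30]}")
            if len(info.filename) > MAX_NAME_LEN:
                findings.append(f"filename of {len(info.filename)} chars")
        manifest = [i for i in infos if i.filename == "AndroidManifest.xml"]
        if not manifest:
            findings.append("AndroidManifest.xml missing")
        elif manifest[0].file_size == 0:
            findings.append("AndroidManifest.xml is empty")
    return findings


# Constructed samples: a well-formed package and one using the evasions.
CLEAN_APK = build_zip([
    ("AndroidManifest.xml", b"<manifest/>", zipfile.ZIP_STORED),
    ("classes.dex", b"dex\n035\0" + b"\0" * 64, zipfile.ZIP_DEFLATED),
])
EVASIVE_APK = build_zip([
    ("AndroidManifest.xml", b"<manifest/>", 99),  # method id no installer knows
    ("classes.dex", b"dex\n035\0", zipfile.ZIP_STORED),
    ("res/" + "a" * 300 + ".xml", b"", zipfile.ZIP_STORED),  # 308-char name
])
```

Running `triage_apk(CLEAN_APK)` yields no findings, while `triage_apk(EVASIVE_APK)` reports the bogus method on the manifest and the 308-character filename.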

The revelation comes just after Google revealed how threat actors were using a method known as versioning to get around the Play Store's malware detections and target Android users. 

Safety measures 

Thankfully, there are several steps you can take to safeguard your phone from malicious Android apps. The first and most important piece of advice is to avoid sideloading apps unless it is unavoidable. There are a few unusual situations in which you might need to sideload an app for work or to make a certain product work, but other than that, you shouldn't install apps from unknown sources.

As a general guideline, you should only download apps from the Play Store or other authorised app stores like the Samsung Galaxy Store or Amazon Appstore. Sometimes malicious software does manage to slip through the cracks, which is why it pays to do your research before installing any new app by reading reviews and looking into the app's developers.

Is Malware The Reason Your Smartphone Keyboard is Not Working?


A working keyboard is required for posting on social media, browsing the web, or messaging a friend from a smartphone.

Most problems faced when a smartphone keyboard is not functioning properly can be resolved by restarting the device, clearing the cache, or installing an alternative keyboard app. But what if none of that helps?

Malware Might Cause Keyboard Malfunctions 

While Android phones are apparently more vulnerable to malware than iOS devices, iPhones are vulnerable as well. If your smartphone's keyboard glitches, lags, takes a long time to appear on the screen or does not respond when you hit the keys, your smartphone may be infected with malware.

Smartphone keyboards may also malfunction because of malware, since malware generally affects the entire device. Malware may cause various issues, such as overheating, lags and crashes, and decreased battery life. A user's personal data and privacy could also be compromised, depending on the kind of malware.

Malware frequently consumes a significant amount of computing power, which is what initially causes the performance issues. Since the operating system of your smartphone is affected, the malware ultimately affects all the programs installed on it, including the default keyboard app.

What Types of Mobile Malware Would Cause Keyboard Issues? 

A Trojan horse, which is malware posing as a legitimate program, is one example. Other such malware includes adware (malware displaying unwanted advertisements), spyware (malware that records information without consent), worms (malicious programs that replicate themselves), and cryptojackers.

A cryptojacking attack involves a threat actor using a targeted device to mine cryptocurrency. If a smartphone is attacked by a cryptojacker, its processing power is used to solve cryptographic puzzles and create virtual currency for someone else. This ultimately makes the keyboard glitch, among a variety of other performance problems.

How to Remove Malware from Smartphones?

If a user suspects that malware is responsible for affecting the keyboard, the first precaution is to install and run antivirus software. There are numerous free antivirus apps available in all major app stores. Although not all of them will help remove the malicious program, they can at least be used to detect the malware.

Users should also look out for any unfamiliar or suspicious apps on their phones that they do not remember installing, since there is a good chance that such apps are deploying malware. These apps must be removed immediately, after which the device should be checked with an antivirus program.

If none of this works, users are left with one option: a master reset or factory reset. This restores the affected smartphone to the state it was in when first powered up. However, it erases all data on the device, unless the data is backed up somewhere so that it can be restored once the reset has completed.

New Malware Applications Get 2 Million Downloads in Google Play


Android users should be cautious, since threat actors are increasingly using certain forms of trojan software, and two million installations of malicious apps from the Google Play store have been reported as a result.

Once downloaded, the applications mentioned above might be able to download further apps to the victim's phone and even send the user prompt notifications to lead them to more mistakes. 

Here are the most recent malware app types to watch out for: 

What Is Android.Spy.4498? 

The largest malware groups in the last month (by far) were Android.Spy.4498 and Android.Spy.5106, according to Dr. Web antivirus.

These applications are variations of the same trojan, and their purpose is to steal the contents of other apps' notifications on the device where the trojan has been downloaded. They can also download new applications and ask users to install them, or display additional dialogue boxes.

“This malicious [Android.Spy.4498 trojan] is capable of hijacking the contents of other apps’ notifications, which can cause leaks of confidential and sensitive data,” Dr. Web antivirus said.

These trojans have reportedly been more successful than those that only offer "obnoxious advertising," according to Dr. Web. 

But, before you install a new utility app, consider it again because you do not want either type of infection.

The new malware applications are disguising themselves under different names, one of them went by the name "Fast Cleaner & Cooling Master" and claimed to be an OS optimization programme. Others include legitimate utility titles like “Volume,” “Music Equalizer,” “Bluetooth device auto-connect,” and the strangely lengthy title of “Bluetooth & Wi-Fi & USB driver.” These names appear to be intended to prey on less tech-savvy customers, who may just be looking for a way to plug into a USB port. 

How can You Avoid Downloading Android Malware? 

One of the most reliable ways to protect yourself from these scams is to refrain from downloading any apps that are not from a well-established brand, even though this only raises the winner-takes-all stakes that most apps today face.

Other online safety measures a user can adopt include using a VPN or antivirus software, but even these tools cannot prevent malware that you have downloaded yourself. It is therefore better to simply avoid downloading any suspicious application.

SharkBot Android Trojan Resurfaces On Google Play Store

 

Check Point researchers have unearthed multiple malicious Android apps on the Google Play Store posing as antivirus applications to deploy the SharkBot Android trojan.

The banking trojan was initially spotted in November last year, when it was only being deployed via third-party application stores. Its primary purpose was initiating illegal money transfers via Automatic Transfer Systems (ATS) by auto-filling fields in legitimate applications.

Last month, NCC Group reported that multiple SharkBot droppers had infiltrated Google Play, all of which showed similar code and behavior. The first SharkBot dropper discovered in Google Play masqueraded as antivirus solutions. It was identified as a downgraded version of the trojan containing only minimum features, but capable of fetching and installing the full version at a later date. 

On March 9th, Google removed the four apps in question, and a few days later another SharkBot dropper was identified. That app was reported right away, so it had no installations. The same happened on March 22 and 27: those new droppers were removed from Google Play thanks to quick discovery.

According to Check Point researchers, they identified a total of seven droppers in Google Play, published from developer accounts that were active in late 2021, and which had some of their applications removed from the store. However, these malicious apps have been already installed more than 15,000 times before the takedown from the store. 

Once installed on an Android device, SharkBot exploits Android's Accessibility Services permissions to present fake overlay windows on top of legitimate banking apps. Thus, when victims enter their usernames and passwords in the windows that mimic benign credential input forms, the stolen data is sent to a malicious server. 

“What is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like bio-metrics, while at the same time it also includes more classic features to steal user’s credentials,” NCC Group stated. 

The trojan also employs geofencing and bypass techniques, which set it apart from other mobile banking malware. In particular, it ignores users in China, Romania, Russia, Ukraine, Belarus, and India. The majority of victims reside in Italy and the United Kingdom.

Android Malware in Google Play Stealing Victim's Data

 

Threat intelligence researchers have warned users that an Android banking malware, ‘TeaBot’, which steals users' private data and SMS messages, has been downloaded thousands of times via the Google Play Store. According to the experts, TeaBot is an Android banking trojan that first became known at the beginning of 2021 as a trojan designed to steal victims' text messages.

According to the online fraud management and prevention firm Cleafy, in its initial phase TeaBot was distributed through smishing campaigns using a predefined list of lures, such as VLC Media Player, TeaTV, DHL and UPS, and others.

Following the incident, the researchers said that "In the last months, we detected a major increase of targets which now count more than 400 applications, including banks, crypto exchanges/wallets, and digital insurance, and new countries such as Russia, Hong Kong, and the US." 

From February, TeaBot Trojan has started supporting new foreign languages including Russian, Mandarin Chinese, and Slovak. It helps cybercriminals in displaying custom messages during the installation phases. 

On February 21, Cleafy's Threat Intelligence and Incident Response (TIR) team detected an application published on the official Google Play Store that was acting as a dropper delivering TeaBot through a fake update procedure. Once downloaded by the user, the dropper asks them to update immediately through a popup message.

"The dropper lies behind a common QR Code & Barcode Scanner and it has been downloaded more than 10,000 times. All the reviews display the app as legitimate and well-functioning," the team added.

Purple Fox Backdoor Identified in Malicious Telegram Installers

 

A novel technique to target computer systems has been discovered. According to a report published jointly by the Minerva Labs cybersecurity team and MalwareHunterTeam, trojanized installers of the Telegram messaging application are being circulated online to distribute the Purple Fox malware, a Windows-based rootkit that is used to install further malicious payloads on compromised devices.

The installer for the malicious Telegram application is a compiled AutoIt script called "Telegram Desktop.exe" that drops two files: the legitimate Telegram installer and a malicious downloader. While the legitimate Telegram installer dropped alongside the downloader is never executed, the AutoIt program does run the downloader, TextInputh.exe.

When executed, TextInputh.exe creates a folder named "1640618495" under the C:\Users\Public\Videos\ directory, and then connects to the C2 to download a 7z utility and a RAR archive (1.rar). The archive contains the payload and the configuration files; the 7z program unpacks the RAR archive, which also holds a file used to load a malicious DLL reflectively.

The next step includes the creation of a registry key to enable persistence on a compromised device, and five further files are dropped into the ProgramData folder to perform functions, including shutting down a wide spectrum of antivirus processes before Purple Fox is eventually executed.
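As an added defender-side illustration (not code from the Minerva Labs report), the checks below turn the infection chain described above into three detection rules and run them over constructed process-creation events. The staging folder, the folder name 1640618495, TextInputh.exe, 7z and 1.rar come from the report; the Downloads and Program Files paths and the event field names are assumptions.

```python
import re

# Staging folder the page describes: C:\Users\Public\Videos\<epoch-style digits>\
STAGING_DIR = re.compile(r"^C:\\Users\\Public\\Videos\\\d{8,12}\\", re.IGNORECASE)
ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "7zr.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules one process-creation event matches.
    event: dict with 'image', 'parent' and 'cmd' keys (assumed field names)."""
    hits = []
    image, parent, cmd = event["image"], event["parent"], event["cmd"]
    # 1. Nothing should execute from the public Videos folder, least of all from
    #    a subfolder named with a bare number such as 1640618495.
    if STAGING_DIR.match(image):
        hits.append("exec_from_public_videos_staging")
    # 2. A Telegram installer is expected to start Telegram, not a foreign binary
    #    such as the TextInputh.exe downloader.
    if basename(parent) == "telegram desktop.exe" and not basename(image).startswith("telegram"):
        hits.append("telegram_installer_spawns_foreign_child")
    # 3. An archive utility unpacking a RAR into that staging folder (7z + 1.rar).
    if basename(image) in ARCHIVE_TOOLS and ".rar" in cmd.lower() and "\\public\\videos\\" in cmd.lower():
        hits.append("archive_tool_unpacks_into_staging")
    return hits


def scan(events):
    """Return (index, matched rules) for every event that matched at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := evaluate(e))]


# Constructed process-creation events (not real telemetry). The Downloads and
# Program Files paths are assumptions; the staging folder and file names are
# the ones the page reports.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\Telegram Desktop.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": ""},
    {"image": r"C:\Users\alice\Downloads\TextInputh.exe",
     "parent": r"C:\Users\alice\Downloads\Telegram Desktop.exe", "cmd": ""},
    {"image": r"C:\Users\Public\Videos\1640618495\7z.exe",
     "parent": r"C:\Users\alice\Downloads\TextInputh.exe",
     "cmd": r"7z.exe x 1.rar -oC:\Users\Public\Videos\1640618495"},
    # benign controls: an installer starting Telegram itself, and 7-Zip used
    # by a user on an ordinary download
    {"image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "parent": r"C:\Users\alice\Downloads\Telegram Desktop.exe", "cmd": ""},
    {"image": r"C:\Program Files\7-Zip\7z.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"7z.exe x photos.rar -oC:\Users\alice\Downloads\photos"},
]
```

`scan(SAMPLE_EVENTS)` flags only the second and third events: the installer spawning TextInputh.exe, and 7z running from and extracting into the numbered staging folder.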

The Purple Fox Trojan comes in two Windows variants i.e. 32-bit and 64-bit. In March last year, Guardicore Labs uncovered novel worm capabilities integrated into the malware, and thousands of susceptible servers were hijacked to host payloads of Purple Fox. 

Last year in October, a new backdoor named FoxSocket was discovered by Trend Micro researchers, which is believed to be a new inclusion to the existing abilities of the malware. The Purple Fox malware is going to be on the radar of security researchers for a while. It has a unique worm functionality and also contains a rootkit. It also employs stealth and has upgraded backdoors. This makes it worth observing and that is why many are keeping tabs on any developments. 

"The beauty of this attack is that every stage is separated to a different file which is useless without the entire file set," the researchers explained. "This helps the attacker protect his files from AV detection."

New Android Trojan SharkBot is Targeting Banking Apps to Steal Financial Credentials

 

Cybersecurity researchers have uncovered a new Android trojan that can circumvent multi-factor authentication on banking apps, putting users' financial data and money at risk.

Dubbed "SharkBot" by Cleafy researchers, the Android malware has been spotted in assaults across Europe and the United States to siphon credentials from smartphones using the Google Android operating system.

"The main goal of SharkBot is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms (e.g., SCA)," the researchers from cyber security firm Cleafy said in a report.

"Once SharkBot is successfully installed in the victim's device, attackers can obtain sensitive banking information through the abuse of Accessibility Services, such as credentials, personal information, current balance, etc., but also to perform gestures on the infected device." 

According to the researchers, SharkBot is modular malware that belongs to the next generation of mobile malware able to perform attacks based on the Automatic Transfer System (ATS) technique. The Android trojan is equipped with several features, such as the ability to block legitimate banking communications sent via SMS, enable keylogging, and obtain full remote control of the compromised devices.

Additionally, the malware poses as a media player, live TV, or data recovery apps and prompts users with rogue pop-ups to grant it wide permissions only to steal private details. Where it stands apart is the exploitation of accessibility settings to carry out ATS attacks, which allow the operators to "auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices to a money mule network controlled by the cybercriminals." 

The Android trojan employs several anti-analysis and anti-detection techniques, including emulator checks, encryption of command-and-control communications with the remote server, and hiding the app's icon from the home screen after installation. So far, no samples of the malware have been spotted on the Google Play Store, indicating that the malicious apps are installed on users' devices either via sideloading or social engineering techniques.

"The discovery of SharkBot in the wild shows that mobile malware is quickly finding new ways to perform fraud, trying to bypass behavioral detection countermeasures put in place by multiple banks and financial services during the last years," the researchers stated.