
Novel Android Malware Employs OCR to Steal Crypto Wallet Keys From Images


A novel mobile malware operation dubbed SpyAgent has surfaced targeting Android device users in South Korea. According to an investigation by McAfee Labs researcher SangRyol Ryu, the malware "targets mnemonic keys by scanning for images on your device that might contain them," and it has expanded its targeting footprint to include the UK.

The campaign uses fake Android apps to deceive users into installing them. These apps seem like real banking, government, streaming, and utility apps. As many as 280 fake apps have been uncovered since the start of the year.

It all begins with SMS messages with booby-trapped links directing users to download the apps in question in the form of APK files published on fraudulent websites. Once installed, they will request intrusive permissions to extract data from the devices. 

The most prominent feature is its ability to employ optical character recognition (OCR) to steal mnemonic keys, which are recovery or seed phrases that allow users to restore access to their bitcoin wallets. Unauthorised access to the mnemonic keys could allow attackers to gain control of the victims' wallets and drain all of the funds stored in them. 

According to McAfee Labs, the command-and-control (C2) infrastructure had major security flaws that permitted unauthorised access to the site's root directory as well as the exposure of victim data. 

The server also has an administrator panel, which serves as a one-stop shop for remotely controlling the infected devices. The appearance of an Apple iPhone running iOS 15.8.2 with the system language set to Simplified Chinese ("zh") in the panel indicates that it may also target iOS users. 

"Originally, the malware communicated with its command-and-control (C2) server via simple HTTP requests," the researchers explained. "While this method was effective, it was also relatively easy for security tools to track and block." "In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools."

The finding comes a little more than a month after Group-IB disclosed another Android remote access trojan (RAT) known as CraxsRAT, which has been targeting Malaysian banking users since at least February 2024 via phishing websites. It's worth noting that CraxsRAT campaigns have already been found to target Singapore by April 2023.

New APK Scam: Protect Your Bank Account from Fraudsters

Punjab and Sind Bank (PSB) recently issued a public notice alerting customers to a new scam involving fraudulent messages and malicious APK files. This scam threatens grave financial losses if customers do not take proper precautions.

How the APK Scam Works

Step 1: Creating Panic with Fake Messages

Scammers initiate the fraud by sending text messages that mimic legitimate bank communications. These messages claim that recipients must update their Know Your Customer (KYC) information to avoid having their bank accounts blocked. The fraudulent messages create a sense of urgency, making recipients more likely to follow the instructions.

Kaushik Ray, Chief Operating Officer of Whizhack Technologies, explains that these messages exploit users' fears and desires, bypassing rational judgement. The goal is to trick recipients into downloading a malicious APK file, a common format for Android apps.

Step 2: Installing Malicious APK Files

Once recipients are convinced by the false narrative, they are instructed to download and install an APK file. These files often contain malware. Upon installation, the malware grants hackers access and control over the victim's mobile device.

Step 3: Executing Cyber Attacks

With control of the device, hackers can perform various malicious activities. These include installing a keylogger to capture sensitive information like banking credentials and passwords, launching ransomware attacks that lock the device until a ransom is paid, and accessing the clipboard to steal copied information such as account numbers.

How to Protect Yourself from APK Scams

To protect against these scams, PSB advises customers to take the following precautions:

1. Avoid Downloading Files from Unknown Sources: Only download apps from trusted sources like the Google Play Store.

2. Do Not Click on Suspicious Links: Be wary of links received in unsolicited messages, even if they appear to be from your bank.

3. Block and Report Suspicious Contacts: If you receive a suspicious message, block the sender and report it to your bank or relevant authorities.

4. Never Share Personal Information Online: Do not disclose personal or financial information to unverified sources.

Why APK Scams Target Android Users

Ray highlights that this scam primarily targets Android users because APK files are specific to Android devices. iOS devices, which use a different file format called IPA, generally have stricter controls against installing third-party apps, making them less vulnerable to this type of attack. However, iOS users should remain vigilant against phishing and other scams.

Real-Life Impacts of the APK Scam

Imagine receiving a message that your bank account will be frozen if you do not update your KYC information immediately. This could lead to panic about how you will pay for everyday expenses like groceries, school fees, or utility bills. Scammers exploit this fear to convince people to download the malicious APK file, giving them access to your device and your money.

Stay alert, verify the authenticity of messages, and protect your personal information to safeguard your financial assets.


Beware of Fake ChatGPT Apps: Android Users at Risk

In recent times, the Google Play Store has become a breeding ground for fraudulent applications that pose a significant risk to Android users. One alarming trend that has come to light involves the proliferation of fake ChatGPT apps. These malicious apps exploit unsuspecting users, gain control over their Android phones, and use their phone numbers for nefarious scams.

Several reports have highlighted the severity of this issue, urging users to exercise caution while downloading such applications. These fake ChatGPT apps are designed to mimic legitimate AI chatbot applications, promising advanced conversational capabilities and personalized interactions. However, behind their seemingly harmless facade lies a web of deceit and malicious intent.

These fake apps employ sophisticated techniques to deceive users and gain access to their personal information. By requesting permissions during installation, such as access to contacts, call logs, and messages, they exploit the trust placed in them by unsuspecting users. Once granted these permissions, the apps can hijack an Android phone, potentially compromising sensitive data and even initiating unauthorized financial transactions.

One major concern associated with these fraudulent apps is their ability to utilize phone numbers for scams. With access to a user's contacts and messages, these apps can initiate fraudulent activities, including spamming contacts, sending phishing messages, and even making unauthorized calls or transactions. This not only puts the user's personal information at risk but also jeopardizes the relationships and trust they have built with their contacts.

To protect themselves from falling victim to such scams, Android users must remain vigilant. Firstly, it is crucial to verify the authenticity of an app before downloading it from the Google Play Store. Users should pay attention to the developer's name, ratings, and reviews. Furthermore, they should carefully review the permissions requested by the app during installation, ensuring they align with the app's intended functionality.

Google also plays a vital role in combating this issue. The company must enhance its app review and verification processes to identify and remove fake applications promptly. Implementing stricter guidelines and employing advanced automated tools can help weed out these fraudulent apps before they reach unsuspecting users.

In addition, user education is paramount. Tech companies and cybersecurity organizations should actively spread awareness about the risks of fake apps and provide guidance on safe app usage. This can include tips on verifying app authenticity, understanding permission requests, and regularly updating and patching devices to protect against vulnerabilities.

As the prevalence of fake ChatGPT apps continues to rise, Android users must remain cautious and informed. By staying vigilant, exercising due diligence, and adopting preventive measures, users can safeguard their personal information and contribute to curbing the proliferation of these fraudulent applications. The battle against fake apps requires a collaborative effort, with users, app stores, and tech companies working together to ensure a safer digital environment for all.

Iranian Hackers Employ Novel RatMilad Spyware to Target Enterprise Android Users


Earlier this week, threat analysts at mobile security firm Zimperium Inc. zLabs detailed a newly unearthed form of Android spyware leveraged to target enterprise devices in the Middle East. 

Dubbed "RatMilad," the original version of the spyware was found hiding behind a VPN and phone number spoofing app called Text Me. After discovering the spyware, the researchers also spotted a live sample of the malware family distributed through NumRent, an updated version of Text Me.

According to Zimperium, an Iran-based hacker group named AppMilad is distributing the phone spoofing app via links on social media and communication tools like Telegram, luring unsuspecting users into sideloading the app and granting it extensive permissions. Moreover, fraudsters have designed a product website to distribute the app and trick users into believing that it is an authentic app. 

Since the malicious app can trick users into obtaining a broad range of permissions, it can gain access to sensitive device data, such as location and MAC address, and user data, including phone calls, contact numbers, media files, and SMS messages. 

"Once installed and in control, the attackers could access the camera to take pictures, record video, and audio, get precise GPS locations, view pictures from the device, and more," Zimperium researcher Nipun Gupta stated.

Additionally, the hackers can access the camera and microphone of the device, which allows them to record audio/video and capture photos. Other features include collecting clipboard data, SIM information, and performing read/write activities. 

The scale of the infections is unknown, but the cybersecurity firm said it identified the spyware during a failed compromise attempt of a user's enterprise device. A post published on a Telegram channel employed to distribute the malware sample has been viewed over 4,700 times with more than 200 external shares, indicating a limited range.

"The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security," Richard Melick, director of mobile threat intelligence at Zimperium, explained. "From Pegasus to PhoneSpy, there is a growing mobile spyware market available through legitimate and illegitimate sources, and RatMilad is just one in the mix."

Prevention tips 

The easiest method to avoid falling victim to fake Android apps employed to propagate spyware and malware is to download new apps from official app stores like the Google Play Store, the Amazon Appstore, and the Samsung Galaxy Store. 

Additionally, users are advised to scan any app that is sideloaded onto a device, since sideloaded apps increase the mobile attack surface and leave data and users at risk.

Threat Actors Blanket Androids with Flubot & Teabot Campaigns


Researchers have found a bundle of active campaigns delivering the Flubot and Teabot trojans through a variety of delivery strategies, with threat actors using smishing and malicious Google Play applications to target victims with drive-by attacks in different locations across the globe.

Researchers from Bitdefender Labs said they have intercepted more than 100,000 malicious SMS messages attempting to deliver Flubot malware since the start of December, according to a report published Wednesday.

During their analysis of Flubot, the team also found a QR code reader application that has been downloaded more than 100,000 times from the Google Play store and which has distributed 17 different Teabot variants, they said.

Flubot and Teabot surfaced on the scene last year as fairly straightforward banking trojans that steal banking, contact, SMS and other kinds of private data from infected devices. However, the operators behind them have novel strategies for spreading the malware, making them especially nasty and wide-reaching.

Flubot was first spotted in April targeting Android users in the United Kingdom and Europe using malicious SMS messages that prompted recipients to install a "missed package delivery" application, showcasing a feature of the malware that allows attackers to use command and control (C2) to send messages to victims.

This feature permits operators to rapidly change targets and other malware features on the fly, expanding their attack surface to a worldwide scale without requiring complex infrastructure. Indeed, campaigns later in the year targeted Android users in New Zealand and Finland.

“These threats survive because they come in waves with different messages and in different time zones,” Bitdefender researchers wrote in the report. 

“While the malware itself remains pretty static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing. For example, in the month between Dec. 1 of last year and Jan. 2 of this year, the malware was highly active in Australia, Germany, Spain, Italy and a few other European countries.”   

Campaigns between Jan. 15 and Jan. 18 then moved to other parts of the globe, including Romania, Poland, the Netherlands, Spain and even Thailand, they found.

Attackers also branched out beyond trying to fool users into thinking they missed a package delivery, what Bitdefender called "fake courier messages", to distribute Flubot. While this tactic was present in almost 52% of the campaigns researchers observed, they also used a lure named "is this you in this video", a spin-off of a credential-stealing campaign that has been circulating steadily on social media, in around 25% of observed campaigns, researchers wrote.

“When the victim clicks on the link, it usually redirects them to a fake Facebook login that gives attackers direct access to credentials,” researchers explained. 

Flubot operators have picked up on this trick and are using a variant of it in one of the smishing campaigns observed, with users receiving an SMS message that asks, "Is this you in this video?" researchers noted. In any case, the goal of the campaign is the same: to trick users, by one means or another, into installing the malware under some pretext.

“This new vector for banking trojans shows that attackers are looking to expand past the regular malicious SMS messages.”

Among other lures, Flubot operators also used SMS messages featuring fake browser updates and fake voicemail notifications in around 8% of observed campaigns each, researchers stated.

Researchers: Iranian Users Beware of Widespread SMS Phishing Campaigns


Socially engineered SMS texts are being used to install malware on Android smartphones as part of a large phishing operation that impersonates the Iranian government and social security authorities in order to steal credit card information and funds from victims' bank accounts.

Unlike other types of banking malware that use overlay attacks to steal sensitive data without the victim's knowledge, the financially motivated operation discovered by Check Point Research is developed to trick victims into handing over their credit card information by sending them a legitimate-looking SMS message with a link that, when clicked, downloads a malware-laced app onto their devices. 

Check Point researcher Shmuel Cohen stated in a new report published Wednesday, "The malicious application not only collects the victim's credit card numbers, but also gains access to their 2FA authentication SMS, and turn[s] the victim's device into a bot capable of spreading similar phishing SMS to other potential victims." 

As per the cybersecurity firm, it discovered hundreds of distinct phishing Android apps masquerading as device tracking apps, Iranian banks, dating and shopping sites, cryptocurrency exchanges, and government-related services, with these botnets sold as a "ready-to-use mobile campaign kit" on Telegram channels for somewhere between $50 and $150. 

The infection chain of the smishing botnet begins with a bogus notification from the Iranian judiciary requesting users to evaluate a fictitious complaint made against the message's receivers. The complaint link takes victims to what appears to be a government website, where they are requested to provide personal information (e.g., name, phone number, etc.) and download an Android APK file. 

Once downloaded, the rogue app not only demands invasive permissions to perform operations not typically associated with such government applications, but it also displays a false login page that resembles Sana, the country's electronic judicial notice system, and prompts the victim to make a $1 payment to proceed. Users who choose to do so are then sent to a bogus payment page that captures the credit card information submitted, while the installed software acts as a covert backdoor to harvest one-time passcodes sent by the credit card provider and facilitate further fraud.

Furthermore, the malware has a plethora of functionality, including the ability to exfiltrate all SMS messages received by a device to an attacker-controlled server, conceal its icon from the home screen to circumvent attempts to remove the app, deploy extra payloads, and obtain worm-like powers to broaden its attack surface. 

Prevent data breaches 

Cohen explained, "This allows the actors to distribute phishing messages from the phone numbers of typical users instead of from a centralized place and not be limited to a small set of phone numbers that could be easily blocked. This means that technically, there are no 'malicious' numbers that can be blocked by the telecommunication companies or traced back to the attacker." 

To make matters worse, the attackers behind the operation were discovered to have inadequate operational security (OPSEC), enabling any third party to openly access the phone numbers, contacts, SMS messages, and list of any online bots stored on their servers. 

"Stealing 2FA dynamic codes allows the actors to slowly but steadily withdraw significant amounts of money from the victims' accounts, even in cases when due to the bank limitations each distinct operation might garner only tens of dollars." 

"Together with the easy adoption of the 'botnet as a service' business model, it should come as no surprise that the number of such applications for Android and the number of people selling them is growing," he added.

Alert Android Users: These 23 Apps Found Spying via Mobile Camera


A new malware, PhoneSpy, that eavesdrops on Android users, was recently detected in 23 applications. At present, none of these applications are available on the Google Play Store.

The malware that has primarily been active in the United Kingdom and Korea, is capable of stealing critical data such as images, call logs, contacts, and messages, as well as obtaining the full list of installed apps, recording audio and video in real-time using the phone's cameras and microphone. It can also extract device information such as the IMEI number, device name, and brand, and even grant remote access to the device. 

Zimperium stated in a statement, “The application is capable of uninstalling any user-installed applications, including mobile security apps. The device’s precise location is available in real-time to the malicious actors, all without the victim knowing. The spyware also enables the threat actor to use phishing pages for harvesting credentials of Facebook, Instagram, Google, and Kakao Talk." 

“PhoneSpy hides in plain sight, disguising itself as a regular application with purposes ranging from learning Yoga to watching TV and videos, or browsing photos," the mobile security agency Zimperium added. 

Since neither the spyware nor any of its shadow applications were listed on the Play Store, experts believe the attackers may have used online traffic redirection or social engineering to spread the malware. The latter is used by cyber thieves to trick device owners into performing voluntary actions.

If users carefully examine their online traffic habits, they may be able to discover the malware infection. The PhoneSpy software begins by requesting on-device permissions. Once the user has granted them, attackers can control the device and hide the app from the main menu.

According to Zimperium, Android users should avoid installing apps from third-party app stores. It’s recommended that users only download applications from the Google Play Store. Also, users are suggested to avoid clicking on questionable links or downloading any applications sent by text message or email.

Huawei's App Gallery Hosted Malicious Apps Installed by 9M+ Android Users


Around 9.3 million Android devices have been infected with a new type of malware that masquerades as dozens of arcade, shooter, and strategy games on Huawei's AppGallery marketplace in order to gather device information and victims' phone numbers. 

Researchers from Doctor Web discovered the mobile campaign and categorized the trojan as "Android.Cynos.7.origin," because it is a modified variant of the Cynos malware. Some of the 190 rogue games discovered were made for Russian-speaking players, while others were made for Chinese or worldwide audiences.

Once installed, the applications asked victims for permission to make and manage phone calls, then used it to access and capture their phone numbers as well as other device data including geolocation, mobile network characteristics, and system metadata.

All of these harmful games are primarily aimed at children, who are easy targets for having all of their permissions activated. Huawei has since removed all of the malicious games from its AppGallery app store. If users have a Huawei smartphone and aren't sure whether they're infected, some of the malicious apps are listed below:
  • "[Команда должна убить боеголовку]" with more than 8000 installs.
  • "Cat game room" with more than 427000 installs.
  • "Drive school simulator" with more than 142000 installs.
  • "[快点躲起来]" with more than 2000000 installs.
Doctor Web's malware analysts had previously notified Huawei about these harmful apps. Doctor Web researchers stated, "At first glance, a mobile phone number leak may seem like an insignificant problem. Yet in reality, it can seriously harm users, especially given the fact that children are the games' main target audience."

"Even if the mobile phone number is registered to an adult, downloading a child's game may highly likely indicate that the child is the one who actually uses the mobile phone. It is very doubtful that parents would want the above data about the phone to be transferred not only to unknown foreign servers, but to anyone else in general."