Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Fake Apps. Show all posts
Mobile Malware
Bank Information Security Cyber Attacks data security Data Theft Fake Apps Malicious Apps Malware attacks Mobile Malware

Massive Mobile Malware Campaign Targets Indian Banks, Steals Financial Data

 

Zimperium's zLabs research team has uncovered a significant mobile malware campaign that targets Indian banks. First reported on February 5, 2025, this threat was orchestrated by a threat actor called FatBoyPanel. Nearly 900 malware samples are used in the campaign, which is distributed via WhatsApp and uses malicious apps that impersonate banking or government apps to steal private and sensitive financial data from unsuspecting users.  

Once installed, the malicious apps steal the users data, such as credit and debit card information, ATM PINs, Aadhaar card details, PAN card numbers, and mobile banking information. Additionally, the malware uses sophisticated stealth techniques to conceal itself and avoid detection or removal by intercepting SMS messages that contain OTPs. 

By using the reputation and legitimacy of Indian banks and government agencies to trick users into thinking the apps are authentic, this cyberattack is a clear illustration of how threat actors have advanced to a new level. These cybercriminals are deceiving users into downloading malicious apps intended to drain accounts and compromise sensitive data by posing as trustworthy organizations. 

Upon closer examination, the malware can be divided into three different types: hybrid, firebase-exfiltration, and SMS forwarding. Different exfiltration techniques are used by each variant to steal confidential information. By employing live phone numbers to intercept and reroute SMS messages in real time, these Trojan Bankers go beyond standard attacks. By hiding its icon, the malware makes itself even more difficult to remove. 

According to a Zimperium report, more than 1,000 malicious applications were created with the intention of stealing banking credentials. An estimated 50,000 victims were impacted by the campaign, which revealed 2.5GB of financial and personal data kept in 222 unprotected Firebase buckets. Attackers have been able to trick users into divulging extremely sensitive information by using phony government and banking apps that are distributed via WhatsApp. 

This breach has serious repercussions, including the possibility of identity theft, financial loss, and privacy violations for impacted users. In order to assist authorities in locating the cybercriminals responsible for FatBoyPanel, Zimperium has shared the gathered data with them. Users should use security software to identify and eliminate malware, update their devices frequently, and refrain from downloading apps from unidentified sources in order to protect themselves. 

On Thursday, Feb. 20, Zimperium, the global leader in mobile security, will release new research highlighting the evolving landscape of mobile phishing attacks.

As organizations increasingly rely on mobile devices for business operations including BYOD, multi-factor authentication, cloud applications, and mobile-first workflows, mobile phishing is becoming one of the most severe threats to enterprise security. Adversaries are exploiting security gaps in mobile and cloud-based business applications, expanding the attack surface and increasing exposure to credential theft and data compromise.

Zimperium’s latest research provides a data-driven look at how attackers are evolving their tactics to evade detection and why businesses must rethink their security strategies to stay ahead. 

Key findings from the report include: Mishing surge: Activity peaked in August 2024, with over 1,000 daily attack records. Smishing (SMS/text based phishing) attacks dominate globally with 37% in India, 16% in the U.S., and 9% in Brazil. Quishing (QR code phishing) is gaining traction, with notable activity in Japan (17%), the U.S. (15%), and India (11%). Stealthy phishing techniques: 3% of phishing sites use device-specific detection to display harmless content on desktops while delivering malicious phishing payloads exclusively to mobile users. Zimperium’s research emphasizes that traditional anti-phishing solutions designed for desktops are proving inadequate against this shift, making mobile threat defense a critical necessity for organizations worldwide.

The FatBoyPanel campaign emphasizes the need for increased vigilance in an increasingly digital world and the increasing sophistication of cyber threats. Keeping up with online security best practices is crucial to reducing risks and protecting financial and personal information as cybercriminals improve their tactics.
Read more »
Telegram
Android Malware Fake Apps FireScam malware Social Media Telegram

FireScam Malware Targets Android Users via Fake Telegram Premium App

Android Malware 'FireScam' Poses As Telegram Premium to Steal User Data


A newly discovered Android malware, FireScam, is being distributed through phishing websites on GitHub, masquerading as a premium version of the Telegram application. These malicious sites impersonate RuStore, a Russian app marketplace, to deceive users into downloading the infected software.

How FireScam Operates

RuStore, launched by Russian tech giant VK (VKontakte) in May 2022, was developed as an alternative to Apple's App Store and Google Play following Western sanctions that restricted Russian users' access to global platforms. This marketplace hosts apps that comply with Russian regulations and operates under the oversight of the Russian Ministry of Digital Development.

According to security researchers at CYFIRMA, attackers have set up a fraudulent GitHub page mimicking RuStore. This fake website delivers a dropper module named GetAppsRu.apk. Once installed, the dropper requests extensive permissions, allowing it to scan installed applications, access device storage, and install additional software. It then downloads and executes the main malware payload, disguised as Telegram Premium.apk. This secondary payload enables the malware to monitor notifications, read clipboard data, access SMS and call information, and collect other sensitive details.

FireScam’s Advanced Capabilities

Once activated, FireScam presents users with a deceptive WebView-based Telegram login page designed to steal credentials. The malware communicates with Firebase Realtime Database, allowing stolen data to be uploaded instantly. It also assigns unique identifiers to compromised devices, enabling hackers to track them.

Stolen data is temporarily stored before being filtered and transferred to another location, ensuring that traces are erased from Firebase. Additionally, FireScam establishes a persistent WebSocket connection with the Firebase command-and-control (C2) server, enabling real-time command execution. This allows attackers to:

  • Request specific data from the infected device
  • Install additional payloads
  • Modify surveillance parameters
  • Initiate immediate data uploads

Furthermore, the malware can:

  • Monitor screen activity and app usage
  • Track changes in screen on/off states
  • Log keystrokes, clipboard data, and credentials stored in password managers
  • Intercept and steal e-commerce payment details

How to Stay Safe

While the identity of FireScam’s operators remains unknown, CYFIRMA researchers warn that the malware exhibits advanced evasion techniques and poses a serious threat to users. To minimize the risk of infection, users should:

  • Avoid downloading apps from unverified sources, especially those claiming to be premium versions of popular software.
  • Exercise caution when opening links from unknown sources.
  • Regularly review and restrict app permissions to prevent unauthorized data access.
  • Use reliable security solutions to detect and block malware threats.

As attackers continue refining their tactics, staying vigilant against phishing campaigns and suspicious downloads is essential to protecting personal and financial data.


Read more »
Ukraine
Fake Apps malware RSA Ukraine

Malware Targets Ukrainian Military via Fake App

 



Cybersecurity experts said that a malware campaign targeting Ukraine's military personnel has been released. The malware is spread with the help of a fake installer for an app called "Army+." That installer looks perfectly legitimate but embeds malicious code. It will install the Tor browser and use the hidden PowerShell script to carry on malicious activities; this means that there is misuse of the Tor browser for secretive purposes rather than any other purpose that it was used for.


How the Malware Works

The installation process starts with the fake app ArmyPlusInstaller. It launches a decoy application, ArmyPlus.exe, to avoid suspicion. In the background, a hidden script, init.ps1, works to bypass security restrictions on the system.

It would normally block such unauthorized scripts to keep a computer safe. But the malware will play with security settings by means of specific PowerShell commands to have the liberty of working freely. It even reduces the size of the console window to conceal all its actions and create further illusion. It plants files in strategic locations

The malware spreads its files throughout the folders of the system to remain hidden. For instance, the Tor browser files are stored in a directory called OneDriveData, while OpenSSH files, which give the attackers remote access, are kept in a folder called ssh.

This init.ps1 script plays a crucial role as it can pull down and install the Tor browser for use in secret operations. The init.ps1 script establishes communication between the compromised computer and the attacker, giving them an avenue through which to command the system from a stealth position.


Backdoor That Survives Reboot

After installation, it establishes a backdoor through which attackers secretly command the system remotely. The system information is then transmitted along with a public RSA key through Tor to a remote server. The latter facilitates communication from the attackers side encrypted through that public RSA key. In that manner, an attacker is in a position to issue commands, and if they have their ways, may end up commanding at a very high level within the system.


Exploiting User Trust

A devious malware installer masquerading as a program installation. Requesting administrative credentials, which may be granted unwarily by innocent users. Once the visible, front-end app fails, all the malicious instructions are executed on the backhand in silence silently, including accessing and transmitting some sensitive information it has gathered.


Why Is This Important

This incident highlights how cybercriminals exploit everyday tools, like PowerShell and Tor, to hide their attacks. In this way, they mimic legitimate software, making it harder for standard defenses to detect them.

It is a reminder for all of us to download software only from trusted sources and for organizations to regularly update their security measures. Being alert will help prevent such stealthy cyberattacks from succeeding.

This development underlines the increasing nuances in cyber threats in conflict zones as attackers continue to evolve their techniques to evade detection.


Read more »
Malware attacks
AI generated Deepfake AI tools Cyber Attacks data security Data Theft Fake Apps Information Security Malware attacks

Meeten Malware Targets Web3 Workers with Crypto-Stealing Tactics

 


Cybercriminals have launched an advanced campaign targeting Web3 professionals by distributing fake video conferencing software. The malware, known as Meeten, infects both Windows and macOS systems, stealing sensitive data, including cryptocurrency, banking details, browser-stored information, and Keychain credentials. Active since September 2024, Meeten masquerades as legitimate software while compromising users' systems. 
 
The campaign, uncovered by Cado Security Labs, represents an evolving strategy among threat actors. Frequently rebranded to appear authentic, fake meeting platforms have been renamed as Clusee, Cuesee, and Meetone. These platforms are supported by highly convincing websites and AI-generated social media profiles. 
 
How Victims Are Targeted:
  • Phishing schemes and social engineering tactics are the primary methods.
  • Attackers impersonate trusted contacts on platforms like Telegram.
  • Victims are directed to download the fraudulent Meeten app, often accompanied by fake company-specific presentations.

Key behaviors include:
  • Escalates privileges by prompting users for their system password via legitimate macOS tools.
  • Displays a decoy error message while stealing sensitive data in the background.
  • Collects and exfiltrates data such as Telegram credentials, banking details, Keychain data, and browser-stored information.
The stolen data is compressed and sent to remote servers, giving attackers access to victims’ sensitive information. 
 
Technical Details: Malware Behavior on Windows 

On Windows, the malware is delivered as an NSIS file named MeetenApp.exe, featuring a stolen digital certificate for added legitimacy. Key behaviors include:
  • Employs an Electron app to connect to remote servers and download additional malware payloads.
  • Steals system information, browser data, and cryptocurrency wallet credentials, targeting hardware wallets like Ledger and Trezor.
  • Achieves persistence by modifying the Windows registry.
Impact on Web3 Professionals 
 
Web3 professionals are particularly vulnerable as the malware leverages social engineering tactics to exploit trust. By targeting those engaged in cryptocurrency and blockchain technologies, attackers aim to gain access to valuable digital assets. Protective Measures:
  1. Verify Software Legitimacy: Always confirm the authenticity of downloaded software.
  2. Use Malware Scanning Tools: Scan files with services like VirusTotal before installation.
  3. Avoid Untrusted Sources: Download software only from verified sources.
  4. Stay Vigilant: Be cautious of unsolicited meeting invitations or unexpected file-sharing requests.
As social engineering tactics grow increasingly sophisticated, vigilance and proactive security measures are critical in safeguarding sensitive data and cryptocurrency assets. The Meeten campaign underscores the importance of staying informed and adopting robust cybersecurity practices in the Web3 landscape.
Read more »
Trading
Apple cryptocurrency Cyber Fraud Cybersecurity Fake Apps Fraud Google investment phishing Scam Trading

Massive Global Fraud Campaign Exploits Fake Trading Apps on Apple and Google Platforms

 

A recent investigation by Group-IB revealed a large-scale fraud operation involving fake trading apps on the Apple App Store and Google Play Store, as well as phishing sites to deceive victims. The scheme is part of a wider investment scam known as "pig butchering," where fraudsters lure victims into investments by posing as romantic partners or financial advisors.

Victims are manipulated into losing funds, with scammers often requesting additional fees before disappearing with the money.

Group-IB, based in Singapore, noted that the campaign targets victims globally, with reports from regions like Asia-Pacific, Europe, the Middle East, and Africa. The fraudulent apps, created using the UniApp Framework, are labeled under "UniShadowTrade" and have been active since mid-2023, offering promises of quick financial gains.

One app, SBI-INT, even bypassed Apple’s App Store review process, giving it an illusion of legitimacy. The app disguised itself as a tool for algebraic formulas and 3D graphics calculations but was eventually removed from the marketplace.

The app used a technique that checked if the date was before July 22, 2024, and, if so, displayed a fake screen with mathematical formulas. After being taken down, scammers began distributing it via phishing websites for Android and iOS users.

For iOS, downloading the app involved installing a .plist file, requiring users to trust an Enterprise developer profile manually. Once done, the fraudulent app became operational, asking users for their phone number, password, and an invitation code.

After registration, victims went through a six-step process involving identity verification, providing personal details, and agreeing to terms for investments. Scammers then instructed them on which financial instruments to invest in, falsely promising high returns.

When victims tried to withdraw their funds, they were asked to pay additional fees to retrieve their investments, but the funds were instead stolen.

The malware also included a configuration with details about the URL hosting the login page, hidden within the app to avoid detection. One of these URLs was hosted by a legitimate service, TermsFeed, used for generating privacy policies and cookie consent banners.

Group-IB discovered another fake app on the Google Play Store called FINANS INSIGHTS, which had fewer than 5,000 downloads. A second app, FINANS TRADER6, was also linked to the same developer. Both apps targeted countries like Japan, South Korea, Cambodia, Thailand, and Cyprus.

Users are advised to be cautious with links, avoid messages from unknown sources, verify investment platforms, and review apps and their ratings before downloading.
Read more »
Play Store
Advertisement Cyber Security Fake Apps Fraudulent Play Store

HUMAN Team Shuts Down Major Mobile Ad Fraud Scheme

 


In a major development, the HUMAN Satori Threat Intelligence and Research Team has successfully dismantled a vast mobile advertising fraud operation known as "Konfety." This scheme, which generated billions of fake ad requests each day, was designed to deceive both users and advertisers on a large scale.

The Konfety scammers used a mobile advertising tool called CaramelAds to carry out their scheme. They created numerous fake apps, which appeared to be ordinary games on the Google Play Store. These apps were actually just a front for the fraud. The core of the scam involved "evil twin" apps—modified versions of CaramelAds that did not follow privacy regulations and were used to show fraudulent ads.

The fraudulent apps were designed to mimic genuine user activity. They displayed unwanted ads, opened websites without user consent, and used various tactics to create the illusion of legitimate traffic. This allowed the scammers to profit from fake ad views and clicks, deceiving both users and advertisers.

Upon discovering the fraud, the HUMAN team quickly implemented measures to block the fraudulent traffic. They flagged suspicious activity and worked with ad networks to stop the scam. In response, the fraudsters tried to shift their operations to other networks not protected by HUMAN, but their efforts were largely thwarted by HUMAN’s protective measures.

Google Play Protect was crucial in identifying and removing the fraudulent apps. Despite its efforts, the scale of the Konfety scheme highlighted the ongoing challenge of preventing such sophisticated scams. Google continues to monitor and protect users from these threats.

HUMAN’s team developed specific detection techniques for the Konfety scam and shared their findings with other security experts. This collaboration led to a significant reduction in fraudulent ad requests and enhanced overall security in digital advertising.

The successful shutdown of the Konfety fraud needs a heedful of vigilance and cooperation in the fight against online scams. HUMAN’s ongoing efforts to safeguard the integrity of digital advertising are essential as cybercriminals continue to evolve their tactics. This case highlights the need for constant vigilance and industry collaboration to maintain a secure online environment.




Read more »
User Security
Fake Apps FlyGram Privacy Signal Plus Messenger Telegram User Security

Threat of Fake Signal and Telegram Apps: Protecting Your Privacy and Security


In today’s digital age, the use of messaging apps has become an integral part of our daily lives. Apps like Signal and Telegram have gained immense popularity due to their focus on privacy and security. 

However, with the rise in popularity of these apps, there has also been an increase in the number of fake apps that pose as extensions or premium versions of these popular messaging platforms. 

In this blog post, we will discuss the recent discovery of fake Signal and Telegram apps that have been found to sneak malware into thousands of Android phones.

The Discovery

Researchers at the cybersecurity firm ESET recently discovered fake apps in the Google and Samsung app stores that posed as extensions or premium versions of the popular messaging platforms Signal and Telegram. 

These malicious apps, called Signal Plus Messenger and FlyGram, were designed to steal user data. When users took certain actions, these fake apps could pull sensitive information from legitimate Signal and Telegram accounts, including call logs, SMS messages, locations and more.

The Implications

By stealing sensitive information from legitimate Signal and Telegram accounts, these malicious apps can compromise the privacy and security of users’ conversations. 

This can lead to identity theft, financial fraud, and other forms of cybercrime. It is therefore important for users to be vigilant when downloading apps from app stores and to only download apps from trusted sources.

Read more »
OpenAI
ChatGPT Cyber Fraud Cyber Scam Fake Apps Fake ChatGPT Apps Fleeceware OpenAI

Fake ChatGPT Apps may Fraud you out of Your Money


The growing popularity of ChatGPT has given online scammers a good chance to take it as an opportunity to scam its users. Numerous bogus apps have now been released on the Google Play Store and the Apple App Store as a result of the thrill surrounding this popular chatbot.

Cybersecurity firm Sophos has now made the users acknowledge the case of fake ChatGPT apps. It claims that downloading these apps can be risky, that they have almost no functionality, and that they are continually sending advertisements. According to the report, these apps lure unaware users into subscribing for a subscription that can costs hundreds of dollars annually.

How Does the Fake ChatGPT App Scam Work? 

Sophos refers these fake ChatGPT apps as fleeceware, describing them as ones that bombard users with adverts until they give in and purchase the subscription. These apps are purposefully made to only be used for a short period of time after the free trial period ends, causing users to remove them without realizing they are still obligated to make weekly or monthly membership payments.

According to the report, five investigated bogus ChatGPT apps with names like "Chat GBT" were available in order to deceive users and increase their exposure in the Google Play or App Store rankings. The research also claimed that whereas these fake apps charged users ranging from $10 per month to $70 per year, OpenAl's ChatGPT offers key functionality that could be used for free online. Another scam app named Genie lured users into subscribing for $7 weekly or $70 annually, generating $1 million in income over the previous month.

“Scammers have and always will use the latest trends or technology to line their pockets. ChatGPT is no exception," said Sean Gallagher, principal threat researcher, Sophos. "With interest in AI and chatbots arguably at an all-time high, users are turning to the Apple App and Google Play Stores to download anything that resembles ChatGPT. These types of scam apps—what Sophos has dubbed ‘fleeceware’—often bombard users with ads until they sign up for a subscription. They’re banking on the fact that users won’t pay attention to the cost or simply forget that they have this subscription. They’re specifically designed so that they may not get much use after the free trial ends, so users delete the app without realizing they’re still on the hook for a monthly or weekly payment."

While some of the bogus ChatGPT fleeceware have already been tracked and removed from the app stores, they are expected to resurface in the future. Hence, it is recommended for users to stay cautious of these fake apps, and make sure that the apps they are downloading are legitimate.

For users who have already download these apps are advised to follow protocols provided by the App Store or Google Play store on how to “unsubscribe,” since just deleting the bogus apps would not cancel one’s subscription.  

Read more »
Warren Buffett
cryptocurrency Cyber Crime Fake Apps Texas User Privacy Warren Buffett

Fake Crypto Website: Berkshire Hathaway Issues Warning




Warren Buffett's company Berkshire Hathaway Inc. issued a warning to investors on Friday stating that it is not associated with a fictitious cryptocurrency trading website that uses the Berkshire Hathaway brand.

According to the website's creator, a Texas-based broker was established in 2020 to offer investors the chance to earn a fully passive income through investments in cryptocurrency mining.

It concerns alleged client endorsements and claims that the broker is licensed in the US, UK, Cyprus, and South Africa while mispronouncing the names of two authorities. Its email format is different from Buffett's company's.

Buffett has always been wary of cryptocurrencies; despite a change in the public's opinion of bitcoin, Buffett still would not purchase it. He has a bias to view cryptocurrencies as passive investments that holders purchase with the expectation of long-term price growth.

At the Berkshire Hathaway annual shareholders meeting on Saturday, he said that the asset is not productive and produces nothing measurable.

"The entity that owns this web address has no affiliation with Berkshire Hathaway Inc. or its Chairman and CEO, Warren E. Buffett," according to a statement from Buffett's company, which claimed it learned about the website.

It has gained recognition as an investment asset in Western countries, especially during the past year as rates and inflation have increased. People continue to see great potential for its application as digital currency in other areas.

"Assets must provide someone with something in order to be valuable. Additionally, just one type of currency is recognized. You can think of all kinds of things; we can even put up Berkshire coins, but at the end of the day, this is money," remarked Warren Buffett, holding up a $20 bill.

Requests for comment from the website's owner were not immediately answered. Recent months have seen increased scrutiny of cryptocurrencies.

As a result of reports of $10 billion in client, assets were transferred from FTX to Bankman-trading Fried's firm Alameda Research, FTX declared bankruptcy and is now under investigation by American authorities.
Read more »
WhatsApp
Android Apps Data Fake Apps Mobile Phones Mobile Security Safety Scam Security SMS Access WhatsApp

This Unofficial WhatsApp Android App Caught Stealing Users’ Accounts

 

Kaspersky researchers discovered 'YoWhatsApp,' an unofficial WhatsApp Android app that steals access keys for users' accounts. Mod apps are promoted as unofficial versions of genuine apps that include features that the official version does not. 

YoWhatsApp is a fully functional messenger that supports extra features such as customising the interface and blocking access to specific chats. The tainted WhatsApp app requests the same permissions as the original messenger app, such as SMS access.

“To use the WhatsApp mod, users need to log in to their account of the legitimate app. However, along with all the new features, users also receive the Triada Trojan. Having infected the victim, attackers download and run malicious payloads on their device, as well as get hold of the keys to their account on the official WhatsApp app.” reported Kaspersky. 

“Along with the permissions needed for WhatsApp to work properly, this gives them the ability to steal accounts and get money from victims by signing them up for paid subscriptions that they are unaware of.”

This mod instals the Triada Trojan, which is capable of delivering other malicious payloads, issuing paid subscriptions, and even stealing WhatsApp accounts. More than 3,600 users have been targeted in the last two months, according to Kaspersky. The official Snaptube app promoted the YoWhatsApp Android app.

The malicious app was also discovered in the popular Vidmate mobile app, which is designed to save and watch YouTube videos. Unlike Snaptube, the malicious build was uploaded to Vidmate's internal store. YoWhatsApp v2.22.11.75 steals WhatsApp keys, enabling threat actors to take over users' accounts, according to Kaspersky researchers.

In 2021, Kaspersky discovered another modified version of WhatsApp for Android that offered additional features but was used to deliver the Triada Trojan. FMWhatsApp 16.80.0 is the modified version.

The experts also discovered the advertisement for a software development kit (SDK), which included a malicious payload downloader. The FMWhatsapp was created to collect unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) as well as the name of the app package in which they are deployed.

To be protected, the researchers advise:
  • Only install applications from official stores and reliable resources
  • Remembering to check which permissions you give installed applications – some of them can be very dangerous
  • Installing a reliable mobile antivirus on your smartphone, such as Kaspersky Internet Security for Android. It will detect and prevent possible threats.
Kaspersky concluded, “Cybercriminals are increasingly using the power of legitimate software to distribute malicious apps. This means that users who choose popular apps and official installation sources may still fall victim to them. In particular, malware like Triada can steal an IM account, and for example, use it to send unsolicited messages, including malicious spam. The user’s money is also at risk, as the malware can easily set up paid subscriptions for the victim.”


Read more »
Payment Fraud
Digital payment system Fake Apps Google Play Store Malware in Google Play Mobile Security Mobile Security News Payment Fraud

Japanese Payment System Attacked By Fake Security App

A new malware has been observed by the Research team at McAfee Corp. This malware is found to be attacking NTT DOCOMO customers in Japan. 

The malware that is distributed via the Google Play Store pretends to be a legitimate mobile security app, but in reality, it is a fraud malware designed to steal passwords and abuse reverse proxy focusing on NTT DOCOMO mobile service customers. 

The McAfee Cell Analysis team informed Google regarding the notoriety of the malware. In response, Google has made the application unavailable in Google Play Store and removed known Google Drive files that are associated with the malware. In addition to this, Google Play Shield has now alerted the customers by disabling the apps and displaying a warning. 

The malware publishes malicious fake apps on Google Play Store with various developer accounts that appear like some legitimate apps. According to a tweet by Yusuke Osumi, a Security Researcher at Yahoo, the attacker lures the victims into installing the malware in their systems by sending them an SMS message with a Google Play Store link, reportedly sent from overseas. Additionally, they entice the users by displaying a requirement to update their security software. 

This way, the victim ignorantly installs the fraudulent app from Google Play Store and ends up installing the malware. The malware asks the user for a community password but cleverly enough, it claims the password is incorrect, so the user has to enter a more precise password. It does not matter if the password is incorrect or not, as this community password can later be used by the attacker for the NTT DOCOMO fee services and gives way to online funds. 

Thereafter, the malware displays a fake ‘Mobile Security’ structure on the user’s screen; the structure of this Mobile Security structure interestingly resembles that of an outdated display of McAfee cell security. 

How does the malware function

A native library called ‘libmyapp.so’ written in Golang, is loaded through the app execution. When the library is loaded, it attempts to connect with C&C servers utilizing an Internet Socket. WAMP (Internet Software Messaging Protocol) is then employed to speak and initiate Distant Process Calls (DPC). When the link is formulated, the malware transmits the community data and the victim’s phone number, registering the client’s procedural commands. The connection is then processed when the command is received from the server like an Agent. Wherein, the socket is used to transmit the victim’s Community password to the attacker, when the victim enters his network password in the process.

The attacker makes fraudulent purchases using this leaked information. For this, the RPC command ‘toggle_wifi’ switch the victim’s Wi-Fi connection status, and a reverse proxy is provided to the attacker through ‘connect_to’. This would allow connecting the host behind a Community Handle Translation (NAT) or firewall. With the help of a proxy, now the attacker can ship by request through the victim’s community network. 

Along with any other methods that the attackers may use, the malware can also use reverse proxy to acquire a user’s mobile and network information and implement an Agent service with WAMP for fraudulent motives. Thus, it is always advised by Mobile Security Organizations to be careful while entering a password or confidential information into a lesser-known or suspicious application.

Read more »
Malicious actor
API Bug Data Breach Fake Apps Healthcare system HIPAA Malicious actor

A New Regulation Seeks to Secure Non-HIPAA Digital Health Apps

 

A guideline designed and distributed by several healthcare stakeholder groups strives to secure digital health technologies and mobile health apps, the overwhelming majority of which fall outside of HIPAA regulation. 

The Digital Health Assessment Framework was launched on May 2 by the American College of Physicians, the American Telemedicine Association, and the Organization for the Review of Care and Health Applications. The methodology intends to examine the use of digital health technologies while assisting healthcare leaders and patients in assessing the factors about which online health tools to employ. Covered entities must also adopt necessary administrative, physical, and technical protections to preserve the confidentiality, integrity, and availability of electronically protected health information, according to the Health Insurance Portability and Accountability Act Rules. 

Healthcare data security was never more critical, with cyberattacks on healthcare businesses on the rise and hackers creating extremely complex tools and tactics to attack healthcare firms. Before HIPAA, the healthcare field lacked a universally agreed set of security standards or broad obligations for protecting patient information. At the same time, new technologies were advancing, and the healthcare industry began to rely more heavily on electronic information systems to pay claims, answer eligibility issues, give health information, and perform a variety of other administrative and clinical duties. 

Furthermore, the Office for Civil Rights at the Department of Health and Human Services has enhanced HIPAA Rule enforcement, and settlements with covered businesses for HIPAA Rule violations are being reached at a faster rate than ever before. 

"Digital health technologies can provide safe, effective, and interacting access to personalized health and assistance, as well as more convenient care, improve patient-staff satisfaction and achieve better clinical outcomes," said Ann Mond Johnson, ATA CEO, in a statement. "Our goal is to provide faith that the health and wellness devices reviewed in this framework meet quality, privacy, and clinical assurance criteria in the United States," she added. 

Several health apps share personal information with third parties, leaving them prone to hacks. Over 86 million people in the US use a health or fitness app, which is praised for assisting patients in managing health outside of the doctor's office. HIPAA does not apply to any health app which is not advised for use by a healthcare provider. 

The problem is that the evidence strongly suggests the app developers engage in some less-than-transparent methods to compromise patient privacy. Focusing on a cross-sectional assessment of the top tier apps for depression and smoking cessation in the US and Australia, a study published in JAMA in April 2019 found that the majority of health apps share data to third parties, but only a couple disclosed the practice to consumers in one‘s privacy policies. 

Only 16 of the evaluated applications mentioned the additional uses for data sharing, despite the fact that the majority of the apps were forthright about the primary use of its data. 

According to the aforementioned study, nearly half of the apps sent data to a third party yet didn't have a privacy policy. But in more than 80% of cases, data was shared with Google and Facebook for marketing purposes. 

Another study published in the British Medical Journal in March 2019 discovered that the majority of the top 24 health education Android applications in the USA linked user data without explicitly informing users. In 2021, a study conducted by Knight Ink and Approov found that the 30 most popular mHealth apps are highly vulnerable to API hacks, which might result in the exploitation of health data. Only a few app developers were found in violation of the Federal Trade Commission's health breach rule. 

The guideline from ACP, ATA, and ORCHA aims to help the healthcare industry better comprehend product safety. "There has been no clear means to establish if a product is safe to use in a field of 365,000 goods, where the great majority fall outside of existing standards, such as medical device regulations, federal laws, and government counsel," as per the announcement. 

The implementation of digital health, covering condition management, clinical risk assessment, and decision assistance, is hampered by a lack of direction. The guide is a crucial step in identifying and developing digital health technologies which deliver benefits while protecting patient safety, according to ACP President Ryan D. Mire, MD. The guidelines were developed using the clinical expertise of ACP and ATA members, along with ORCHA's app assessment experience.

ACP also launched a pilot test of digital health solutions that were evaluated against the new framework in conjunction with the new framework. Mire hopes that the trial will assist providers to identify the most effective features for recommending high-value digital health technologies to patients and identify potential impediments to extensive digital health adoption.
Read more »
Playstore
Android Android Phone Android Users Fake Apps Mobile Security Playstore

Alert: Android Users Should Delete These 151 Apps Immediately

 

A total of 151 scam applications have been identified and deleted from the Google Play Store, but Android users should double-check that none of them is installed.

Avast, a cybersecurity software company, has detected a massive premium SMS fraud running on the official Google Play Store, according to BGR. It's been termed the UltimaSMS campaign by Avast (because the first scam software uncovered during the investigation was Ultima Keyboard 3D Pro), and it's made up of 151 fraudulent applications that have been downloaded over 10.5 million times in over 80 countries. 

Custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games are just some of the applications that are disguised as legitimate tools. However, they all have the same goal in mind: to sign users up for premium SMS services. 

Every app follows the same methodology: The area code and language to use are determined by checking the phone's location, International Mobile Equipment Identity (IMEI), and phone number once it has been installed. Prompts then ask for the user's phone number and, in some instances, their email address. 

This information is then utilised to sign them up for premium SMS services without the user's knowledge. The charges are typical $40 or more each month, and users may not be aware of them for weeks or months. Once an UltimaSMS app has reached its objective, it often stops running or advertises more subscription choices instead of the promised features. The concern is that premium subscriptions will continue to deduct money from users' accounts even if they remove the app. 

Avast compiled a list of all 151 applications involved in the fraud and every Android user should examine it. If anyone has any of these applications installed (or have had them installed in the past), uninstall them immediately. 

However, if anyone notices any unexpected charges, examine the statements and contact the carrier. If users wish to avoid this sort of fraud in the future, then should ask their carrier to disable premium SMS options on the account.
Read more »
Japan Cyber Security
Data Breach data security Fake Apps Japan Cyber Security

New Android Spyware Threat Poses as Antivirus in Japan

 

Japanese cybersecurity intelligence recently identified the latest advanced mutant of the FakeCop info stealer impersonating a legit privacy service provider Android app by NTT Docomo known as ‘Anshin Security.’ 

In the wake of the attack other antivirus service companies are on red alert as spyware acquires a wide range of users’ data by promising protection against the spyware. The fake app offers an anti-virus tool against the spyware but it instead installs malware on the user’s device. 

According to the cybersecurity firm Cyble, spyware sends a malicious APK in phishing links via email or SMS imitating the Japanese company KDDI. Alongside, the malware has also been identified as being recorded on 22 out of 62 AV engines on VirusTotal, which hints at the fact that the malware has been developed to stay hidden across many parameters. 

Hackers collect confidential information of users such as contacts, accounts information, SMS, and apps list. It does not end here, hackers also alter or delete SMSs in the device database, device hardware information (IMEI), and send SMS without the user’s knowledge. 

Further, for users' safety, the organization will look into other antivirus software and flag them as malicious. Users are suggested to remove the current app and use the latest versions of Google Play Protect, activate them. Lastly, users are also recommended to avoid clicking on unidentified links.

Security experts say that supposedly, FakeCop has similar origins as Flubot and Medusa as similar to these two malware, it also employs free dynamic DNS 'duckdns.org' to deliver.
Read more »
WhatsApp
Fake Apps Google Play Store malware Netflix WhatsApp

Fake Netflix App Spreads Malware via WhatsApp Messages

 

Researchers have discovered malware camouflaged as a Netflix application, prowling on the Google Play store, spread through WhatsApp messages. As per a Check Point Research analysis released on Wednesday, the malware took on the appearance of an application called "FlixOnline," which publicized by the means of WhatsApp messages promising "2 Months of Netflix Premium Free Anywhere in the World for 60 days." But once installed, the malware begins stealing information and credentials.

The malware was intended to monitor incoming WhatsApp messages and automatically react to any that the victims get, with the content of the response crafted by the adversaries. The reactions attempted to bait others with the proposal of a free Netflix service, and contained links to a phony Netflix site that phished for credentials and credit card information, analysts said. 

“The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobiles,” according to the analysis. “However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.” Once you install the FlixOnline application from the Play Store, it asks for three sorts of authorizations: screen overlay, battery optimization ignore, and notification. Researchers from Check Point noticed that overlay is utilized by malware to make counterfeit logins and steal client credentials by making counterfeit windows on top of existing applications. 

The malware was additionally able to self-propagate, sending messages to client's WhatsApp contacts and groups with links to the phony application. With that in mind, the computerized messages read, “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [Bitly link].”

“The malware’s technique is fairly new and innovative,” Aviran Hazum, manager of Mobile Intelligence at Check Point, said in the analysis. “The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags.”
Read more »
Google Play Store
Adware Cyber Fraud Fake Apps Google Play Store

Sneaky Android adware hides its own icon to avoid removal – find out how to get rid of it!



Security researchers at SophosLabs have discovered 15 apps in the Play Store that contain a manipulative strain of adware that hides its own icon in the launcher to avoid being uninstalled by making the process unusually difficult for the users, it disguises itself as a harmless system app. There is a possibility of more such apps being present on the Play Store beside these 15 discovered ones. Some apps of similar nature have gone a step further and were found upon opening the phone’s App Settings page, hidden beneath names and icons that make them appear as legitimate system apps.

Some people tend to download an app, without giving its requirement much of a thought or consideration, the habit may have led you into inadvertently downloading these malicious apps such as QR code reading, free calls and messaging, phone finder, backup utilities and image editor apps which have adware embedded in them and serve no purpose at all other than to generate revenues for the developers by displaying intrusive advertisements. To exemplify, Flash on Calls & Messages – aka Free Calls & Messages is one such app, which shows a fake error message when the user launches it, telling the user that it is incompatible with his device. Then the user is directed to the Google Play Store entry for Google Maps, to mislead the user into believing that the Maps app is the reason for the crash, which is not at all true.

On Google Play Store, most of these camouflaged apps receive negative ratings and reviews which highlight the disappointments and the issues faced by users while using the app. More than 13 lakh phones were populated by these malicious apps, according to SophosLabs.

Quoting Andrew Brandt, principal researcher at SophosLabs, "To stay safe when downloading apps from the Google Play Store, users are advised to read reviews and sort them by most recent and filter out the positive four and five-star reviews with no written text,"

"App developers have, for years, embedded ad-code into their apps as a way to help defray the costs of development, but some developers simply use their apps as a borderline-abusive platform solely to launch ads on mobile devices," he added.

How to get rid of adware apps? 

Referencing from the advise given by Andrew Brandt, "If you suspect that an app you recently installed is hiding its icon in the app tray, tap Settings (the gear menu) and then Apps & Notifications. The most recently opened apps appear in a list at the top of this page."

"If any of those apps use the generic Android icon (which looks like a little greenish-blue Android silhouette) and have generic-sounding names (‘Back Up,’ ‘Update,’ ‘Time Zone Service’) tap the generic icon and then tap ‘Force Stop’ followed by ‘Uninstall.’ A real system app will have a button named ‘Disable’ instead of ‘Uninstall’ and you don’t need to bother disabling it."

"To stay safe when downloading apps from the Google Play Store, users are advised to read reviews and sort them by most recent and filter out the positive four and five-star reviews with no written text,"

"If several reviews mention specific undesirable behavior, it's likely best to avoid that particular app," he says. 
Read more »
User Security
Chinese developers Fake Apps Google malware User Security

Google Takes Down Around 46 Apps by Chinese Developers from its Play Store


Last week, around 46 apps by a Chinese developer, iHandy were taken down by Google from its Play Store. Initially, Google declined to provide reasons for the sudden removal of various security, horoscope, selfie, health and antivirus related apps which were downloaded over millions of times.

However, a total of eight apps were still present on Google’s Play Store, until three more were taken down, as per a Buzzfeed report. The Chinese company, established in the year 2008, claims to have almost 180 million monthly active users in more than 200 countries across the globe. Currently going through investigations, iHandy is one of the world’s largest mobile application developers.

In a conversation with Buzzfeed, iHandy VP Simon Zhu, while expressing how they found Google’s takedown quite unexpected, said “It is an unexpected action from our point of view. We are trying to find out the reasons. Hope the apps will be back to Play Store as soon as possible.”

Notably, Google has taken down apps made by Chinese developers in the past as well for various reasons; in this case, the removal is triggered by deceptive and disruptive ads. In August this year, after Trend Micro discovered malware inside certain apps, Google removed a total of 85 apps from its Play Store, most of these apps were related to gaming or photography and had more than 8 million downloads. The most popular names among these infected apps included, ‘Super Selfie’, ‘Cos Camera’, ‘One Stroke Line Puzzle’ and ‘Pop Camera’.

To exemplify, a very popular app known as ‘Sweet Camera- Selfie Beauty Camera, Filters’ which had over 50 million downloads was also removed in the process and it is not to be found on the Indian Play Store either.

Researchers discovered that all of these infected apps were put on the Play Store via distinct developer accounts and were signed by non-identical digital certificates, but they exhibited the same behaviors and shared a similar code.

Referenced from the statements given by Google’s spokesperson, "Our Google Play developer policies are designed to help create the best experience for users, and we explicitly prohibit deceptive or disruptive ads. When violations are found, we take action,"
Read more »
Malware in Google Play
Android Malware Apps Fake Apps Google Google Play Malware in Google Play

Google removes 16 apps infected by 'Agent Smith' malware

Every now and then, Android keeps getting visited from deadly malware attacks that put user and their data at lots of risks. This time, it's a new malware called Agent Smith and like its name, this malware is sneaky in what it's designed to do - bombard your phone with ads. Agent Smith also has properties to stick to other apps installed on the phone and ensure that the malware infection stays the same. The malware was first detected by Check Point and after working with Google, the infected apps have been removed from Google Play Store.

After it was informed of the infection, Google has identified and removed 16 apps from the Play Store that are known to be infected by Agent Smith. These apps are no longer available for download from the Play Store and there won't be further updates for these apps via the Play Store. However, Google can only remove the app from the Play Store but it can't wipe these apps from an individual's Android phone. Hence, if you have the following apps installed on your Android phone, you should uninstall them immediately.

Ludo Master - New Ludo Game 2019 For Free

Sky Warriors: General Attack

Color Phone Flash - Call Screen Theme

Bio Blast - Infinity Battle Shoot virus

Shooting Jet

Photo Projector

Gun Hero - Gunman Game for Free

Cooking Witch

Blockman Go: Free Realms & Mini Games

Crazy Juicer - Hot Knife Hit Game & Juice Blast

Clash of Virus

Angry Virus

Rabbit Temple

Star Range

Kiss Game: Touch Her Heart

Girl Cloth Xray Scan Simulator

However, Agent Smith can cling on to other popular apps and make it difficult for users to identify which app has been affected by it. Two most popular apps in India include WhatsApp - through which it has infected 1.5 crore Android phones, and Flipkart.
Read more »
Google Play Store
Android Android Applications Apps Fake Apps Google Google Play Store

Over 2,000 malicious apps exists on Play Store

If you thought that the quality control issues plaguing the Google Play Store for Android were finally being ironed out, it couldn't be further from the truth. A two-year-study by the University of Sydney and CSIRO’s Data61 has come to the conclusion that there are at least 2,040 counterfeit apps on Google Play Store. Over 2,000 of those apps impersonated popular games and had malware. The paper, a Multi-modal Neural Embedding Approach for Detecting Mobile Counterfeit Apps, was presented at the World Wide Web Conference in California in May documenting the results.

The study shows that there is a massive number of impersonated popular gaming apps available on Play store. They include fake versions of popular games such as Temple Run, Free Flow and Hill Climb Racing. The study investigated around 1.2 million apps on Google Play Store, available in Android, and identified a set of potential counterfeits for the top 10,000 apps.

Counterfeit apps impersonate popular apps and try to misguide users`. “Many counterfeit apps can be identified once installed. However, even a tech-savvy user may struggle to detect them before installation,” the study says.

It also points out that fake apps are often used by hackers to steal user data or infect a device with malware. “Installing counterfeit apps can lead to a hacker accessing personal data and can have serious consequences like financial losses or identity theft,” reads a blog post by the university.

The study also found that 1,565 asked for at least five dangerous permissions and 1407 had at least five embedded third-party ad libraries.

To investigate these applications on Google Play store the researchers used neural networks.

Google has acknowledged the problem of “malicious apps and developers” in a blog post by Google Play product manager Andrew Ahn on February 13, 2019.

According to Google, the company now removes malicious developers from Play store much faster when compared to previous years. The company says that in 2018 it stopped more malicious apps from entering the store than ever before.

A Google spokesperson, in response to a TOI email, said, “When we find that an app has violated our policies, we remove it from Google Play.”
Read more »
Internet Security.
Fake Apps Fraud Internet Security.

Indian Internet Companies Suffering Fake App Installations




Several companies nowadays spend lump sum amount on making their applications stand out in the midst of the rest. Getting somebody to install a mobile application once can be a challenge, however toss in a touch of little something beneficial and they might be willing to download the application multiple times.

India's biggest mobile payments company Paytm's , senior VP Deepak Abbot says that this is a problem that they encounter on a daily basis and more unbridled on third-party platforms or even ad networks outside Facebook and Google.

As indicated by him, a few systems, lure users to install an application by offering something as irrelevant as cash backs or other benefits, for example, recharge packs.

What's more is that is to avail such incentives,, utilizing different internet addresses or device IDs a few users do install and uninstall such applications numerous times.

As indicated by the official report by the company around 20% of Paytm app downloads are fake, that alludes to users installing and deleting the application without investing any time or energy in it or participating in any exchange, bringing about nil returns on the cost incurred in motivating users to install the application.

Indian internet companies are as of now thinking about a sharp increment in such cases of mobile fraud even as rising traffic to their mobile platforms and driving application installation have turned out to become critical for development in a hyper-competitive environment. 

In a report last year by the US advertising and marketing company TUNE the extortion identified with mobile app installations in India is 1.7 times higher than the worldwide average, with 16.2% of the application installations in the nation being false.

 “India is the No. 1 country in terms of organic and inorganic app installs but we have seen an 85% increase in fraudulent installs of apps in the last one year,” said Sanjay Trisal, country manager, India, at Tel Aviv- “While the incentive for fraud in terms of parameters such as money made per click is much higher in other markets, India is an attractive country for fraudsters due to the sheer volume of installs” headquartered by the mobile marketing analytics and attribution firm AppsFlyer that works with more than 450 companies here including Shopclues, Paytm and Goibibo.
The most prevalent mobile frauds in India include:

·       Click fraud,’ which pertains to an ad network generating fake clicks;
·       Attribution fraud,’ or claiming credit for an app installation even if a user has downloaded the app through organic channels;
·       Device fraud,’ wherein multiple installations are claimed from the same device by changing the device’s unique IMEI number using software;
·       IP fraud,’ which involves multiple clicks from a blacklisted IP address;
·        Incentive fraud,’ wherein users are incentivised to install an app, which doesn’t result in lasting engagement.

 “Everyone is getting smarter, and the worst part is fraud networks wrongly claiming (an app installation to be)… coming from (their) network. That’s the worst part because I am having to pay for a loyal person (user) whom I actually need not be paying for ”said Pawrush Elavia, director, growth and digital, at music streaming company Saavn.

Albeit paying advertisement networks helped the increment of the quantity of new users for Saavn, a few of these clients were neither tuning in to nor spending time on the application, and that was the end point that Elavia acknowledged they needed to fix.

Companies are now adopting to various strategies to counter the hazard but there is yet no full proof solution for it.

Some are putting resources into building misrepresentation detection technologies , while others are banding together with platforms that have practical experience  and specialise in distinguishing such frauds.

Because of this mayhem the Paytm competitor MobiKwik, which had been working with in excess of 25 ad networks to acquire more clients, has turned out to be exceptionally choosy about whom it works with.

 “We have blacklisted a few ad networks, although that is not a permanent solution but we’re also working very closely with attribution companies to detect fraud cases early on, while we want our folks to focus on growth,” said Damandeep Singh Soni, head of marketing and growth at MobiKwik.

With paid marketing channels becoming increasingly unreliable,  internet companies are trimming expenditure on paid channels in a big way too.

Ad networks say they, too, are engaged in battling fraud as they work both with advertisers and publishers. “All major ad networks are working towards a fraud-free system, where they are challenged by increasingly evolving fraudsters on one hand and insufficient transparency from the marketer on the other,” said Dippak Khurana, CEO of ad network Vserv, which is backed by IDG Ventures India and Maverick Capital Ventures.

The company has engaged with independent companies that provide mobile fraud-detection tools. “The challenge is in our category is that if we use the push approach, it doesn’t work because then the uninstalls become really, really high. We have moved away from that approach,” said Sneha Roy, head of marketing at online furniture retailer UrbanLadder that mainly works with Facebook and Google to get past users to install its app again. “We let customers browse through our mobile website and develop some engagement that kind of pushes installs.”

Nevertheless in spite of it all there are still several internet companies, which are trying their level best  to move away from such rabidly chasing new installations and are instead focusing on improving engagement with users.


Read more »
Subscribe to: Posts (Atom)