Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Google Play Store. Show all posts

Necro Trojan Uses Steganography to Attack 11 Million Devices

Necro Trojan Uses Steganography to Attack 11 Million Devices

Necro Trojan, which has recently made headlines for its innovative use of steganography has compromised over 11 million Android devices. This blog delves into the intricacies of this malware, how it works, and its impact on cybersecurity.

Understanding the Necro Trojan

The Necro Trojan, also known as Necro Python, is a versatile and highly adaptive piece of malware. Its primary strength lies in its modular architecture, allowing it to perform various malicious activities. 

These include displaying invisible ads, executing arbitrary code, and subscribing users to premium services without their consent. However, what sets the Necro Trojan apart is its use of steganography—a technique that involves hiding malicious code within seemingly innocuous files, such as images.

The Role of Steganography

Steganography is an ancient practice where hidden messages were concealed within other forms of communication. This technique has been repurposed in the digital age for more scandalous ends. 

The Necro Trojan is a complex, multi-stage Android malware that has managed to infiltrate both Google Play and unofficial app sources, impacting over 11 million devices. It targets popular apps such as Wuta Camera, Max Browser, and modified versions of Spotify, WhatsApp, and Minecraft.

Necro uses advanced evasion techniques, including obfuscation with OLLVM, steganography to conceal payloads in PNG images, and a modular architecture for versatility. The infection process begins with a loader that connects to C2 servers, often utilizing Firebase Remote Config.

The Trojan’s plugins (NProxy, island, web, Happy SDK, Cube SDK, and Tap) perform various tasks, from creating tunnels through victim devices to manipulating ad interactions. Its self-updating capability and use of reflection to integrate privileged WebView instances within processes help it bypass security measures.

How Necro Trojan Impacts Android Devices

The scale of the Necro Trojan’s impact is staggering. With over 11 million Android devices compromised, the malware has demonstrated its ability to spread rapidly and efficiently. 

The consequences for affected users can be severe, ranging from unauthorized financial transactions to significant data breaches. Moreover, the Trojan’s ability to execute arbitrary code means that it can be used to deploy additional malware, further compounding the threat.

MoS Finance Comments Google's Swift Response in Removing 2,200 Deceptive Loan Apps

 


According to the government, over 2,200 fraudulent loan apps have been suspended or removed from Google's Play Store between September 2022 and August 2023, as outlined in a written statement issued by the government on Tuesday. 

As per a written reply to a Rajya Sabha question, Minister of State for Finance Bhagwat K Karad said the government has been in constant contact with the Reserve Bank of India (RBI) and other regulators and stakeholders to control fraudulent loan apps. 

Based on the information provided by MeitY (Ministry of Electronics and Information Technology), it seems that Google has reviewed about 3,500 to 4,000 loan apps between April 2021 and July 2022 and has suspended or removed over 2,500 of those apps from its Play Store during this period. 

It was stated that the Reserve Bank of India has released a set of regulatory guidelines that aim to strengthen the regulatory framework for digital lending and to make sure the customer's safety and well-being are protected, as well as ensuring a safe and secure digital lending ecosystem so that, ultimately, a more secure digital lending environment can be created. 

Several regulatory guidelines have been issued by the Reserve Bank of India on digital lending, according to the minister, aimed at strengthening the regulatory framework for digital lending, improving customer protection, and making the digital lending ecosystem a safer and healthier place to operate. 

The Indian Cyber Crime Coordination Centre (I4C), Ministry of Home Affairs (MHA) has been continuously analysing digital lending apps, he said. The Minister of State of Finance, MoS Karad, revealed that the government has been actively working with regulatory authorities like the Reserve Bank of India to reduce the number of illegal loan apps in the country. 

To mitigate vulnerabilities in the Indian financial system, Karad stressed the need for timely action by the Indian government to maintain cybersecurity preparedness. According to him, one of the efforts in this regard had been the RBI sharing with MeitY an exclusive list of 442 unique digital lending applications for whitelisting, a list which had also been shared with Google and was part of a similar effort. 

In the preceding two and a half years of collaborating with the tech giant, MeitY has removed or suspended over 4,700 fraudulent loan apps from the Google Play Store due to its collaboration with MeitY. The purge was carried out between April 2021 and July 2022 by Karad. After that, another 2,200 apps were removed between September 2022 and August 2023 by Karad. 

As per Karad, about 2,500 loan apps were taken down between April 2021 and July 2022. In addition to that, the minister also pointed out that Google has implemented stricter policies regarding the enforcement of loan apps on its Play Store, only allowing those apps that are created by regulated entities or those that are affiliated with them. 

Aside from this, it was also mentioned that the RBI has issued regulatory guidelines on digital lending in tandem with the actions mentioned above, to enhance customer protection in the digital lending ecosystem by strengthening the regulatory framework and fortifying oversight. As part of its efforts to combat cybercrime, the Indian Cybercrime Coordination Centre (I4C) is actively monitoring digital lending applications under the Ministry of Home Affairs. 

A national cybercrime reporting portal and a dedicated helpline number have been established by the union home ministry to give citizens the ability to report cybercrime incidents, including those related to illegal loan apps. 

The government of India and the Reserve Bank of India have undertaken several awareness initiatives, such as social media safety tips, educational handbooks, and campaigns to combat cybercrime, as part of their efforts to raise public awareness. 

According to the minister, the government will maintain vigilance, take regulatory actions, and conduct awareness campaigns, including e-BAAT, electronic banking awareness and training (e-BAAT) programs run by the Reserve Bank of India, to combat cybercrimes, particularly those relating to fraudulent loan apps. 

Since JanSamarth launched its portal at the end of last year, more than 1,83,903 beneficiaries have applied for loans via the JanSamarth portal, reaching a total of more than 2,10,000 beneficiaries. During 2022-23, Karad reportedly reported 7,25 cases of fraud related to UPI in a separate response. In total, there were 573 crores involved in these fraud cases, which amounts to a large amount of money.

17 Risky Apps Threatening Your Smartphone Security

Users of Google Android and Apple iPhone smartphones have recently received a vital warning to immediately remove certain apps from their devices. The programs that were found to be potentially dangerous have been marked as posing serious concerns to the security and privacy of users.

The alarming revelation comes as experts uncover 17 dangerous apps that have infiltrated the Google Play Store and Apple App Store, putting millions of users at risk of malware and other malicious activities. These apps, primarily disguised as loan-related services, have been identified as major culprits in spreading harmful software.

The identified dangerous apps that demand immediate deletion include:

  1. AA Kredit
  2. Amor Cash
  3. GuayabaCash
  4. EasyCredit
  5. Cashwow
  6. CrediBus
  7. FlashLoan
  8. PréstamosCrédito
  9. Préstamos De Crédito-YumiCash
  10. Go Crédito
  11. Instantáneo Préstamo
  12. Cartera grande
  13. Rápido Crédito
  14. Finupp Lending
  15. 4S Cash
  16. TrueNaira
  17. EasyCash

According to a report by Forbes, the identified apps can compromise sensitive information and expose users to financial fraud. Financial Express also emphasizes the severity of the issue, urging users to take prompt action against these potential threats.

Google's Play Store, known for its extensive collection of applications, has been identified as the main distributor of these malicious apps. A study highlights the need for users to exercise caution while downloading apps from the platform. The study emphasizes the importance of app store policies in curbing the distribution of harmful software.

Apple, recognizing the gravity of the situation, has announced its intention to make changes to the App Store policies. In response to the evolving landscape of threats and the increasing sophistication of malicious actors, the tech giant aims to enhance its security measures and protect its user base.

The urgency of the situation cannot be overstated, as the identified apps can potentially compromise personal and financial information. Users must heed the warnings and take immediate action by deleting these apps from their devices.

The recent discovery of harmful programs penetrating well-known app shops serves as a sobering reminder of the constant dangers inherent in the digital world. Users need to prioritize their internet security and be on the lookout. In an increasingly linked world, it's critical to regularly check installed apps, remain aware of potential threats, and update device security settings.



Google CEO Warns of Potential Security Risks Associated with Sideloading Apps

 

In recent years, sideloading apps, the practice of installing apps from sources outside of official app stores, has gained significant traction. While Android has always embraced this openness, Apple is now facing pressure to follow suit. 

This shift in dynamics is evident in the ongoing legal battle between Google and Epic Games, where Epic Games accuses Google of stifling competition by imposing high fees on app developers.

Google CEO Sundar Pichai has defended Google's stance, citing security concerns associated with sideloading apps. He emphasizes that Google's policies, exemplified by Android's diverse device designs, foster innovation and provide users with choices.

However, Pichai's emphasis on security raises eyebrows, as Android has always been known for its open-source nature and embrace of sideloading. His focus on potential malware infections seems to be a tactic to instill fear among users. In reality, Google's Play Protect feature is only a recent addition for screening sideloaded apps.

Critics argue that sideloading empowers Google with greater control over the apps users can access. While Google maintains that the Play Store provides the highest level of security, a study by Kaspersky Labs contradicts this claim, revealing that over 600 million malicious app downloads occurred from the Google Play Store in 2023 alone.

Apple's staunch opposition to sideloading stems from its desire to retain control over the app distribution process on iPhones. However, both Apple and Google are undoubtedly aware of the 30% commission they charge developers for hosting apps on their respective app stores. This hefty fee has driven companies like Epic Games to explore alternative distribution channels.

The debate over sideloading highlights the growing tension between app developers, app store operators, and users. As the battle for app distribution intensifies, it remains to be seen whether sideloading will become a mainstream practice or remain a niche alternative.

Malware Surge in Google Play: A Threat to Millions

Smartphone users, supposing some degree of security, largely rely on app stores to download software in an era dominated by digital innovations. But new information has revealed an increasingly serious issue: malware has been infiltrated into the Google Play Store, endangering millions of users.

According to a report by Kaspersky, over 600 million malicious app downloads were recorded in 2023 alone, exposing the vulnerability of one of the world's largest app marketplaces. The malware, often disguised as seemingly harmless applications, has successfully bypassed Google's security protocols, raising questions about the effectiveness of current preventive measures.

The malware threat is not new, but the scale and audacity of recent attacks are alarming. Cybercriminals are exploiting popular and common apps to spread malware, as highlighted in a detailed investigation by The Hindu. By injecting malicious code into seemingly innocuous apps, these cybercriminals trick users into downloading and installing malware unknowingly, leading to potential data breaches, identity theft, and other serious consequences.

Google's response to this issue has come under scrutiny, especially considering its claim to have stringent security measures in place. The tech giant's inadvertent approval of malware-infected apps has been dubbed a "goof-up" by experts. Firstpost reported that Google's failure to detect and remove these malicious apps in a timely manner has allowed them to accumulate a staggering number of downloads.

The implications of this cybersecurity lapse extend beyond individual users to corporations and organizations relying on Google Play Store for distributing enterprise applications. The potential for malware to infiltrate corporate networks through compromised devices is a significant threat that cannot be ignored.

Users and tech businesses alike have a responsibility to put cybersecurity first as we navigate an increasingly digital world. When downloading apps, users should be cautious and watchful, making sure to confirm the legitimacy of the developers and carefully reviewing the permissions of each app. To protect their users, digital companies must simultaneously make investments in stronger security measures, evaluate apps carefully, and take prompt action to eliminate any threats that are found.

The rise in malware within the Google Play Store serves as a stark reminder that no digital platform is immune to cyber threats. It is imperative for the tech industry to collaborate and innovate continuously to stay ahead of cybercriminals, ensuring the safety and security of the ever-expanding digital ecosystem. The onus is on all stakeholders to collectively address this escalating challenge and fortify the defenses of our digital future.

Google Removes 22 Malicious Android Apps Exposed by McAfee

Google recently took action against 22 apps that are available on the Google Play Store, which has alarmed Android users. These apps, which have been downloaded over 2.5 million times in total, have been discovered to engage in harmful behavior that compromises users' privacy and severely drains their phone's battery. This disclosure, made by cybersecurity company McAfee, sheds light on the hidden threats that might be present in otherwise innocent programs.

These apps allegedly consumed an inordinate amount of battery life and decreased device performance while secretly running in the background. Users were enticed to install the programs by the way they disguised themselves as various utilities, photo editors, and games. Their genuine intentions, however, were anything but harmless.

Several well-known programs, like 'Photo Blur Studio,' 'Super Smart Cleaner,' and 'Magic Cut Out,' are on the list of prohibited applications. These applications took use of background processes to carry out tasks including sending unwanted adverts, following users without their permission, and even possibly stealing private data. This instance emphasizes the need for caution while downloading apps, especially from sites that might seem reliable, like the Google Play Store.

Google's swift response to remove these malicious apps demonstrates its commitment to ensuring the security and privacy of its users. However, this incident also emphasizes the ongoing challenges faced by app marketplaces in identifying and preventing such threats. While Google employs various security measures to vet apps before they are listed, some malicious software can still evade detection, slipping through the cracks.

As a precautionary measure, users are strongly advised to review the apps currently installed on their Android devices and uninstall any that match the names on the list provided by McAfee. Regularly checking app permissions and reviews can also provide insights into potential privacy concerns.

The convenience of app stores shouldn't take precedence over the necessity of cautious and educated downloading, as this instance offers as a sharp reminder. Users must actively participate in securing their digital life as fraudsters become more skilled. A secure and reliable digital environment will depend on public understanding of cybersecurity issues as well as ongoing efforts from internet behemoths like Google.

Beware of Fake ChatGPT Apps: Android Users at Risk

In recent times, the Google Play Store has become a breeding ground for fraudulent applications that pose a significant risk to Android users. One alarming trend that has come to light involves the proliferation of fake ChatGPT apps. These malicious apps exploit unsuspecting users and gain control over their Android phones and utilize their phone numbers for nefarious scams.

Several reports have highlighted the severity of this issue, urging users to exercise caution while downloading such applications. These fake ChatGPT apps are designed to mimic legitimate AI chatbot applications, promising advanced conversational capabilities and personalized interactions. However, behind their seemingly harmless facade lies a web of deceit and malicious intent.

These fake apps employ sophisticated techniques to deceive users and gain access to their personal information. By requesting permissions during installation, such as access to contacts, call logs, and messages, they exploit the trust placed in them by unsuspecting users. Once granted these permissions, the apps can hijack an Android phone, potentially compromising sensitive data and even initiating unauthorized financial transactions.

One major concern associated with these fraudulent apps is their ability to utilize phone numbers for scams. With access to a user's contacts and messages, these apps can initiate fraudulent activities, including spamming contacts, sending phishing messages, and even making unauthorized calls or transactions. This not only puts the user's personal information at risk but also jeopardizes the relationships and trust they have built with their contacts.

To protect themselves from falling victim to such scams, Android users must remain vigilant. Firstly, it is crucial to verify the authenticity of an app before downloading it from the Google Play Store. Users should pay attention to the developer's name, ratings, and reviews. Furthermore, they should carefully review the permissions requested by the app during installation, ensuring they align with the app's intended functionality.

Google also plays a vital role in combating this issue. The company must enhance its app review and verification processes to identify and remove fake applications promptly. Implementing stricter guidelines and employing advanced automated tools can help weed out these fraudulent apps before they reach unsuspecting users.

In addition, user education is paramount. Tech companies and cybersecurity organizations should actively spread awareness about the risks of fake apps and provide guidance on safe app usage. This can include tips on verifying app authenticity, understanding permission requests, and regularly updating and patching devices to protect against vulnerabilities.

As the prevalence of fake ChatGPT apps continues to rise, Android users must remain cautious and informed. By staying vigilant, exercising due diligence, and adopting preventive measures, users can safeguard their personal information and contribute to curbing the proliferation of these fraudulent applications. The battle against fake apps requires a collaborative effort, with users, app stores, and tech companies working together to ensure a safer digital environment for all.

Mozilla Research Lashes Out Google Over ‘Misleading’ Privacy Labels on Leading Android Apps


An investigation, conducted by the Mozilla Foundation, into the data safety labels and privacy policy on the Google Play Store has exposed some severe loopholes that enable apps like Twitter, TikTok, and Facebook to give inaccurate or misleading information about how user data is shared. 

The study was conducted between the 40 most downloaded Android apps, out of which 20 were free apps and 20 were paid, on Google Play and found that nearly 80% of these apps disclose misleading or false information. 

The following findings were made by the Mozilla researchers: 

  • 16 of these 40 apps including Facebook and Minecraft, had significant discrepancies in their data safety forms and privacy policies. 
  • 15 apps received the intermediate rating, i.e. “Need Improvement” indicating some inconsistencies between the privacy policies and the Data Safety Form. YouTube, Google Maps, Gmail, Twitter, WhatsApp Messenger, and Instagram are some of these applications. 
  • Only six of these 40 apps were granted the “OK” grade. These apps included Candy Crush Saga, Google Play Games, Subway Surfers, Stickman Legends Offline Games, Power Amp Full Version Unlocker, and League of Stickman: 2020 Ninja. 

Google’s Data Privacy Section 

Google apparently launched its data privacy section for the Play Store last year. This section was introduced in an attempt to provide a “complete and accurate declaration” for information gathered by their apps by filling out the Google Data Safety Form. 

Due to certain vulnerabilities in the safety form's honor-based system, such as ambiguous definitions for "collection" and "sharing," and the failure to require apps to report data shared with "service providers," Mozilla claims that these self-reported privacy labels may not accurately reflect what user data is actually being collected. 

In regards to Google’s Data Safety labels, Jen Caltrider, project lead at Mozilla says “Consumers care about privacy and want to make smart decisions when they download apps. Google’s Data Safety labels are supposed to help them do that[…]Unfortunately, they don’t. Instead, I’m worried they do more harm than good.” 

In one instance in the report, Mozilla notes that TikTok and Twitter both confirm that they do not share any user data with the third parties in their Data Safety Forms, despite stating that the data is shared with the third parties in their respective privacy policies. “When I see Data Safety labels stating that apps like Twitter or TikTok don’t share data with third parties it makes me angry because it is completely untrue. Of course, Twitter and TikTok share data with third parties[…]Consumers deserve better. Google must do better,” says Caltrider. 

In response to the claim, Google has been dismissing Mozilla’s study by deeming its grading system inefficient. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data safety labels, which inform users about the data that a specific app collects[…]The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information,” says a Google spokesperson. 

Apple, on the other hand, has also been criticized for its developer-submitted privacy labels. The 2021 report from The Washington Post indicates that several iOS apps similarly disclose misleading information, along with several other apps falsely claiming that they did not collect, share, or track user data. 

To address these issues, Mozilla suggests that both Apple and Google adopt an overall, standardized data privacy system across all of their platforms. Mozilla also urges that major tech firms shoulder more responsibility and take enforcement action against apps that fail to give accurate information about data sharing. “Google Play Store’s misleading Data Safety labels give users a false sense of security[…]It’s time we have honest data safety labels to help us better protect our privacy,” says Caltrider.  

Trojan Apps Stole Facebook Credentials From Over 300,000 Android Users

 


In the aftermath of the chaos caused by Schoolyard Bully Trojan, a new malware program for Android phones, more than 300,000 people in 71 countries have been affected. 

This malware is mainly intended to steal Facebook credentials from unsuspecting users. It is disguised as legitimate educational applications designed to trick users into downloading the malware without realizing that they are doing so. 

This week, it was announced that the apps had been removed from the official Google Play Store, where they had been available for download. However, it is still possible to download them from third-party app stores. 

According to Zimperium researchers Nipun Gupta and Aazim Bill SE Yashwant, this trojan uses JavaScript injection to steal Facebook credentials. The method by which it achieves this is by launching the Facebook login page within a WebView, which also includes malicious JavaScript code that encrypts and exfiltrates the user's phone number, email address, and password, which are then forwarded to one of the command-and-control (C2) servers in just one click. 

It is important to note that the Schoolyard Bully Trojan also uses native libraries to avoid detection by antivirus software, such as "libabc. so", for example. 

Aside from Vietnamese-language apps, the malware has also been detected in several other apps from over 70 countries, underscoring the global scope and scale of the problem. 

In a campaign codenamed FlyTrap, Zimperium discovered similar activity in the past year. This involved rogue Android apps delivering spam messages that intended to compromise Facebook accounts through Twitter accounts and Instant Messages. 

In a recent report by Zimperium, Richard Melick, director of mobile threat intelligence at Zimperium, stated that hackers have the potential to wreak havoc if they steal Facebook passwords. It becomes effortless for phishers to exploit friends and other contacts if they can impersonate someone from their legitimate Facebook account. Consequently, they can be tricked into sending money or sensitive information to fraudsters. 

The users' tendency to reuse the same passwords makes them more vulnerable to being attacked by an attacker who can more easily acquire their Facebook password. 

This is to access banking or financial apps, corporate accounts, web browsing, etc. If someone steals one's Facebook password, there is a high likelihood that the same password will also work with other apps or services. 

Social media has become popular with each sector and age group. With a rapidly growing number of social media users, caution while using social media should also be increased. There are several cyber-attack cases where malicious actors attacked the victim’s social media to steal sensitive information. Social media is a necessity in current times, so to use it without being a victim, you need to protect your social media from such attacks. There are some points you can follow: 
  • Prefer using stronger passwords.
  • Use different passwords for different platforms.
  • Enable two-step authentication security.

Malware and Trojans on Android: How to Avoid Them

As a first step, you should avoid installing apps from unofficial app stores and unknown sources. This will prevent your Facebook and other credentials from being stolen by hackers. The ability to sideload apps is one of the perks of using an Android device, but if caution is not exercised, it may result in harm. 

It is also wise to ensure that Google Play Protect is enabled on your Android device. This app can scan newly downloaded apps and other installed apps for malware. Aside from this application, you can also consider using one of the most effective Android antivirus applications to provide additional protection. 

Additionally, before updating any apps on your device, you must be mindful. While Google ensures that the apps it uploads to the Play Store are free of malware and viruses, it is still possible for malicious apps to creep their way into the store. To avoid this, it is recommended to read external reviews of an app before you decide to install it. You can also look at the app's developer before downloading it. 

A Trojan horse, Schoolyard Bully, was prominent on the Internet over four years ago. During that time, it was successful in stealing over 300,000 user credentials from users who were infected with it. Therefore, it is probable that cybercriminals will continue to use Trojan computers to steal passwords and account information from unsuspecting users as long as they continue to exist. 

Harley Trojan Affecting the Users by Impersonating the Applications

 

There are numerous unpatched malwares hidden under the apps in the Google Play Store that seem to be harmless but are actually malicious programs. Google Play Store is an official platform that runs every process with careful monitoring carried out by the moderators. However, some apps may evade the moderator's check since it's not possible to check all the apps before they go live on the platform. 

One such popular malware, called Trojan Subscribers has been discovered by Kaspersky. It affects the users by signing up for paid services without their knowledge. The malware exhibits similarities with the Jocker Trojan subscriber, experts presume that the two have a common origin. 

A trojan is a malicious code or software that gets downloaded onto a system, disguised as an authorized application. 

In the past 3 years, over 190 apps have been found infected with Harly Trojan on the Google play store, and the number of downloads of such apps is more than 4.8 million.  

To spread the virus to different systems, the threat actors download the original applications and place their malicious code into them and later re-upload them to Google Play Store with some other name. 

The attackers play smart by keeping the same features in the app as listed in the description so that the users do not suspect a threat. The impersonating of legitimate apps also provides advertisement. 

The Trojan malware belonging to the Harley family includes a payload inside the application and uses numerous methods to decrypt and execute the payload. 

After the decryption, the Harley gathers information about the user’s device including the mobile network. By connecting to the mobile network, the malware opens up a list of subscription addresses from a C&C server, where it automatically enters the user's mobile number followed by other options to continue the process, including the OTP from messages. As a result, the user ends up with a paid subscription for a service without their knowledge or consent.  

To avoid being a victim of such apps, anti-virus experts suggest looking for reviews of the applications before downloading them. Google has been notified about such apps and asked to remove all the Trojan-infected apps from the platform and devices that are infected with them. 

Japanese Payment System Attacked By Fake Security App

A new malware has been observed by the Research team at McAfee Corp. This malware is found to be attacking NTT DOCOMO customers in Japan. 

The malware that is distributed via the Google Play Store pretends to be a legitimate mobile security app, but in reality, it is a fraud malware designed to steal passwords and abuse reverse proxy focusing on NTT DOCOMO mobile service customers. 

The McAfee Cell Analysis team informed Google regarding the notoriety of the malware. In response, Google has made the application unavailable in Google Play Store and removed known Google Drive files that are associated with the malware. In addition to this, Google Play Shield has now alerted the customers by disabling the apps and displaying a warning. 

The malware publishes malicious fake apps on Google Play Store with various developer accounts that appear like some legitimate apps. According to a tweet by Yusuke Osumi, a Security Researcher at Yahoo, the attacker lures the victims into installing the malware in their systems by sending them an SMS message with a Google Play Store link, reportedly sent from overseas. Additionally, they entice the users by displaying a requirement to update their security software. 

This way, the victim ignorantly installs the fraudulent app from Google Play Store and ends up installing the malware. The malware asks the user for a community password but cleverly enough, it claims the password is incorrect, so the user has to enter a more precise password. It does not matter if the password is incorrect or not, as this community password can later be used by the attacker for the NTT DOCOMO fee services and gives way to online funds. 

Thereafter, the malware displays a fake ‘Mobile Security’ structure on the user’s screen; the structure of this Mobile Security structure interestingly resembles that of an outdated display of McAfee cell security. 

How does the malware function

A native library called ‘libmyapp.so’ written in Golang, is loaded through the app execution. When the library is loaded, it attempts to connect with C&C servers utilizing an Internet Socket. WAMP (Internet Software Messaging Protocol) is then employed to speak and initiate Distant Process Calls (DPC). When the link is formulated, the malware transmits the community data and the victim’s phone number, registering the client’s procedural commands. The connection is then processed when the command is received from the server like an Agent. Wherein, the socket is used to transmit the victim’s Community password to the attacker, when the victim enters his network password in the process.

The attacker makes fraudulent purchases using this leaked information. For this, the RPC command ‘toggle_wifi’ switch the victim’s Wi-Fi connection status, and a reverse proxy is provided to the attacker through ‘connect_to’. This would allow connecting the host behind a Community Handle Translation (NAT) or firewall. With the help of a proxy, now the attacker can ship by request through the victim’s community network. 

Along with any other methods that the attackers may use, the malware can also use reverse proxy to acquire a user’s mobile and network information and implement an Agent service with WAMP for fraudulent motives. Thus, it is always advised by Mobile Security Organizations to be careful while entering a password or confidential information into a lesser-known or suspicious application.

 SideWinder Hackers Have Planted a Bogus Android VPN Program

 

A bogus VPN program for Android smartphones was uploaded on the Google Play Store, along with a proprietary tool that screens users for improved targeting, according to phishing efforts linked to an advanced threat actor known as SideWinder. SideWinder is an APT organization that has been operating since at least 2012 and is thought to be led by an Indian actor with a high level of expertise.

Over 1,000 cyber attacks were ascribed to this gang in the last two years, according to Kaspersky, who praised its persistence and clever obfuscation tactics. Organizations in Pakistan, China, Nepal, and Afghanistan are the principal targets.

The threat actor uses spear-phishing emails to spread malicious ZIP bundles containing RTF or LNK files that install an HTML Application (HTA) payload from a remote server. The adversary uses a pretty big infrastructure that includes over 92 IP addresses, mostly for phishing assaults, and hundreds of domains and subdomains that serve as command and control servers. 

SideWinder, also known by the names, RattleSnake, Razor Tiger, T-APT-04, APT-C-17, and Hardcore Nationalist, was responsible for a recent phishing campaign that targeted both public and commercial sector institutions in Pakistan. 

A phishing document tempting victims with a document advocating "a formal debate of the impact of the US withdrawal from Afghanistan on maritime security" was discovered earlier this year by researchers at cybersecurity firm Group-IB. While the exact purpose of the bogus VPN program is unknown, this isn't the first time SideWinder has gotten around Google Play Store restrictions by publishing malicious apps disguised as utility software.

Trend Micro reported in January 2020 that three malicious applications masquerading as photography and file manager utilities used a security weakness in Android (CVE-2019-2215) to acquire root access and abuse accessibility service rights to gather sensitive data.

Android Trojans are After Financial Apps With Over a Billion Downloads

 

The exploitation of financial apps by trojans has become prevalent, according to a report by Zimperium, a mobile security firm. Trojans are a type of malware that infects users' devices by posing as legitimate and trustworthy programs. The researchers looked at ten separate trojans that are currently active in the open and discovered that they target 639 financial Android apps when combined. 

Once they've infected a device, they leverage Accessibility services to take actions as the user, overlaying login pages on top of authentic banking and finance apps to steal login details, monitoring notifications to capture OTPs, and even carrying out on-device financial fraud. This is particularly concerning because, according to 2021 studies, three out of four Americans use banking applications to conduct their regular financial activities, offering a large target pool for these trojans.

The Google Play Store has slightly over 1 billion downloads of these mobile banking, investment, payment, and cryptocurrency apps combined. PhonePe, which is immensely popular in India and has 100 million downloads on the Play Store, is the targeted application with the most downloads. 

The popular bitcoin exchange software Binance has received 50 million downloads. Cash App is a mobile payment service that is available in the United States and the United Kingdom, with 50 million downloads on Google Play. Even though they don't provide traditional financial services, some banking Trojans target both of these. BBVA, a worldwide online banking platform with tens of millions of downloads, is the most widely marketed application. Seven of the ten most active banking trojans have been found to target this app. 

Additional trojans which were active during the first half of 2021 include the following: 

  • BianLian is a malware that targets Binance, BBVA, and several Turkish apps.
  • Cabassous is after clients from Barclays, CommBank, Halifax, Lloys, and Santander. 
  • Coper may take over accounts from BBVA, Caixa Bank, CommBank, and Santander. 
  • Barclays, Intensa, BancoPosta, and a slew of other Italian apps are among the targets of EventBot. This one uses Microsoft Word or Adobe Flash to hide its true identity. 
  • PayPal, Binance, Cash App, Barclays, BBVA, and CaixaBank may all be affected by the aforementioned Exobot. 
  • FluBot affected BBVA, Caixa, Santander, and several other Spanish apps. 
  • Medusa was a banking app that targeted BBVA, CaixaBank, Ziraat, and Turkish banks. 
  • Binance, BBVA, and Coinbase were all hit by Sharkbot. 
  • PhonePe, Binance, Barclays, Crypto.com, Postepay, Bank of America, Capital One, Citi Mobile, and Coinbase are among the companies targeted by Teabot. 
  • BBVA and a slew of other EU-specific bank apps are among those targeted by Xenomorph. 
The method utilized by these trojans would be that they each have a small target scope and different types of functionality for diverse goals. Because these trojans are concealed among programs available on Android's official app store, users should be cautious and avoid downloading apps from untrustworthy sources. One may take it a step further by using a provider like ExpressVPN.

Google Strengthens Android Security With a New Set of Dev Policy Updates

 

Google has announced several important policy changes for Android app developers that will improve the security of users, Google Play, and the apps available through the service. 
These new developer requirements will be in effect from May 11th through November 1st, 2022, allowing developers plenty of time to adjust. The following are the most important policy changes related to cybersecurity and fraud that will be implemented: 
  • New API level target requirements.
  • Banning of loan apps whose Annual Percentage Rate (APR) is 36% or higher.
  • Prohibiting the abuse of the Accessibility API.
  • New policy changes for the permission to install packages from external sources.
All newly released/published apps must target an Android API level released within one year of the most recent major Android version release starting November 1, 2022. Those who do not comply with this criterion will have their apps banned from the Play Store, Android's official app store. 

Existing apps that do not target an API level within two years of the most recent major Android version will be eliminated from the Play Store and become undiscoverable. This change is intended to compel app developers to follow the tougher API regulations that underpin newer Android releases, such as better permission management and revoking, notification anti-hijacking, data privacy enhancements, phishing detection, splash screen limits, and other features. 

According to Google's blog article on the new policy: "users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer." 

App developers who require extra time to migrate to more recent API levels can request a six-month extension, albeit this is not guaranteed. Many outdated apps will be forced to adopt better secure methods as a result of this policy change. 

Accessibility API abuse

The Accessibility API for Android enables developers to design apps that are accessible to people with disabilities, enabling the creation of new ways to operate the device using its applications. However, malware frequently exploits this capability to do actions on an Android smartphone without the user's permission or knowledge. As noted below, Google's new policies further restrict how this policy can be applied: 
  • Change user settings without their permission or prevent the ability for users to disable or uninstall any app or service unless authorized by a parent or guardian through a parental control app or by authorized administrators through enterprise management software; 
  • Workaround Android built-in privacy controls and notifications; or
  • Change or leverage the user interface deceptively or otherwise violates Google Play Developer Policies.
Google has also released a policy change that tightens the "REQUEST INSTALL PACKAGES" permission. Many malicious software publishers hide package-fetching technology that downloads malicious modules after installation to have their submission accepted on the Play Store. Users interpret these activities as "request to update" or "download new content," and they either authorise the action when presented with the corresponding prompt or don't notice because it occurs in the background. 

Google aims to narrow this loophole by imposing new permission requirements, bringing light to an area that was previously unregulated. Apps that use this permission must now only fetch digitally signed packages, and self-updates, code modifications, or bundling of APKs in the asset file will still require the user's authorization. For all apps using API level 25 (Android 7.1) or higher, the new REQUEST INSTALL PACKAGES policies will enter into force on July 11th, 2022.

A New Android Banking Trojan Targeting Europeans is Spreading Through Google Play Store

 

A new Android banking malware with over 50,000 installations has been discovered and disseminated via the official Google Play Store, with the purpose of targeting 56 European banks and stealing sensitive information from affected devices. The in-development malware, dubbed Xenomorph by Dutch security firm ThreatFabric, is reported to share similarities with another banking trojan known as Alien while yet being "radically different" in terms of functionality given. 

Alien, a remote access trojan (RAT) with notification sniffing and authenticator-based 2FA stealing features, emerged shortly after the iconic Cerberus malware was decommissioned in August 2020. Other Cerberus forks have been detected in the wild since then, including ERMAC in September 2021. Xenomorph, like Alien and ERMAC, is another Android banking trojan that tries to avoid Google Play Store security by posing as productivity apps like "Fast Cleaner" to deceive unsuspecting victims into installing the malware. 

Fast Cleaner, which has the package name "vizeeva.fast.cleaner" and is still available on the app store, has been most popular in Portugal and Spain, according to Sensor Tower data, with the app making its initial appearance in the Play Store at the end of January 2022. 

This Android Banking malware is still under development and mostly offers the bare minimum of capabilities expected of a modern Android banking trojan. It’s primary attack vector is the use of an overlay attack to steal credentials, along with SMS and Notification interception to log and use potential 2FA tokens. The Accessibility engine that powers this malware, as well as the infrastructure and C2 protocol, have been meticulously developed to be scalable and updatable. 

"Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS." 

The data recorded by this malware's logging capability is vast, and if sent back to the C2 server, it may be used to execute keylogging as well as collect behavioural data on victims and on installed applications, even if they are not on the list of targets. 

In the first stage, the malware sends back a list of installed packages on the device, and then it downloads the necessary overlays to inject based on which targeted application is present on the device. Xenomorph supplied a list of overlay targets that included targets from Spain, Portugal, Italy, and Belgium, as well as some general-purpose applications such as emailing services and cryptocurrency wallets.

10K Victims Infested via Google Play 2FA App Loaded with Banking Trojan

 

The Vultur trojan obtains bank credentials but then requests authorization to inflict even more damage later. 

A fraudulent two-factor authentication (2FA) software has been deleted from Google Play after being available for more than two weeks — but not before it was downloaded more than 10,000 times. The Vultur stealer malware, which targets and swoops down on financial information, is put into the app, which is completely functioning as a 2FA authenticator. 

Researchers at Pradeo warn users who have the malicious app, just named "2FA Authenticator," to delete it straight away since they are still at risk — both from banking-login theft and other assaults made possible by the app's broad over permissions. 

Using open-source Aegis authentication code combined with malicious add-ons, the threat actors constructed an operable and convincing app to mask the malware dropper. According to a Pradeo analysis issued, this enabled it to proliferate unnoticed via Google Play. 

“As a result, the application is successfully disguised as an authentication tool, which ensures it maintains a low profile,” the report added. 

The Vultur banking trojan is installed once the software is downloaded, and it harvests financial and banking data from the affected smartphone, among other things. The Vultur remote access trojan (RAT) malware, initially discovered by ThreatFabric investigators in March, was the first of its type to employ keylogging and screen recording as its main approach for stealing banking data, allowing the organisation to systematize and expand the process of stealing credentials. 

“The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: this approach usually requires more time and effort from the actors to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result,” ThreatFabric said at the time. 

According to the Pradeo team, the fake 2FA authenticator also requests device rights that aren't shown in the Google Play profile. The attackers can use those tricksy, enhanced privileges to do things like access user location data so attacks can be aimed at specific regions, disable device lock and password security, download third-party apps, and take control of the device even if the app is shut down, according to the report. 

Once the device is fully hacked, the app installs Vultur, “an advanced and relatively new kind of malware that mostly targets online banking interface to steal users’ credentials and other critical financial information,” the report said. 

Pradeo discovered another sneaky tactic used by the malicious 2FA by acquiring the SYSTEM ALERT WINDOW permission, which allows the application to modify the interfaces of other mobile apps. 

"Very few apps should use this permission; these windows are intended for system-level interaction with the OS," Google stated. 

Despite the fact that the researchers reported their disclosure to Google Play, the malicious 2FA Authenticator app loaded with the banking malware remained accessible for 15 days, according to the Pradeo team.

Android Banking Malware Spreads Using a Bogus Google Play Store Website

 

An Android banking trojan aimed at Itaú Unibanco has used an unusual technique to spread to devices, the actors created a page that looks remarkably similar to Android's official Google Play app store in order to deceive visitors into thinking they are installing the software from a reliable service. The Trojan poses as Itaú Unibanco's official banking app and uses the same icon as the legitimate app. 

Banco Itaú Unibanco S.A. is a Brazilian financial services firm based in São Paulo. Founded in 2008 by the merging of Banco Itaú and Unibanco, Itaú Unibanco is the largest bank in Brazil, as well as the largest in Latin America and the Southern Hemisphere, and the world's 71st largest bank. It is also one of the world's twenty most valuable banks. It has approximately 33,000 service sites worldwide, 3,527 of which are in Brazil, as well as around 28,000 ATMs and 55 million customers. 

When the user clicks on the "Install" button, they are prompted to download the APK, which is the first indication of fraud. Google Play Store apps are always installed through the store interface, never requiring the user to manually download and install programmes. Cyble researchers examined the malware and discovered that when it is executed, it attempts to launch the genuine Itaú app from the Google Play Store. If that is successful, it will utilize the actual app to carry out fraudulent transactions by modifying the user's input fields.

During installation, the software does not request any unsafe permissions, preventing suspicious or risky detection from AV tools. Instead, it intends to use the Accessibility Service, which is all that mobile malware requires to overcome all security on Android systems. According to a recent research by Security Research Labs, "we are currently dealing with an Android malware Accessibility abuse epidemic, and Google has failed to patch the targeted flaw." As a result, only the user has the ability to detect indicators of abuse and stop the infection before it has a chance to cause harm to the device. 

According to the researchers, if you want to enjoy the ease of mobile e-banking, download the app from the bank's official website or the Google Play Store. Furthermore, apply app updates as soon as they become available, and utilize an AV tool from a reliable vendor. Use a strong password and enable multi-factor authentication on the app to ensure optimal account security.

Alert Android Users: These 23 Apps Found Spying via Mobile Camera

 

A new malware, PhoneSpy, that eavesdrops on Android users, was detected in 23 applications recently,  As of present, none of these applications are available on Google Play Store. 

The malware that has primarily been active in the United Kingdom and Korea, is capable of stealing critical data such as images, call logs, contacts, and messages, as well as obtaining the full list of installed apps, recording audio and video in real-time using the phone's cameras and microphone. It can also extract device information such as the IMEI number, device name, and brand, and even grant remote access to the device. 

Zimperium stated in a statement, “The application is capable of uninstalling any user-installed applications, including mobile security apps. The device’s precise location is available in real-time to the malicious actors, all without the victim knowing. The spyware also enables the threat actor to use phishing pages for harvesting credentials of Facebook, Instagram, Google, and Kakao Talk." 

“PhoneSpy hides in plain sight, disguising itself as a regular application with purposes ranging from learning Yoga to watching TV and videos, or browsing photos," the mobile security agency Zimperium added. 

Since the spyware or any of its shadow applications were listed on the Play Store, experts believe the attackers may have used online traffic redirection or social engineering to spread the malware. The latter is used by cyber thieves to trick device owners into performing voluntary actions. 

If users carefully examine their online traffic habits, they may be able to discover the malware invasion. The PhoneSpy software begins by sending requests for on-device authorization. Once the user has provided these details, attackers can manage and hide the app from the main menu. 

According to Zimperium, Android users should avoid installing apps from third-party app stores. It’s recommended that users only download applications from the Google Play Store. Also, users are suggested to avoid clicking on questionable links or downloading any applications sent by text message or email.

Joker Virus is Back, Targeting Android Devices

 

The notorious Joker has made a comeback, according to Belgian police, who cautioned about the Joker Virus that only targets Android smartphones and lurks in numerous apps available on the Google marketplace known as Play Store. 

The Joker malware is among the most tenacious and annoying viruses for Android, and it is even capable of infecting people through the use of the Google Play Store since it is disguised within defenseless apps. This Joker software can completely deplete victims' bank account of all funds. The 'Joker' Trojan infection is part of the Bread malware family, whose primary goal is to hijack cell phone bills and allow activities without the user's knowledge. 

As per experts at cybersecurity firm Quick Heal Security Lab, the Joker virus could access user smartphone's text messages, contact information, and a variety of other data, enabling it to enroll in websites providing premium services. Due to this users face the danger of receiving a large bill from their bank or credit card at the end of the month. 

"This malicious program has been detected in eight Play Store applications that Google has suppressed," stated the Belgian authorities in a statement published on Friday 20th August on their website. 

The 'Joker' malware made headlines in 2017 for attacking and stealing data from its victims while masquerading in several applications. Since that day, Google Play Store defense systems have deleted approximately 1,700 apps containing the 'Joker' malware before they could be installed by users. The 'Joker' virus was discovered in 24 Android applications in September 2020, with over 500 thousand downloads before even being deactivated. It is suspected that more than 30 countries were impacted at the time, along with the United States, Brazil, and Spain. Hackers might take up to $7 (approximately 140 Mexican pesos) per subscription weekly via illicit memberships, an amount that has most certainly escalated in recent months. 

According to La Razón, the cybersecurity firm Zscaler has publicly revealed the names of 16 other apps that, according to its investigation, also include this dangerous code: Private SMS, Hummingbird PDF Converter - Photo to PDF, Style Photo Collage, Talent Photo Editor - Blur focus, Paper Doc Scanner, All Good PDF Scanner, Care Message, Part Message, Blue Scanner, Direct Messenger, One Sentence Translator - Multifunctional Translator, Mint Leaf Message-Your Private Message, Unique Keyboard - Fancy Fonts & Free Emoticons, Tangram App Lock, Desire Translate and Meticulous Scanner. 

Initially, apps infected with 'Joker' or another Malware from any of this family committed SMS fraud but soon began to target electronic payments. These two strategies make use of telephone operators' interaction with suppliers to permit service payment via the mobile bill. Both necessitate device authentication but not human verification, allowing them to automate transactions without requiring any user participation. 

In addition, it is typical for all those impacted by 'Joker' to be unaware of the theft unless they thoroughly study their bank statements. It's because the bank does not detect an evidently 'regular' membership and, in general, the charges are so little that they are not noticed as odd movements, therefore the account holder does not even send a traffic notification. 

Furthermore, the malicious applications that the Google Play Store removed upon discovering that they carried the 'Joker' virus are as follows: Auxiliary Message, Element Scanner, Fast Magic SMS, Free Cam Scanner, Go Messages, Super Message, Super SMS, and Travel Wallpapers.

Google Play is Infested with Fake Crypto Mining Apps

 

Google has deleted eight bogus mobile apps from the Play Store that pretend to be bitcoin cloud-mining apps but are actually designed to trick users into paying for pricey subscription services and engaging in other unlawful acts. Although they may have been removed, Trend Micro researchers discovered that when searching Google Play for the keywords "cloud mining," several problematic applications of the same sort remain. 

“Cloud mining introduces both convenience and cybersecurity risks. Because of the simplicity and agility of cloud computing, it is quick and easy to set up a realistic-looking crypto mining service that is really a scam,” said Ioannis Gasparis, a mobile application security researcher at Lookout, in a report released in July. 

These phoney Android apps target those who want to make money online by persuading them to invest in a cloud-mining company. All eight recently removed apps were found to be infected with one of two malwares: FakeMinerPay and FakeMinerAd. 

“These apps were able to fly under the radar because they don’t actually do anything malicious,” said Ioannis Gasparis. “They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist. Purchasing goods or services online always requires a certain degree of trust — these scams prove that cryptocurrency is no exception.”

According to Cifer Fang, a researcher at Trend Micro, these malicious apps merely fool victims into watching adverts, make them pay for subscription services with an average monthly charge of $15, and also encourage them to pay for greater mining capabilities without getting anything in return. 

According to Trend Micro's findings, the apps don't actually mine anything; instead, "fake mining activity on the apps' user interface (UI) is carried out via a local mining simulation module that comprises a counter and certain random operations."

“The app called Daily Bitcoin Rewards – Cloud Based Mining System prompts its users to upgrade their crypto-mining capacity by ‘buying’ their favorite mining machines to earn more coins at a faster rate,” Fang noted. 

Two of the phoney crypto mining apps (Bitcoin [BTC] – Pool Mining Cloud Wallet and Bitcoin 2021), according to Trend Micro's analysis, bombarded their users with adverts with the primary purpose of enticing victims to click.