Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Google Play. Show all posts

Tricky Malware Uses Versioning to Outsmart Google Play Store Scanners

In recent developments, threat actors are using a technique known as "versioning" to evade Google Play Store's malware detection mechanisms, posing a significant risk to Android users. This method allows them to specifically target users and compromise their sensitive information, including credentials, data, and finances. Despite being a known tactic, versioning remains challenging to detect, making it a preferred choice for malicious developers. 

In May, cybersecurity firm ESET uncovered a screen recording app called "iRecorder - Screen Recorder." Surprisingly, the app remained undetected for almost a year on the Play Store before malicious modifications were made to enable covert spying on its users. 

SharkBot, a notorious malware utilizing the DCL method, has been consistently resurfacing on the Play Store. This malware disguises itself as security and utility apps to deceive users. Operating as a financial trojan, SharkBot executes unauthorized money transfers from compromised devices through the Automated Transfer Service (ATS) protocol. 

Here's how the versioning technique works: 

Innocent-looking Initial Release: Malicious developers begin by releasing an app's initial version on the Google Play Store, which appears harmless and successfully passes Google's pre-publication security checks. This initial version is designed to avoid detection by security measures. 

Introduction of Malicious Components: Subsequently, the developers push updates to the app. These updates introduce malicious components into the seemingly harmless app. These malicious components are cleverly hidden, allowing the initial version to pass the security checks while carrying hidden threats. 

Attackers' Controlled Servers: The updates containing the harmful code are delivered to users' devices from servers controlled by the attackers. These servers enable the attackers to dynamically load code (Dynamic Code Loading or DCL) onto the devices without raising any suspicion. 

App as a Backdoor: As a result of the malicious updates, the app effectively becomes a dangerous backdoor on the compromised devices. This grants the attackers unauthorized access and control over the compromised devices, enabling them to exploit sensitive information, compromise security, and carry out further malicious activities. 

According to a report from ThreatFabric, cybercriminals have been exploiting an Android bug to make malicious apps appear harmless. They achieve this by "corrupting components of an app" in a way that the app remains valid as a whole. This allows malicious apps to bypass detection and pose a threat to unsuspecting users. 

The Montana Legislature Banned TikTok

 


A bill introduced in Montana would prevent apps like TikTok from being listed for download on app stores such as Google Play and Apple's App Store. The bill is forwarded to Republican Governor Gianforte for signature. 

TikTok, owned by Chinese investors, continues to be the target of fierce battles. As part of their efforts to address short-form video apps, Montana lawmakers voted on Friday to ban the most popular app from the state. 

Reuters writes that a bill would prevent applications like TikTok from being listed on apps stores, like Google Play or Apple's App Store in Montana. A 54-43 vote in the Montana House of Representatives approved the bill, SB419. Upon signing the bill, Gianforte will ensure it comes into effect in January. Despite the potential for substantial legal challenges, the legislation may still pass. 

However, there is nothing in the bill that makes it illegal for people who already use the app. This is regardless of the enacted law. The bill's original version forced internet providers to block TikTok. However, that particular language was removed, and it is not part of the amended bill. 

A state government has taken the first step in restricting TikTok in response to perceived security concerns since the legislation was passed. A national ban on TikTok seems to be on the cards after some federal lawmakers have called for an end to the app. 

A bill has been introduced targeting TikTok. It outlines the potential penalties imposed on the company if it violates the law daily. In addition to app stores that violate the law, penalties would also apply. As a result, users who access TikTok as part of their routine will not be penalized for doing so. 

As a result of allegations that TikTok's Chinese owner, ByteDance, places US users' personal information at risk for marketing purposes, the app has come under significant scrutiny from US legislators in recent months. Several congressmen have called for American data sharing with the Chinese government at the federal and state level. Last month, a congressional committee grilled TikTok CEO Shou Zi Chew on the issues widely held by the general public on social media.  

Numerous claims are being made against TikTok, including accusations of data theft, data mining, piracy, and data collection. However, TikTok has repeatedly denied these claims. To gain respect among US legislators, TikTok poured more than $1 billion into establishing a database where American users' data would be archived exclusively on Oracle's servers.

As acknowledged by its champions, the bill's supporters have no practical plans for operationalizing this attempt to censor American voices and therefore have no chance of succeeding. It has also been confirmed by TikTok's spokesperson Brooke Oberwetter that a court will decide whether the bill's constitutionality can stand up in court. Brooke hopes that the government of Montana will continue to abuse the First Amendment to keep TikTok users and creators in Montana from earning a living and protecting their rights under the First Amendment. 

Currently, the bill is being sent to the governor to be signed into law. There is a high probability that Republican governor Greg Gianforte will sign it. In Montana, TikTok has been banned from government devices because he previously banned it. Similar executive orders have been enacted by other states to ban the use of the app on devices and networks owned and operated by the government. 

Data safety concerns, surveillance by the Chinese government, and the involvement of minors in "dangerous activities" resulting from TikTok use were cited in the bill, which included a claim that minors were cooking chicken in NyQuil and climbing milk crates as dangerous activities. Critics of the app say that these activities were part of a set of challenges that had become popular. 

As a result of the links that TikTok's parent company, ByteDance, has with TikTok's parent company, the Chinese government has been widely expressed as having a potential risk of accessing user data from TikTok. 

In addition, they worry that this kind of information could be used by Chinese intelligence agencies or propaganda campaigns for their benefit. It is unclear whether the Chinese government has accessed or used any data related to TikTok's US users to influence them, and there has been no public evidence of this. According to Christopher Wray, Director of the FBI, the FBI does not believe many signs would be at first glance if this were to happen if it did happen. 

To make TikTok safer and more sustainable, the US government has called on its Chinese owners to spin off TikTok. In the context of its Project Texas initiative, TikTok says it can address national security concerns by installing a "firewall" around US users' data covering a wide area of cyberspace. 

Despite the uncertainty surrounding Montana's legislation's future, there is still hope for it. TikTok is a member of an industry group called NetChoice, which also has other technology companies in its membership. The group declared Friday that SB419 violates the US Constitution by trying to punish a person without a trial, or so-called "bills of attainment." 

It has been alleged by other civil society organizations that SB419 violates Montanans' rights to free expression as well as their access to information under the First Amendment. Earlier this week, the American Civil Liberties Union sent a letter to members of state legislatures in which the organization made the argument that government restrictions on freedom of speech must meet a high constitutional standard. 

As a result of SB 419, Montanans would be better off without a platform where they could speak out freely and exchange ideas daily; this would be censorship. 

According to the letter, if this becomes a law, it will set a dangerous precedent that government bodies will hold excessive control over Montanans’ access to the internet. According to Lynn Greenky, a First Amendment scholar and associate professor of Communication Studies at Syracuse University, the legislation also refers to "dangerous content" and "dangerous challenges" to TikTok phrases, raising an immediate "red flag" that will trigger a more thorough review of the bill. 

The bill sponsor, Shelley Vance, did not respond to a request for comment immediately after receiving it. In response to a question about Gianforte's comments, Gianforte's spokesperson failed to respond immediately. If the law is passed, the app ban will be implemented before 2024 begins. Several Congressmen are expressing concerns about the app as security concerns rise due to Chinese owners. As part of the Biden administration's warning issued last month, TikTok's parent company ByteDance, based in China, was told to divest ownership of the service or face a ban by the federal government.

Users of Android can Now Save Space by Auto Archiving

 


In an announcement by Chang Liu and Lidia Gaymond, Google Play product managers announced that an upcoming auto-archive feature would be introduced later this month. This feature has been added to make device storage management easier for Android users. As a result of this feature, there is less chance of unintentional app uninstallations, and users can install updated apps without hassle. 

Developers who use the App Bundle to publish their apps can only use auto-archive for their apps. To increase the chances of your app appearing in users' uninstall suggestions, ensure that your app supports archiving. 

If there is insufficient storage for an app to be installed, the device will prompt the user to enable auto-archive. Users can easily turn on auto-archive when opting in, freeing up space on their devices. 

There are several reasons why people uninstall applications, but the most common is to free up space on their devices. 

It has been customary to prompt users to manually uninstall apps when their device's storage nears capacity. This is so that they can make room for updated ones to be installed. Users can save up to nearly 60% of an app's storage space by using the enhanced auto-archiving feature, which allows the app to be deleted and the data is not lost when deleted. 

There was a time when an app would automatically be recommended to be uninstalled when there was not enough space on the device. Android is getting access to the ‘archive’ feature that was worked on by the tech giant.  

In addition to checking and removing unused apps manually from the phone settings, users can also remove them manually from their apps list. Despite this, the uninstallation of an application can lead to the data you entered into it being lost. 

A user installing an Android app will receive a prompt to use the app's auto-archiving feature when the device's storage is running low, and the app is installed on the device. By simply turning on the feature, users can archive all apps no longer in use. They can also delete permissions, temporary files, and alerts created in the past. 

Having app archiving enabled on your device will help you recognize when you lack storage. You can archive apps that you rarely use when it detects space shortage. Your device will automatically archive apps you do not use often if it detects that you don't have enough storage. Personal data will be saved if you download the app again. 

In addition to allowing users to partially remove infrequently used apps from their devices, the auto-archive feature allows the user to preserve the icon for those apps and the data the user has entered for them. It is a visual indication of archiving that the user can see cloud icons on their device when it comes to Archived Apps. As long as the app is still available on Google Play, users can re-download and use the archived app from where they left off by tapping the icon, provided that they wish to continue using the app from where they had left off. 

The process of opting into auto-archive is easy, and the user can do it with just a few clicks. When the user attempts to install a new app on the device, and the device is out of storage, a pop-up window appears asking if the user would like auto-archiving to be enabled. The user can opt-in to auto-archive the unused apps on their device if they wish, allowing the phone's storage to be freed up so that the updated application can be installed.   

Cybercriminals Set Android Apps For Sale for Up to $20K a Piece


Cyber threat actors have lately been targeting the official Google Play app store’s security by developing trojan malwares for existing Android apps, selling the malwares for up to $20,000 a piece on darknet markets. 

In a blog post published on April 10, Kaspersky researchers reported their findings of a thorough analysis of nine of the most well-known Dark Web forums. They discovered a booming market of buyers and sellers exchanging access to botnets, malicious Android applications, and app developer accounts for hundreds of dollars at a time by monitoring activities between 2019 and 2023. 

Some highly valuable products, such as source code that can let a threat actor hack into an existing cryptocurrency or a dating app on Google Play can cost several thousand dollars. 

"It's an infinite cat and mouse game[…]The attackers find a way to bypass security scanners. Then the people developing the security scanners deploy patches to ensure that doesn't happen again. Then the attackers find new flaws. And it goes on and on," says Georgy Kucherin, Kaspersky research with regards to Google’s app security. 

The Marketplace for Google Play Hacks 

Any program that is posted to the Apple or Google app stores undergoes a rigorous inspection. However, according to the Kaspersky researchers “just like any security solution that exists in the world, it's not 100% effective[…]Every scanner contains flaws that threat actors exploit to upload malware to Google Play." 

Commonly, there are two methods by with a hacker attempts to sneak malware onto an app store: 

  • The first method entails publishing a completely safe software to the app store. If it has been approved, or even better, if it has attracted a sizable enough audience, hackers will submit an update that contains the malicious code. 
  • The second involves hackers compromising legitimate app developers, accessing their accounts to upload malware to already-existing programs. With no two-factor authentication and strong password restrictions in place, app developer accounts are more vulnerable to hacking. Credential leaks occasionally enable hackers to accomplish the majority of their goals by giving them access to important company development systems and accounts. 

Moreover, depending on the developer, access to a Google Play account may only cost as little as $60, depending on the developer. However, other, more beneficial accounts, resources, and services have significantly greater costs. 

For example, considering the power they hold, loaders — the software necessary to deploy malicious code into an Android app — can cost big bucks on the darknet markets, ranging up to a whopping $5,000 each for an instance. 

A well-resourced criminal could well go with a premium package, like the source code for a loader. 

 "You can do whatever you want with that — deploy it to as many apps as you want[…]You can modify the code as much as you want, adapting it to your needs. And the original developer of the code may even provide support, like updates for the code, and maybe new ways to bypass security measures," Kucherin explains. 

How Can a Company Protect Itself from Google Play Threats 

The threats posed by Google Play are a cause of great concern to organizations, especially the ones with feeble enterprise security. Kucherin notes that many businesses still have lax bring-your-own-device arrangements in place, which extend the security perimeter outside of corporate networks and right into the hands of its employees. 

"Say an employee installs a malicious app on the phone[…]If this app turns out to be a stealer, cybercriminals can get access to, for example, corporate emails or sensitive corporate data, then they can upload it to their servers and sell it on the Dark Web. Or even worse: An employee might keep their passwords in, for example, their phone's notes app. Then hackers can steal those notes and get access to corporate infrastructure," he explains. 

In order to prevent such severe outcomes, Kucherin suggests two simple precautionary measures: 

One, you can teach the employees cyber-hygiene principles, like not downloading apps that are not trusted. However, this might not suffice, so "another thing you can do — though it's more expensive — is give your employees a separate phone, which they will use only for purposes of work. Those devices will contain a limited number of apps — just the essentials like email, phone, no other apps allowed,” he adds. 

Just as it is for the cybercriminals, you have to pay more to get more, he notes: "Using dedicated work devices is more effective, but more expensive."  

New Phishing Scam Targets User's With Fake ChatGPT Platform

The general population is fascinated with AI chatbots like OpenAI's ChatGPT. Sadly, the popularity of the AI tool has also attracted scammers who use it to carry out extremely complex investment frauds against naive internet users. Nevertheless, security experts warn that ChatGPT and other AI techniques may be used to rapidly and on a much wider scale produce phishing emails and dangerous code.

Bitdefender Antispam Labs claims that the most recent wave of "AI-powered" scams starts with a straightforward unwanted email. In reality, our researchers were instantly drawn to what seemed to be a harmless marketing ploy, and they went on to uncover a complex fraud operation that poses a threat to participants' wallets and identities.

The initiative is currently focused on Denmark, Germany, Australia, Ireland, and the Netherlands.

How does the Scam Operate?

In the past several weeks, fake ChatGPT apps have appeared on the Google Play and Apple App Stores, promising users weekly or monthly memberships to utilize the service. The con artists behind this specific scheme go above and beyond to deceive customers.

Users who click the email's link are taken to a clone of ChatGPT that tempts them with money-making chances that pay up to $10,000 per month 'just on an exclusive ChatGPT platform.'

The recipient must click on an embedded link to access further information because the email itself is short on specifics. They click on this link to be taken to a bogus ChatGPT chatbot, where they are prompted to invest at least €250 and provide their contact information, including phone number, email address, and card details.

The victim is then given access to a copy of ChatGPT, which varies from the original chatbot in that it provides a limited number of pre-written responses to user inquiries. Only a domain that is blacklisted allows access to this chatbot.

It's nothing unusual for scammers to take advantage of popular internet tools or patterns to trick users. Use only the official website to test out the official ChatGPT and its AI-powered text-generating capabilities. Avoid clicking on links you get in unsolicited mail, and be particularly suspicious of investment schemes distributed on behalf of a corporation, which generally are scams.

Mozilla Research Lashes Out Google Over ‘Misleading’ Privacy Labels on Leading Android Apps


An investigation, conducted by the Mozilla Foundation, into the data safety labels and privacy policy on the Google Play Store has exposed some severe loopholes that enable apps like Twitter, TikTok, and Facebook to give inaccurate or misleading information about how user data is shared. 

The study was conducted between the 40 most downloaded Android apps, out of which 20 were free apps and 20 were paid, on Google Play and found that nearly 80% of these apps disclose misleading or false information. 

The following findings were made by the Mozilla researchers: 

  • 16 of these 40 apps including Facebook and Minecraft, had significant discrepancies in their data safety forms and privacy policies. 
  • 15 apps received the intermediate rating, i.e. “Need Improvement” indicating some inconsistencies between the privacy policies and the Data Safety Form. YouTube, Google Maps, Gmail, Twitter, WhatsApp Messenger, and Instagram are some of these applications. 
  • Only six of these 40 apps were granted the “OK” grade. These apps included Candy Crush Saga, Google Play Games, Subway Surfers, Stickman Legends Offline Games, Power Amp Full Version Unlocker, and League of Stickman: 2020 Ninja. 

Google’s Data Privacy Section 

Google apparently launched its data privacy section for the Play Store last year. This section was introduced in an attempt to provide a “complete and accurate declaration” for information gathered by their apps by filling out the Google Data Safety Form. 

Due to certain vulnerabilities in the safety form's honor-based system, such as ambiguous definitions for "collection" and "sharing," and the failure to require apps to report data shared with "service providers," Mozilla claims that these self-reported privacy labels may not accurately reflect what user data is actually being collected. 

In regards to Google’s Data Safety labels, Jen Caltrider, project lead at Mozilla says “Consumers care about privacy and want to make smart decisions when they download apps. Google’s Data Safety labels are supposed to help them do that[…]Unfortunately, they don’t. Instead, I’m worried they do more harm than good.” 

In one instance in the report, Mozilla notes that TikTok and Twitter both confirm that they do not share any user data with the third parties in their Data Safety Forms, despite stating that the data is shared with the third parties in their respective privacy policies. “When I see Data Safety labels stating that apps like Twitter or TikTok don’t share data with third parties it makes me angry because it is completely untrue. Of course, Twitter and TikTok share data with third parties[…]Consumers deserve better. Google must do better,” says Caltrider. 

In response to the claim, Google has been dismissing Mozilla’s study by deeming its grading system inefficient. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data safety labels, which inform users about the data that a specific app collects[…]The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information,” says a Google spokesperson. 

Apple, on the other hand, has also been criticized for its developer-submitted privacy labels. The 2021 report from The Washington Post indicates that several iOS apps similarly disclose misleading information, along with several other apps falsely claiming that they did not collect, share, or track user data. 

To address these issues, Mozilla suggests that both Apple and Google adopt an overall, standardized data privacy system across all of their platforms. Mozilla also urges that major tech firms shoulder more responsibility and take enforcement action against apps that fail to give accurate information about data sharing. “Google Play Store’s misleading Data Safety labels give users a false sense of security[…]It’s time we have honest data safety labels to help us better protect our privacy,” says Caltrider.  

SharkBot Malware Returns to Google Play, to Steal Login Credentials

 

A new and updated version of the SharkBot malware has returned to Google's Play Store, targeting Android users' banking logins via apps with tens of thousands of installations. When submitted to Google's automatic review, the malware was found in two Android apps that did not contain any malicious code. SharkBot, on the other hand, is added in an update that takes place after the user installs and launches the dropper apps.

According to a blog post by Fox IT, a division of the NCC Group, the two malicious apps are "Mister Phone Cleaner" and "Kylhavy Mobile Security," which have 60,000 installations combined. Although the two apps have been removed from Google Play, users who have installed them are still at risk and will require to uninstall them manually.

SharkBot has advanced now

SharkBot was discovered in October 2021 by malware analysts at Cleafy, an Italian online fraud management and prevention company. NCC Group discovered the first apps carrying it on Google Play in March 2022.

At the time, the malware was capable of performing overlay attacks, stealing data through keylogging, intercepting SMS messages, and granting threat actors complete remote control of the host device by abusing the Accessibility Services. 

ThreatFabric researchers discovered SharkBot 2 in May 2022, which included a domain generation algorithm (DGA), an updated communication protocol, and completely refactored code. On August 22, Fox-IT researchers discovered a new version of the malware (2.25) that adds the ability to steal cookies from bank account logins.

“Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot. The dropper instead will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did,” Fox IT says.

When the dropper app is installed, it contacts the command and control (C2) server and requests the malicious SharkBot APK file. The dropper then notifies the user that an update is available and instructs them to install the APK and grant all necessary permissions. SharkBot stores its hard-coded configuration in encrypted form using the RC4 algorithm to make automated detection more complicated. 

About cookie-loving Sharkbot

SharkBot 2.25 retains the overlay, SMS intercept, remote control, and keylogging systems, but a cookie logger has been added on top of them. When the victim logs into their bank account, SharkBot uses a new command ("logsCookie") to steal their valid session cookie and send it to the C2.

Cookies are useful for account takeovers because they contain software and location information that help bypass fingerprinting checks or, in some cases, the user authentication token itself. Throughout the investigation, Fox IT personnel discovered new SharkBot campaigns in Europe (Spain, Austria, Germany, Poland, and Austria) and the United States. 

The researchers discovered that the malware uses the keylogging feature in these attacks to steal sensitive information directly from the official app it targets. Fox IT expects SharkBot campaigns to continue and the malware to evolve now that an improved version of the malware is available.

Android Apps With 45 Million Installs Used For Data Harvesting SDK

 

Recently, Mobile malware researchers warned about a set of applications available on the Google Play Store that are stealing the private data of users from over 45 million installs of the apps. 

The apps consume credentials of the users through a third-party SDK in which it gets access to the users' capture clipboard content (store very sensitive data, such as crypto wallet recovery seeds, passwords, or credit card numbers), email addresses, GPS data, phone numbers, and even the user’s modem router MAC address and network SSID. This sensitive data could lead to significant privacy risks, the researchers said. 

The famous and most downloaded app applications to be using this SDK to send sensitive data of users are enlisted below:

• Al-Moazin Lite – 10 million installations (phone number, IMEI, router SSID, router MAC address) 
• Speed Camera Radar – 10 million installations (phone number, IMEI, router SSID, router MAC address) 
• WiFi Mouse – 10 million installations (router MAC address) 
• Qibla Compass Ramadan 2022 – 5 million installations (GPS data, router SSID, router MAC address) • QR & Barcode Scanner – 5 million installations (phone number, email address, IMEI, GPS data, router SSID, router MAC address) 
• Handcent Next SMS-Text w/MSS – 1 million installations (email address, IMEI, router SSID, router MAC address) 
• Smart Kit 360 – 1 million installations (email address, IMEI, router SSID, router MAC address) 
• Simple weather & clock widget – 1 million installations (phone number, IMEI, router SSID, router MAC address) 
• Al Quran mp3 – 50 Reciters & Translation Audio – 1 million installations (GPS data, router SSID, router MAC address) 
• Audiosdroid Audio Studio DAW – 1 million installations (phone number, IMEI, GPS data, router SSID, router MAC address) 
• Full Quran MP3 – 50+ Languages & Translation Audio – 1 million installations (GPS data, router SSID, router MAC address) 

In the wake of the security incident, Google removed many applications from the Google Play store after discovering that they contain data harvesting software. Several Muslim prayer apps, a highway-speed-trap detection app, and a QR-code reading app, were installed more than 45 million times, as per the researchers. 

Top Israeli Officials Duped by Bearded Barbie Hackers

 

Cybercriminals appear to be aggressively promoting the Remcos RAT that first appeared in hacking forums in 2016 and was marketed sold, and offered cracks on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow with a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software which may be purchased online. 

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques like creating phony social media identities and maintaining a strong partnership with the targets. AridViper has previously targeted Palestinian law enforcement, military, or educational institutions, as well as the Israel Security Agency, with spear-phishing assaults (ISA). Researchers from Cisco Talos discovered AridViper assaults against activists involved in the Israel-Palestine conflict in February.

Malicious actors have built several phony Facebook pages utilizing forged credentials and pirated or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators have spent months curating these profiles to make them appear legitimate, posting in Hebrew and alike organizations and prominent pages in Israel. The creators of these profiles create a network of friends who are actually people who work in Israel's police, defense forces, emergency services, or government. The opponents recommend transferring the chat to WhatsApp, ostensibly for more privacy, after building the target's trust by talking with individuals for a while. 

The Android app is actually the virus VolatileVenom.The icon is concealed on pre-Android 10 devices; with Android 10, the virus utilizes the Google Play installation icon. When the victim tries to sign into the Wink Chat, an error message appears, stating the app will be deleted. With a wide spectrum of espionage capabilities, VolatileVenom continues to function in the background. 

The malicious actors will eventually email the target a RAR file containing supposedly explicit photographs or videos as part of the catfishing attempts. This RAR file, on the other hand, contains the Barb(ie) installer malware, which installs the BarbWire backdoor. The filename of a sample of Barb(ie) detected by Cybereason is "Windows Notifications," and when it is made to run, it performs basic anti-analysis checks. If the host is deemed appropriate, the downloader links to an integrated C2 server. 

The BarbWire Backdoor is sent by the C2 server. The downloader contains a backup technique for finding a different C2. If the attackers need to modify the C2 from the one inserted, they can simply send an SMS message with the new destination. All inbound SMS messages are intercepted by the downloader. If one is provided by the intruders, it can just extract the new C2 information and install the backdoor. BarbWire steals data from PDFs, Office files, archives, picture files, movies, and photos, among other file types. It also checks for external media, such as a CD-ROM file, implying it's hunting for highly sensitive material which is carried around physically or over the internet. The stolen information is stored in a RAR archive and then sent to the attackers' C2 server. 

APT-C-23 employs several approaches which have been used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering efforts. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past missions, indicating the group's goal of avoiding notice. Another escalation for the threat actor is the usage of two backdoors, one for Windows and one for Android, resulting in very active espionage for the compromised targets.

Google Authenticator Codes for Android is Targeted by Nefarious Escobar Banking Trojan

 


'Escobar' virus has resurfaced in the form of a novel threat, this time targeting Google Authenticator MFA codes. 

The spyware, which goes by the package name com.escobar.pablo is the latest Aberebot version which was discovered by researchers from Cyble, a security research firm, who combed through a cybercrime-related forum. Virtual view, phishing overlays, screen captures, text-message captures, and even multi-factor authentication capture are all included in the feature set. 

All of these characteristics are utilized in conjunction with a scheme to steal a user's financial data. This malware even tries to pass itself off as McAfee antivirus software, with the McAfee logo as its icon. It is not uncommon for malware to disguise itself as a security software; in fact, it was recently reported that the malware was installed straight inside of a completely functional 2-factor authentication app. 

The malicious author is leasing the beta version of the malware to a maximum of five customers for $3,000 per month, with threat actors getting three days to test the bot for free. After development, the threat actor intends to raise the malware's price to $5,000. 

Even if the overlay injections are curtailed in some way, the malware has various other capabilities to make it effective against any Android version. In the most recent version, the authors increased the number of aimed banks and financial organizations to 190 entities from 18 countries. 

The malware asks a total of 25 rights, 15 of which are employed nefariously. To name a few, accessibility, audio recording, read SMS, read/write storage, acquiring account lists, disabling keylock, making calls, and accessing precise device locations. Everything the virus captures, including SMS call records, key logs, notifications, and Google Authenticator codes, is sent to the C2 server. 

It is too soon to gauge the popularity of the new Escobar malware among cybercriminals, especially given its exorbitant price. Nonetheless, it has grown in strength to the point that it can now lure a wider audience. 

In general, avoiding the installation of APKs outside of Google Play, utilizing a mobile security application, and ensuring the Google Play Protect is enabled on your device will reduce, the chances of being infected with Android trojans.

Spyware Infests the Microsoft Store with Classic Game Pirates

 



Electron Bot, a malware which infiltrated Microsoft's Official Store via clones of popular games like Subway Surfer and Temple Run, infected approximately 5,000 machines in Sweden, Israel, Spain, and Bermuda. 

Check Point discovered and studied the malware, which is a backdoor to give attackers unlimited control over infected PCs, allowing for remote command processing and real-time interactions. The threat actors' purpose is social media promotion and fraud, which is done by gaining control of social media profiles where Electron Bot allows for new account registration, commenting, and liking. 

An initial Electron Bot variant was uploaded to the Microsoft Store as "Album by Google Photos," published by a faked Google LLC business, and the operation was identified at the end of 2018. The malware, which is named after the Electron programming language, can mimic natural browsing behavior and perform acts as if it were a real website visitor. It accomplishes this by opening a new hidden browser window with the Electron framework's Chromium engine, setting the relevant HTTP headers, rendering the requested HTML page, and lastly performing mouse actions.

Threat actors develop rogue websites and employ search engine optimization strategies to push them to the top of the search results in an SEO poisoning campaign. SEO poisoning is also offered as a service to increase other websites' ranks, in addition to boosting bad sites' SEO rankings. The infection chain starts when the user downloads one of the infected apps from the Microsoft Store, which is otherwise a reliable source of software. When the application is launched, a JavaScript dropper is dynamically loaded in the side to fetch and install the Electron Bot payload. 

The malware links to the C2 (Electron Bot[.]s3[.]eu-central-1[.]amazonaws. com or 11k[.]online), acquires its configuration, and implements any commands in the pipeline at the next system startup. The JS files dumped on the machine's RAM are relatively short and appear to be benign because the major scripts are loaded flexibly at run time. 

Fraud, fleece wear, and financial trojans abound in official app shops. The Xenomorph banking malware was recently found by ThreatFabric, and the most humorous has to be Vultur, a trojan hidden inside a fully functional two-factor authentication (2FA) app which recently infected 10,000 people who downloaded it from Google Play. 

The successful entry of Electron Bot into Microsoft's official app store is only the most recent example of how consumers throw precaution into the breeze whenever a user views a bright new toy on the apps.

GriftHorse Malware has Infected More than 10 Million Android Devices

 

A new malware named GriftHorse is said to have infected over 10 million Android cell phones. According to the research at mobile security firm Zimperium, the threat group has been executing the campaign since November 2020. The GriftHorse malware was propagated through both Google Play and third-party application stores, according to the research group, and it stole "hundreds of millions of Euros" from victims. 

GriftHorse will produce a significant number of notifications and popups when a user downloads any of the malicious programmes, luring consumers in with exceptional discounts or prizes. People who click these are taken to a web page where they must authenticate their phone number in order to gain access to the promotion. 

In actuality, GriftHorse's victims are paying for premium SMS services that cost more than $35 per month. GriftHorse operators are thought to have made anywhere from $1.5 million to $4 million per month with this fraud, and their initial victims are thought to have lost more than $230 if they didn't stop the scam. 

GriftHorse malware has been tracked by Zimperium researchers Aazim Yaswant and Nipun Gupta for months, and they describe it as "one of the most widespread campaigns the zLabs threat research team has encountered in 2021." But, according to the two Zimperium researchers, the GriftHorse developers put a lot of effort into the quality of their malware, using a wide range of websites, malicious apps, and developer personas to infect victims and evade detection as much as possible.

“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” Yaswant and Gupta explained. “In addition to a large number of applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims.” 

Handy Translator Pro, Heart Rate and Pulse Tracker, Geospot: GPS Location Tracker, iCare – Find Location, and My Chat Translator are among the popular apps infested with GriftHorse malware. Users in India are also affected, according to the firm. Zimperium, a member of the App Defense Alliance, claimed it alerted Google about all GriftHorse-infected apps, which have since been withdrawn from the Play Store. These apps may, however, still be available in third-party app stores.

Fake Minecraft Modpacks On Google Play Deliver Millions of Abusive Ads and Disrupt Normal Phone Usage

 

Scammers have now begun taking advantage of the Minecraft sandbox video clip game’s wild accomplishment by building Google Play applications.
These applications surface to be Minecraft modpacks, but in its place supply abusive ads, as per researchers. Because Minecraft was designed in Java, it was easy for third-party developers to create compatible applications or these “modpacks” to enhance and customize the gaming experience for players. 

The reason why the game is so popular is basically the fact it builds certain skills within the players which have also been touted by parents and educators as beneficial (especially for kids). Since July, Kaspersky researchers have found more than 20 of these apps and determined that they have been downloaded on more than a million Android devices. 

Among those 15,000 Minecraft mods lurk at least 20 that Kaspersky researchers were able to identify as malicious. Google Play has removed all but five of the malicious titles, Kaspersky said: Zone Modding Minecraft, Textures for Minecraft ACPE, Seeded for Minecraft ACPE, Mods for Minecraft ACPE and Darcy Minecraft Mod are still up and available.

As per Kaspersky, once the modpack malware is installed on the Android device, it only allows itself to be opened once, and once opened, the app is glitchy and useless — exactly how it’s intended to work. 

“The frustrated user closes the app, which promptly vanishes. More precisely, its icon disappears from the smartphone’s menu. Because the ‘modpack’ seemed glitchy from the start, most users, especially kids and teens, won’t waste time looking for it,” a report reads by researchers.

“The sample we examined automatically opened a browser window with ads every two minutes, greatly interfering with normal smartphone use. In addition to the browser, the apps can open Google Play and Facebook or play YouTube videos, depending on the [command-and-control] server’s orders. Whatever the case, the constant stream of full-screen ads makes the phone practically unusable,” the report continued. 

Researchers said reinstalling the browser or messing with the settings would be the next likely troubleshoot, but that won’t get rid of the malware either. 

First, the user needs to identify the malicious app. The device will display a full list of apps under settings, (Settings → Apps and notifications → Show all apps). Delete the app from this list and the malware should be gone.

“Fortunately, the misbehaving modpacks get removed entirely with deletion and do not try to restore themselves.” However, researchers suggest that in order to avoid malicious apps for the parents and kids they should know where to look. For instance, they pointed out that although two of the malicious modpacks have different publishers, the descriptions are identical, “down to the typos.” 

The app ratings also offer a clue something is fishy. Kaspersky pointed out that the average rating was in the three-star neighborhood, but that’s because there were extreme reviews on either end of the spectrum, one-star or five-stars. 



Users complain that the app doesn't work and just deletes itself

“That kind of spread suggests that bots are leaving rave reviews, but real users are very unhappy,” the report added. “Unfortunately, in this case, the cybercriminals are targeting kids and teenagers, who may not pay attention to ratings and reviews before installing an app.”

Google removes 16 apps infected by 'Agent Smith' malware

Every now and then, Android keeps getting visited from deadly malware attacks that put user and their data at lots of risks. This time, it's a new malware called Agent Smith and like its name, this malware is sneaky in what it's designed to do - bombard your phone with ads. Agent Smith also has properties to stick to other apps installed on the phone and ensure that the malware infection stays the same. The malware was first detected by Check Point and after working with Google, the infected apps have been removed from Google Play Store.

After it was informed of the infection, Google has identified and removed 16 apps from the Play Store that are known to be infected by Agent Smith. These apps are no longer available for download from the Play Store and there won't be further updates for these apps via the Play Store. However, Google can only remove the app from the Play Store but it can't wipe these apps from an individual's Android phone. Hence, if you have the following apps installed on your Android phone, you should uninstall them immediately.

Ludo Master - New Ludo Game 2019 For Free

Sky Warriors: General Attack

Color Phone Flash - Call Screen Theme

Bio Blast - Infinity Battle Shoot virus

Shooting Jet

Photo Projector

Gun Hero - Gunman Game for Free

Cooking Witch

Blockman Go: Free Realms & Mini Games

Crazy Juicer - Hot Knife Hit Game & Juice Blast

Clash of Virus

Angry Virus

Rabbit Temple

Star Range

Kiss Game: Touch Her Heart

Girl Cloth Xray Scan Simulator

However, Agent Smith can cling on to other popular apps and make it difficult for users to identify which app has been affected by it. Two most popular apps in India include WhatsApp - through which it has infected 1.5 crore Android phones, and Flipkart.

Most of the Antivirus Android Apps Ineffective and Unreliable



In a report published by AV-Comparatives, an Austrian antivirus testing company, it has been found out that the majority of anti-malware and antivirus applications for Android are untrustworthy and ineffective.

While surveying 250 antivirus applications for Android, the company discovered that only 80 of them detected more than 30% of the 2,000 harmful apps they were tested with. Moreover, a lof of them showed considerably high false alarm rates.

The detailed version of the report showcased that the officials at AV-Comparatives selected 138 companies which are providing anti-malware applications on Google Play. The list included some of the most well-known names like Google Play Protect, Falcon Security Lab, McAfee, Avast, AVG, Symantec, BitDefender, VSAR, DU Master, ESET and various others.

ZDNet noted that the security researchers at AV-Comparatives resorted to manual testing of all the 250 apps chosen for the study instead of employing an emulator. The process of downloading and installing these infectious apps on an Android device was repeated 2,000 times which assisted the researchers in concluding the end result i.e., the majority of those applications are not reliable and effective to detect malware or virus.

However, the study conducted by AV-Comparatives also highlighted that some of the offered antivirus applications can potentially block malicious apps.

As some of the vendors did not bother to add their own package names into the white list, the associated antivirus apps detected themselves as infectious. Meanwhile, some of the antivirus applications were found with wildcards in order to allow packages starting with an extension like "com.adobe" which can easily be exploited by the hackers to breach security.

On a safer side, Google guards by its Play Protect which provides security from viruses on Android by default. Despite that, some users opt for anti-malware apps from third-party app stores or other unknown sources which affect safety on their devices.

The presence of malicious apps on Google Play was also noticed in the past and with the aforementioned study, Android is becoming an unsafe mobile platform.