
Google Removes 22 Malicious Android Apps Exposed by McAfee

Google recently took action against 22 apps that were available on the Google Play Store, which has alarmed Android users. These apps, which had been downloaded over 2.5 million times in total, were found to engage in harmful behavior that compromises users' privacy and severely drains the phone's battery. The disclosure, made by cybersecurity company McAfee, sheds light on the hidden threats that can be present in otherwise innocent-looking programs.

These apps allegedly consumed an inordinate amount of battery life and decreased device performance while secretly running in the background. Users were enticed to install the programs by the way they disguised themselves as various utilities, photo editors, and games. Their genuine intentions, however, were anything but harmless.

Several well-known programs, including 'Photo Blur Studio,' 'Super Smart Cleaner,' and 'Magic Cut Out,' are on the list of removed applications. These applications made use of background processes to carry out tasks including serving unwanted adverts, tracking users without their permission, and possibly even stealing private data. This case emphasizes the need for caution when downloading apps, even from sources that seem reliable, such as the Google Play Store.

Google's swift response to remove these malicious apps demonstrates its commitment to ensuring the security and privacy of its users. However, this incident also emphasizes the ongoing challenges faced by app marketplaces in identifying and preventing such threats. While Google employs various security measures to vet apps before they are listed, some malicious software can still evade detection, slipping through the cracks.

As a precautionary measure, users are strongly advised to review the apps currently installed on their Android devices and uninstall any that match the names on the list provided by McAfee. Regularly checking app permissions and reviews can also provide insights into potential privacy concerns.

The convenience of app stores should not take precedence over the necessity of cautious and informed downloading, as this case serves as a sharp reminder. Users must actively participate in securing their digital lives as fraudsters become more skilled. A secure and reliable digital environment will depend on public understanding of cybersecurity issues as well as ongoing efforts from internet giants like Google.

SharkBot Malware Targets Thousands of Android Users Via Disguised File Manager App

Variants of the SharkBot banking trojan were identified in multiple file manager Android applications on the Google Play Store, some of them with thousands of downloads. 

The majority of users who downloaded the trojanized apps were located in the U.K. followed by Italy, Iran, and Germany, security researchers at Bitdefender said in an analysis published this week. 

"The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to more covert methods," reads the advisory. "One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware."

This was the case with multiple file manager apps, which were disguised as file managers precisely to justify asking the user for permission to install external packages.

The permissions requested by the trojanized apps included READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, GET_ACCOUNTS, REQUEST_INSTALL_PACKAGES, QUERY_ALL_PACKAGES, and REQUEST_DELETE_PACKAGES.

"Of course, that permission is used to download malware," the researchers wrote. "As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated to a restricted pool of users, they are challenging to detect." 
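The permission combination described above is the kind of thing a defender can screen for before an app reaches a device. The following is an added example (not Bitdefender's tooling or the apps' code): it parses an AndroidManifest.xml, weights the permissions the advisory names with illustrative scores, and flags the install-plus-enumerate pair that makes a "file manager" a plausible dropper. The manifests and the risk weights are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions named in the Bitdefender advisory for the trojanized file managers.
# The weights are illustrative values chosen for this example, not a published scoring.
RISK_WEIGHTS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,  # can side-load a second-stage APK
    "android.permission.REQUEST_DELETE_PACKAGES": 2,
    "android.permission.QUERY_ALL_PACKAGES": 2,        # enumerate installed apps
    "android.permission.GET_ACCOUNTS": 2,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.WRITE_EXTERNAL_STORAGE": 1,
}
DROPPER_PAIR = {"android.permission.REQUEST_INSTALL_PACKAGES",
                "android.permission.QUERY_ALL_PACKAGES"}

def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def dropper_risk(manifest_xml: str):
    """Score a manifest and list findings; install + enumerate together is the dropper tell."""
    perms = manifest_permissions(manifest_xml)
    findings = sorted(p for p in perms if p in RISK_WEIGHTS)
    score = sum(RISK_WEIGHTS[p] for p in findings)
    if DROPPER_PAIR <= perms:
        score += 3
        findings.append("DROPPER_PATTERN: can install packages and enumerate installed apps")
    return score, findings

# Constructed sample manifests (not taken from the real apps).
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.viewer">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""
```

Running `dropper_risk(TROJANIZED_MANIFEST)` returns a score of 14 with the dropper pattern flagged, while the benign viewer scores 1 with no pattern finding.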

While the applications identified by the researchers are no longer available on the Play Store, they can still be downloaded via multiple third-party stores, making them a huge threat. 

The first app examined by the researchers was 'X-File Manager,' published by 'Viktor Soft ICe LLC' and counting over 10,000 installs before it was taken down by Google. 'FileVoyager' was the second one, published by 'Julia Soft Io LLC' with nearly 5,000 downloads.

The researchers discovered two more apps following an identical methodology, but they were never present on the Google Play store. They are called 'Phone AID, Cleaner, Booster' and 'LiteCleaner M' and were identified on the web via third-party app stores. 

The advisory published by the Bitdefender team comes weeks after threat analysts at Cleafy indicated the Android banking Trojan Vultur has reached more than 100,000 downloads on the Google Play Store.

Users who have downloaded the malicious apps are advised to delete them and change their bank account passwords immediately. Additionally, users are recommended to enable Google Play Protect and to check app ratings and reviews before downloading.

105 million Android Devices were Infected with 'Dark Herring' Invoice Malware

Dark Herring malware was identified by a Zimperium research team; the campaign is estimated to be worth millions of dollars, collected in monthly increments of $15 per victim. Google has since deleted all 470 fraudulent apps from the Play Store and the scam services have been shut down; however, any user who still has one of the apps installed could still be actively charged in the future. The apps can also be found in third-party app stores.

Direct carrier billing (DCB) is a mobile payment technique that adds charges for non-telecom services to a consumer's monthly phone bill. It is used by customers worldwide, particularly in underbanked countries, which makes it a tempting target for adversaries.

Dark Herring's long-term success was based on anti-virus evasion techniques, widespread distribution via a large number of apps, code encryption, and the use of proxies as first-stage URLs. While none of these features are novel or surprising on their own, seeing them together in one application is unusual for Android fraud. Furthermore, the actors used a complex infrastructure that accepted communications from users of all 470 applications yet handled each one individually based on a unique identifier.

The installed app contains no malicious code, but it does contain a hard-coded encoded string that refers to a first-stage URL hosted on Amazon CloudFront. The server's response includes links to further JavaScript files hosted on Amazon Web Services servers, which are then downloaded to the infected device.

The campaign was able to last so long because the malicious apps presented users with the expected functionality, in an attempt to remain installed on victims' devices. Once installed on a device, the Dark Herring applications begin communicating with the command-and-control (C&C) server to send over the victim's IP address, which is used to track the victim for a direct carrier billing subscription.

The victim is sent to a geo-specific webpage, where they are asked for personal details such as their phone number, ostensibly for verification purposes. The victim has no idea, however, that they are handing their contact information to a subscription plan. "The victim does not understand the impact of the crime right away," Zimperium explains, "and the chance of the theft extending for months before discovery is high, with hardly any remedy to get one's money back."

Given Dark Herring's evident accomplishments, Zimperium believes it is unlikely that the cybersecurity community will hear from this criminal outfit again.

Notorious ‘Joker’ Malware Infects Google Play App with 500,000 Downloads

An Android app with more than half a million downloads from the Google Play app store has been discovered hosting malware that secretly transmits users’ contact lists to an attacker-controlled server and signs them up for expensive subscriptions without their knowledge.

Cybersecurity researchers at Pradeo discovered the Joker malware in a messaging-focused app called Color Message, which Google has now removed from its official Android app marketplace. The malicious app claimed to make SMS texting more fun with new emojis. In addition, the researchers observed the Joker malware simulating clicks in order to generate revenue from malicious ads, and connecting to servers hosted in Russia.

“Our analysis of the Color Message application through the Pradeo Security engine shows that it accesses users’ contact list and exfiltrates it over the network,” mobile security firm Pradeo stated. 

“Simultaneously, the application automatically subscribes to unwanted paid services unbeknownst to users. To make it difficult to be removed, the application has the capability to hide its icon once installed.” 

Reviews of the malicious app on the Play Store indicated that some users had noticed the unauthorized behavior, with complaints about being charged for services they had not requested. Google has already removed the app from the Play Store. However, the app still poses a risk to users who downloaded it in the past, and researchers advise them to uninstall it immediately.

Joker, since its discovery in 2017, has been a notorious fleeceware that is hard to notice because of the tiny footprint of its code and the techniques its developers use to stash it. Over the past few years, the malware has been identified lurking in hundreds of apps downloaded by millions of people and performing an array of malicious activities, including billing fraud and intercepting SMS messages, contact details, and device information of users.

"We are [sic] committed to ensuring that the app is as useful and efficient as possible. For that reason, we reserve the right to make changes to the app or to charge for its services, at any time and for any reason. We will never charge you for the app or its services without making it very clear to you exactly what you're paying for,” the developers behind Color Message state in their terms and conditions.

UltimaSMS Premium Fraud Campaign Exploits Millions of Android Devices

Avast researchers have unearthed a global SMS premium fraud campaign on the Google Play Store, dubbed UltimaSMS. Scammers used 151 Android apps with 10.5 million downloads from over 80 countries to trick users into signing up for premium services that can cost up to Rs.3,000 per month depending on their cell carrier and location. 

The scammers used a fake photo editor, spam call blockers, camera filters, games, and other apps, and promoted them via Instagram and TikTok channels. These phony apps were downloaded in large numbers by people in Pakistan, Saudi Arabia, Egypt, the UAE, the USA, Poland, and many other countries in the Middle East. After the fraud was discovered, Google banned 150 malicious apps and removed them from the Play Store.

Once a malicious app is installed, the scammers check the user's location, International Mobile Equipment Identity (IMEI), and phone number to determine the language in which to communicate with the user. When the user opens the app, a screen is displayed asking them to enter their phone number and, in some cases, an email address, supposedly to gain access to the app's advertised service or product.

Avast researchers named the fraud campaign "UltimaSMS" because one of the first apps the researchers discovered, in May 2021, was called Ultima Keyboard 3D Pro.

"Upon entering the requested details, the user is subscribed to premium SMS services that can charge upwards of $40 per month depending on the country and mobile carrier. Instead of unlocking the apps' advertised features, which users might assume should happen, the apps will either display further SMS subscription options or stop working altogether," reads the blog post published by Avast. "The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions."

Tips to protect yourself from fraudulent SMS apps 

• Deactivate the premium SMS option from your carrier. Deactivating this option will nullify the UltimaSMS scam. 
• Make sure to read the reviews before downloading any such app. Reading reviews can help you find out the intent of the app. 
• Unless you trust the app, don't register your mobile number. 
• Read every notification that comes up while installing the app carefully and give any permission only after reading.