Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Malicious Apps. Show all posts

EvilVideo Exploit: Telegram Zero-Day Vulnerability Allows Disguised APK Attacks

 

A recent zero-day vulnerability in Telegram for Android, dubbed ‘EvilVideo,’ has been exploited by attackers to send malicious Android APK payloads disguised as video files. This significant security flaw was first brought to light when a threat actor named ‘Ancryno’ started selling the exploit on June 6, 2024, on the Russian-speaking XSS hacking forum. 

The vulnerability affected Telegram versions 10.14.4 and older. ESET researchers discovered the flaw after a proof-of-concept demonstration was shared on a public Telegram channel, allowing them to analyze the malicious payload. They confirmed that the exploit worked on Telegram v10.14.4 and older, naming it ‘EvilVideo.’ The vulnerability was responsibly disclosed to Telegram by ESET researcher Lukas Stefanko on June 26 and again on July 4, 2024. Telegram responded on July 4, indicating that they were investigating the report. 

Subsequently, they patched the vulnerability in version 10.14.5, released on July 11, 2024. This timeline suggests that threat actors had at least five weeks to exploit the zero-day vulnerability before it was patched. While it remains unclear if the flaw was actively exploited in attacks, ESET shared a command and control server (C2) used by the payloads at ‘infinityhackscharan.ddns[.]net.’ BleepingComputer identified two malicious APK files using that C2 on VirusTotal that masqueraded as Avast Antivirus and an ‘xHamster Premium Mod.’ 

The EvilVideo zero-day exploit specifically targeted Telegram for Android. It allowed attackers to create specially crafted APK files that, when sent to other users on Telegram, appeared as embedded videos. ESET believes the exploit used the Telegram API to programmatically create a message showing a 30-second video preview. The channel participants received the payload on their devices once they opened the conversation. 

For users who had disabled the auto-download feature, a single tap on the video preview was enough to initiate the file download. When users attempted to play the fake video, Telegram suggested using an external player, which could lead recipients to tap the “Open” button, executing the payload. Despite the threat actor’s claim that the exploit was “one-click,” the multiple clicks, steps, and specific settings required for a successful attack significantly reduced the risk. ESET tested the exploit on Telegram’s web client and Telegram Desktop and found that it didn’t work on these platforms, as the payload was treated as an MP4 video file. 

Telegram’s fix in version 10.14.5 now correctly displays the APK file in the preview, preventing recipients from being deceived by files masquerading as videos. Users who recently received video files requesting an external app to play via Telegram are advised to perform a filesystem scan using a mobile security suite to locate and remove any malicious payloads.

Beware of Malicious YouTube Channels Propagating Lumma Stealer

 

Attackers have been propagating a Lumma Stealer variant via YouTube channels that post videos about cracking into popular applications. They prevent detection by Web filters by spreading the malware over open source platforms like MediaFire and GitHub rather than proprietary malicious servers. 

The effort, according to FortiGuard researchers, is reminiscent of an attack that was uncovered in March of last year and employed artificial intelligence (AI) to disseminate step-by-step installation manuals for programmes like Photoshop, Autodesk 3ds Max, AutoCAD, and others without a licence. 

"These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and incorporating malicious URLs often shortened using services like TinyURL and Cuttly," Cara Lin, Fortinet senior analyst, wrote in a blog post. 

Modus operandi 

The attack begins with a hacker infiltrating a YouTube account and publishing videos pretending to offer cracked software tips, along with video descriptions carrying malicious URLs. The descriptions also lure users to download a.ZIP file containing malicious content. 

The videos identified by Fortinet were uploaded earlier this year; however, the files on the file-sharing site are regularly updated, and the number of downloads continues to rise, suggesting that the campaign is reaching victims. "This indicates that the ZIP file is always new and that this method effectively spreads malware," Lin stated in a blog post. 

The .ZIP file contains an.LNK file that instructs PowerShell to download a.NET execution file from John1323456's GitHub project "New". The other two repositories, "LNK" and "LNK-Ex," both contain .NET loaders and use Lumma as the final payload.

"The crafted installation .ZIP file serves as an effective bait to deliver the payload, exploiting the user's intention to install the application and prompting them to click the installation file without hesitation," Lin wrote.

The .NET loader is disguised with SmartAssembly, a valid obfuscation technique. The loader then acquires the system's environment value and, after the number of data is correct, loads the PowerShell script. Otherwise, the procedure will depart the programme.

YouTube malware evasion and caution

The malware is designed to prevent detection. The ProcessStartInfo object starts the PowerShell process, which eventually calls a DLL file for the following stage of the attack, which analyses the environment using various methods to avoid detection. The technique entails looking for debuggers, security appliances or sandboxes, virtual machines, and other services or files that could impede a malicious process. 

"After completing all environment checks, the program decrypts the resource data and invokes the 'SuspendThread; function," Lin added. "This function is employed to transition the thread into a 'suspended' state, a crucial step in the process of payload injection.” 

Once launched, Lumma communicates with the command-and-control server (C2) and establishes a connection to transfer compressed stolen data back to the attackers. Lin observed that the variation employed in the campaign is version 4.0, but its exfiltration has been upgraded to use HTTPS to better elude detection. 

On the other hand, infection is trackable. In the publication, Fortinet provided users with a list of indications of compromise (IoCs) and cautionary advice regarding "unclear application sources." According to Fortinet, users should make sure that any applications they download from YouTube or any other platform are from reliable and safe sources.

Thousands of Malicious Android Apps are Employing Covert APKs to Bypass Security

 

To avoid malware detection, threat actors are employing Android Package (APK) files with unknown or unsupported compression algorithms.

That's according to findings from Zimperium, which discovered 3,300 artefacts using such compression algorithms in the wild. 71 of the discovered samples can be successfully loaded into the operating system. 

There is no evidence that the apps were ever available on the Google Play Store, implying that they were disseminated through alternative channels, most likely through untrustworthy app stores or social engineering to fool users into sideloading them. 

The APK files employ "a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analysed," security researcher Fernando Ortega explained. "In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method." 

The benefit of this approach is that it can withstand decompilation tools while still being installed on Android devices with operating systems older than Android 9 Pie. 

The Texas-based cybersecurity company claimed that after reading Joe Security's post on X (formerly Twitter) in June 2023 about an APK file that had this behaviour, it began its own investigation. 

There are two ways that Android packages can use the ZIP format: one without compression and the other with the DEFLATE algorithm. The key finding in this study is that APKs compressed using unsupported techniques cannot be installed on devices running Android versions lower than 9, while they may be used without issue on subsequent versions. 

Zimperium also found that malware developers intentionally corrupt APK files by giving them filenames longer than 256 characters and creating corrupt AndroidManifest.xml files to trigger analysis tools to crash. 

The revelation comes just after Google revealed how threat actors were using a method known as versioning to get around the Play Store's malware detections and target Android users. 

Safety measures 

Thankfully, there are several procedures you can take to safeguard your phone from malicious Android apps. The first and most significant piece of advice is to stay away from sideloading apps unless it is unavoidable. There are a few peculiar situations in which you might need to sideload an app for work or to make a certain product work, but other than that, you shouldn't install any apps from unknown sources. 

As a general guideline, you should only download apps from the Play Store or other authorised app shops like the Samsung Galaxy Store or Amazon Appstore. Sometimes malicious software does manage to slip through the gaps, which is why it pays to do your research before installing any new app by reading reviews and looking into the app's developers.

Over 60K Adware Apps Target Android Devices

Over 60,000 adware apps disguised as cracked versions of popular apps have been discovered, posing a significant threat to Android device users. These malicious apps have been circulating for the past six months, secretly installing adware and compromising user privacy.

The discovery was made by cybersecurity researchers who found that the adware apps were cleverly designed to imitate cracked versions of popular applications, tempting users with promises of free access to premium features. Once installed, these apps exploit their access to the device, displaying intrusive advertisements, redirecting users to potentially harmful websites, and collecting personal information without user consent.

The impact of these adware apps goes beyond annoying ads and pop-ups. They can significantly compromise user privacy and security, as they often have access to sensitive information such as contact lists, location data, and browsing history. Additionally, these apps can drain device resources and slow down performance, causing frustration for users.

The adware apps were distributed through various unofficial app stores and online forums, taking advantage of users' desire to access premium features without paying. Due to their deceptive nature, they managed to evade security measures and make their way onto unsuspecting users' devices.

To protect themselves from these threats, Android device users are advised to follow best practices for app installation. It is crucial to download apps only from official sources such as the Google Play Store, where apps undergo thorough security checks. Users should also be cautious of downloading cracked versions of apps from unauthorized websites or third-party app stores, as these are often breeding grounds for malware.

Furthermore, keeping devices up to date with the latest security patches and regularly scanning for malware using reputable mobile security solutions can help detect and remove any adware apps that may have infiltrated the system.

This incident serves as a reminder of the persistent threats faced by Android users and the need for heightened vigilance when downloading and installing applications. Users must remain cautious, exercise due diligence, and rely on trusted sources for their app needs.


Upsurge in UPI Fraud Cases: How can you Guard Against These Scams

 

India is going digital as more and more individuals use the internet to shop, order food, and complete other activities.

According to a Times of India (TOI) report, in March 2023, Unified Payment Interface (UPI) transactions reached a record high of 865 crores, with a record value of Rs 14.07 lakh crore. The number of transactions totaled 728 crores, which was 18% greater than in February 2023.

However, as UPI transactions have increased, so have instances of online fraud and frauds. More than 95,000 fraud cases using UPI transactions were reported in 2022–2023, up from 84,000 cases in 2021–2022 according to the Union Ministry of Finance. 

Let's focus on UPI frauds in more detail, along with certain precautions you might take.

UPI PIN request 

With the promise of sending money, fraudsters occasionally seduce their victims. To receive the money, they then request that their target enter their UPI PIN. The scammer can easily utilise the victim's UPI PIN to withdraw money if they comply and enter it. Let’s take a look at how UPI scams take place and what you can do to protect yourself. 

“For receiving money, no PIN is required. Anyone asking you for a PIN is a scammer,” Prashant Gautam, DCP of the Intelligence Fusion and Strategic Operations (IFSO) unit of Delhi stated.
 
Customer care fraud 

Fraudsters who pose as customer service representatives are also taken in by the public. A government teacher was recently tricked after calling the number that appeared to be the top search result on Google, thinking it was the Google Pay customer service number. 

The con artist promised to assist the teacher when he complained about inaccurate transactions on the Google Pay app and requested his personal banking information. Following the teacher's disclosure of the information, the fraudster withdrew Rs 2.50 lakh from his bank account.

Cybercriminals will occasionally threaten customers with the blocking of their e-wallet if they do not complete KYC or update their Aadhaar or PAN information under the guise of customer service representatives. Later, "under the guise of verification, they ask the victims to download third-party access apps," the police officer continued, "through which they get remote access to the digital wallets." 

Money sent by 'error' 

Scammers typically send money to their potential targets via UPI apps like Paytm, Google Pay, PhonePe, etc., according to a Delhi Police official, and then contact them to claim that they made a mistake. The cybercriminal then sends the victim a URL and requests that they use it to repay the money. If a person clicks on the link, they lose control of their bank account and digital wallet, which the scammer can then access. 

Prevention tip

Here are three strategies you should learn to use as self-defense against such frauds.

Avoid engaging with fraudsters: Please don't continue if the caller's identity or the source of the information they are sharing are unclear to you or if you are unfamiliar with the number. Especially for food and beverage establishments, be aware of phone numbers listed on public websites as they might not be legitimate. Always confirm someone's identity by checking again. Never forget that your bank will never phone or text you asking for any type of private information. 

Be mindful of the golden rule while receiving payment: No PIN is needed in order to receive money. The 'request money' feature of payment apps is frequently abused by scammers. They will pretend to be interested in purchasing a product you may have posted for sale online. You will NEVER be asked for a PIN if money needs to be debited to your bank account, so keep that in mind at all times. 

Watch out for fake apps: Many fraudulent or malicious apps try to trick you by appearing to be something else. The software will have a similar appearance to the original bank app and be simple to download. Your personal information will be shared with scammers if you unintentionally download and install the bogus app, giving them access to your account and enabling them to steal money. Beware of fake banking apps like Modi Bhim, BHIM Payment-UPI Guide, Bhim Modi App, and BHIM Banking Guide that have been accused of obtaining consumer personal information under the guise of offering a useful service.

Passwords and 2FA Codes Stolen by the Android FluHorse Malware

 


The latest Android malware named 'FluHorse' has been discovered which targets Eastern Asian users with malicious apps that look like legitimate versions with over a million installs and are designed to steal personal data and spread malware. 

Check Point Research suggests that these malicious apps collect sensitive information from your device, including your credentials and the code for your Two-Factor Authentication (2FA) service. 

A person who falls for this trick is likely to give out sensitive personal details that could eventually be misused by criminals like passwords and banking details. 

Several researchers have given the malware the name "FluHorse", reporting that it has been active for a year and its operators still run it. To spread malware, they sent phishing emails to "high-profile" targets informing them that there was a problem with payment and that they would need to download an app to solve the issue.  

One of the most dangerous features of FluHorse is its ability to steal passwords and two-factor authentication codes from malware-infected devices. Additionally, according to Check Point's report on this campaign, most of the app impersonations have over one million installs. 

The emails are used to distribute apps across the globe which include a Taiwanese app that collects tolls to help with traffic, VPBank Neo, a Vietnamese banking app, and an unnamed app that deals with transportation. 

A legal version of each of the first two apps has been downloaded over one million times. In addition, the official version of the third app has been downloaded over one million times. In their study, the researchers found that the operators did not try to duplicate the legitimate apps exactly. Instead, they copied a few windows and mimicked the GUI of the legitimate apps. It is common for a malicious app to display a "system is busy" message to the victim as soon as they enter their account credentials and credit card details to buy time until the attackers can steal the data.  

During the initial stages of phishing emails, high-profile entities such as government officials and other entities concerned with public safety were targeted in some cases.

It was also reported by Check Point that there was malware including an app used by 100,000 people cloned as a transportation app, but the name of the app was not revealed in the report. 

In the case that two-factor authentication codes need to be intercepted and repurposed later for hijacking the accounts, all three fake apps request SMS access during installation. 

To begin an attack using FluHorse, malicious email messages are sent to high-profile targets, urging them to resolve a payment issue as fast as possible.  

In addition, the report stated that, upon installation, each of the three fake apps asked users to provide SMS access to intercept incoming 2FA codes. This is if such hacking was required. 

A fake app mimics an original one, but it lacks any function other than loading a couple of windows and capturing the information from the victim's personal information through forms to be filled out.

The app will display the "system is busy" message for 10 minutes once it has captured the victim's account credentials and credit card details to simulate a real-life situation, while operators act in the background to intercept and use two-factor authentication codes.

In addition to its ability to remain undetected for long periods, one of the most concerning aspects of FluHorse is its ability to be a persistent and dangerous threat. FluHorse attacks begin with targeted and malicious emails sent to high-profile individuals to convince them to resolve a payment issue immediately, as a result of an alleged payment issue. 

Using Employment Offers, North Korean Hackers Target Security Researchers

 

Security experts have been the victim of a hacking campaign by threat actors associated with the North Korean government that use cutting-edge methods and malware in an effort to infiltrate the organizations the targets work for, according to researchers.

As per researchers from security company Mandiant, they first became aware of the activity in June of last year while monitoring a phishing attempt that was aimed at a US-based client in the technology sector. By using three new malware families—Touchmove, Sideshow, and Touchshift—the hackers in this effort aimed to infect targets. In addition, while operating inside the cloud environments of their targets, the hackers in these assaults displayed new ability to evade endpoint detection technologies.

In order to communicate with their victims using WhatsApp, the attackers utilize social engineering to persuade them to do so. It is at this point that the malware payload 'PlankWalk' with a C++ backdoor, which aids in infiltrating the corporate environment of the target, is delivered.

In this operation, Mandiant believed UNC2970 targeted specifically security researchers. The North Korean threat actor, UNC2970, repeatedly breached US and European media organizations, prompting a reaction from Mandiant. In an effort to lure the targets and deceive them into installing the new virus, UNC2970 used spearphishing with a job advertisement theme.

Historically, UNC2970 has sent spearphishing emails with themes of employment recruitment to certain target organizations. The hackers approach their targets over LinkedIn and pose as recruiters for jobs before launching their attack. They eventually switched to WhatsApp to carry on the recruitment process, sharing a Word document with malicious macros.

Mandiant claims that these Word papers may occasionally be styled to fit the job descriptions they are marketing to their targets.The trojanized version of TightVNC is fetched using remote template injection performed by the Word document's macros from infected WordPress websites that act as the attacker's command and control servers.

The malware loads an encrypted DLL into the system's memory once it has been executed using reflection DLL injection.The loaded file is a malware downloader called 'LidShot,'which performs system enumeration and launches PlankWalk, the last payload that establishes a foothold on the compromised device.

Previously, North Korean hackers used phony social media identities that claimed to be vulnerability researchers to target security experts working on vulnerability and exploit development. Companies should also take into account other security measures, such as restricting macros, utilizing privileged identity management, conditional access policies, and security warnings. A dedicated admin account should be used for delicate administration tasks, and a another account should be used for email sending, web browsing, and similar activities.





Threats of Discord Virus: Ways to Eliminate it

Discord has gained popularity as a tool for creating communities of interest since the launch of its chat and VoIP services, notably among gamers. Discord can be exploited, though, similar to any other platform that contains user-generated material. 

It was discovered in 2021 that hackers carried out a number of malware attacks targeting Discord. Cybercriminals use various techniques to spread more than 20 different varieties that have been found. Due to Discord's broad customizability possibilities, common users are vulnerable to attacks inside and outside the chat server. Recent security analysis on Discord has uncovered a number of cyberattack scenarios connected to its chat service, which can be quite risky for users.

How does the Discord virus infiltrate the system?

The common phrase used to describe malware programs exchanged using the official Discord app is 'Discord Virus.' To get Discord users to run malicious software, cybercriminals use a variety of tactics, the pirated version of Discord Nitro is also frequently offered by attackers. 

The Discord software has a premium edition called Discord Nitro that is packed with more sophisticated capabilities. It is important to understand that the Discord Nitro app cannot be cracked because the premium features are delivered over the servers and not embedded into the app.

The system does display a few typical signs that point to the existence of Trojan infection:
  • The CPU is abruptly utilized more than normal
  • The system regularly glitches
  • Malicious pop-ups are constantly flooding browser
  • The user is not asked to initiate the opening of a window
  • Redirection to suspicious or unreliable websites
How to Update and Fix Discord

1. Operate discord as an administrator

Running the application with administrative rights may be a simple way to fix the Discord Update Failure problem. You can download and run the most recent Discord update due to this enabling the updater to change your device.

2. Give the update.Exe file a new name

A bug with the application's update.exe file was discovered by Discord's troubleshooters. For the best chance of successfully updating Discord to the most recent version, try renaming this file.

Copy "C: Users Username AppData" without the quotations and put it into the Windows + R keyboard shortcut. The username should be changed to the username for your local account.

3. Avoid using windows defender

The Discord Update occasionally crashes due to conflicts with Windows 10's default antivirus protections. Disabling Windows Defender will allow you to try updating Discord.

4. Disable your antivirus temporarily

Antivirus programs have a reputation for causing problems on computers by obstructing your internet service or preventing services and apps from operating as intended.

Discord can give rise to predatory behaviors like cyberbullying. Additionally, extreme organizations utilize Discord to recruit new members and keep in touch with them. You should take precautions against malicious users on Discord and never give out your personal information to anyone.

While utilizing the service, Discord provides a list of precautions to take in order to avoid spam and hacking. One recommendation is to create secure passwords that are less likely to be hacked. Additionally, individuals can defend themselves by scanning for suspected phishing attempts. 


Evolution of Malware and Its Ever-Expanding Landscape

 

Whether you are a large corporation or just a regular user, the internet can be deadly. And although digital technologies offer new opportunities, fraudsters are becoming increasingly skilled at exploiting them.

CrowdStrike's 2022 Global Threat Report indicates that there were 82% more ransomware-related data breaches in 2017 than there were in 2016. Iranian hackers who are supported by the government were recently uncovered to have spied on people using phoney VPN apps. Phishing operations are frequently the easier method to strike, like the current one that targeted shoppers over Black Friday. 

All of these assaults have one thing in common: malicious software that is able to get past one or more devices' security measures and harm the users of those devices. That is what is referred to as malware in technical lingo. 

You might be tempted to believe that all you need to do to protect your data is download one of the top antivirus programmes. However, the reality is more complicated when it comes to really safeguard your device from infection. 

Because malware can take many different forms, your security strategy must also be varied. A simple mix of protection software is not the best defence against malware, either. Before you can defeat an adversary, you must understand it. Knowledge and safety measures are the first lines of defence! 

Most Typical Forms of Malware 

Ransomware: When it infects a device, it encrypts the data and systems of the users, making it impossible to access them until a ransom is paid. It frequently spreads through malicious files, and it typically targets companies rather than individuals. 

Spyware: As its name implies, this category of software tries to gather information for secretly monitoring users. Keyloggers are a type of spyware that, for instance, tracks user activity. Spyware frequently accesses devices using both fraudulent and real apps. 

Trojans: These are programmes that appear to be trustworthy while secretly carrying out malicious attacks on users' systems. They can be discovered in a variety of software programmes, such as games or other well-known apps, as well as an attachment to a malicious email. 

Mitigation Tips 

Because there are many various types of malware on the internet that behave differently, an effective defence against it needs to be varied to protect your device from all potential threats. Here are some recommendations you might want to adopt on a regular basis. 

Use a reliable antivirus 

It goes without saying that every user should have a trustworthy antivirus programme installed on their devices, including antivirus for Mac. This is because, before installation, it will ensure that all files and programmes are clean of malware. You may schedule routine scans and adjust monitor settings simultaneously based on your requirements. Just be aware that some malware may manage to evade its control. 

Maintain software updates 

Attacks are frequently launched by cybercriminals using OS and app vulnerabilities. In order to reduce hazards, it is crucial to maintain your system and software updated. To ensure that you don't miss any changes, enable automatic updates. 

Frequently backup your data 

We talked about the risk that cyberattacks like ransomware or file-wiper software pose to your data. While the latter instantly delete all the content on your device, the former frequently prevents you from regaining control of your data even after you agree to pay. Therefore, the best line of defence in case you become targeted is to periodically back up your contents on an external hard drive or encrypted cloud storage. 

Pay attention to warning signs 

Malware may infiltrate your device even if you take precautions and download the proper protection software. In these situations, your chances of reducing the hazards increase with the speed of your response. To find a cure for any sickness, you must pay close attention to the symptoms. These include emails that are sent without your knowledge, your device stalling or crashing, programmes running on their own, an unexpectedly full hard disc, and more.

SharkBot Malware Targets Thousands of Android Users Via Disguised File Manager App

 

Variants of the SharkBot banking trojan were identified in multiple file manager Android applications on the Google Play Store, some of them with thousands of downloads. 

The majority of users who downloaded the trojanized apps were located in the U.K. followed by Italy, Iran, and Germany, security researchers at Bitdefender said in an analysis published this week. 

"The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals’ resort to more covert methods," reads the advisory. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware." 

This was the case with multiple file manager apps, which were disguised as such to justify the request for permission to install external packages from the user. 

The permissions asked by trojanized apps included READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, GET_ACCOUNTS, REQUEST_INSTALL_PACKAGES, QUERY_ALL_PACKAGES, and REQUEST_DELETE_PACKAGES. 

"Of course, that permission is used to download malware," the researchers wrote. "As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated to a restricted pool of users, they are challenging to detect." 

While the applications identified by the researchers are no longer available on the Play Store, they can still be downloaded via multiple third-party stores, making them a huge threat. 

The first app examined by the researchers was 'X-File Manager,' designed by 'Viktor Soft ICe LLC' and counting over 10,000 installs before it was taken down by Google. 'FileVoyager' was the second one, manufactured by 'Julia Soft Io LLC' with nearly 5,000 downloads. 

The researchers discovered two more apps following an identical methodology, but they were never present on the Google Play store. They are called 'Phone AID, Cleaner, Booster' and 'LiteCleaner M' and were identified on the web via third-party app stores. 

The advisory published by the Bitdefender team comes weeks after threat analysts at Cleafy indicated the Android banking Trojan Vultur has reached more than 100,000 downloads on the Google Play Store.

Users who have downloaded the malicious apps are advised to delete them and change their bank account passwords immediately. Additionally, users are recommended to enable Play Store Protect and scan app ratings and reviews before downloading them.

Warning to iPhone and Android Users: 400 Apps Could Leak Data to Hackers

 


Android and iPhone users are being told to delete specific apps from their mobile phones because they could potentially steal their data. 

According to reports, Facebook has issued a warning after discovering an apparent data hack. This appears to have infected more than 400 apps and appears to have been stealing sensitive login information from smartphones. Because these apps offer popular services such as photo editors, games, and VPNs, they can easily remain unnoticed. This is because they tend to advertise themselves as popular services.

The scam apps are designed to obtain sensitive consumer information by asking users to sign in via their Facebook account once the apps have been installed. Hull Live reported that this is being done for them to be able to access their features.

It has been reported that Facebook published a post on its newsroom about a malicious app that asks users to sign in with their Facebook account. This is before they can use its advertised features. If they enter their credentials, the malware steals their usernames and passwords, which is a serious security risk.

In this case, there are official Google Play Store and Apple App Store marketplaces where these applications are available for download. This means that thousands of devices could potentially have been installed on them.

Apple and Google have already removed these apps from their application stores, however, they can still be found on third-party marketplaces, so anyone who had already downloaded the apps could still be targeted if they had done so previously.

According to Facebook, this year, they have identified more than 400 malicious Android and iOS apps that target people across the internet to steal their login information. This is in a bid to gain access to their Facebook accounts.

Apple and Google have been informed of the findings. It is working to assist those who might be affected by these results in learning more about how to remain safe and secure with their online accounts.

According to Facebook, users should take the following steps to fix the problem:

• Reset and create new, stronger passwords. Keep your passwords unique across multiple websites so that you, do not have to reuse them.

• To further protect your account, you should be able to use two-factor authentication. Preferably by using the Authenticator app as a secondary security measure.

• Make sure that you enable log-in alerts in your account settings so you are notified if anyone attempts to gain access to your account.

• Facebook also outlined some red flags that Android and iPhone users should be aware of when choosing an app that is likely to be, fraudulent.

• Users must log in with social media to use the app and, it will only function once they have completed this step.

A Facebook spokesperson added that looking at the number of downloads, ratings, and reviews may help determine whether a particular app is trustworthy.

Harley Trojan Affecting the Users by Impersonating the Applications

 

There are numerous unpatched malwares hidden under the apps in the Google Play Store that seem to be harmless but are actually malicious programs. Google Play Store is an official platform that runs every process with careful monitoring carried out by the moderators. However, some apps may evade the moderator's check since it's not possible to check all the apps before they go live on the platform. 

One such popular malware, called Trojan Subscribers has been discovered by Kaspersky. It affects the users by signing up for paid services without their knowledge. The malware exhibits similarities with the Jocker Trojan subscriber, experts presume that the two have a common origin. 

A trojan is a malicious code or software that gets downloaded onto a system, disguised as an authorized application. 

In the past 3 years, over 190 apps have been found infected with Harly Trojan on the Google play store, and the number of downloads of such apps is more than 4.8 million.  

To spread the virus to different systems, the threat actors download the original applications and place their malicious code into them and later re-upload them to Google Play Store with some other name. 

The attackers play smart by keeping the same features in the app as listed in the description so that the users do not suspect a threat. The impersonating of legitimate apps also provides advertisement. 

The Trojan malware belonging to the Harley family includes a payload inside the application and uses numerous methods to decrypt and execute the payload. 

After the decryption, the Harley gathers information about the user’s device including the mobile network. By connecting to the mobile network, the malware opens up a list of subscription addresses from a C&C server, where it automatically enters the user's mobile number followed by other options to continue the process, including the OTP from messages. As a result, the user ends up with a paid subscription for a service without their knowledge or consent.  

To avoid being a victim of such apps, anti-virus experts suggest looking for reviews of the applications before downloading them. Google has been notified about such apps and asked to remove all the Trojan-infected apps from the platform and devices that are infected with them. 

Google Removes Several Apps From Play Store Distributing Malware

 

Earlier this week, Google blocked dozens of malicious Android apps from the official Play Store that were propagating Joker, Facestealer, and Coper malware families via the virtual marketplace. 

According to the findings from Zscaler ThreatLabz and Pradeo researchers, the Joker spyware exfiltrated SMS messages, contact lists, and device information and lured victims to sign up for premium service subscriptions. 

A total of 54 Joker downloader apps were unearthed by the two cybersecurity firms, with the apps installed cumulatively over 330,000 times. Nearly half of the apps belonged to communication (47.1%) category followed by tools (39.2%), personalization (5.9%), health and, photography. 

“The tools and communication were among the most targeted categories covering the majority of the Joker-infected apps. ThreatLabz discovered daily uploads of apps containing the Joker malware indicating the high activity level and persistence of the adversary group.” reads the blog post published by Zscaler. “Consistent with previous findings, ThreatLabz's latest discoveries belonging to the Joker malware campaign continue to follow similar developer naming patterns and use of familiar techniques.” 

ThreatLabz experts also uncovered multiple apps compromised with the Facestealer and Coper malware. 

The Facestealer spyware was first unearthed in July last year by Dr. Web researchers, and was designed to steal Facebook users’ logins and passwords and authentication tokens. 

The Coper malware is a banking trojan that targets banking applications in Europe, Australia, and South America. The hackers distribute the apps by disguising them as legitimate apps in the Google Play Store. 

“Once downloaded, this app unleashes the Coper malware infection which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overly attacks, preventing uninstalls and generally allowing attackers to take control and execute commands on infected device via remote connection with a C2 server.” continues the report. 

The researchers recommended users to refrain from granting unnecessary permissions to apps and verify their authenticity by checking for developer information, reading reviews, and scrutinizing their privacy policies. If you become a victim of a malicious app from the Play Store, inform Google about it immediately through the support options in your play Store app.

Facestealer Trojan Identified in More than 200 Apps on Google Play

 

Cybersecurity researchers at TrendMicro have identified more than 200 applications on Google Play distributing spyware called Facestealer used to steal user credentials and other sensitive data, including private keys. The worrying thing is that the number and popularity of these types of applications are increasing day by day, with some even being installed over a hundred thousand times. 

Some malicious applications that users should uninstall immediately include: Daily Fitness OL, Enjoy Photo Editor, Panorama Camera, Photo Gaming Puzzle, Swarm Photo, Business Meta Manager, and Cryptomining Farm Your Own Coin. 

Facestealer, first identified by Doctor Web in July 2021, steals Facebook information from users via malicious apps on Google Play, then uses it to infiltrate Facebook accounts, serving purposes such as scams, fake posts, and advertising bots. Similar to the Joker malware, Facestealer changes its code frequently and has multiple variations. 

"Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants," Cifer Fang, Ford Quin, and Zhengyu Dong researchers at Trend Micro stated in a new report. "Since its discovery, the spyware has continuously beleaguered Google Play." 

Since being denounced until now, the malicious apps have continuously appeared on Google Play under different guises. For example, Daily Fitness OL is ostensibly a fitness app, but its main goal is to steal Facebook data. Once the application is launched, it will send a request to download the encryption configuration. When the user logs into Facebook, the application opens a WebView browser to load the URL from the downloaded profile. 

Subsequently, a piece of JavaScript code is embedded in the web page to get the login data. After the user is successfully logged into the account, the application collects the cookie, then encrypts all the personally identifiable information (PII) and sends it to the remote server. 

In addition, TrendMicro researchers unearthed 40 fake cryptocurrency miner apps that are variants of similar apps that they discovered in August 2021. The apps trick users into subscribing to paid services or clicking on advertisements. 

To mitigate the risks, users should carefully read reviews from people who have downloaded them before. However, this is also not the optimal solution because many applications will hire highly appreciated services, for example, Photo Gaming Puzzle is rated 4.5 stars, and Enjoy Photo Editor is rated 4.1 stars. Enjoy Photo Editor surpassed 100,000 downloads before Google kicked it out of PlayStore.

NCSC Warns Of Threats Posed By Malicious Apps

 

A new report by the UK's National Cyber Security Centre (NCSC) has alerted of the threats posed by malicious applications. While most people are familiar with apps downloaded to smartphones, they are also available on everything from smart TVs to smart speakers. 

The government is seeking input on new security and privacy guidelines for applications and app stores. Ian Levy, the NCSC's technical director, stated app stores could do more to improve security. Cybercriminals are currently exploiting vulnerabilities in app stores on all types of linked devices to cause harm,  as per Mr Levy. 

Android phone users downloaded apps containing the Triada and Escobar malware from various third-party app stores last year, according to the FBI.  "This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said.

The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (internet of things) devices". It includes an example of a security firm illustrating how it could construct a malicious app for a prominent fitness tracker that could be downloaded via a link that seemed legitimate because it used the company's web address. 

Spyware/stalkerware capable of stealing anything from location to personal body data was found in the app. After the security firm alerted the company, it proceeded to rectify the situation. 

 The thirst for applications grew during the pandemic, according to the NCSC research, with the UK app market currently valued at £18.6 billion ($23.2 billion). The government's proposal to ask app retailers to commit to a new code of practice outlining baseline security and privacy requirements is supported by the cyber-security centre. 

"Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government stated.

 A new code of practice would require retailers to set up procedures to find and repair security problems more quickly.

Trojanized Apps are Being Employed to Steal Cryptocurrency From iOS and Android Users

 

ESET, an antivirus manufacturer and internet security firm has unearthed and backtracked a sophisticated malicious cryptocurrency campaign that targets mobile devices using Android or iOS operating systems (iPhones). 

According to ESET, malware authors are distributing malicious apps via fake websites, mimicking legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Subsequently, attackers use ads placed on legitimate websites with misleading articles to promote the fake websites that distribute these malicious wallet apps. 

Additionally, intermediaries have been recruited via Telegram and Facebook groups, in an attempt to trick unsuspecting visitors into downloading the malicious apps. While the primary motive of the campaign is to exfiltrate users' funds, ESET researchers have mainly noticed Chinese users being targeted but with cryptocurrencies becoming more popular, the firm's researchers expect the methodologies used in it to spread to other markets. 

The campaign tracked since May 2021, seems to be controlled by a single criminal group. The malicious cryptocurrency wallet apps are designed in such a manner that they replicate the same functionality of their original counterparts, while also incorporating malicious code changes that enable the theft of crypto assets. 

"These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers' server using an unsecured HTTP connection," Lukáš Štefanko, senior malware researcher at ESET stated. "This means that victims' funds could be stolen not only by the operator of this scheme but also by a different attacker eavesdropping on the same network." 

The Slovak cybersecurity firm said it also uncovered dozens of groups promoting malicious apps on the Telegram messaging app that were, in turn, shared on at least 56 Facebook groups in hopes of landing new distribution partners for the fraudulent campaign. 

The investigation also showed that there are 13 unearthed applications that masquerade as the Jxx Liberty Waller on the Google Play store, all of which have since been removed from the Android app marketplace. However, before the takedown in January, these applications were installed more than 1100 times. "Their goal was simply to tease out the user's recovery seed phrase and send it either to the attackers' server or to a secret Telegram chat group," Štefanko concluded.