Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Play Store. Show all posts

Necro Malware Attacks Google Play Store, Again. Infects 11 Million Devices

Necro Malware Attacks Google Play Store, Again. Infects 11 Million Devices

A new variant of Necro malware loader was found on 11 million Android devices through Google Play in infected SDK supply chain attacks. The re-appearance of Necro malware is a sign of persistent flaws in popular app stores like Google. 

A recent report by Kaspersky suggests the latest version of Necro Trojan was deployed via infected advertising software development kits (SDK) used by Android game mods, authentic apps, and mod variants of famous software, such as Minecraft, Spotify, and WhatsApp. The blog covers key findings from the Kaspersky report, the techniques used by threat actors, and the impact on cybersecurity. 

What is Necro Trojan 

Aka Necro Python, the Necro Trojan is an advanced malware strain active since it first appeared. Malware can perform various malicious activities such as cryptocurrency mining, data theft, and installation of additional payloads. The recent version is more advanced, making it difficult to track and eliminate. 

Distribution of Necro Trojan

Users sometimes want premium or customized options that official versions don't have. But these unofficial mods, such as GB WhatsApp, Spotify+, and Insta Pro can contain malware. Traditionally, threat actors used these mods because they are distributed on unofficial sites that lack moderation. 

However, in the recent trend, experts discovered actors targeting official app stores via infected apps

In the latest case, Trojan authors abused both distribution vectors, a new variant of multi-stage Necro loader compromised modified versions of Spotify, Minecraft, and other famous apps in unofficial sources, and apps in Google Play. "The modular architecture gives the Trojan’s creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application,” said the report.

Key Findings

  • The downloaded payloads can display ads in invisible windows, and interact with them. They can also execute arbitrary DEX files, install download apps, open arbitrary links in invisible WebView windows and run JavaScript, run a tunnel via the victim's device, and subscribe to paid services. 
  • The new variant of the Necro loader uses obfuscation to escape detection. 
  • The loader deployed in the app uses steganography tactics to hide payloads 

HUMAN Team Shuts Down Major Mobile Ad Fraud Scheme

 


In a major development, the HUMAN Satori Threat Intelligence and Research Team has successfully dismantled a vast mobile advertising fraud operation known as "Konfety." This scheme, which generated billions of fake ad requests each day, was designed to deceive both users and advertisers on a large scale.

The Konfety scammers used a mobile advertising tool called CaramelAds to carry out their scheme. They created numerous fake apps, which appeared to be ordinary games on the Google Play Store. These apps were actually just a front for the fraud. The core of the scam involved "evil twin" apps—modified versions of CaramelAds that did not follow privacy regulations and were used to show fraudulent ads.

The fraudulent apps were designed to mimic genuine user activity. They displayed unwanted ads, opened websites without user consent, and used various tactics to create the illusion of legitimate traffic. This allowed the scammers to profit from fake ad views and clicks, deceiving both users and advertisers.

Upon discovering the fraud, the HUMAN team quickly implemented measures to block the fraudulent traffic. They flagged suspicious activity and worked with ad networks to stop the scam. In response, the fraudsters tried to shift their operations to other networks not protected by HUMAN, but their efforts were largely thwarted by HUMAN’s protective measures.

Google Play Protect was crucial in identifying and removing the fraudulent apps. Despite its efforts, the scale of the Konfety scheme highlighted the ongoing challenge of preventing such sophisticated scams. Google continues to monitor and protect users from these threats.

HUMAN’s team developed specific detection techniques for the Konfety scam and shared their findings with other security experts. This collaboration led to a significant reduction in fraudulent ad requests and enhanced overall security in digital advertising.

The successful shutdown of the Konfety fraud needs a heedful of vigilance and cooperation in the fight against online scams. HUMAN’s ongoing efforts to safeguard the integrity of digital advertising are essential as cybercriminals continue to evolve their tactics. This case highlights the need for constant vigilance and industry collaboration to maintain a secure online environment.




Google Introduces Badges to Identify Which VPN App has Passed a Security Audit


Google has recently confirmed that they will be introducing an Independent Security Review badge to identify Android VPN apps that have undergone an independent security assessment, taking into account the concerns of users regarding Android cybersecurity. 

The App Defense Alliance was launched last year, in collaboration between Google, ESET, Lookout, and Zimperium in order to tackle Play Store’s malware issues. The Alliance further launched the Mobile Application Security Assessment (MASA) audit. In order to inform customers that the applications they are installing on their phones have been created in accordance with industry mobile security and privacy minimal best practices, software developers can use this method to get their apps independently verified against a global security standard. 

The objective behind the review badge is that if app developers follow this method in order to mitigate any security flaw, it will make it more challenging for hackers to compromise users' devices and, as a result, the quality of apps across the ecosystem will improve.

Applications that have received this badge have successfully undergone a MASA audit. Moreover, in order to maintain the badge every year, app developers will have to go through an additional independent assessment.

Nataliya Stanetsky of the Android Security and Privacy Team states in a Google Security Blog post this week that, “While certification to baseline security standards does not imply that a product is free of vulnerabilities, the badge associated with these validated apps helps users see at-a-glance that a developer has prioritized security and privacy practices and committed to user safety.”

Now, when a user turns to Play Store in search for the best VPN, they will certainly see a banner at the top, leading then to the DATA Safety Section, for them to have a better understanding of the new badges. On clicking on the option ‘learn more,’ the user will further be directed to the App Validation Directory, "a centralized place to view all VPN apps that have been independently security reviewed."

"We've launched this banner beginning with VPN apps due to the sensitive and significant amount of user data these apps handle," Stanetsky explained.

"VPN providers such as NordVPN, Google One, ExpressVPN, and others have already undergone independent security testing and publicly declared the badge showing their good standing with the MASA program," she added. 

These Security Review badges is an effort by Google to make the Data Safety Section a one-stop shop for information on Play Store cybersecurity procedures. Additionally, you may get information on the kind of data that apps are gathering about you, why they are collecting it, and whether or not they are sharing it with outside parties.  

Users' Data is Stolen Through 1.5 million Android Apps


As part of an effort to help users gain a better understanding of what data an app collects before downloading it, Google Play introduced "nutrition labels" with a privacy-focused focus last year. However, researchers have found a way to work around the system and steal user data. This is done by inserting a way to avoid the system. In an article released by Pradeo, a mobile cybersecurity company, cybersecurity analysts discovered two apps on Google Play. 

These apps threatened to send data from users' Android devices to malicious servers based in China as a result of spyware According to the firm, more than ten lakh users globally are affected by spyware-laden applications. According to it, the app's download pages claim it will not collect data about you. 

According to a report released by Google Play Store security analysts, two apps that appear to be file management apps but are spyware have been discovered. 1.5 million Android users risk compromised privacy and security due to this vulnerability. Hence, you must remove these apps as quickly as possible from the latest Android phones that boast some of the most impressive features. 

A leading mobile cybersecurity company, Pradeo, which offers mobile security products, announced this week that its smartphone security app, File Recovery & Data Recovery, has been flagged as malicious. As both apps are produced by the same developer, they are programmed to launch without requiring the user to do anything. Their servers in China quietly store sensitive user information securely sent to them.  

More than one million downloads of File Recovery & Data Recovery have occurred. In Pradeo's report, screenshots of their respective Play Store pages showed that about 500,000 people installed File Manager, based on screenshots taken from the PANDEO website. 

As outlined in their blog post, after analyzing both spyware apps, the researchers determined that both collected personal data from their targets. They sent it to many servers located mainly in China. These apps are considered malicious by the majority of users and are said to threaten their privacy and security, which is an essential point to note. 

Data that has been stolen includes the following:

  1. Contact information is collected by the apps via the device itself and connected accounts, such as email and social media accounts. 
  2. Aside from pictures and audio files, the apps also collect videos and pictures saved on your device. 
  3. By tracking the user's location, spyware can retrieve his or her current position. 
  4. The system collects the mobile country code, network provider name, and SIM code of the SIM provider. This is among other variables. 
  5. There is a capture of the operating system version number. This could potentially be exploited by vulnerabilities similar to those in the Pegasus spyware incident, if one exploited them. 
  6. Spyware can record the model and brand of the device it targets. 

Even though the apps may have a legitimate reason for gathering some of the information above to ensure smooth performance and compatibility with any updated devices. However, most of the information gathered is not required to manage files or recover data. Unfortunately, this company collects data secretly without the user's consent. 

Moreover, Pradeo has added that the home screen icons of the two apps are hidden, so it will be harder to find them and remove them from your device. It is also possible for them to misuse the permissions the user approved during installation. They can restart the device and launch it in the background without the user's knowledge. 

Pradeo speculates that the company used emulators or install farms to create a false impression of trustworthiness to increase its popularity within the game industry. This hypothesis is supported by the fact that there are few user reviews on the Play Store. This is compared to the reported number of users who wrote reviews about the application on the Play Store. 

There is always a recommendation to check user reviews before installing an application. This is done by paying attention to the permissions requested when installing the application, and only trusting applications created by reputable firms.

This whole incident serves as a stern reminder of the persistent cyber tug-of-war waged, with malicious actors constantly advancing their methods. Every user must exercise caution in this digital minefield, especially when downloading apps and navigating them. 

Do not forget to read the permissions of all apps before granting them access to the device as they will always ask for your permission. Further, your security software must be updated, and you should use a secure and complex password. Lastly, it is imperative to remain vigilant against phishing attempts and never click on suspicious links.

Alert! Check if you have these Android Malware Apps Installed With 10M+ Downloads

 

A fresh batch of harmful Android applications containing adware and malware that have been installed on almost 10 million mobile devices has been discovered on the Google Play Store. 

The apps pretend to be picture editors, virtual keyboards, system optimizers, wallpaper changes, and other things. Their primary functionality, however, is to display invasive advertisements, subscribe users to premium services, and hijack victims' social network accounts. 

The Dr Web antivirus team discovered several dangerous applications, which they highlighted in a study published. Google has removed the great majority of the offered applications, however, three remain available for download and installation via the Play Store at the time of writing. Also, if anyone installed any of these applications before they were removed from the Play Store, then will need to manually delete them from the device and conduct an antivirus check to remove any leftovers. 

The latest dangerous Android applications Dr Web found adware apps that are variations on existing families that initially surfaced on the Google Play Store in May 2022. When the applications are installed, they ask for permission to overlay windows over any app and can add themselves to the battery saver's exclusion list, allowing them to run in the background even after the victim shuts the app. Furthermore, they hide their app drawer icons or replace them with anything resembling a fundamental system component, such as "SIM Toolkit."

"This app "killed" my phone. It keep'd crashing , i couldn't even enter password to unlock phone and uninstall it. Eventually, I had to make a complete wipe out (factory reset), to regain phone. DO NOT , install this app !!!!," read a review of the app on the Google Play Store. 

Joker applications, which are infamous for incurring false payments on victims' mobile phones by subscribing them to premium services, are the second kind of harmful apps spotted on the Play Store. Two of the featured applications, 'Water Reminder' and 'Yoga - For Beginner to Advanced,' have 100,000 and 50,000 downloads, respectively, in the Play Store. Both deliver the claimed functionality, but they also execute malicious operations in the background, interacting with unseen or out-of-focus WebView objects and charging consumers. 

Finally, Dr. Web identifies two Facebook account stealers that are disseminated through picture editing applications and use cartoon effects on ordinary images. These applications are 'YouToon - AI Cartoon Effect' and 'Pista - Cartoon Photo Effect,' and they have been downloaded over 1.5 million times in the App Store. 

Android malware will always find a way into the Google Play Store, and apps can occasionally linger there for months, so users should not blindly trust any app or no apps. As a result, it is critical to read user reviews and ratings, visit the developer's website, read the privacy policy, and pay close attention to the permissions sought during installation. 
  • Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
  • Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
  • Photo Editor: Art Filters (gb.painnt.moonlightingnine)
  • Photo Editor - Design Maker (gb.twentynine.redaktoridea)
  • Photo Editor & Background Eraser (de.photoground.twentysixshot)
  • Photo & Exif Editor (de.xnano.photoexifeditornine)
  • Photo Editor - Filters Effects (de.hitopgop.sixtyeightgx)
  • Photo Filters & Effects (de.sixtyonecollice.cameraroll)
  • Photo Editor : Blur Image (de.instgang.fiftyggfife)
  • Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
  • Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
  • Neon Theme Keyboard (com.neonthemekeyboard.app)
  • Neon Theme - Android Keyboard (com.androidneonkeyboard.app)
  • Cashe Cleaner (com.cachecleanereasytool.app)
  • Fancy Charging (com.fancyanimatedbattery.app)
  • FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
  • Call Skins - Caller Themes (com.rockskinthemes.app)
  • Funny Caller (com.funnycallercustomtheme.app)
  • CallMe Phone Themes (com.callercallwallpaper.app)
  • InCall: Contact Background (com.mycallcustomcallscrean.app)
  • MyCall - Call Personalization (com.mycallcallpersonalization.app)
  • Caller Theme (com.caller.theme.slow)
  • Caller Theme (com.callertheme.firstref)
  • Funny Wallpapers - Live Screen (com.funnywallpapaerslive.app)
  • 4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)
  • NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)
  • Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)
  • Notes - reminders and lists (com.notesreminderslists.app)

WAP Fraud: Google Play Store Removes Android Apps Infected With Joker Malware



Google has now eliminated 17 infected android apps from its google play store. These apps contained the "Joker" malware, according to the findings by experts Zscaler. Joker is among the most effective malware that attacks Android applications.

The malware is infamous in the cybersecurity industry, but it always finds a new way to access Google's play store applications. Joker uses new codes, execution techniques, and retrieving methods to trespass the play store. The malware is used for stealing personal chats, contact information, call logs, and device data. Joker also secretly subscribes to users for premium WAP (wireless application protocol) services.

The research team at Zscaler kept an eye on the Joker spyware and recently noticed that the malware was uploaded continuously on the Google play store. It immediately informed Google about the issue, and the latter removed the 17 WAP apps with Joker malware from Google play store.

The Joker is also known as Bread malware. These infected android apps were uploaded last month on Google play store; however, they couldn't do much damage. Until the experts found these apps, the users downloaded them 1,20,000 times.

The 17 apps found with Joker malware are:
  1. All Good PDF Scanner 
  2. Hummingbird PDF Converter - Photo to PDF 
  3. Blue Scanner 
  4. Paper Doc Scanner 
  5. Part Message 
  6. Desire Translate 
  7. Talent Photo Editor - Blur focus 
  8. Care Message 
  9. Meticulous Scanner 
  10. Style Photo Collage 
  11. One Sentence Translator - Multifunctional Translator 
  12. Private SMS 
  13. Direct Messenger 
  14. Tangram App Lock 
  15. Unique Keyboard - Fancy Fonts and Free Emoticons 
  16. Mint Leaf Message-Your Private Message 
  17. All Good PDF Scanner 
Although the play store has disabled the apps, the users who might have downloaded the apps need to uninstall them manually. The malware uses the 'dropping' technique to avoid getting caught and sneak into google play store.

"We recommend paying close attention to the permission list in the apps that you install on your Android device. Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page also helps identify compromised apps," says researchers from Zscaler.