Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Zimperium zLabs. Show all posts

Android Trojans are After Financial Apps With Over a Billion Downloads

 

The exploitation of financial apps by trojans has become prevalent, according to a report by Zimperium, a mobile security firm. Trojans are a type of malware that infects users' devices by posing as legitimate and trustworthy programs. The researchers looked at ten separate trojans that are currently active in the open and discovered that they target 639 financial Android apps when combined. 

Once they've infected a device, they leverage Accessibility services to take actions as the user, overlaying login pages on top of authentic banking and finance apps to steal login details, monitoring notifications to capture OTPs, and even carrying out on-device financial fraud. This is particularly concerning because, according to 2021 studies, three out of four Americans use banking applications to conduct their regular financial activities, offering a large target pool for these trojans.

The Google Play Store has slightly over 1 billion downloads of these mobile banking, investment, payment, and cryptocurrency apps combined. PhonePe, which is immensely popular in India and has 100 million downloads on the Play Store, is the targeted application with the most downloads. 

The popular bitcoin exchange software Binance has received 50 million downloads. Cash App is a mobile payment service that is available in the United States and the United Kingdom, with 50 million downloads on Google Play. Even though they don't provide traditional financial services, some banking Trojans target both of these. BBVA, a worldwide online banking platform with tens of millions of downloads, is the most widely marketed application. Seven of the ten most active banking trojans have been found to target this app. 

Additional trojans which were active during the first half of 2021 include the following: 

  • BianLian is a malware that targets Binance, BBVA, and several Turkish apps.
  • Cabassous is after clients from Barclays, CommBank, Halifax, Lloys, and Santander. 
  • Coper may take over accounts from BBVA, Caixa Bank, CommBank, and Santander. 
  • Barclays, Intensa, BancoPosta, and a slew of other Italian apps are among the targets of EventBot. This one uses Microsoft Word or Adobe Flash to hide its true identity. 
  • PayPal, Binance, Cash App, Barclays, BBVA, and CaixaBank may all be affected by the aforementioned Exobot. 
  • FluBot affected BBVA, Caixa, Santander, and several other Spanish apps. 
  • Medusa was a banking app that targeted BBVA, CaixaBank, Ziraat, and Turkish banks. 
  • Binance, BBVA, and Coinbase were all hit by Sharkbot. 
  • PhonePe, Binance, Barclays, Crypto.com, Postepay, Bank of America, Capital One, Citi Mobile, and Coinbase are among the companies targeted by Teabot. 
  • BBVA and a slew of other EU-specific bank apps are among those targeted by Xenomorph. 
The method utilized by these trojans would be that they each have a small target scope and different types of functionality for diverse goals. Because these trojans are concealed among programs available on Android's official app store, users should be cautious and avoid downloading apps from untrustworthy sources. One may take it a step further by using a provider like ExpressVPN.

105 million Android Devices were Infected with 'Dark Herring' Invoice Malware


Dark Herring malware was identified by a Zimperium research team, the campaign is estimated to be in the millions of dollars, in monthly increments of $15 per victim. Google has subsequently deleted all 470 fraudulent apps from Play Store, and the scam services have been shut down, however, any user who already has one of the apps loaded could be actively attacked in the future. The apps can also be found in third-party app shops. 

Direct carrier billing (DCB) is a mobile payment technique which adds payments for non-telecom services to a consumer's monthly phone bill. It is used by customers worldwide, particularly in underbanked countries. It's a tempting target for opponents. 

The Dark Herring's long-term success was based on AV anti-detection skills, widespread distribution via a large number of programs, code encryption, and the use of proxy as first-stage URLs.While none of the aforementioned features are novel or surprising, seeing it together in one software program is unusual for Android fraud. Furthermore, the actors used a complex infrastructure which has accepted communications from all 470 application users yet handled each one individually based on a unique identity. 

It has no malicious code in the installed software, but it does have a hard-coded encoded string which refers to a first-stage URL located on Amazon's CloudFront.The server's answer includes links to further JavaScript files housed on Amazon Web Services servers, which are downloaded to the infected device. 

The campaign was able to last so long because the malicious users presented viewers with the expected functionality, an attempt to remain installed on the victims' devices. The Dark Herring applications begin interacting with the authoritarian (C&C) server once it has been installed on a device to send over the victim's IP address, which is used to track the victim for a direct carrier invoicing subscription. 

The victim is sent to a geo-specific webpage, where the user is asked about personal details like phone numbers, ostensibly for verification purposes. However, the victim has no idea, of sending contact information to a subscription plan."The victim does not understand the impact of the crime right away," Zimperium explains, "and the chance of the theft extending for months before discovery is high, with hardly any remedy to get one's money back." 

Given Dark Herring's evident accomplishments, Zimperium believes it is unlikely, the cybersecurity community will hear from this criminal outfit again.

Protect Your Android Phones from Android 'System Update' Malware

 

Security researchers at Zimperium zLabs have discovered a new ‘sophisticated’ Android malware posing as a software update application. This malware becomes more lethal when it sits stealthily masqueraded as a system update.

Once the malware is downloaded on a device, the victim’s device is registered with the Firebase Command and Control (C2), upon which a hacker can send commands via Firebase messaging service to manage data theft. The process of data exfiltration starts once a condition is fulfilled, including the addition of a new mobile contact, app installation, or a receipt of an SMS text.

“When the victim is using Wi-Fi, all the stolen data from all the folders are sent to the C2, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C2,” security researcher at Zimperium zLabs stated.

According to a report by researchers at Zimperium, this malware has the capability of stealing your data once it is installed into your Android phone. Once in control, cybercriminals can record audio and phone calls, take photos, access WhatsApp texts, steal instant messenger texts, peer into GPS location data, examine the default browser’s bookmarks, search for files with specific extensions, inspect the clipboard data, the content of the notifications, steal SMS texts and call logs, list the downloaded applications and even extract device information. 

Security researchers have termed the malware as ‘FakeSysUpdate’ which is quite capable of concealing its source. Unfortunately, researchers have not detected the source of this malware but advised the Android users to remain vigilant regarding the content on their device. Frequently check for official updates, uninstall all the apps that you feel are necessary, and also avoid installing apps from a third-party source.

In an interview with TechCrunch, Shridhar Mittal, CEO of Zimperium zLabs stated that “it’s easily the most sophisticated attack we’ve seen…I think a lot of time and effort was spent on creating this app. We believe that there are other apps out there like this, and we are trying our very best to find them as soon as possible.”