
Thousands of Malicious Android Apps are Employing Covert APKs to Bypass Security

 

To evade malware detection, threat actors are shipping Android Package (APK) files whose ZIP entries declare unknown or unsupported compression methods.

That's according to findings from Zimperium, which discovered 3,300 artefacts in the wild using such compression methods. 71 of the discovered samples can be loaded by the operating system without any problem.

There is no evidence that the apps were ever available on the Google Play Store, implying that they were disseminated through alternative channels, most likely through untrustworthy app stores or social engineering to fool users into sideloading them. 

The APK files employ "a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analysed," security researcher Fernando Ortega explained. "In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method." 

The benefit of this approach is that it defeats decompilation tools while the APK can still be installed on devices running Android 9 Pie or later.

The Texas-based cybersecurity company claimed that after reading Joe Security's post on X (formerly Twitter) in June 2023 about an APK file that had this behaviour, it began its own investigation. 

A valid Android package may store its ZIP entries in only two ways: uncompressed (STORED) or compressed with the DEFLATE algorithm. The key finding of this study is that APKs whose entries declare any other compression method cannot be installed on devices running Android versions lower than 9, while they install without issue on Android 9 and later.

Zimperium also found that malware developers deliberately corrupt APK files by using filenames longer than 256 characters and by shipping malformed AndroidManifest.xml files, both of which make analysis tools crash.
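The two archive-level tricks described above are easy to check for if you read the ZIP central directory yourself instead of trusting a ZIP library. The following is an example added to this page, not Zimperium's tooling: it builds a stand-in APK in memory, patches one entry's compression-method field to an arbitrary value (0x00FF, assumed here; any value other than 0 or 8 behaves the same for the check), adds an entry with a 300-character name, and then shows that the scanner flags both while Python's own zipfile module, like most analysis tools, refuses to extract the patched entry.

```python
"""Scan an APK (a ZIP file) for the two evasion tricks described above: an
entry whose compression method is neither STORED nor DEFLATE, and an entry
whose filename exceeds 256 characters.  Example code added to this page, not
Zimperium's tooling.  The sample APK is constructed in memory; BOGUS_METHOD is
an arbitrary stand-in for "a method no ZIP tool implements".
"""
import io
import struct
import zipfile

STORED, DEFLATED = 0, 8            # the only two methods a valid APK may use
KNOWN_METHODS = {STORED, DEFLATED}
BOGUS_METHOD = 0x00FF              # assumption: any value outside KNOWN_METHODS behaves alike

EOCD_SIG, CD_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
EOCD_FMT = "<IHHHHIIH"             # end-of-central-directory record, 22 bytes
CD_FMT = "<IHHHHHHIIIHHHHHII"      # central directory file header, 46 bytes


def central_directory(data):
    """Walk the central directory by hand; an odd method value must not make us bail out."""
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    eocd = struct.unpack_from(EOCD_FMT, data, eocd_at)
    n_total, cd_off = eocd[4], eocd[6]
    entries, pos = [], cd_off
    for _ in range(n_total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        f = struct.unpack_from(CD_FMT, data, pos)
        method, nlen, xlen, clen, lfh_off = f[4], f[10], f[11], f[12], f[16]
        entries.append({"name": bytes(data[pos + 46:pos + 46 + nlen]),
                        "method": method, "cd_offset": pos, "lfh_offset": lfh_off})
        pos += 46 + nlen + xlen + clen
    return entries


def set_method(data, name, method):
    """Rewrite one entry's compression-method field in both the central and local headers."""
    out = bytearray(data)
    for e in central_directory(out):
        if e["name"] == name:
            struct.pack_into("<H", out, e["cd_offset"] + 10, method)   # method sits at +10 in a CD header
            if out[e["lfh_offset"]:e["lfh_offset"] + 4] != LFH_SIG:
                raise ValueError("local file header signature missing")
            struct.pack_into("<H", out, e["lfh_offset"] + 8, method)   # and at +8 in a local header
            return bytes(out)
    raise KeyError(name)


def build_sample_apk(long_name=False):
    """Constructed stand-in for an APK: a manifest, a dex file and one resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(32), compress_type=zipfile.ZIP_STORED)
        zf.writestr("res/raw/data.bin", bytes(64), compress_type=zipfile.ZIP_STORED)
        if long_name:   # the >256-character filename trick
            zf.writestr("assets/" + "a" * 300, b"x", compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def craft_evasive_apk():
    """Apply both tricks from the report to the clean sample."""
    return set_method(build_sample_apk(long_name=True), b"classes.dex", BOGUS_METHOD)


def suspicious_entries(data, max_name_len=256):
    """Return (name, reasons) for every entry that uses either trick."""
    findings = []
    for e in central_directory(data):
        reasons = []
        if e["method"] not in KNOWN_METHODS:
            reasons.append("compression method 0x%04x is neither STORED nor DEFLATE" % e["method"])
        if len(e["name"]) > max_name_len:
            reasons.append("filename is %d bytes long" % len(e["name"]))
        if reasons:
            findings.append((e["name"].decode("utf-8", "replace"), reasons))
    return findings


def stdlib_can_extract(data, name):
    """What a generic tool does: Python's zipfile rejects an unknown method outright."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except NotImplementedError:
        return False


if __name__ == "__main__":
    apk = craft_evasive_apk()
    for name, reasons in suspicious_entries(apk):
        print(name[:40], "->", "; ".join(reasons))
    print("stdlib can extract classes.dex:", stdlib_can_extract(apk, "classes.dex"))
```

The scanner deliberately does not try to inflate anything: the point is that the central directory is readable even when the declared method is nonsense, so a triage tool that parses the headers itself keeps working where an extraction-based pipeline dies. Whether a given Android release installs such a file is a separate question the code does not model; the report's observation is that Android 9 and later do.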

The revelation comes just after Google revealed how threat actors were using a method known as versioning to get around the Play Store's malware detections and target Android users. 

Safety measures 

Thankfully, there are several steps you can take to safeguard your phone from malicious Android apps. The first and most important piece of advice is to avoid sideloading apps unless it is unavoidable. There are a few legitimate situations in which you might need to sideload an app for work or to make a particular product function, but otherwise you should not install apps from unknown sources.

As a general guideline, you should only download apps from the Play Store or other official app stores such as the Samsung Galaxy Store or Amazon Appstore. Malicious software does occasionally slip through, which is why it pays to do your research before installing any new app by reading reviews and looking into the app's developers.

FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

Cluster25 researchers have recently detected a new campaign by APT28, also known as FancyBear, a threat group attributed to the Russian GRU (Main Intelligence Directorate of the General Staff of the Russian Armed Forces). The group is using a code execution technique that relies on mouse movement over a hyperlink in a Microsoft PowerPoint file to deliver the Graphite malware.
 
According to the researchers, the campaign has been actively targeting organisations and individuals in the defence and government sectors of the European Union and Eastern European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor entices victims with a PowerPoint file purporting to come from the Organisation for Economic Co-operation and Development (OECD).
 
The file contains two slides with instructions in English and French on how to use the interpretation feature in Zoom. It also carries a hyperlink that, when the mouse pointer is moved over it, triggers a malicious PowerShell script; the script downloads a JPEG image that carries an encrypted DLL file.
 
The final payload is a Portable Executable (PE) variant of the Graphite malware, which lets the operator load further malware into system memory.
 
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications,” states Cluster25 in its published analysis.
 
Graphite is fileless malware that runs in memory only and is used by its operators to deliver post-exploitation frameworks such as Empire; its role is to let the attacker stage additional malware in memory without touching disk.
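A PowerPoint deck is an OOXML ZIP, so the hover-triggered "run program" link described above can be hunted for statically. The following is an example added to this page, not Cluster25's analysis code. It relies on two documented OOXML facts: PowerPoint serialises a "Run program" hyperlink as action="ppaction://program", and hover-triggered links use the <a:hlinkHover> (shape) or <a:hlinkMouseOver> (text run) element, with the command resolved through the slide's .rels part. The scanner also reports click-triggered run-program links, which go beyond the mouse-over case in the text. The two-slide sample deck and its command string are constructed inline and are not from any real sample.

```python
"""Flag PowerPoint hyperlinks whose action is 'run program', including the
hover-triggered (mouse-over) form.  Example code added to this page; not
Cluster25's tooling.  The sample deck and FAKE_CMD are constructed here.
"""
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "p": "http://schemas.openxmlformats.org/presentationml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
HOVER_TAGS = {"hlinkHover", "hlinkMouseOver"}   # fire on mouse-over (shape / text run)
LINK_TAGS = HOVER_TAGS | {"hlinkClick"}          # click-triggered links are checked too
RUN_PROGRAM = "ppaction://program"               # PowerPoint's "Run program" hyperlink action
FAKE_CMD = "powershell.exe -nop -w hidden -c PLACEHOLDER_SCRIPT"   # constructed placeholder


def _relationships(zf, part):
    """Map r:id -> Target for one slide via its _rels/<name>.rels part (empty if absent)."""
    folder, name = posixpath.split(part)
    rels = posixpath.join(folder, "_rels", name + ".rels")
    if rels not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels))
    return {r.get("Id"): r.get("Target", "")
            for r in root.iter("{%s}Relationship" % NS["rel"])}


def scan_pptx(data):
    """Return one finding per hyperlink whose action runs a program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = sorted(n for n in zf.namelist()
                        if n.startswith("ppt/slides/") and n.endswith(".xml"))
        for slide in slides:
            targets = _relationships(zf, slide)
            for el in ET.fromstring(zf.read(slide)).iter():
                tag = el.tag.rsplit("}", 1)[-1]           # strip the namespace
                if tag not in LINK_TAGS:
                    continue
                if not el.get("action", "").startswith(RUN_PROGRAM):
                    continue                              # ordinary navigation link
                rid = el.get("{%s}id" % NS["r"])
                findings.append({
                    "slide": slide,
                    "trigger": "hover" if tag in HOVER_TAGS else "click",
                    "target": targets.get(rid, "<unresolved>"),
                })
    return findings


def _slide_xml(link_xml, text):
    """Minimal PresentationML slide: one text run carrying the given hyperlink element."""
    return ('<p:sld xmlns:p="{p}" xmlns:a="{a}" xmlns:r="{r}"><p:cSld><p:spTree>'
            '<p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US">{link}</a:rPr>'
            '<a:t>{text}</a:t></a:r></a:p></p:txBody></p:sp>'
            '</p:spTree></p:cSld></p:sld>').format(link=link_xml, text=text, **NS)


def _rels_xml(target):
    """Relationship part mapping rId2 to an external hyperlink target."""
    return ('<Relationships xmlns="{rel}"><Relationship Id="rId2" Type="{r}/hyperlink" '
            'Target="{target}" TargetMode="External"/></Relationships>').format(target=target, **NS)


def build_sample_pptx():
    """Constructed deck: slide 1 runs FAKE_CMD on mouse-over, slide 2 is a normal web link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", _slide_xml(
            '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>', "Hover to translate"))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", _rels_xml(FAKE_CMD))
        zf.writestr("ppt/slides/slide2.xml", _slide_xml('<a:hlinkClick r:id="rId2"/>', "Read more"))
        zf.writestr("ppt/slides/_rels/slide2.xml.rels", _rels_xml("https://example.org/"))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_pptx(build_sample_pptx()):
        print("%s: %s-triggered run of %r" % (hit["slide"], hit["trigger"], hit["target"]))
```

Because the relationship target is where the command actually lives, a scanner that only greps slide XML for "ppaction://program" will see that something runs but not what; resolving r:id through the .rels part gives the command line to hand to the responder.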
 
 
According to Cluster25, file metadata indicates that the campaign was prepared between January and February 2022, while the URLs used in the attacks were active in August and September 2022.
 
With more groups attempting campaigns of this kind, government and private-sector organisations need stronger controls to prevent future breaches.

The Hacking Group 'ModifiedElephant' Remained Undetected

 

SentinelLabs researchers have documented a long-running campaign in which threat actors have targeted human rights activists, free speech advocates, academics and lawyers in India with commodity trojans delivered by spear-phishing since 2012. The group, tracked as ModifiedElephant, has been found planting 'incriminating evidence' on the devices of its targets.

"The goal for ModifiedElephant is long-term espionage which sometimes ends with the transmission of evidence – files that implicate the victim in criminal offenses – prior to conveniently synchronized arrests," stated Tom Hegel, a threat researcher at SentinelOne. According to the research, over the previous decade, ModifiedElephant hackers have been attacking their victims with spearphishing emails containing malicious file attachments, with their methods becoming more complex over time. 

Spear-phishing is the technique of sending victims emails that appear to come from a trusted source in order to get them to divulge sensitive information or install malware. ModifiedElephant usually uses infected files to deliver malware to its victims. The specific mechanism and content of the malicious files have varied over time; the timeline according to SentinelOne is given below: 
  • 2013 – The adversary sends malware as email attachments with fake double extensions (file.pdf.exe). 
  • 2015 – The group switches to password-protected RAR attachments containing legitimate lure documents that hide signs of malware execution. 
  • 2019 – ModifiedElephant begins hosting malware-distribution sites and abusing cloud hosting, moving from fake documents to malicious links.
  • 2020 – The attackers evade detection by using large RAR files (300 MB) that cause scanners to skip them.

According to SentinelOne, the lure documents frequently exploited CVE-2012-0158, CVE-2014-1761, CVE-2013-3906 and CVE-2015-1641, all vulnerabilities in Microsoft Office applications. 

ModifiedElephant has not been seen using any custom backdoors in its operational history, indicating that the group is not particularly sophisticated. NetWire and DarkComet, two publicly available remote access trojans widely used by lower-tier criminals, were the principal malware used in the campaigns. 

ModifiedElephant's Visual Basic keylogger has not changed since 2012 and has been freely available on hacking forums all that time. SentinelLabs notes that the tool no longer works on recent versions of Windows. The group's Android malware is likewise a commodity trojan delivered as an APK, luring users by posing as a news app or a secure messaging tool.

Android Devices being Targeted by Flubot

 

The National Cyber Security Centre of Finland (NCSC-FI) has issued a "severe alert" over a major campaign targeting the nation's Android users with the FluBot banking malware, delivered through text messages sent from already-infected devices. 

This is the second major FluBot campaign to hit Finland this year; an earlier wave spammed thousands of Finns a day by SMS from early June to mid-August 2021. Like its predecessor, the latest campaign uses a voicemail theme, urging recipients to click a link to retrieve a voicemail or a message from their mobile operator. 

Rather than a voicemail, the link leads to malicious websites that push APK installers for the FluBot banking trojan onto the victim's Android device. 

“According to our current estimate, approximately 70,000 messages have been sent in the last 24 hours. If the current campaign is as aggressive as the one in the summer, we expect the number of messages to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected," the Finnish National Cyber Security Centre said in the alert issued on Friday. 

"We managed to almost eliminate FluBot from Finland at the end of summer thanks to cooperation among the authorities and telecommunications operators. The currently active malware campaign is a new one because the previously implemented control measures are not effective," said NCSC-FI information security adviser Aino-Maria Väyrynen. 

Affected users should factory-reset their Android device to remove the malware. iOS users who click the link in a FluBot message are redirected to fraud and phishing websites instead of being prompted to install an app. 

Once installed, FluBot can read the contacts list and send spam texts to those contacts, read messages, steal card details and passwords as they are typed into apps, install other apps and perform other malicious actions. Android users who receive FluBot spam by SMS or email should not open the links or download any file they point to. 

The malware has also been found hosted on many other websites, where anyone may encounter it. Netcraft, an internet services provider, announced on Monday that it had identified nearly 10,000 websites distributing FluBot.

Android Malware BrazKing Makes a Comeback as a Stealthier Banking Trojan

 

The Android banking trojan BrazKing has returned, this time with dynamic banking overlays and a new implementation trick that lets it operate without requesting potentially dangerous permissions. IBM Trusteer researchers analysed a new sample found outside the Play Store, on sites that victims land on after receiving smishing (SMS phishing) messages. These HTTPS sites tell potential victims that their Android version is outdated and offer an APK that supposedly updates it to the latest version. 

The previous version of BrazKing used the accessibility service to see which app the user had opened; when it recognised the launch of a targeted banking app, it displayed an overlay fetched from a hardcoded URL on top of the real app. The new version instead sends on-screen content to the command-and-control (C2) server at regular intervals and lets the server decide whether a targeted app is in use. Credential grabbing is therefore initiated by the C2 server rather than by a decision made inside the malware. 

The added agility is that the attacker can choose whether or not to proceed based on the victim's IP address (Brazilian or not) or on whether the malware is running in an emulator, and can change what is returned. The target list can be changed at any time without modifying the malware.  

When it displays its overlay, BrazKing loads the fake screen's URL, received from the C2, into a WebView placed in a new window. (Android System WebView is what lets apps render web content in-app without the user leaving them.) Because the window is added from inside the accessibility service, BrazKing gives it the window type TYPE_ACCESSIBILITY_OVERLAY, which an accessibility service may create without holding the SYSTEM_ALERT_WINDOW permission; this is what lets the new version avoid asking for an additional dangerous permission. 

In the new version, internal resources are obfuscated by XORing them with a hardcoded key and then Base64-encoding the result. Analysts can reverse this in seconds, but it still helps the malware stay unnoticed once it is on the victim's device. If the user tries to uninstall the malware, it rapidly presses the 'Back' or 'Home' buttons to abort the action. 

The same technique is used when the user tries to open an antivirus app to scan for and remove the malware. As Android's security tightens, malware developers adapt quickly to deliver stealthier versions of their tools, as BrazKing's evolution shows.

Malware through PDF Attachments?





A recent malicious campaign delivers PDF documents as attachments to phishing messages in order to trick users into downloading a malicious Android executable (APK).

The PDFs use lures such as "To open this document, update the Adobe Reader" or "To unlock this document press below button" to grab the user's attention. When the user performs the requested click, a malicious APK is downloaded from a link embedded in the PDF; to keep up the pretence, the APK then downloads the genuine Adobe Reader.


The malware can also read contacts and browser bookmarks, log keystrokes and kill background processes.

It checks whether the phone is rooted and adjusts its behaviour accordingly, while gathering the device's longitude and latitude and tracking SMS notifications and call status, and it sends the collected information to attacker-controlled servers.


Users are therefore advised not to download applications from third-party app stores or from links sent by SMS or email, not to open messages or attachments from unknown sources, and to keep the 'Unknown Sources' setting disabled, since enabling it allows installation of applications from outside the official store.

Above all, keep the device's OS and mobile security application up to date.