
Alert! Check if you have these Android Malware Apps Installed With 10M+ Downloads

A fresh batch of harmful Android applications containing adware and malware that have been installed on almost 10 million mobile devices has been discovered on the Google Play Store. 

The apps pose as picture editors, virtual keyboards, system optimizers, wallpaper changers, and similar utilities. Their primary functionality, however, is to display invasive advertisements, subscribe users to premium services, and hijack victims' social network accounts. 

The Dr. Web antivirus team discovered the dangerous applications and highlighted them in a published report. Google has removed the great majority of the listed applications; however, three remained available for download and installation via the Play Store at the time of writing. Anyone who installed any of these applications before they were removed from the Play Store will need to manually delete them from the device and run an antivirus check to remove any leftovers. 

The latest dangerous Android applications Dr. Web found are adware apps that are variations on existing families which first surfaced on the Google Play Store in May 2022. When installed, the applications ask for permission to overlay windows over any app and can add themselves to the battery saver's exclusion list, allowing them to keep running in the background even after the victim closes the app. Furthermore, they hide their app drawer icons or replace them with something resembling a core system component, such as "SIM Toolkit."

"This app 'killed' my phone. It kept crashing, I couldn't even enter my password to unlock the phone and uninstall it. Eventually, I had to do a complete wipe (factory reset) to regain the phone. DO NOT install this app!!!!" reads a review of the app on the Google Play Store. 

Joker applications, which are infamous for incurring fraudulent charges on victims' mobile phones by subscribing them to premium services, are the second kind of harmful app spotted on the Play Store. Two of the featured applications, 'Water Reminder' and 'Yoga - For Beginner to Advanced,' have 100,000 and 50,000 downloads, respectively, in the Play Store. Both deliver the claimed functionality, but they also execute malicious operations in the background, interacting with hidden or out-of-focus WebView objects and charging consumers. 

Finally, Dr. Web identified two Facebook account stealers that are distributed through picture editing applications which apply cartoon effects to ordinary images. These applications are 'YouToon - AI Cartoon Effect' and 'Pista - Cartoon Photo Effect,' and they have been downloaded over 1.5 million times in the App Store. 

Android malware will always find a way into the Google Play Store, and apps can occasionally linger there for months, so users should not blindly trust any app. It is therefore critical to read user reviews and ratings, visit the developer's website, read the privacy policy, and pay close attention to the permissions requested during installation. The apps identified in the Dr. Web report are: 
  • Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
  • Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
  • Photo Editor: Art Filters (gb.painnt.moonlightingnine)
  • Photo Editor - Design Maker (gb.twentynine.redaktoridea)
  • Photo Editor & Background Eraser (de.photoground.twentysixshot)
  • Photo & Exif Editor (de.xnano.photoexifeditornine)
  • Photo Editor - Filters Effects (de.hitopgop.sixtyeightgx)
  • Photo Filters & Effects (de.sixtyonecollice.cameraroll)
  • Photo Editor : Blur Image (de.instgang.fiftyggfife)
  • Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
  • Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
  • Neon Theme Keyboard (com.neonthemekeyboard.app)
  • Neon Theme - Android Keyboard (com.androidneonkeyboard.app)
  • Cashe Cleaner (com.cachecleanereasytool.app)
  • Fancy Charging (com.fancyanimatedbattery.app)
  • FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
  • Call Skins - Caller Themes (com.rockskinthemes.app)
  • Funny Caller (com.funnycallercustomtheme.app)
  • CallMe Phone Themes (com.callercallwallpaper.app)
  • InCall: Contact Background (com.mycallcustomcallscrean.app)
  • MyCall - Call Personalization (com.mycallcallpersonalization.app)
  • Caller Theme (com.caller.theme.slow)
  • Caller Theme (com.callertheme.firstref)
  • Funny Wallpapers - Live Screen (com.funnywallpapaerslive.app)
  • 4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)
  • NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)
  • Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)
  • Notes - reminders and lists (com.notesreminderslists.app)
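A quick way to act on the list above is to compare it against the packages actually installed on a device. The following script is an added example, not part of the Dr. Web report or the original post; it uses the package names listed above, a constructed sample in the shape of `adb shell pm list packages` output, and a hypothetical helper name `find_bad_packages`.

```shell
#!/bin/sh
# Package names from the Dr. Web list above (one per line).
BAD_PACKAGES='gb.artfilter.tenvarnist
de.nineergysh.quickarttwo
gb.painnt.moonlightingnine
gb.twentynine.redaktoridea
de.photoground.twentysixshot
de.xnano.photoexifeditornine
de.hitopgop.sixtyeightgx
de.sixtyonecollice.cameraroll
de.instgang.fiftyggfife
de.fiftyninecamera.rollredactor
gb.crazykey.sevenboard
com.neonthemekeyboard.app
com.androidneonkeyboard.app
com.cachecleanereasytool.app
com.fancyanimatedbattery.app
com.fastcleanercashecleaner.app
com.rockskinthemes.app
com.funnycallercustomtheme.app
com.callercallwallpaper.app
com.mycallcustomcallscrean.app
com.mycallcallpersonalization.app
com.caller.theme.slow
com.callertheme.firstref
com.funnywallpapaerslive.app
de.andromo.ssfiftylivesixcc
com.newscrean4dwallpapers.app
de.stockeighty.onewallpapers
com.notesreminderslists.app'

# Constructed sample in the shape of `adb shell pm list packages` output
# (two flagged packages plus two benign ones); replace with live output.
SAMPLE_PM_OUTPUT='package:com.android.settings
package:com.cachecleanereasytool.app
package:com.example.benign
package:gb.crazykey.sevenboard'

# Print each installed package that is on the BAD_PACKAGES list, one per line.
# Carriage returns are stripped because `adb shell` output often ends lines with CRLF.
find_bad_packages() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | sort -u |
    while IFS= read -r pkg; do
      if printf '%s\n' "$BAD_PACKAGES" | grep -qxF -- "$pkg"; then
        printf '%s\n' "$pkg"
      fi
    done
}

# Live check against a connected device (requires adb and USB debugging):
#   find_bad_packages "$(adb shell pm list packages)"
```

Any package the script prints should be uninstalled and the device scanned, as the report advises; other package lists, such as the FlyTrap apps further down this page, can be appended to BAD_PACKAGES in the same format.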

Google's Safety Section Will Show What Android Apps Do With the User Data

Earlier this week, Google rolled out a new Data Safety section for Android apps on the Play Store that lists the types of data an app collects and shares with third parties. Users have a right to know why their data is collected and whether the developer shares it with a third party. 

Users should also know how application developers protect user data once an app is downloaded. The transparency measure, modelled on Apple's Privacy Nutrition Labels, was first announced by Google in May 2021. 

The Data Safety section will appear on all app listings on the digital storefront, presenting a unified view of what kind of data is collected, why it is collected, and how it will be used, and noting what data is shared with third parties. The labels may also describe an app's security practices, for instance whether data is encrypted in transit and whether the user can ask for their data to be deleted. 

Additionally, it will validate these practices against security standards such as the Mobile Application Security Verification Standard (MASVS). The feature will probably be rolled out to all users; app developers have a deadline of 20 July 2022 to finalize the work and to update users if there is any change in an app's functionality or data handling practices. 

Data Safety may face the same concerns Apple did, as the system relies entirely on an honor system: it requires app developers to be honest and clear about what they will do with the data rather than listing inaccurate labels. 

Apple has since said that it will audit labels for authenticity and make sure they are dependable and do not give users false assurance about security. 

"Google, last year, had said that it intends to institute a mechanism in place that requires developers to furnish accurate information and that it will mandate them to fix misrepresentations should it identify instances of policy violations," reports The Hacker News.

Android Malware ‘FlyTrap’ Hacks Facebook Accounts

A new Android trojan has been found to have compromised the Facebook accounts of over 10,000 people in at least 144 countries since March 2021, spreading through the Google Play Store and other third-party application marketplaces. 

According to a report published by Zimperium's zLabs and shared with The Hacker News, the malware, termed "FlyTrap," is presumed to be a component of a family of trojans that use social engineering techniques to compromise Facebook accounts as part of a session hijacking campaign planned and executed by malicious actors operating out of Vietnam. 

Aazim Yaswant, a Zimperium malware researcher, noted that although the nine offending apps have been removed from Google Play, they are still available in third-party app stores, emphasizing the danger that sideloaded applications pose to mobile endpoints and user data. The apps are: 
1. GG Voucher (com.luxcarad.cardid) 
2. Vote European Football (com.gardenguides.plantingfree) 
3. GG Coupon Ads (com.free_coupon.gg_free_coupon) 
4. GG Voucher Ads (com.m_application.app_moi_6) 
5. GG Voucher (com.free.voucher) 
6. Chatfuel (com.ynsuper.chatfuel) 
7. Net Coupon (com.free_coupon.net_coupon) 
8. Net Coupon (com.movie.net_coupon) 
9. EURO 2021 Official (com.euro2021) 

The fraudulent applications claim to provide Netflix and Google AdWords coupon codes, as well as the option to vote for favorite teams and players at UEFA EURO 2020, which took place between June 11 and July 11, 2021, but only if users log in with their Facebook accounts to vote or to obtain the coupon code or credits. 

Once a user logs in, the malicious software can extract the victim's Facebook ID, location, email address, IP address, as well as the cookies and tokens linked with the profile, allowing the attacker to implement disinformation campaigns using the victim's geolocation details or spread the malware further via social engineering tactics such as sending personal messages including links to the trojan. 

This is accomplished by using a technique called JavaScript injection in which the application loads the legitimate URL inside a WebView equipped with the capability to inject JavaScript code and collects all the required information such as cookies, user account credentials, location, and IP address by inserting malicious [JavaScript] code, Yaswant stated. 

While the stolen data is hosted on a command-and-control (C2) server, security vulnerabilities in the C2 server itself could be leveraged to leak the whole database of stolen session cookies to anybody on the internet, placing the victims at even higher risk. 

"Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure irrespective of the application used to log in," Yaswant added. "The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda." 

On Monday, Zimperium's head of product marketing for endpoint security, Richard Melick, told Threatpost that Android users can reduce the risk of infection immediately by not allowing software from unknown sources to be installed. 

While most Android smartphones have the option turned off by default, social-engineering tactics are “highly effective in tricking users into allowing it,” he stated in an email. To turn off unknown sources on Android, open Settings, then Security, and make sure the “unknown sources” option is turned off. 

Users should also set up multi-factor authentication (MFA) for all social media accounts and, in general, be suspicious of grabby apps, Melick advised.

Updated Joker Malware Floods into Android Apps

The Joker mobile malware is back on Google Play, with a surge of malicious Android apps hiding the billing-fraud software, according to researchers. It is also employing new techniques to get past Google's app vetting process. 

Since 2017, Joker has been hiding inside seemingly genuine programs including camera apps, games, messengers, picture editors, translators, and wallpapers. Once installed, Joker applications discreetly simulate clicks and intercept SMS messages to sign victims up for unwanted, paid premium services controlled by the attackers, a kind of billing fraud known as "fleeceware". 

Malicious Joker applications are widely available outside of the official Google Play store, and they have been evading Google Play's safeguards since 2019, mostly because the malware developers constantly modify their attack approach. As a result, periodic waves of Joker infections have occurred within the official store, including two large outbreaks last year. 

Over 1,800 Android applications infected with Joker have been deleted from the Google Play market in the previous four years, according to Zimperium experts. Since September, at least 1,000 new samples have been discovered in the newest wave, with many of them making their way into the legitimate market. 

According to a Zimperium analysis, “Malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores. While they are never long for life in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game.” 

According to Zimperium, the developers of the most recent versions of Joker, which first appeared in late 2020, are using legitimate developer techniques to “try and hide the actual intent of the payload from traditional, legacy-based mobile security toolsets,” which allows them to escape both device-based security and app store protections. 

One way they accomplish this is Flutter, a Google-developed open-source app development kit that lets developers create native apps for mobile, web, and desktop from a single codebase. The researchers explained, “Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies”. 

New techniques: 

Another anti-detection method recently adopted by Joker's operators, according to the research, is embedding the payload as a .DEX file that may be obfuscated in a variety of ways, such as being encrypted with a number or hidden inside a picture via steganography. 

In the latter case, according to researchers, the picture is sometimes stored in legitimate cloud repositories or on a remote command-and-control (C2) server. Other new behaviors include hiding C2 addresses with URL shorteners and decrypting an offline payload using a mix of native libraries. 

The new samples also take further steps to remain covert when a trojanized program is loaded, according to researchers. “After successful installation, the application infected with Joker will run a scan using Google Play APIs to check the latest version of the app in Google Play Store,” researchers explained. 

“If there is no answer, the malware remains silent since it can be running on a dynamic analysis emulator. But if the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, then the C2s are contacted to download an updated version of the payload.” 

Consumers and enterprises alike at risk:

The apps are appearing in a variety of places, including Google Play and unauthorized third-party markets, as well as other legitimate channels, some for the first time. For example, Huawei's official Android app store, AppGallery, was recently found to be hosting Joker-infected apps. 

According to Doctor Web, the applications were downloaded to over 538,000 smartphones by unsuspecting users in April. 

Saryu Nayyar, CEO at Gurucul, stated in the email, “Sadly, the Joker malware is no joke. And even more depressing, no dark knight is going to ride in to save users from these malicious apps. Users have to manually clean their devices of this pesky malware. The good news is that it appears the only damage is financial and likely temporary. Users who have been subscribed to premium mobile services as a result of this malware can request refunds for said services since the affected applications are known.” 

Earlier this year, Josh Bohls, CEO and founder at Inkscreen, said that Joker is an issue for businesses as well as individuals. “These malicious applications can find their way into the enterprise when an infected device is enrolled in a company’s bring-your-own-device (BYOD) program, and suddenly you have a new threat vector,” he said via email.

Beware of Android Apps While Giving Access to Your Mobile Data

Have you ever thought about privacy when granting app makers access to your contact list, camera, microphone, location, and calls on your Android phone? Or do security and privacy no longer matter, especially in the virtual world? 

According to CyberNews, apps in the health and fitness, communications, and productivity sections require the highest number of dangerous permissions on average. 

The most common requirement, requested by 99% of top Android apps, is full network access and the ability to view network connections, which permits an app to connect to the Internet; 72% of apps asked for permission to view Wi-Fi connections.

Nearly 75% of apps ask to read external storage and to modify or delete it. Meanwhile, 36% of apps ask for permission to use your camera, including apps in categories such as photography, parenting, and dating. Surprisingly, apps in the gaming, astrology, and personalization categories also ask for camera permissions. 

Have you guessed the percentage of apps that can record your conversations? If not, the answer is 21%: out of the top 1020 Android apps, nearly 215 ask for microphone access, including apps in the finance, lifestyle, and wallpaper categories. 

When it comes to calling, nearly 80 of the 1020 Android applications ask for permission to make direct calls. Fortunately, most of these apps were from categories like communication, business, and social media. More surprisingly, even apps from the gaming, photography, and wallpaper categories request access to your contact list. You should think twice about giving contact-related access to apps that have no need for such information.

“It goes without saying that apps from any category might ask for dangerous permissions. For example, you’d expect a communication app to ask for access to your phone book and Android accounts, while a navigation app wouldn’t raise any eyebrows by asking to track your location,” says Vincentas Baubonis, CyberNews security researcher who analyzed the data. 

Four basic steps to minimize the risk 

• Only grant permissions that make sense for the app. For example, if you give an app access to your microphone, it may be listening in, so be aware of what you are giving it access to. 

• Install an app with all permissions denied; you can still turn on the ones you want individually in the settings. 

• Download your apps from the Google Play Store, which flags apps that are potentially dangerous. 

• Turn off your location setting, because a large amount of tracking comes from location data.
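A concrete way to apply these steps is to audit which of the sensitive permissions discussed above an installed app actually holds. The script below is an added example, not from CyberNews or the original post; it assumes the `adb shell dumpsys package <pkg>` output format shown in the constructed sample, and the helper name `granted_watched_permissions` is hypothetical.

```shell
#!/bin/sh
# Permissions from the categories the article highlights (camera, microphone,
# contacts, calls, location, storage, SMS). Constructed watch list for this example.
WATCHED_PERMISSIONS='android.permission.CAMERA
android.permission.RECORD_AUDIO
android.permission.READ_CONTACTS
android.permission.CALL_PHONE
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_EXTERNAL_STORAGE
android.permission.READ_SMS'

# Constructed excerpt in the shape of `adb shell dumpsys package <pkg>` output:
# install-time permissions are listed first, runtime permissions per user afterwards.
SAMPLE_DUMPSYS='  install permissions:
      android.permission.INTERNET: granted=true
  User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]'

# Print every watched permission that is currently granted in the given dumpsys text.
# Both install and runtime sections are scanned; only "granted=true" lines count.
granted_watched_permissions() {
  printf '%s\n' "$1" | tr -d '\r' |
    sed -n 's/^[[:space:]]*\(android\.permission\.[A-Z_]*\): granted=true.*/\1/p' |
    while IFS= read -r perm; do
      if printf '%s\n' "$WATCHED_PERMISSIONS" | grep -qxF -- "$perm"; then
        printf '%s\n' "$perm"
      fi
    done
}

# Live audit of one app on a connected device (requires adb and USB debugging):
#   granted_watched_permissions "$(adb shell dumpsys package com.example.someapp)"
```

Any permission printed for an app whose purpose does not call for it can be revoked in Settings, which is the first of the four steps above in practice.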