
Microsoft Uncovers Major Security Flaw in Android Apps with Billions of Downloads

 

Microsoft recently made a troubling discovery regarding the security of numerous Android applications, including some of the most widely used ones, each boasting over 500 million installations. After uncovering a common security weakness, Microsoft promptly notified Google's Android security research team, prompting Google to release new guidance aimed at helping Android app developers identify and rectify the issue. 
 
Among the applications found to be vulnerable were Xiaomi Inc.'s File Manager, boasting over 1 billion installations, and WPS Office, with around 500 million downloads. Although Microsoft confirms that the vendors of these products have since addressed the issue, they caution that there may be other apps out there still susceptible to exploitation due to the same security flaw. 
 
The vulnerability in question pertains to Android applications that share files with other apps. To enable secure sharing, Android employs a feature known as "content provider," which essentially serves as an interface for managing and exposing an app's data to other installed applications on the device. 
 
However, Microsoft's research uncovered a significant oversight in many cases: when an Android app receives a file from another app, it often fails to adequately validate what it receives. Particularly concerning is the practice of using the filename supplied by the sending application to cache the received file within the receiving application's internal data directory. This oversight creates an opportunity for attackers to send a file with a malicious filename directly to a receiving app, without the user's knowledge or consent. 
 
Typical targets for such file sharing include email clients, messaging apps, networking apps, browsers, and file editors. If a malicious filename is received, the receiving app may unwittingly save and process the file under that name, triggering behaviour that can lead to compromise. 
 
The potential consequences vary depending on the specific implementation of the Android application. In some scenarios, attackers could exploit the vulnerability to overwrite an app's settings, leading to unauthorized communication with attacker-controlled servers or the theft of user authentication tokens and other sensitive data. In more severe cases, attackers could inject malicious code into a receiving app's native library, enabling arbitrary code execution. 
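The pattern described above, as an added illustration that is not Microsoft's or Google's code: a receiving app caches a file handed over through a content provider. The unsafe version uses the sender-supplied display name verbatim; the hardened version canonicalizes the target path, confirms it stays inside the app's cache directory, and otherwise falls back to a random name. The class name `SharedFileCache` and its helper methods are hypothetical; the Android APIs used (`ContentResolver.query`, `OpenableColumns.DISPLAY_NAME`, `openInputStream`, `getCacheDir`) are real.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.UUID;

// Added example, not code from the original article or from any vendor.
public final class SharedFileCache {

    private SharedFileCache() {}

    /** Reads the display name the sending app attached to the URI. This is untrusted input. */
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (idx >= 0) return c.getString(idx);
            }
        }
        return null;
    }

    /** UNSAFE: the sender's display name is used verbatim as a path under the cache directory. */
    static File cacheFileUnsafe(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File target = new File(ctx.getCacheDir(), name);
        copy(ctx.getContentResolver(), uri, target);
        return target;
    }

    /**
     * HARDENED: the resolved path must remain inside the cache directory; otherwise a
     * random name is used. The file content itself is still untrusted and must be
     * validated by whatever parses it next.
     */
    static File cacheFileSafe(Context ctx, Uri uri) throws IOException {
        File cacheDir = ctx.getCacheDir().getCanonicalFile();
        String name = queryDisplayName(ctx.getContentResolver(), uri);
        File target = chooseTarget(cacheDir, name);
        copy(ctx.getContentResolver(), uri, target);
        return target;
    }

    /** Pure path check, kept separate so it can be unit-tested without an Android device. */
    static File chooseTarget(File cacheDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            return new File(cacheDir, UUID.randomUUID().toString());
        }
        File candidate = new File(cacheDir, untrustedName).getCanonicalFile();
        // The canonical path must begin with the cache dir plus a separator, so that
        // ".." segments, absolute paths and sibling-directory prefixes are all rejected.
        String prefix = cacheDir.getPath() + File.separator;
        if (!candidate.getPath().startsWith(prefix)) {
            return new File(cacheDir, UUID.randomUUID().toString());
        }
        return candidate;
    }

    private static void copy(ContentResolver resolver, Uri uri, File target) throws IOException {
        try (InputStream in = resolver.openInputStream(uri);
             OutputStream out = new FileOutputStream(target)) {
            if (in == null) throw new IOException("Cannot open " + uri);
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        }
    }
}
```

Generating a random filename regardless of the display name, as in the fallback branch, is the simplest fix when the original name is not needed; the path check matters when the app must preserve it.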
 
Microsoft and Google have both offered guidance to developers on how to address this issue, emphasizing the importance of validating shared files and handling them securely. Meanwhile, end users can mitigate the risk by keeping their Android apps up to date and installing apps only from sources they trust.

Unused Apps Could Still be Tracking and Collecting User’s Data


While almost everyone in this era is glued to their smartphone for long hours, many aspects of the device remain a mystery to its owner. So how does one get to know one's phone?

Most users are still unaware that even when apps are not in use, the phone can still track and collect data. Fortunately, there is a way to prevent this from happening.

One may have ten, twenty or even thirty apps on their phones, and there is a possibility that many of these apps remain unused. 

In this regard, the cybersecurity firm Kaspersky warned that apps on a user's phone that are not being used could still be collecting data about the device owner.

A recently published memo from the company urged users to delete their old apps, stating: "You probably have apps on your smartphone that you haven't used in over a year. Or maybe even ones you've never opened at all. Not only do they take up your device's memory, but they can also slowly consume internet traffic and battery power."

The security memo continued: "And, most importantly, they clog up your interface and may continue to collect data about your smartphone - and you."

Although spring-cleaning a phone may not be high on anyone's priority list, that does not make it any less important. For users concerned about over-sharing their data, Kaspersky has shared a "one-day rule" to make removing unused apps easier. 

According to the experts, simply uninstalling one unused app each day will noticeably improve phone performance and free up storage space. In doing so, users regain control over how their data is used and prevent data harvesting.

To delete an app on the iPhone, find the app on the home screen, touch and hold its icon and tap "Remove App." Android users need to go to the Google Play Store, tap the profile icon in the top right, then Manage Apps and Devices > Manage, tap the name of the app to delete and then tap Uninstall.

Pre-installed apps that cannot be fully removed from the device can still be disabled, which stops them from running in the background and taking up unnecessary space on the screen.  

Taming Your Android: A Step-by-Step Guide to Restricting Background App Data

 


It is no secret that Android smartphones are the most popular devices among the younger generation because of the almost unlimited possibilities they offer. Unfortunately, beneath the polished surface of these devices lurk apps that are capable of devouring large amounts of data. They quietly eat away at a user's valuable data allowance, leaving the user in the dark about where it all goes. 

Certainly, smartphone users enjoy a rich experience thanks to the wide variety of features their mobile apps offer. There are hundreds of types of apps, ranging from games to photo and video editors, social media messengers, educational apps, music players, and many others. 

Users will need an Internet connection for most of these apps to give them the best experience, so they must use that data wisely. There is no doubt that data costs can add up quickly when users have several such apps on their devices since the software consumes a large amount of internet data as it runs. 

The best way to solve this problem is to restrict how much data specific apps are allowed to use, preventing data overload. 

Although Android devices are incredibly versatile and capable of handling a wide variety of tasks, they can drain a user's data plan quite quickly, which is a big problem. The most effective way to minimise the amount of data apps use is to limit their background data consumption, since some apps regularly consume a lot of data even when the user is not actively using them. 

The good news is that Android provides a means of stopping any app from using data in the background, so you should not be concerned. It may well be possible to simplify the process and increase your options through the use of third-party apps. 

Depending on the app, some settings are also available that allow you to limit how much data is used, including those that exchange media. By deactivating data-consuming actions like media auto-downloads on WhatsApp, for example, users can reduce the use of their data on the app.

To stop apps from using data in the background altogether, users can turn off their wireless connection completely. This comes with caveats, such as stopping all apps from using data and suppressing notifications about background updates for the duration, but it does eliminate the data cost. 

Limiting Background Data for All Applications

Restricting background data is also a way to extend the battery life of an Android device. Note that when background data is turned off, the device will not download app updates, sync with accounts, or check for new emails. 

In the end, perhaps the most important benefit of restricting background data is that it helps control the amount of cellular data being used. As a rule of thumb, limiting background data helps users with a limited data plan avoid exceeding their monthly allotment. 

Using the following steps, users can block apps from using background data on their Samsung, Google, OnePlus, or any other Android phone. While the basic steps are the same regardless of who made the phone, be aware that the menu names may differ between manufacturers. 

Swipe down from the top of the screen and tap the settings icon. 

To view data usage, go to either Network & Internet > Data usage or Connections > Data usage, depending on the manufacturer's menu layout. The top of that menu displays the amount of data used.

To find out how much data each app has been consuming recently, select the App data usage or Mobile data usage option. The list is usually sorted so that the apps consuming the most data appear first. 

Choose the app that consumes the most data from the list. Users will be able to view data usage statistics for that application, including usage statistics for background apps. 

The amount of data that YouTube consumes alone may surprise them. To turn off cellular data consumption for a specific app, tap on the app and turn off the Allow background data usage option. 

If the option allowing the app unrestricted data usage is still enabled, users should turn that off as well. 

While the device's Data Saver is active, the app is blocked from consuming mobile data. 

Data Usage Warnings and Limits

Setting a data warning and a usage limit on an Android device can help users avoid costly overage fees. 

When they reach the data warning limit, their device will notify them that they are close to exceeding their data plan. If users continue to use data after reaching the limit, their device will automatically restrict their data usage. 

This means that they may not be able to access certain features, such as streaming video or music, until their next billing cycle.

Users' Data is Stolen Through 1.5 million Android Apps


As part of an effort to help users understand what data an app collects before downloading it, Google Play introduced privacy-focused "nutrition labels" last year. However, researchers have found that malicious apps can circumvent the system and steal user data regardless. In a report released by Pradeo, a mobile cybersecurity company, analysts identified two such apps on Google Play. 

These spyware-laden apps sent data from users' Android devices to malicious servers based in China. According to the firm, more than ten lakh (one million) users globally are affected. The apps' download pages claim that they do not collect any data about the user. 

According to a report released by Google Play Store security analysts, two apps that appear to be file management apps but are in fact spyware have been discovered. 1.5 million Android users risk compromised privacy and security as a result. Users should remove these apps from their Android phones as quickly as possible. 

Pradeo, a leading mobile cybersecurity company, announced this week that the app File Recovery & Data Recovery has been flagged as malicious. Both apps come from the same developer and are programmed to launch without any action by the user. Sensitive user information is quietly sent to their servers in China.  

File Recovery & Data Recovery has been downloaded more than one million times. Screenshots of the respective Play Store pages in Pradeo's report show that File Manager was installed by about 500,000 people. 

As outlined in their blog post, after analysing both spyware apps, the researchers determined that both collected personal data from their targets and sent it to many servers located mainly in China. Both apps are considered malicious and a threat to users' privacy and security, which is an essential point to note. 

Data that has been stolen includes the following:

  1. Contact information, collected from the device itself and from connected accounts such as email and social media accounts. 
  2. Pictures, videos, and audio files saved on the device. 
  3. The user's current location, obtained by tracking the device. 
  4. The mobile country code, network provider name, and SIM provider code, among other values. 
  5. The operating system version number, which could help an attacker select vulnerabilities to exploit, as in the Pegasus spyware incident. 
  6. The model and brand of the targeted device. 

The apps may have a legitimate reason for gathering some of the information above, to ensure smooth performance and compatibility across devices. However, most of the information gathered is not required to manage files or recover data, and this company collects it secretly, without the user's consent. 

Moreover, Pradeo adds that the home screen icons of the two apps are hidden, making them harder to find and remove from the device. The apps can also misuse the permissions the user approved during installation, and they launch themselves in the background when the device restarts, without the user's knowledge. 

Pradeo speculates that the developer used emulators or install farms to inflate the apps' apparent popularity and create a false impression of trustworthiness. This hypothesis is supported by the small number of user reviews on the Play Store compared with the reported number of users. 

It is always recommended to check user reviews before installing an application, to pay attention to the permissions requested during installation, and to trust only applications created by reputable firms.

This whole incident serves as a stern reminder of the persistent cyber tug-of-war waged, with malicious actors constantly advancing their methods. Every user must exercise caution in this digital minefield, especially when downloading apps and navigating them. 

Do not forget to read the permissions of all apps before granting them access to the device as they will always ask for your permission. Further, your security software must be updated, and you should use a secure and complex password. Lastly, it is imperative to remain vigilant against phishing attempts and never click on suspicious links.

Google Mandates Easy Account Deletion for Android Apps


Google is implementing a new data policy for Android apps that includes an account deletion requirement, to provide users with more transparency and control over their data. 

The measure will compel app developers to offer users in-app deletion options while also allowing them to manage app data online. 

"For apps that enable app account creation, developers will soon need to provide an option to initiate account and data deletion from within the app and online," says Bethel Otuteye, senior director of product management for Android App Safety. "This web requirement, which you will link in your Data safety form, is especially important so that a user can request account and data deletion without having to reinstall an app." 

The goal for developers is to provide users with both an in-app path and a web link for requesting deletion of an app account and its associated data. App developers must delete all data related to the account whenever a user submits such a request. 

In addition to this, users will be provided with certain alternatives to selectively delete only portions of the data, such as activity history, images, or videos, instead of completely deleting their accounts. 

The decision was made as lawmakers and privacy groups intensified their scrutiny of Apple, Google, and mobile app developers due to concerns that they were profiling, gathering personal user data, and tracking mobile phone users without consent. 

On June 30, 2022, Apple imposed a similar policy on app makers in its App Store. Unlike Google, Apple does not require a web-based alternative for users to remove their accounts; it merely requires developers to provide an in-app path for account deletion. 

The announcement by Google on Thursday of related measures to prevent financial loan application apps from accessing mobile phone images, videos, contacts, geolocation information, and call logs aligns with Otuteye's tweet. On May 31, 2023, that regulation came into force. 

Changes May Take Time 

The policy will be enforced globally with a new set of rules from early 2024, Otuteye said. The first step, she says, will require developers to fill out a data deletion form provided by Google by December 7. Developers who need more time can appeal and extend the deadline to May 31, 2024. For now, Google only requires app developers to give users the option to request deletion of their data.   

Mozilla Research Lashes Out at Google Over ‘Misleading’ Privacy Labels on Leading Android Apps


An investigation by the Mozilla Foundation into the data safety labels and privacy policies on the Google Play Store has exposed severe loopholes that enable apps like Twitter, TikTok, and Facebook to give inaccurate or misleading information about how user data is shared. 

The study examined the 40 most downloaded Android apps on Google Play, 20 free and 20 paid, and found that nearly 80% of them disclose misleading or false information. 

The following findings were made by the Mozilla researchers: 

  • 16 of the 40 apps, including Facebook and Minecraft, had significant discrepancies between their data safety forms and privacy policies. 
  • 15 apps received the intermediate rating, “Need Improvement”, indicating some inconsistencies between the privacy policies and the Data Safety Form. YouTube, Google Maps, Gmail, Twitter, WhatsApp Messenger, and Instagram are among these applications. 
  • Only six of the 40 apps were granted the “OK” grade: Candy Crush Saga, Google Play Games, Subway Surfers, Stickman Legends Offline Games, Power Amp Full Version Unlocker, and League of Stickman: 2020 Ninja. 

Google’s Data Privacy Section 

Google launched its Data Safety section for the Play Store last year. It was introduced so that developers would provide a “complete and accurate declaration” of the information gathered by their apps, by filling out the Google Data Safety Form. 

Due to certain vulnerabilities in the safety form's honor-based system, such as ambiguous definitions for "collection" and "sharing," and the failure to require apps to report data shared with "service providers," Mozilla claims that these self-reported privacy labels may not accurately reflect what user data is actually being collected. 

In regards to Google’s Data Safety labels, Jen Caltrider, project lead at Mozilla says “Consumers care about privacy and want to make smart decisions when they download apps. Google’s Data Safety labels are supposed to help them do that[…]Unfortunately, they don’t. Instead, I’m worried they do more harm than good.” 

In one instance in the report, Mozilla notes that TikTok and Twitter both confirm that they do not share any user data with the third parties in their Data Safety Forms, despite stating that the data is shared with the third parties in their respective privacy policies. “When I see Data Safety labels stating that apps like Twitter or TikTok don’t share data with third parties it makes me angry because it is completely untrue. Of course, Twitter and TikTok share data with third parties[…]Consumers deserve better. Google must do better,” says Caltrider. 

In response to the claim, Google has been dismissing Mozilla’s study by deeming its grading system inefficient. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data safety labels, which inform users about the data that a specific app collects[…]The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information,” says a Google spokesperson. 

Apple has also been criticised for its developer-submitted privacy labels. A 2021 report from The Washington Post found that several iOS apps similarly disclose misleading information, with some apps falsely claiming that they do not collect, share, or track user data. 

To address these issues, Mozilla suggests that both Apple and Google adopt an overall, standardized data privacy system across all of their platforms. Mozilla also urges that major tech firms shoulder more responsibility and take enforcement action against apps that fail to give accurate information about data sharing. “Google Play Store’s misleading Data Safety labels give users a false sense of security[…]It’s time we have honest data safety labels to help us better protect our privacy,” says Caltrider.  

SpyNote Strikes: Android Spyware Targets Financial Establishments

 

Since at least October 2022, financial institutions have been targeted by a new version of Android malware called SpyNote, which combines spyware and banking trojan characteristics. 

"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions."

Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank are among the notable institutions impersonated by the malware. SpyNote (aka SpyMax) is feature-rich and comes with a slew of capabilities, including the ability to install arbitrary apps, collect SMS messages, calls, videos, and audio recordings, track GPS locations, and even thwart attempts to uninstall the app. 

It also mimics the behaviour of other banking malware by requesting access to accessibility services in order to extract two-factor authentication (2FA) codes from Google Authenticator and to record keystrokes and steal banking credentials.

SpyNote also includes features for stealing Facebook and Gmail passwords and capturing screen content via Android's MediaProjection API.

According to the Dutch security firm, the most recent SpyNote variant (dubbed SpyNote.C) is the first to target banking apps as well as other well-known apps such as Facebook and WhatsApp.

It is also known to pose as the official Google Play Store service and as generic applications ranging from wallpapers to productivity and gaming apps. The following is a list of some of the SpyNote artefacts, which are mostly delivered via smishing attacks:

  • Bank of America Confirmation (yps.eton.application)
  • BurlaNubank (com.appser.verapp)
  • Conversations_ (com.appser.verapp)
  • Current Activity (com.willme.topactivity)
  • Deutsche Bank Mobile (com.reporting.efficiency)
  • HSBC UK Mobile Banking (com.employ.mb)
  • Kotak Bank (splash.app.main)
  • Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)

SpyNote.C is estimated to have been bought by 87 different customers between August 2021 and October 2022 after its developer advertised it through a Telegram channel under the name CypherRat.

Nevertheless, the open-source availability of CypherRat in October 2022 has resulted in a significant rise in the number of samples detected in the wild, implying that several criminal groups are using the malware in their own campaigns.

ThreatFabric also stated that the original author has since begun work on a new spyware project codenamed CraxsRat, which will be available as a paid application with similar features.

"This development is not as common within the Android spyware ecosystem, but is extremely dangerous and shows the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and banking malware, due to the power that the abuse of accessibility services gives to criminals," the company said.

The findings come after a group of researchers demonstrated EarSpy, a novel attack against Android devices that infers audio conversations, indoor location, and touchscreen input by using the smartphone's built-in motion sensors and ear speaker as a side channel.

Alert! Check if you have these Android Malware Apps Installed With 10M+ Downloads

 

A fresh batch of harmful Android applications containing adware and malware that have been installed on almost 10 million mobile devices has been discovered on the Google Play Store. 

The apps pose as picture editors, virtual keyboards, system optimisers, wallpaper changers, and similar utilities. Their primary function, however, is to display invasive advertisements, subscribe users to premium services, and hijack victims' social network accounts. 

The Dr Web antivirus team discovered the dangerous applications and described them in a published study. Google has removed the great majority of the offending applications; however, three remained available for download via the Play Store at the time of writing. Anyone who installed any of these applications before they were removed from the Play Store will need to delete them manually from the device and run an antivirus scan to remove any leftovers. 

The latest dangerous Android applications

Dr Web found adware apps that are variations on existing families which first surfaced on the Google Play Store in May 2022. When installed, the applications ask for permission to draw overlay windows over any app and can add themselves to the battery saver's exclusion list, allowing them to keep running in the background even after the victim closes the app. Furthermore, they hide their app drawer icons or replace them with something resembling a core system component, such as "SIM Toolkit."

"This app "killed" my phone. It keep'd crashing , i couldn't even enter password to unlock phone and uninstall it. Eventually, I had to make a complete wipe out (factory reset), to regain phone. DO NOT , install this app !!!!," read a review of the app on the Google Play Store. 

Joker applications, which are infamous for incurring fraudulent charges on victims' mobile phones by subscribing them to premium services, are the second kind of harmful app spotted on the Play Store. Two of the featured applications, 'Water Reminder' and 'Yoga - For Beginner to Advanced,' have 100,000 and 50,000 downloads respectively in the Play Store. Both deliver the advertised functionality, but they also execute malicious operations in the background, interacting with hidden or out-of-focus WebView objects and charging consumers. 

Finally, Dr. Web identified two Facebook account stealers that are distributed through picture editing applications which apply cartoon effects to ordinary images. These applications are 'YouToon - AI Cartoon Effect' and 'Pista - Cartoon Photo Effect,' and they have been downloaded over 1.5 million times in the App Store. 

Android malware will always find a way into the Google Play Store, and apps can occasionally linger there for months, so users should not blindly trust any app. It is therefore critical to read user reviews and ratings, visit the developer's website, read the privacy policy, and pay close attention to the permissions requested during installation. 

Google's Safety Section Will Show What Android Apps Do With the User Data

Earlier this week, Google rolled out a new Data Safety section for Android apps on the Play Store, which lists the types of data an app collects and shares with third parties. Users have a right to know why their data is collected and whether the developer shares it with third parties. 

Users should also know how application developers protect user data once an app is downloaded. The transparency measure, modelled on Apple's Privacy Nutrition Labels, was first announced by Google in May 2021. 

The Data safety section will show up against all app listings on the digital storefront, presenting a unified view of what kind of data is getting collected, why it's being collected, and how it'll be used, also mentioning what data is shared with the third parties. Moreover, the labels may also show an app's security practices, for instance, data encryption in transit and if the user can ask for the data to be deleted. 

Additionally, it will validate these practices against security standards like Mobile Application Security Verification Standard (MASVS). The feature will probably be rolled out for all users, app developers can expect a deadline of 20 July 2022 to finalize the work and update the users if there is any change in the apps' functionality or data handling practices. 

Data Safety may face the same concerns Apple did, since it is built entirely on an honor system that relies on developers being honest and clear about what they will do with the data, rather than publishing inaccurate labels. 

Apple has since said it will audit labels for accuracy, to make sure they are dependable and do not give users false assurance about security. 

"Google, last year, had said that it intends to institute a mechanism in place that requires developers to furnish accurate information and that it will mandate them to fix misrepresentations should it identify instances of policy violations," reports The Hacker News.

Android Malware ‘FlyTrap’ Hacks Facebook Accounts

 

A newly discovered Android trojan has breached the Facebook accounts of over 10,000 people in at least 144 countries since March 2021, spreading through the Google Play Store and third-party application marketplaces. 

According to a report published by Zimperium's zLabs and shared with The Hacker News, the malware, dubbed "FlyTrap," is believed to be part of a family of trojans that use social engineering to compromise Facebook accounts as part of a session hijacking campaign planned and run by malicious actors operating out of Vietnam. 

Aazim Yaswant, a Zimperium malware researcher, noted that although the nine offending apps have been removed from Google Play, they are still available in third-party app stores, emphasizing the danger that sideloaded applications pose to mobile endpoints and user data. The nine apps are: 
1. GG Voucher (com.luxcarad.cardid) 
2. Vote European Football (com.gardenguides.plantingfree) 
3. GG Coupon Ads (com.free_coupon.gg_free_coupon) 
4. GG Voucher Ads (com.m_application.app_moi_6) 
5. GG Voucher (com.free.voucher) 
6. Chatfuel (com.ynsuper.chatfuel) 
7. Net Coupon (com.free_coupon.net_coupon) 
8. Net Coupon (com.movie.net_coupon) 
9. EURO 2021 Official (com.euro2021) 

The fraudulent applications claim to offer Netflix and Google AdWords coupon codes, as well as the chance to vote for favorite teams and players at UEFA EURO 2020, which took place between June 11 and July 11, 2021, but only if users log in with their Facebook accounts to vote or to obtain the coupon code or credits. 

Once a user logs in, the malware extracts the victim's Facebook ID, location, email address and IP address, along with the cookies and tokens linked to the account. This lets the attacker run disinformation campaigns using the victim's geolocation details, or spread the malware further through social engineering, such as sending personal messages containing links to the trojan. 

This is accomplished using a technique called JavaScript injection, in which the application loads the legitimate URL inside a WebView equipped with the capability to inject JavaScript code, and collects all the required information, such as cookies, user account credentials, location, and IP address, by inserting malicious [JavaScript] code, Yaswant stated. 

The stolen data is hosted on a command-and-control (C2) server, and security vulnerabilities in that server could be leveraged to leak the entire database of stolen session cookies to anyone on the internet, placing the victims at even greater risk. 

"Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure irrespective of the application used to log in," Yaswant further said. "The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda." 
 
On Monday, Zimperium's head of product marketing for endpoint security, Richard Melick, told Threatpost that Android users can reduce the risk of infection immediately by making sure they do not allow software from unknown sources to be installed. 

While most Android smartphones have the option turned off by default, social-engineering tactics are “highly effective in tricking users into allowing it,” he stated in an email. To turn off unknown sources on Android, go to Settings, then Security, and make sure the “Unknown sources” option is turned off. 

Users should also set up multi-factor authentication (MFA) for all social media accounts and, in general, be suspicious of apps that ask for more than they need, Melick advised.

Updated Joker Malware Floods into Android Apps

 

The Joker mobile malware is back on Google Play, with a surge in malicious Android apps concealing the billing-fraud software, according to researchers. It is also using new techniques to get past Google's app vetting process. 

Joker has hidden inside seemingly legitimate programs, including camera apps, games, messengers, picture editors, translators, and wallpapers, since 2017. Once installed, Joker apps silently simulate clicks and intercept SMS messages to sign victims up for unwanted paid premium services controlled by the attackers, a kind of billing fraud known as "fleeceware". 

Malicious Joker applications are widely available outside the official Google Play store, and they have been evading Google Play's safeguards since 2019, largely because the malware's developers constantly modify their approach. As a result, periodic waves of Joker infections have hit the official store, including two large outbreaks last year. 

Over 1,800 Android applications infected with Joker have been removed from Google Play in the past four years, according to Zimperium researchers. Since September, at least 1,000 new samples have been found in the newest wave, many of them making their way into the official store. 

According to a Zimperium analysis, “Malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores. While they are never long for life in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game.” 

According to Zimperium, the developers of the most recent versions of Joker, which first appeared in late 2020, are using legitimate developer techniques to “try and hide the actual intent of the payload from traditional, legacy-based mobile security toolsets,” which allows them to escape both device-based security and app store protections. 

One way they do this is with Flutter, a Google-developed open-source app development kit that lets developers build native apps for mobile, web, and desktop from a single codebase. The researchers explained, “Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies”. 

New techniques: 

Another anti-detection method recently adopted by Joker's operators, according to the research, is embedding the payload as a .DEX file that may be obfuscated in a variety of ways, such as being encrypted with a number or buried inside a picture via steganography. 

In the latter case, researchers say, the picture is sometimes stored in legitimate cloud repositories or on a remote command-and-control (C2) server. Other new behaviors include hiding C2 addresses behind URL shorteners and decrypting an offline payload using a mix of native libraries. 
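A small scanner for the "payload buried inside a picture" trick from the two preceding paragraphs, added here as an example that is not Zimperium's tooling or anything from the Joker analysis. It checks an APK for DEX headers inside non-code entries and for data appended after a PNG's IEND chunk; the sample APK, the stub DEX and the minimal PNG framing are constructed, and the scan cannot see a payload that is encrypted rather than appended in the clear.

```python
import io
import zipfile

# A DEX file begins with "dex\n" + three version digits + NUL, e.g. "dex\n035\0".
DEX_MAGIC = b"dex\n"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # zero-length IEND chunk with its CRC

def find_dex_headers(data: bytes) -> list:
    """Offsets of plausible DEX headers inside an arbitrary blob."""
    offsets, pos = [], data.find(DEX_MAGIC)
    while pos != -1:
        version = data[pos + 4:pos + 8]
        if len(version) == 4 and version[:3].isdigit() and version[3:4] == b"\x00":
            offsets.append(pos)
        pos = data.find(DEX_MAGIC, pos + 1)
    return offsets

def png_trailing_bytes(data: bytes) -> int:
    """Bytes after the IEND chunk; a well-formed PNG has none, so extra data is suspicious."""
    if not data.startswith(PNG_SIGNATURE):
        return 0
    end = data.find(PNG_IEND)
    return 0 if end == -1 else len(data) - (end + len(PNG_IEND))

def scan_apk(apk_bytes: bytes) -> dict:
    """Check every entry except the regular classes*.dex files for hidden DEX payloads."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                continue  # the app's real code, expected to be DEX
            blob = apk.read(name)
            headers, trailing = find_dex_headers(blob), png_trailing_bytes(blob)
            if headers or trailing:
                findings[name] = {"dex_offsets": headers, "png_trailing_bytes": trailing}
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample APK: a clean image plus one image with a DEX stub appended after IEND."""
    tiny_png = PNG_SIGNATURE + PNG_IEND          # not a renderable image, just the framing
    dex_stub = b"dex\n035\x00" + b"\x00" * 32    # header only, no real code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", dex_stub)
        apk.writestr("assets/logo.png", tiny_png)
        apk.writestr("assets/bg.png", tiny_png + dex_stub)
    return buf.getvalue()
```

Running `scan_apk(build_sample_apk())` reports only `assets/bg.png`, with the DEX header at offset 20 and 40 trailing bytes; a real triage would follow this with an entropy check on large image assets to catch the encrypted variant.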

The new samples also take further steps to stay hidden once a trojanized app is installed, according to researchers. “After successful installation, the application infected with Joker will run a scan using Google Play APIs to check the latest version of the app in Google Play Store,” researchers explained. 

“If there is no answer, the malware remains silent since it can be running on a dynamic analysis emulator. But if the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, then the C2s are contacted to download an updated version of the payload.” 

Consumers and enterprises alike at risk:

The apps are appearing in a variety of places, including Google Play and unauthorized third-party markets, as well as other legitimate channels, some for the first time. For example, Huawei's official Android app store, AppGallery, was recently found to be hosting Joker-infected apps. 

According to Doctor Web, those applications were downloaded to over 538,000 smartphones by unsuspecting users in April. 

Saryu Nayyar, CEO at Gurucul, said in an email, “Sadly, the Joker malware is no joke. And even more depressing, no dark knight is going to ride in to save users from these malicious apps. Users have to manually clean their devices of this pesky malware. The good news is that it appears the only damage is financial and likely temporary. Users who have been subscribed to premium mobile services as a result of this malware can request refunds for said services since the affected applications are known.” 

Earlier this year, Josh Bohls, CEO and founder at Inkscreen, said that Joker is an issue for businesses as well as individuals. “These malicious applications can find their way into the enterprise when an infected device is enrolled in a company’s bring-your-own-device (BYOD) program, and suddenly you have a new threat vector,” he said via email.

Beware of Android Apps While Giving Access to Your Mobile Data

 

Have you ever thought about privacy when granting app makers access to your contact list, camera, microphone, location, or calls on your Android phone? Or do security and privacy no longer matter, especially in the virtual world? 

According to CyberNews, apps in the health and fitness, communications, and productivity sections require the highest number of dangerous permissions on average. 

The most common request, made by 99% of top Android apps, is full network access and the ability to view network connections, which lets an app connect to the Internet; 72% of apps also asked for permission to view Wi-Fi connections.

Nearly 75% of apps ask to read external storage and to modify or delete it. Meanwhile, 36% of apps, such as photography, parenting, and dating apps, ask for permission to use the camera. Surprisingly, apps in the gaming, astrology, and personalization categories also ask for camera permissions. 

Have you guessed the percentage of apps that can record your conversations? If not, the answer is 21%: of the top 1,020 Android apps, nearly 215 ask for microphone access, especially apps in the finance, lifestyle, and wallpaper categories. 

When it comes to calling, nearly 80 of the 1,020 Android applications ask for permission to make direct calls. Fortunately, most of these apps were from categories like communication, business, and social media. More interesting is that even apps in the gaming, photography, and wallpaper categories require access to your contact list. You should think twice about granting contact-related access to apps that have no need for such information.

“It goes without saying that apps from any category might ask for dangerous permissions. For example, you’d expect a communication app to ask for access to your phone book and Android accounts, while a navigation app wouldn’t raise any eyebrows by asking to track your location,” says Vincentas Baubonis, CyberNews security researcher who analyzed the data. 
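A manifest audit built on the idea in the paragraphs above, that a permission is suspicious when it does not fit the app's category; this is an added example, not CyberNews' analysis tooling. The permission grouping and the per-category expectations are my own assumptions drawn from the text's examples, and the manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Grouping of the permissions the CyberNews figures above discuss (my own map, assumption;
# not Android's protectionLevel classification).
PERMISSION_GROUPS = {
    "android.permission.INTERNET": "network",
    "android.permission.ACCESS_NETWORK_STATE": "network",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
# Groups a category plausibly needs, modelled on the examples in the text (assumption).
EXPECTED_GROUPS = {
    "communication": {"network", "contacts", "phone", "microphone", "camera"},
    "navigation": {"network", "location"},
    "wallpapers": {"network", "storage"},
}

def declared_permissions(manifest_xml: str) -> list:
    """Permission names from every <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def audit_permissions(manifest_xml: str, category: str) -> dict:
    """Sort the manifest's permissions into expected / surprising for the app category."""
    expected = EXPECTED_GROUPS.get(category, {"network"})
    report = {"expected": [], "surprising": [], "ungrouped": []}
    for perm in declared_permissions(manifest_xml):
        group = PERMISSION_GROUPS.get(perm)
        if group is None:
            report["ungrouped"].append(perm)  # outside the page's categories; review manually
        elif group in expected:
            report["expected"].append(perm)
        else:
            report["surprising"].append(perm)
    return report

# Constructed manifest for a wallpaper app that also wants the camera, microphone and contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""
```

For the sample, `audit_permissions(SAMPLE_MANIFEST, "wallpapers")` lists the camera, microphone and contacts permissions as surprising, which matches the pattern the article singles out for wallpaper apps.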

Four basic steps to minimize the risk 

• Only grant permissions that make sense for the app. For example, if you give an app access to your microphone, it may be listening in, so be aware of what you are granting. 

• Try to install an app with all permissions disabled; you can still turn on the ones you want individually in the settings. 

• Download your apps from the Google Play Store, which identifies potentially dangerous apps. 

• Turn off your location settings, because a large amount of tracking comes from location data.