Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Android Trojan. Show all posts
WhatsApp Security
Albiriox Android Trojan malware User Privacy WhatsApp Security

Android Users Face New WhatsApp Malware Threat

 

Cybersecurity researchers at security firm Cleafy have issued a warning regarding a high risk malware campaign aimed at Android users via WhatsApp messages that could jeopardize users' cryptocurrency wallets and bank information. The researchers tracked the threat as Albiriox, a new emerging Android malware family being marketed as malware-as-a-service (MaaS) on underground cybercrime forums. 

Modus operandi 

The malware propagate through WhatsApp messages which include links to malicious websites that impersonate Google Play Store pages. Currently, they are impersonating a popular discount retail app, but this could quickly change both in terms of campaigns and targets. Rather than having the app delivered directly, victims are persuaded to submit their phone number, on the premise that an installation link will be sent to them on WhatsApp. 

After users tap on and download the trojanised app, Albiriox is able to take full control of the compromised device. The malware overlays attacks on more than 400 cryptocurrency wallet and banking apps — displaying fake login screens on top of the legitimate apps to capture credentials as users input them. 

Albiriox is an advanced, rapidly evolving malware. The malware also features Vnc-based remote access, which gives the attackers the ability to directly control the infected machines. Initially, campaigns were targeted at Austrian citizens with German-language messages, but is now broadening its reach. The malware is obfuscated with JSONPacker and also it tricks users into allowing the "Install Unknown Apps" permission. When it is running, it contacts its command servers through unencrypted TCP and stays on the bot forever, maintaining active control through a regular series of ping-pong heartbeat messages. 

Mitigation tips

Security experts emphasize that users should never agree to install apps through phone number submission on websites. Any WhatsApp messages requesting app installations should be immediately deleted without clicking links. This distribution method represents exactly why Google is strengthening measures against sideloading, requiring app developers to register and verify their identities.

Cleafy highlights that Albiriox demonstrates the ongoing evolution and increasing sophistication of mobile banking threats. However, users can protect themselves effectively by following several key practices: only install apps from the official Google Play Store, ensure Play Protect is activated, and remain skeptical of any unsolicited installation requests received through messaging apps. 

The campaign highlights broader security concerns affecting WhatsApp and similar platforms, particularly as attackers combine social engineering with technical malware capabilities to compromise both devices and accounts.
Read more »
WhatsApp
Android Trojan Encrypted Chats malware Signal Sturnus WhatsApp

New Android Malware ‘Sturnus’ Bypasses Encrypted Messaging Protections

 

Researchers at MTI Security have unearthed a particularly advanced strain of Android malware called Sturnus, which threatens to compromise the data and security of mobile phone owners. The malware reportedly employs advanced interception techniques to capture data and circumvent even the best application-level encryption, making the security features of popular messaging apps like WhatsApp, Telegram and Signal pointless. 

The Sturnus malware does not need to crack encryption, according to MTI. Instead, it uses a sophisticated trick: the malware takes a screenshot once the messages have been decrypted for viewing.By exploiting a device’s ability to read the on-screen contents in real time, Sturnus can steal private message texts without leaving a trace. This means that scammers can access sensitive chats, and potentially collect personally identifiable information (PII) or financial data if shared in secure chats. 

In addition to message interception, Sturnus employs complex social engineering to steal credentials. The malware is capable to display fake login screens that looks like real banking apps, and can be very convincing. Users can inadvertently provide their information to the hackers if they use their login details on these fake sites. 

Sturnus can also simulate an Android system update screen, making the victim believe a normal update is being installed while malicious operations take place in the background. Perhaps most disturbingly, the researchers warn that Sturnus can also increase its privileges by tracking unlock attempts and recording device passwords or PINs. This allows the malware to gain root access which lets the attackers prevent the victims from removing the malicious code or regaining control of their devices. 

The majority of Sturnus infections detected so far are positively grouped in Southern and Central Europe, according to surveillance and analysis by the cybersecurity firm Threat Fabric. Such a restricted geography suggests that threat actors are still experimenting with the capabilities of the malware and the way it operates before potentially launching a worldwide campaign. 

Experts recommend users of Android to be cautious, refrain from downloading apps from unknown sources and be wary when asked accessibility or overlay permissions to apps they don’t know. But with its progress, Sturnus also exhibits the increasing complexity of Android malware and the difficulty in keeping users safe in a landscape of continuously evolving mobile threats.
Read more »
User Security
Android Trojan Banking Malware Data Privacy Mobile Security User Security

TrickMo Android Trojan Abuses Accessibility Services for On-Device Financial Scam

 

Cybersecurity experts discovered a new form of the TrickMo banking trojan, which now includes advanced evasion strategies and the ability to create fraudulent login screens and steal banking credentials. 

This sophisticated malware employs malicious ZIP files and JSONPacker to obstruct analysis and detection efforts. TrickMo, discovered by CERT-Bund in September 2019, has a history of targeting Android smartphones, with a special focus on German users, in order to acquire one-time passwords (OTPs) and other two-factor authentication (2FA) credentials for financial fraud. The trojan is believed to be the work of the now-defunct TrickBot e-crime gang, which is known for constantly enhancing its obfuscation and anti-analysis features. 

Screen recording, keystroke logging, SMS and photo harvesting, remote control for on-device fraud, and exploiting Android's accessibility services API for HTML overlay attacks and device gestures are some of the main capabilities of the TrickMo version. In addition, the malware could automatically accept permissions, handle notifications to steal or conceal login codes, and intercept SMS messages.

A malicious dropper app that mimics the Google Chrome web browser is used to spread the malware. Users are prompted to upgrade Google Play Services upon installation. In the case that the user agrees, an APK with the TrickMo payload is downloaded and set up pretending to be "Google Services." Next, the user is prompted to allow this program to use accessibility features, which gives them full control over the device. 

TrickMo can use accessibility services to disable critical security features, stop system upgrades, and hinder app uninstallation. Misconfigurations in the malware's command-and-control (C2) server made 12 GB of sensitive data, including credentials and photos, available without authentication. 

This exposed data is vulnerable to exploitation by other threat actors for identity theft, unauthorised account access, financial transfers, and fraudulent transactions. The security breakdown highlights a severe operational security failure by the threat actors, increasing the risk to victims. The exposed private data can be utilised to create convincing phishing emails, resulting in additional information disclosure or malicious acts.
Read more »
malware
Android Trojan Authentication Bypass Biometric Security Data Privacy malware

New Chameleon Android Trojan Can Bypass Biometric Security

 

A brand new variant of the Chameleon Android malware has been discovered in the wild, featuring new characteristics, the most notable of which is the ability to bypass fingerprint locks.

The Chameleon Android banking malware first appeared in early 2023, primarily targeting mobile banking apps in Australia and Poland, but it has since propagated to other countries, including the UK and Italy. The trojan employs multiple loggers but has limited functionality. 

Earlier versions of Chameleon could perform actions on the victim's behalf, allowing those behind the malware to carry out account and device takeover attacks. Chameleon has usually leveraged the Android Accessibility Service to extract sensitive data from endpoints and mount overlay attacks, ThreatFabric researchers explained.

The updated version, on the other hand, has two new features: the ability to circumvent biometric prompts and the ability to display an HTML page to allow accessibility service in devices that use Android 13's "Restricted Settings" feature. According to the researchers, the new Chameleon variant's complexity and adaptability have been enhanced, making it a more potent threat in the constantly evolving field of mobile banking trojans. 

The new Chameleon variation starts by determining whether the operating system is Android 13 or newer. If it is, the malware prompts the user to enable accessibility services, even guiding the user through the procedure.Once completed, the malware is able to perform unauthorised acts on the user's behalf. 

While this is a common feature across malware families, what makes this particular aspect intriguing is the ability to disrupt the targeted device's biometric processes and get around fingerprint locks.

The method uses the AccessibilityEvent system-level event for Android and the KeyguardManager application programming interface to determine the screen and keyguard state based on UI changes. Keyguard is an Android system component that controls security features on devices, including screen lock and authentication mechanisms. 

The malware assesses the state of the keyguard in terms of various locking techniques, such as pattern, PIN, or password. When specific requirements are met, the malware will use the AccessibilityEvent action to switch from biometric to PIN authentication. This gets around the biometric question, allowing the trojan to unlock the device whenever it wants. 

The method is believed to offer those behind the malware with two advantages: the ability to simplify the theft of PINs, passwords, or graphical keys by bypassing biometric data via keylogging functionalities, and the ability to open devices using previously acquired PINs or passwords.

“The emergence of the new Chameleon banking trojan is another example of the sophisticated and adaptive threat landscape within the Android ecosystem,” the researchers concluded. “Evolving from its earlier iteration, this variant demonstrates increased resilience and advanced new features.”
Read more »
User Security
Android Trojan APK Files Data Safety Malicious Apps Mobile Security User Security

Thousands of Malicious Android Apps are Employing Covert APKs to Bypass Security

 

To avoid malware detection, threat actors are employing Android Package (APK) files with unknown or unsupported compression algorithms.

That's according to findings from Zimperium, which discovered 3,300 artefacts using such compression algorithms in the wild. 71 of the discovered samples can be successfully loaded into the operating system. 

There is no evidence that the apps were ever available on the Google Play Store, implying that they were disseminated through alternative channels, most likely through untrustworthy app stores or social engineering to fool users into sideloading them. 

The APK files employ "a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analysed," security researcher Fernando Ortega explained. "In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method." 

The benefit of this approach is that it can withstand decompilation tools while still being installed on Android devices with operating systems older than Android 9 Pie. 

The Texas-based cybersecurity company claimed that after reading Joe Security's post on X (formerly Twitter) in June 2023 about an APK file that had this behaviour, it began its own investigation. 

There are two ways that Android packages can use the ZIP format: one without compression and the other with the DEFLATE algorithm. The key finding in this study is that APKs compressed using unsupported techniques cannot be installed on devices running Android versions lower than 9, while they may be used without issue on subsequent versions. 

Zimperium also found that malware developers intentionally corrupt APK files by giving them filenames longer than 256 characters and creating corrupt AndroidManifest.xml files to trigger analysis tools to crash. 

The revelation comes just after Google revealed how threat actors were using a method known as versioning to get around the Play Store's malware detections and target Android users. 

Safety measures 

Thankfully, there are several procedures you can take to safeguard your phone from malicious Android apps. The first and most significant piece of advice is to stay away from sideloading apps unless it is unavoidable. There are a few peculiar situations in which you might need to sideload an app for work or to make a certain product work, but other than that, you shouldn't install any apps from unknown sources. 

As a general guideline, you should only download apps from the Play Store or other authorised app shops like the Samsung Galaxy Store or Amazon Appstore. Sometimes malicious software does manage to slip through the gaps, which is why it pays to do your research before installing any new app by reading reviews and looking into the app's developers.
Read more »
Smartphone Keyboard
Android Trojan Cryptojacking malware Malware apps Smartphone Keyboard

Is Malware The Reason Your Smartphone Keyboard is Not Working?


A user is required to be utilizing a function keyboard if he wants to use a smartphone for social media posting, web browsing, or communication with a friend. 

Most problems, faced when a smartphone is not functioning properly, can be resolved by resetting the device, deleting the cache, or installing an alternative keyboard app. But, what if none of that is helpful?

Malware Might Cause Keyboard Malfunctions 

While Android phones are apparently more vulnerable to malwares than any iOS, iPhones as well are vulnerable. If your smartphone’s keyboard glitches, lags, takes a long time to display on the screen or does not respond when you hit the keys, your smartphone may be infected by malware. 

Smartphone keyboards may as well turn malfunctional due to malware since it generally affects the entire device. Malware may cause various issues, like overeating, lags and crashes, a decreased battery life, etc. A user’s personal data and privacy could also be compromised, depending on the kind of malware. 

Malware frequently utilizes a significant amount of computing power; this is what initially causes the performance issues. Since the operating system of your smartphone is impacted, the malware will ultimately affect all the programs installed in it, plus the default keyboard apps. 

What Types of Mobile Malware Would Cause Keyboard Issues? 

A Trojan horse, which is malware imposing as a legit program, is one of the examples. More such malwares may include adware (malware displaying unwanted advertisements), spyware (malware that records information without consent), worms (malicious programs replicating themselves), and cryptojackers.

Cryptojacking attack includes threat actor accessing a targeted device to mine cryptocurrency. Thus, if a smartphone is attacked by a cryptojacker, its processing power would be utilized in order to solve cryptographic equations and create virtual currency for someone else. This would ultimately make the keyboard glitch, resulting in a variety of performance difficulties. 

How to Remove Malware from Smartphones?

If a user suspects malware, that is responsible for affecting a keyboard, the initial caution he should take is by installing and programming an anti-virus software. There are numerous free anti-virus softwares available to users in all major app stores. Although not all would aid in removing the malicious program, they could be utilized to at least detect the malwares. 

Users may as well look out for any unfamiliar or suspicious apps on their phones if they do not remember installing the same. Since there is a good chance for these apps to be deploying malware on your phones. Thus, these apps must immediately be removed, followed by monitoring your device with an antivirus program. 

If none of this works, users are left with one option, i.e. master reset or factory reset. This would eventually restore the affected smartphone to its initial state when it was first powered up. However, this will lead your device to compromise its entire data, unless it is backed up somewhere so that you could retrieve it once the reset is successfully executed.  

Read more »
Malware apps
Android Applications Android Trojan Android.Spy.4498 malware Malware apps

New Malware Applications Gets 2 Million Downloads in Google Play


Android users should be cautious, since threat actors are increasingly using certain forms of trojan software, and consequently, two million malicious app installations on the Google Play store were reported. 

Once downloaded, the applications mentioned above might be able to download further apps to the victim's phone and even send the user prompt notifications to lead them to more mistakes. 

Here are the most recent malware app types to watch out for: 

What Is Android.Spy.4498? 

The largest malware groups in the last month (by far) were Android.Spy.4498 and Android.Spy.5106, Dr. Web antivirus discovers.

These applications are variations of a similar trojan and their purpose is to steal the contents of other app notifications on the device where the trojan has been download. These specific ones can also download new applications and ask users to install them as well, or they can display additional dialogue boxes. 

“This malicious [Android.Spy.4498 trojan] is capable of hijacking the contents of other apps’ notifications, which can cause leaks of confidential and sensitive data,” Dr. Web antivirus told. 

These trojans have reportedly been more successful than those that only offer "obnoxious advertising," according to Dr. Web. 

But, before you install a new utility app, consider it again because you do not want either type of infection.

The new malware applications are disguising themselves under different names, one of them went by the name "Fast Cleaner & Cooling Master" and claimed to be an OS optimization programme. Others include legitimate utility titles like “Volume,” “Music Equalizer,” “Bluetooth device auto-connect,” and the strangely lengthy title of “Bluetooth & Wi-Fi & USB driver.” These names appear to be intended to prey on less tech-savvy customers, who may just be looking for a way to plug into a USB port. 

How can You Avoid Downloading Android Malware? 

One of the most reliable ways to secure yourself from these scams is to refrain from downloading any apps that are not from a well-established brand, which only raises the winner-takes-all stakes that most apps today face. 

Other online safety measures a user can utilize include employing VPN or any antivirus software, but even these tools would turn unproductive to prevent the virus that you yourself have downloaded. It is thus better for any online user to just evade downloading any suspicious application.

Read more »
User Security
Android Trojan Antivirus Apps Mobile Security User Security

SharkBot Android Trojan Resurfaces On Google Play Store

 

Check Point researchers have unearthed multiple malicious Android apps on the Google Play Store posing as an antivirus applications to deploy the SharkBot Android trojan. 

The malicious banking trojan was initially spotted in November last year when it was only being deployed via third-party application stores. The primary motive was on initiating illegal money transfers via Automatic Transfer Systems (ATS) by auto-filling fields in authentic applications. 

Last month, NCC Group reported that multiple SharkBot droppers had infiltrated Google Play, all of which showed similar code and behavior. The first SharkBot dropper discovered in Google Play masqueraded as antivirus solutions. It was identified as a downgraded version of the trojan containing only minimum features, but capable of fetching and installing the full version at a later date. 

Apparently, on March 9th, Google removed four apps in question, and a few days after that, another SharkBot dropper was identified. The app was reported right away, so no installations for this one. The same happened on March 22 and 27. Those new droppers got removed from Google Play due to quick discovery. 

According to Check Point researchers, they identified a total of seven droppers in Google Play, published from developer accounts that were active in late 2021, and which had some of their applications removed from the store. However, these malicious apps have been already installed more than 15,000 times before the takedown from the store. 

Once installed on an Android device, SharkBot exploits Android's Accessibility Services permissions to present fake overlay windows on top of legitimate banking apps. Thus, when victims enter their usernames and passwords in the windows that mimic benign credential input forms, the stolen data is sent to a malicious server. 

“What is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like bio-metrics, while at the same time it also includes more classic features to steal user’s credentials,” NCC Group stated. 

The malicious Android trojan also employs geofencing features and bypassing techniques, which makes it unique from other mobile banking viruses. The particular features include ignoring the users from China. Romania, Russia, Ukraine, Belarus, India. The majority of victims reside in Italy and the United Kingdom.
Read more »
Subscribe to: Comments (Atom)