Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Banking Trojan. Show all posts
WhatsApp Malware
Banking Trojan Cyber Threats Cybersecurity Data Breach Fileless Attack Financial Security Malware Campaign Social Engineering WhatsApp Malware

WhatsApp Worm Infects Devices and Compromises User Banking Information

 


There has been a troubling revelation in the cybersecurity community that cybercriminals continue to weaponise trusted digital ecosystems by deploying highly sophisticated malware campaigns that use WhatsApp's messaging platform to infiltrate users throughout Brazil, demonstrating that cybercriminals continue to use trusted digital ecosystems to their advantage. 

This large-scale operation, which was detected on September 29, 2025, exhibits unprecedented technical precision and social engineering skills, manipulating user trust in order to achieve rapid and silent propagation of the virus. There has been an increased use of WhatsApp Web by the attackers in attempts to propagate malicious LNK and ZIP files disguised as harmless attachments sent from compromised contacts. 

The attackers have chosen to send misleading messages that convincingly mimic genuine communication to lure their victims into execution. The moment that an unsuspecting recipient opens a file that contains malware on a desktop system, the malware stealthily executes a fileless infection chain, which is designed to steal credentials from financial institutions as well as cryptocurrency exchanges as they conduct their transactions. 

Researchers have determined that the campaign was linked to a broader operation known as "Water Saci," which shows a level of sophistication and scale not typically seen in regional cybercrime. There is evidence in the code of the malware, Maverick and Sorvepotel, that is code-like to the notorious Coyote Trojan, pointing to a new evolution of Brazilian cybercrime tools that target the thriving ecosystem of digital finance in the country. 

In contrast to typical attacks that are primarily focused on data theft and ransomware deployment, this particular operation places a high value on rapid self-propagation and wide infiltration. 

By cleverly leveraging social relationships, the infection process distributes malicious files through the accounts of already infected users to embed itself deeper into trusted networks as a result. It is estimated that over 400 corporate environments have already been compromised by this threat, and more than 1,000 endpoints have been affected, proving that the campaign's aggressive reach and operational efficiency are evident because command-and-control servers validate each download to ensure that it comes directly from the malware. 

Nevertheless, this technique complicates automated security analysis and network defence, making it significantly more difficult to detect and deter the threat. The malware was written primarily in Portuguese and distributed by localised URLs. As a result of its design, it suggests that a deliberate effort was made to target the individual consumer as well as corporate users in Brazil's rapidly growing cryptocurrency and financial sectors.

Besides the campaign's regional implications, this campaign serves as a stark reminder of the convergence that has been taking place in modern cyberattacks between social manipulation and advanced technical execution. 

With this new wave of WhatsApp-targeted malware exploiting trust, automation, and the interconnectedness of messaging platforms, people are witnessing a concerning shift in the cyber threat landscape, one where they can no longer assume the familiar is safe. It has been reported that the Sorvepotel malware has impacted many sectors throughout Brazil, not just individual users. The malware has penetrated a wide range of sectors throughout the country.

A Trend Micro cybersecurity researcher stated that public and government service organisations have been the most severely affected, followed by manufacturing, technology, education, and construction organisations. However, as attackers continue to refine and expand their tactics, other Latin American countries may soon have to face similar threats. 

Although the current campaign is focusing primarily on Brazil, experts warn that similar threats may soon impact other Latin American countries. There is no doubt that the Sovepotel infection chain is extremely deceptive. It spreads mainly through phishing messages sent via compromised contacts' WhatsApp accounts. It is common for these messages, which appear to come from trusted friends or colleagues, to contain malicious ZIP files, which appear as if they were legitimate files-such as receipts, budget documents, or health-related documents, written in Portuguese. 

These files are aimed at attracting enterprise users rather than casual mobile users, as they are urged to open them on desktop computers. Once the malware has been executed, it will spread automatically through WhatsApp Web, sending mass messages which will not only expedite its spread but will also lead to the suspension of infected accounts for excessive spam activity, as well as the spreading of the malware. 

Several researchers have noticed that, in addition to parallel phishing campaigns through email, attackers may also distribute ZIP files containing similar content from seemingly legitimate corporate addresses, increasing the likelihood of infection. There is already a substantial scale of operation, with over 400 customer environments reported as compromised, which is an indication that the worm has spread rapidly and is extremely effective in its operational aspects. 

By targeting Brazilian financial institutions and cryptocurrency exchanges, the group illustrates a deliberate effort to monetise itself by stealing credentials and gaining unauthorised access to financial resources, even though analysts warn that the same techniques can be adapted to other countries as well. Depending on the severity of the attack, financial consequences can range from immediate unauthorised withdrawals to long-term identity theft and the loss of a victim's reputation. 

Cybersecurity experts, for this reason, emphasise the need to adopt multilayered defence strategies. Educating users and organisations on how to keep them safe requires them to avoid suspicious links, even those shared by familiar contacts, as well as verify their authenticity by using alternative channels for communications. It is crucial to maintain an updated application base, enable two-factor authentication across financial and communication platforms, and keep reputable antivirus software in place to minimise exposure. 

Additionally, it is important to monitor financial accounts for unusual activity and conduct frequent data backups to prevent future losses. It is important to note that research indicates that awareness and education remain the best defences, as they ensure both individuals and organisations are prepared to recognise, resist, and report emerging social engineering threats as soon as they emerge, so they are not caught by surprise.

Based on the technical analysis of the campaign, people have discovered that the infection mechanism in the campaign was highly sophisticated and stealthy in order to evade detection and achieve persistence without leaving any traditional forensic evidence. During the first stage of infection, a victim receives a malicious ZIP archive through WhatsApp Web, which contains a malicious LNK file disguised as a legitimate document. 

These LNK files are often presented by generic names, or they are branded to resemble correspondence from a bank. In the accompanying Portuguese language message, the recipient is advised to open the file on a computer, as it specifies that "visualisations can be performed only on computers," and even suggests Chrome users select the "keep file" option due to the ZIP format of the file. 

When the LNK file has been executed, it launches cmd.exe with embedded commands that trigger a PowerShell script, which is responsible for contacting a remote command and control server via a PowerShell script. Using this server, each request is meticulously verified, allowing downloads only if the "User-Agent" header is detected to be unique to the PowerShell process. 

By doing so, the server effectively blocks unauthorised access and automated analysis attempts, blocking common attacks. Using PowerShell, the embedded .NET file will be decoded and executed as a live assembly by using byte-level manipulation, thereby making the infection completely fileless, because it will be performed entirely in memory.

It is quite hard to reverse engineer this initial loader because it is heavily obfuscated by controlling flow flattening, indirect function calls, and randomised naming conventions. A key part of the malware's function is to download and decrypt two encrypted shellcodes from the C2 server, authenticated by a cryptographic HMAC signature. 

The attacker's custom key — "MaverickZapBot2025SecretKey12345"— generates an API token that allows it to fetch these payloads only. Additionally, the campaign is further protected from external scrutiny by the custom key. 

The decrypted data contains a Doughnut-based loader that is responsible for initiating two distinct execution paths: the first delivers the “MaverickBanker” Trojan, while the second targets the WhatsApp infector module. Subsequent stages continue along this elaborate path. Secondary loaders are responsible for retrieving a .NET assembly named "Maverick.StageOne," a component that will download and execute the WhatsApp infector, a self-propagating component intended to hijack a victim's session and automate the delivery of messages, in an attempt to hijack their data. 

By using open-source automation tools like WPPConnect and Selenium browser drivers, this module can detect an active WhatsApp Web window and begin sending malicious files to the victim's contacts in order to maintain infection. During this stage in Brazilian culture, WhatsApp is referred to as the “ZAP,” a colloquial term referring to its localised development and social engineering techniques. 

Despite the multiple layers of obfuscation used in the malware, analysts have been able to reconstruct the malware's workflow, confirming that the malware has a modular structure, reuses shared functions, and intends to maintain a large-scale self-replication network across multiple interconnected networks, confirming its intent to be able to replicate itself. 

With an intricate combination of automation, encryption, and behavioural evasion, large-scale cybercrime operations are being carried out using everyday communication tools in a manner that represents a new frontier in weaponising these tools. A technical analysis of the Water Saci campaign has demonstrated that an advanced and meticulously engineered infrastructure was used to ensure persistence, propagation, and stealth of the campaign.

During the first stage of the PowerShell script, an Explorer process is secretly launched, which will be used to retrieve further payloads from multiple command-and-control (C2) servers, including the ones hosting zapgrande.com, expansiveuser.com, and sorvetenopote.com. As can be seen from embedded Portuguese-language comments embedded within the code, the threat actor intentionally attempted to weaken the system’s defences by executing commands in Microsoft Defender to disable User Account Control (UAC). 

As a result of the deliberate security modifications, the malware can perform privileged operations uninterrupted, creating an environment where subsequent payloads are not detected. In addition, the campaign delivers one of two distinct payloads, depending on the system profile of the victim: a legitimate Selenium browser automation framework, which is coupled with ChromeDriver, or the more destructive Maverick banking Trojan. 

A Selenium component is used to simulate active browser sessions, enabling attackers to hijack WhatsApp Web accounts for the purpose of distributing malicious files to new victims, leading to the propagation of the worm's self-propagation cycle. Maverick, on the other hand, focuses on credential theft, monitoring user browsing activity to determine how to gain access to Brazilian financial institutions and cryptocurrency exchanges before deploying additional. NET-based malwaretoo harvest sensitive information about their customers. 

Despite the fact that the campaign is quite adaptable to the dual payload mechanism, the researchers from Trend Micro point out that, combined with the campaign's ability to spread independently, this represents a significant escalation in regional cyber threats, and if left unchecked, can easily spread beyond Latin America. 

It is particularly challenging due to the campaign's worm-like nature: after the initial infection, the malware sends further malicious messages to the victim's WhatsApp contacts, creating a fast and exponential infection network based on the social trust that has been established. Because recipients are much more likely to open attachments from familiar sources, this strategy has a dramatic impact on the success rate of the malware. 

In an effort to make the world a more secure place, cybercriminals are increasingly exploiting widely used communication platforms to deliver fileless and evasive attacks, according to experts, which marks a significant change in the global threat landscape. WhatsApp is used extensively across Brazil for personal and professional purposes and is therefore a lucrative target for cybercriminals. Despite the growing threat, researchers have urged organisations to take proactive defensive measures to reduce risks.

It is recommended that administrators disable auto-downloads of media and documents on WhatsApp, implement firewall and endpoint policies restricting file transfers from personal applications, and enforce application whitelisting or containerization in BYOD environments to prevent malicious attacks. 

The importance of employee awareness programs cannot be overstated - users need to be trained in recognising and reporting suspicious attachments and links, even those sent by trusted contacts. Responding quickly to PowerShell execution alerts as well as maintaining updated endpoint security tools can help further contain infections in their earliest stages. 

Experts warn that to be able to fight these kinds of threats, companies must maintain vigilance, implement layers of defences, and foster an organisational culture that fosters awareness -- elements that have become increasingly important as malicious software that thrives on trust and connectivity spreads.

WhatsApp's "Water Saci" operation illustrates how cyber tactics are rapidly transforming the way people manage digital risk in everyday communication due to their rapid advancement. The attackers continue to exploit the familiarity of trusted platforms, so the user and organisation alike must adopt a more comprehensive protective framework that combines technology, awareness, and behavioural caution to protect themselves.

By implementing robust defences such as endpoint monitoring, adaptive threat detection, and strict file transfer controls, it may be possible to reduce exposure to such fileless and socially engineered threats. The reduction of infection rates can also be drastically reduced when the workplace culture is rooted in cybersecurity mindfulness-where verification precedes action.

The strategic collaboration between cybersecurity companies, financial institutions, and policy regulators will be crucial if people are to identify early signs of compromise and neutralise threats before they become a problem. It is important that individuals as well as organisations embed proactive vigilance and shared accountability as part of their digital habits, ensuring that trust in modern communication tools remains a strength instead of a weakness for both parties.

Read more »
Web3 security
Astaroth Trojan Banking Trojan Crypto Credential Theft cryptocurrency security Cyber Threats GitHub malware Malware Steganography Phishing Attack Web3 security

Astaroth Malware Adopts GitHub Infrastructure to Target Crypto Investors

 


A new attack is now underway involving the notorious Astaroth banking Trojan, a banking Trojan which is used to steal cryptocurrency credentials, and cybersecurity researchers at McAfee have discovered that this Trojan exploited the GitHub platform for distribution. This is a worrying revelation that emphasises the increasing sophistication of cybercrime. 

Known for its stealthy and persistent nature, the malware has evolved to make use of GitHub repositories as backup command-and-control centres whenever its primary servers are taken down, thus enabling it to continue operating even under takedown attempts on its primary servers.

A McAfee study found that the campaign is mostly spread through deceptive emails that lure unsuspecting recipients into downloading malicious Windows shortcuts (.lnk) files as a result of these emails. It is believed that the Astaroth malware is silently installed by the malicious executable files. Once these files are executed, they will deeply enslave the victim's system, as soon as they are executed. 

As the Trojan runs quietly in the background, it employs advanced keylogging techniques so that it can steal banking and cryptocurrency credentials, transmitting the stolen information to the attackers' remote infrastructure via the Ngrok reverse proxy. 

In this sophisticated approach, cybercriminals are increasingly utilising legitimate platforms such as GitHub to conceal their tracks, maintain persistence, and extend their reach in the digital finance ecosystem, thereby illustrating how hackers are using legitimate platforms to maintain persistence, conceal their tracks, and expand their reach. 

McAfee Threat Research's investigation revealed that this campaign represents a pivotal shift in the Astaroth Trojan's operational framework, signalling that malware has entered a new age when it comes to adaptability and resilience. A major improvement over its earlier versions is the fact that now the latest variant does not rely on traditional command-and-control (C2) servers to handle its operations. 

As a result, GitHub is using its trusted and legitimate infrastructure to host crucial malware configuration files, allowing it to keep operating even when law enforcement or cybersecurity experts take down its primary servers to maintain uninterrupted activity. Using this strategic transition, Astaroth will be able to dynamically restore its functionality as it draws updates directly from GitHub repositories. 

These attackers have inserted encrypted configuration data into seemingly harmless images uploaded to these repositories that appear harmless by using advanced steganography techniques. A hidden portion of these images contains crucial operational instructions, which the malware retrieves and updates every two hours to update its parameters and evade detection. 

Astaroth exploits GitHub in this way to turn a mainstream development platform into a covert, self-sustaining control system, one that is much more elusive and difficult to counter than traditional C2 systems, making it much easier to use. In their research, researchers identified a highly deceptive infection strategy used by the Astaroth Trojan, involving phishing emails that are constructed in such a way that they seem both genuine and convincing.

As a result of the messages, recipients are enticed to download a Windows shortcut (.lnk) file that, when executed, discreetly installs malware on the host computer. A silent data theft program by Astaroth, which operates quietly behind the scenes, harvests sensitive banking and cryptocurrency credentials from unsuspecting victims by utilising keylogging techniques. 

For the stolen data to reach the attackers, an intermediary channel between the infected device and the command infrastructure is established by the Ngrok reverse proxy, which acts as a proxy between the attackers and the infected device. There is one distinctive aspect of this particular campaign: its adaptability to maintain operational continuity by using GitHub repositories instead of hosting malicious payloads directly. 

As opposed to hosting malicious payloads directly, the attackers use GitHub to store configuration files that direct infected bots to active servers when law enforcement or cybersecurity experts dismantle primary command-and-control systems. According to Abhishek Karnik, McAfee's Director of Threat Research and Response, GitHub's role in the attack chain can be attributed to the fact that it hosts these configuration files, which, in turn, redirect the malware to its active control points, thus ensuring sustained operation despite efforts to remove it. 

A recent Astaroth campaign does not represent the first time the organisation has targeted Brazilian users, a region in which it has repeatedly carried out malicious activities. According to both Google and Trend Micro, similar clusters of activity were detected in 2024, coded PINEAPPLE and Water Makara, which spread the same Trojan through deceptive phishing campaigns. 

As in previous waves, the latest wave of infection follows a comparable infection chain, starting with a convincing phishing email with the DocuSign theme that tricks the recipient into downloading a compressed Windows shortcut (.lnk). When this file is downloaded and opened, it initiates an Astaroth installation process on the compromised system. 

Under the surface of the LNK file, a malicious script is hidden that obfuscates JavaScript, allowing it to retrieve further malicious scripts from an external source. By executing the AutoIt script, which downloads several components from randomly selected hard-coded domains, as well as an AutoIt script, further payloads are executed. 

It is believed that the Astaroth malware will be decrypted and injected into a newly created RegSvc.exe process as a result of this chain of execution, which culminates with the loading of a Delphi-based dynamic link library (DLL). Using the Delphi programming language, Astaroth constantly monitors browser activity, checks for open banking or cryptocurrency websites periodically, and also captures login credentials through keylogging. 

A reverse proxy, such as the Ngrok reverse proxy, facilitates the filtering of stolen credentials, ensuring that sensitive financial information is safely transmitted to the attackers and that immediate detection is avoided. In addition to having far-reaching implications for the cryptocurrency market and the broader digital economy, Astaroth's persistent threat carries far-reaching repercussions as well. Initially, this situation raised the vigilance of users and raised concerns about the reliability of digital asset security, which has increased the level of anxiety in the market.

Financial losses among affected individuals have intensified market anxiety, resulting in a dwindling of confidence among new participants, and thereby slowing adoption rates in the emerging digital finance space. Those kinds of incidents are expected to encourage the development of more stringent cybersecurity protocols on a long-term basis, resulting in exchanges, wallet providers, and blockchain-based businesses investing heavily in proactive defence mechanisms over the long run. 

In general, the market sentiment has remained cautious, as investors are wary of recurring attacks that threaten the perceived safety of cryptocurrencies. In addition to identifying the latest Astaroth campaign, McAfee's Advanced Threat Research team stepped in to report the malicious GitHub repositories that hosted its configuration promptly, as they played a crucial role in uncovering it. 

The collaborative efforts they made resulted in the removal of the repositories and the interruption of the malware's activities for a short period of time. As Director of Threat Research and Response at McAfee, Abhishek Karnik emphasised the widespread nature of the Trojan, particularly in Brazil, but acknowledged that it is still impossible to estimate how much money was stolen, especially in this country.

To reduce exposure, users should be vigilant, avoid opening unsolicited attachments, maintain updated security software, and use two-factor authentication to minimise vulnerability. It should be noted that the resurgence of Astaroth has highlighted a growing class of cyber threats aimed at the rapidly expanding Web3 ecosystem as a whole. 

According to industry experts, the industry's resilience will become increasingly dependent upon robust safeguards such as smart contract audits, decentralised identity frameworks, and cross-industry intelligence sharing as decentralised finance and blockchain applications mature and mature. In their opinion, improving security is a vital component of preventing breaches of data, but it is also essential to restore and sustain user trust. 

While regulators are still refining compliance standards for the digital asset sector, developers, organisations, and users need to work together to create a safe and sustainable crypto environment that is secure. In light of the Astaroth campaign, it is clear that cybercriminals are becoming not only more innovative but they are also more strategic when it comes to exploiting trusted digital ecosystems. 

The line between legitimate and malicious online activity is becoming increasingly blurred. Therefore, both individuals and organisations must become more aware of proactive defences and digital hygiene. As such, evolving threats become more prevalent, organisations must enhance resilience against them by strengthening incident response frameworks, integrating artificial intelligence for real-time threat detection, and investing in zero-trust security models. 

A cryptocurrency user's continuous education is more important than ever, such as recognising red flags for phishing, verifying email authenticity, and securing wallets with multi-factor authentication and hardware-based protection. Furthermore, it will be crucial for cybersecurity researchers to collaborate with technology platforms, regulatory authorities, and other organisations to eliminate the infrastructure that makes these attacks possible.

Ultimately, the fight against threats such as Astaroth transcends immediate containment; it represents an ongoing commitment to bolster digital trust, which is vital to the success of these attacks. In the process of embedding cybersecurity awareness into every layer of the Web3 ecosystem, the industry can transform every attempt at an attack into a catalyst for stronger, more adaptive security standards, which will enable businesses to remain competitive and secure.
Read more »
Fake Apps
Android Android Banking Trojan Android Trojans Banking Trojan Credential Theft Cyber Attacks Fake Apps

Datzbro Android Banking Trojan Targets Seniors With Device-Takeover Attacks

 

Researchers have uncovered a previously undocumented Android banking trojan, dubbed Datzbro, that is being used in device-takeover campaigns aimed squarely at older adults. ThreatFabric, a Dutch mobile security firm, first tied the activity to a social-engineering network in August 2025 after reports emerged of Facebook groups in Australia advertising “active senior trips” that were in fact recruitment channels for the scam. The operation has been observed in multiple countries, including Singapore, Malaysia, Canada, South Africa and the U.K., and relies on community-focused messaging to build trust before delivering malware. 

The attackers create convincing Facebook groups and AI-generated posts promoting local events for seniors. When a target shows interest, operators move the conversation to Facebook Messenger or WhatsApp and push a link to download a so-called community app—usually an APK hosted on a fraudulent domain. Those sites promise event registration and networking features but deliver an installer that either installs Datzbro directly or drops a secondary loader built with an APK-binding service called Zombinder, which helps bypass protections introduced in Android 13 and later. Some evidence suggests the fraudsters are preparing iOS TestFlight lures as well, indicating cross-platform ambitions. 

Analysts have cataloged multiple malicious app package names used to distribute the trojan, from innocuous-sounding “Senior Group” and “Lively Years” to variants masquerading as popular Chinese apps or tools. Once installed, Datzbro grants itself extensive permissions and weaponizes Android accessibility services to perform actions on behalf of the attacker. It can record audio, capture photos, harvest files, log keystrokes and overlay semi-transparent screens to hide malicious activity from victims. A distinctive feature is its “schematic remote control” mode, which reports screen layout, element positions and content back to operators so they can reconstruct interfaces remotely and direct the device as if they were looking over the victim’s shoulder. 

The trojan also filters accessibility event logs for bank or wallet package names and scans for text resembling PINs, passwords or transaction codes. If it finds credentials in cookies or other storage, Datzbro exfiltrates them to the attackers’ back end; it can even steal lock-screen PINs and compromise popular Chinese payment apps such as Alipay and WeChat. ThreatFabric noted Chinese debug strings and a Chinese-language desktop command-and-control application tied to the campaign, suggesting the authors are Chinese-speaking. A compiled C2 client reportedly leaked to public malware repositories, which may accelerate wider abuse by other criminals. 

Datzbro’s discovery comes amid broader mobile-banking malware activity. IBM X-Force has described a related AntiDot campaign called PhantomCall that similarly abuses Android features and sideloaded droppers to bypass modern OS protections, while PRODAFT has documented MaaS-style offerings for actors aiming at global banks. Together, these trends reflect a sustained move toward targeted social engineering that exploits community trust to coax vulnerable users into installing powerful remote-control malware. 

The rapid evolution of these threats underscores the need for heightened public awareness—especially among seniors—tighter app-distribution controls, and stronger defenses around accessibility permissions and sideloaded software.
Read more »
TrickMo
Android Banking Trojan lockscreen malware Pin TrickMo

New TrickMo Variants Exploit Fake Lock Screens to Steal Android PINs

 



A perilous new variant of the Android banking malware TrickMo has been discovered, capable of mimicking the Android lock screen and stealing users' PINs. This comes according to the data compiled by the security firm Zimperium, who made a deep analysis of the malware. The firm said that some 40 new variants of TrickMo have been found in the wild. These are associated with 16 dropper applications and 22 different command and control (C2) servers.

The new report follows earlier research by Cleafy, which had already managed to detect some of these, but not all, variants. TrickMo had been observed used in cyberattacks since September 2019, although it wasn't documented until last year by the IBM X-Force group.


How TrickMo Works to Deceive

One such feature in this new version of TrickMo is the fake Android lock screen designed to further dupe the users into handing over their PIN or unlock pattern. The screen seems like a real one. It actually renders in full-screen mode to mimic the prompt from an original Android. Once the user inputs his credentials, malware will capture that and transmit over to a remote server along with its unique identifier. This will provide thieves with access to the device later, often when it is not actively monitored, allowing them to go on and carry out whatever fraudulent activities they want.

In addition, TrickMo has other malicious abilities-the intercepting of one-time passwords, screen recording, exfiltration of data, and even the remote control of the infected device. Thus, TrickMo is another banking trojan, which mainly operates relying on the stealing of login credentials with the presentation of phishing pages of various banks.


The New Generation of Adaptation Malware

New variants of TrickMo malware attempt to exploit the Accessibility Service permission in Android. As a result, the malware would be able to grab greater control over the device and the possibility of automating different actions without even letting the actual user know about such actions. This is an abuse of accessibility features that grants the malware easier ways for interacting with system prompts, such as giving itself further permissions or making phishing pages appear.

Cyber security experts consider the mature and dynamic capabilities to make TrickMo a most dangerous threat. The phishing screens will be more likely to capture the users, and once the credentials are captured, then hackers can carry out unauthorised transactions using their banking apps or log in to other sensitive accounts.


Large-scale Impact on Victims

Zimperium's research showed that at least 13,000 victims from several countries, such as Canada, United Arab Emirates, Turkey, and Germany, have been affected by the TrickMo malware. The real number of attached devices, however, may be much higher as the malware operates through multiple C2 servers.

It targeted most of the banking applications but has since grown to target many more applications such as VPN services, streaming services, online e-commerce websites, and even social media and enterprise-based platforms. More alarming, it threatens because it can compromise user accounts associated with different kinds of services, not just financial services.


Staying Safe from TrickMo

This spreads through misleading the users into downloading the malicious APK files from unknown sources. To avoid infection, users are not encouraged to click on any links whatsoever-those coming through SMS or direct messages from unknown contacts in particular. Enablement of Google Play Protect is likely to prevent known variants of TrickMo from being installed on Android devices.

The sophistication level of malware like TrickMo tends to keep reminding everyone of the importance of maintaining their software up to date and not to interact with any unfamiliar apps or websites. As it continues to morph into even dangerous forms, cybersecurity experts have kept alerting Android users to be on high alert and ensure that such security features like Google Play Protect are turned on in order to provide a first line of defence against such threats.

Zimperium has taken the noble step in releasing TrickMo's C2 infrastructure details on GitHub, thus being in a better position to help cybersecurity experts and organisations ward off the trojan. It is important to note that while saying so, users are advised to be vigilant and take proper measures to ensure their sensitive information will not be compromised by malicious software such as TrickMo.


Read more »
TrickMo
Banking Security Banking Trojan C2 servers Cyberattack Data Breach device access malware Mobile Threats Security TrickMo

TrickMo Banking Trojan Unveils Advanced Threat Capabilities in Latest Variant

Malware Analyst at Zimperium, Aazim Yaswant, has released an in-depth report on the most recent TrickMo samples, highlighting worrisome new functionalities of this banking trojan. Initially reported by Cleafy in September, this new version of TrickMo employs various techniques to avoid detection and scrutiny, such as obfuscation and manipulating zip files. 

Yaswant’s team discovered 40 variants of TrickMo, consisting of 16 droppers and 22 active Command and Control (C2) servers, many of which remain hidden from the broader cybersecurity community.

Although TrickMo primarily focuses on stealing banking credentials, Yaswant's analysis has exposed more sophisticated abilities. "These features allow the malware to access virtually any data on the device," Yaswant stated. TrickMo is capable of intercepting OTPs, recording screens, remotely controlling the device, extracting data, and misusing accessibility services to gain permissions and perform actions without the user’s approval. Additionally, it can display misleading overlays designed to capture login credentials, enabling unauthorized financial transactions.

A particularly concerning discovery in Yaswant's findings is TrickMo’s ability to steal the device’s unlock pattern or PIN. This enables attackers to bypass security measures and access the device while it is locked. The malware achieves this by mimicking the legitimate unlock screen. “Once the user enters their unlock pattern or PIN, the page transmits the captured data, along with a unique device identifier,” Yaswant explained.

Zimperium’s researchers managed to gain entry to several C2 servers, identifying approximately 13,000 unique IP addresses linked to malware victims. The analysis revealed that TrickMo primarily targets regions such as Canada, the UAE, Turkey, and Germany. Yaswant’s investigation also uncovered millions of compromised records, with the stolen data including not only banking credentials but also access to corporate VPNs and internal websites, posing significant risks to organizations by potentially exposing them to larger-scale cyberattacks.
Read more »
South America
Banking Trojan Cyber Security Cyberthreats Digital Fraud Money Scams phishing South America

Global Resurgence of Grandoreiro Banking Trojan Hitting High

 
The cybercriminal group behind the Grandoreiro banking trojan has re-emerged in a global campaign since March 2024, following a significant law enforcement takedown earlier this year. This large-scale phishing operation targets over 1,500 banks across more than 60 countries, spanning Central and South America, Africa, Europe, and the Indo-Pacific, according to IBM X-ForceIBM X-Force. Originally focused on Latin America, Spain, and Portugal, Grandoreiro’s new campaign signifies a strategic shift after Brazilian authorities disrupted its infrastructure. 

Despite a major takedown in January 2024, which saw the Brazilian Federal Police, Interpol, the Spanish National Police, ESET, and Caixa Bank dismantle the operation and arrest five individuals, the malware has returned with significant upgrades. The phishing emails associated with Grandoreiro masquerade as urgent government payment requests, prompting recipients to click on links that download and execute malicious files. 

Once installed, the trojan interacts with banking apps to facilitate fraudulent transactions, logs keystrokes and captures screenshots to steal banking credentials and sensitive data. It also allows remote system manipulation and file operations by threat actors. A key enhancement in the latest version is a module that captures Microsoft Outlook data and uses compromised email accounts to spread spam. 

Grandoreiro employs the Outlook Security Manager tool to bypass security alerts, enabling seamless interaction with the Outlook client. IBM X-Force reports substantial improvements to the malware’s evasion techniques, including a string decryption method using AES CBC encryption with a unique decoder. The domain generation algorithm (DGA) has been upgraded with multiple seeds to enhance command and control (C2) communications. 

The trojan can also disable security alerts in Outlook and send phishing emails using compromised credentials. The updated Grandoreiro evades execution in several countries, including Poland, the Czech Republic, the Netherlands, and Russia. It also blocks operation on Windows 7 systems in the US without an active antivirus program, demonstrating its resilience and increased persistence. 

To combat the threat of Grandoreiro 

Organizations are advised to prioritize user education on phishing tactics. Employees should be trained to recognize suspicious emails, verify sender legitimacy, and avoid clicking on unknown links or opening untrusted attachments. Robust spam filtering systems at the gateway level can intercept many phishing emails, while behavior-based detection techniques in endpoint security systems can identify and stop harmful activities. As phishing attacks rise, protecting organizations becomes crucial. 

Enhancing user awareness is key, and resources like Phishing Tackle offer tools and training to help users recognize and avoid phishing threats. Despite technological defenses, user education remains vital in minimizing the impact of successful attacks. Consulting with experts can provide valuable insights and tools to strengthen defenses against these persistent threats.
Read more »
malware
Banking Trojan Brokewell Browser Chrome Google malware

Banking Malware "Brokewell" Hacks Android Devices, Steals User Data

Banking Malware "Brokewell" Hacks Android Devices

Security experts have uncovered a new Android banking trojan called Brokewell, which can record every event on the device, from touches and information shown to text input and programs launched.

The malware is distributed via a fake Google Chrome update that appears while using the web browser. Brokewell is in ongoing development and offers a combination of broad device takeover and remote control capabilities.

Brokewell information

ThreatFabric researchers discovered Brokewell while examining a bogus Chrome update page that released a payload, which is a common approach for deceiving unwary users into installing malware.

Looking back at previous campaigns, the researchers discovered that Brokewell had previously been used to target "buy now, pay later" financial institutions (such as Klarna) while masquerading as an Austrian digital authentication tool named ID Austria.

Brokewell's key capabilities include data theft and remote control for attackers.

Data theft 

  • Involves mimicking login windows of targeted programs to steal passwords (overlay attacks).
  • Uses its own WebView to track and collect cookies once a user logs into a valid website.
  • Captures the victim's interactions with the device, such as taps, swipes, and text inputs, to steal data displayed or inputted on it.
  • Collects hardware and software information about the device.
  • Retrieves call logs.
  • determines the device's physical position.
  • Captures audio with the device's microphone.

Device Takeover: 

  • The attacker can see the device's screen in real time (screen streaming).
  • Remotely executes touch and swipe gestures on the infected device.
  • Allows remote clicking on specific screen components or coordinates.
  • Allows for remote scrolling within elements and text entry into specific fields.
  • Simulates physical button presses such as Back, Home, and Recents.
  • Remotely activates the device's screen, allowing you to capture any information.
  • Adjusts brightness and volume to zero.

New threat actor and loader

According to ThreatFabric, the developer of Brokewell is a guy who goes by the name Baron Samedit and has been providing tools for verifying stolen accounts for at least two years.

The researchers identified another tool named "Brokewell Android Loader," which was also developed by Samedit. The tool was housed on one of Brokewell's command and control servers and is utilized by several hackers.

Unexpectedly, this loader can circumvent the restrictions Google imposed in Android 13 and later to prevent misuse of the Accessibility Service for side-loaded programs (APKs).

This bypass has been a problem since mid-2022, and it became even more of a problem in late 2023 when dropper-as-a-service (DaaS) operations began offering it as part of their service, as well as malware incorporating the tactics into their bespoke loaders.

As Brokewell shows, loaders that circumvent constraints to prevent Accessibility Service access to APKs downloaded from suspicious sources are now ubiquitous and widely used in the wild.

Security experts warn that device control capabilities, like as those seen in the Brokewell banker for Android, are in high demand among cybercriminals because they allow them to commit fraud from the victim's device, avoiding fraud evaluation and detection technologies.

They anticipate Brokewell being further improved and distributed to other hackers via underground forums as part of a malware-as-a-service (MaaS) operation.

To avoid Android malware infections, avoid downloading apps or app updates from sources other than Google Play, and make sure Play Protect is always turned on.

Read more »
User Privacy
Banking Trojan Data Safety iPhone Users malware User Privacy

Beware, iPhone Users: iOS GoldDigger Trojan can Steal Face ID and Banking Details

 

Numerous people pick iPhones over Android phones because they believe iPhones are more secure. However, this may no longer be the case due to the emergence of a new banking trojan designed explicitly to target iPhone users.

According to a detailed report by the cybersecurity firm Group-IB, the Android trojan GoldDigger has now been successfully repurposed to target iPhone and iPad users. The company claims that this is the first malware designed for iOS, posing a huge threat by collecting facial recognition data, ID documents, and even SMS. 

The malware, discovered for the first time last October, now has a new version dubbed GoldPickaxe that is optimised for iOS and Android devices. When installed on an iPhone or Android phone, GoldPickaxe can collect facial recognition data, ID documents, and intercepted text messages, all with the goal of making it easier to withdraw funds from banks and other financial apps. To make matters worse, this biometric data is utilised to create AI deepfakes, which allow attackers to mimic victims and gain access to their bank accounts. 

It is vital to note that the GoldPickaxe malware is now targeting victims in Vietnam and Thailand. However, as with other malware schemes, if this one succeeds, the cybercriminals behind it may expand their reach to target iPhone and Android users in the United States, Europe, and the rest of the world. 

Android banking trojans are typically propagated via malicious apps and phishing campaigns. It is more difficult to install a trojan on an iPhone since Apple's ecosystem is more locked off than Google's. However, as hackers often do,they've figured out a way. 

Initially, the malware was disseminated via Apple's TestFlight program, which allows developers to deploy beta app versions without going through the App Store's authorization process. However, after Apple removed it from TestFlight, the hackers shifted to a more complicated way employing a Mobile Device Management (MDM) profile, which is generally used to manage enterprise devices. 

Given how successful a banking trojan like GoldDigger or GoldPickaxe can be, especially since it can target both iPhones and Android phones, this is unlikely to be the last time we hear about this spyware or the hackers behind it. As of now, even the most latest versions of iOS and iPadOS appear to be vulnerable to this Trojan. Group-IB has contacted Apple about the flaw, so a solution is likely in the works.
Read more »
Trojan
Banking Trojan cyber attack Cyber Attacks Malicious Activities Mexico Mispadu Stealer Trojan

New Variant of Banking Trojan Discovered Targeting Mexico

In a recent discovery, cybersecurity researchers from Palo Alto Networks Unit 42 have uncovered a new variant of the stealthy banking Trojan known as Mispadu Stealer. This infostealer is specifically designed to target regions and URLs associated with Mexico, posing a significant threat to users in the region. 

The researchers stumbled upon this new variant while conducting investigations into attacks exploiting the Windows SmartScreen bypass vulnerability CVE-2023-36025. This vulnerability has been a prime target for cybercriminals looking to bypass security measures and infiltrate systems. However, it was addressed by Microsoft in November 2023. 

How You Are Being Attacked?

Essentially, attackers exploit a flaw in Windows SmartScreen, a security feature designed to warn users about potentially harmful downloads. By crafting internet shortcut files (.URL) or hyperlinks that point to malicious content, they can evade SmartScreen's defenses. This evasion tactic hinges on including a parameter that points to a network share rather than a standard URL. Inside the manipulated.URL file is a link leading to a network share controlled by the threat actor, housing a dangerous executable file. 

Since August 2022, Mispadu has been behind numerous spam campaigns, resulting in the theft of over 90,000 bank account credentials. This revelation highlights the significant threat Mispadu poses to the financial security of users across Latin America. However, Mispadu is just one member of a larger family of LATAM banking malware. 

Among its notorious counterparts is Grandoreiro, a formidable threat that has plagued users in the region. Recent efforts by law enforcement authorities in Brazil have resulted in the dismantling of Grandoreiro, offering some relief to users. 

Despite this success, cybersecurity experts warn that the danger from Mispadu and similar malware persists. Users are urged to remain vigilant when dealing with unsolicited emails and to bolster their defenses with robust security measures. By staying informed and implementing proactive strategies, users can better protect themselves against potential attacks.
Read more »
User Privacy
Banking Trojan Data Safety malware Malware Family Online Security User Privacy

Qbot: The Ever Expanding Malware Family

 

Given how widespread malware has become, new "families" of each type are being developed. Qbot, a family of malware that is used to steal data, falls under this category. 

Qbot's history 

As is sometimes the case with malware, Qbot (also referred to as Qakbot, Quakbot, or Pinkslipbot) wasn't identified until it was actually spotted in the wild. In the context of cybersecurity, the phrase "in the wild" describes a situation in which malware spreads unintentionally among targeted devices. As a kind of malware, Qbot is suspected to have existed at least as far back as 2007, making it much older than many of the more well-known varieties now in use. 

Simply because they are ineffective against new technology, several types of malware from the 2000s are no longer in use. But Qbot stands out in this case. Qbot has been running for at least 16 years as of the time of writing, an astonishing longevity for malware. 

Although this has also been interrupted by stretches of inactivity, Qbot has been routinely seen in use in the wild since 2007. In any event, cybercriminals continue to favour it as a choice. 

Qbot has changed throughout time and has been utilised by different hackers for a variety of purposes. Qbot started out as a Trojan, a virus that hides itself inside of software that seems to be safe. Data theft and remote access are only two of the many destructive uses for trojans. More precisely, Qbot targets banking credentials. It is regarded as a banking Trojan as a result. Is this still the case, though? How does Qbot function right now?

Modus operandi

The most notable type of the Qbot that is currently being spotted is an infostealer Trojan. Infostealer Trojans are intended to steal valuable data, including financial information, login passwords, and contact information, as their name implies. This particular strain of Qbot malware is mostly used to steal credentials. Variants of Qbot have also been seen engaging in keylogging, process hooking, and even system attacks using backdoors.

Qbot has been altered to have backdoor capabilities since it was first developed in the 2000s, making it an even greater threat. A backdoor is essentially an unauthorised method of accessing a network or system. Backdoors are frequently used by hackers to conduct their assaults because they provide a simpler entry point. This Qbot variation is referred to as "Backdoor.Qbot." 

Initially, the Trojan-like Emotet virus was used to propagate Qbot. Nowadays, malicious email campaigns using attachments are the main way that Qbot is disseminated. Large quantities of spam are sent during such campaigns to hundreds or even thousands of recipients in the hopes that some of the users who are being targeted would respond. 

Qbot has frequently been seen as a.zip file with an XLS dropper that contains macros inside malicious email attachments. Malware can be installed on a recipient's device if they open a malicious attachment, frequently without their awareness. Exploit kits can also be used to propagate Qbot. These are instruments that help cybercriminals spread malware. 

Exploit kits can identify security flaws in a device's construction and then take advantage of such flaws to get unauthorised access. 

However, things continue even after backdoors and password theft. Operators of Qbots have been crucial Initial Access Brokers. These are cybercriminals who offer other hostile actors system access for sale. Access has been allowed to some very large organizations, including the ransomware-as-a-service provider REvil, in the instance of the Qbot perpetrators. In fact, a number of ransomware partners have been seen employing Qbot to get initial access to systems, giving the malware yet another alarming use.

Qbot is used to target a variety of industries and has surfaced in numerous harmful activities. Qbot has targeted manufacturing enterprises, government agencies, banking websites, healthcare organizations, and more. 2020 data from TrendMicro indicated that 28.1% of Qbot's targets are in the healthcare industry. 

In the same analysis, TrendMicro also noted that the US, China, and Thailand had the greatest rates of Qbot detection in 2020. Qbot is obviously a worldwide danger because it was also frequently detected in Australia, Germany, and Japan. 

Mitigation tips

It's crucial that you are aware of the signs of malicious mail because Qbot is frequently disseminated through spam campaigns. 

Starting with the contents, there are many warning signs that an email may be malicious. It's advisable to avoid clicking any links or attachments from new email addresses until you are certain they can be trusted. You may check a URL's validity on a number of link-checking websites to see whether it is safe to click or not. 

The file extensions.pdf,.exe,.doc,.xls, and.scr are among those that are frequently used to propagate malware. Although not the only file extensions used to spread malware, these are among the most popular kinds, so be on the lookout for them when you receive emails with attached files. 

Additionally, you should exercise caution if an email from a new sender carries a sense of urgency. In order to persuade victims to comply, cybercriminals frequently utilise persuasive language in their emails.
Read more »
User Privacy
Android Malware Banking Trojan Crypto Apps data security Mobile Security User Privacy

Beware of this Android Banking Trojan that Steals Banking Credentials

 

A financial trojan called "Godfather" which is capable of stealing account credentials from more than 400 different banking and cryptocurrency apps is presently targeting Android users in 16 other countries. 

According to a recent report from the cybersecurity company Group-IB, the Godfather trojan, which was initially uncovered by ThreatFabric back in March of last year, has been dramatically upgraded and updated since then. 

In a second report, the dark web and cybercrime monitoring company Cyble describes how Godfather is also being disseminated in Turkey through a malicious app that has been downloaded 10 million times and pretends to be a well-known music application. 

Godfather is thought to be the replacement for Anubis, a well-known and widely-used banking Trojan before it lost the capacity to get past updated Android defenses, BleepingComputer reported. 

Banking and cryptocurrency apps on the hit list 

The banking trojan has targeted users of more than 400 apps since it first debuted last year, including 215 banking apps, 94 cryptocurrency wallets, and 110 crypto trading platforms. The malware also targeted 49 banking apps in the US, 31 in Turkey, 30 in Spain, 22 in Canada, 20 in France, 19 in Germany, and 17 in the UK, among other nations. 

Surprisingly, Group-IB discovered a section in Godfather's code that stops the malware from aiming for users from former Soviet Union nations and users in Russia, indicating that its developers speak Russian. The malware checks the system language on an Android device after installation to see if it is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. If so, Godfather shuts down and doesn't attempt to steal any stored cryptocurrency or banking accounts.

Modus operandi 

Godfather attempts to acquire persistence on an Android phone after being installed via a malicious app or file by impersonating Google Protect. Once you download an app from the Google Play Store, this genuine software begins to execute. 

The banking trojan then claims to be "scanning" when, in fact, it is hiding its icon from the list of installed apps and creating a pinned "Google Project" notice. Because of this, malware is more likely to blend into the background and is more challenging to remove. 

A targeted user goes about their normal activities because Godfather's symbol is missing. To steal user passwords and empty their accounts, the malware then applies false overlays to well-known banking and cryptocurrency apps. Additionally, Godfather employs a smart tactic to direct people to phishing websites. It accomplishes this by displaying a fake notification that impersonates one of its smartphone's loaded banking or cryptocurrency apps. 

In addition to stealing credentials, the malware is able to record a user's screen, launch keyloggers to capture their keystrokes, route calls to get around two-factor authentication (2FA), and send SMS messages from infected devices. 

Mitigation Tips 

Installing new apps from a third party other than the Google Play Store or other official app stores like the Amazon App Store or Samsung Galaxy Store puts you at risk for Godfather and other Android malware. While sideloading apps could be alluring, since they are uploaded without any security checks, they may be infected with malware and other viruses. 

Additionally, make sure Google Play Protect is turned on so that it can scan both new and old apps for malware. However, you might also want to download one of the top Android antivirus apps for additional security.
Read more »
User Security
Banking Trojan File Manager Malicious Android Apps Malicious Apps Mobile Security User Privacy User Security

SharkBot Malware Targets Thousands of Android Users Via Disguised File Manager App

 

Variants of the SharkBot banking trojan were identified in multiple file manager Android applications on the Google Play Store, some of them with thousands of downloads. 

The majority of users who downloaded the trojanized apps were located in the U.K. followed by Italy, Iran, and Germany, security researchers at Bitdefender said in an analysis published this week. 

"The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals’ resort to more covert methods," reads the advisory. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware." 

This was the case with multiple file manager apps, which were disguised as such to justify the request for permission to install external packages from the user. 

The permissions asked by trojanized apps included READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, GET_ACCOUNTS, REQUEST_INSTALL_PACKAGES, QUERY_ALL_PACKAGES, and REQUEST_DELETE_PACKAGES. 

"Of course, that permission is used to download malware," the researchers wrote. "As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated to a restricted pool of users, they are challenging to detect." 

While the applications identified by the researchers are no longer available on the Play Store, they can still be downloaded via multiple third-party stores, making them a huge threat. 

The first app examined by the researchers was 'X-File Manager,' designed by 'Viktor Soft ICe LLC' and counting over 10,000 installs before it was taken down by Google. 'FileVoyager' was the second one, manufactured by 'Julia Soft Io LLC' with nearly 5,000 downloads. 

The researchers discovered two more apps following an identical methodology, but they were never present on the Google Play store. They are called 'Phone AID, Cleaner, Booster' and 'LiteCleaner M' and were identified on the web via third-party app stores. 

The advisory published by the Bitdefender team comes weeks after threat analysts at Cleafy indicated the Android banking Trojan Vultur has reached more than 100,000 downloads on the Google Play Store.

Users who have downloaded the malicious apps are advised to delete them and change their bank account passwords immediately. Additionally, users are recommended to enable Play Store Protect and scan app ratings and reviews before downloading them.
Read more »
User Security
Banking Trojan File Share Servers Malicious Payload malware Phishing Campaign User Security

Threat Actors Exploit WeTransfer to Spread Lampion Malware

 

In a new phishing campaign unearthed by Cofense researchers, the Lampion malware is being distributed massively, with hackers exploiting WeTransfer as part of their campaign.

WeTransfer is an internet-based computer file transfer service that can be utilized free of cost, hence it's a no-cost way to circumvent security software that may not detect URLs in emails. 

The malware authors are sending phishing emails from exploited firm accounts requesting customers to download a "Proof of Payment" document from WeTransfer. 

The file sent to the targets is a ZIP archive containing a VBS (Virtual Basic script) file that the user must open in order for the attack to begin. Upon clicking on the file, the script launches a WScript process that manufactures four VBS files with random names. The first is empty, the second has limited functionality, and the third's sole motive is to launch the fourth script. 

According to Cofense researchers, this extra step is unclear, but modular execution approaches are typically preferred for their versatility, allowing easy file swaps. The fourth script initiates a new WScript process that links to two hardcoded URLs to retrieve two DLL files concealed inside password-protected ZIPs. The malicious links lead to Amazon AWS instances. 

The ZIP file password is concealed in the script, so the archives are extracted without user communication. The contained DLL payloads are loaded into memory, allowing Lampion to be stealthily executed on compromised systems. 

Subsequently, the malware initiates extracting data from the computer, and bank accounts, and overlaying its own login forms on login pages. These fake bogus forms are stolen and sent to the hacker when users enter their credentials. 

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and employing exploited servers to deploy its malicious ZIPs. 

Last year, the malware was identified exploiting cloud services for hosting the malware for the first time, including Google Drive and pCloud. Recently, in March 2022, Cyware reported an increase in trojan distribution, identifying a hostname link to Bazaar and LockBit operations.

Prevention Tips 

Researchers advised users to apply the following mitigations to defend against malware attacks: 
  • Update software, including operating systems, applications, and firmware frequently 
  • Install OS patches when they are available 
  • Enforce MFA to the greatest extent possible 
  • If you use RDP and/or other potentially risky services, secure and monitor them closely 
  • Employ cryptographic vaults for data safety
Read more »
User Security
Android Spyware Banking Trojan Malicious Apps Mobile Security User Security

Google Removes Several Apps From Play Store Distributing Malware

 

Earlier this week, Google blocked dozens of malicious Android apps from the official Play Store that were propagating Joker, Facestealer, and Coper malware families via the virtual marketplace. 

According to the findings from Zscaler ThreatLabz and Pradeo researchers, the Joker spyware exfiltrated SMS messages, contact lists, and device information and lured victims to sign up for premium service subscriptions. 

A total of 54 Joker downloader apps were unearthed by the two cybersecurity firms, with the apps installed cumulatively over 330,000 times. Nearly half of the apps belonged to communication (47.1%) category followed by tools (39.2%), personalization (5.9%), health and, photography. 

“The tools and communication were among the most targeted categories covering the majority of the Joker-infected apps. ThreatLabz discovered daily uploads of apps containing the Joker malware indicating the high activity level and persistence of the adversary group.” reads the blog post published by Zscaler. “Consistent with previous findings, ThreatLabz's latest discoveries belonging to the Joker malware campaign continue to follow similar developer naming patterns and use of familiar techniques.” 

ThreatLabz experts also uncovered multiple apps compromised with the Facestealer and Coper malware. 

The Facestealer spyware was first unearthed in July last year by Dr. Web researchers, and was designed to steal Facebook users’ logins and passwords and authentication tokens. 

The Coper malware is a banking trojan that targets banking applications in Europe, Australia, and South America. The hackers distribute the apps by disguising them as legitimate apps in the Google Play Store. 

“Once downloaded, this app unleashes the Coper malware infection which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overly attacks, preventing uninstalls and generally allowing attackers to take control and execute commands on infected device via remote connection with a C2 server.” continues the report. 

The researchers recommended users to refrain from granting unnecessary permissions to apps and verify their authenticity by checking for developer information, reading reviews, and scrutinizing their privacy policies. If you become a victim of a malicious app from the Play Store, inform Google about it immediately through the support options in your play Store app.
Read more »
Trojan
Android Banking Trojan malware phishing Software Trojan

This Banking Trojan is Targeting Users of Spanish Financial Services

 

A previously unreported Android banking trojan targeting users of the Spanish financial services business BBVA has been spotted in the wild. 

The malware, named 'Revive' by Italian cybersecurity firm Cleafy and believed to be in its early stages of development, was first discovered on June 15, 2022, and propagated via phishing operations. 

"The name Revive has been chosen since one of the functionality of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working," Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up. 

Downloadable from malicious phishing websites ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com"), the malware impersonates the bank's two-factor authentication (2FA) app as a bait to mislead users into installing the software and is reported to be inspired by open-source spyware dubbed Teardroid, with the authors altering the original source code to integrate new features.

In contrast to other banking malware that are known to target a wide range of financial apps, Revive is targeted for a single target, in this case, the BBVA bank. However, it is similar to its competitors in that it uses Android's accessibility services API to achieve its operational goals. 

Revive is primarily designed to gather the bank's login credentials via lookalike websites and allow account takeover attacks. It also has a keylogger module to record keystrokes and the ability to intercept SMS messages sent by the bank, particularly one-time passwords and two-factor authentication codes. 

"When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to the SMS and phone calls. After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they are sent to the [command-and-control server] of the TAs," the researchers further stated.

The findings emphasise the importance of exercising caution while installing software from unknown third-party sources.
Read more »
Subscribe to: Comments (Atom)