
Alert! Check if you have these Android Malware Apps Installed With 10M+ Downloads

A fresh batch of harmful Android applications carrying adware and malware, installed on almost 10 million devices in total, has been discovered on the Google Play Store.

The apps pose as picture editors, virtual keyboards, system optimizers, wallpaper changers, and similar utilities. Their real purpose, however, is to display intrusive advertisements, subscribe users to premium services, and hijack victims' social network accounts.

The Dr.Web antivirus team discovered the applications and documented them in a published report. Google has since removed the great majority of them; however, three remained available for download and installation via the Play Store at the time of writing. Anyone who installed any of these applications before they were pulled will need to delete them from the device manually and run an antivirus scan to remove any leftovers.

The first group Dr.Web found consists of adware apps that are variants of families which first surfaced on the Google Play Store in May 2022. Once installed, they ask for permission to draw overlay windows on top of any other app and can add themselves to the battery saver's exclusion list, which lets them keep running in the background even after the victim closes the app. They also hide their icon from the app drawer or replace it with something resembling a core system component, such as "SIM Toolkit."

"This app "killed" my phone. It kept crashing, I couldn't even enter my password to unlock the phone and uninstall it. Eventually, I had to do a complete wipe-out (factory reset) to regain the phone. DO NOT install this app!!!!," reads a review of one of the apps on the Google Play Store.

Joker applications, infamous for running up fraudulent charges on victims' mobile accounts by subscribing them to premium services, are the second kind of harmful app spotted on the Play Store. Two of the featured applications, 'Water Reminder' and 'Yoga - For Beginner to Advanced,' have 100,000 and 50,000 downloads, respectively. Both deliver the advertised functionality, but they also carry out malicious operations in the background, interacting with hidden or out-of-focus WebView objects to sign users up for paid subscriptions.

Finally, Dr.Web identified two Facebook account stealers distributed through picture editing applications that apply cartoon effects to ordinary photos. These applications are 'YouToon - AI Cartoon Effect' and 'Pista - Cartoon Photo Effect,' and they have been downloaded over 1.5 million times from the Google Play Store.

Android malware will always find a way into the Google Play Store, and apps can occasionally linger there for months, so users should not blindly trust any app. It is therefore important to read user reviews and ratings, visit the developer's website, read the privacy policy, and pay close attention to the permissions requested during installation. The apps identified by Dr.Web, with their package names, are:
  • Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
  • Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
  • Photo Editor: Art Filters (gb.painnt.moonlightingnine)
  • Photo Editor - Design Maker (gb.twentynine.redaktoridea)
  • Photo Editor & Background Eraser (de.photoground.twentysixshot)
  • Photo & Exif Editor (de.xnano.photoexifeditornine)
  • Photo Editor - Filters Effects (de.hitopgop.sixtyeightgx)
  • Photo Filters & Effects (de.sixtyonecollice.cameraroll)
  • Photo Editor : Blur Image (de.instgang.fiftyggfife)
  • Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
  • Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
  • Neon Theme Keyboard (com.neonthemekeyboard.app)
  • Neon Theme - Android Keyboard (com.androidneonkeyboard.app)
  • Cashe Cleaner (com.cachecleanereasytool.app)
  • Fancy Charging (com.fancyanimatedbattery.app)
  • FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
  • Call Skins - Caller Themes (com.rockskinthemes.app)
  • Funny Caller (com.funnycallercustomtheme.app)
  • CallMe Phone Themes (com.callercallwallpaper.app)
  • InCall: Contact Background (com.mycallcustomcallscrean.app)
  • MyCall - Call Personalization (com.mycallcallpersonalization.app)
  • Caller Theme (com.caller.theme.slow)
  • Caller Theme (com.callertheme.firstref)
  • Funny Wallpapers - Live Screen (com.funnywallpapaerslive.app)
  • 4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)
  • NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)
  • Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)
  • Notes - reminders and lists (com.notesreminderslists.app)
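A quick way to check a device against the list above is to match the output of `adb shell pm list packages` against the package names and then see which of the hits have obtained the battery-optimisation exemption the adware grants itself. The script below is an added example, not part of the original post or of Dr.Web's tooling; it parses the text of `pm list packages` and `dumpsys deviceidle whitelist` (line format `<type>,<package>,<uid>` is assumed), and the two sample outputs are constructed for the demo.

```python
"""Offline triage of an Android package list against the Dr.Web IOC list.

Feed it the text of `adb shell pm list packages` and
`adb shell dumpsys deviceidle whitelist`.  Added example; the samples at the
bottom are constructed, not captured from a real device."""

# Package names from the Dr.Web list above.
IOC_PACKAGES = frozenset({
    "gb.artfilter.tenvarnist", "de.nineergysh.quickarttwo", "gb.painnt.moonlightingnine",
    "gb.twentynine.redaktoridea", "de.photoground.twentysixshot", "de.xnano.photoexifeditornine",
    "de.hitopgop.sixtyeightgx", "de.sixtyonecollice.cameraroll", "de.instgang.fiftyggfife",
    "de.fiftyninecamera.rollredactor", "gb.crazykey.sevenboard", "com.neonthemekeyboard.app",
    "com.androidneonkeyboard.app", "com.cachecleanereasytool.app", "com.fancyanimatedbattery.app",
    "com.fastcleanercashecleaner.app", "com.rockskinthemes.app", "com.funnycallercustomtheme.app",
    "com.callercallwallpaper.app", "com.mycallcustomcallscrean.app", "com.mycallcallpersonalization.app",
    "com.caller.theme.slow", "com.callertheme.firstref", "com.funnywallpapaerslive.app",
    "de.andromo.ssfiftylivesixcc", "com.newscrean4dwallpapers.app", "de.stockeighty.onewallpapers",
    "com.notesreminderslists.app",
})


def parse_pm_list(text: str) -> set[str]:
    """`pm list packages` prints one 'package:<name>' per line."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_deviceidle_whitelist(text: str) -> set[str]:
    """`dumpsys deviceidle whitelist` prints '<type>,<package>,<uid>' lines.

    Entries of type 'user' were added after install (the
    REQUEST_IGNORE_BATTERY_OPTIMIZATIONS route the adware takes); 'system'
    entries ship with the firmware and are ignored here."""
    exempt = set()
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            exempt.add(parts[1])
    return exempt


def triage(pm_output: str, whitelist_output: str) -> dict:
    installed = parse_pm_list(pm_output)
    exempt = parse_deviceidle_whitelist(whitelist_output)
    hits = installed & IOC_PACKAGES
    return {
        "ioc_matches": sorted(hits),
        "ioc_battery_exempt": sorted(hits & exempt),
        # user-granted exemptions outside the IOC list deserve a second look too
        "other_user_exempt": sorted(exempt - hits),
    }


# Constructed sample outputs for the demo.
SAMPLE_PM_LIST = """\
package:com.android.chrome
package:com.google.android.gms
package:gb.crazykey.sevenboard
package:com.fancyanimatedbattery.app
package:com.example.bank
"""
SAMPLE_WHITELIST = """\
system-excidle,com.android.providers.downloads,10005
system,com.google.android.gms,10012
user,com.fancyanimatedbattery.app,10241
user,com.example.bank,10250
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PM_LIST, SAMPLE_WHITELIST), indent=2))
```

On a real device, pipe `adb shell pm list packages` and `adb shell dumpsys deviceidle whitelist` into files and pass their contents to `triage()`; a hit that is also battery-exempt is the pattern the report describes, and any unfamiliar package in `other_user_exempt` is worth checking by hand.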

BitRAT Malware Spreading Via Unofficial Microsoft Windows Activators

A new BitRAT malware distribution campaign is under way, targeting people who use unofficial Microsoft licence activators to activate pirated Windows installations for free.

BitRAT is a powerful remote access trojan sold for as little as $20 (lifetime access) on cybercrime forums and dark web markets. Because each buyer runs their own distribution, delivery methods vary and include phishing, watering holes, and trojanized software. In the campaign identified by AhnLab researchers, threat actors are delivering BitRAT as a Windows 10 Pro licence activator hosted on webhards.

Webhards are online storage services popular in South Korea that receive a steady stream of visitors via direct download links posted on social media platforms or Discord. Threat actors are increasingly abusing webhards to deliver malware because of their widespread use in the region. Based on the Korean characters in the code snippets and the way the file was distributed, the actor behind this BitRAT campaign appears to be Korean. To use Windows 10 legitimately, one must purchase and activate a Microsoft licence.

While there are ways to get Windows 10 for free, they require a valid Windows 7 licence. Those who do not want to deal with licensing, or who have no licence to upgrade from, frequently resort to pirating Windows 10 and using unofficial activators, many of which are laced with malware. In this campaign the malicious file is 'W10DigitalActiviation.exe', presented as a Windows 10 activator with a simple GUI and a single "Activate Windows 10" button.

Rather than activating the Windows licence on the host, the "activator" downloads malware from a command and control server hardcoded in the binary. The retrieved payload is BitRAT, which is installed as 'Software Reporter Tool.exe' in the %TEMP% folder and added to the Startup folder. The downloader also adds Windows Defender exclusions so that BitRAT is not detected, then deletes itself once installation is complete, leaving only BitRAT behind.
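The persistence pattern described here (an executable dropped in %TEMP%, an entry in the user's Startup folder, and Defender path exclusions covering those locations) is straightforward to check for. The script below is an added example, not part of the original post or of AhnLab's analysis. It evaluates Defender exclusion paths and Startup folder entries supplied as plain lists (on a live host you would collect them with `Get-MpPreference` and by listing the Startup folder); it assumes a default `C:\Users\<user>` profile layout, and the inputs at the bottom are constructed for the demo.

```python
"""Flag Defender exclusions and Startup entries that match the BitRAT
dropper's persistence pattern.  Added example, not the campaign's own code
or AhnLab's tooling.  Uses PureWindowsPath so it runs on any platform."""
from pathlib import PureWindowsPath

# Locations a user-level dropper can write to without elevation (assumed
# default profile layout).
USER_TEMP_MARKER = ("appdata", "local", "temp")
STARTUP_MARKER = ("microsoft", "windows", "start menu", "programs", "startup")
EXEC_SUFFIXES = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".ps1"}


def _parts(path: str) -> tuple[str, ...]:
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _contains(parts: tuple[str, ...], marker: tuple[str, ...]) -> bool:
    n = len(marker)
    return any(parts[i:i + n] == marker for i in range(len(parts) - n + 1))


def is_user_temp(path: str) -> bool:
    return _contains(_parts(path), USER_TEMP_MARKER)


def is_startup(path: str) -> bool:
    return _contains(_parts(path), STARTUP_MARKER)


def suspicious_exclusions(exclusion_paths: list[str]) -> list[str]:
    """Defender path exclusions that cover %TEMP% or the Startup folder.
    Malware adds these so its dropped payload is never scanned."""
    return [p for p in exclusion_paths if is_user_temp(p) or is_startup(p)]


def suspicious_startup_entries(entries: list[dict]) -> list[tuple[str, list[str]]]:
    """Startup items that are executables themselves, or shortcuts whose
    target lives in %TEMP%.  Each entry is {'path': ..., 'target': ...};
    'target' is only set for .lnk files."""
    findings = []
    for entry in entries:
        target = entry.get("target") or entry["path"]
        reasons = []
        if PureWindowsPath(entry["path"]).suffix.lower() in EXEC_SUFFIXES:
            reasons.append("executable placed directly in Startup folder")
        if is_user_temp(target):
            reasons.append("runs a file from %TEMP%")
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


def check_persistence(exclusion_paths: list[str], entries: list[dict]) -> dict:
    return {
        "exclusions": suspicious_exclusions(exclusion_paths),
        "startup": suspicious_startup_entries(entries),
    }


# Constructed sample data for the demo (not from a real host).
STARTUP_DIR = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EXCLUSIONS = [
    r"C:\Users\victim\AppData\Local\Temp",
    STARTUP_DIR,
    r"C:\Program Files\Hyper-V",  # a typical admin-added exclusion, not flagged
]
SAMPLE_STARTUP = [
    {"path": STARTUP_DIR + r"\Software Reporter Tool.exe"},
    {"path": STARTUP_DIR + r"\updater.lnk",
     "target": r"C:\Users\victim\AppData\Local\Temp\Software Reporter Tool.exe"},
    {"path": STARTUP_DIR + r"\OneDrive.lnk",
     "target": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for k, v in check_persistence(SAMPLE_EXCLUSIONS, SAMPLE_STARTUP).items():
        print(k, v)
```

The two signals are far stronger together than apart: a single Defender exclusion on a profile directory can be an admin's doing, but an exclusion on %TEMP% combined with a fresh executable in Startup is exactly what a dropper like this one leaves behind.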

BitRAT is marketed as a powerful, low-cost, and versatile piece of malware that can steal a wide range of sensitive data from the host. Its features include keylogging, clipboard monitoring, camera access, audio recording, credential theft from web browsers, and XMRig coin mining.

It also offers remote control of Windows PCs, hidden virtual network computing (hVNC), and SOCKS4 and SOCKS5 reverse proxying (including UDP). On that front, ASEC's analysts found considerable code similarities between BitRAT's hVNC component, TinyNuke, and TinyNuke's derivative AveMaria (Warzone). The hidden desktop capability of these RATs is valuable enough that some hacking groups, such as Kimsuky, have added them to their arsenal just to use the hVNC tool.

Researchers: Iranian Users Beware of Widespread SMS Phishing Campaigns

Socially engineered SMS messages are being used to install malware on Android smartphones as part of a large phishing operation that impersonates the Iranian government and social security authorities in order to steal credit card details and funds from victims' bank accounts.

Unlike banking malware that relies on overlay attacks to steal sensitive data without the victim noticing, the financially motivated operation discovered by Check Point Research is designed to trick victims into handing over their credit card details themselves: it sends a legitimate-looking SMS message with a link that, when clicked, downloads a malware-laced app onto the device.

Check Point researcher Shmuel Cohen stated in a new report published Wednesday, "The malicious application not only collects the victim's credit card numbers, but also gains access to their 2FA authentication SMS, and turn[s] the victim's device into a bot capable of spreading similar phishing SMS to other potential victims." 

According to the cybersecurity firm, it found hundreds of distinct phishing Android apps masquerading as device tracking apps, Iranian banks, dating and shopping sites, cryptocurrency exchanges, and government services, with the resulting botnets sold as a "ready-to-use mobile campaign kit" on Telegram channels for between $50 and $150.

The infection chain of the smishing botnet begins with a bogus notification from the Iranian judiciary asking recipients to review a fictitious complaint filed against them. The link leads to what appears to be a government website, where victims are asked to provide personal information (name, phone number, and so on) and to download an Android APK file.

Once installed, the rogue app not only demands invasive permissions for operations no government application would need, but also shows a fake login page resembling Sana, the country's electronic judicial notice system, and prompts the victim to pay a $1 fee to proceed. Users who agree are sent to a bogus payment page that captures the credit card details they enter, while the installed app acts as a covert backdoor that harvests the one-time passcodes sent by the card issuer and enables further fraud.

The malware also has a wide range of other functionality, including exfiltrating all SMS messages received by the device to an attacker-controlled server, hiding its icon from the home screen to frustrate removal, deploying additional payloads, and spreading in a worm-like fashion to broaden its reach.
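The capabilities listed here map onto a small set of manifest permissions, and an app that claims to be a government notice viewer has no business declaring them. The script below is an added example, not part of the original post or of Check Point's research: it parses an AndroidManifest.xml (decoded, for instance, with apktool) and reports the permission combinations that enable 2FA interception, SMS exfiltration, contact-based smishing spread, and second-stage installs. It goes beyond the campaign described by also flagging phone-state access, and the manifest at the bottom (including the package name `ir.example.notice`) is constructed for the demo.

```python
"""Score a decoded AndroidManifest.xml for the permission combinations a
smishing bot needs.  Added example; the sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Each rule fires only when *all* listed permissions are declared.
RULES = [
    ("intercepts incoming SMS (can read one-time passcodes)",
     {"android.permission.RECEIVE_SMS"}),
    ("reads the SMS inbox (bulk exfiltration of stored messages)",
     {"android.permission.READ_SMS"}),
    ("can send SMS to the victim's contacts (worm-like smishing spread)",
     {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"}),
    ("can install additional packages (second-stage payloads)",
     {"android.permission.REQUEST_INSTALL_PACKAGES"}),
    ("can read phone state (device identifiers and phone number)",
     {"android.permission.READ_PHONE_STATE"}),
]


def declared_permissions(manifest_xml: str) -> set[str]:
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)
    return names


def sms_receivers(manifest_xml: str) -> list[str]:
    """Broadcast receivers registered for SMS_RECEIVED: with RECEIVE_SMS this
    is the hook that lets the app read a 2FA code the moment it arrives."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if SMS_RECEIVED in actions:
            hits.append(receiver.get(ANDROID_NS + "name"))
    return hits


def analyze_manifest(manifest_xml: str) -> dict:
    perms = declared_permissions(manifest_xml)
    return {
        "permissions": sorted(perms),
        "findings": [label for label, needed in RULES if needed <= perms],
        "sms_receivers": sms_receivers(manifest_xml),
    }


# Constructed sample manifest for the demo (not from a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ir.example.notice">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Sana">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_manifest(SAMPLE_MANIFEST), indent=2))
```

A high-priority `SMS_RECEIVED` receiver together with `RECEIVE_SMS` is the concrete mechanism behind the "gains access to their 2FA authentication SMS" observation above, and `SEND_SMS` plus `READ_CONTACTS` is what turns each infected phone into a relay for the next wave of messages.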


Cohen explained, "This allows the actors to distribute phishing messages from the phone numbers of typical users instead of from a centralized place and not be limited to a small set of phone numbers that could be easily blocked. This means that technically, there are no 'malicious' numbers that can be blocked by the telecommunication companies or traced back to the attacker." 

To make matters worse, the attackers behind the operation were discovered to have inadequate operational security (OPSEC), enabling any third party to openly access the phone numbers, contacts, SMS messages, and list of any online bots stored on their servers. 

"Stealing 2FA dynamic codes allows the actors to slowly but steadily withdraw significant amounts of money from the victims' accounts, even in cases when due to the bank limitations each distinct operation might garner only tens of dollars." 

"Together with the easy adoption of the 'botnet as a service' business model, it should come as no surprise that the number of such applications for Android and the number of people selling them is growing," he added.

Huawei's App Gallery Hosted Malicious Apps Installed by 9M+ Android Users

Around 9.3 million Android devices have been infected by a trojan that masqueraded as dozens of arcade, shooter, and strategy games on Huawei's AppGallery marketplace in order to collect device information and victims' phone numbers.

Researchers from Doctor Web discovered the campaign and classified the trojan as "Android.Cynos.7.origin," a modified variant of the Cynos malware. Of the 190 rogue games found, some were aimed at Russian-speaking players, others at Chinese or worldwide audiences.

Once installed, the applications asked victims for permission to make and manage phone calls, then used it to read and capture their phone numbers along with other device data, including geolocation, mobile network parameters, and system metadata.

All of these games are aimed primarily at children, who are easy targets for granting every permission requested. Huawei has since removed all of the malicious games from its AppGallery store. Users with a Huawei smartphone who are unsure whether they are affected can check for the following titles, among others:
  • “[Команда должна убить боеголовку]” with more than 8000 installs. 
  • “Cat game room” with more than 427000 installs. 
  • “Drive school simulator” with more than 142000 installs. 
  • “[快点躲起来]” with more than 2000000 installs 
Doctor Web's malware analysts notified Huawei about the harmful apps before publication. The researchers stated, "At first glance, a mobile phone number leak may seem like an insignificant problem. Yet in reality, it can seriously harm users, especially given the fact that children are the games' main target audience."

"Even if the mobile phone number is registered to an adult, downloading a child's game may highly likely indicate that the child is the one who actually uses the mobile phone. It is very doubtful that parents would want the above data about the phone to be transferred not only to unknown foreign servers, but to anyone else in general."