
Google Strengthens Android Security With a New Set of Dev Policy Updates

 

Google has announced several important policy changes for Android app developers that will improve security for users, Google Play, and the apps available through the service.
These new developer requirements will take effect from May 11th through November 1st, 2022, allowing developers plenty of time to adjust. The following are the most important policy changes related to cybersecurity and fraud that will be implemented:
  • New API level target requirements.
  • Banning of loan apps whose Annual Percentage Rate (APR) is 36% or higher.
  • Prohibiting the abuse of the Accessibility API.
  • New policy changes for the permission to install packages from external sources.

Starting November 1, 2022, all newly released/published apps must target an Android API level released within one year of the most recent major Android version release. Developers who do not comply with this criterion will have their apps banned from the Play Store, Android's official app store.

Existing apps that do not target an API level within two years of the most recent major Android version will be removed from the Play Store and become undiscoverable. This change is intended to compel app developers to follow the stricter API requirements that underpin newer Android releases, such as better permission management and revocation, notification anti-hijacking, data privacy enhancements, phishing detection, splash screen limits, and other features.

According to Google's blog article on the new policy: "users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer." 

App developers who require extra time to migrate to more recent API levels can request a six-month extension, although this is not guaranteed. Many outdated apps will be forced to adopt more secure practices as a result of this policy change.

Accessibility API abuse

The Accessibility API for Android enables developers to design apps that are accessible to people with disabilities, enabling the creation of new ways to operate the device using its applications. However, malware frequently exploits this capability to perform actions on an Android smartphone without the user's permission or knowledge. Google's new policies further restrict how the API can be used. Apps may not use it to:
  • Change user settings without their permission or prevent the ability for users to disable or uninstall any app or service unless authorized by a parent or guardian through a parental control app or by authorized administrators through enterprise management software;
  • Work around Android built-in privacy controls and notifications; or
  • Change or leverage the user interface deceptively or in a way that otherwise violates Google Play Developer Policies.

Google has also released a policy change that tightens the "REQUEST_INSTALL_PACKAGES" permission. To have their submissions accepted on the Play Store, many malicious software publishers hide package-fetching technology that downloads malicious modules after installation. Users interpret these activities as a "request to update" or "download new content," and they either authorise the action when presented with the corresponding prompt or don't notice because it occurs in the background.

Google aims to close this loophole by imposing new permission requirements, bringing scrutiny to an area that was previously unregulated. Apps that use this permission must now fetch only digitally signed packages, and self-updates, code modifications, or bundling of APKs in the asset file will still require the user's authorization. For all apps using API level 25 (Android 7.1) or higher, the new REQUEST_INSTALL_PACKAGES policies will enter into force on July 11th, 2022.
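A pre-submission check for the three technical policy areas described above, as an added example that is not part of the original article or any Google tooling. It assumes a decoded (text) merged AndroidManifest.xml from your own build; the sample manifest, package and class names are constructed, and the required target API level is passed in by the caller because the article states the rule but not a number.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded AndroidManifest.xml carry the android: namespace.
A = "{http://schemas.android.com/apk/res/android}"

INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
INSTALL_POLICY_MIN_TARGET = 25  # from the article: API level 25 (Android 7.1) or higher

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".TapHelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def audit_manifest(manifest_xml, required_target_api):
    """Return (code, detail) findings for one decoded manifest.

    required_target_api is an assumption supplied by the caller: the level
    your release must target under the "within one year" rule.
    Intended for manifests from your own builds, not for untrusted XML.
    """
    root = ET.fromstring(manifest_xml.strip())
    findings = []

    # 1. Target API level requirement.
    target = None
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:
        raw = uses_sdk.get(A + "targetSdkVersion")
        if raw is not None and raw.isdigit():
            target = int(raw)
    if target is None:
        findings.append(("TARGET_API_UNKNOWN",
                         "no numeric targetSdkVersion in <uses-sdk>"))
    elif target < required_target_api:
        findings.append(("TARGET_API_TOO_OLD",
                         f"targets API {target}, required {required_target_api}"))

    # 2. Permission to install packages from external sources.
    permissions = {p.get(A + "name") for p in root.iter("uses-permission")}
    in_scope = target is None or target >= INSTALL_POLICY_MIN_TARGET
    if INSTALL_PERMISSION in permissions and in_scope:
        findings.append(("INSTALL_PACKAGES_DECLARED",
                         "confirm fetched packages are signed and user-approved"))

    # 3. Accessibility services: each one needs a policy review of its purpose.
    for service in root.iter("service"):
        actions = {a.get(A + "name") for a in service.iter("action")}
        bound = service.get(A + "permission") == A11Y_BIND_PERMISSION
        if bound or A11Y_ACTION in actions:
            findings.append(("ACCESSIBILITY_SERVICE",
                             service.get(A + "name") or "<unnamed>"))
    return findings


if __name__ == "__main__":
    # 31 is an illustrative value chosen for the demo, not taken from the article.
    for code, detail in audit_manifest(SAMPLE_MANIFEST, required_target_api=31):
        print(f"{code}: {detail}")
```
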

Attackers Exploit WonderHero NFT Gaming Platform

 

WonderHero, a mainstream multi-platform GameFi for iOS and Android devices, has deactivated its services after attackers stole nearly $320,000 worth of Binance Coin (BNB). The WND token’s value plummeted by 50% after the information surfaced online.

WonderHero is one of the many popular games where players earn cryptocurrency and NFT revenue via gameplay. The platform currently has around 11,000 active users. Last week, PeckShield, a top-tier cybersecurity firm, notified WonderHero that its platform had been breached. To mitigate further damage, the play-to-earn cryptocurrency platform quickly disabled the game and its website before telling users it was aware of the price drop in WonderHero’s coin.

In an official statement, WonderHero confirmed that “there was an attack on our blockchain bridging system and the attackers managed to get the signature and minted 80 million WND (the in-game cryptocurrency).” 

The company explained that attackers targeted their “cross-chain bridging withdrawal.” A cross-chain bridge permits users to transfer tokens, assets, smart contract instructions, and data between blockchains. In recent months, the cross-chain bridge has become a ripe target for hackers, and exploits in it have led to millions of dollars in losses.

In its announcement, the company promised it would work to address the breach on their cross-chain bridge before auditing the entire system and creating a new smart contract, and “fairly” compensating all of its followers with new tokens based on the amount of WND they owned before the hack. 

“Users can be assured that their HON, WND, NFT, and accounts on Polygon are safe. WonderHero website, marketplace, game, and other services will be temporarily disabled as the team works on the rectification,” the company said. “A snapshot of users’ assets on the BNB Chain prior to the attack will be taken. WonderHero is committed to not just making the game fun but also keeping the assets of our players safe and we will spare no effort in doing so. The team will conduct checks and leave no stones unturned.”

The incident took place just weeks after another play-to-earn cryptocurrency game, Axie Infinity, was hit by an attack that saw attackers steal more than $600 million worth of crypto. In that case, Sky Mavis, the company behind the game, was able to raise 150 million dollars to pay the victims of the hack.

 Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites

 

Parrot is a novel traffic direction system (TDS) for online traffic redirection that runs on a few servers hosting over 16,500 sites from government agencies, universities, adult platforms, and personal blogs. The service has apparently also been used in various cyber-attacks that divert victims to phishing pages or to sites that install malware on their systems. Reportedly, the redirection depends on individual user characteristics such as location, language, operating system, and browser.

Threat actors running malicious campaigns purchase TDS services to filter incoming traffic and route it to a final destination that serves harmful material. Advertisers and marketers also use TDS legitimately. Most TDS services are used regularly by professionals in the marketing industry, which is why there are credible reports demonstrating how similar campaigns were executed in the recent past.

Security analysts at Avast identified Parrot TDS and reported that it is presently being used for a campaign called FakeUpdate, which distributes remote access trojans (RATs) via phony browser update alerts. The effort appears to have begun in February 2022; however, there have been traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

The operators have been known to accomplish this by redirecting the victim to special URLs with extensive network profiles and meticulously built software. While the TDS may be primarily focused on the RAT initiative, security experts believe some of the impacted servers also serve as hosts for various phishing sites.

Those landing sites look just like a genuine Microsoft login page, prompting visitors to input their login credentials. The best strategy for web users to deal with malicious redirections is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps:

  •  Use an antivirus to scan all files on the webserver. 
  •  Replace all original JavaScript and PHP files on the webserver. 
  •  Use the most recent CMS and plugin versions. 
  •  Look for cron jobs or other automatically executing processes on the webserver. 
  •  Always use unique and strong credentials for all services and accounts, and utilize two-factor authentication whenever possible. 
  • Use some of the security plugins for WordPress and Joomla which are available.
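One way to support the file-replacement and cron-job steps in the list above, as an added example that is not from Avast or the original article. It assumes you hold a clean copy of the site's original release to build a SHA-256 baseline from; the directory layout, file names, crontab lines and the `/var/www/html` path are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".js", ".php"}  # the file types the advice singles out

# Constructed sample of a system crontab; not taken from a real incident.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * www-data php /var/www/html/assets/cache.php
"""


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each JS/PHP file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    }


def compare_to_baseline(web_root, baseline):
    """Report scripts that differ from, are absent from, or are missing vs the baseline."""
    current = build_baseline(web_root)
    return {
        "modified": sorted(f for f in current
                           if f in baseline and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }


def cron_entries_for_review(crontab_text, web_root):
    """Return active cron lines whose command references the web root."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and str(web_root) in entry:
            hits.append(entry)
    return hits


def demo():
    """Build a clean tree, tamper with a deployed copy, and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "original"
        deployed = Path(tmp) / "deployed"
        (original / "assets").mkdir(parents=True)
        (original / "index.php").write_text("<?php echo 'home'; ?>\n")
        (original / "assets" / "site.js").write_text("console.log('menu');\n")
        (original / "assets" / "logo.png").write_bytes(b"\x89PNG")  # not a script
        baseline = build_baseline(original)

        shutil.copytree(original, deployed)
        # Constructed tampering: one script altered, one unexpected script added.
        with open(deployed / "assets" / "site.js", "a") as fh:
            fh.write("/* appended line (constructed) */\n")
        (deployed / "assets" / "cache.php").write_text("<?php /* constructed */ ?>\n")

        report = compare_to_baseline(deployed, baseline)
    cron_hits = cron_entries_for_review(SAMPLE_CRONTAB, "/var/www/html")
    return report, cron_hits


if __name__ == "__main__":
    file_report, cron_report = demo()
    print(file_report)
    print(cron_report)
```

Files reported as modified or added are candidates for replacement from the clean copy, and the listed cron entries are for manual review rather than proof of compromise.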

YouTube Scammers Steal $1.7M in Fake Crypto Giveaway

 

According to Group-IB, a group of online scammers made approximately $1.7 million by promising cryptocurrency giveaways on YouTube. 

The group allegedly aired 36 YouTube videos between February 16 and 18, gaining at least 165,000 views, according to the Singapore-based security company. To give validity to their efforts, they included footage of tech entrepreneurs and crypto enthusiasts like Elon Musk, Brad Garlinghouse, Michael Saylor, Changpeng Zhao, and Cathie Wood. 

According to Group-IB, the channels were either hacked or bought on the black market. They included links to at least 29 websites with instructions on how to double cryptocurrency investments in the streams they built. 

'Investors' were encouraged to send a tiny sum of virtual currency and promised that they would be paid back twice that amount. Some victims were prompted to enter seed phrases to 'link' their wallets, depending on the cryptocurrency and wallet type utilised. 

As a result, the fraudsters were able to take control of the victims' wallets and withdraw all of their funds. The scammers received 281 transactions totalling nearly $1.7 million into their crypto wallets in just three days. The precise number of victims and the overall amount stolen, however, are unknown.

Group-IB stated, “The fake crypto giveaway scheme is not new, but apparently is still having a moment. Further analysis of the scammers’ domain infrastructure revealed that the 29 websites were part of a massive network of 583 interconnected resources all set up in the first quarter of 2022. Notably, there were three times as many domains registered for this scheme in less than three months of 2022 compared to the whole of last year.” 

Crypto enthusiasts should be wary of freebies and avoid sharing personal information online, according to Group-IB. Users were also encouraged to double-check the authenticity of any promos and use a password manager to store any seed phrases.

The Wizard of Deception: Jupyter Infostealer

 

Researchers recently discovered a new variant of SolarMarker, a malware family that is mostly distributed through SEO manipulation to trick people into downloading malicious documents. SolarMarker uses defense evasion to extract auto-fill data, saved passwords, and stored credit card information from victims' web browsers. It offers extra features that are unusual for infostealers, such as file transfer and command execution from a C2 server.

Jupyter packaged itself with legitimate executables when it was first detected towards the end of 2020. When it was run, it revealed a PowerShell script that had been obfuscated. The threat group is adding layers of stealth and obfuscation, such as loading the Jupyter Dynamic-Link Library (.DLL) into memory rather than writing the file to disk. Now, it is frequently packaged in massive Windows® installer packages (.MSI) which can reach 100 MB in size.

To further conceal its motives, these packages are still integrated with legitimate software and signed with valid digital certificates. The installer will load and seek to install the bundled genuine application after installation. However, buried deep within the Trojan installer's code is a small, extensively obfuscated, and encrypted PowerShell script which runs in the background. 

Jupyter has masked itself as a variety of programs and installers. The malware's main file extension has been changed to .MSI, and it executes its obfuscated PowerShell script via several techniques. Jupyter is usually hosted on phony download websites which pose as real hosts. These websites typically offer a free PDF book. A victim can reach them accidentally or via a link in a spam email.

It is often packaged with freeware software and certified with unrevoked digital certificates, making the installation appear more authentic. When the Windows installer package is loaded, it will present an installer pop-up for the targeted legitimate application, while loading data and running in the background. 

Jupyter has deployed itself in a variety of ways in the past campaign. The malware usually has two primary files: 
  • An executable and a Windows PowerShell script that contains the harmful code.
  • Some Jupyter variants have also dumped a temporary file (.TMP) into the victim’s %AppData%\Roaming\Temp\ directory, to construct the normal content of Jupyter's main malicious PowerShell script. 

The malware uses PowerShell to conceal and execute its harmful code without ever writing itself to disk on the victim's PC. It avoids writing to disk by loading Jupyter's DLL into memory reflectively. DLLs are usually injected into a process from a file written to disk.

Reflective DLL injection is a technique for injecting code into a victim process directly from memory rather than from disk. Because the fully un-obfuscated malware does not live on disk, it necessitates the creation of a persistence mechanism, such as registry keys that reload the malware when the victim machine boots up. As a result, the Jupyter DLL is difficult to both identify and use.

Jupyter's basic PowerShell may be broken down into six different phases or components. Each phase aids in the achievement of a given objective, function, or capability. Though many Jupyter samples follow the same procedures, differences in Jupyter's PowerShell code exist, and certain samples have been observed to work in slightly different ways to achieve the same goals.

One can make a modest tweak to the attacker's PowerShell script to save the assembly to disk instead of loading it into memory. This also helps in understanding how this version of SolarMarker operates. In the decompiled code, the names of the classes and functions are not meaningful; they appear to be obfuscated.

The SolarMarker backdoor is a .NET C2 client which uses an encrypted channel to interact with the C2 server. HTTP is used for communication, with POST requests being the most common. The data is secured with RSA encryption and symmetric encryption using the Advanced Encryption Standard (AES). The client carries out internal reconnaissance, gathering basic information about the victim's system and exfiltrating it through an existing C2 channel. The infostealer module has a structure that is nearly identical to the backdoor module we discussed earlier, but it has more features.

By reading files relevant to the target browser, the SolarMarker infostealer module obtains login data, cookies, and web data (auto-fill) from web browsers. To decrypt the credentials, SolarMarker uses the API method CryptUnprotectData (DPAPI). 

In recent years, the security industry has recognized the usefulness of behavior-based detectors in reducing the dwell time of threats inside a network.

Australian Consumer Watchdog Reports Massive Surge of Crypto Use in Investment Scams

 

Australians’ losses from investment frauds surged 90% to AU$103 million from the start of the year to March 20, with the Australian Competition and Consumer Commission (ACCC) confirming payments to fraudsters are most often carried out in cryptocurrency. 

Consumer and Fair Trade Executive Managing Director Rami Greiss said that while the increase in the use of crypto follows its growing popularity, it has facets that lend themselves to being exploited by fraudsters. “It’s also the fact that it’s an unregulated product, so there are no controls. There are no institutions that can be roped in to assist. So really, it’s the fact that it’s the wild west,” Greiss explained.

"In relation to scamwatch, we see a number of scams relating to investment schemes, and we are now seeing that the payments in relation to those are now more often by way of cryptocurrency than by way of bank transfer," Gina Cass-Gottlieb, the new president of the ACCC stated. 

According to the ACCC, it has received 66 reports of money recovery frauds this year on its website Scamwatch, which is a 725 percent increase compared to the same period in 2021. The commission also disclosed that fraudsters target previous scam victims by contacting them and then posing as someone representing a trusted firm such as a law firm, fraud task force, or government agency.

Subsequently, the fraudsters ask victims to fill out fake paperwork or provide identity documents and seek upfront payments. They may request remote access to computers or smartphones, enabling them to scam their unsuspecting victims. Earlier this year, the Australian government announced it would design a crypto badge of approval to licence intermediaries such as exchanges.

Last week, Australia’s Financial Services Minister Jane Hume stated that the license will include a "fit and proper person" test, and could include anti-hawking measures to prevent cold calling. Hume also explicitly ruled out a ban. 

“Crypto values will go up and down sure as eggs, and the government will not be protecting consumers from market volatility—and nor should they,” she said. “But Australian investors will be sure that if they use a licensed Australian exchange, they can trust the exchange will deliver on its commitments to customers and have appropriate protections.”

Octo: A New Malware Strain that Targets Banking Institutions

 

Last year, an Android banking malware strain was found in the wild. A few organizations called it "Coper" and treated it as a new family; however, ThreatFabric intelligence suggested it is a direct descendant of the infamous malware family Exobot. First found in 2016, Exobot targeted financial institutions until 2018, with campaigns focused on France, Turkey, Thailand, Germany, Japan, and Australia. Afterwards, a "lite" variant surfaced, named ExobotCompact by its developer, known as "Android" on the dark web.

Analysts from ThreatFabric established a direct connection between ExobotCompact and the newer malware strain, named "ExobotCompact.B." The latest malware strain, named ExobotCompact.D, surfaced in November 2021. "We would like to point out that these set of actions that the Trojan is able to perform on victim’s behalf is sufficient to implement (with certain updates made to the source code of the Trojan) an Automated Transfer System (ATS)," says the ThreatFabric report. The recent actions by this malware family involve distribution via various malicious apps on the Google Play Store.

The apps were installed more than 50k times, targeting financial organizations around the world, including broad and generic campaigns with a high number of targets, along with focused and narrow campaigns across Europe. Earlier this year, experts noticed a post on a dark web forum in which a user was looking for an Octo Android botnet. Later, a direct connection was found between ExobotCompact and Octo. ExobotCompact was updated with various features and rebranded as Octo, gaining remote access capability and thereby letting the malicious actors behind the Trojan perform on-device fraud (ODF).

ODF is the riskiest, most dangerous fraud threat. Here, transactions begin from the same device that a target uses on a daily basis. Anti-fraud programmes struggle to detect the fraudulent activity because it produces fewer malicious indicators than other types of fraud carried out through different channels. ThreatFabric reports, "to establish remote access to the infected device, ExobotCompact.D relies on built-in services that are part of Android OS: MediaProjection for screen streaming and AccessibilityService to perform actions remotely."

Android Apps With 45 Million Installs Used For Data Harvesting SDK

 

Recently, mobile malware researchers warned about a set of applications available on the Google Play Store that are stealing users' private data; together the apps have over 45 million installs.

The apps collect users' data through a third-party SDK that can capture clipboard content (which may hold very sensitive data, such as crypto wallet recovery seeds, passwords, or credit card numbers), email addresses, GPS data, phone numbers, and even the user’s modem router MAC address and network SSID. This sensitive data could lead to significant privacy risks, the researchers said.

The most downloaded applications found using this SDK to send users' sensitive data are listed below:

• Al-Moazin Lite – 10 million installations (phone number, IMEI, router SSID, router MAC address) 
• Speed Camera Radar – 10 million installations (phone number, IMEI, router SSID, router MAC address) 
• WiFi Mouse – 10 million installations (router MAC address) 
• Qibla Compass Ramadan 2022 – 5 million installations (GPS data, router SSID, router MAC address)
• QR & Barcode Scanner – 5 million installations (phone number, email address, IMEI, GPS data, router SSID, router MAC address)
• Handcent Next SMS-Text w/MSS – 1 million installations (email address, IMEI, router SSID, router MAC address) 
• Smart Kit 360 – 1 million installations (email address, IMEI, router SSID, router MAC address) 
• Simple weather & clock widget – 1 million installations (phone number, IMEI, router SSID, router MAC address) 
• Al Quran mp3 – 50 Reciters & Translation Audio – 1 million installations (GPS data, router SSID, router MAC address) 
• Audiosdroid Audio Studio DAW – 1 million installations (phone number, IMEI, GPS data, router SSID, router MAC address) 
• Full Quran MP3 – 50+ Languages & Translation Audio – 1 million installations (GPS data, router SSID, router MAC address) 

In the wake of the security incident, Google removed many applications from the Google Play store after discovering that they contained data harvesting software. Several Muslim prayer apps, a highway-speed-trap detection app, and a QR-code reading app were installed more than 45 million times, as per the researchers.

This Ransomware Sent North Carolina A&T University Rushing to Restore Services

 

Last month, North Carolina A&T State University, the country's largest historically black college, was hit by the ALPHV ransomware group, which forced university staff to rush to restore services. 

Melanie McLellan, an industrial system engineering student, told the school newspaper, The A&T Register, “It’s affecting a lot of my classes, especially since I do take a couple of coding classes, my classes have been cancelled. They have been remote, I still haven’t been able to do my assignments.”

According to the paper, the breach happened during the week of March 7th, when students and professors were on spring break. Wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management, and Chrome River were among the systems taken down by the attack, and many of them remained down when the student paper reported its story two weeks ago. 

The report came a day after North Carolina A&T appeared on a darknet site that ALPHV uses to name and shame victims in an attempt to persuade them to pay a hefty ransom. ALPHV, also known as Black Cat, is a newcomer to the ransomware-as-a-service sector, in which a core group of developers collaborates with affiliates to infect victims and split any proceeds. 

ALPHV has been characterised by some of its members as a successor to the BlackMatter and REvil ransomware gangs, and experts from security firm Kaspersky released evidence on Thursday that supported that claim. ALPHV/Black Cat is using an exfiltration technique that was previously only used by BlackMatter, according to Kaspersky, which represents a fresh data point connecting BlackCat with past BlackMatter activities. Earlier, BlackMatter collected data via the Fendr tool before encrypting it on the victim's server.

Kaspersky researchers wrote, “In the past, BlackMatter prioritized collection of sensitive information with Fendr to successfully support their double coercion scheme, just as BlackCat is now doing, and it demonstrates a practical but brazen example of malware re-use to execute their multi-layered blackmail. The modification of this reused tool demonstrates a more sophisticated planning and development regimen for adapting requirements to target environments, characteristic of a more effective and experienced criminal program.” 

The ALPHV ransomware is uncommon, according to Kaspersky, because it is coded in the Rust programming language. Another peculiarity is that each ransomware executable is written individually for the targeted enterprise, frequently just hours before the infiltration, using previously gathered login credentials hardcoded into the binary. 

Kaspersky researchers discovered two ALPHV breaches, one on a cloud hosting provider in the Middle East and the other against an oil, gas, mining, and construction corporation in South America, according to a blog post published on Thursday. The use of Fendr was discovered by Kaspersky following the second event. ALPHV has also been blamed for breaches at two German energy providers and the luxury fashion label Moncler.

A&T is the seventh US university or college to be hit by the ransomware so far this year, according to Brett Callow, a security analyst at security firm Emsisoft. Callow also said that at least eight school districts have been hit, disrupting operations at as many as 214 schools.

FFDroider: A New Malware that Hacks Social Media Accounts

 

FFDroider, a new kind of information stealer, has emerged. It steals cookies and credentials from browsers and hijacks the target's social media accounts. Like many other malware strains, FFDroider spreads through software cracks, free software, games/apps, and other files downloaded from torrent sites. When these downloads are installed, FFDroider is installed as well, disguised as the Telegram desktop app to avoid identification. After it is launched, the malware creates a Windows registry key named "FFDroider", which eventually led to the naming of this malware.

FFDroider targets account credentials and cookies stored in browsers like Chrome, Mozilla Firefox, Microsoft Edge, and Internet Explorer. For instance, the malware scans and parses SQLite credential stores and Chromium SQLite cookies, and decrypts these entries by calling the Windows Crypt API, in particular the CryptUnprotectData function. The process is similar for other browsers, with functions such as InternetGetCookieRxW and IEGetProtectedModeCookie abused to steal the cookies in Microsoft Edge and Internet Explorer.

"If the authentication is successful on Facebook, for example, FFDroider fetches all Facebook pages and bookmarks, the number of the victim's friends, and their account billing and payment information from the Facebook Ads manager," reports Bleeping Computer. The decryption and theft of these cookies yields clear-text usernames and passwords, which are later exfiltrated through an HTTP POST request to the C2 server in the malware campaign.

FFDroider isn't like other password-stealing Trojans: its operators do not care about all account credentials present in the browsers. On the contrary, the malware operators focus on stealing credentials from social media accounts and e-commerce websites, including Amazon, Facebook, Instagram, eBay, Etsy, Twitter, and WAX Cloud wallet's portal. Bleeping Computer reports, "after stealing the information and sending everything to the C2, FFDroid focuses on downloading additional modules from its servers at fixed time intervals."

SharkBot Android Trojan Resurfaces On Google Play Store

 

Check Point researchers have unearthed multiple malicious Android apps on the Google Play Store posing as antivirus applications to deploy the SharkBot Android trojan.

The malicious banking trojan was initially spotted in November last year, when it was only being deployed via third-party application stores. Its primary aim was to initiate illegal money transfers via Automatic Transfer Systems (ATS) by auto-filling fields in authentic applications.

Last month, NCC Group reported that multiple SharkBot droppers had infiltrated Google Play, all of which showed similar code and behavior. The first SharkBot dropper discovered in Google Play masqueraded as an antivirus solution. It was identified as a downgraded version of the trojan containing only minimum features, but capable of fetching and installing the full version at a later date.

Apparently, on March 9th, Google removed the four apps in question, and a few days after that, another SharkBot dropper was identified. The app was reported right away, so it recorded no installations. The same happened on March 22 and 27. Those new droppers were removed from Google Play thanks to quick discovery.

According to Check Point researchers, they identified a total of seven droppers in Google Play, published from developer accounts that were active in late 2021 and that had some of their applications removed from the store. However, these malicious apps had already been installed more than 15,000 times before the takedown from the store.

Once installed on an Android device, SharkBot exploits Android's Accessibility Services permissions to present fake overlay windows on top of legitimate banking apps. Thus, when victims enter their usernames and passwords in the windows that mimic benign credential input forms, the stolen data is sent to a malicious server. 

“What is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like bio-metrics, while at the same time it also includes more classic features to steal user’s credentials,” NCC Group stated. 

The malicious Android trojan also employs geofencing features and bypassing techniques, which set it apart from other mobile banking trojans. In particular, it ignores users from China, Romania, Russia, Ukraine, Belarus, and India. The majority of victims reside in Italy and the United Kingdom.