Search This Blog

Showing posts with label Android Malwares. Show all posts

Android Malware Steals 1,000 Euros In Around 5 Seconds Via PayPal

Another malware discovered in November masked as a battery enhancement application—called Android Optimization is as of late been brought into highlight to have been customized in such a way so as to send 1,000 euros to cyberthieves by means of PayPal in around 5 seconds and all this without the user being able to stop it.

The malware is being circulated by third party applications therefore making it unavailable in the official Google Play Store.

The malware is depicted as one to sagaciously exploit Google's Accessibility Services, intended to assist individuals with disabilities, to trick users into giving the hackers some control of the phone.

After the malware approaches the user for authorization to "Enable Statistics "in the wake of being installed this empowers the cybercriminals to take control of the phone remotely when the user opens certain applications, for the most part some being: PayPal, Google Play, WhatsApp, Skype, Viber, Gmail, and some other banking applications.

ESET researchers found that the malware can demonstrate users overlay phishing pages made to look like legitimate banking applications, or other well-known applications, such as, Gmail, WhatsApp, Skype and Viber, approaching the users for credit card certifications.

 “The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time. The attackers fail only if the user has insufficient PayPal balance and no payment card connected to the account. The malicious Accessibility service is activated every time the PayPal app is launched, meaning the attack could take place multiple times.” wrote ESET researcher Lukas Stefanenko in a blog post.

A video by ESET showing how the malware works

Android Devices with Pre-Installed Malware

The Avast threat Labs have recently discovered pre-installed adware  on a few hundred diverse Android gadget models and versions, also incorporating gadgets from makers like ZTE and Archos.
The adware, analyzed has previously been portrayed by Dr. Web and has been given the name "Cosiloon."

The adware has been on the move for no less than three years, and is hard to remove as it is introduced on the firmware level and utilizes solid obfuscation. Thousands of users are said to have been affected , and in the previous month alone it has been observed that the most recent adaptation of the adware on around 18,000 devices having a place with Avast users situated in excess of 100 nations which includes Russia, Italy, Germany, the UK, and as well as a few users in the U.S.

The adware makes an overlay to display an advertisement over a webpage within the users' browser, it can be observed in the screenshots given below:

Google is taking a shot at fixing the malware's application variations on Android smartphones utilizing internally created strategies and techniques. Despite the fact that there is Google Play Protect, the malware comes pre-installed which makes it harder to address. Google is as of now, contacting various firmware engineers and developers to bring awareness to these concerns and energize in making effective steps likewise.

Anyway it is misty in the matter of how the adware got onto the gadgets, and the malware creators continued updating the control server with new payloads. Then again, Producers likewise kept on delivering new gadgets with the pre-installed dropper.

The payload was updated again on April eighth, 2018 and the name in application launcher changed to "Google Download," and some class names in the code changed likely trying to keep away from discovery.Since the malware is a part of the chipset platform bundle which is reused on different brands also and the chipset being referred to happens to be from MediaTek running different Android variants going from 4.2 to 6.0.

Avast says that some anti-virus applications report the payloads, however the dropper will install them back again immediately, and the dropper itself can't be expelled in that way the gadget will always host a strategy permitting an obscure party to install any application they need on it.

A malicious Whatsapp contact file Changes your contacts name to Priyanka

An android user has reportedly received a malicious Whatsapp contact file which is capable of changing your Whatsapp groups name and contacts name to Priyanka.

A Blogger Shivam reported in his blog that he received a contact file from his relative.  After he added to his contacts,  the file managed to replace the group names with "Priyanka".

It is not clear what exactly the malware is doing other than changing the name.  No one is going to spread a malware without any profits or the malware authors might be fan of "Priyanka Chopra" :P.

Infected whatsapp - Image Credits: TheAndroidSoul

The malware requires user to accept the contact.  So, Users are advised not to add it to your contacts.

Anyone who have the sample of this malicious contact file, please mail us if possible.

Android Banking malware spreads via Smishing (SMS phishing)

A new android banking trojan spotted in the wild that replaces the legitimate South-Korean banking android apps spreads via phishing sms attacks, reports McAfee Labs.

South-Korean bank users are being targeted with a fake message that purportedly coming from Financial Services Commission.  The message asks users to install the new anit-malware protection.

Unwitting user who follows the link provided in the sms and installs the app putting himself at risk.  The malware app silently attempts to uninstall the legitimate south-korean banking apps.  However, the malware is able to uninstall the apps only if the device is rooted.

If the device is not rooted, the malware asks users to uninstall the legitimate app and urge them to install another app with the same icon but with suspicious permission request.

The trojan then asks users to enter the banking credentials such as account number, password, Internet banking ID, social security number.  The collected info is later sent to remote server.

"McAfee Mobile Security detects this threat as Android/FakeBankDropper.A and Android/FakeBank.A and alerts mobile users if it is present".

New Android Trojan makes the Two-step authentication feature insecure

Two-Step authentication feature become insecure system when your android device got infected with a new malware which is capable of intercepting your messages and forwarding them to cybercriminals.

The Trojan, discovered by the Russian antivirus company Dr.Web , spreads as a security certificate that tricks users into thinking it must be installed onto their device.

Once installed, the malware does nothing other than displaying a message stating "Certificate installed successfully and your device is protected now."

But in background, the malware collects your phone information including Device's serial number, IMEI, model, carrier , phone number, OS.  Once the data has been gleaned, it attempts to send the info to the remote server.

After successfully sending the info, the malware awaits instructions from its master.  The cybercriminal behind the malware can now send instructions and control the malware to do the following : intercept and forward sms from specified numbers, send ussd message, show message and more.

This malware makes the Two-step authentication feature insecure because it can read the message sent to your mobile. It means the trojan can get the temporary password sent from Bank or any other sites using the 2-step authentication feature.

Android malwares hosted in Google Play by 'apkdeveloper'

android malware
List of malicious apps hosted by apkdeveloper

Once again, Malicious android apps have been found in Google Play.  A developer named "apkdeveloper" hosted a number of android malware in the Google Play.

The malware author used popular app names for his malicious apps by adding "super" at the end of the name . He also posted fake reviews to lure innocent users into downloading the malware .

"Obviously faked from the app either by asking people to give 5 stars to unlock the game (quite a common trick) or the people that made the app have found a way to publish reviews to the play store automatically. Wouldn't surprise me to be honest." One of the Reddit user's comment reads.

According one of the Reddit comment, the fake apps asked permissions for 'approximate location', 'percise location', 'full network access', 'read phone calls', 'mod or delete data on your sd card', 'find accounts', 'control vibration', ladies, 'run at startup', 'test access to protected storage'.

The malware author has been banned from google Play, after a Reddit post drew attention to the malware infested apps.

We are not sure how many users have been affected by this malicious app. Make sure you didn't install one of these malicious app.

New Android malware helps Cybercriminals to launch DDOS attacks

The Russian antivirus firm Doctor Web has discovered a new Android Trojan that helps Cyber criminals to launch Distributed-denial-of-service(DDOS) attacks. It is also capable of sending sms based on the command received from the hacker.

According to the report, the malware "Android.DDoS.1.origin" likely spreads via Social engineering attacks and disguises itself as a legitimate application from Google.

fake google android malware
Fake Google Play icon
After installation, the malware creates an application icon that look like Google Play icon. If a user taps the fake Google play icon, it will still launch the original Google play. But , in background, it starts malicious activity.

Once the malware is launched, it transmits the victim's phone number to cybercriminal and then waits for further SMS instructions.

From now onwards, the Cyber criminal can launch DDOS attack against any server by sending a command message containing the server and port details.  After receiving the instructions, the malware starts to send packets to the specified address.

The malware reduces the performance of the infected device. The victim will get unexpected bills for accessing Internet and SMS.

Searching for Keyword “Windows Android Drivers” leads to Malware website

CyberCriminals often use SEO poisoning techniques to lure unsuspecting internauts to their malicious websites.  In one recent example, Cyber Criminals targeted Android users by poisoning Yahoo! search result.

Security Researchers at GFI Labs have found that searching for "Windows Android Drivers" points to a malicious website [bestdrivers(dash)11(dot)ru] .

Visiting the Russian site in question automatically downloads a file called "install.exe"- a Trojan file.

Once the file is being executed, the malware modifies the home page of Internet Explorer to malicious domain.

In case victim visit the same Russian site from their android devices, the are redirected to various malicious websites which contain the "android" keyword in the domain name. These sites direct users to fake Google play sites.

Few months back, I discovered that Google Image search result being poisoned and directs me to an infected website. 

"Safe Virus Scan" android app steals contact details

fake android antivirus

A new android malware masquerade as Antivirus app and steals your contact details, warns Symantec researchers. The app spreads via Spam emails.

The app perform fake scans of your Android devices. But, in background, it collects your contact data and uploads to an external site. The app is actually quite convincing and it is difficult to identify anything suspicious about it.

The app spreads via Spam emails. A link in the spam mail leads to a site that hosts the fake app.

"This is a popular method used by scammers to steal contact data in Japan. Some of the spam focuses on introducing apps throughout the whole email, while others only make a small note of the app in an otherwise unrelated email." Symantec researcher said.

" Some mention that the sender has changed email addresses so that the recipient does not feel suspicious about the email being sent from an unknown address."

According to the report, the malware is created by the same group who developed the  Android Trojan horse "Enesoluty".

SMSZombie Trojan infects 500,000 Android Users in China and steals money

Researchers from leading mobile security company, TrustGo , have discovered a new android Trojan that infects around 500,000 android users in china.

The virus dubbed as "SMSZombie" takes advantage of a vulnerability in the China Mobile SMS Payment process to generate unauthorized payments, steal bank card numbers and money transfer receipt information. This new virus also includes some self-protection features that make it difficult to eliminate.

According to TrustGo, the malware is being spread through online forums and has been found in several packages on China’s largest mobile app marketplace, GFan. TrustGo has contacted GFan, but so far, the apps are still readily available and continue to be actively downloaded.

The SMSZombie virus has been hidden in a variety of wallpaper apps and attracts users with provocative titles and pictures. When the user sets the app as the device’s wallpaper, the app will request the user to install additional files associated with the virus. If the user agrees, the virus payload is delivered within a file called “Android System Service.”

Once installed, the virus then tries to obtain administrator privileges on the user’s device. This step cannot be canceled by the user, as the “Cancel” button only reloads the dialog box until the user eventually is forced to select “Activate” to stop the dialog box. These privileges disable users’ ability to delete the app, causing the device to return to the home screen even after choosing to uninstall the app.

Researchers  says that this virus has been used to recharge online gaming accounts via the China Mobile SMS Payment system. Commonly, the victim’s account is charged a relatively low amount to escape detection.

To identify whether a device has been infected with this new and dangerous virus, users should download the TrustGo Antivirus and Mobile Security™ app. For complete instructions on how to permanently eliminate all remnants of the virus code, visit:

ZitMo : New mobile version of Zeus Trojan targets Android and Blackberry

Security Researchers at Kaspersky has discovered a new variant of ZeuS-in-the-Mobile (Zitmo) Trojan that targets Android and Blackberry users. Zitmo is not new one, it is almost 2 years old, but the Blackberry platform has never been actively targeted by malware.

Researchers have found 5 new samples of Zitmo malware; Four of them are for Blackberry and one is for Android.

"And here we have 4 different samples of ZeuS-in-the-Mobile for Blackberry at once: 3 .cod files and 1 .jar file (with one more .cod inside). Yes, finally we’ve got a ZitMo dropper file for Blackberry." Researcher said in the malware report.

"As for Android, there is only one .apk dropper. But this ZeuS-in-the-Mobile for Android has been modified and now looks like a ‘classic’ ZitMo with same commands and logic."

So far the Zitmo samples target users from various European countries (Spain, Poland, Germany, etc). This case is no exception. 

Yahoo! app vulnerability could be behind 'Android botnet'

Earlier this month, Microsoft Engineer ,Terry Zink said he discovered spam was being sent from compromised Yahoo accounts from what looked like an international Android spam botnet.

He stated that the messages all come from Yahoo Mail servers. They are all from compromised Yahoo accounts. They are sending all stock spam, the typical pump and dump variety that we’ve seen for years.  Furthermore, they all have the 'Sent from Yahoo! Mail on Android' text at the bottom of their spam.

Google, however, refuted that the spam were sent from an Android botnet, stating that the spammers behind this may have used infected PCs and fake mobile signature in an attempt to bypass email filters.

Security Researchers at Lookout have identified a security hole in the Yahoo! Mail app for Android, which they believed to be responsible for the so-called mobile spam botnet. Today, Trend Micro experts have confirmed the existence of the vulnerability.

They couldn’t precisely say if the vulnerability is in fact responsible for the spam sent out from mobile phones, but the fact that they independently appoint the same weakness as a possible cause makes this scenario even more plausible.

The vulnerability discovered by the researchers allow an attacker to gain access to a user’s Yahoo! Mail cookie.

This bug stems from the communication between Yahoo! mail server and Yahoo! Android mail client. By gaining this cookie, the attacker can use the compromised Yahoo! Mail account to send specially-crafted messages. The said bug also enables an attacker to gain access to user’s inbox and messages.

Boxer SMS Trojan poses as Firefox for Android

Recently, Mozilla has launched Firefox 14 for devices that run an Android OS. Cyber-criminals turned the event to their advantage and started masquerading an SMS Trojan as the Firefox.

Security Researchers at GFI Lab ,spotted an Android application posing as the popular Web browser Firefox and is hosted on several Russian websites. The Android application files (.APK) users can download from them not only vary in file names but also in file sizes.

GFI VIPRE Mobile Security detects the malicious apps as Trojan.AndroidOS.Boxer.d.

The typical Boxer malware appears to be a legitimate app that users can download. Once installed, it loads a Rules page on the phone and asks users to accept it. The app then sends a premium SMS message to any of these numbers: 2855, 3855, 7151, or 8151. The Rules page discloses (in small text) that users will be billed for sending a premium SMS message. Boxer then directs users to the actual website where the legitimate app can be downloaded after claiming that it has successfully activated.

However, this particular variant doesn’t give any details regarding its true purpose. This variant sends the premium SMS message, “5975+3480758+x+a”, to the aforementioned numbers. Lastly, it loads instead of directing users to the actual download site.

Researchers believe that this may be a tactic to make users think that the application is defective. They might download and install the fake software again, allowing Boxer to perform its malicious tasks more than once.

Experts Bypass Google's automated malware scanner (Android Bouncer)

Security researchers Jon Oberheide and Charlie Miller have identified security flaw in the Google’s automated malware detection system(Android Bouncer).

Android Bouncer is an automated application scanning service that analyzes apps by running them on Google’s cloud infrastructure and simulating how they will run on an Android device.

Researchers preparing a presentation for this week’s SummerCon conference and demonstrating how Bouncer can be bypassed to slip malicious apps into the Android Market.

"we’re going to submit an application to the Android Market and get a connect-back shell on the Bouncer instance when it attempts its runtime dynamic analysis of our mobile application. This allows us to explore the Bouncer environment with an interactive remote shell." Research said.

After they upload their “malicious” APK to Google Play, they await the connect-back. Once the callback is received, they are able to run a remote interactive shell on an emulated Android device.

Apparently, this allows them to obtain the Bouncer environment’s kernel version, filesystem contents, and other data.

"So this is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer, and yet still perform malicious activities when run on a real user’s device."

SmsDetective SMS spying app for Android

TrendMicro researchers have come across a spytool which is currently available on Google Play, that is actively being discussed on certain hacker forums.

This tool’s beta version is available on the site since March 11. An estimated 500 – 1000 users have already downloaded the said spytool, which Trend Micro detects as ANDROIDOS_SMSSPY.DT.

This spytool gathers SMS messages from an infected mobile device and sends these to a remote FTP server at regular times set during the app’s installation.

As the app is still in its beta testing, spying on a mobile device using this tool poses certain challenges. First, it should be installed onto the target device without the victim knowing about it.

 Second, potential attackers would need to setup their own FTP servers, which may be difficult for those with less advanced IT knowledge.

Android Malware masquerade as Adobe Flash Player

Trend Micro researchers spotted an android malware that masquerade as Adobe Flash player app, hosted on Russian domains, similar to the fake Instagram and Angry Birds Space apps.

When users opt to download and install the said fake app, the site connects to another URL to download malicious .APK file, which Trend Micro detects as ANDROIDOS_BOXER.A.

ANDROIDOS_BOXER.A is a premium service abuser, which means it sends messages to premium numbers without the user’s permission, thus leading to unwanted charges.

Researchers also found that there are a number of malicious URLs hosted on the same IP. Based on the naming alone used in these URLs, it appears that Android is a favorite target for cybercriminals behind this scheme.