Android apps posing as well-known brands such as Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter) have been observed stealing users' credentials from compromised devices.
In a recent report, the SonicWall Capture Labs threat research team highlighted the malware's use of well-known Android app logos to lure users into installing the malicious application on their devices.
How the campaign is distributed is not yet known. Once installed on a phone, the app asks the user to grant it access to the accessibility service and to the device administrator API, a now-deprecated mechanism that grants system-level administrative capabilities.
Those two grants give the app effective control over the device: an accessibility service can read what is on screen and inject input on the user's behalf, and a device-admin app cannot be uninstalled until its admin status is revoked. From that foothold the app can do anything from stealing data to installing further malware without the victim noticing.
The malware connects to a command-and-control (C2) server and waits for commands. Supported commands include reading the contact list, SMS messages, call logs, and the list of installed apps; sending SMS messages; opening phishing pages in the web browser; and toggling the camera flash.
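The permission and component set just described is visible statically in an app's manifest, which makes it a cheap triage signal before any dynamic analysis. The script below is an added example written for this page, not SonicWall's tooling or any code from the reported samples: it parses a decoded AndroidManifest.xml (the plain-text form produced by `apktool d app.apk`), lists the data permissions, flags an accessibility service and a device-admin receiver, and checks whether the launcher label borrows a well-known brand name while the package name is not one of that brand's own. The brand-to-package map, the verdict thresholds, and both sample manifests are the author's assumptions and constructed inputs; a label given as a resource reference (`@string/app_name`) would first have to be resolved from `res/values/strings.xml`.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability mix
described above: data permissions + accessibility service + device admin,
plus a launcher label that impersonates a known brand.

Added example for this page, not SonicWall's tooling. Brand map, thresholds
and the two sample manifests are assumptions/constructed inputs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """Namespaced key ElementTree uses for android:NAME attributes."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permissions that together give the reach the C2 command set needs.
DATA_PERMS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.SEND_SMS": "SMS sending",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.QUERY_ALL_PACKAGES": "installed app list",
    "android.permission.CAMERA": "camera access",
}

# Brand name -> packages that legitimately ship under it (assumed map).
BRAND_PACKAGES = {
    "whatsapp": {"com.whatsapp", "com.whatsapp.w4b"},
    "instagram": {"com.instagram.android"},
    "snapchat": {"com.snapchat.android"},
    "x": {"com.twitter.android"},
}


def triage_manifest(xml_text):
    """Return {'package', 'verdict' ('low'|'review'|'suspicious'), 'findings'}."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    label = (app.get(attr("label"), "") if app is not None else "").strip().lower()

    findings = []
    requested = {p.get(attr("name")) for p in root.iter("uses-permission")}
    for perm, purpose in DATA_PERMS.items():
        if perm in requested:
            findings.append("requests %s (%s)" % (purpose, perm))

    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # a device-admin receiver is a <receiver> guarded by BIND_DEVICE_ADMIN.
    for svc in root.iter("service"):
        if svc.get(attr("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("declares an accessibility service")
    for rcv in root.iter("receiver"):
        if rcv.get(attr("permission")) == "android.permission.BIND_DEVICE_ADMIN":
            findings.append("declares a device-admin receiver")

    if label in BRAND_PACKAGES and pkg not in BRAND_PACKAGES[label]:
        findings.append("label '%s' impersonates a known brand from package %s" % (label, pkg))

    control = any(f.startswith("declares") for f in findings)
    data = sum(1 for f in findings if f.startswith("requests"))
    impersonates = any(f.startswith("label") for f in findings)
    if control and data >= 2:
        verdict = "suspicious"
    elif control or impersonates or data >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": pkg, "verdict": verdict, "findings": findings}


# Constructed manifests for the example; not recovered from any real sample.
FAKE_WHATSAPP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.update.service">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="WhatsApp">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

PLAIN_NOTES = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (FAKE_WHATSAPP, PLAIN_NOTES):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the constructed fake-WhatsApp manifest the verdict is "suspicious" with eight findings; the plain notes app comes back "low" with none. The check is deliberately a screen, not a classifier: legitimate password managers and assistive apps declare accessibility services, and MDM agents declare device-admin receivers, so anything marked "review" or "suspicious" still needs a look at what the components actually do.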
The phishing pages mimic the login screens of Facebook, GitHub, Instagram, LinkedIn, Microsoft, Netflix, PayPal, Proton Mail, Snapchat, Tumblr, X, WordPress, and Yahoo.
The disclosure comes as Symantec, now part of Broadcom, warned of a social engineering campaign that uses WhatsApp to deliver a new Android malware posing as a defense-related application.
"Subsequent to successful delivery, the application would embed itself masquerading as a Contacts application," Symantec said. "Upon execution, it would request permissions for SMS, Contacts, Storage, and Telephone, subsequently concealing itself from view."
It also follows the discovery of campaigns distributing Android banking trojans such as Coper, which can harvest sensitive data and draw fake window overlays on top of legitimate apps to trick users into entering their credentials.
Finland's National Cyber Security Centre (NCSC-FI) recently reported that smishing messages are being used to direct users to Android malware built to steal banking information.
The attack chain uses telephone-oriented attack delivery (TOAD): the SMS instructs recipients to call a number about a debt collection claim.
Once on the call, the scammer tells the victim that the message was fraudulent and recommends installing an antivirus app to protect the device.
The victim is then told to tap a link in a follow-up text to install the supposed security software, which is in fact malware designed to steal online banking credentials and carry out unauthorized fund transfers. Two details give the scheme away: no bank or authority asks a customer to sideload an app from a texted link, and installing it forces the user to allow installs from unknown sources, a prompt that should itself stop the process.
NCSC-FI did not name the Android malware strain involved, but the pattern closely matches Vultur, which NCC Group described earlier using a near-identical approach to get onto devices.
Other Android malware, such as Tambir and Dwphon, has surfaced in recent months with a range of data-gathering capabilities; Dwphon targets phones from Chinese manufacturers and is aimed mainly at the Russian market.
"Dwphon, being integrated into the system update application, showcases traits akin to pre-installed Android malware," Kaspersky said.
The exact infection path is unclear, but the infected application is suspected to have been added to the device firmware through a supply chain attack.
Telemetry analyzed by the Russian cybersecurity company shows a 32% year-over-year rise in Android users hit by banking malware, from 57,219 to 75,521. Most of these infections were recorded in Turkey, Saudi Arabia, Spain, Switzerland, and India.
"While PC banking malware encounters continue to dwindle, [...] the year 2023 witnessed a noteworthy upsurge in users encountering mobile banking Trojans," Kaspersky said.