Apr 10, 2024NewsroomMobile Security / Spyware

An active Android malware campaign dubbed eXotic Visit has been primarily targeting users in South Asia, particularly those in India and Pakistan, with malware distributed via dedicated websites and Google Play Store.

Slovak cybersecurity firm said the activity, ongoing since November 2021, is not linked to any known threat actor or group. It’s tracking the group behind the operation under the name Virtual Invaders.

“Downloaded apps provide legitimate functionality, but also include code from the open-source Android XploitSPY RAT,” ESET security researcher Lukáš Štefanko said in a technical report released today.

The campaign is said to be highly targeted in nature, with the apps available on Google Play having negligible number of installs ranging from zero to 45. The apps have since been taken down.

The fake-but-functional apps primarily masquerade as messaging services like Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. Approximately 380 victims are said to have downloaded the apps and created accounts to use them for messaging purposes.

Also employed as part of eXotic Visit are apps such as Sim Info and Telco DB, both of which claim to provide details about SIM owners simply by entering a Pakistan-based phone number. Other applications pass off as a food ordering service in Pakistan as well as a legitimate Indian hospital called Specialist Hospital (now rebranded as Trilife Hospital).

XploitSPY, uploaded to GitHub as early as April 2020 by a user named RaoMK, is associated with an Indian cyber security solutions company called XploitWizer. It has also been described as a fork of another open-source Android trojan called L3MON, which, in turn, draws inspiration from AhMyth.

It comes with a wide gamut of features that allows it to gather sensitive data from infected devices, such as GPS locations, microphone recordings, contacts, SMS messages, call logs, and clipboard content; extract notification details from apps like WhatsApp, Facebook, Instagram, and Gmail; download and upload files; view installed apps; and queue commands.

On top of that, the malicious apps are designed to take pictures and enumerate files in several directories related to screenshots, WhatApp, WhatsApp Business, Telegram, and an unofficial WhatsApp mod known as GBWhatsApp.

“Throughout the years, these threat actors have customized their malicious code by adding obfuscation, emulator detection, hiding of [command-and-control] addresses, and use of a native library,” Štefanko said.

The main purpose of the native library (“defcome-lib.so”) is to keep the C2 server information encoded and hidden from static analysis tools. If an emulator is detected, the app makes use of a fake C2 server to evade detection.

Some of the apps have been propagated through websites specifically created for this purpose (“chitchat.ngrok[.]io”) that provide a link to an Android package file (“ChitChat.apk”) hosted on GitHub. It’s presently not clear how victims are directed to these apps.

“Distribution started on dedicated websites and then even moved to the official Google Play store,” Štefanko concluded. “The purpose of the campaign is espionage and probably is targeting victims in Pakistan and India.”

Apr 03, 2024NewsroomMobile Security / Zero Day

Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.

The high-severity zero-day vulnerabilities are as follows –

• CVE-2024-29745 – An information disclosure flaw in the bootloader component
• CVE-2024-29748 – A privilege escalation flaw in the firmware component

“There are indications that the [vulnerabilities] may be under limited, targeted exploitation,” Google said in an advisory published April 2, 2024.

While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they “are being actively exploited in the wild by forensic companies.”

“CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking,” they said in a series of posts on X (formerly Twitter).

“Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.”

GrapheneOS noted that CVE-2024-29748 could be weaponized by local attackers to interrupt a factory reset triggered via the device admin API.

The disclosure comes more than two months after the GrapheneOS team revealed that forensic companies are exploiting firmware vulnerabilities that impact Google Pixel and Samsung Galaxy phones to steal data and spy on users when the device is not at rest.

It also urged Google to introduce an auto-reboot feature to make exploitation of firmware flaws more difficult.

Apr 01, 2024NewsroomBotnet / Mobile Security

Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store.

The findings come from HUMAN’s Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that transformed the user’s device into a proxy node without their knowledge.

The operation has been codenamed PROXYLIB by the company. The 29 apps in question have since been removed by Google.

Residential proxies are a network of proxy servers sourced from real IP addresses provided by internet service providers (ISPs), helping users hide their actual IP addresses by routing their internet traffic through an intermediary server.

The anonymity benefits aside, they are ripe for abuse by threat actors to not only obfuscate their origins, but also to conduct a wide range of attacks.

“When a threat actor uses a residential proxy, the traffic from these attacks appears to be coming from different residential IP addresses instead of an IP of a data center or other parts of a threat actor’s infrastructure,” security researchers said. “Many threat actors purchase access to these networks to facilitate their operations.”

Some of these networks can be created by malware operators tricking unsuspecting users into installing bogus apps that essentially corral the devices into a botnet that’s then monetized for profit by selling the access to other customers.

The Android VPN apps discovered by HUMAN are designed to establish contact with a remote server, enroll the infected device to the network, and process any request from the proxy network.

Another notable aspect of these apps is that a subset of them identified between May and October 2023 incorporate a software development kit (SDK) from LumiApps, which contains the proxyware functionality. In both cases, the malicious capability is pulled off using a native Golang library.

LumiApps also offers a service that essentially permits users to upload any APK file of their choice, including legitimate applications, and bundle the SDK to it without having to create a user account, which can then be re-downloaded and shared with others.

“LumiApps helps companies gather information that is publicly available on the internet,” the Israeli company says on its website. “It uses the user’s IP address to load several web pages in the background from well-known websites.”

“This is done in a way that never interrupts the user and fully complies with GDPR/CCPA. The web pages are then sent to companies, who use them to improve their databases, offering better products, services, and pricing.”

These modified apps – called mods – are then distributed in and out of the Google Play Store. LumiApps promotes itself and the SDK as an alternative app monetization method to rendering ads.

There is evidence indicating that the threat actor behind PROXYLIB is selling access to the proxy network created by the infected devices through LumiApps and Asocks, a company that advertises itself as a seller of residential proxies.

What’s more, in an effort to bake the SDK into as many apps as possible and expand the size of the botnet, LumiApps offers cash rewards to developers based on the amount of traffic that gets routed through user devices that have installed their apps. The SDK service is also advertised on social media and black hat forums.

Recent research published by Orange Cyberdefense and Sekoia characterized residential proxies as part of a “fragmented yet interconnected ecosystem,” in which proxyware services are advertised in various ways ranging from voluntary contributions to dedicated shops and reselling channels.

“[In the case of SDKs], the proxyware is often embedded in a product or service,” the companies noted. Users may not notice that proxyware will be installed when accepting the terms of use of the main application it is embedded with. This lack of transparency leads to users sharing their Internet connection without a clear understanding.”

The development comes as the Lumen Black Lotus Labs disclosed that end-of-life (EoL) small home/small office (SOHO) routers and IoT devices are being compromised by a botnet known as TheMoon to power a criminal proxy service called Faceless.

The Android banking trojan known as Vultur has resurfaced with a suite of new features and improved anti-analysis and detection evasion techniques, enabling its operators to remotely interact with a mobile device and harvest sensitive data.

“Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions,” NCC Group researcher Joshua Kamp said in a report published last week.

Vultur was first disclosed in early 2021, with the malware capable of leveraging Android’s accessibility services APIs to execute its malicious actions.

The malware has been observed to be distributed via trojanized dropper apps on the Google Play Store, masquerading as authenticator and productivity apps to trick unwitting users into installing them. These dropper apps are offered as part of a dropper-as-a-service (DaaS) operation called Brunhilda.

Other attack chains, as observed by NCC Group, involve the droppers being spread using a combination of SMS messages and phone calls – a technique called telephone-oriented attack delivery (TOAD) – to ultimately serve an updated version of the malware.

“The first SMS message guides the victim to a phone call,” Kamp said. When the victim calls the number, the fraudster provides the victim with a second SMS that includes the link to the dropper: a modified version of the [legitimate] McAfee Security app.”

The initial SMS message aims to induce a false sense of urgency by instructing the recipients to call a number to authorize a non-existent transaction that involves a large sum of money.

Upon installation, the malicious dropper executes three related payloads (two APKs and one DEX file) that register the bot with the C2 server, obtain accessibility services permissions for remote access via AlphaVNC and ngrok, and run commands fetched from the C2 server.

One of the prominent additions to Vultur is the ability to remotely interact with the infected device, including carrying out clicks, scrolls, and swipes, through Android’s accessibility services, as well as download, upload, delete, install, and find files.

In addition, the malware is equipped to prevent the victims from interacting with a predefined list of apps, display custom notifications in the status bar, and even disable Keyguard to bypass lock screen security measures.

“Vultur’s recent developments have shown a shift in focus towards maximizing remote control over infected devices,” Kamp said.

“With the capability to issue commands for scrolling, swipe gestures, clicks, volume control, blocking apps from running, and even incorporating file manager functionality, it is clear that the primary objective is to gain total control over compromised devices.”

The development comes as Team Cymru revealed the Octo (aka Coper) Android banking trojan’s transition to a malware-as-a-service operation, offering its services to other threat actors for conducting information theft.

“The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device’s screen,” the company said.

“It employs various injects to steal sensitive information, such as passwords and login credentials, by displaying fake screens or overlays. Additionally, it utilizes VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance capabilities.”

Octo campaigns are estimated to have compromised 45,000 devices, primarily spanning Portugal, Spain, Turkey, and the U.S. Some of the other victims are located in France, the Netherlands, Canada, India, and Japan.

The findings also follow the emergence of a new campaign targeting Android users in India that distributes malicious APK packages posing as online booking, billing, and courier services via a malware-as-a-service (MaaS) offering.

The malware “targets theft of banking information, SMS messages, and other confidential information from victims’ devices,” Broadcom-owned Symantec said in a bulletin.

Mar 13, 2024The Hacker NewsFinancial Fraud / Mobile Security

The threat actors behind the PixPirate Android banking trojan are leveraging a new trick to evade detection on compromised devices and harvest sensitive information from users in Brazil.

The approach allows it to hide the malicious app’s icon from the home screen of the victim’s device, IBM said in a technical report published today.

“Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background,” security researcher Nir Somech said.

PixPirate, which was first documented by Cleafy in February 2023, is known for its abuse of Android’s accessibility services to covertly perform unauthorized fund transfers using the PIX instant payment platform when a targeted banking app is opened.

The constantly mutating malware is also capable of stealing victims’ online banking credentials and credit card information, as well as capturing keystrokes and intercepting SMS messages to access two-factor authentication codes.

Typically distributed via SMS and WhatsApp, the attack flow entails the use of a dropper (aka downloader) app that’s engineered to deploy the main payload (aka droppee) to pull off the financial fraud.

“Usually, the downloader is used to download and install the droppee, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant,” Somech explained.

“In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee but also for running and executing it. The downloader plays an active part in the malicious activities of the droppee as they communicate with each other and send commands to execute.”

The downloader APK app, once launched, prompts the victim to update the app to either retrieve the PixPirate component from an actor-controlled server or install it if it’s embedded within itself.

What’s changed in the latest version of the droppee is the absence of activity with the action “android.intent.action.Main” and the category “android.intent.category.LAUNCHER” that allows a user to launch an app from the home screen by tapping its icon.

Put differently, the infection chain requires both the downloader and the droppee to work in tandem, with the former responsible for running the PixPirate APK by binding to a service exported by the droppee.

“Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it registered,” Somech said. “The receivers are set to be activated based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run.”

“This technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate downloader from their device.”

The development comes as Latin American (LATAM) banks have become the target of a new malware called Fakext that employs a rogue Microsoft Edge extension named SATiD to carry out man-in-the-browser and web injection attacks with the goal of grabbing credentials entered in the targeted bank site.

It’s worth noting that SAT ID is a service offered by Mexico’s Tax Administration Service (SAT) to generate and update electronic signatures for filing taxes online.

In select cases, Fakext is engineered to display an overlay that urges the victim to download a legitimate remote access tool by purporting to be the bank’s IT support team, ultimately enabling the threat actors to conduct financial fraud.

The campaign – active since at least November 2023 – singles out 14 banks operating in the region, a majority of which are located in Mexico. The extension has since been taken down from the Edge Add-ons store.

Feb 21, 2024NewsroomNetwork Security / Vulnerability

Cybersecurity researchers have identified two authentication bypass flaws in open-source Wi-Fi software found in Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.

The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, have been discovered following a security evaluation of wpa_supplicant and Intel’s iNet Wireless Daemon (IWD), respectively.

The flaws “allow attackers to trick victims into connecting to malicious clones of trusted networks and intercept their traffic, and join otherwise secure networks without needing the password,” Top10VPN said in a new research conducted in collaboration with Mathy Vanhoef, who has previously uncovered Wi-Fi attacks like KRACK, DragonBlood, and TunnelCrack.

CVE-2023-52161, in particular, permits an adversary to gain unauthorized access to a protected Wi-Fi network, exposing existing users and devices to potential attacks such as malware infections, data theft, and business email compromise (BEC). It impacts IWD versions 2.12 and lower.

On the other hand, CVE-2023-52160 affects wpa_supplicant versions 2.10 and prior. It’s also the more pressing of the two flaws owing to the fact that it’s the default software used in Android devices to handle login requests to wireless networks.

That said, it only impacts Wi-Fi clients that aren’t properly configured to verify the certificate of the authentication server. CVE-2023-52161, however, affects any network that uses a Linux device as a wireless access point (WAP).

Successful exploitation of CVE-2023-52160 banks on the prerequisite that the attacker is in possession of the SSID of a Wi-Fi network to which the victim has previously connected. It also requires the threat actor to be in physical proximity to the victim.

“One possible such scenario might be where an attacker walks around a company’s building scanning for networks before targeting an employee leaving the office,” the researchers said.

Major Linux distributions such as Debian (1, 2), Red Hat (1), SUSE (1, 2), and Ubuntu (1, 2) have released advisories for the two flaws. The wpa_supplicant issue has also been addressed in ChromeOS from versions 118 and later, but fixes for Android are yet to be made available.

“In the meantime, it’s critical, therefore, that Android users manually configure the CA certificate of any saved enterprise networks to prevent the attack,” Top10VPN said.

Meta Platforms said it took a series of steps to curtail malicious activity from eight different firms based in Italy, Spain, and the United Arab Emirates (U.A.E.) operating in the surveillance-for-hire industry.

The findings are part of its Adversarial Threat Report for the fourth quarter of 2023. The spyware targeted iOS, Android, and Windows devices.

“Their various malware included capabilities to collect and access device information, location, photos and media, contacts, calendar, email, SMS, social media, and messaging apps, and enable microphone,camera, and screenshot functionality,” the company said.

The eight companies are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries.

These firms, per Meta, also engaged in scraping, social engineering, and phishing activity that targeted a wide range of platforms such as Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch and Telegram.

Specifically, a network of fictitious personas linked to RCS Labs, which is owned by Cy4Gate, is said to have tricked users into providing their phone numbers and email addresses, in addition to clicking on bogus links for conducting reconnaisance.

Another set of now-removed Facebook and Instagram accounts associated with Spanish spyware vendor Variston IT was employed for exploit development and testing, including sharing of malicious links. Last week, reports emerged that the company is shutting down its operations.

Meta also said it identified accounts used by Negg Group to test the delivery of its spyware, as well as by Mollitiam Industries, a Spanish firm that advertises a data collection service and spyware targeting Windows, macOS, and Android, to scrape public information.

Elsewhere, the social media giant actioned on networks from China, Myanmar, and Ukraine exhibiting coordinated inauthentic behavior (CIB) by removing over 2,000 accounts, Pages, and Groups from Facebook and Instagram.

While the Chinese cluster targeted U.S. audiences with content related to criticism of U.S. foreign policy towards Taiwan and Israel and its support of Ukraine, the network originating from Myanmar targeted its own residents with original articles that praised the Burmese army and disparaged the ethnic armed organizations and minority groups.

The third cluster is notable for its use of fake Pages and Groups to post content that supported Ukrainian politician Viktor Razvadovskyi, while also sharing “supportive commentary about the current government and critical commentary about the opposition” in Kazakhstan.

The development comes as a coalition of government and tech companies, counting Meta, have signed an agreement to curb the abuse of commercial spyware to commit human rights abuses.

As countermeasures, the company has introduced new features like enabled Control Flow Integrity (CFI) on Messenger for Android and VoIP memory isolation for WhatsApp in an effort to make exploitation harder and reduce the overall attack surface.

That said, the surveillance industry continues to thrive in myriad, unexpected forms. Last month, 404 Media — building off prior research from the Irish Council for Civil Liberties (ICCL) in November 2023 — unmasked a surveillance tool called Patternz that leverages real-time bidding (RTB) advertising data gathered from popular apps like 9gag, Truecaller, and Kik to track mobile devices.

“Patternz allows national security agencies utilize real-time and historical user advertising generated data to detect, monitor and predict users actions, security threats and anomalies based on users’ behavior, location patterns and mobile usage characteristics, ISA, the Israeli company behind the product claimed on its website.

Then last week, Enea took the wraps off a previously unknown mobile network attack known as MMS Fingerprint that’s alleged to have been utilized by Pegasus-maker NSO Group. This information was included in a 2015 contract between the company and the telecom regulator of Ghana.

While the exact method used remains something of a mystery, the Swedish telecom security firm suspects it likely involves the use of MM1_notification.REQ, a special type of SMS message called a binary SMS that notifies the recipient device of an MMS that’s waiting for retrieval from the Multimedia Messaging Service Center (MMSC).

The MMS is then fetched by means of MM1_retrieve.REQ and MM1_retrieve.RES, with the former being an HTTP GET request to the URL address contained in the MM1_notification.REQ message.

What’s notable about this approach is that user device information such as User-Agent (different from a web browser User-Agent string) and x-wap-profile is embedded in the GET request, thereby acting as a fingerprint of sorts.

“The (MMS) User-Agent is a string that typically identifies the OS and device,” Enea said. “x-wap-profile points to a UAProf (User Agent Profile) file that describes the capabilities of a mobile handset.”

A threat actor looking to deploy spyware could use this information to exploit specific vulnerabilities, tailor their malicious payloads to the target device, or even craft more effective phishing campaigns. That said, there is no evidence that this security hole has been exploited in the wild in recent months.

Feb 19, 2024NewsroomMalware / Mobile Security

The Android banking trojan known as Anatsa has expanded its focus to include Slovakia, Slovenia, and Czechia as part of a new campaign observed in November 2023.

“Some of the droppers in the campaign successfully exploited the accessibility service, despite Google Play’s enhanced detection and protection mechanisms,” ThreatFabric said in a report shared with The Hacker News.

“All droppers in this campaign have demonstrated the capability to bypass the restricted settings for accessibility service in Android 13.” The campaign, in total, involves five droppers with more than 100,000 total installations.

Also known by the name TeaBot and Toddler, Anatsa is known to be distributed under the guise of seemingly innocuous apps on the Google Play Store. These apps, called droppers, facilitate the installation of the malware by circumventing security measures imposed by Google that seek to grant sensitive permissions.

In June 2023, the Dutch mobile security firm disclosed an Anatsa campaign that targeted banking customers in the U.S., the U.K., Germany, Austria, and Switzerland at least since March 2023 using dropper apps that were collectively downloaded over 30,000 times on the Play Store.

Anatsa comes fitted with capabilities to gain full control over infected devices and execute actions on a victim’s behalf. It can also steal credentials to initiate fraudulent transactions.

The latest iteration observed in November 2023 is no different in that one of the droppers masqueraded as a phone cleaner app named “Phone Cleaner – File Explorer” (package name “com.volabs.androidcleaner”) and leveraged a technique called versioning to introduce its malicious behavior.

While the app is no longer available for download from the official storefront for Android, it can still be downloaded via other sketchy third-party sources.

According to statistics available on app intelligence platform AppBrain, the app is estimated to have been downloaded about 12,000 times during the time it was available on the Google Play Store between November 13 and November 27, when it was unpublished.

“Initially, the app appeared harmless, with no malicious code and its accessibility service not engaging in any harmful activities,” ThreatFabric researchers said.

“However, a week after its release, an update introduced malicious code. This update altered the AccessibilityService functionality, enabling it to execute malicious actions such as automatically clicking buttons once it received a configuration from the [command-and-control] server.”

What makes the dropper notable is that its abuse of the accessibility service is tailored to Samsung devices, suggesting that it was designed to exclusively target the company-made handsets at some point, although other droppers used in the campaign have been found to be manufacturer agnostic.

The droppers are also capable of circumventing Android 13’s restricted settings by mimicking the process used by marketplaces to install new applications without having their access to the accessibility service functionalities disabled, as previously observed in the case of dropper services like SecuriDropper.

“These actors prefer concentrated attacks on specific regions rather than a global spread, periodically shifting their focus,” ThreatFabric said. “This targeted approach enables them to concentrate on a limited number of financial organizations, leading to a high number of fraud cases in a short time.”

The development comes as Fortinet FortiGuard Labs detailed another campaign that distributes the SpyNote remote access trojan by imitating a legitimate Singapore-based cryptocurrency wallet service known as imToken to replace destination wallet addresses and with actor-controlled ones and conduct illicit asset transfers.

“Like much Android malware today, this malware abuses the accessibility API,” security researcher Axelle Apvrille said. “This SpyNote sample uses the Accessibility API to target famous crypto wallets.”

Feb 09, 2024NewsroomMobile Security / Cyber Threat

Threat hunters have identified a new variant of Android malware called MoqHao that automatically executes on infected devices without requiring any user interaction.

“Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution,” McAfee Labs said in a report published this week. “While the app is installed, their malicious activity starts automatically.”

The campaign’s targets include Android users located in France, Germany, India, Japan, and South Korea.

MoqHao, also called Wroba and XLoader (not to be confused with the Windows and macOS malware of the same name), is an Android-based mobile threat that’s associated with a Chinese financially motivated cluster dubbed Roaming Mantis (aka Shaoye).

Typical attack chains commence with package delivery-themed SMS messages bearing fraudulent links that, when clicked from Android devices, lead to the deployment of the malware but redirect victims to credential harvesting pages impersonating Apple’s iCloud login page when visited from an iPhone.

In July 2022, Sekoia detailed a campaign that compromised at least 70,000 Android devices in France. As of early last year, updated versions of MoqHao have been found to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking, revealing the adversary’s commitment to innovating its arsenal.

The latest iteration of MoqHao continues to be distributed via smishing techniques, but what has changed is that the malicious payload is run automatically upon installation and prompts the victim to grant it risky permissions without launching the app, a behavior previously spotted with bogus apps containing the HiddenAds malware.

What’s also received a facelift is that the links shared in the SMS messages themselves are hidden using URL shorteners to increase the likelihood of the attack’s success. The content for these messages is extracted from the bio (or description) field from fraudulent Pinterest profiles set up for this purpose.

MoqHao is equipped with several features that allow it to stealthily harvest sensitive information like device metadata, contacts, SMS messages, and photos, call specific numbers with silent mode, and enable/disable Wi-Fi, among others.

McAfee said it has reported the findings to Google, which is said to be “already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version.”

The development comes as Chinese cybersecurity firm QiAnXin revealed that a previously unknown cybercrime syndicate named Bigpanzi has been linked to the compromise of Android-based smart TVs and set-top boxes (STBs) in order to corral them into a botnet for conducting distributed denial-of-service (DDoS) attacks.

The operation, active since at least 2015, is estimated to control a botnet comprising 170,000 daily active bots, most of which are located in Brazil. However, 1.3 million distinct Brazilian IP addresses have been associated with Bigpanzi since August 2023.

The infections are made possible by tricking users into installing booby-trapped apps for streaming pirated movies and TV shows through sketchy websites. The campaign was first disclosed by Russian antivirus vendor Doctor Web in September 2023.

“Once installed, these devices transform into operational nodes within their illicit streaming media platform, catering to services like traffic proxying, DDoS attacks, OTT content provision, and pirate traffic,” QiAnXin researchers said.

“The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability.”

Feb 08, 2024NewsroomData Protection / Mobile Securit

Google has unveiled a new pilot program in Singapore that aims to prevent users from sideloading certain apps that abuse Android app permissions to read one-time passwords and gather sensitive data.

“This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive runtime permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps or file managers),” the company said.

The feature is designed to examine the permissions declared by a third-party app in real-time and look for those that seek to gain access to sensitive permissions associated with reading SMS messages, deciphering or dismissing notifications from legitimate apps, and accessibility services that have been routinely abused by Android-based malware for extracting valuable information.

As part of the test, users in Singapore who attempt to sideload such apps (or APK files) will be blocked from doing so via Google Play Protect and displayed a pop-up message that reads: “This app can request access to sensitive data. This can increase the risk of identity theft or financial fraud.”

“These permissions are frequently abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on-screen content,” Eugene Liderman, director of the mobile security strategy at Google, said.

The change is part of a collaborative effort to combat mobile fraud, the tech giant said, urging app developers to follow best practices and review their apps’ device permissions to ensure it does not violate the Mobile Unwanted Software principles.

Google, which launched Google Play Protect real-time scanning at the code level to detect novel Android malware in select markets like India, Thailand, Singapore, and Brazil, said the effort allowed it to detect 515,000 new malicious apps and that it issued no less than 3.1 million warnings or blocks of those apps.

The development also comes as Apple announced sweeping changes to the App Store in the European Union to comply with the Digital Markets Act (DMA) ahead of the March 6, 2024, deadline. The changes, including Notarization for iOS apps, are expected to go live with iOS 17.4.

The iPhone maker, however, repeatedly emphasized that distributing iOS apps from alternative app marketplaces exposes E.U. users to “increased privacy and security threats,” and that it does not intend to bring them to other regions.

“This includes new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats,” Apple said. “These changes also compromise Apple’s ability to detect, prevent, and take action against malicious apps on iOS and to support users impacted by issues with apps downloaded outside of the App Store.”