Google Play Store Warning – Don’t install these apps on your phone

By admin, September 25, 2024


New warning: Millions of mobile phones infected with dangerous malware

NurPhoto via Getty Images

This article was updated on September 25 to include advice Google has given to users in response to these new reports, as well as details about another banking Trojan that is now actively targeting Android users.

Google is cleaning up Android. Years of an app free-for-all are coming to an end: users are affected by Play Store removals and increased restrictions on sideloading, and Play Protect will soon be enhanced with live threat detection in Android 15. All of this is aimed at closing the gap with iOS and the locked-down iPhone ecosystem.

But users are still frequently warned that very serious risks remain, and two security reports this week have put that very point across. The first, from Kaspersky, warns of the risks from “modified versions of Spotify, WhatsApp, Minecraft, and other apps on Google Play.”


The researchers are once again highlighting the dangers of the Necro Trojan, which was first reported in 2019. At the time, they said: “We discovered the Trojan in CamScanner, a text recognition app that has been downloaded over 100 million times on Google Play. Now, ‘Necromancer’ has injected new blood into the old Trojan, as more feature-rich versions have been found both in popular apps on Google Play and in various app mods from unofficial sources.”

Kaspersky discovered the Trojan in a Spotify mod distributed outside the Play Store, but it was also hidden in Wuta Camera, which, the researchers said, “made its way into Google Play, from where the app was downloaded more than 10 million times.”

Wuta Camera – Play Store malware

Kaspersky

The advice is simple: no third-party stores, and certainly no modded versions of popular apps from unofficial sources. But “apps from Google Play and other official platforms should also be treated with a healthy dose of skepticism. Even popular apps like Wuta Camera, with 10 million downloads, proved powerless against Necro.”

The Trojan has evolved and is much more obfuscated than previous versions, but its purpose remains the same: “It can load and execute any DEX file, install downloaded apps, tunnel into the victim’s device, and potentially even obtain paid subscriptions. It can also display and interact with ads in invisible windows, open arbitrary links, and execute any JavaScript code.”

The second alert comes from Cleafy, which warned in June that it had “identified an unclassified Android banking Trojan, which is a variant of TrickMo but with a new anti-analysis mechanism built in.”

TrickMo is an evolution of the infamous TrickBot, with more advanced obfuscation and proactive masking from analysis to avoid detection. TrickMo was first identified in 2019 and we are again seeing a common pattern of these threats evolving and strengthening as various defensive measures deployed around phones and stores are strengthened.

TrickMo’s bag of tricks is surprisingly extensive and includes:

  • One-time password (OTP) interception
  • Screen recording and keylogging
  • Remote control functionality
  • Abuse of accessibility services
  • Advanced obfuscation techniques
  • Anti-analysis mechanisms

Again, this is not something you want to have installed on your phone. The malware is distributed through rogue Chrome browser updates, but once installed, it displays a warning message to users urging them to update Google Play services.

According to Cleafy, “The new app is misleadingly named ‘Google Services’ and poses as a legitimate instance of Google Play Services. Upon launch, the app displays a window asking the user to enable accessibility services for the app.” This clever social engineering tactic, disguising malware behind a trusted name, is surprisingly effective.

Play services hijacking

Cleafy

The common thread here is clear: don’t trust mods, updates, or even default installs of popular apps from anywhere but the official store. Don’t be fooled by unofficial mods from outside the official store, and be wary of official store installs of trivial apps from unfamiliar developers.

Responding to the new report, a Google spokesperson said: “All malicious versions of the apps identified in this report were removed from Google Play prior to the publication of the report. Android users are automatically protected from known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even if they came from sources other than Play.”

Google has assured users that Play Protect protects them from both Necro and TrickMo. It is very important that users ensure that Play Protect is enabled on their devices. Once a threat is confirmed, you will be protected from infection by future instances.

Speaking of new threats, the third report in a short period of time about new Android malware has just been released. Continuing the theme once again, ThreatFabric warns that a new Octo variant is targeting users “under the guise of Google Chrome, NordVPN and Enterprise Europe Network applications.”

Octo itself, part of the Exobot family, is quite well-established, and researchers warn that “the discovery of a new version, dubbed ‘Octo2’ by its creators, could signal a change in the threat landscape and the modus operandi of the attackers behind it.”

Octo2 campaign masquerading as Chrome and NordVPN

ThreatFabric

Again, this is a case of evolving malware rather than an entirely new threat: “The first samples of the Exobot malware family were seen in 2016. At the time, it was a banking Trojan capable of performing overlay attacks and controlling calls, SMS and push notifications.” The evolution of Exobot to “ExobotCompact” (Octo) happened three years later, in 2019.

ThreatFabric said it has detected Octo activity in regions as far apart as Europe, the United States, Canada, the Middle East, Singapore and Australia through malware-as-a-service campaigns. The malware for hire leverages multiple other threat actors and the necessary hardware and obfuscation to accelerate its spread. The new malware variant, Octo2, is expected to seamlessly replace previous versions and leverage existing market channels.

The researchers said: “Octo2’s configuration contains multiple applications and traces of apps that are on the attackers’ radar… That is, if Octo2 detects a push notification from one of the apps on the list, it will intercept it and prevent it from being displayed to the victim. The presence of an app on the list means that cybercriminals are interested in it and are already preparing to attack the user.”

As with other cases, Octo2 uses fake “Google” notification popups to trick Android users into bypassing device restrictions and running the malware. Naturally, this latest version includes significant changes, but the goal remains the same: to steal app-specific banking credentials through targeted attacks.


“The emergence of the Octo2 variant signals future challenges for mobile banking security, as its enhanced capabilities and widespread use pose significant risks… Octo2 builds on top of even stronger remote access capabilities and advanced obfuscation techniques, making it harder for security systems to detect and remove, lengthening the malware’s lifespan and potential impact.”

Octo may change, but our advice to users remains the same. Here are some other golden rules to stay safe:

  • Use only official app stores. Don’t use third-party stores, and don’t change your device’s security settings to load the app.
  • Check the developer in the app’s description. Is it someone you want in your life? Check the reviews. Is it legitimate or contrived?
  • Don’t give apps permissions they don’t need. A flashlight or stargazing app doesn’t need access to your contacts or phone, and don’t give it accessibility permissions that make it easier to control your device unless you need them.
  • Once a month, scan your phone and delete some apps that you no longer need or haven’t used in a long time.
  • Don’t install apps that link to existing apps, like WhatsApp, unless you’re sure they’re legitimate. Check reviews and online articles.
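The store and accessibility-permission checks above can also be run from a computer over adb. The following is an added example, not part of the original article: it parses the text output of `pm list packages -i`, `pm list packages -s` and `settings get secure enabled_accessibility_services` and lists apps that have an accessibility service enabled but are neither preinstalled nor installed by Google Play. The sample output and the `com.example.*` package names are constructed for illustration.

```python
# Added example: audit which apps hold an accessibility service.
# Inputs are the captured text output of:
#   adb shell pm list packages -i
#   adb shell pm list packages -s
#   adb shell settings get secure enabled_accessibility_services
PLAY_STORE = "com.android.vending"

def parse_packages(pm_output):
    """Map package -> installer ('null' when the field is absent)."""
    packages = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition(" ")
        packages[name] = rest.partition("installer=")[2].strip() or "null"
    return packages

def parse_accessibility(setting_value):
    """Packages named in the colon-separated 'pkg/service' list."""
    value = setting_value.strip()
    if not value or value == "null":  # no accessibility service enabled
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def audit(installers_out, system_out, accessibility_out):
    """Return (package, installer) for enabled accessibility services
    that are neither preinstalled nor installed by Google Play."""
    installers = parse_packages(installers_out)
    system = set(parse_packages(system_out))
    findings = []
    for pkg in sorted(parse_accessibility(accessibility_out)):
        installer = installers.get(pkg, "unknown")
        if pkg not in system and installer != PLAY_STORE:
            findings.append((pkg, installer))
    return findings

# Constructed sample output; the com.example.* names are hypothetical.
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=null
package:com.example.passwordmanager  installer=com.android.vending
package:com.example.gservices.update  installer=com.google.android.packageinstaller
"""
SAMPLE_SYSTEM = "package:com.google.android.marvin.talkback\n"
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.passwordmanager/.FillService:"
    "com.example.gservices.update/.Svc"
)

if __name__ == "__main__":
    for pkg, installer in audit(SAMPLE_INSTALLERS, SAMPLE_SYSTEM, SAMPLE_ACCESSIBILITY):
        print(f"review: {pkg} (installer={installer})")
```

A finding is a prompt to review the app, not proof of infection: a legitimately sideloaded app with an accessibility service is listed as well.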


