A confused woman using her phone, unaware that she's in contact with a scammer attempting to steal her bank card information.

Android Malware Disguises Itself As Popular Apps To Steal Data

Malicious actors are deploying Android malware disguised as popular apps like Google, Instagram, and WhatsApp. This disclosure is linked to another trend, the spread of Android banking malware like Coper. Cybercriminals used the malware campaign to steal sensitive information such as user IDs and passwords.

Malicious Android apps usually mimic recognisable logos and identities to lure innocent users, creating a sense of authenticity. These apps ask users to provide access to Android Accessibility Service and Device Admin Permission after installation.

A malicious Android app has requested administrative access
A malicious Android app has requested administrative access (SonicWall Capture Labs)

Unfortunately, granting these requests unknowingly gives the malicious program full control of the device. This allows malware to carry out a variety of malicious operations, including covert data theft and malware deployment, all without the victim’s knowledge.

The malware is designed to establish a connection with a command-and-control (C2) server so that it may receive and execute commands. This enables the malware to access a variety of data, including contact lists, SMS messages, call records, and the list of loaded apps. It can also control the camera flashlight, launch phishing pages on the web browser, and send SMS messages.

Moreover, the application redirects visitors to fake login pages that mimic well-known services like Netflix, PayPal, LinkedIn, Facebook, GitHub, Instagram, Microsoft, X, WordPress, and Yahoo. This tactic prompts users to input their username and password.

Phishing techniques used by fraudulent HTML pages to lure users
Phishing techniques used by fraudulent HTML pages to lure users (SonicWall Capture Labs)

This discovery follows the alerts from Cyfirma and Symantec, which are both owned by Broadcom, regarding a social engineering attack. The scam uses WhatsApp to spread new Android malware.

Symantec further said in a statement:
Upon successful delivery, the application would install itself under the guise of a Contacts application. Upon execution, the app would request permissions for SMS, Contacts, Storage, and Telephone and subsequently remove itself from view.

Cybercriminals can use compromised online accounts to steal personal information or even execute fraud. This is especially true when the accounts include sensitive data.

Consider a scenario where hackers gain access to a victim’s Microsoft credentials. Attackers might cause chaos if the victim keeps important papers such as driver’s licenses, passports, or Social Security numbers on OneDrive.

The Rise of Android Banking malware

Malware attacks, like the Coper banking trojan, have been on the rise these days, with the goal of compromising Android smartphones. Cybercriminals design the malware to steal sensitive information. They achieve this by showing fake display overlays, which deceive victims into unintentionally giving their credentials.

In a recent research, Finland’s National Cybersecurity Centre (NCSC-FI) highlighted the use of smishing messages to trick users into installing Android malware aimed to steal financial information.

The attack chain uses a technique known as telephone-oriented attack delivery (TOAD). SMS texts direct users to call a predetermined number regarding a claimed debt collection issue. When fraudsters call, they warn victims that the message is fraudulent and propose that they install a malware removal program on their smartphone for protection.

Scammers further convince the caller to click on a link in a second text message that claims to install security software. However, this URL directs users to malware meant to steal online banking credentials and make unauthorised financial transactions.

Recently, Android-based malware such as Tambir and Dwphon emerged, showing different device-gathering capabilities. The creators of Dwphon, particularly designed for Chinese mobile models, aim it largely at the Russian market.

Google has taken several security measures over the years to decrease the chance of fraudulent applications appearing on the Play Store. Despite these precautions, users must exercise caution while downloading new apps on their Android phones.

Activate Google Play Protect to improve the Android phone’s security and protect it from malicious apps. This integrated security application checks for malwares in all of your installed programmes as well as any recently downloaded ones.

At Phishing Tackle, we know all too well that security technology is often left incorrectly configured, demonstrated by our free Domain Spoofing Test which currently gets past around 50% of users security systems.

Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.

Recent posts