The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Android

Warning — 5 New Trojanized Android Apps Spying On Users In Pakistan

Warning — 5 New Trojanized Android Apps Spying On Users In Pakistan

January 12, 2021Ravie Lakshmanan
Cybersecurity researchers took the wraps off a new spyware operation targeting users in Pakistan that leverages trojanized versions of legitimate Android apps to carry out covert surveillance and espionage. Designed to masquerade apps such as the Pakistan Citizen Porta l, a Muslim prayer-clock app called Pakistan Salat Time , Mobile Packages Pakistan , Registered SIMs Checker , and TPL Insurance , the malicious variants have been found to obfuscate their operations to stealthily download a payload in the form of an Android Dalvik executable (DEX) file. "The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user's contact list and the full contents of SMS messages," Sophos threat researchers Pankaj Kohli and Andrew Brandt said. "The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe." Interestingly, t
Experts Sound Alarm On New Android Malware Sold On Hacking Forums

Experts Sound Alarm On New Android Malware Sold On Hacking Forums

January 12, 2021Ravie Lakshmanan
Cybersecurity researchers have exposed the operations of an Android malware vendor who teamed up with a second threat actor to market and sell a remote access Trojan (RAT) capable of device takeover and exfiltration of photos, locations, contacts, and messages from popular apps such as Facebook, Instagram, WhatsApp, Skype, Telegram, Kik, Line, and Google Messages. The vendor, who goes by the name of " Triangulum " in a number of darknet forums, is alleged to be a 25-year-old man of Indian origin, with the individual opening up shop to sell the malware three years ago on June 10, 2017, according to an analysis published by Check Point Research today. "The product was a mobile RAT, targeting Android devices and capable of exfiltration of sensitive data from a C&C server, destroying local data – even deleting the entire OS, at times," the researchers said. An Active Underground Market for Mobile Malware Piecing together Triangulum's trail of activities, t
Iranian RANA Android Malware Also Spies On Instant Messengers

Iranian RANA Android Malware Also Spies On Instant Messengers

December 07, 2020Ravie Lakshmanan
A team of researchers today unveiled previously undisclosed capabilities of an Android spyware implant—developed by a sanctioned Iranian threat actor—that could let attackers spy on private chats from popular instant messaging apps, force Wi-Fi connections, and auto-answer calls from specific numbers for purposes of eavesdropping on conversations. In  September , the US Department of the Treasury imposed sanctions on APT39 (aka Chafer, ITG07, or Remix Kitten) — an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) — for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. Coinciding with the sanctions, the Federal Bureau of Investigation (FBI) released a public threat analysis  report  describing several tools used by Rana Intelligence Computing Company, which operated as a front for the malicious cyber activities conducted by the APT39 group. Formally lin
Several Unpatched Popular Android Apps Put Millions of Users at Risk of Hacking

Several Unpatched Popular Android Apps Put Millions of Users at Risk of Hacking

December 03, 2020Ravie Lakshmanan
A number of high-profile Android apps are still using an unpatched version of Google's widely-used app update library, potentially putting the personal data of hundreds of millions of smartphone users at risk of hacking. Many popular apps, including Grindr, Bumble, OkCupid, Cisco Teams, Moovit, Yango Pro, Microsoft Edge, Xrecorder, and PowerDirector, are still vulnerable and can be hijacked to steal sensitive data, such as passwords, financial details, and e-mails. The bug, tracked as  CVE-2020-8913 , is rated 8.8 out of 10.0 for severity and impacts Android's Play Core Library versions prior to  1.7.2 . Although Google addressed the vulnerability in March,  new findings  from Check Point Research show that many third-party app developers are yet to integrate the new Play Core library into their apps to mitigate the threat fully. "Unlike server-side vulnerabilities, where the vulnerability is patched completely once the patch is applied to the server, for client-side
China's Baidu Android Apps Caught Collecting Sensitive User Data

China's Baidu Android Apps Caught Collecting Sensitive User Data

November 24, 2020Ravie Lakshmanan
Two popular Android apps from Chinese tech giant Baidu were temporarily unavailable on the Google Play Store in October after they were caught collecting sensitive user details. The two apps in question— Baidu Maps and Baidu Search Box —were found to collect device identifiers, such as the International Mobile Subscriber Identity (IMSI) number or MAC address, without users' knowledge, thus making them  potentially trackable  online. The  discovery  was made by network security firm Palo Alto Networks, who notified both Baidu and Google of their findings, after which the search company pulled the apps on October 28, citing "unspecified violations."  As of writing, a compliant version of Baidu Search Box has been restored to the Play Store on November 19, while Baidu Maps remains unavailable until the unresolved issues highlighted by Google are fixed. A separate app named Homestyler was also found to collect private information from users' Android devices. Accord
Facebook Messenger Bug Lets Hackers Listen to You Before You Pick Up the Call

Facebook Messenger Bug Lets Hackers Listen to You Before You Pick Up the Call

November 20, 2020Ravie Lakshmanan
Facebook has patched a bug in its widely installed Messenger app for Android that could have allowed a remote attacker to call unsuspecting targets and listen to them before even they picked up the audio call. The flaw was discovered and reported to Facebook by  Natalie Silvanovich  of Google's Project Zero bug-hunting team last month on October 6 with a 90-day deadline, and impacts version 284.0.0.16.119 (and before) of Facebook Messenger for Android. In a nutshell, the vulnerability could have granted an attacker who is logged into the app to simultaneously initiate a call and send a specially crafted message to a target who is signed in to both the app as well as another Messenger client such as the web browser. "It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out," Facebook's Security Engineering Manager Dan Gurfinkel  said . According t
Google Removes 21 Malicious Android Apps from Play Store

Google Removes 21 Malicious Android Apps from Play Store

October 27, 2020Ravie Lakshmanan
Google has stepped in to remove several Android applications from the official Play Store following the disclosure that the apps in question were found to serve intrusive ads. The findings were  reported  by the Czech cybersecurity firm Avast on Monday, which said the 21 malicious apps (list  here ) were downloaded nearly eight million times from Google's app marketplace. The apps masqueraded as harmless gaming apps and came packed with  HiddenAds  malware, a notorious Trojan known for its capabilities to serve intrusive ads outside of the app. The group behind the operation relies on social media channels to lure users into downloading the apps. Earlier this June, Avast discovered a  similar HiddenAds campaign  involving 47 gaming apps with over 15 million downloads that were leveraged to display device-wide intrusive ads. "Developers of adware are increasingly using social media channels, like regular marketers would," Avast's Jakub Vávra said. "This time
Windows GravityRAT Malware Now Also Targets macOS and Android Devices

Windows GravityRAT Malware Now Also Targets macOS and Android Devices

October 20, 2020Ravie Lakshmanan
A Windows-based remote access Trojan believed to be designed by Pakistani hacker groups to infiltrate computers and steal users' data has resurfaced after a two-year span with retooled capabilities to target Android and macOS devices. According to cybersecurity firm Kaspersky, the malware — dubbed " GravityRAT " — now masquerades as legitimate Android and macOS apps to capture device data, contact lists, e-mail addresses, and call and text logs and transmit them to an attacker-controlled server. First documented by the Indian Computer Emergency Response Team (CERT-In) in August 2017 and subsequently by  Cisco Talos  in April 2018, GravityRAT has been known to target Indian entities and organizations via malware-laced Microsoft Office Word documents at least since 2015. Noting that the threat actor developed at least four different versions of the espionage tool, Cisco said, "the developer was clever enough to keep this infrastructure safe, and not have it blackl
Watch Out — Microsoft Warns Android Users About A New Ransomware

Watch Out — Microsoft Warns Android Users About A New Ransomware

October 12, 2020Ravie Lakshmanan
Microsoft has warned about a new strain of mobile ransomware that takes advantage of incoming call notifications and Android's Home button to lock the device behind a ransom note. The findings concern a variant of a known Android ransomware family dubbed "MalLocker.B" which has now resurfaced with new techniques, including a novel means to deliver the ransom demand on infected devices as well as an obfuscation mechanism to evade security solutions. The development comes amid a huge surge in ransomware attacks against critical infrastructure across sectors, with a 50% increase in the daily average of ransomware attacks in the last three months compared to the first half of the year, and cybercriminals increasingly incorporating double extortion in their playbook. MalLocker has been known for being hosted on malicious websites and circulated on online forums using various social engineering lures by masquerading as popular apps, cracked games, or video players. Pre
Beware: New Android Spyware Found Posing as Telegram and Threema Apps

Beware: New Android Spyware Found Posing as Telegram and Threema Apps

October 01, 2020Ravie Lakshmanan
A hacking group known for its attacks in the Middle East, at least since 2017, has recently been found impersonating legitimate messaging apps such as Telegram and Threema to infect Android devices with a new, previously undocumented malware. "Compared to the versions documented in 2017, Android/SpyC23.A has extended spying functionality, including reading notifications from messaging apps, call recording and screen recording, and new stealth features, such as dismissing notifications from built-in Android security apps," cybersecurity firm ESET  said  in a Wednesday analysis. First detailed by Qihoo 360 in 2017 under the moniker  Two-tailed Scorpion (aka APT-C-23 or Desert Scorpion), the mobile malware has been deemed "surveillanceware" for its abilities to spy on the devices of targeted individuals, exfiltrating call logs, contacts, location, messages, photos, and other sensitive documents in the process. In 2018, Symantec discovered a  newer variant  of the
Major Instagram App Bug Could've Given Hackers Remote Access to Your Phone

Major Instagram App Bug Could've Given Hackers Remote Access to Your Phone

September 24, 2020Ravie Lakshmanan
Ever wonder how hackers can hack your smartphone remotely? In a report shared with The Hacker News today, Check Point researchers disclosed details about a  critical vulnerability  in Instagram's Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. What's more worrisome is that the flaw not only lets attackers perform actions on behalf of the user within the Instagram app—including spying on victim's private messages and even deleting or posting photos from their accounts—but also execute arbitrary code on the device. According to an  advisory  published by Facebook, the heap overflow security issue (tracked as CVE-2020-1895 , CVSS score: 7.8) impacts all versions of the Instagram app prior to 128.0.0.26.128, which was released on February 10 earlier this year. "This [flaw] turns the device into a tool for spying on targeted users without their knowledge, as well as enabling
Android 11 — 5 New Security and Privacy Features You Need to Know

Android 11 — 5 New Security and Privacy Features You Need to Know

September 18, 2020Anchit Sharma
After a long wait and months of beta testing, Google last week finally released Android 11 , the latest version of the Android mobile operating system—with features offering billions of its users more control over their data security and privacy. Android security is always a hot topic and almost always for the wrong reason, including Google's failure to prevent malicious apps from being distributed through the Play Store, over-claim of permissions by apps, and privacy leakages. Though most of such issues can be avoided as long as users take advantage of already available features and a little common sense, most users are still not aware of or following basic security practices. According to Google's latest announcement, the latest Android 11 OS includes a few new built-in measures designed to keep users' data secure by default, increase transparency, and offer better control. Instead of diving deep into smaller or more extensive changes, we have summarized some critica
New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps

New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps

May 26, 2020Mohit Kumar
Remember Strandhogg? A security vulnerability affecting Android that malicious apps can exploit to masquerade as any other app installed on a targeted device to display fake interfaces to the users, tricking them into giving away sensitive information. Late last year, at the time of its public disclosure, researchers also confirmed that some attackers were already exploiting the flaw in the wild to steal users' banking and other login credentials, as well as to spy on their activities. The same team of Norwegian cybersecurity researchers today unveiled details of a new critical vulnerability (CVE-2020-0096) affecting the Android operating system that could allow attackers to carry out a much more sophisticated version of Strandhogg attack. Dubbed ' Strandhogg 2.0 ,' the new vulnerability affects all Android devices, except those running the latest version, Android Q / 10, of the mobile operating system—which, unfortunately, is running on only 15-20% of the total
Over 4000 Android Apps Expose Users' Data via Misconfigured Firebase Databases

Over 4000 Android Apps Expose Users' Data via Misconfigured Firebase Databases

May 12, 2020Ravie Lakshmanan
More than 4,000 Android apps that use Google's cloud-hosted Firebase databases are 'unknowingly' leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data. The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store. "4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users' personal information, access tokens, and other data without a password or any other authentication," Comparitech said. Acquired by Google in 2014, Firebase is a popular mobile application development platform that offers a variety of tools to help third-party app developers build apps, securely store app data and files, fix issues, and ev
Change This Browser Setting to Stop Xiaomi from Spying On Your Incognito Activities

Change This Browser Setting to Stop Xiaomi from Spying On Your Incognito Activities

May 05, 2020Ravie Lakshmanan
If you own a Xiaomi smartphone or have installed the Mi browser app on any of your other brand Android device, you should enable a newly introduced privacy setting immediately to prevent the company from spying on your online activities. The smartphone maker has begun rolling out an update to its Mi Browser/Mi Browser Pro (v12.1.4) and Mint Browser (v3.4.3) after concerns were raised over its practice of transmitting web browsing histories and device metadata to the company servers. The new privacy setting now allows Mi Browser users to disable aggregated data collection feature while in Incognito Mode, but it bears noting that it's not enabled by default. The option can be accessed by tapping the settings icon in the browser > Incognito mode settings > and then disable 'Enhanced incognito mode,' as shown in an attached screenshot below. Mint Browser and Mi Browser Pro have been downloaded more than 15 million times from Google Play to date. The devel
Watch Out: Android Apps in Google Play Store Capitalizing on Coronavirus Outbreak

Watch Out: Android Apps in Google Play Store Capitalizing on Coronavirus Outbreak

March 26, 2020Ravie Lakshmanan
Preying on public fears, the ongoing coronavirus outbreak is proving to be a goldmine of opportunity for attackers to stage a variety of malware attacks, phishing campaigns, and create scam sites and malicious tracker apps. Now in a fresh twist, third-party Android app developers too have begun to take advantage of the situation to use coronavirus-related keywords in their app names, descriptions, or in the package names so as to drop malware, perpetrate financial theft and rank higher in Google Play Store searches related to the topic. "Most malicious apps found are bundle threats that range from ransomware to SMS-sending malware, and even spyware designed to clean out the contents of victims' devices for personal or financial data," Bitdefender researchers said in a telemetry analysis report shared with The Hacker News. The find by Bitdefender is the latest in an avalanche of digital threats piggybacking on the coronavirus pandemic. Using Coronavirus-Relat
TrickBot Mobile App Bypasses 2‐Factor Authentication for Net Banking Services

TrickBot Mobile App Bypasses 2‐Factor Authentication for Net Banking Services

March 25, 2020Ravie Lakshmanan
The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions. The Android app, called " TrickMo " by IBM X-Force researchers, is under active development and has exclusively targeted German users whose desktops have been previously infected with the TrickBot malware. "Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016," IBM researchers said. "In 2020, it appears that TrickBot's vast bank fraud is an ongoing project that helps the gang monetize compromised accounts." The name TrickMo is a direct reference to a similar kind of Android banking malware called ZitMo that was developed by Zeus cybercriminal gang in 2011 to defeat SMS-based two-factor authentication. The development is the latest addition in the ars
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.