The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: Android

Fake Indian Banking Rewards Apps Targeting Android Users with Info-stealing Malware

Fake Indian Banking Rewards Apps Targeting Android Users with Info-stealing Malware

September 23, 2022Ravie Lakshmanan
An SMS-based phishing campaign is targeting customers of Indian banks with information-stealing malware that masquerades as a rewards application. The Microsoft 365 Defender Research Team said that the messages contain links that redirect users to a sketchy website that triggers the download of the fake banking rewards app for ICICI Bank. "The malware's RAT capabilities allow the attacker to intercept important device notifications such as incoming messages, an apparent effort to catch two-factor authentication (2FA) messages often used by banking and financial institutions," researchers Shivang Desai, Abhishek Pustakala, and Harshita Tripathi  said . Additionally, the malware is equipped with the ability to steal SMSes, potentially enabling the attacker to swipe 2FA codes sent as text messages and gain unauthorized access to victim accounts. Like other social engineering attacks, familiar brand logos and names are used in the smishing message as well as the rogue a
Researchers Find New Android Spyware Campaign Targeting Uyghur Community

Researchers Find New Android Spyware Campaign Targeting Uyghur Community

September 06, 2022Ravie Lakshmanan
A previously undocumented strain of Android spyware with extensive information gathering capabilities has been found disguised as a book likely designed to target the  Uyghur community  in China. The malware comes under the guise of a book titled " The China Freedom Trap ," a biography written by the exiled Uyghur leader Dolkun Isa. "In light of the ongoing conflict between the Government of the People's Republic of China and the Uyghur community, the malware disguised as the book is a lucrative bait employed by threat actors (TAs) to spread malicious infection in the targeted community," cybersecurity firm Cyble  said  in a report published Monday. The existence of the malware samples, which come with the package name " com.emc.pdf ," was first disclosed by researchers from the  MalwareHunterTeam  late last month. Distributed outside of the official Google Play Store, the app, once installed and opened, displays a few pages of the book, includi
Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan

Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan

September 05, 2022Ravie Lakshmanan
The notorious Android banking trojan known as  SharkBot  has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps. "This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT  said  in a report. "Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats." The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria - Mister Phone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads) Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads) The  droppers  are designed to drop a new version of SharkBot,  dubbed V2  by Dutch security firm ThreatFabric, which features an updated co
Over 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials

Over 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials

September 01, 2022Ravie Lakshmanan
Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) credentials, posing a major security risk. "Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services," Symantec's Threat Hunter team, a part of Broadcom Software, said in a  report  shared with The Hacker News. Interestingly, a little more than 50% of the apps were found using the same AWS tokens found in other apps maintained by other developers and companies, highlighting a supply chain issue with serious implications. "The AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps," the researchers said. These credentials are typically used for downloading appropriate resources necessary for the app's functions as well as accessing configuration files and authenticating to other cloud services. To make matters wors
Microsoft Discover Severe ‘One-Click’ Exploit for TikTok Android App

Microsoft Discover Severe 'One-Click' Exploit for TikTok Android App

September 01, 2022Ravie Lakshmanan
Microsoft on Wednesday disclosed details of a now-patched "high severity vulnerability" in the TikTok app for Android that could let attackers take over accounts when victims clicked on a malicious link. "Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft 365 Defender Research Team  said  in a write-up. Successful exploitation of the flaw could have permitted malicious actors to access and modify users' TikTok profiles and sensitive information, leading to the unauthorized exposure of private videos. Attackers could also have abused the bug to send messages and upload videos on behalf of users. The issue, addressed in version 23.7.3, impacts two flavors of its Android app com.ss.android.ugc.trill (for East and Southeast Asian users) and com.zhiliaoapp.musically (for users in other countries except for India, wher
Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts

Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts

August 22, 2022Ravie Lakshmanan
Budget Android device models that are counterfeit versions associated with popular smartphone brands are harboring multiple trojans designed to target WhatsApp and WhatsApp Business messaging apps. The malware, which Doctor Web first came across in July 2022, were discovered in the system partition of at least four different smartphones: P48pro, radmi note 8, Note30u, and Mate40, was "These incidents are united by the fact that the attacked devices were copycats of famous brand-name models," the cybersecurity firm  said  in a report published today. "Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version." Specifically, the tampering concerns two files "/system/lib/libcutils.so" and "/system/lib/libmtd.so" that are modified in such a manner that when the libcutils.so system library is us
New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings

New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings

August 19, 2022Ravie Lakshmanan
Retail giant Amazon patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user's device to access sensitive information and camera recordings. The Ring app for Android has over 10 million downloads and enables users to monitor video feeds from smart home devices such as video doorbells, security cameras, and alarm systems. Amazon acquired the doorbell maker for about $1 billion in 2018. Application security firm Checkmarx  explained  it identified a cross-site scripting (XSS) flaw that it said could be weaponized as part of an attack chain to trick victims into installing a malicious app. The app can then be used to get hold of the user's Authorization Token, that can be subsequently leveraged to extract the session cookie by sending this information alongside the device's hardware ID, which is also encoded in the token, to the endpoint "ring[.]com/mobile/authorize." Armed with th
Cybercriminals Developing BugDrop Malware to Bypass Android Security Features

Cybercriminals Developing BugDrop Malware to Bypass Android Security Features

August 17, 2022Ravie Lakshmanan
In a sign that malicious actors continue to find ways to work around Google Play Store security protections, researchers have spotted a previously undocumented Android dropper trojan that's currently in development. "This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous  Xenomorph  banking trojan, allowing criminals to perform On-Device Fraud on victim's devices," ThreatFabric's Han Sahin said in a statement shared with The Hacker News. Dubbed  BugDrop  by the Dutch security firm, the  dropper app  is explicitly designed to defeat new features introduced in the upcoming version of Android that aim to make it difficult for malware to request Accessibility Services privileges from victims. ThreatFabric attributed the dropper to a cybercriminal group known as "Hadoken Security," which is also behind the creation and distribution of the  Xenomorph and Gymdrop  Android malwa
SOVA Android Banking Trojan Returns With New Capabilities and Targets

SOVA Android Banking Trojan Returns With New Capabilities and Targets

August 15, 2022Ravie Lakshmanan
The SOVA Android banking trojan is continuing to be actively developed with upgraded capabilities to target no less than 200 mobile applications, including banking apps and crypto exchanges and wallets, up from 90 apps when it started out. That's according to the latest findings from Italian cybersecurity firm Cleafy, which found newer versions of the malware sporting functionality to intercept two-factor authentication (2FA) codes, steal cookies, and expand its targeting to cover Australia, Brazil, China, India, the Philippines, and the U.K. SOVA, meaning Owl in Russian, came to light in  September 2021  when it was observed striking financial and shopping apps from the U.S. and Spain for harvesting credentials through overlay attacks by taking advantage of Android's Accessibility services. In less than a year, the trojan has also acted as a foundation for another Android malware called  MaliBot  that's designed to target online banking and cryptocurrency wallet custo
Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook

Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook

August 08, 2022Ravie Lakshmanan
Facebook parent company Meta disclosed that it took action against two espionage operations in South Asia that leveraged its social media platforms to distribute malware to potential targets. The first set of activities is what the company described as "persistent and well-resourced" and undertaken by a hacking group tracked under the moniker Bitter APT (aka APT-C-08 or T-APT-17) targeting individuals in New Zealand, India, Pakistan, and the U.K. "Bitter used various malicious tactics to target people online with social engineering and infect their devices with malware," Meta  said  in its Quarterly Adversarial Threat Report. "They used a mix of link-shortening services, malicious domains, compromised websites, and third-party hosting providers to distribute their malware." The attacks involved the threat actor creating fictitious personas on the platform, masquerading as attractive young women in a bid to build trust with targets and lure them into cl
Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware

Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware

July 29, 2022Ravie Lakshmanan
A malicious campaign leveraged seemingly innocuous Android dropper apps on the Google Play Store to compromise users' devices with  banking   malware . These 17 dropper apps, collectively dubbed  DawDropper  by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All these apps in question have been removed from the app marketplace. "DawDropper uses Firebase Realtime Database, a third-party cloud service, to evade detection and dynamically obtain a payload download address," the researchers  said . "It also hosts malicious payloads on GitHub." Droppers are apps designed to sneak past Google's Play Store security checks, following which they are used to download more potent and intrusive malware on a device, in this case,  Octo  (Coper),  Hydra ,  Ermac , and  TeaBot . Attack chains involved the DawDropper malware establishing connections with a Firebase Re
These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware

These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware

July 27, 2022Ravie Lakshmanan
As many as 30 malicious Android apps with cumulative downloads of nearly 10 million have been found on the Google Play Store distributing adware. "All of them were built into various programs, including image-editing software, virtual keyboards, system tools and utilities, calling apps, wallpaper collection apps, and others," Dr.Web  said  in a Tuesday write-up. While masquerading as innocuous apps, their primary goal is to request permissions to show windows over other apps and run in the background in order to serve intrusive ads. To make it difficult for the victims to detect and uninstall the apps, the adware trojans hide their icons from the list of installed apps in the home screen or replace the icons with others that are likely to be less noticed (e.g., SIM Toolkit). Some of these apps also offer the advertised features, as observed in the case of two apps: "Water Reminder- Tracker & Reminder" and "Yoga- For Beginner to Advanced." However
Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France

Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France

July 25, 2022Ravie Lakshmanan
The mobile threat campaign tracked as  Roaming Mantis  has been linked to a new wave of compromises directed against French mobile phone users, months after it expanded its targeting to include European countries. No fewer than 70,000 Android devices are said to have been infected as part of the active malware operation, Sekoia said in a report published last week. Attack chains involving  Roaming Mantis , a financially motivated Chinese threat actor, are known to either deploy a piece of banking trojan named MoqHao (aka XLoader) or redirect iPhone users to credential harvesting landing pages that mimic the iCloud login page. "MoqHao (aka Wroba, XLoader for Android) is an Android remote access trojan (RAT) with information-stealing and backdoor capabilities that likely spreads via SMS," Sekoia researchers  said . It all starts with a phishing SMS, a technique known as smishing, enticing users with package delivery-themed messages containing rogue links, that, when clic
Google Bringing the Android App Permissions Section Back to the Play Store

Google Bringing the Android App Permissions Section Back to the Play Store

July 22, 2022Ravie Lakshmanan
Google on Thursday said it's backtracking on a  recent change  that removed the app permissions list from the Google Play Store for Android across both the mobile app and the web. "Privacy and transparency are core values in the Android community," the Android Developers team  said  in a series of tweets. "We heard your feedback that you find the app permissions section in Google Play useful, and we've decided to reinstate it. The app permissions section will be back shortly." To that end, in addition to showcasing the new Data safety section that offers users a simplified summary of an app's data collection, processing, and security practices, Google also intends to highlight all the permissions required by the app to make sense of its "ability to access specific restricted data and actions." The reinstatement comes as the internet giant moved to swap out the apps permission section with the newer Data safety labels last week ahead of the
Google Adds Support for DNS-over-HTTP/3 in Android to Keep DNS Queries Private

Google Adds Support for DNS-over-HTTP/3 in Android to Keep DNS Queries Private

July 20, 2022Ravie Lakshmanan
Google on Tuesday officially announced support for DNS-over-HTTP/3 (DoH3) for Android devices as part of a Google Play system update designed to keep DNS queries private. To that end, Android smartphones running Android 11 and higher are expected to use DoH3 instead of DNS-over-TLS ( DoT ), which was incorporated into the mobile operating system with Android 9.0. DoH3 is also an alternative to DNS-over-HTTPS ( DoH ), a mechanism for carrying out remote Domain Name System (DNS) resolution through an encrypted connection, effectively preventing third parties from snooping on users' browsing activities. HTTP/3 , the first major upgrade to the hypertext transfer protocol since HTTP/2 was introduced in May 2015, is designed to use a new transport layer protocol called  QUIC  that's already supported by major browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. The low-latency protocol, developed by Google in 2012, relies on the User Datagram Prot
Russian Hackers Tricked Ukrainians with Fake "DoS Android Apps to Target Russia"

Russian Hackers Tricked Ukrainians with Fake "DoS Android Apps to Target Russia"

July 20, 2022Ravie Lakshmanan
Russian threat actors capitalized on the  ongoing conflict  against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites. Google Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and linked to Russia's Federal Security Service (FSB). "This is the first known instance of Turla distributing Android-related malware," TAG researcher Billy Leonard  said . "The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services." It's worth noting that the  onslaught  of  cyberattacks  in the immediate aftermath of Russia's unprovoked invasion of Ukraine prompted the latter to  form an IT Army  to stage counter-DDoS attacks against Russian website
Several New Play Store Apps Spotted Distributing Joker, Facestealer and Coper Malware

Several New Play Store Apps Spotted Distributing Joker, Facestealer and Coper Malware

July 19, 2022Ravie Lakshmanan
Google has taken steps to ax dozens of fraudulent apps from the official Play Store that were spotted propagating Joker, Facestealer, and Coper malware families through the virtual marketplace. While the Android storefront is considered to be a trusted source for discovering and installing apps, bad actors have repeatedly found ways to sneak past security barriers erected by Google in hopes of luring unsuspecting users into downloading malware-laced apps. The latest findings from  Zscaler ThreatLabz  and  Pradeo  are no different. "Joker is one of the most  prominent malware families  targeting Android devices," researchers Viral Gandhi and Himanshu Sharma said in a Monday report. "Despite public awareness of this particular malware, it keeps finding its way into Google's official app store by regularly modifying the malware's trace signatures including updates to the code, execution methods, and payload-retrieving techniques." Categorized as  fleecewa
Google Removes "App Permissions" List from Play Store for New "Data Safety" Section

Google Removes "App Permissions" List from Play Store for New "Data Safety" Section

July 16, 2022Ravie Lakshmanan
Following the launch of a new "Data safety" section for Android apps on the Play Store, Google appears to be readying to remove the app permissions list from both the mobile app and the web. The change was  highlighted  by Esper's Mishaal Rahman earlier this week. The  Data safety  section, which Google began rolling out in late April 2022, is the company's answer to Apple's Privacy Nutrition Labels in iOS, allowing users to have a unified view of an app's data collection and processing practices. To that end, third-party app developers are required to furnish the required details by July 20, 2022. With this deadline now approaching next week, the tech giant has taken the step of entirely removing the permissions section. The decision also appears to be a hasty one, as a number of popular apps such as Facebook, Messenger, Instagram, WhatsApp, Amazon (including Amazon Prime Video), DuckDuckGo, Discord, and PhonePe are yet to populate their Data safety sec
Microsoft Warns About Evolving Capabilities of Toll Fraud Android Malware Apps

Microsoft Warns About Evolving Capabilities of Toll Fraud Android Malware Apps

July 01, 2022Ravie Lakshmanan
Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out its "complex multi-step attack flow" and an improved mechanism to evade security analysis. Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent. It's also different from other  fleeceware threats  in that the malicious functions are only carried out when a compromised device is connected to one of its target network operators. "It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available," Dimitrios Valsamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team  said  in an exhaustive analysis. "Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.