Android | Breaking Cybersecurity News | The Hacker News

The threat actors behind the Windows banking malware known as Casbaneiro has been attributed as behind a novel Android trojan called  BrasDex  that has been observed targeting Brazilian users as part of an ongoing multi-platform campaign. BrasDex features a "complex keylogging system designed to abuse Accessibility Services to extract credentials specifically from a set of Brazilian targeted apps, as well as a highly capable Automated Transfer System ( ATS ) engine," ThreatFabric  said  in a report published last week. The Dutch security firm said that the command-and-control (C2) infrastructure used in conjunction with BrasDex is also being used to control  Casbaneiro , which is known to strike banks and cryptocurrency services in Brazil and Mexico. The  hybrid Android and Windows malware campaign  is estimated to have resulted in thousands of infections to date. BrasDex, which masquerades as a banking app for Banco Santander, is also emblematic of a new trend that in

Researchers have shed light on a new hybrid malware campaign targeting both Android and Windows operating systems in a bid to expand its pool of victims. The attacks entail the use of different malware such as  ERMAC ,  Erbium ,  Aurora , and  Laplas , according to a  ThreatFabric report  shared with The Hacker News. "This campaign resulted in thousands of victims," the Dutch cybersecurity company said, adding, "Erbium stealer successfully exfiltrated data from more then 1,300 victims." The ERMAC infections commence with a fraudulent website that claims to offer Wi-Fi authorization software for Android and Windows that, when installed, comes with features to steal seed phrases from crypto wallets and other sensitive data. ThreatFabric said it also found a number of malicious apps that were trojanized versions of legitimate apps like Instagram, with the operators using them as droppers to deliver the obfuscated malicious payload. The rogue apps, dubbed Zombin

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

Platform certificates used by Android smartphone vendors like Samsung, LG, and MediaTek have been found to be abused to sign malicious apps. The findings were first  discovered and reported  by Google reverse engineer Łukasz Siewierski on Thursday. "A platform certificate is the application signing certificate used to sign the 'android' application on the system image," a report filed through the Android Partner Vulnerability Initiative ( AVPI )  reads . "The 'android' application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data." This effectively means that a rogue application signed with the same certificate can gain the highest level of privileges as the Android operating system, permitting it to harvest all kinds of sensitive information from a compromised device. The list of malicious Android app packages that have abused the certificates is below - com.

Multiple unpatched vulnerabilities have been discovered in three Android apps that allow a smartphone to be used as a remote keyboard and mouse. The apps in question are Lazy Mouse , PC Keyboard , and Telepad , which have been cumulatively downloaded over two million times from the Google Play Store. Telepad is no longer available through the app marketplace but can be downloaded from its website. Lazy Mouse (com.ahmedaay.lazymouse2 and com.ahmedaay.lazymousepro) PC Keyboard (com.beapps.pckeyboard) Telepad (com.pinchtools.telepad) While these apps function by connecting to a server on a desktop and transmitting to it the mouse and keyboard events, the Synopsys Cybersecurity Research Center (CyRC)  found  as many as seven flaws related to weak or missing authentication, missing authorization, and insecure communication. The issues (from CVE-2022-45477 through CVE-2022-45483), in a nutshell, could be exploited by a malicious actor to execute arbitrary commands sans authenticati

More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the  Schoolyard Bully Trojan . Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them. The apps, which were available for download from the official Google Play Store, have now been taken down. That said, they still continue to be available on third-party app stores. "This trojan uses JavaScript injection to steal the Facebook credentials," Zimperium researchers Nipun Gupta and Aazim Bill SE Yaswant said in a report shared with The Hacker News. It achieves this by launching Facebook's login page in a WebView, which also embeds within it malicious JavasCript code to exfiltrate the user's phone number, email address, and password to a configured command-and-control (C2) server. The Schoolyard Bully Trojan further makes use of native libraries such

A malicious Android SMS application discovered on the Google Play Store has been found to stealthily harvest text messages with the goal of creating accounts on a wide range of platforms like Facebook, Google, and WhatsApp. The app, named  Symoo  (com.vanjan.sms), had over 100,000 downloads and functioned as a relay for transmitting messages to a server, which advertises an account creation service. This is achieved by using the phone numbers associated with the infected devices as a means to gather the one-time password that's typically sent to verify the user when setting up new accounts. "The malware asks the phone number of the user in the first screen," security researcher Maxime Ingrao, who discovered the malware,  said , while also requesting for SMS permissions. "Then it pretends to load the application but remains all the time on this page, it is to hide the interface of the received SMS and that the user does not see the SMS of subscriptions to the va

A set of five medium-severity security flaws in Arm's Mali GPU driver has continued to remain unpatched on Android devices for months, despite fixes released by the chipmaker. Google Project Zero, which discovered and reported the bugs, said Arm addressed the shortcomings in July and August 2022. "These fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo, and others)," Project Zero researcher Ian Beer  said  in a report. "Devices with a Mali GPU are currently vulnerable." The vulnerabilities, collectively tracked under the identifiers  CVE-2022-33917  (CVSS score: 5.5) and  CVE-2022-36449  (CVSS score: 6.5), concern a case of improper memory processing, thereby allowing a non-privileged user to gain access to freed memory. The second flaw, CVE-2022-36449, can be further weaponized to write outside of buffer bounds and disclose details of memory mappings, according to an  advisory  issued by Arm. The lis

The cyber espionage group known as Bahamut has been attributed as behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information. The activity, which has been active since January 2022, entails distributing rogue VPN apps through a fake SecureVPN website set up for this purpose, Slovak cybersecurity firm ESET  said  in a new report shared with The Hacker News. At least eight different variants of the spyware apps have been discovered to date, with them being trojanized versions of legitimate VPN apps like SoftVPN and OpenVPN . None of these apps are available on Google Play Store. The tampered apps and their updates are pushed to users through the fraudulent website. It's also suspected that the targets are carefully selected, since launching the app requires the victim to enter an activation key to enable the features. This implies the use of an undetermined distribution vector, although past evidence s

The Android banking fraud malware known as SharkBot has reared its head once again on the official Google Play Store, posing as file managers to bypass the app marketplace's restrictions. A majority of the users who downloaded the rogue apps are located in the U.K. and Italy, Romanian cybersecurity company Bitdefender  said  in an analysis published this week. SharkBot, first  discovered  towards the end of 2021 by Cleafy, is a  recurring   mobile   threat  distributed both on the Google Play Store and other third-party app stores. One of the trojan's primary goals is to initiate money transfers from compromised devices via a technique called "Automatic Transfer System" ( ATS ), in which a transaction triggered via a banking app is intercepted to swap the payee account with an actor-controlled account in the background. It's also capable of serving a fake login overlay when users attempt to open legitimate banking apps, stealing the credentials in the proce

Internet behemoth Google on Tuesday said it plans to roll out Privacy Sandbox for Android in beta to mobile devices running Android 13 starting early next year. "The Privacy Sandbox Beta will be available for ad tech and app developers who wish to test the ads-related APIs as part of their solutions," the company  said . To that end, developers will need to complete an enrollment process in order to utilize the ads-related APIs, including  Topics ,  FLEDGE , and  Attribution Reporting . Topics, which  replaced  Federated Learning of Cohorts (FLoC) earlier this year, aims to categorize user interests under different "topics" based on their device web browsing history. These inferred interests are then shared with marketers to serve targeted ads. FLEDGE and Attribution reporting, on the other hand, enable custom audience targeting and help measure  ad conversions  without relying on cross-party user identifiers, respectively. Organizations can also request acce

Google has removed two new malicious dropper apps that have been detected on the Play Store for Android, one of which posed as a lifestyle app and was caught distributing the Xenomorph banking malware. "Xenomorph is a trojan that steals credentials from banking applications on users' devices," Zscaler ThreatLabz researchers Himanshu Sharma and Viral Gandhi  said  in an analysis published Thursday. "It is also capable of intercepting users' SMS messages and notifications, enabling it to steal one-time passwords and multi-factor authentication requests." The cybersecurity firm said it also found an expense tracker app that exhibited similar behavior, but noted that it couldn't extract the URL used to fetch the malware artifact. The two malicious apps are as follows - Todo: Day manager (com.todo.daymanager) 経費キーパー (com.setprice.expenses) Both the apps function as a dropper, meaning the apps themselves are harmless and are a conduit to retrieve t

Cybersecurity researchers are warning of "massive phishing campaigns" that distribute five different malware targeting banking users in India. "The bank customers targeted include account subscribers of seven banks, including some of the most well-known banks located in the country and potentially affecting millions of customers," Trend Micro  said  in a report published this week. Some of the targeted banks include Axis Bank, ICICI Bank, and the State Bank of India (SBI), among others. The infection chains all have a common entry point in that they rely on SMS messages containing a phishing link that urge potential victims to enter their personal details and credit card information to supposedly get a tax refund or gain credit card reward points. The smishing attacks, which deliver Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy, are just the latest in a series of similar rewards-themed malware campaigns that have been documented by  Microsoft, Cyble , and  K

Google has resolved a high-severity security issue affecting all Pixel smartphones that could be trivially exploited to unlock the devices. The vulnerability, tracked as  CVE-2022-20465  and reported by security researcher David Schütz in June 2022, was remediated as part of the search giant's  monthly Android update  for November 2022. "The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user's device," Schütz, who was awarded $70,000 for the lock screen bypass,  said  in a write-up of the flaw. The problem, per the researcher, is rooted in the fact that lock screen protections are completely defeated when following a specific sequence of steps - Supply incorrect fingerprint three times to disable biometric authentication on the locked device Hot swap  the SIM card in the device with an attacker-controlled SIM that has a PIN code set up Enter incorrect SIM pin thric

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign. The apps, published by a developer named  Mobile apps Group  and currently available on the Play Store, have been collectively downloaded over one million times. According to  Malwarebytes , the websites are designed to generate revenues through pay-per-click ads, and worse, prompt users to install cleaner apps on their phones with the goal of deploying additional malware. The list of apps is as follows - Bluetooth App Sender (com.bluetooth.share.app) - 50,000+ downloads Bluetooth Auto Connect (com.bluetooth.autoconnect.anybtdevices) - 1,000,000+ downloads Driver: Bluetooth, Wi-Fi, USB (com.driver.finder.bluetooth.wifi.usb) - 10,000+ downloads Mobile transfer: smart switch (com.mobile.faster.transfer.smart.switch) - 1,000+ downloads It's no surprise that malicious apps have  devised new ways  to ge

A previously undocumented Android spyware campaign has been found striking Persian-speaking individuals by masquerading as a seemingly harmless VPN application. Russian cybersecurity firm Kaspersky is tracking the campaign under the moniker  SandStrike . It has not been attributed to any particular threat group. "SandStrike is distributed as a means to access resources about the  Bahá'í religion  that are banned in Iran," the company noted in its  APT trends report  for the third quarter of 2022. While the app is ostensibly designed to provide victims with a VPN connection to bypass the ban, it's also configured to covertly siphon data from the victims' devices, such as call logs, contacts, and even connect to a remote server to fetch additional commands. The booby-trapped VPN service, while fully functional, is said to be distributed via a Telegram channel controlled by the adversary. Links to the channel are also advertised on fabricated social media acco

Five malicious dropper Android apps with over 130,000 cumulative installations have been discovered on the Google Play Store distributing banking trojans like  SharkBot  and  Vultur , which are capable of stealing financial data and performing on-device fraud. "These droppers continue the unstopping evolution of malicious apps sneaking to the official store," Dutch mobile security firm ThreatFabric told The Hacker News in a statement. "This evolution includes following newly introduced policies and masquerading as file managers and overcoming limitations by side-loading the malicious payload through the web browser." Targets of these  droppers  include 231 banking and cryptocurrency wallet apps from financial institutions in Italy, the U.K., Germany, Spain, Poland, Austria, the U.S., Australia, France, and the Netherlands. Dropper apps on official app stores like Google Play have  increasingly   become  a popular and efficient technique to distribute banking m

As many as 16 malicious apps with over 20 million cumulative downloads have been taken down from the Google Play Store after they were caught committing mobile ad fraud. The  Clicker  malware masqueraded as seemingly harmless utilities like cameras, currency/unit converters, QR code readers, note-taking apps, and dictionaries, among others, in a bid to trick users into downloading them, cybersecurity firm McAfee  said . The list of offending apps is as follows - High-Speed Camera (com.hantor.CozyCamera) - 10,000,000+ downloads Smart Task Manager (com.james.SmartTaskManager) - 5,000,000+ downloads Flashlight+ (kr.caramel.flash_plus) - 1,000,000+ downloads 달력메모장 (com.smh.memocalendar) - 1,000,000+ downloads K-Dictionary (com.joysoft.wordBook) - 1,000,000+ downloads BusanBus (com.kmshack.BusanBus) - 1,000,000+ downloads Flashlight+ (com.candlencom.candleprotest) - 500,000+ downloads Quick Note (com.movinapp.quicknote) - 500,000+ downloads Currency Converter (com.smartwho.Sma

An unofficial version of the popular WhatsApp messaging app called YoWhatsApp has been observed deploying an Android trojan known as Triada. The goal of the malware is to steal the keys that "allow the use of a WhatsApp account  without the app ," Kaspersky  said  in a new report. "If the keys are stolen, a user of a malicious WhatsApp mod can lose control over their account." YoWhatsApp offers the ability for users to lock chats, send messages to unsaved numbers, and customize the app with a variety of theming options. It's also said to share overlaps with other modded WhatsApp clients such as FMWhatsApp and HeyMods. The Russian cybersecurity company said it found the malicious functionality in YoWhatsApp version 2.22.11.75. Typically spread through fraudulent ads on Snaptube and Vidmate, the app, upon installation, requests the victims to grant it permissions to access SMS messages, enabling the malware to enroll them to paid subscriptions without their

Malicious actors are resorting to voice phishing (vishing) tactics to dupe victims into installing Android malware on their devices, new research from ThreatFabric reveals. The Dutch mobile security company said it identified a network of phishing websites targeting Italian online-banking users that are designed to get hold of their contact details. Telephone-oriented attack delivery (TOAD), as the social engineering technique is called, involves calling the victims using previously collected information from the fraudulent websites. The caller, who purports to be a support agent for the bank, instructs the individual on the other end of the call to install a security app and grant it extensive permissions, when, in reality, it's malicious software intended to gain remote access or conduct financial fraud. In this case, it leads to the deployment of an Android malware dubbed  Copybara , a mobile trojan first detected in November 2021 and is primarily used to perform on-devic

Google on Wednesday officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome. "Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant  said . "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks." The feature was  first announced  in May 2022 as part of a broader push to support a common passwordless sign-in standard. Passkeys, established by the FIDO Alliance and also backed by  Apple and Microsoft , aim to replace standard passwords with unique digital keys that are stored locally on the device. To that end, creating a passkey requires confirmation from the end-user about the account that will be used to log in to the online service, followed by using their biometric information or the  device   passcode . Signing in to a website on a mobile device is also a simple two-step process that en