Android | Breaking Cybersecurity News | The Hacker News

An emerging Android banking trojan dubbed  Nexus  has already been adopted by several threat actors to target 450 financial applications and conduct fraud. "Nexus appears to be in its early stages of development," Italian cybersecurity firm Cleafy  said  in a report published this week. "Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception." The trojan, which appeared in various hacking forums at the start of the year, is advertised as a subscription service to its clientele for a monthly fee of $3,000. Details of the malware were  first documented  by Cyble earlier this month. However, there are indications that the malware may have been used in real-world attacks as early as June 2022, at least six months before its official announcement on darknet portals. According to security researcher Rohit Bansal ( @0xrb ) and confirmed by t

A banking trojan dubbed  Mispadu  has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads. The activity, which commenced in August 2022, is currently ongoing, the Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Mispadu  (aka URSA) was  first documented  by ESET in November 2019, describing its ability to perpetrate monetary and credential theft and act as a backdoor by taking screenshots and capturing keystrokes. "One of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into their command-and-control server to spread malware from there, filtering out countries they do not wish to infect, dropping different type of malware based on the country being infected," researchers Fernando García and Dan Regalado said. It's a

The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

An Android voice phishing (aka vishing) malware campaign known as FakeCalls has reared its head once again to target South Korean users under the guise of over 20 popular financial apps. "FakeCalls malware possesses the functionality of a Swiss army knife, able not only to conduct its primary aim but also to extract private data from the victim's device," cybersecurity firm Check Point said . FakeCalls was previously documented by Kaspersky in April 2022, describing the malware's capabilities to imitate phone conversations with a bank customer support agent. In the observed attacks, users who install the rogue banking app are enticed into calling the financial institution by offering a fake low-interest loan. At the point where the phone call actually happens, a pre-recorded audio with instructions from the real bank is played. Simultaneously, the malware conceals the phone number with the bank's legitimate number to give the impression that a conversation

A new variant of the Android banking trojan named Xenomorph has surfaced in the wild, latest findings from ThreatFabric reveal. Named " Xenomorph 3rd generation " by the Hadoken Security Group, the threat actor behind the operation, the updated version comes with new features that allow it to perform financial fraud in a seamless manner. "This new version of the malware adds many new capabilities to an already feature-rich Android banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete  ATS framework ," the Dutch security firm  said  in a report shared with The Hacker News. Xenomorph  first came to light  a year ago in February 2022, when it was found to target 56 European banks through  dropper apps  published on the Google Play Store. In contrast, the latest iteration of the banker – which has a dedicated website advertising its features – is designed to targe

A suspected Pakistan-aligned advanced persistent threat (APT) group known as  Transparent Tribe  has been linked to an ongoing cyber espionage campaign targeting Indian and Pakistani Android users with a backdoor called  CapraRAT . "Transparent Tribe distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp," ESET  said  in a report shared with The Hacker News. As many as 150 victims, likely with military or political leanings, are estimated to have been targeted, with the malware (APK package name " com.meetup.chat ") available to download from fake websites that masquerade as the official distribution centers of these apps. It's being suspected that the targets are lured through a honeytrap romance scam wherein the threat actor approaches the victims via another platform and persuades them to install the malware-laced apps under the pretext of "secure" messaging and calling. Howeve

An older version of Shein's  Android application  suffered from a bug that periodically captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team said it  discovered  the problem in  version 7.9.2  of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022. Shein, originally named ZZKKO, is a Chinese online fast fashion retailer based in Singapore. The app, which is currently at version 9.0.0, has over 100 million downloads on the Google Play Store. The tech giant  said  it's not "specifically aware of any malicious intent behind the behavior," but noted that the function isn't necessary to perform tasks on the app. It further pointed out that launching the application after copying any content to the device clipboard automatically triggered an HTTP POST request containing the data to the server "api-service[.]shein[.]com." To mitigate such privacy risks, Goo

Google said it's working with ecosystem partners to harden the security of firmware that interacts with Android. While the Android operating system runs on what's called the application processor (AP), it's just one of the many processors of a system-on-chip ( SoC ) that cater to various tasks like cellular communications and multimedia processing. "Securing the Android Platform requires going beyond the confines of the Application Processor," the Android team  said . "Android's defense-in-depth strategy also applies to the firmware running on  bare-metal environments  in these microcontrollers, as they are a critical part of the attack surface of a device." The tech giant said the goal is to bolster the security of software running on these secondary processors (i.e., firmware) and make it harder to exploit vulnerabilities over the air to achieve remote code execution within the Wi-Fi SoC or the cellular baseband. To that end, Google noted tha

An investigation into data safety labels for Android apps available on the Google Play Store has uncovered "serious loopholes" that allow apps to provide misleading or outright false information. The  study , conducted by the Mozilla Foundation as part of its  *Privacy Not Included  initiative, compared the privacy policies and labels of the 20 most popular paid apps and the 20 most popular free apps on the app marketplace. It  found  that, in roughly 80% of the apps reviewed, "the labels were false or misleading based on discrepancies between the apps' privacy policies and the information apps self-reported on Google's  Data safety form ." "The apps aren't self-reporting accurately enough to give the public any meaningful reassurance about the safety and privacy of their data," Mozilla further said, adding consumers are being led to "believe these apps are doing a better job protecting their privacy than they are." Three of the

Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign. The findings come from South Korea-based non-profit Interlab, which coined the new malware  RambleOn . The malicious functionalities include the "ability to read and leak target's contact list, SMS, voice call content, location and others from the time of compromise on the target," Interlab threat researcher Ovi Liber  said  in a report published this week. The spyware camouflages as a secure chat app called Fizzle ( ch.seme ), but in reality, acts as a conduit to deliver a next-stage payload hosted on pCloud and Yandex. The chat app is said to have been sent as an Android Package (APK) file over WeChat to the targeted journalist on December 7, 2022, under the pretext of wanting to discuss a sensitive topic. The primary purpose of RambleOn is to function as a loader for another APK file ( com.data.WeCoin ) while

Google announced on Tuesday that it's officially rolling out  Privacy Sandbox on Android  in beta to eligible mobile devices running Android 13. "The Privacy Sandbox Beta provides new APIs that are designed with privacy at the core, and don't use identifiers that can track your activity across apps and websites," the search and advertising giant  said . "Apps that choose to participate in the Beta can use these APIs to show you relevant ads and measure their effectiveness." Devices that have been selected for the Beta test will have a Privacy Sandbox section within Settings so as to allow users to control their participation as well as view and manage their top interests as determined by the  Topics API  to serve relevant ads. The initial  Topics taxonomy  is set to include somewhere between a few hundred and a few thousand topics,  according to Google , and will be human-curated to exclude sensitive topics. The Beta test is expected to start off with

A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate. "PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS ( Automatic Transfer System ), enabling attackers to automate the insertion of a malicious money transfer over the instant payment platform PIX, adopted by multiple Brazilian banks," researchers Francesco Iubatti and Alessandro Strino  said . It is also the latest addition in a long list of Android banking malware to abuse the operating system's accessibility services API to carry out its nefarious functions, including disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and serving rogue ads via push notifications. Besides stealing passwords entered

Threat actors associated with the Roaming Mantis attack campaign have been observed delivering an updated variant of their patent mobile malware known as Wroba to infiltrate Wi-Fi routers and undertake Domain Name System ( DNS ) hijacking. Kaspersky, which carried out an  analysis  of the malicious artifact, said the feature is designed to target specific Wi-Fi routers located in South Korea. Roaming Mantis, also known as Shaoye, is a long-running financially motivated operation that singles out Android smartphone users with malware capable of stealing bank account credentials as well as harvesting other kinds of sensitive information. Although primarily  targeting the Asian region  since 2018, the hacking crew was detected  expanding  its  victim range  to include France and Germany for the first time in early 2022 by camouflaging the malware as the Google Chrome web browser application. The attacks leverage smishing messages as the initial intrusion vector of choice to deliver

The threat actor behind the  BlackRock  and  ERMAC  Android banking trojans has unleashed yet another malware for rent called  Hook  that introduces new capabilities to access files stored in the devices and create a remote interactive session. ThreatFabric, in a  report  shared with The Hacker News, characterized Hook as a novel ERMAC fork that's advertised for sale for $7,000 per month while featuring "all the capabilities of its predecessor." "In addition, it also adds to its arsenal Remote Access Tooling (RAT) capabilities, joining the ranks of families such as  Octo  and  Hydra , which are capable performing a full Device Take Over (DTO), and complete a full fraud chain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels," the Dutch cybersecurity firm said. A majority of the financial apps targeted by the malware are located in the U.S., Spain, Australia, Poland, Canada, Turkey, the U.K., Fran

A variant of the infamous Dridex banking malware has set its sights on Apple's macOS operating system using a previously undocumented infection method, according to latest research. It has "adopted a new technique to deliver documents embedded with malicious macros to users without having to pretend to be invoices or other business-related files," Trend Micro researcher Armando Nathaniel Pedragoza  said  in a technical report. Dridex , also called Bugat and Cridex, is an information stealer that's known to harvest sensitive data from infected machines and deliver and execute malicious modules. It's attributed to an e-crime group known as Evil Corp (aka Indrik Spider). The malware is also considered to be a successor of  Gameover Zeus , itself a follow-up to another banking trojan called Zeus. Previous Dridex campaigns targeting Windows have  leveraged  macro-enabled Microsoft Excel documents sent via phishing emails to deploy the payload. A law enforcement o

Popular instant messaging service WhatsApp has launched support for proxy servers in the latest version of its Android and iOS apps, letting users circumvent government-imposed censorship and internet shutdowns. "Choosing a proxy enables you to connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely," the Meta-owned company  said . Proxies act as an intermediary between end users and the service provider by routing requests originating from a client to the server and forwarding the response back to the device. Users can  access the option  by navigating to Settings > Storage and Data > Proxy > Use Proxy and entering a trusted proxy server address. WhatsApp, which is used by more than two billion users across the world, has also made available a  reference implementation  that can be used to set up a proxy server to help others connect to the service. The company emphasized that

Financial institutions are being targeted by a new version of Android malware called SpyNote at least since October 2022 that combines both spyware and banking trojan characteristics. "The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric  said  in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions." Some of the notable institutions that are impersonated by the malware include Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank. SpyNote (aka SpyMax) is feature-rich and comes with a plethora of capabilities that allows it to install arbitrary; gather SMS messages, calls, videos, and audio recordings; track GPS locations; and even hinder efforts to uninstall the app. It also follows the modus operandi of other  banking   malware  by requesting for p

Decentralized multi-chain crypto wallet BitKeep on Wednesday confirmed a cyber attack that allowed threat actors to distribute fraudulent versions of its Android app with the goal of stealing users' digital currencies. "With maliciously implanted code, the altered APK led to the leak of user's private keys and enabled the hacker to move funds," BitKeep CEO Kevin Como  said , describing it as a "large-scale hacking incident." According to blockchain security company  PeckShield  and multi-chain blockchain explorer  OKLink , an estimated  $9.9 million  worth of assets have been plundered so far. "Funds stolen are on BNB Chain, Ethereum, TRON and Polygon," BitKeep further  noted  in a series of tweets. "More than 200 addresses on the other three chains were used in the heist, and all funds were transferred to two main addresses in the end." The incident is said to have taken place on December 26, 2022, with the threat actor exploiting

An Android banking trojan known as  GodFather  is being used to target users of more than 400 banking and cryptocurrency apps spanning across 16 countries. This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, Canada, and Canada, among others, Singapore-headquartered Group-IB  said  in a report shared with The Hacker News. The malware, like  many   financial   trojans  targeting the Android ecosystem, attempts to steal user credentials by generating convincing overlay screens (aka web fakes) that are served atop target applications. First detected by Group-IB in June 2021 and  publicly disclosed  by ThreatFabric in March 2022, GodFather also packs in native backdoor features that allows it to abuse Android's Accessibility APIs to record videos, log keystrokes, capture screenshots, and harvest SMS and call logs. Group-IB's analysis of the malware has revealed it to be a successor of  Anubis