#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

Google Play Store | Breaking Cybersecurity News | The Hacker News

'eXotic Visit' Spyware Campaign Targets Android Users in India and Pakistan

'eXotic Visit' Spyware Campaign Targets Android Users in India and Pakistan

Apr 10, 2024 Mobile Security / Spyware
An active Android malware campaign dubbed eXotic Visit has been primarily targeting users in South Asia, particularly those in India and Pakistan, with malware distributed via dedicated websites and Google Play Store. Slovak cybersecurity firm said the activity, ongoing since November 2021, is not linked to any known threat actor or group. It's tracking the group behind the operation under the name  Virtual Invaders . "Downloaded apps provide legitimate functionality, but also include code from the open-source Android  XploitSPY RAT ," ESET security researcher Lukáš Štefanko  said  in a technical report released today. The campaign is said to be highly targeted in nature, with the apps available on Google Play having negligible number of installs ranging from zero to 45. The apps have since been taken down. The fake-but-functional apps primarily masquerade as messaging services like Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Mes
Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals

Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals

Apr 01, 2024 Botnet / Mobile Security
Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store. The findings come from HUMAN's Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that transformed the user's device into a proxy node without their knowledge. The operation has been codenamed  PROXYLIB  by the company. The 29 apps in question have since been removed by Google. Residential proxies are a network of proxy servers sourced from real IP addresses provided by internet service providers (ISPs), helping users hide their actual IP addresses by routing their internet traffic through an intermediary server. The anonymity benefits aside, they are ripe for abuse by threat actors to not only obfuscate their origins, but also to conduct a wide range of attacks. "When a threat actor uses a residential proxy, the traffic from these
Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

Apr 15, 2024Active Directory / Attack Surface
To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to  privileged identity management  aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.  What is JIT and why is it important?   JIT privileged access provisioning  involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so. One of the key advantages of JIT provisioning
Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries

Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries

Feb 19, 2024 Malware / Mobile Security
The Android banking trojan known as  Anatsa  has expanded its focus to include Slovakia, Slovenia, and Czechia as part of a new campaign observed in November 2023. "Some of the droppers in the campaign successfully exploited the accessibility service, despite Google Play's enhanced detection and protection mechanisms," ThreatFabric  said  in a report shared with The Hacker News. "All droppers in this campaign have demonstrated the capability to bypass the restricted settings for accessibility service in Android 13." The campaign, in total, involves five droppers with more than 100,000 total installations. Also known by the name TeaBot and Toddler, Anatsa is known to be distributed under the guise of seemingly innocuous apps on the Google Play Store. These apps, called droppers, facilitate the installation of the malware by circumventing security measures imposed by Google that seek to grant sensitive permissions. In June 2023, the Dutch mobile security firm
cyber security

WATCH: The SaaS Security Challenge in 90 Seconds

websiteAdaptive ShieldSaaS Security / Cyber Threat
Discover how you can overcome the SaaS security challenge by securing your entire SaaS stack with SSPM.
New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices

New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices

Dec 27, 2023 Privacy / App Security
A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices. Dubbed  Xamalicious  by the McAfee Mobile Research Team, the malware is so named for the fact that it's developed using an open-source mobile app framework called Xamarin and abuses the operating system's accessibility permissions to fulfill its objectives. It's also capable of gathering metadata about the compromised device and contacting a command-and-control (C2) server to fetch a second-stage payload, but only after determining if it fits the bill. The second stage is "dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions financially motivated without user consent," security researcher Fernando Ruiz  said . The cybersecurity firm said it identified 25 apps that come with this active thr
SpyLoan Scandal: 18 Malicious Loan Apps Defraud Millions of Android Users

SpyLoan Scandal: 18 Malicious Loan Apps Defraud Millions of Android Users

Dec 11, 2023 Data Security / Mobile Security
Cybersecurity researchers have discovered 18  malicious loan apps  for Android on the Google Play Store that have been collectively downloaded over 12 million times. "Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims' personal and financial information to blackmail them, and in the end gain their funds," ESET  said . The Slovak cybersecurity company is tracking these apps under the name  SpyLoan , noting they are designed to target potential borrowers located in Southeast Asia, Africa, and Latin America. The list of apps, which have now been taken down by Google, is below - AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android) Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo) Oro Préstamo - Efectivo rápido (com.app.lo.go) Cashwow (com.cashwow.cow.eg) CrediBus Préstamos de crédito (com.dinero.profin.pr
Malicious Apps Disguised as Banks and Government Agencies Targeting Indian Android Users

Malicious Apps Disguised as Banks and Government Agencies Targeting Indian Android Users

Nov 21, 2023 Android Security / Cryptocurrency
Android smartphone users in India are the target of a new malware campaign that employs social engineering lures to install fraudulent apps that are capable of harvesting sensitive data. "Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities," Microsoft threat intelligence researchers Abhishek Pustakala, Harshita Tripathi, and Shivang Desai  said  in a Monday analysis. The ultimate goal of the operation is to capture banking details, payment card information, account credentials, and other personal data. The attack chains involve sharing malicious APK files via social media messages sent on WhatsApp and Telegram by falsely presenting them as banking apps and inducing a sense of urgency by claiming that the targets' bank accounts will be blocked unless they update their permanent a
Google Play Store Highlights 'Independent Security Review' Badge for VPN Apps

Google Play Store Highlights 'Independent Security Review' Badge for VPN Apps

Nov 04, 2023 Mobile Security / Android
Google is rolling out a new banner to highlight the "Independent security review" badge in the Play Store's Data safety section for Android VPN apps that have undergone a Mobile Application Security Assessment ( MASA ) audit. "We've launched this banner beginning with VPN apps due to the sensitive and significant amount of user data these apps handle," Nataliya Stanetsky of the Android Security and Privacy Team  said . MASA allows developers to have their apps independently validated against a global security standard such as the Mobile Application Security Verification Standard ( MASVS ), thereby providing more transparency and enabling users to make informed choices prior to downloading them. The efforts are part of Google's broader push to make the Data safety section a  one-stop   shop  that presents a "unified view of app safety," offering details about the kind of data that's being collected, for what purpose, and if it's be
Millions Infected by Spyware Hidden in Fake Telegram Apps on Google Play

Millions Infected by Spyware Hidden in Fake Telegram Apps on Google Play

Sep 09, 2023 Mobile Security / Spyware
Spyware masquerading as modified versions of Telegram have been spotted in the Google Play Store that's designed to harvest sensitive information from compromised Android devices. According to Kaspersky security researcher Igor Golovin, the apps come with  nefarious features  to capture and exfiltrate names, user IDs, contacts, phone numbers, and chat messages to an actor-controlled server. The activity has been codenamed  Evil Telegram  by the Russian cybersecurity company. The apps have been collectively downloaded millions of times before they were taken down by Google. Their details are as follows - 電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) - 10 million+ downloads TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) - 50,000+ downloads 电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) - 50,000+ downloads 电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) - 10,000+ downloads ئۇيغۇر تىلى TG - تېلېگرامما (org.telegram.messenger.wcb) - 100+ downloads The last app on the list tran
Thousands of Android Malware Apps Using Stealthy APK Compression to Evade Detection

Thousands of Android Malware Apps Using Stealthy APK Compression to Evade Detection

Aug 19, 2023 Mobile Security / Malware
Threat actors are using Android Package (APK) files with unknown or unsupported compression methods to elude malware analysis. That's according to findings from Zimperium, which found 3,300 artifacts leveraging such compression algorithms in the wild. 71 of the identified samples can be loaded on the operating system without any problems. There is no evidence that the apps were available on the Google Play Store at any point in time, indicating that the apps were distributed through other means, typically via untrusted app stores or social engineering to trick the victims into sideloading them. The APK files use "a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analyzed," security researcher Fernando Ortega  said . "In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method." The advantage of such an approach is its abilit
Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play Store Scanners

Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play Store Scanners

Aug 03, 2023 Mobile Security / Malware
Threat actors are leveraging a technique called versioning to evade Google Play Store's malware detections and target Android users. "Campaigns using versioning commonly target users' credentials, data, and finances," Google Cybersecurity Action Team (GCAT)  s aid  in its August 2023 Threat Horizons Report shared with The Hacker News. While versioning is not a new phenomenon, it's sneaky and hard to detect. In this method, a developer releases an initial version of an app on the Play Store that passes Google's pre-publication checks, but is later updated with a malware component. This is achieved by pushing an update from an attacker-controlled server to serve malicious code on the end user device using a method called dynamic code loading (DCL), effectively turning the app into a backdoor. Earlier this May, ESET  discovered  a screen recording app named "iRecorder - Screen Recorder" that remained innocuous for nearly a year after it was first
Two Spyware Apps on Google Play with 1.5 Million Users Sending Data to China

Two Spyware Apps on Google Play with 1.5 Million Users Sending Data to China

Jul 08, 2023 Mobile Security / Spyware
Two file management apps on the Google Play Store have been discovered to be spyware, putting the privacy and security of up to 1.5 million Android users at risk. These apps engage in deceptive behaviour and secretly send sensitive user data to malicious servers in China. Pradeo, a leading mobile security company, has uncovered this alarming infiltration. The report shows that both spyware apps, namely File Recovery and Data Recovery (com.spot.music.filedate) with over 1 million installs, and File Manager (com.file.box.master.gkd) with over 500,000 installs, are developed by the same group. These seemingly harmless Android apps use similar malicious tactics and automatically launch when the device reboots without user input. Contrary to what they claim on the Google Play Store, where both apps assure users that no data is collected, Pradeo's analytics engine has found that various personal information is collected without users' knowledge. Stolen data includes contact list
Vishing Goes High-Tech: New 'Letscall' Malware Employs Voice Traffic Routing

Vishing Goes High-Tech: New 'Letscall' Malware Employs Voice Traffic Routing

Jul 07, 2023 Mobile Security / Malware
Researchers have issued a warning about an emerging and advanced form of voice phishing ( vishing ) known as " Letscall ." This technique is currently targeting individuals in South Korea. The criminals behind "Letscall" employ a multi-step attack to deceive victims into downloading malicious apps from a counterfeit Google Play Store website. Once the malicious software is installed, it redirects incoming calls to a call center under the control of the criminals. Trained operators posing as bank employees then extract sensitive information from unsuspecting victims. To facilitate the routing of voice traffic, "Letscall" utilizes cutting-edge technologies such as voice over IP (VOIP) and WebRTC. It also makes use of Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols, including Google STUN servers, to ensure high-quality phone or video calls and bypass NAT and firewall restrictions. The "Letscall&quo
Rogue Android Apps Target Pakistani Individuals in Sophisticated Espionage Campaign

Rogue Android Apps Target Pakistani Individuals in Sophisticated Espionage Campaign

Jun 20, 2023 Cyber Espionage / Mobile Security
Individuals in the Pakistan region have been targeted using two rogue Android apps available on the Google Play Store as part of a new targeted campaign. Cybersecurity firm Cyfirma attributed the campaign with moderate confidence to a threat actor known as  DoNot Team , which is also tracked as APT-C-35 and Viceroy Tiger. The espionage activity involves duping Android smartphone owners into downloading a program that's used to extract contact and location data from unwitting victims. "The motive behind the attack is to gather information via the stager payload and use the gathered information for the second-stage attack, using malware with more destructive features," the company  said . DoNot Team  is a suspected India-nexus threat actor that has a reputation for carrying out attacks against various countries in South Asia. It has been active since at least 2016. While an October 2021 report from Amnesty International linked the group's attack infrastructure to
Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads

Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads

May 05, 2023 Mobile Security / Android
A new Android subscription malware named  Fleckpe  has been unearthed on the Google Play Store, amassing more than 620,000 downloads in total since 2022. Kaspersky, which identified 11 apps on the official app storefront, said the malware masqueraded as legitimate photo editing apps, camera, and smartphone wallpaper packs. The apps have since been taken down. The operation primarily targets users from Thailand, although telemetry data gathered by the Russian cybersecurity firm has revealed victims in Poland, Malaysia, Indonesia, and Singapore. The apps further offer the promised functionality to avoid raising red flags, but conceal their real purpose under the hood. The list of the offending apps is as follows - Beauty Camera Plus (com.beauty.camera.plus.photoeditor) Beauty Photo Camera (com.apps.camera.photos) Beauty Slimming Photo Editor (com.beauty.slimming.pro) Fingertip Graffiti (com.draw.graffiti) GIF Camera Editor (com.gif.camera.editor) HD 4K Wallpaper (com.hd.h4ks.
Cybercriminals Turn to Android Loaders on Dark Web to Evade Google Play Security

Cybercriminals Turn to Android Loaders on Dark Web to Evade Google Play Security

Apr 11, 2023 Mobile Security / Malware
Malicious loader programs capable of trojanizing Android applications are being traded on the criminal underground for up to $20,000 as a way to evade Google Play Store defenses. "The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners, and even dating apps," Kaspersky  said  in a new report based on messages posted on online forums between 2019 and 2023. Dropper apps  are the primary means for threat actors looking to sneak malware via the Google Play Store. Such apps often masquerade as seemingly innocuous apps, with malicious updates introduced upon clearing the review process and the applications have amassed a significant user base. This is achieved by using a loader program that's responsible for injecting malware into a clean app, which is then made available for download from the app marketplace. Users who install the tampered app are prompted to grant it intrusive permiss
Even Top-Ranked Android Apps in Google Play Store Provide Misleading Data Safety Labels

Even Top-Ranked Android Apps in Google Play Store Provide Misleading Data Safety Labels

Feb 24, 2023 Privacy / Data Safety
An investigation into data safety labels for Android apps available on the Google Play Store has uncovered "serious loopholes" that allow apps to provide misleading or outright false information. The  study , conducted by the Mozilla Foundation as part of its  *Privacy Not Included  initiative, compared the privacy policies and labels of the 20 most popular paid apps and the 20 most popular free apps on the app marketplace. It  found  that, in roughly 80% of the apps reviewed, "the labels were false or misleading based on discrepancies between the apps' privacy policies and the information apps self-reported on Google's  Data safety form ." "The apps aren't self-reporting accurately enough to give the public any meaningful reassurance about the safety and privacy of their data," Mozilla further said, adding consumers are being led to "believe these apps are doing a better job protecting their privacy than they are." Three of the
Cybersecurity Resources