
Monday, January 13, 2020

New Android malware on Play Store disables Play Protect to evade detection

By Sudais, 13/01/2020, on HackHead


This malware switches off Google Play Protect, the on-device scanner Google relies on to catch malware-infected apps from the Play Store.

While the Android and iOS camps argue endlessly about which platform has the edge, there is one area where iOS still leads by a wide margin: security. The latest example is a trojan that Kaspersky Lab found hiding in an app on the Play Store.

Dubbed "Trojan-Dropper.AndroidOS.Shopper.a", the trojan lures users into installing it by using a system-style icon and a name resembling that of a legitimate Android app. Once the victim takes the bait, it starts by collecting device information, both sensitive and less so: the IMEI, the IMSI, the network type and the country the device is in.

It then sends that data to its command and control (C&C) server, from which the operators coordinate their next moves. These include tasks such as "Opening links received from the remote server in an invisible window (whereby the malware verifies that the user is connected to a mobile network)", as the researchers put it.

It does not end there. The trojan also boosts the popularity of other malicious apps from the same campaign on the Play Store by posting glowing reviews for them, and it installs apps from the third-party store Apkpure[.]com, leaving the victim with little to do.

It achieves this by abusing the Android accessibility service, a feature intended to assist users with disabilities, to drive the user interface on the victim's behalf. To avoid detection, it also switches off Google Play Protect, the built-in scanner meant to protect Android users from exactly this kind of malware. According to the statistics released by the researchers, the trojan is most widespread in Russia, with 28.46% of infected users, followed by Brazil at 18.70% and India at 14.23%.

Tuesday, September 19, 2017

Yet Another Android Malware Infects Over 4.2 Million Google Play Store Users

Swati Khandelwal, 14/09/2017, on The Hacker News

Despite Google's efforts, malicious apps keep slipping past the Play Store's anti-malware checks and infecting users.

It has happened again: at least 50 apps made their way onto the Google Play Store and were downloaded as many as 4.2 million times, one of the largest malware outbreaks on the store to date.

Security firm Check Point published a blog post on Thursday identifying at least 50 Android apps that were free to download from the official Play Store and were downloaded between 1 million and 4.2 million times before Google removed them.

The apps carry a hidden malware payload that secretly registers victims for paid online services and sends premium-rate text messages from their phones, leaving the victims to pay the bill, all without their knowledge or consent.

Dubbed ExpensiveWall by the Check Point researchers because it was first found in the Lovely Wallpaper app, the malware hides in free wallpaper, video and photo-editing apps. It is a new variant of a family that McAfee spotted on the Play Store earlier this year.

What sets ExpensiveWall apart from earlier variants is that it is "packed": the malicious code is compressed and encrypted inside the app and only unpacked at runtime, which hides it from the Play Store's static anti-malware checks.

The researchers notified Google of the malicious apps on August 7, and Google quickly removed all of them. Within days, however, the malware re-emerged on the Play Store and infected more than 5,000 devices before being removed again four days later, Check Point said.

Here's How ExpensiveWall Malware Works:

Once an app carrying ExpensiveWall, which the researchers believe originated in a software development kit called GTK, is installed on a victim's device, it asks the user for permission to access the Internet and to send and receive SMS messages.

The Internet permission lets the malware connect the device to the attacker's command and control server and report details of the infected handset, including its location and unique hardware identifiers such as its MAC and IP addresses and its IMSI and IMEI numbers.

The C&C server then returns a URL, which the malware opens in an embedded WebView. The page loads JavaScript that runs up the victim's bill by sending premium-rate SMS messages without their knowledge, and uses the victim's phone number to sign them up for paid services.

According to the Check Point researchers, it remains unclear how much revenue ExpensiveWall's premium-SMS scam generated.
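The permission and component combinations described above (INTERNET plus SEND_SMS and RECEIVE_SMS for the premium-SMS fraud, READ_PHONE_STATE for the IMEI/IMSI fingerprinting) and, from the Shopper post earlier on this page, a declared accessibility service are all visible in an app's manifest before any code runs. The following Python triage script is an added example and is not code from Check Point, Kaspersky or either article: it parses a decoded AndroidManifest.xml (as apktool produces it) and reports those combinations. The sample manifest, its package name and its class names are constructed for the example.

```python
"""Static triage of a decoded AndroidManifest.xml for permission and component
combinations behind premium-SMS fraud (ExpensiveWall) and accessibility-service
abuse (Shopper).  Added example; the sample manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(element, name):
    """Read an android:NAME attribute; ElementTree keys it by the namespace URI."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


# Permission sets that, together, enable a behaviour worth a closer look.
PERMISSION_RULES = {
    "premium-sms-fraud": {
        "android.permission.INTERNET",
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "device-fingerprinting": {
        "android.permission.INTERNET",
        "android.permission.READ_PHONE_STATE",   # IMEI/IMSI access on older Android
    },
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text):
    """Return {"package": ..., "findings": [{"rule": ..., "evidence": [...]}, ...]}."""
    root = ET.fromstring(xml_text)
    perms = {android_attr(el, "name") for el in root.iter("uses-permission")}
    findings = []

    for rule, needed in PERMISSION_RULES.items():
        if needed <= perms:
            findings.append({"rule": rule, "evidence": sorted(needed)})

    # A service guarded by BIND_ACCESSIBILITY_SERVICE can drive the UI once enabled.
    for svc in root.iter("service"):
        if android_attr(svc, "permission") == BIND_A11Y:
            findings.append({"rule": "accessibility-service",
                             "evidence": [android_attr(svc, "name")]})

    # An SMS_RECEIVED receiver with a high priority can read (and swallow)
    # carrier confirmation messages before the default SMS app sees them.
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                findings.append({"rule": "sms-interception",
                                 "evidence": [android_attr(rcv, "name"),
                                              "priority=%s" % android_attr(flt, "priority")]})
    return {"package": root.get("package"), "findings": findings}


# Constructed manifest; package and class names are made up for the example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lovelywallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Wallpapers">
    <receiver android:name=".SmsGate">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for finding in report["findings"]:
        print("  %-22s %s" % (finding["rule"], ", ".join(finding["evidence"])))
```

Run it against the manifest from `apktool d app.apk` and treat every finding as a reason to look at the code, not as a verdict: a legitimate SMS client or screen reader declares the same things. The packing described above is what this check does not see, which is why permissions and components, which cannot be packed away, make a useful first pass.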

Google's Play Store—Home for Malware


Android malware keeps evolving, gaining more sophisticated and previously unseen capabilities, and finding it on the Google Play Store has become routine.

Last month, over 500 Android apps with spyware capabilities were found on Play Store, which had been downloaded more than 100 million times.

In July, Lipizzan spyware apps were spotted on Play Store that can steal a whole lot of information on users, including text messages, emails, voice calls, photos, location data, and other files, and spy on them.

In June, more than 800 Xavier-laden apps that had been downloaded millions of times were discovered on Google Play, and the same month researchers found the first code-injecting rooting malware circulating on the Play Store.

A month earlier, researchers spotted 41 apps on the Play Store carrying the Judy malware, which infected 36.5 million Android devices with ad-clicking software.

In April, more than 40 apps carrying the FalseGuide malware were found on the Play Store, claiming 2 million Android users as victims.

Earlier this year, researchers also discovered a new variant of the HummingBad malware, dubbed HummingWhale, hidden in more than 20 apps on the Google Play Store that had been downloaded by over 12 million users.

How to Protect Your Android From Such Malware Apps


Although Google has removed the malware-tainted apps from the official Play Store, a phone that already has one of them installed stays infected with ExpensiveWall until the malicious app is explicitly uninstalled.

Google recently introduced a security feature called Play Protect, which uses machine learning and app-usage analysis to remove malicious apps from affected phones automatically and limit further harm.

According to the Check Point researchers, however, many phones run an older version of Android that does not support the feature, leaving a large population of users exposed.

You are strongly advised to keep a reputable antivirus app on your device that can detect and block malicious apps before they do damage, and to keep the device and all its apps up to date.

Thursday, August 24, 2017

Over 500 Android Apps On Google Play Store Found Spying On 100 Million Users

Swati Khandelwal, 22/08/2017, on The Hacker News

More than 500 Android apps, downloaded over 100 million times in total from the official Google Play Store, have been found to contain a malicious advertising library that quietly delivers spyware to users' devices and can carry out dangerous operations on them.

Since roughly 90 per cent of Android apps on the Google Play Store are free, advertising is a key source of revenue for app developers. To serve ads, they integrate an advertising SDK into their apps, which normally does not affect the app's core functionality.

Security researchers at mobile security firm Lookout, however, have discovered that one such SDK, dubbed Igexin, has been delivering spyware to Android devices.

Developed by a Chinese company to offer targeted advertising services to app developers, the rogue Igexin advertising SDK was spotted in more than 500 apps on Google's official marketplace, including:

  • Games targeted at teens with as many as 100 million downloads
  • Weather apps with as many as 5 million downloads
  • Photo editor apps with 5 million downloads
  • An Internet radio app with 1 million downloads
  • Other apps targeted at education, health and fitness, travel, and emoji

Chinese Advertising Firm Spying On Android Users


The Igexin SDK was designed to let app developers serve targeted advertisements to their users and generate revenue. To do so, the SDK also collects user data to target interest-based ads.

Beyond that data collection, the Lookout researchers found the SDK behaving maliciously: several Igexin-integrated apps were communicating with malicious IP addresses that delivered malware to devices, without the knowledge of the developers whose apps bundled the SDK.

"We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint used by the Igexin ad SDK," the researchers explain in a blog post. 
"This sort of traffic is often the result of malware that downloads and executes code after an initially "clean" app is installed, in order to evade detection."
Once the payload has been delivered to an infected device, the SDK can gather log data about the user from the device and can remotely install further plugins, which could record call logs or reveal information about the user's activities.
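The pattern Lookout describes above, an app that looks clean at install time, calls the SDK's REST endpoint and then downloads large encrypted files to execute later, leaves a recognisable shape in network telemetry. The following Python script is an added example, not Lookout's tooling or anything from the article: it walks proxy-style records for each app, remembers calls to the quoted Igexin endpoint and flags any large, high-entropy download that follows within a short window. The records, the app package names and every host other than the Igexin endpoint are constructed for the example, and the size, entropy and time thresholds are assumptions to tune against real traffic.

```python
"""Traffic-side triage for 'clean install, then fetch encrypted code' behaviour.
Added example; the records below are constructed and the thresholds are assumptions."""
import math
import random
from collections import Counter

# The endpoint Lookout quoted; add further SDK endpoints as they become known.
SDK_ENDPOINTS = {("sdk.open.phone.igexin.com", "/api.php")}
LARGE_BODY_BYTES = 256 * 1024   # assumption: what counts as a "large" download
ENTROPY_THRESHOLD = 7.5         # bits/byte; encrypted or packed data approaches 8.0
WINDOW_SECONDS = 300            # assumption: how soon after the API call the download follows


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_staged_payloads(records):
    """records: dicts with ts (seconds), app, host, path, size, body_sample, in time order.

    A large high-entropy download on its own is not suspicious (app updates and
    media look the same); it is flagged only when the same app hit an SDK
    endpoint shortly before.
    """
    api_calls = {}      # app -> timestamps of SDK endpoint hits
    findings = []
    for rec in records:
        app = rec["app"]
        if (rec["host"], rec["path"]) in SDK_ENDPOINTS:
            api_calls.setdefault(app, []).append(rec["ts"])
            continue
        if rec["size"] < LARGE_BODY_BYTES:
            continue
        entropy = shannon_entropy(rec["body_sample"])
        if entropy < ENTROPY_THRESHOLD:
            continue
        preceding = [t for t in api_calls.get(app, []) if 0 <= rec["ts"] - t <= WINDOW_SECONDS]
        if preceding:
            findings.append({"app": app, "host": rec["host"], "path": rec["path"],
                             "size": rec["size"], "entropy": round(entropy, 3),
                             "seconds_after_api_call": rec["ts"] - max(preceding)})
    return findings


def _pseudo_random_bytes(seed, n):
    """Deterministic stand-in for the first bytes of an encrypted download."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed records: only the first 4 KiB of each body is kept as a sample.
SAMPLE_RECORDS = [
    {"ts": 0, "app": "com.example.weather", "host": "sdk.open.phone.igexin.com",
     "path": "/api.php", "size": 312, "body_sample": b'{"code":0}'},
    {"ts": 42, "app": "com.example.weather", "host": "cdn.example.invalid",
     "path": "/res/1a2b.bin", "size": 1_900_000, "body_sample": _pseudo_random_bytes(7, 4096)},
    {"ts": 60, "app": "com.example.weather", "host": "www.example.invalid",
     "path": "/terms.html", "size": 400_000,
     "body_sample": b"<html><body>Terms of service</body></html>" * 100},
    # Large encrypted download, but this app never called an SDK endpoint: not flagged.
    {"ts": 90, "app": "com.example.notes", "host": "update.example.invalid",
     "path": "/pack.enc", "size": 2_000_000, "body_sample": _pseudo_random_bytes(11, 4096)},
]

if __name__ == "__main__":
    for hit in flag_staged_payloads(SAMPLE_RECORDS):
        print(hit)
```

Feed it records from a TLS-intercepting proxy or a device-side capture, since the body sample is what the entropy check needs; with NetFlow alone only the size and the endpoint sequence remain, which still narrows the candidate list. Hosts that are known content delivery networks for the app can be allow-listed to cut noise.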

How to Protect Your Android From This Malware


Google has since removed all the apps that bundled the rogue SDK from the Play Store, but if you have already installed one of them, make sure your device has Google Play Protect enabled.

Play Protect is Google's newly launched security feature, which uses machine learning and app-usage analysis to remove (uninstall) malicious apps from users' Android phones and limit further harm.

In addition, you are strongly advised to keep a reputable antivirus app on your device that can detect and block malicious apps before they do damage, and to keep the device and its apps up to date.

Android malware keeps evolving, gaining more sophisticated and previously unseen capabilities. Last month, the first Android malware with code-injecting capabilities was seen circulating on the Google Play Store.

A few days later, researchers discovered another malicious Android ad SDK, dubbed "Xavier", embedded in more than 800 apps that had been downloaded millions of times from the Google Play Store.

Tuesday, June 13, 2017

Researchers discover Android Trojan distributed via Google Play

On 12/06/2017

A new Trojan for Android devices, Dvmap, caught the attention of security researchers at Kaspersky Lab last week. Distributed as a game through the platform's official store, the Google Play Store, the malware manages to obtain root access to the smartphone, according to the security company.

The threat can also take control of the Android device by injecting malicious code into a system library. Once that is done, the trojan can remove its own root access in an attempt to avoid detection.

According to Kaspersky, the Trojan had been downloaded more than 50,000 times from the Google Play Store since March. After Kaspersky reported it, Google removed the threat from the Play Store.

"We believe we discovered this malware at a very early stage. Our analysis shows that the malicious modules report every move to the attackers, and there are techniques capable of compromising the infected devices. Speed is essential to prevent a massive and dangerous attack," explains Roman Unuchek, senior malware analyst at Kaspersky Lab.

What to do

Users who suspect they have been infected by Dvmap should back up all their data and perform a factory reset, according to the company.