Google has removed 60 malware-infected apps from its Play Store, installed by more than 3.3 million users, which can be used for all kinds of criminal activities, including credential theft, espionage and even stealing money from the victims.
Zscaler's ThreatLabZ and security researcher Maxime Ingrao of fraud protection firm Evina discovered the malware-laden downloader apps, which carried the Joker, Facestealer, Coper and Autolycos malware. The latter is a new family, according to Ingrao, who discovered and named Autolycos and found it in eight different apps with more than three million downloads on Android devices.
The new strain, similar to Joker, steals SMS messages once downloaded and subscribes users, without their knowledge, to premium wireless application protocol services that they are then charged for, Ingrao tweeted.
Found a new malware family that subscribes to premium services 👀 8 apps since June 2021, 2 apps still in play store, +3 million installs 💀💀 No web views like #Joker but only http requests. Let's call it #Autolycos 👾 #Android #malware #Evina pic.twitter.com/SgTfrAUn6H
— Maxime Ingrao (@IngraoMaxime) July 13, 2022
This spyware is designed to steal SMS messages, contact lists, and device information, and to subscribe the victim to premium Wireless Application Protocol (WAP) services.
"It retrieves a JSON on the C2 address: 188.8.131.52/pER/y," he further explained. "It then executes the URLs; for certain steps it executes the URLs on a remote browser and returns the result to include it in the requests. This allows it to have no Webview and to be more discreet."
Additionally, the scammers created ads on Facebook and Instagram to promote the fake apps, Ingrao noted.
Malicious apps include:
- Vlog Star Video Editor — 1 million downloads
- Creative 3D Launcher — 1 million downloads
- Wow Beauty Camera — 100,000 downloads
- Keyboard Emoji Gif — 100,000 downloads
- Freeglow Camera — 5,000 downloads
- Coco Camera v1.1 — 1,000 downloads
- Funny Camera — 500,000 downloads
- Razer Keyboard and Theme — 50,000 downloads
Joker, Facestealer and Coper resurface
Meanwhile, Zscaler threat hunters said this week that Google removed another 52 malware-infested apps from the Play Store, 50 of which were used to deploy Joker, which has been an ongoing problem for Google's Android devices. They also discovered Facestealer and Coper malware in two other rogue apps, and these were also booted from the online market.
Apps spreading Joker have been downloaded more than 300,000 times, according to security researchers Viral Gandhi and Himanshu Sharma, who provided a technical analysis of payloads from the three malware families and listed all 50 Joker downloaders in a ThreatLabZ blog post.
“Despite public awareness of this particular malware, it continues to find its way into the official Google app store by regularly modifying the malware’s trace signatures, including code updates, execution and payload recovery techniques,” wrote Gandhi and Sharma.
Once downloaded, Joker malware steals SMS messages, contact lists and device information, and also subscribes the victim, without their knowledge, to premium services.
"Most often, threat actors disguise the Joker malware in messaging apps that force users to grant increased access permissions by allowing them to serve as the default SMS app on the user's phone," the threat hunters noted. "The malware uses these advanced permissions to perform its operations."
Additionally, Zscaler discovered that Facestealer was hiding in the now-deleted cam.vanilla.snap app on the Google Play Store, which had 5,000 downloads. This malware targets Facebook users through fake Facebook login pages to steal credentials. Lastly, the security team also discovered the Coper banking Trojan disguised as the Unicc QR Scanner application.
“Once downloaded, this application releases the Coper malware infection which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, logging keystrokes, locking/unlocking the device screen, performing excessive attacks, preventing uninstalls, and generally allowing attackers to take control and execute commands on an infected device via a remote connection with a C2 server,” wrote Gandhi and Sharma. ®