Two-year Old Android Malware Evolves from Spyware to Ransomware
A trojan that has been infecting Android devices for two years has resurfaced as a full-fledged malware capable of stealing financial information and locking the device similar to a ransomware attack, reports from security firm Dr.Web say.
First detected in 2014, the trojan was originally designed as spyware, intercepting, exfiltrating and sending text and MMS messages as well as making phone calls without the user’s knowledge. In 2015, it has evolved into a trojan capable of phishing for credit card credentials using an interface resembling Google Play Store’s. It also siphons log-in credentials needed to access online banking applications to commit theft.
The malware is distributed under seemingly benign and legitimate applications such as Adobe Flash Player. When launched, the user is prompted to grant it administrator privileges to the device. It also keeps track if Wi-Fi and cellular data connection are enabled, and turns them on permanently to keep it connected to its command and control (C&C) server. The malware then sends to its C&C server information such as the device's International Mobile Equipment Identifier number (used to verify device ownership) and device model, system language, network operator, OS version and mobile number.
Configured with a list of online banking applications, the malware monitors if any of those are launched by the user. When detected, the malware downloads a phishing form from its C&C server and places it on top of the running application. The information keyed in by the user is then sent to the cybercriminals, which they use to steal funds from the user’s bank.
Its initial targets were users from Russia and countries from the Commonwealth of Independent States (CIS), but by the start of 2016 the malware has infected at least 40,000 Android mobiles across the world, notably in Turkey, India, Spain, Australia, Germany, France, the U.S., Italy and Britain.
The malware’s latest version creates further damage by adding more functions, such as sending Unstructured Supplementary Service Data (USSD) requests, the protocol used by cellphones to communicate to a mobile service provider’s computers. It also tries to infect more mobiles by sending malicious SMS and MMS messages to contacts tied to the compromised device. More importantly, it sets a password to the device’s screen then modifies and locks the home screen with a note instructing the user the user to pay to unlock the device.
The booming mobile device industry, particularly the advantages of Android OS, makes it a lucrative market for cybercriminals. In fact, it has been noted that compared to 2014, the cumulative number of Android-based malware has doubled by the end of 2015. Just recently, a malware was discovered disguised as a Google Chrome Update. It was reported to mine data such as call logs, SMS messages, browsing history and even financial information before sending it to a remote server. In March, attackers prompted Android users to install a variant of the Marcher Trojan—disguised as an Adobe Flash Installer Package—that stole the users’ banking information. In January, a malicious app for Android OS-based Smart TVs installed backdoors that exploited vulnerabilities in the OS and allowed the device to be hijacked through man-in-the-middle attacks. iOS and Android users were also scammed into divulging Instagram credentials and hijacked their accounts. An Android open source spyware also made the rounds last year.Android OS users are encouraged to follow good security practices to protect their devices, such as disabling app installations for third-party or dubious sources, regularly updating the OS to the latest version to prevent exploits, and strengthening security with mobile software that features malware scanning and detection systems to help mitigate potential threats.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report