VTA-004483 – Deceptive Android Apps Impersonate Google, Instagram, WhatsApp to Harvest Credentials
Malicious Android applications, pretending to be Google, Instagram, Snapchat, WhatsApp, and X (previously Twitter), have been detected stealing user credentials from compromised devices. The malware employs well-known Android app icons to deceive users, leading them to unwittingly install the malicious app on their devices. The distribution method for the campaign is currently unknown. However, after the app is installed on users’ phones, it asks for permissions to access the accessibility services and the device administrator API. The latter is a now-deprecated feature that offers device administration functions at the system level. Acquiring these permissions enables the malicious app to take control of the device, enabling it to perform various actions without the users’ awareness, such as data theft and deploying malware. The malware is crafted to connect with a command-and-control (C2) server to receive instructions, granting it access to contact lists, SMS messages, call logs, the list of installed apps, and the ability to send SMS messages. Additionally, it can open phishing pages in the web browser and control the camera flashlight. The phishing URLs imitate the login pages of various popular services, including Facebook, GitHub, Instagram, LinkedIn, Microsoft, Netflix, PayPal, Proton Mail, Snapchat, Tumblr, X, WordPress, and Yahoo. Researchers found a similar attack campaign on Whatsapp where after being successfully delivered as Whatsapp application, the application would install itself while appearing to be a Contacts application. When launched, the app would ask for permissions to access SMS, Contacts, Storage, and Telephone, and then hide itself from the user. Researchers also have discovered a new tactic where smishing messages are used to lead users to Android malware designed to steal banking information. This attack method involves a technique called telephone-oriented attack delivery (TOAD), where SMS messages prompt recipients to call a specified number regarding a debt collection claim. When the call is made, scammers inform the victim that the original message was a scam and advise them to install an antivirus app for protection.They direct the caller to click a link in a follow-up text message to install the supposed security software. However, this “antivirus” is actually malware designed to steal online banking credentials and carry out unauthorized fund transfers.
Severity:
Medium
Attack Surfaces:
Email, Mobile Application, Mobile OS
Tactics:
Command and Control, Credential Access, Execution, Initial Access, Reconnaissance
Techniques:
T1566 – Phishing
T1056 – Input Capture
T1003 – OS Credential Dumping
Indicator of Compromise:
https://otx.alienvault.com/pulse/66427ed2bb01d620da75d37e
References:
1. https://blog.sonicwall.com/en-us/2024/04/android-remote-access-trojan-equipped-to-harvest-credentials/
2. https://www.cyfirma.com/research/new-pakistan-based-cyber-espionage-groups-year-long-campaign-targeting-indian-defense-forces-with-android-malware/
SuperPRO’s Threat Countermeasures Procedures:
1. Download applications only from Google Play store.
2. Verify the developer of the application before installing
3. Do not click on any suspicious link which can redirect to malicious site.
4. Read through the permission requested by the application carefully.
5. Enable multifactor authentication for extra layer of protection
Contributed by: Varrumen