Google has removed 60 malware-infected apps, installed by more than 3.3 million users, from its Play Store. The apps can be used for all sorts of criminal activity, including identity theft, spying, and even stealing money from victims.
Zscaler’s ThreatLabZ and security researcher Maxim Ingrao of anti-fraud firm Evina discovered downloader apps carrying malware including Joker, Facestealer, Coper and Autolycos. The last is a new family, according to Ingrao, who discovered and named it after finding it in eight different apps with more than three million downloads on Android devices.
The new strain, which resembles Joker, steals SMS messages once downloaded and signs users up to premium wireless application protocol (WAP) services that are then charged to them without their knowledge, Ingrao tweeted.
A new family of malware has been detected that subscribes to premium services 👀 8 apps since June 2021, 2 apps always on the Play Store, +3M installs 💀💀 No web browsing like #joker but only http requests. Let’s call it #Autolycos 👾 #Android #Malware #Evina pic.twitter.com/SgTfrAOn6H
— Maxim Ingrao (@IngraoMaxime) July 13, 2022
This spyware is designed to steal SMS messages, contact lists and device information, and to subscribe the victim to premium wireless application protocol (WAP) services.
“It receives JSON at C2: 18.104.22.168/pER/y,” he explained. “Then it executes the URLs, for some steps it executes the URLs in the remote browser and returns the result to include in requests. This allows him to not have a webview and be more discreet.”
In addition, the scammers created Facebook and Instagram ads to promote the fake apps, Ingrao noted.
Malicious applications include:
- Vlog Star Video Editor – 1 million downloads
- Creative 3D Launcher – 1 million downloads
- Wow Beauty Camera – 100,000 downloads
- Gif Emoji Keyboard – 100,000 downloads
- Freeglow camera – 5000 downloads
- Coco Camera v1.1 – 1000 downloads
- Fun Camera – 500,000 downloads
- Razer Keyboard & Theme – 50,000 downloads
Joker, Facestealer and Coper resurface
Meanwhile, Zscaler threat hunters said this week that Google removed 52 more malware-infected apps from the Play Store, and 50 of them were used to deploy Joker, an ongoing problem for Android devices. They also found the Facestealer and Coper malware in two other malicious apps that were also downloaded from the online store.
The Joker downloader apps have been installed more than 300,000 times, according to security researchers Viral Gandhi and Himanshu Sharma, who provided a technical analysis of the three malware families' payloads and listed all 50 Joker downloaders in a ThreatLabZ blog post.
“Even though the public is aware of this particular malware, it continues to infiltrate the official Google app store, regularly changing malware trace signatures, including updates to code, execution methods, and payload extraction methods,” Gandhi and Sharma wrote.
Once downloaded, the Joker malware steals SMS messages, contact lists, and device information, and subscribes the victim to paid services without their knowledge.
“Most often, attackers disguise Joker malware in messaging apps that require users to grant elevated access permissions, allowing them to serve as the default SMS app on the user’s phone,” threat hunters note. “Malware uses these extended permissions to carry out its operations.”
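The permission pattern described above (an app that asks to become the default SMS handler) can be checked statically during app triage. The following script is an added example, not part of the article or the researchers' work: it parses a decoded AndroidManifest.xml and flags an app that both requests raw SMS permissions and declares the intent actions Android requires of a default SMS app. The two manifests and their package names are constructed samples.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # prefix for android:* attributes
# Permissions that let an app read, intercept or send SMS/WAP traffic.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_WAP_PUSH",
}
# Intent actions an app must handle to be offered as the device's default SMS app.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report which SMS permissions and default-SMS-handler actions a decoded
    AndroidManifest.xml declares, and flag the combination of both."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")} & SMS_PERMISSIONS
    actions = {a.get(A + "name") for a in root.iter("action")} & DEFAULT_SMS_ACTIONS
    # An app that wires itself up as the default SMS handler and also requests
    # the raw SMS permissions deserves a manual look, whatever it claims to be.
    return {
        "sms_permissions": sorted(perms),
        "default_sms_actions": sorted(actions),
        "flag": bool(perms) and len(actions) >= 2,
    }

# Constructed sample: a "camera" app that also declares a default-SMS-handler surface.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakecamera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".WapRx" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a camera app with no SMS surface at all.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/><application><activity android:name=".Main"/></application>
</manifest>"""
```

Run `triage_manifest()` over a manifest extracted with a tool such as apktool; a raised flag is a triage signal to inspect the app, not proof of fraud, since genuine messaging apps declare the same components.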
In addition, Zscaler discovered Facestealer lurking in the now-deleted cam.vanilla.snap app on the Google Play Store, which had been downloaded 5,000 times. This malware targets Facebook users with fake Facebook login pages to steal their credentials. Finally, the security firm also discovered the Coper banking trojan disguised as the Unicc QR Scanner app.
“Once downloaded, this application launches a Coper malware infection that is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing over-the-top attacks, preventing removal, and generally allowing attackers to gain control and execute commands on the infected device through a remote connection to the C2 server,” Gandhi and Sharma wrote. ®