Android Archives – Gridinsoft Blog

Google Pixel Devices Shipped with Vulnerable App
https://gridinsoft.com/blogs/google-pixel-shipped-vulnerable-app/
Fri, 16 Aug 2024
Recent research has uncovered a vulnerable app in the Android package on a large number of Google Pixel smartphones. Devices shipped worldwide since September 2017 may be susceptible to malware deployment by malicious actors. The issue is linked to a pre-installed app called “Showcase.apk”, which is used on showroom devices in particular.

Google Pixel Phones Contain a Vulnerable Pre-Installed App

According to a recent report, Google Pixel devices shipped globally since September 2017 contain a severe vulnerability in a pre-installed app. The application in question, Showcase.apk, can potentially expose millions of users to significant security risks. Researchers at iVerify discovered that this app has excessive system privileges, which enable it to remotely execute code and install arbitrary packages on the device.

Experts from other companies, including Palantir Technologies and Trail of Bits, state that the app poses considerable security risks for several reasons. First, it downloads a configuration file over an unprotected HTTP connection, making the file vulnerable to tampering; a tampered configuration allows attackers to execute code at the system level. The configuration file is downloaded from a single U.S.-based domain hosted on AWS, which further exacerbates the vulnerability. Also, the app is granted excessive privileges, which could have negative implications in certain scenarios, as discussed below.

Potential Exploitation Risks

The APK file installs the Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), a program developed by Smith Micro, a company specializing in enterprise software. In short, this app is designed to switch devices into a showroom mode: it enables demo mode and disables certain features to prevent tampering or locking. The app requires nearly three dozen different permissions, including access to location and external storage. While the program itself is not inherently malicious (many companies use similar functionality), its implementation is what causes the problem.

The main issue is that the app’s use of an unencrypted HTTP connection makes it vulnerable to “man-in-the-middle” (MitM) attacks. An attacker positioned on the network path could eavesdrop on the transferred data and inject their own network packets on the fly. This opens the door to installing malicious code or spyware on the attacked device.

The good news is that the app is not enabled by default, meaning there is no attack surface unless it is activated. Despite the potential for abuse, there is currently no evidence that this vulnerability has been exploited in the wild. On the other hand, the app’s deep integration into the system firmware means users cannot uninstall it. At the same time, it could be activated if a threat actor gains physical access to the device and enables developer mode. Another case where the phone may be vulnerable out of the box is when one purchases a showroom stock device; large retailers often sell these at a nice discount, sometimes at the price of a used smartphone.

Google’s Response

Google responded to the research findings by stating that the vulnerability is not related to the Android platform or Pixel devices but rather to a package specifically developed for Verizon demo devices in stores. Additionally, Google emphasized that exploiting this app would require both physical access to the device and the user’s password. The company also noted that the app is not present on the latest Pixel 9 series devices and confirmed that it will be removed from all supported Pixel devices in a future software update. Showroom devices may need this software (or its equivalents) installed manually.

The post Google Pixel Devices Shipped with Vulnerable App appeared first on Gridinsoft Blog.

How to Stop Spam Texts?
https://gridinsoft.com/blogs/stop-spam-texts/
Sun, 21 Jul 2024
Spam texts belong to the same family as spam emails and spam calls: unwanted and often annoying messages whose sender you don’t know. The purpose of such spam is to deceive the user into giving up confidential information or to draw you into a phishing attempt. These messages are sent automatically by a computer programmed to target an unspecified list of recipients. Let’s take a look at tips, tricks and do’s and don’ts for blocking unwanted texts.

Besides their dishonest motive, these messages can spread malware to your device. According to the Federal Trade Commission, such spam texts are illegal, as their ultimate goal is either to steal from the user or to violate the user’s privacy. To keep spam from violating your privacy, the following guide covers the proper actions to take and how to block text messages.


What to do if you receive spam texts?

1. Don’t reply directly to any spam texts.

Replying to a spam message is not just a mistake; it is also a signal to the attacker that your account is active, so they can send you even more messages of this type. The least you can do when you see a message that does not concern you is simply not answer it.

2. Do treat your personal information like it’s cash.

Spam texts are designed to trick confidential information out of you: your financial details, how much you earn, your social security number, whether you have any loans, your passwords, and more. Keep in mind that most legitimate organizations and companies will not ask you to submit such information, and certainly not through a plain text message. If you doubt a message of this type, contact the organization it claims to come from and find out whether you actually need to provide such information.

3. Don’t click on any links in the spam texts.

Often a spam message comes with a link or a form asking you to fill in your data. The first and most important thing to know is that you shouldn’t click these links, because they are usually malicious. Clicking such a link can bring malware onto your device. Malware can damage your phone, slow it down and fill up its memory, and steal personal data, including the photos and videos on the phone. It can also lead to money being charged to your operator’s account without your knowledge, among other things.


4. Do review your cell phone bill regularly.

Don’t forget to check your cell phone bill. If you find any charges made without your knowledge, call the phone company and find out what they are for.

5. Check your phone’s settings.

Your device may have third-party features that allow you to block the source of unwanted calls and text messages.

  1. For Android phones, tap the three dots in the upper right corner of the spam text. Then select “People” and “Options”, and select “Lock”. After that, you will no longer receive spam text messages from this number.
  2. For iPhones, tap “i” in the top corner of the spam message. Then tap the number and select “Lock”.

6. Do place a cell phone number on the National Do Not Call Registry.

If you don’t know how to get rid of annoying messages from unknown sources, follow this advice. Add your phone number to the Federal Trade Commission’s National Do Not Call Registry; this eliminates a vast number of spam calls. If you receive a call within 31 days after the number has been added to the registry, you can contact the FTC.

7. Do check to see if your carrier offers a call-blocking service.

Some third-party services and applications can block phone numbers. You should also check messages received from third-party sources: forward this type of message to 7726 to check whether it is spam. Your operator may investigate and take action against the sender of the message. Messages to this number are free of charge.

How to protect?

It is very unpleasant when annoying ads, viruses or other malicious programs regularly appear on a compromised smartphone. Try the free Trojan Scanner for Android, which uses patented scanning technology with daily database updates to help ensure the best virus detection rate on your Android smartphone. Just install and run it; it does not slow down the system and does not drain the phone’s battery.

Scam Likely Calls: How to block them?
https://gridinsoft.com/blogs/how-to-block-scam-likely-calls-iphone-android/
Wed, 03 Jul 2024
Have you ever glanced at your phone and seen the caller ID flash “Scam Likely”? Understanding what this alert means, why it appears, and how you can stop these calls is essential for protecting yourself from potential fraud. Here’s everything you need to know about the “Scam Likely” feature.

What Does “Scam Likely” Mean?


For customers of T-Mobile, Metro by T-Mobile (formerly MetroPCS), and Sprint (post-T-Mobile merger), “Scam Likely” is an alert that identifies potential spam callers. This feature is a part of T-Mobile’s “Scam Shield” protection, designed to block fraudulent calls before they reach you. This proactive measure is automatically enabled for all subscribers, ensuring you don’t have to tweak settings to benefit from it.

T-Mobile utilizes a comprehensive database of known scam numbers and automatically screens incoming calls against this list. Calls flagged as “Scam Likely” could involve various scam tactics, such as:

  • Impersonating government officials
  • Demanding payments via gift cards
  • Proposing fake tech support solutions
  • Initiating disruptive robocalls

This identification is managed at the network level, so regardless of whether you use an iPhone, Android, or a basic button phone, you’ll see the “Scam Likely” alert. There’s no need for any additional apps, although the free T-Mobile Scam Shield app is available for those who want extra control over these features.

While the “Scam Likely” system is robust, no system is perfect. There may be instances where legitimate calls are mistakenly labeled as scam. It’s advisable to approach these calls with caution. If you choose to answer, protect your personal information vigilantly. If the call feels suspicious or the caller pressures you, it’s safe to hang up. Genuine callers will likely leave a voicemail if it’s important.

How to Block Scam Calls

Although your carrier may alert you about “Scam Likely” calls, these calls aren’t blocked by default. If you find yourself inundated with unwanted calls, T-Mobile offers a free Scam Blocker feature. Here’s how to activate it:

  1. Open your phone’s dialer app.
  2. Enter the code #662# and make the call to activate the blocking.
  3. To confirm activation, dial #787#.

To deactivate the feature, simply dial #632#.

How to Spot Scam Calls?

Most operators have similar services to combat fraudulent calls. This is thanks to STIR/SHAKEN, a set of protocols that allows carriers to fight caller ID spoofing. Using these standards, the operator can display a “Call Verified” message on your phone, confirming that the caller ID has not been spoofed. This feature is becoming available on more and more devices and carriers as they all work to reduce spam calls.

So, if you’re an AT&T customer, you can download their official software. It’s available for iPhone or Android and contains free spam and fraud blocking features as well as advanced protection that’s available by subscription. And if you use Verizon, a free call filtering service is available as well. To manage this feature, you can also install the Verizon Call Filter app, available for iPhone or for Android. Like AT&T, Verizon also offers a paid subscription to improve this. Other carriers likely provide similar services as well. For more information, visit the store, log in to your account management page, or contact your carrier’s customer service number.

How to Block Calls?

Suppose you are annoyed by a spammer, and your operator does not provide such a service. In this case, you can block the annoying number using the standard tools of the operating system of your device. In addition, there are third-party applications available in the app store that can handle this task. These applications usually have a database of fraudulent numbers and will alert you if an incoming call is potentially unsafe. In addition, these apps allow you to detect and block fraudulent calls, regardless of which carrier you have. The disadvantage of such applications is that they are often paid and require a subscription.

How to Block Scam Calls on Android

If your phone has the default dialer app from Google, it will alert you to potential spammers by default. If your Android device uses a different dialer app, do the following:

  1. Open the dialer app and tap the number you want to block.
  2. Tap Details, then select Block number.

In addition, you can use a third-party app to filter out spam.

How to Block Scam Calls on iPhone

You can block any number on your iPhone using the built-in blocklist feature. To do this, do the following:

  1. Open the Phone app, tap Recents and press the “i” icon next to the number you need to block.
  2. Scroll down and tap Block this caller.

This straightforward process makes it easy to block unwanted calls directly from your call log, helping you manage your privacy and security on your device.

There is a more radical method that will solve the problem of unwanted calls. Your iPhone has a feature that allows you to silence all calls from unknown numbers. To do this:

  1. Open Settings and scroll down to iPhone.
  2. Tap Silence Unknown Callers.
  3. Toggle it to on.

It’s important to understand that if you turn this on, all calls from numbers that aren’t in your contacts will be rejected automatically. Most people receive legitimate calls from unknown numbers from time to time, such as a meeting reminder or an important call from someone using a friend’s phone. We recommend using this method only in extreme cases, such as if you receive a lot of spam. Otherwise, you might miss important calls.

How to Stop Scam Likely Calls

Protecting your cell phone number is the best way to prevent scam calls. To do this, add your number to the National Do Not Call Registry. Unfortunately, this does not stop all calls, but it will filter out annoying telemarketing and similar garbage.

You also have to be careful when sharing your number. Nowadays, almost every online ad, account and other service asks for your phone number, and in some cases companies share your number with affiliates for marketing purposes. So think carefully before sharing your number with anyone online. Instead, you can sign up for a free Google Voice number and use it as an additional means of communication. The plus side of this method is that if you give this number to all secondary services, you can always disconnect it and stop worrying about incoming calls, spam included.

Two Android Zero-Day Flaws in Google Pixel Exploited
https://gridinsoft.com/blogs/android-zero-day-flaws-google-pixel/
Fri, 05 Apr 2024
Google has disclosed that two Android zero-day security vulnerabilities have been detected in its Pixel smartphones. The patch is already available: Google states that it fixed the flaws in the recent Pixel Update Bulletin. The worse news is that the flaws are already being exploited in targeted attacks.

Two Android Zero-Day Flaws Exploited in Targeted Attacks

In a recent announcement, Google disclosed two zero-day security vulnerabilities in its Pixel smartphones. The first, CVE-2024-29745 (CVSS 7.2), is an information disclosure flaw in the bootloader component that could compromise data confidentiality. The other, CVE-2024-29748, is a privilege escalation flaw in the firmware component that can allow unauthorized access to and control over the device.

Detailed explanation of new zero-days from GrapheneOS developers

According to Google’s advisory, these vulnerabilities were fixed on April 2, 2024. They were originally discovered back in early January 2024 by GrapheneOS developers. The good news is that they are subject to limited, targeted exploitation, which means the risk of widespread exploitation is relatively low. Nonetheless, Google urges all Pixel smartphone users to update their devices to the latest software version as soon as possible.

Android Zero-Day Vulnerabilities Exploited in the Wild

Although Google has not provided specifics on the attacks, GrapheneOS developers have indicated that these flaws are actively exploited. In addition, CISA has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog. CVE-2024-29745 is a vulnerability in the fastboot firmware, which supports various device states such as unlocking, flashing and locking. Threat actors can exploit this flaw to access the device’s memory without privileges or user interaction.

CVE-2024-29748 presents a different risk. This flaw allows an attacker to circumvent a factory reset initiated by apps that use the device admin API for this purpose. As a result, attackers were able to stop the device from finishing the factory reset, although this requires physical interaction with the device. Although Google has addressed part of the issue, GrapheneOS has pointed out that the reset can still be interrupted by cutting power to the device. GrapheneOS is therefore working on a more comprehensive solution, which includes a stronger duress PIN/password feature and a secure “panic wipe” action that can be executed without requiring a reboot.

Safety Recommendations

As the digital landscape evolves, so does the sophistication of cyber threats. To mitigate these risks, users should manually verify that their devices have the latest software version. Staying informed about security updates and best practices is crucial in safeguarding digital assets against emerging threats. Google’s disclosure serves as a reminder of the ongoing battle for cybersecurity and the need for continuous improvement in defense mechanisms to protect personal information.

Xamalicious Trojan Hits Over 327K Android Devices
https://gridinsoft.com/blogs/xamalicious-trojan-android/
Thu, 28 Dec 2023
A new Android backdoor, dubbed Xamalicious, was discovered by researchers at the end of 2023. This malware has potent capabilities for performing malicious actions on infected devices. It reportedly abuses Android’s accessibility permissions to gain access to various sources of user data.

What is Xamalicious Malware?

As I’ve said in the introduction, Xamalicious is a backdoor malware designed for Android. It is based on the Xamarin framework, which gave it its name and some of its abilities. As is typical for sophisticated Android malware, it abuses accessibility permissions to gain access to things like the clipboard, autofill forms, notifications, messages, and more.

Xamalicious operates in two stages. Initially, it gathers device metadata and contacts a command-and-control (C2) server. This first contact is crucial: based on the initial data they receive, the malware operators decide on their next steps. If needed, the malware can deliver other payloads and run them as an assembly DLL at runtime. This enables complete control over the device, potentially leading to fraudulent actions such as ad clicks and unauthorized app installations.

Researchers report locating the threat in 25 apps, some of which were even distributed through the official Google Play Store since mid-2020. Alarmingly, these apps have been installed at least 327,000 times, affecting users in Western Europe, South and North America and Australia.

Here are some of these malicious apps:

• Track Your Sleep (com.shvetsStudio.trackYourSleep)
• Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator)
• Sound Volume Extender (com.muranogames.easyworkoutsathome)
• 3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft)
• Logo Maker Pro (com.vyblystudio.dotslinkpuzzles)
• Auto Click Repeater (com.autoclickrepeater.free)
• LetterLink (com.regaliusgames.llinkgame)
• Essential Horoscope for Android (com.anomenforyou.essentialhoroscope)

Geography of Activity: Xamalicious Malware

Xamalicious infections geography

Technical aspects

To evade detection, Xamalicious authors have encrypted all communications and data transmissions between the C2 and infected devices. The encryption is not limited to HTTPS protection but extends to JSON Web Encryption tokens. Such tokens use advanced algorithms like RSA-OAEP with A128CBC-HS256. This makes the malware difficult to analyze and detect.

Moreover, the first-stage dropper contains self-update functions for the main Android package file (APK), suggesting that it can be weaponized as spyware or a banking trojan without user interaction.

“Android applications written in non-Java code with frameworks such as Flutter, React Native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets.”
the report

How to Protect Against Xamalicious Backdoor?

Xamalicious is not a ground-breaking malware sample, but its dangers should not be underestimated. The fact that it exploits the same Android features as earlier malware is not a sign of technological obsolescence. “Don’t change what’s working” is a rule hackers stick to, and it works out rather well for them.

To avoid infection, exercise caution when downloading apps, especially from unofficial sources. Pay even more attention to the permissions you grant to programs. And, to seal the deal, consider running an anti-malware scan on your smartphone at least once a week. This will help keep your data secure.

Malicious Loan Apps in Play Store Deceived 12M Users
https://gridinsoft.com/blogs/malicious-loan-apps/
Mon, 11 Dec 2023
Eighteen malicious loan apps on the Google Play Store, posing as legitimate financial services and totaling over 12 million downloads, have scammed users. They offer high-interest-rate loans while harvesting victims’ personal and financial data for malicious purposes.

18 Malicious Loan Apps Defraud Millions of Android Users

Cybersecurity researchers have exposed 18 malicious loan apps on the Google Play Store. These apps collectively amassed over 12 million downloads. Operating under the guise of legitimate financial services, they have duped users into high-interest-rate loans. Meanwhile, the apps surreptitiously harvest victims’ personal and financial data for malicious purposes, which we’ll discuss next. Researchers have christened this operation SpyLoan.

The malicious apps primarily prey on potential borrowers in Southeast Asia, Africa and Latin America. Despite their attractive appearance, these apps are far from genuine financial services; instead, they engage in fraudulent activities that exploit unsuspecting users. Although these apps have been removed from the store, the damage has already been done. The primary infection pathways are SMS messages and social media such as Twitter, Facebook or YouTube. The list of now-removed apps includes:

• AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android)
• Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo)
• Oro Préstamo – Efectivo rápido (com.app.lo.go)
• Cashwow (com.cashwow.cow.eg)
• CrediBus Préstamos de crédito (com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash)
• ยืมด้วยความมั่นใจ – ยืมด่วน (com.flashloan.wsft)
• PréstamosCrédito – GuayabaCash (com.guayaba.cash.okredito.mx.tala)
• Préstamos De Crédito-YumiCash (com.loan.cash.credit.tala.prestmo.fast.branch.mextamo)
• Go Crédito – de confianza (com.mlo.xango)
• Instantáneo Préstamo (com.mmp.optima)
• Cartera grande (com.mxolp.postloan)
• Rápido Crédito (com.okey.prestamo)
• Finupp Lending (com.shuiyiwenhua.gl)
• 4S Cash (com.swefjjghs.weejteop)
• TrueNaira – Online Loan (com.truenaira.cashloan.moneycredit)
• EasyCash (king.credit.ng)
• สินเชื่อปลอดภัย – สะดวก (com.sc.safe.credit)

Interestingly, these services exist exclusively as apps and work only on smartphones. You won’t find a web version or an official website. This allows the attackers to request permissions that give them access to the confidential information stored on victims’ smartphones.

    Dirty Fraud Methods

    In the previous paragraph, I emphasized that attackers operate exclusively through mobile devices instead of classic websites. This is because they would not be able to access as much information through a website as they can through a phone. The operators of SpyLoan not only harvest information from compromised devices but also resort to blackmail and harassment tactics. I.E., victims are pressured into making payments under the threat of releasing their private photos and videos on social media platforms (that reminds me of something). This alarming revelation underscores the darker side of the digital lending landscape.

    Permissions request screenshot
    The permissions that applications usually request

    Users often have reported instances of fraud and coercion. For example, a user from Nigeria, in a message posted on the Google Play Help Community, accused EasyCash of fraudulent lending practices, including exorbitant interest rates and threats of blackmail. Additionally, the apps deploy misleading privacy policies to justify extensive permissions, including access to media files, camera, calendar, contacts, call logs, and SMS messages. This revelation coincides with the resurgence of TrickMo, an Android banking trojan masquerading as a free streaming app. The trojan has enhanced capabilities, including stealing screen content and employing overlay attacks.

    Defense Measures and Advice

    This SpyLoan incident is not alone but part of a broader scheme dating back to 2020. It adds to over 300 Android and iOS apps uncovered last year. These apps also exploited users’ urgent need for quick cash, trapping them into predatory loan contracts and coercing them into granting access to sensitive information. To mitigate the risks posed by such spyware threats, users are advised to:

    • Validate the authenticity of offerings. It is not hard to disguise a rip-off as a genuine and beneficial deal. When it comes to financial operations, it is vital to check every element of the offered deal for catches. In some cases this is not enough, which is why I’d prefer the second option.
    • Do your research regarding the service provider. Regardless of how good the offer appears to be, it should come from a legitimate company. Any mismatches in the information, questionable testimonials, or outdated, abandoned or even absent websites are the signs of a bad deal, and a perfect reason to reconsider your plans to use their services.
    • Pay close attention to reviews and permissions before installation. Asking for excessive permissions is a classic trait of quite a few mobile malicious programs. People tend to click through permission pop-ups during installation, and that is what fraudsters rely on. Check what the app asks for and compare it with the program’s real functionality. Why would a financial app ever need continuous access to your microphone?
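
    The permission check from the last point can be done before installation rather than by eye. The script below is an added example, not code from the Gridinsoft post or from any of the apps named above: it reads a decoded AndroidManifest.xml (decoding the binary manifest with a tool such as apktool is assumed), lists every requested permission, and flags the ones that a lending app has no plausible need for. The "expected" set is our own assumption for a loan app, the sample manifest is constructed, and the package name is a placeholder.

```python
# Added example (not code from the Gridinsoft post): audit the permissions an
# app's AndroidManifest.xml requests against what a lending app plausibly needs.
# Assumes the manifest has already been decoded to plain XML (e.g. with apktool).
# The manifest below is constructed for illustration; the permission strings are
# real Android permission names, the package name is a placeholder.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a loan/fintech app can reasonably justify (our assumption, not a standard).
EXPECTED_FOR_LOAN_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",  # e.g. photographing an ID document
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.USE_BIOMETRIC",
}

# Dangerous permissions that give access to the data categories named in the post.
HIGH_RISK = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CALENDAR",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickcash.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str, expected=EXPECTED_FOR_LOAN_APP) -> dict:
    """Compare requested permissions with the expected set and flag high-risk extras."""
    perms = requested_permissions(manifest_xml)
    unexpected = sorted(p for p in perms if p not in expected)
    high_risk = sorted(p for p in unexpected if p in HIGH_RISK)
    return {
        "requested": perms,
        "unexpected": unexpected,
        "high_risk": high_risk,
        "verdict": "suspicious" if high_risk else "ok",
    }


if __name__ == "__main__":
    for key, value in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

    On the constructed manifest the verdict is "suspicious" because contacts, SMS, microphone and calendar access have nothing to do with issuing a loan; the same four permissions are exactly the data categories the SpyLoan apps were reported to harvest. The expected set is the part to adapt per app category.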

    SecuriDropper Bypasses Google Play & Android Defenses https://gridinsoft.com/blogs/securidropper-android-google-play/ Wed, 08 Nov 2023 22:09:24 +0000

    The post SecuriDropper Bypasses Google Play & Android Defenses appeared first on Gridinsoft Blog.
    SecuriDropper is a rare example of Android dropper malware that operates under the dropper-as-a-service (DaaS) model. This malware is raising significant concerns among experts due to its ability to bypass Google’s enhanced security measures and deliver a variety of malicious payloads.

    What is SecuriDropper Malware?

    SecuriDropper represents the latest evolution in the ever-changing world of cyber threats. It serves as a conduit for cybercriminals to distribute their malware efficiently and conveniently, which is the key point of the dropper-as-a-service model. This model lets threat actors separate the development and execution of an attack from the installation of the malware, a level of sophistication that is both concerning and challenging to combat.

    SecuriDropper process diagram
    Two-Stage Infection Process of SecuriDropper

    Dropper malware plays a crucial role in the cybercriminal ecosystem. It acts as a precursor tool designed to provide initial access to the target system. Its primary function is to download and install a malicious payload on the victim’s device, making it a valuable tool for threat actors. This strategic approach allows malicious actors to advertise their services to other criminal groups, creating a lucrative business model.

    Distribution of Malicious Payloads

    SecuriDropper has been observed distributing a range of malicious payloads, including Android banking trojans such as SpyNote and ERMAC. These trojans are often disguised as legitimate applications and are distributed through deceptive websites and third-party platforms like Discord. The resurgence of Zombinder, another Dropper-as-a-Service tool, has further amplified concerns about the distribution of malware payloads through sideloaded apps.

    SecuriDropper is a stark reminder that the fight against cyber threats is an ongoing and evolving battle. As Android continues to implement enhanced security measures, cybercriminals adapt and innovate, finding new ways to infiltrate devices and distribute malware. Dropper-as-a-Service platforms have become powerful tools for malicious actors, posing significant challenges to Android security.

    Android 13 Feature Blocks SecuriDropper

    Despite the rather gloomy statements above, things are not that bad. Users whose devices received the Android 13 update can counteract SecuriDropper on their own. The new feature, called Restricted Settings, does exactly what its name suggests to sideloaded applications.

    Restricted Settings Notifications
    Restricted Settings Warning Notifications

    As the dropper aims at obtaining excessive permissions, particularly Accessibility and Notification access, the feature blocks such permissions for sideloaded apps by default. This is, however, an Android 13-only feature, so users of earlier OS versions should be careful when granting permissions.

    Folks with the most recent updates should not be reckless either. There is always a chance of an infected app appearing in the Google Play Market, which defeats any trick aimed only at sideloaded apps. And since Google is slow to bring such security features to its official app source, it remains a source of threats.
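
    On devices that predate Android 13, or where the user has already clicked through the Restricted Settings warning, the combination the feature is meant to block can be checked by hand over adb. The script below is an added example, not code from the Gridinsoft post or from any vendor tool: it parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and lists packages that both hold an enabled accessibility service and were not installed by a known app store. The two output strings are constructed stand-ins, the package names are placeholders, and the set of store installers is our assumption to extend for a given OEM.

```python
# Added example (not code from the Gridinsoft post): find sideloaded packages
# that have an accessibility service enabled, the combination Android 13's
# Restricted Settings is designed to block. The two strings below are
# constructed stand-ins for the output of
#   adb shell pm list packages -i
#   adb shell settings get secure enabled_accessibility_services
# Package names are placeholders.
from typing import Dict, List, Optional, Set

PM_LIST_OUTPUT = """\
package:com.android.vending  installer=null
package:com.example.bank.placeholder  installer=com.android.vending
package:com.example.sidestream.placeholder  installer=null
package:com.example.filemgr.placeholder  installer=com.sec.android.app.samsungapps
package:com.example.dropper.placeholder  installer=com.android.packageinstaller
"""

ENABLED_A11Y_OUTPUT = (
    "com.example.sidestream.placeholder/.A11yService:"
    "com.example.dropper.placeholder/.AccessService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Installer packages that are app stores (assumption; extend for your OEM's store).
STORE_INSTALLERS: Set[str] = {
    "com.android.vending",
    "com.sec.android.app.samsungapps",
}


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package, or None when the installer is 'null'."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        fields = line.split()
        pkg = fields[0][len("package:"):]
        inst = fields[1][len("installer="):] if len(fields) > 1 else "null"
        installers[pkg] = None if inst == "null" else inst
    return installers


def parse_enabled_services(setting: str) -> Set[str]:
    """Return the packages owning each enabled accessibility service (pkg/Class entries)."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if "/" in entry}


def sideloaded_with_accessibility(pm_output: str, a11y_setting: str) -> List[str]:
    """Packages with accessibility enabled that did not come from a known store."""
    installers = parse_installers(pm_output)
    enabled = parse_enabled_services(a11y_setting)
    return sorted(
        pkg for pkg in enabled
        if pkg in installers and installers[pkg] not in STORE_INSTALLERS
    )


if __name__ == "__main__":
    for pkg in sideloaded_with_accessibility(PM_LIST_OUTPUT, ENABLED_A11Y_OUTPUT):
        print("review accessibility grant:", pkg)
```

    A hit is not proof of infection (screen readers and automation tools are legitimately sideloaded), but it is the short list worth reviewing under Settings > Accessibility, and a package installed by the plain package installer rather than a store is exactly the profile of a dropper payload.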

    How to Protect Yourself from SecuriDropper

    SecuriDropper is a sophisticated Android dropper-as-a-service malware that poses a significant threat to the security of Android devices. To protect yourself from this emerging threat and similar malware, follow these security measures:

    • Only download applications from official app stores like the Google Play Store. These platforms implement stringent security measures to ensure the safety of the apps they host.
    • Regularly update your Android device’s operating system and installed applications. Software updates often include security patches that address known vulnerabilities.
    • Install a reputable mobile security solution on your device. These security apps can help detect and remove threats like SecuriDropper from your device.
    • Be cautious when considering sideloaded apps obtained from unofficial sources. While sideloading offers access to a wider range of apps, it also presents security risks. Ensure you trust the source and origin of sideloaded apps.
    • Pay close attention to the permissions requested by apps during installation. Avoid granting unnecessary permissions to apps. For example, if a simple flashlight app requests access to your contacts and camera, it may be suspicious.
    • Regularly back up your important data to a secure location or cloud storage. This ensures you can recover your data in case of a malware infection.

    By following these security measures, you can reduce the risk of falling victim to SecuriDropper and other similar threats. Remember that staying vigilant and proactive in protecting your Android device is essential in today’s evolving threat landscape.

    Cloud Mining Scams Spread Banking Trojans https://gridinsoft.com/blogs/cloud-mining-scams-spread-banking-trojans/ Fri, 16 Jun 2023 11:06:12 +0000

    The post Cloud Mining Scams Spread Banking Trojans appeared first on Gridinsoft Blog.
    It’s no secret that cybercriminals have increasingly been using mobile platforms as an attack vector lately. One example is a new piece of Android malware that spreads through fake cloud mining services and targets cryptocurrency wallets and online banking apps. Analysts dubbed this banking trojan Roamer, though hackers may use other malware for such attacks.

    What are we talking about?

    The era of hype around crypto-mining is over, and the shortage of video cards and mining farms is a thing of the past. Today, cloud computing technology is making it possible to significantly lower the entry threshold into the world of crypto-mining. To start mining Bitcoin, for example, there is no need to buy expensive equipment. Instead, the user can rent computing power from cloud mining companies for a fee. Of course, scammers couldn’t stay away from this niche.

    The current fraudulent scheme is as follows: attackers create a phishing website that pretends to provide cloud mining services. Unsuspecting users end up on the website, where they are prompted to download a smartphone app. However, instead of the promised app, the user downloads malware that steals crypto wallet data and other valuable information from their device. It sounds too obvious to work, but the fact that it is being written about shows that it does.

    How the Cloud Mining Scams scheme works

    A team of researchers discovered a phishing website at hxxps://cloudmining[.]uk[.]com that looks like a cloud mining platform. The site has “Create Account” and “Sign In” buttons and links to download a mobile app from Google Play and the App Store for Android and iOS devices, respectively. However, the attackers use a trick: clicking the “Google Play” link does not take the user to the application page in the store; instead, a direct download of an .apk file named CloudMining.apk begins. An experienced user might notice how unusual this behavior is, but an ordinary user might not pay attention to it, and this is precisely the kind of oversight the attackers count on. After downloading the file, the victim gets a malicious software module that aims to steal confidential data from their device.

    Website with fake store buttons
    Visually, they look like real store buttons, but what they do does not match what they claim

    The Roamer Banking Trojan

    The “Roamer” banking trojan is malware that extracts sensitive information from infected devices. It targets various crypto wallets and banking applications. It is distributed through fraudulent websites and uses different themes, such as gaming or shopping mall names and icons. Once installed, the malware abuses the Accessibility Service to extract information from targeted applications. The malware targets the following cryptocurrency wallet and banking applications:

    • HDFC Bank Mobile Banking App
    • Bitso
    • OKX: Buy Bitcoin, ETH, Crypto
    • TokenPocket Wallet Crypto DeFi
    • TronLink Pro
    • Binance: BTC, Crypto, and NFTs
    • Coinbase: Buy Bitcoin & Ether
    • aelf Official Wallet
    • Bitpie Wallet
    • Trust: Crypto & Bitcoin Wallet
    • MB Bank
    • SafePal: Crypto Wallet BTC NFT
    • KuCoin: BTC, Crypto Exchange
    • Poloniex Crypto Exchange
    • MetaMask - Blockchain Wallet
    • SCB Mobile Banking
    • ACB One
    • VCB Digibank
    • PayPal - Send, Shop, Manage
    • MSB mBank
    • VietinBank iPay
    • Bybit: Buy Bitcoin, Trade Crypto
    • Huobi: Buy Crypto & Bitcoin
    • imToken: Crypto & DeFi Wallet

    The Roamer trojan steals sensitive data, including crypto wallet details and banking credentials. It automatically inserts the threat actor’s crypto address into the victim’s wallet app so that transfers go to the threat actor’s account. In addition, it collects SMS data, files, and location details from infected devices. It can open targeted apps, take screenshots, and initiate screen recording. Stolen data is transmitted to a C&C server.

    Telegram channel for phishing distribution

    Researchers also found an active Telegram channel that began its activity on May 15, 2023, and has more than 5 thousand subscribers. Presumably, the scammers use this channel to attract victims. The channel regularly publishes information about cloud mining schemes and distributes the phishing websites hxxps://cloud-miner[.]cc and hxxps://cloud-miner[.]top. Although the latter site has a different design, it is also part of the cloud mining scam and offers to download the previously mentioned smartphone app.

    Telegram post with phishing link
    A Telegram post that contains a phishing link

    Another phishing site

    These sites have “Sign in” and “Sign up” buttons to give them a realistic look, but they are not just decorative elements. Clicking on these buttons redirects the user to another phishing site, hxxps://cloud-mining[.]vip, which offers to create an account and mine Tron (TRX). After registering, the user is prompted to top up their wallet to start mining, a typical scam scheme. As you may have guessed, the top-up simply hands your funds to the scammers, since the site deliberately lacks any protection on its forms.

    Screenshot: the site asks to refill the account to start mining

    Safety tips

    The following are tips to help prevent unpleasant experiences with this cyber threat:

    • Only install software from official app stores. This is the Google Play Store for Android and, for iOS, the App Store. While this doesn't guarantee 100% protection against rogue apps, it significantly reduces the chances. Also, if you are an Android user, ensure that Google Play Protect is turned on.
    • Use biometric security features such as fingerprints or facial recognition to unlock your mobile device.
    • Use strong passwords, change them periodically, and use multifactor authentication wherever possible.
    • Update your device firmware and apps to the latest version to fix vulnerabilities and improve security.
    • Be wary of links from unknown senders in SMS, messengers, and emails. Don't click on them, especially if they are suspicious.
    • Never give anyone your banking information or confirmation codes, even if they pretend to be from a bank or other organization.

    Android Malware Mimics VPN, Netflix and Over 60k of Other Apps https://gridinsoft.com/blogs/android-malware-mimics-vpn-netflix-and-over-60k-of-other-apps/ Sun, 11 Jun 2023 15:19:11 +0000

    The post Android Malware Mimics VPN, Netflix and Over 60k of Other Apps appeared first on Gridinsoft Blog.
    Android is an open operating system, which is both an advantage and a disadvantage. Cybersecurity experts recently discovered a widespread Android malware campaign, and given its scale, it looks likely that it has been fully automated.

    A few words about Android malware

    As we know, the Android operating system is based on the Linux kernel. It was released in 2008, so malicious actors have had plenty of time to study it. Despite the misconception that there is no malware on Android, there is much more of it than we think. In fact, among all mobile operating systems, Android has become the prevalent target for malware creators. Researchers recently found more than 60,000 apps containing adware. While that is an impressive number, experts say there are far more. Additionally, this malware has been thriving for a long time because of the difficulty of detecting it.

    A key place where malware is spread is the Google Play Store. Sluggish moderation, together with lenient rules for app uploads, gives the crooks almost a carte blanche. Even though there is a security team that checks programs for malware, they physically cannot cope with the sheer volume of uploads to the platform. That is what makes the default, and trusted, application market for Android such a convenient spot for malware distribution.

    How does Android malware work?

    According to the analysis, the campaign pushes adware onto Android devices for profit. However, the main problem is that the attackers can quickly change tactics and redirect users to other types of malware, such as banking trojans that steal credentials and financial information, or ransomware.

    Hidden Android apps

    Since API 30, Google has removed the ability to hide app icons on Android once a launcher is registered. So, the malware relies on the user opening the app for the first time. After installation, the app may display a message such as “The app is unavailable in your region. Click “OK” to uninstall”. After clicking “OK,” the app closes but is not uninstalled. Since the malicious application has no icon in the launcher and uses a UTF-8 character as its label, it appears only in the list of installed applications, and by default at the very end of it, so the user is unlikely to notice it. The app registers actions to be triggered on boot or when the user interacts with the device, and the server can initiate the adware phase after an unknown time interval.
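
    Each of the hiding tricks in that paragraph leaves a trace in the app’s manifest, so they can be scored from a decoded AndroidManifest.xml before the app is ever opened. The script below is an added example, not code from the Gridinsoft post or from the researchers’ analysis: it checks for the absence of a MAIN/LAUNCHER entry, a label made entirely of invisible characters, and receivers for BOOT_COMPLETED and USER_PRESENT, and adds the indicators up. The manifest is constructed (decoding with apktool or a similar tool is assumed), and its package and class names are placeholders.

```python
# Added example (not code from the Gridinsoft post): score a decoded
# AndroidManifest.xml for the hiding tricks described above: no launcher
# entry, a label made only of invisible characters, and receivers that wake
# the app on boot or when the user unlocks the device. The manifest is
# constructed; the package and class names are placeholders.
import unicodedata
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hidden.placeholder">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="\u200b" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Unicode categories that render as nothing: format chars (zero-width space is Cf),
# control chars, separators and combining marks.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp", "Mn"}


def is_invisible_label(label) -> bool:
    """True when the label is empty or consists only of characters that render as nothing."""
    if label is None or label.startswith("@"):
        return False  # absent or a resource reference: cannot judge from the manifest alone
    return all(unicodedata.category(ch) in INVISIBLE_CATEGORIES for ch in label)


def has_launcher_entry(root) -> bool:
    """Does any activity or activity-alias declare a MAIN + LAUNCHER intent filter?"""
    for tag in ("activity", "activity-alias"):
        for component in root.iter(tag):
            for flt in component.iter("intent-filter"):
                actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
                categories = {c.get(ANDROID_NS + "name") for c in flt.iter("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in categories):
                    return True
    return False


def receiver_listens_for(root, action_name: str) -> bool:
    """Is there a <receiver> whose intent filter includes the given action?"""
    return any(
        a.get(ANDROID_NS + "name") == action_name
        for receiver in root.iter("receiver")
        for a in receiver.iter("action")
    )


def hidden_app_indicators(manifest_xml: str) -> dict:
    """Return each indicator as a bool plus a simple additive score."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(ANDROID_NS + "label") if app is not None else None
    indicators = {
        "no_launcher_entry": not has_launcher_entry(root),
        "invisible_label": is_invisible_label(label),
        "boot_receiver": receiver_listens_for(root, "android.intent.action.BOOT_COMPLETED"),
        "unlock_receiver": receiver_listens_for(root, "android.intent.action.USER_PRESENT"),
    }
    indicators["score"] = sum(indicators.values())
    return indicators


if __name__ == "__main__":
    print(hidden_app_indicators(SAMPLE_MANIFEST))
```

    The constructed manifest scores 4 of 4. None of the indicators is malicious on its own (a launcher widget or a sync service can legitimately lack a launcher entry or start at boot), but an app that shows all of them while having nothing the user can open is exactly the profile described above, and the score is cheap enough to run over every sideloaded APK.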

    Hidden app screenshot
    Application without an icon and a name at the very end of the list

    Adware behavior

    When the user unlocks the phone, the application fetches an adware URL from the server and uses the mobile browser to load the ad. The application uses one of the bundled adware libraries to render a full-screen WebView with an ad. It serves links, notifications and full-screen videos, opens tabs in browsers, and more. During monitoring, researchers observed the application loading ads from the following domains.

    • ehojam[.]com
    • publisher-config.unityads.unity3d[.]com
    • googleads.g.doubleclick.net
    • adc-ad-assets.adtilt[.]com
    • wd.adcolony[.]com
    • adservice.google[.]com
    • gogomeza[.]com
    • konkfan[.]com
    • httpkafka.unityads.unity3d[.]com
    • auction-load.unityads.unity3d[.]com
    • kenudo.net
    • config.unityads.unity3d[.]com
    • pagead2.googlesyndication[.]com
    • beahor[.]com
    • adc3-launch.adcolony[.]com

    It is worth noting that these domains are not necessarily malware-related.

    Malicious full-screen ads screenshot
    Malicious full-screen ads

    Redirect

    Furthermore, modified versions of official applications may redirect the user to malicious websites. For example, when users open a “modded” app and search for something in Google, they may be redirected to a random ad page. Sometimes these pages pretend to offer the desired mod as a download, but what they serve is malware. In one observed case, a user opened hXXp://crackedapk[.]com/appcoins-wallet-mod-apk/download1/website and was immediately redirected to hXXp://1esterdayx[.]com/worjt1e6a5efdf4388a83865ddce977639e28e199d821e?q=appcoins%20wallet%20mod%20apk%20v2.9.0.0%20(free%20purchased/premium%20cracked), a website designed to spread malware.

    How did Android malware end up on my smartphone?

    First, let us look at how an app can get onto a user’s smartphone. There are several ways to install an app:

    1. Play Store. This method is the safest and most recommended, because the download comes from an official source.
    2. Third-party sites and sources. This method allows you to install any app downloaded from any site or obtained elsewhere.
    3. A zero-day vulnerability. As the name suggests, this is a flaw that attackers have found but the developers do not yet know about. This is how the Pegasus spyware was spread.

    Although all three variants can deliver a malicious application, in the first case the malicious application is likely to be removed sooner or later. However, the adware apps in question were not available on Google Play or other official stores. This means the attackers found another way to convince people to install them. Since Android allows you to install any app from any source, the attackers disguised the malware as highly sought-after programs. Often these are apps that cannot be found in official stores, or apps that mimic real ones published on the Play Store. Most often, the malicious applications are disguised as:

    • Games with unlocked features
    • Game cracks
    • Cracked utility programs
    • YouTube/Instagram without ads
    • Free VPN
    • Fake videos
    • Fake tutorials
    • Fake security programs
    • Netflix

    Since modified applications are a hot commodity, there are entire websites devoted to these applications. Usually, these are the original applications with unlocked functionality or with a lot of game currency. In addition, these sites may contain applications that are visually similar to the real thing. Of course, the download pages may have fake positive reviews and high ratings.

    Safety recommendations

    The best advice for Android users is to install apps only from the official app store. Also, pay attention to the permissions that an app asks for. For example, suppose you have installed a flashlight app and it asks for access to your phonebook and geolocation; there is every reason to believe it is malware. Don’t download or install any hacked apps. You can also use our Android scanner to check your device for malware.

    Android Malware With Almost 500M Downloads Resides in Google Play https://gridinsoft.com/blogs/android-malware-scored-500-million-downloads-google-play/ Thu, 01 Jun 2023 11:12:39 +0000

    The post Android Malware With Almost 500M Downloads Resides in Google Play appeared first on Gridinsoft Blog.
    Millions of Android users may be at risk of a cyberattack because of an Android malware module present, in multiple modifications, on Google Play. In a recent blog post, Dr. Web reported on the trojan module “Android.Spy.SpinOk”. The module is distributed via a marketing software development kit (SDK) in 101 Google Play applications with over 421,290,300 downloads in total.

    How does the SDK work?

    The module is designed to engage users through mini-games, tasks, prizes, and reward drawings. However, upon activation, this malicious SDK connects to a command and control (C&C) server and sends technical details about the affected device. These details include data from Android device sensors like the gyroscope and magnetometer. The attackers can use this data to determine whether the malware is running in a sandbox environment of the kind security researchers use to study potentially harmful Android apps. The trojan module also ignores the device proxy settings, allowing it to conceal its network connections when security teams analyze it.

    How an SDK works
    SDK operation scheme

    What do the experts say?

    According to Dr. Web, the trojan SDK can execute JavaScript code on web pages containing ads. This allows it to perform various functions, such as obtaining files from the device and copying or substituting clipboard contents. The problem is that many mobile app developers do not thoroughly check the capabilities of the SDKs they integrate into their apps. Malicious actors take advantage of this, which makes their code hard to detect. Mobile-focused tools that cover both static and dynamic analysis are needed to combat this. In addition, the threat actors focus on a niche of Android games that allegedly make money for the player, possibly to observe the transfer of funds or to exploit specific files.

    Bud Broomhead, CEO at Viakoo, notes that the 421 million-plus downloads figure must accurately reflect how many devices are impacted. Wi-Fi usage may offer some protection, but multiple layers of network security are necessary to reduce significant data exfiltration incidents.

    How to protect your device from this SDK?

    To protect your device, it is important to update infected apps to the latest version available on Google Play. This will ensure that the app is clean and safe to use. If the app is unavailable on the Google Play Store, it is best to uninstall it immediately. After uninstalling, scan your device with a mobile antivirus to ensure that all traces of the spyware have been removed.
