Android Malware Archives – Gridinsoft Blog

BadPack Malware for Android Parasites on APK Installers
https://gridinsoft.com/blogs/badpack-malware-for-android/
Wed, 17 Jul 2024
New research reveals a novel approach to hiding malware in APK installers. Adversaries malform the file headers inside the archive, which both circumvents protection tools and makes analysis much harder than usual. Use of this trick peaked in May 2024, but it has not gone away and may spike again at any time.

BadPack Malware Abuses AndroidManifest File

The detailed paper on BadPack describes a rather unusual analysis-evasion tactic. Threat actors tamper with the internals of the APK file in a way that breaks debugging and reverse-engineering tools and blocks real-time analysis. At the same time the file remains a functional ZIP archive: it still carries a set of compressed files that are completely intact and ready for the attack.

The central piece is AndroidManifest.xml, the cornerstone of any APK: it tells the system how to treat the package during installation and execution. The attackers modify the APK so that the manifest cannot be extracted correctly by standard tools, and that is what blocks most security tools from detecting the attack.

Among the fields they play with are the compression method and size values in the ZIP headers that describe how each entry is stored. Reporting one compression method in the header while the entry actually uses another, or giving a wrong size, is enough for the evasion trick, yet the Android runtime still installs and runs the file as if it were perfectly fine. That is the real reason for concern: it is a design flaw in the way Android parses the archive. Analysis tools that check the headers more strictly fail to process the malicious file; Android does not.

Example of a malformed file header, as given in the Unit 42 paper (values preserved):

    Local File Header - Fields
    Compression method = 0 (STORE)
    Compressed size = 41192 - should be 14417
    Uncompressed size = 41192
    Data = \x00\x00\x08\x00 ...
    Central Directory File Header - Fields
    Compression method = 0 (STORE)
    Compressed size = 41192 - should be 14417
    Uncompressed size = 41192

Both records declare the manifest as STORE with a compressed size equal to the uncompressed size, while the real compressed size of 14417 bytes implies the data is in fact compressed. The leading data bytes also do not match the 03 00 08 00 chunk header (type 0x0003, header size 8) that a binary AndroidManifest.xml normally starts with. A parser that trusts these fields literally reads garbage; a parser that validates them bails out with an error.
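A checker for this kind of header tampering, as an added example that is not part of the original post or of the Unit 42 research. It walks the ZIP central directory with struct, compares each record with its local file header, and then verifies that the bytes on disk really match the declared compression method and CRC; an entry declared STORE whose bytes inflate as a raw DEFLATE stream to the recorded CRC is reported with its real compressed size. The sample archive is constructed inside the block (a tiny DEFLATE-compressed manifest plus a dummy classes.dex), then patched the way the header example above describes; the package name and contents are made up.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG, CD_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def central_directory(buf):
    """Yield one dict per entry, read from the central directory at the end of the archive."""
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    hdr = struct.unpack_from("<4s4H2IH", buf, eocd)
    pos = hdr[6]                                   # offset of the central directory
    for _ in range(hdr[4]):                        # total entry count
        f = struct.unpack_from("<4s6H3I5H2I", buf, pos)
        if f[0] != CD_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        yield {"name": buf[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"),
               "flags": f[3], "method": f[4], "crc": f[7], "csize": f[8], "usize": f[9],
               "lfh_off": f[16], "cd_pos": pos}
        pos += 46 + name_len + extra_len + comment_len

def inflate_raw(data):
    """Inflate a raw DEFLATE stream; return (output, bytes_consumed) or None if it is not one."""
    d = zlib.decompressobj(-15)
    try:
        out = d.decompress(data)
    except zlib.error:
        return None
    return (out, len(data) - len(d.unused_data)) if d.eof else None

def audit_zip(buf):
    """List header inconsistencies of the kind BadPack relies on; an empty list means consistent."""
    findings = []
    for e in central_directory(buf):
        name = e["name"]
        l = struct.unpack_from("<4s5H3I2H", buf, e["lfh_off"])
        if l[0] != LFH_SIG:
            findings.append(f"{name}: central directory points at a non-LFH offset {e['lfh_off']}")
            continue
        if l[3] != e["method"]:
            findings.append(f"{name}: LFH method {l[3]} != central directory method {e['method']}")
        # With the data-descriptor flag (bit 3) set, the LFH legitimately carries zero CRC/sizes.
        if not (l[2] & 0x08) and (l[6], l[7], l[8]) != (e["crc"], e["csize"], e["usize"]):
            findings.append(f"{name}: LFH CRC/size fields differ from the central directory")
        start = e["lfh_off"] + 30 + l[9] + l[10]   # data follows the fixed header, name and extra field
        data = buf[start:start + e["csize"]]
        if e["method"] == 0:                       # STORE: bytes on disk must be the file itself
            if zlib.crc32(data) != e["crc"]:
                inflated = inflate_raw(data)
                if inflated and zlib.crc32(inflated[0]) == e["crc"]:
                    findings.append(f"{name}: header says STORE but data is DEFLATE "
                                    f"(real compressed size {inflated[1]}, header says {e['csize']})")
                else:
                    findings.append(f"{name}: STORE data does not match the recorded CRC")
        elif e["method"] == 8:                     # DEFLATE
            inflated = inflate_raw(data)
            if inflated is None or zlib.crc32(inflated[0]) != e["crc"]:
                findings.append(f"{name}: DEFLATE data does not inflate to the recorded CRC")
        else:
            findings.append(f"{name}: unusual compression method {e['method']}")
    return findings

def stdlib_can_read(buf, name="AndroidManifest.xml"):
    """True if Python's zipfile (a strict parser, like many analysis tools) extracts the entry."""
    try:
        zipfile.ZipFile(io.BytesIO(buf)).read(name)
        return True
    except (zipfile.BadZipFile, zlib.error, EOFError):
        return False

def build_samples():
    """Constructed test data: a clean APK-like ZIP and a copy with BadPack-style tampered headers."""
    manifest = (b'<?xml version="1.0"?><manifest package="com.example.sample">'
                b'<application android:label="Sample"/></manifest>') * 40
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("AndroidManifest.xml", manifest, compress_type=zipfile.ZIP_DEFLATED)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64, compress_type=zipfile.ZIP_STORED)
    clean = out.getvalue()
    bad = bytearray(clean)
    for e in central_directory(clean):
        if e["name"] != "AndroidManifest.xml":
            continue
        # Field offsets: method at +8 (LFH) / +10 (CD), compressed size at +18 (LFH) / +20 (CD).
        for base, method_at, csize_at in ((e["lfh_off"], 8, 18), (e["cd_pos"], 10, 20)):
            struct.pack_into("<H", bad, base + method_at, 0)            # claim STORE
            struct.pack_into("<I", bad, base + csize_at, e["usize"])    # compressed size := uncompressed
    return clean, bytes(bad)
```

On the clean archive audit_zip returns nothing and zipfile extracts the manifest; on the tampered copy zipfile fails, while audit_zip reports that the manifest is declared STORE but its bytes inflate cleanly, together with the real compressed size. The point of the data-descriptor check is to avoid false positives: archives written to a stream legitimately leave the local header's CRC and sizes at zero, so only the central directory values are authoritative there.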

How Threatening is BadPack Malware?

BadPack is a concerning find, and Palo Alto Networks’ Unit 42 did a great job describing every bit of the attack. The trick undermines the typical Android safety steps you read about on websites: uploading the file to an online scanner, or poking around in the code with a local tool if you are savvy enough, returns either a clean result or an error. In many cases that is enough to make the user think “well, it is probably alright” and run the malicious file.

There is also the question of which malicious software will adopt this practice. Nothing stops any kind of cybercriminal from weaponizing this flaw to stay under the radar, and Android is very much a target: plenty of malware families target this OS specifically. Typically these are backdoors that form huge botnets, which then perform DDoS attacks or crypto mining.

In attacks on personal devices rather than IoT hardware, spyware comes into play. It is common to see this malware type packed into sketchy APK files downloaded from third-party sites, and with BadPack there is hardly any way to detect the threat before it is too late.

How to protect your smartphone?

With all the problems just described, the only really practical way to avoid BadPack is to stay away from questionable Android software sources. Sites offering cracked games, “useful utilities” and similar less-than-trustworthy stuff are #1 in this category. Also be diligent about the permissions you grant to an app. For all the tricks described, the malware still has to run as a regular app and request the corresponding permissions, so a weather forecast app asking to send SMS or read your phone book should be a huge red flag.

Android Malware Mimics VPN, Netflix and Over 60k of Other Apps
https://gridinsoft.com/blogs/android-malware-mimics-vpn-netflix-and-over-60k-of-other-apps/
Sun, 11 Jun 2023
Android is an open operating system, which is both an advantage and a disadvantage. Security researchers recently discovered a widespread Android malware campaign, and given its scale it looks likely to be fully automated.

A few words about Android malware

As we know, the Android operating system is based on the Linux kernel. It was released in 2008, so malicious actors have had plenty of time to study it. Despite the misconception that there is no malware on Android, there is much more of it than most people think; among mobile operating systems, Android is the prevalent target for malware authors. Researchers recently found more than 60,000 apps containing adware, and experts say the real number is far higher. Such malware has also thrived for a long time because it is hard to detect.

A key place where malware spreads is the Google Play Store. Sluggish moderation together with lenient upload rules give crooks almost carte blanche. There is a security team that checks programs for malware, but it physically cannot cope with the sheer volume of uploads. That is what makes the default, trusted application market for Android such a convenient spot for malware distribution.

How does Android malware work?

According to the analysis, the campaign pushes adware onto Android devices for profit. The main problem, however, is that the attackers can quickly change tactics and redirect users to other kinds of malware, such as banking trojans that steal credentials and financial information, or ransomware.

Hidden Android apps

Since API level 30, Android no longer lets an app hide its launcher icon once it has registered a launcher activity, so the malware relies on the user opening the app for the first time. After installation the app may display “The app is unavailable in your region. Click “OK” to uninstall”. Clicking “OK” closes the app but does not uninstall it. Because the malicious application has no launcher icon and uses a UTF-8 character as its label, it shows up only in the list of installed applications, and by default at the very end of that list, where the user is unlikely to notice it. The app registers receivers that fire on boot or when the user interacts with the device, and the server can start the adware phase after an arbitrary interval.

Screenshot: application without an icon or a name at the very end of the installed apps list
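A way to triage a device for apps of exactly this shape (installed, no launcher entry, wakes itself on boot or unlock), as an added example that is not part of the original post. It parses the text printed by `adb shell pm list packages -3`, `adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER` and `adb shell dumpsys package <pkg>`; the sample output embedded below is constructed to imitate that format, not captured from a device, and the package names in it are made up (check the exact command syntax on your Android version). A package with no launcher activity is normal for keyboards, plugins and background services, so treat the result as a triage list, not a verdict.

```python
import re

# All sample output below is constructed for this example to imitate the format of the
# real adb commands named in the comments; it was not captured from a device.

# adb shell pm list packages -3
PM_LIST_PACKAGES_3 = """\
package:com.whatsapp
package:com.example.weather
package:com.xn.qwjz
"""

# adb shell cmd package query-activities --brief \
#     -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
LAUNCHER_ACTIVITIES = """\
3 activities found:
  com.android.settings/.Settings
  com.whatsapp/.Main
  com.example.weather/.MainActivity
"""

# adb shell dumpsys package com.xn.qwjz  (receiver resolver table excerpt)
DUMPSYS_BY_PACKAGE = {
    "com.xn.qwjz": """\
Receiver Resolver Table:
  Non-Data Actions:
      android.intent.action.BOOT_COMPLETED:
        3f2a1c0 com.xn.qwjz/.BootReceiver filter 5d1e2b9
      android.intent.action.USER_PRESENT:
        3f2a1c0 com.xn.qwjz/.UnlockReceiver filter 77a0c31
""",
}

# Broadcasts that let an app with no visible entry point start itself.
WAKEUP_ACTIONS = {"android.intent.action.BOOT_COMPLETED", "android.intent.action.USER_PRESENT"}


def parse_packages(text):
    """Package names from `pm list packages` output."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", text, re.M)}


def parse_launcher_packages(text):
    """Packages that export a MAIN/LAUNCHER activity, from `query-activities --brief` output."""
    return {m.group(1) for m in re.finditer(r"^\s+([\w.]+)/\S+", text, re.M)}


def parse_receiver_actions(text):
    """Map broadcast action -> receiver components from a dumpsys receiver resolver table."""
    actions, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^\s+([\w.]+):$", line)        # e.g. "      android.intent.action.BOOT_COMPLETED:"
        if header:
            current = header.group(1)
            actions.setdefault(current, [])
            continue
        entry = re.match(r"^\s+\w+\s+([\w.]+/\S+)\s+filter", line)  # "  <id> pkg/.Receiver filter <id>"
        if entry and current:
            actions[current].append(entry.group(1))
    return actions


def triage(pm_text, launcher_text, dumpsys_by_package):
    """Return {package: [reasons]} for third-party packages that look like hidden, self-starting apps."""
    launcher = parse_launcher_packages(launcher_text)
    suspects = {}
    for pkg in sorted(parse_packages(pm_text)):
        reasons = []
        if pkg not in launcher:
            reasons.append("no MAIN/LAUNCHER activity")
        actions = parse_receiver_actions(dumpsys_by_package.get(pkg, ""))
        for action in sorted(WAKEUP_ACTIONS & set(actions)):
            reasons.append(f"receiver for {action}")
        if reasons:
            suspects[pkg] = reasons
    return suspects


if __name__ == "__main__":
    for pkg, reasons in triage(PM_LIST_PACKAGES_3, LAUNCHER_ACTIVITIES, DUMPSYS_BY_PACKAGE).items():
        print(pkg, "->", "; ".join(reasons))
```

Only com.xn.qwjz ends up on the list: it is a third-party package with no launcher activity and receivers for both BOOT_COMPLETED and USER_PRESENT, which is the combination the campaign above uses to survive without an icon. Packages that merely lack a launcher entry, or merely listen for boot, deserve a look but are often legitimate.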

Adware behavior

When the user unlocks the phone, the application fetches an adware URL from the server and loads the ad, either in the mobile browser or in a full-screen WebView rendered by one of the bundled adware libraries. It serves links, notifications, full-screen videos, open browser tabs and more. During monitoring, researchers saw the application load ads from the following domains.

  • ehojam[.]com
  • publisher-config.unityads.unity3d[.]com
  • googleads.g.doubleclick[.]net
  • adc-ad-assets.adtilt[.]com
  • wd.adcolony[.]com
  • adservice.google[.]com
  • gogomeza[.]com
  • konkfan[.]com
  • httpkafka.unityads.unity3d[.]com
  • auction-load.unityads.unity3d[.]com
  • kenudo[.]net
  • config.unityads.unity3d[.]com
  • pagead2.googlesyndication[.]com
  • beahor[.]com
  • adc3-launch.adcolony[.]com

Worth noting: these domains are not necessarily malware-related. Several of them belong to legitimate ad networks (Unity Ads, Google, AdColony) that the adware simply abuses for monetization, so they are poor blocking indicators on their own.

Screenshot: malicious full-screen ads

Redirect

Furthermore, modified versions of official applications may redirect the user to malicious websites. For example, when users open a “modded” app and search for something in Google, they may be redirected to a random ad page. Sometimes these pages pretend to offer the desired mod as a download, but what they serve is malware. In one observed case the user opened hXXp://crackedapk[.]com/appcoins-wallet-mod-apk/download1/website and was immediately redirected to hXXp://1esterdayx[.]com/worjt1e6a5efdf4388a83865ddce977639e28e199d821e?q=appcoins%20wallet%20mod%20apk%20v2.9.0.0%20(free%20purchased/premium%20cracked), a site designed to spread malware.

How did Android malware end up on my smartphone?

First, consider how an app can get onto a user’s smartphone. There are three ways:

  1. Play Store. This is the safest and most recommended route, because the download comes from an official source.
  2. Third-party sites and sources. Android lets you install any app downloaded from any site or obtained elsewhere (sideloading).
  3. Zero-day vulnerability. As the name suggests, a vulnerability the attackers know about but the developers do not. This is how Pegasus spyware is delivered.

Although all three routes can deliver a malicious application, in the first case it is likely to be removed sooner or later. The adware apps in this campaign, however, were not available on Google Play or any other official store, which means the attackers found another way to convince people to install them. Since Android allows installation from any source, the attackers disguised the malware as highly sought-after programs: apps that cannot be found in official stores, or look-alikes of real ones published on the Play Store. Most often the malicious applications were disguised as:

  • Games with unlocked features
  • Game cracks
  • Cracked utility programs
  • YouTube/Instagram without ads
  • Free VPN
  • Fake videos
  • Fake tutorials
  • Fake security programs
  • Netflix

Since modified applications are a hot commodity, entire websites are devoted to them. Usually these are the original applications with unlocked functionality or a lot of in-game currency. Such sites may also host applications that merely look like the real thing, and the download pages may carry fake positive reviews and high ratings.

Safety recommendations

The best advice for Android users is to install apps only from the official app store. Also pay attention to the permissions an app asks for: if a flashlight app wants access to your phonebook and location, there is every reason to believe it is malware. Don’t download or install hacked apps. You can also use our Android scanner to check your device for malware.

Android Malware. Is Malware on Android Phone Possible?
https://gridinsoft.com/blogs/android-malware/
Wed, 14 Dec 2022
Android malware is the common name for all malicious software that runs on Android. The OS is found not only on phones but also on a large number of IoT and embedded devices: smart TVs, set-top boxes and appliances such as smart fridges and coffee machines run Android or Android-derived builds and are exposed to the same malicious programs. What Android malware is, how to detect it and how to clean your device – let’s figure that out.

What is Android malware?

Generally speaking, the term malware already says a lot about what such software does: programs that perform malicious activity on the attacked device, anything from stealing personal information and spying on the user to spamming advertisements all over the screen. The difference from computer malware, at a glance, is that it is written and compiled for Android. Being Linux-based, Android has system calls and security mechanisms that differ from those of Windows, but that does not change the picture much.

Diagram: difference between UNIX and Windows system organisation

The biggest contrast between Windows and Android malware is how it spreads. Trojans exist on both platforms, but their share is not equal. While most Windows malware arrives as a small executable that hides somewhere in the system, Android malware generally takes the trojan form of a seemingly legitimate app, and such apps are available directly from the Google Play Store, the default place to get apps for Android phones. A smaller share is spread on forums as third-party packages installed manually, and those are usually the most dangerous.

How dangerous is Android malware?

Same as any other malware. Properties of malicious software types remain the same, regardless of the platform they are launched on. Adware will flood your phone or tablet with numerous banners that will pop up at the most inconvenient moment. Rogue apps will spam you with numerous alerts regarding non-existing issues. Backdoors will grant control of your device to a third party. Stealers and spyware grab any possible kind of information about you and your device.

The latter two categories deserve a separate description, since they are among the most widespread. Phones and tablets hold a huge amount of personal information: while a PC may hold confidential data related to your job, a smartphone keeps your very personal data. Hence, aiming spyware at smartphones is far more effective and profitable.

Android malware forms

As mentioned above, the most common form of Android malware is a trojan: a disguise as a legitimate app that deceives users into installing it. Google Play Store moderation is rather poor, and cybercriminals exploit that with pleasure. Some malware remains listed months after being detected and reported to the Google team, and it is hard to distinguish from regular programs, because threat actors never disdain review spoofing.

Screenshot: malicious program in the Play Store; despite numerous reports, it remains listed

Another thing that makes creating malicious applications for Android easier is Android Studio. It is a free, user-friendly IDE with project templates and a visual layout editor, so producing a passable app takes little time and little Java or Kotlin knowledge. That is convenient when you want something just for your own use, and it is equally convenient for scoundrels who need a quick disguise for their malicious payload. Nonetheless, the most famous and dangerous Android malware examples usually feature well-designed interfaces rather than template-built craft.

Most often disguises

Family trackers, alternative clients for messengers, navigation apps and basic utilities are apps we tend to trust. At the same time, they naturally require access to functions that are useful for malicious purposes: tracking the device location, reading your chats and social media accounts. Are you sure the developers use them properly? Being paranoid about your privacy is no good either, but every user should weigh the risk of using no-name apps.

In some cases, malicious programs ask for rights that do not fit their declared functionality. An engineering calculator can barely make use of your gallery, and photo editing software should not be able to make calls. Such obvious misuses are rare, though; most of the time attackers mask their access to your confidential information behind a request that looks legitimate.

Here are the most common app types that crooks use as a disguise:

  • GPS tracking software;
  • Navigation apps;
  • SMS spam filters;
  • Alternative clients for Messenger, WhatsApp, Telegram, Twitter, etc.;
  • Alternative contact books;
  • Photo editing apps;
  • Utilities for gaining root access.
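A check for the permission mismatch described in the two paragraphs above (the same red flag the BadPack and 60k-apps posts close on: a flashlight or weather app asking for SMS or contacts), as an added example that is not part of the original post. It reads an AndroidManifest.xml already decoded to text, as apktool produces it, and reports sensitive permissions that an app of the declared kind has no use for, plus services or receivers that bind the accessibility-service or device-admin permission. The SENSITIVE and EXPECTED tables are illustrative choices for this example, not an Android policy, and both manifests are constructed, not taken from real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that give an app reach well beyond what a typical consumer utility needs.
SENSITIVE = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.BIND_DEVICE_ADMIN",
}

# What an app of a given kind plausibly needs. Illustrative table for this example, not an Android policy.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},
    "weather": {"android.permission.INTERNET", "android.permission.ACCESS_COARSE_LOCATION",
                "android.permission.ACCESS_FINE_LOCATION"},
    "messenger": {"android.permission.INTERNET", "android.permission.READ_CONTACTS",
                  "android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
}


def requested_permissions(root):
    """Every <uses-permission android:name=...> in the manifest."""
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def privileged_bindings(root):
    """(component, permission) for services/receivers guarded by a system-only binding permission."""
    return [(e.get(ANDROID_NS + "name"), e.get(ANDROID_NS + "permission"))
            for tag in ("service", "receiver") for e in root.iter(tag)
            if e.get(ANDROID_NS + "permission") in SENSITIVE]


def audit_manifest(xml_text, purpose):
    """Return human-readable red flags for a decoded manifest of an app claiming to be `purpose`."""
    root = ET.fromstring(xml_text)
    expected = EXPECTED.get(purpose, set())
    findings = [f"requests {perm}, which a {purpose} app has no use for"
                for perm in sorted((requested_permissions(root) & SENSITIVE) - expected)]
    findings += [f"component {comp} binds {perm}"
                 for comp, perm in privileged_bindings(root) if perm not in expected]
    return findings


# Constructed manifests (in the form apktool decodes them to), not taken from any real app.
FLASHLIGHT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

MESSENGER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Chat">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for line in audit_manifest(FLASHLIGHT_MANIFEST, "flashlight"):
        print("flashlight:", line)
    print("messenger:", audit_manifest(MESSENGER_MANIFEST, "messenger") or "no red flags")
```

The messenger manifest asks for contacts and the microphone, which is what a messenger does, so it produces no findings; the "flashlight" asks for SMS, contacts and the right to install packages and ships an accessibility service, which is the profile of a dropper or banker rather than a torch. Note the check runs on the decoded manifest, so an APK of the BadPack kind has to be repaired first: the manifest a tool cannot extract cannot be audited.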

How is Android malware promoted?

Creating the app and uploading it to the Google Play Store is only part of the distribution process; to make victims download the malware, crooks have to promote it. The most common channels are banners in other apps and offers on forums. Other methods include browser redirects with an offer to install “a very popular app”. The motivations and tricks vary, but the sole purpose is to make the user press the “Install” button in the Play Store.

Screenshot: malicious pop-up that offers to install a “recommended” program

Malware that takes a more concealed form, without a visible app, usually reaches users’ devices through third-party sources. Unlike iOS, Android lets users install application packages from wherever they get them. That is a serious risk, because it lets you voluntarily download and install malware on your phone.

Some really rare malware relies on vulnerability exploitation, and in those cases users are pretty much helpless. Researchers have seen cases where it was enough to send a message in a social network and a vulnerable app (or third-party client) executed malicious code on its own. Most cases, however, do not use zero-click exploits and prefer more accessible routes; social engineering remains a very effective way to make the victim act as the attackers want.

Most notorious examples of malware for Android

Among the hundreds of thousands of malware samples, only a few are worth mentioning. Let’s have a look at those that gained fame.

Flubot Stealer

Flubot is a stealer that became famous for the way it spreads. To deliver it, hackers used SMS phishing that mimicked package delivery notifications. The messages contained a link to download the malware plus a text or voice message instructing victims to follow the link. After a successful installation, Flubot accesses the phone book and starts sending the same messages to new victims, which made its spread exponential. Such behaviour is similar to that of network worms, with the only difference that the latter usually self-propagate via email.

Screenshot: pop-up that Flubot uses to install itself

Typical targets on the infected device are banking and cryptocurrency credentials, so a Flubot infection can end in large financial losses. Even though Europol managed to take down the key group of distributors, it still appears here and there.

Joker

Joker is a fairly old malware family that appeared back in 2017. It has received different classifications, from spyware to adware and fleeceware (a sub-type of unwanted programs). The key danger it carries is hidden subscriptions the victim agrees to unknowingly. Joker shows dozens of pop-ups offering the user a reward for quizzes they never took part in; clicking through the sites the malware throws at the victim signs them up to various paid online services, which then flood the device with yet more junk. In short, Joker makes its victims pay for their own misery.

This malware spreads through spoofed apps in the Play Store. Crooks may create a stand-alone disguise or mimic well-known applications, copying their name and description. Many apps carrying Joker passed 100,000 installations, which gives an idea of its reach.

xHelper Downloader

First seen in March 2019, xHelper proved to be a tough nut. Unlike many other malware examples, it featured anti-detection and anti-removal capabilities that made it hard to deal with; it integrated so deeply into the system that even a factory reset did not remove it. By the end of 2019 it was enormously widespread and was listed as the most prevalent Android malware. In its first six months, xHelper scored over 45,000 victims.

The key functionality of this malware is delivering other malware to the attacked device, generally spyware samples; access to the network of infected devices was sold on the darknet. Some versions also took a less concealed approach and spammed victims with advertisements. Malware analysts confirm these were functions of xHelper itself, not of the malware it delivered.

It has been distributed in different forms, both as trojan apps in the Play Store and as a stand-alone file. One of the most popular disguises in 2019 was a New2048HD game. Rascals try to ride every trend, so expect it under other disguises too.

Screenshot: app that spread xHelper in the Play Store

Pegasus Spyware

One of the most infamous pieces of malware, developed by the Israeli company NSO Group. It was designed as a government-grade spying tool for intelligence and law-enforcement agencies, and it targets both Android and iOS. NSO sells it to governments of different countries; over 40 countries around the globe reportedly use it. The developer signs a contract with each customer covering how the malware may be applied. Chrysaor is the name researchers gave to the Android variant of Pegasus, essentially the same thing adjusted to work on Android.

Functionally it is a classic example of professionally made spyware. It can track location, extract all kinds of files, read chats and SMS messages, access galleries and record calls. For real-time information about the victim, Pegasus can enable the microphone and cameras. Overall, getting this thing on your device means your private information is no longer private.

How does Pegasus work?

The ways Pegasus operators deliver it are as sophisticated as the malware itself. The key element is exploits for vulnerabilities in operating systems and application software. Main entry points were vulnerable link handling in default messaging apps and flaws in WhatsApp, which made it possible to implant Pegasus without any interaction from the user.

Teabot RAT

Teabot is the youngest malware example in this list. It first appeared at the dawn of 2021, though its peak activity began a year later, in February 2022. This remote-access trojan can record the victim’s screen and steal credentials, mainly for banking, insurance accounts and cryptocurrency wallets. It features some anti-detection measures, mainly string obfuscation.

Teabot’s distribution is somewhat similar to Joker’s, with one difference: instead of downloading a program that contains Teabot, victims get a dropper. The dropper tricks the user into allowing the app to install .apk files from unknown sources, then asks for an “update”, which actually contains the payload. Early samples, however, were spread primarily through smishing, without the dropper stage.

Eventbot Banker

Eventbot is rather unusual in how it gets at users’ data. Analysts first spotted it around March 2020, and it is still active. This banking trojan works as a keylogger, but in its own way: to extend its reach within the system, Eventbot tricks the user into granting it accessibility permissions. Those let the trojan watch banking apps and capture the login credentials as the user enters them, through accessibility events rather than a conventional keyboard hook. With this approach the malware can attack over 180 mobile banking apps worldwide, including Barclays, Revolut, HSBC UK, Coinbase and PayPal.

Diagram: Eventbot accessibility-service abuse

The way it gets onto the device is also interesting. First, it appears as an ordinary app installed after an urgent request from a certain website; as you can guess, the request is completely fake. This pseudo-updater then asks for accessibility permissions and permission to run in the background. After that, Eventbot removes itself from the launcher, so there is no easy way to find and remove it manually.

How to avoid viruses on Android?

As you can see from the paragraphs above, most malicious programs for Android rely on user inattention. Computer malware does the same, though there are many more examples of it slipping in through exploits. Android differs in its internal structure and in what users typically do with it, which is why social engineering and low awareness are the prevalent vectors for Android malware. Hence, it is fairly easy to find ways to prevent this mess.

Never follow browser redirects. You may face a situation where clicking a link opens not just the page in your current tab but an additional tab with different content, or throws you to a completely different page, nowhere near what you expected. Legitimate, well-known sites never do that unless they have been compromised. Redirect pages commonly contain dubious offers, like installing certain apps or enabling pop-ups. Nothing useful comes of them.

Be sceptical about links in messages. Never trust messages with links from strangers. Even if a friend texts you but the message looks odd or out of character, check with them before following the link; you can never be sure the friend was not hacked. Opening such links and following the instructions they show is an even worse idea.

Use only trusted software. The Play Store contains an enormous number of applications, about 2.78 million. Considering all of them dangerous is wrong, but the vast majority will not be useful either. When you need decent software that will not violate your privacy or act as a downloader for malware, check forums and see what people advise; there are often threads about a specific app where you can get exhaustive information about it.

Use anti-malware software. Both sophisticated and crude Android malware can be stopped at an early stage, provided you have a proper anti-malware solution that scans your device regularly. The value of antivirus software for Android is often underestimated, but it is a useful addition to your phone security. Consider trying GridinSoft Trojan Scanner, a free antivirus for Android that scans your device with several detection engines without noticeable impact on performance.

Spyware vs. Stalkerware: What’s the difference?
https://gridinsoft.com/blogs/spyware-vs-stalkerware/
Tue, 18 Oct 2022
Fraudsters develop various methods to get at other people’s property, so there are many types of attacks and threats. In this article we look at what spyware and stalkerware are, how they differ, and how to keep these programs off your device.

What is Spyware?

Spyware is well known to the public, whereas stalkerware is more obscure. Many people unknowingly install spyware when downloading a seemingly harmless app from the web. That is what makes spyware attacks the broader danger: spyware can infect a device without the user intentionally installing it, whereas stalkerware is usually put there by someone with access to the device.

Cybercriminals spread spyware via fake emails that appear legitimate. These emails trick victims into downloading a file that installs the malware on their device, and people often do not realize it because the phishing email looked plausible. Do not forget that this malware also preys on mobile devices, often via Google Play for Android, where it is offered under the guise of a physical- or physiological-activity tracker, a pedometer or a “family GPS tracker”. Apple’s App Store has a stricter review process and screens out more of such content.

How does Spyware work?

Installing spyware on a device severely jeopardizes the user’s personal information and safety. Its purpose is to track your actions across the devices you use daily: phones, computers and the applications installed on them. There are many signs of a spyware infection. Intruders track user activity to capture payment details, logins and other confidential data. Keep in mind that Pegasus spyware in particular is surrounded by many secrets, rumors and false claims.

Once the fraudsters have your data, they put it to use. The consequences vary: endless calls to your phone number, or your data sold to third parties who exploit it further. Passing such data on to other criminals can even lead to real-world burglary, based simply on knowing your usual hours at home and away.

What is Stalkerware?

Stalkerware is used personally, to spy on one specific individual. Installing it usually requires physical access to the victim’s device, so the surveillance is carried out by someone who knows the victim, for example a parent or a romantic partner who wants to know what their close ones are doing day to day. Stalkerware is disguised as a child-monitoring app or some other harmless application; in reality it monitors the victim’s every move and collects their private information.

How does Stalkerware work?

Once installed, stalkerware records the victim’s hours of activity and location, phone calls, and conversations in messengers. Its operator is usually after these specific things rather than full access to everything on the device. In how it operates, stalkerware resembles spyware, but unlike spyware it does not harvest everything the device sees.

How to avoid Spyware and Stalkerware

No method guarantees that spyware or stalkerware will never get onto your device, but the following steps substantially reduce the likelihood of the threats that deliver these programs reaching you.

• First, install reliable anti-malware protection. GridinSoft Anti-Malware is designed for PCs; its mobile counterpart, Trojan Scanner for Android, is free and provides the same protection for your phone or tablet. On-access protection watches what runs on the device and blocks infected files or programs before they can do harm.

• Second, keep your operating system and apps up to date, and let the device do it automatically. It is hard to keep track of every update for both the software and the device yourself, so enable automatic updates. Attackers constantly look for unpatched vulnerabilities to get in; patching promptly closes those doors.

• Also check the sites you visit. Look at the URL carefully before entering anything, and note that the “lock” icon only means the connection is encrypted, not that the site is trustworthy: phishing sites routinely have one. Finally, secure your accounts. Two-factor authentication makes anyone trying to log in prove it is really you with a code sent to your phone, generated by an authenticator app, or delivered by a confirmation email; where you have the choice, prefer an authenticator app or a hardware key over SMS codes, since SMS can be intercepted or redirected by a SIM swap.
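Because stalkerware is installed by hand on a device the stalker can touch, the quickest check on Android is to look for the footholds it needs: an enabled accessibility service (to read the screen and keystrokes), notification-listener access (to read messages), and device-admin rights (to resist uninstall). The script below is an added example, not GridinSoft’s product code. It parses the text that three `adb shell` commands print and flags third-party packages holding those capabilities; the package names and command output are constructed so it runs offline, and the severity rule is the author’s own heuristic.

```python
"""Audit Android package state for the footholds stalkerware relies on.

Feed it the raw output of:
  adb shell pm list packages -3
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell dumpsys device_policy
Everything below is constructed sample output, not a real device dump.
"""
import re

# Constructed output of: adb shell pm list packages -3  (third-party apps only)
SAMPLE_THIRD_PARTY = """\
package:com.example.pedometer
package:com.example.familytracker
package:com.example.notes
"""

# Constructed output of: adb shell settings get secure enabled_accessibility_services
# Components are ':'-separated "package/Class" pairs. TalkBack is Google's
# screen reader and is not a third-party package, so it must not be flagged.
SAMPLE_ACCESSIBILITY = (
    "com.example.familytracker/.ScreenReaderService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Constructed output of: adb shell settings get secure enabled_notification_listeners
SAMPLE_NOTIFICATION_LISTENERS = "com.example.familytracker/.NotificationService"

# Constructed excerpt of: adb shell dumpsys device_policy
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.familytracker/.AdminReceiver:
      uid=10234
      testOnlyAdmin=false
"""

# An indented "package/Class:" line inside the device-admin listing.
ADMIN_LINE = re.compile(r"^\s+([a-zA-Z0-9_.]+)/[\w.$]+:\s*$", re.MULTILINE)


def parse_package_list(text: str) -> set:
    """Package names from 'package:<name>' lines."""
    return {line[len("package:"):].strip()
            for line in text.splitlines() if line.startswith("package:")}


def parse_components(setting: str) -> set:
    """Package names from a ':'-separated component list; 'null' means unset."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {c.split("/", 1)[0] for c in setting.split(":") if c}


def parse_device_admins(dumpsys: str) -> set:
    """Package names holding device-admin rights."""
    return set(ADMIN_LINE.findall(dumpsys))


def audit(third_party: str, accessibility: str, listeners: str, device_policy: str) -> dict:
    """Map each third-party package to the stalkerware-relevant capabilities it holds."""
    pkgs = parse_package_list(third_party)
    holders = {
        "accessibility_service": parse_components(accessibility),
        "notification_listener": parse_components(listeners),
        "device_admin": parse_device_admins(device_policy),
    }
    findings = {}
    for capability, owners in holders.items():
        for pkg in owners & pkgs:          # only third-party packages matter
            findings.setdefault(pkg, set()).add(capability)
    return findings


def severity(capabilities: set) -> str:
    """Heuristic: two or more footholds in one third-party app is the classic stalkerware profile."""
    return "high" if len(capabilities) >= 2 else "review"


if __name__ == "__main__":
    results = audit(SAMPLE_THIRD_PARTY, SAMPLE_ACCESSIBILITY,
                    SAMPLE_NOTIFICATION_LISTENERS, SAMPLE_DEVICE_POLICY)
    for pkg, caps in sorted(results.items()):
        print(f"{severity(caps):6} {pkg}: {', '.join(sorted(caps))}")
```

A hit is a lead, not a verdict: a legitimate parental-control app a parent installed on their own child’s phone will match the same profile, so look at what the flagged package actually is, when it was installed, and whether it hides its launcher icon. The `settings` values are per user, so repeat the check for each user profile on the device.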

Google Report Companies Creating Mobile Spyware for Governments https://gridinsoft.com/blogs/google-reports-italian-spyware/ Fri, 24 Jun 2022 11:36:39 +0000

Google Reveals An Italian Company to Sell Android and iOS Spyware to Governments

In its blog, Google has published a report revealing that multiple companies have been building and selling spyware that exploits zero-day vulnerabilities in mobile devices, vulnerabilities Google’s own researchers discovered last year. The post includes code fragments from the malware in question.

More than 30 companies turned out to be developing and selling surveillance software, and 7 of the 9 zero-day vulnerabilities Google disclosed were being exploited mostly on behalf of government-linked actors in various states.

Consistent with an earlier report by the security company Lookout Inc., Google’s research shows that RCS Lab S.p.A. (headquartered in Milan, Italy) designed spyware for Android and iOS devices that was used by the governments of Italy and Kazakhstan. Lookout traced the connection between the Italian company and the modular Hermit spyware deployed in Kazakhstan. Lookout stressed that, whatever the arguments for the benign intent of pro-government spyware development by companies like RCS Lab, in practice such software often ends up in the wrong hands and is used to spy on businesses and individuals.

Google’s experts express concern that surveillance capabilities are moving from being exclusively available to governments to being built, sold and potentially used by private organisations. This state of affairs brings new threats and destabilises the digital world.

As for RCS Lab, the company’s official LinkedIn page states that it “has been operating since 1993 in the world market of services in support of the investigative activity of Government Bodies”. Whether this self-description justifies building surveillance malware for Kazakhstan and, earlier, Chile, Pakistan, Mongolia, Bangladesh, Myanmar, Vietnam, Turkmenistan and Syria is for our readers to decide.

A zero-day vulnerability is a software or hardware flaw present in a released product for which no patch yet exists, so the vendor has had “zero days” to fix it. Vulnerabilities are not necessarily exploited, which is why some remain unnoticed or unused for years. The techniques, programs, pieces of code and data items used to take advantage of a vulnerability are called exploits.

FlyTrap Android malware compromised over 10,000 Facebook accounts https://gridinsoft.com/blogs/flytrap-android-malware/ Wed, 11 Aug 2021 16:56:38 +0000

According to researchers at Zimperium, the Android malware FlyTrap hijacks Facebook accounts in 144 countries by stealing session cookies.

Worse, the researchers found that the stolen information was accessible to anyone who found the FlyTrap C&C server.

Analysts believe the malware has been active since at least spring 2021.

“Forensic evidence of this active Android Trojan attack, which we have named FlyTrap, points to malicious parties out of Vietnam running this session hijacking campaign since March 2021,” Zimperium specialists write.

The attackers distribute decoy apps through Google Play and third-party Android app stores.

Typically the decoy offers the user free coupons (for Netflix, Google AdWords and so on) or invites them to vote for their favourite football team or Euro 2020 player.


To claim the reward, the victim supposedly has to log into the app with their Facebook account, and the authentication really does go through Facebook’s legitimate domain. Because the malicious apps use genuine Facebook single sign-on, they cannot capture the password directly. Instead, FlyTrap injects JavaScript into the login page to collect other sensitive data.

“The application opens a real URL inside a WebView configured using JavaScript injection, which allows it to retrieve all the information it needs, including cookies, user account details, location information, and IP address,” the experts write.

The collected information is sent to the attackers’ command-and-control server. At the time of writing, more than 10,000 Android users in 144 countries had fallen victim to the campaign.


The exact figures were extracted directly from the criminals’ server, since the researchers found that anyone could access it: the FlyTrap C&C server had numerous vulnerabilities that made reaching the stored information easy.

The researchers emphasise that credential-stealing phishing pages are not the only tool fraudsters use. As FlyTrap shows, logging in through a legitimate domain can also be risky when the login page is loaded inside an app’s own WebView: the app controls that WebView, can run script in the page, and can read every cookie the site sets, including the session cookie that makes the password unnecessary.
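The FlyTrap pattern leaves a recognisable footprint in an APK: a WebView with JavaScript turned on, a way to run the app’s own script in the page or pull cookies through `CookieManager`, and a reference to a third-party login domain. The script below is an added triage example, not Zimperium’s tooling. It walks the DEX files inside an APK (a ZIP archive), extracts printable strings and scores those indicators; the indicator strings are real Android API names, but the two APKs it inspects are constructed in memory so it runs offline, and the scoring rule is the author’s own.

```python
"""Static triage of an APK for the FlyTrap-style WebView session-hijack shape.

An APK is a ZIP archive; compiled code lives in classes.dex, classes2.dex, ...
and API names and URL literals survive there as plain strings.
"""
import io
import re
import zipfile

# Indicators grouped by what they enable. These are real Android API
# identifiers (android.webkit.WebSettings, WebView, CookieManager).
INDICATORS = {
    "js_enabled": [b"setJavaScriptEnabled"],
    "script_injection": [b"evaluateJavascript", b"javascript:", b"addJavascriptInterface"],
    "cookie_access": [b"CookieManager", b"getCookie"],
    "login_domain": [b"facebook.com", b"m.facebook.com"],
}

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # runs of 4+ printable ASCII bytes
DEX_NAME = re.compile(r"classes\d*\.dex")


def dex_strings(apk_bytes: bytes) -> set:
    """Printable strings from every classes*.dex inside the APK."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if DEX_NAME.fullmatch(name):
                found |= set(PRINTABLE.findall(zf.read(name)))
    return found


def triage(apk_bytes: bytes) -> dict:
    """Indicator categories present in the APK, with the strings that matched."""
    strings = dex_strings(apk_bytes)
    hits = {}
    for category, needles in INDICATORS.items():
        matched = sorted(n.decode() for n in needles if any(n in s for s in strings))
        if matched:
            hits[category] = matched
    return hits


def verdict(hits: dict) -> str:
    """Author's heuristic: all four together is the FlyTrap shape; JS plus cookie access alone still deserves a look."""
    if {"js_enabled", "script_injection", "cookie_access", "login_domain"} <= hits.keys():
        return "suspicious: WebView login with script injection and cookie access"
    if {"js_enabled", "cookie_access"} <= hits.keys():
        return "review: JavaScript WebView with cookie access"
    return "no FlyTrap indicators"


def build_apk(dex_payload: bytes) -> bytes:
    """Constructed minimal APK (ZIP with a manifest and one classes.dex) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


# Constructed DEX payloads: a header-like prefix followed by NUL-separated
# strings of the kind a real DEX string table would contain.
DECOY_DEX = (b"dex\n035\0" + b"\0" * 8
             + b"Landroid/webkit/WebView;\0setJavaScriptEnabled\0evaluateJavascript\0"
             + b"Landroid/webkit/CookieManager;\0getCookie\0"
             + b"https://m.facebook.com/login.php\0coupon\0")
BENIGN_DEX = (b"dex\n035\0" + b"\0" * 8
              + b"Landroid/webkit/WebView;\0loadUrl\0https://example.org/help\0")

DECOY_APK = build_apk(DECOY_DEX)
BENIGN_APK = build_apk(BENIGN_DEX)

if __name__ == "__main__":
    for label, apk in (("decoy", DECOY_APK), ("benign", BENIGN_APK)):
        hits = triage(apk)
        print(f"{label}: {verdict(hits)}")
        for category, matched in hits.items():
            print(f"  {category}: {', '.join(matched)}")
```

On a real sample, pass the APK’s bytes straight from disk (`triage(open(path, "rb").read())`). Treat a “suspicious” result as a reason to look at the code, not as proof: a legitimate app that embeds a Facebook login in a WebView will match too, which is exactly why SSO flows belong in the system browser or Custom Tabs rather than an app-controlled WebView.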

Let me remind you that I also wrote about the Alien malware, which steals passwords from 226 Android apps.

TYPES OF MALWARE ON YOUR ANDROID [PART 2] https://gridinsoft.com/blogs/types-malware-android-part-2/ Fri, 14 Jul 2017 14:45:23 +0000

Forewarned is forearmed: this is the second part of our new series on the blog. Here is a threat that is really hard to notice; you might even have it on your device right now. Check!

TYPES OF MALWARE ON ANDROID:

  » PowerOff Hijack

Do you think a switched-off phone is safe from any Internet threat? Then you have never heard of PowerOffHijack (also known as Shutdown Hijack).

Security researchers found that it hijacks the shutdown process. When you try to turn the phone off, it shows a fake shutdown animation, and the phone appears to be off. Meanwhile the malware keeps running: it spies on the user, collects personal information, downloads other apps without consent, makes calls, takes photos and does other unpleasant things.

What should you do if you notice signs of PowerOffHijack on your Android? First, remove the battery to really turn the device off (on a phone with a sealed battery, hold the power button until the device forcibly reboots). Then restart it and delete all suspicious and untrusted apps. After that, scan the device with an anti-malware program.

PowerOffHijack has already hit more than 10,000 devices, most of them in China, where the malware first appeared and spread through official local app stores (!)

Important information you need to know about PowerOffHijack:

  1. The malware was not found in the Google Play Store
  2. Only Android versions below 5 are vulnerable to PowerOffHijack
  3. The malware needs root access to function

To prevent this malware, update your Android version and do not install apps from unknown sources. Scan your phone regularly with an anti-malware program, and always check the developer’s history for each app you download, even from Google Play.

Watch for our next post about malware to stay aware of possible threats to your private life. We will explain why you cannot fully trust apps on Google Play.
