18 Malicious Loan Apps Defraud Millions of Android Users

Cybersecurity researchers have exposed 18 malicious loan apps on the Google Play Store. These apps collectively amassed over 12 million downloads. Operating under the guise of legitimate financial services, they have duped users into high-interest-rate loans. Meanwhile, apps surreptitiously harvest victim’s personal and financial data for malicious purposes, which we’ll discuss next. Researchers have christened this operation as SpyLoan.

The malicious apps primarily focus on preying upon potential borrowers in Southeast Asia, Africa, and Latin America. Despite their attractive appearance, these apps are far from genuine financial services; instead, they engage in fraudulent activities that exploit unsuspecting users. Although these apps have been removed from the store, the damage has already been done. The primary infection pathways include SMS messages and social media like Twitter, Facebook, or YouTube. The list of now-removed apps includes:

• AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android)
• Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo)
• Oro Préstamo – Efectivo rápido (com.app.lo.go)
• Cashwow (com.cashwow.cow.eg)
• CrediBus Préstamos de crédito (com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash)
• ยืมด้วยความมั่นใจ – ยืมด่วน (com.flashloan.wsft)
• PréstamosCrédito – GuayabaCash (com.guayaba.cash.okredito.mx.tala)
• Préstamos De Crédito-YumiCash (com.loan.cash.credit.tala.prestmo.fast.branch.mextamo)
• Go Crédito – de confianza (com.mlo.xango)
• Instantáneo Préstamo (com.mmp.optima)
• Cartera grande (com.mxolp.postloan)
• Rápido Crédito (com.okey.prestamo)
• Finupp Lending (com.shuiyiwenhua.gl)
• 4S Cash (com.swefjjghs.weejteop)
• TrueNaira – Online Loan (com.truenaira.cashloan.moneycredit)
• EasyCash (king.credit.ng)
• สินเชื่อปลอดภัย – สะดวก (com.sc.safe.credit)

Interestingly, these services exist exclusively as apps and work only on smartphones. You won’t find a web version or an official website. This allows attackers to request permission to obtain users’ confidential information stored on the victim’s smartphones.

Dirty Fraud Methods

In the previous paragraph, I emphasized that attackers operate exclusively through mobile devices instead of classic websites. This is because they would not be able to access as much information through a website as they can through a phone. The operators of SpyLoan not only harvest information from compromised devices but also resort to blackmail and harassment tactics. I.E., victims are pressured into making payments under the threat of releasing their private photos and videos on social media platforms (that reminds me of something). This alarming revelation underscores the darker side of the digital lending landscape.

Users often have reported instances of fraud and coercion. For example, a user from Nigeria, in a message posted on the Google Play Help Community, accused EasyCash of fraudulent lending practices, including exorbitant interest rates and threats of blackmail. Additionally, the apps deploy misleading privacy policies to justify extensive permissions, including access to media files, camera, calendar, contacts, call logs, and SMS messages. This revelation coincides with the resurgence of TrickMo, an Android banking trojan masquerading as a free streaming app. The trojan has enhanced capabilities, including stealing screen content and employing overlay attacks.

Defense Measures and Advice

This SpyLoan incident is not alone but part of a broader scheme dating back to 2020. It adds to over 300 Android and iOS apps uncovered last year. These apps also exploited users’ urgent need for quick cash, trapping them into predatory loan contracts and coercing them into granting access to sensitive information. To mitigate the risks posed by such spyware threats, users are advised to:

• Validate the authenticity of offerings. It is not hard to conceal a rip-off as a genuine and beneficial deal. When it comes to financial operations, it is vital to check every element of the offered deal to find catches. Though in some cases, this is not enough – so I’d prefer the second option.
• Do your research regarding the service provider. Regardless of how good the offer appears to be, it should come from a benign company. Any mismatches in the information, questionable testimonials, outdated, abandoned or even absent sites – those are the signs of a bad deal. And a perfect reason to review your plans to use their services.
• Pay close attention to reviews and permissions before installation. Asking for excessive permissions is a classic catch of quite a few mobile malicious programs. People used to click-through permissions pop-ups during installation, and that is what frauds rely on. Check out what the app asks for, and compare it to the real program functionality. Because why would a financial app ever need continuous access to your microphone?

The post Malicious Loan Apps in Play Store Decieved 12M Users appeared first on Gridinsoft Blog.

Trojanized Telegram Clients Spread on Google Play

Telegram’s Play Store version is identified with the package name "org.telegram.messenger," while the direct APK file downloaded from Telegram’s website is associated with the package name "org.telegram.messenger.web". Malicious packages named “wab,” “wcb,” and “wob” were used by threat actors to trick users into downloading fake Telegram apps. Despite looking like the authentic Telegram app with a localized interface, infected versions contained an additional module. That was missed by Google Play moderators. A few days ago, experts revealed that a malware campaign called BadBazaar was using such rogue Telegram clients to gather chat backups.

Examples of fake Telegram apps:

Security experts have recently discovered a number of malicious apps on Google Play that claim to be versions of Telegram in Uyghur, Simplified Chinese, and Traditional Chinese languages. These apps have descriptions written in their respective languages and contain images that are very similar to the official Telegram page on Google Play, making it difficult to distinguish them from the genuine app.

The devs of these fake apps promote them as a faster version of a regular client, citing a distributed network of data centers worldwide. They use this as bait to persuade users to download the mods instead of the official Telegram app.

How dangerous are fake Telegram apps?

Millions of users have downloaded apps that were found to have malicious features. Among other things, malicious copies have functionality to capture and transmit sensitive information such as names, user IDs, contacts, phone numbers and chat messages to a server controlled by an unknown actor. Experts who discovered this activity have codenamed it Evil Telegram. Google has since taken down these apps from its platform.

Nonetheless, the poor app moderation problem in Google Play has persisted for almost a decade. You can upload literally whatever you want – even malware – and it may be deleted only after numerous reports saying it is malicious. And there’s still no guarantee that the reports will be processed in a suitable time; some rogue apps remain in GP for months. For that reason, the threat will most probably resurface later, especially considering the growing popularity of Telegram.

How to stay safe?

Here are some important tips to keep yourself safe from infected versions of popular messaging apps and other threats that target Android users:

• As I’ve just said, Google Play isn’t completely immune to malware attacks. However, it’s still a much safer option than other sources, so always download and install apps from official stores.
• Before installing any app, even from official stores, please take a closer look at its page and ensure it’s legitimate. Pay attention to the app’s name and developer. Cybercriminals frequently apply typosquatting or spoofing in order to spread their malware.
• Reading negative user reviews is a good way to identify potential issues with an app. If there’s a problem with an app, someone has likely already written about it. Also try searching for reviews on the web. There are plenty of sites where you can leave your feedback without any censorship from the developer or Google. Using several independent sources will give a more clear view.

The post Spyware in Fake Telegram Apps Infected Over 10 million Users appeared first on Gridinsoft Blog.

A few words about Android malware

As we know, the Android operating system is based on the Linux kernel. It was released in 2008, so malicious users had a chance to study it. Despite the misconception that there is no malware on Android, there is much more of it than we think. Actually, among all other mobile OS, Android became a prevalent target for malware creators. Researchers recently found more than 60,000 apps containing adware. While that’s an impressive number, experts say there are far more. Additionally, malware has been thriving for a long time due to a lack of ability to detect it.

Key place where malware is spread is the Google Play Store. Sluggish moderation, together with loyal rules of app uploads, give the crooks almost a carte blanche. Even though there is a security team which checks programs for malware, they physically cannot cope with the sheer volume of uploads to the platform. That is what makes the default – and trusted – applications market for Android such a convenient spot for malware distribution.

How does Android malware work?

According to the analysis, the campaign promotes adware on Android devices for profit. However, the main problem is that attackers can quickly change tactics and redirect users to other types of malware, such as banking Trojans, to steal credentials and financial information or ransomware.

Hidden Android apps

Since API 30, Google has removed the ability to hide app icons on Android once a launcher is registered. So, the malware relies on the user to open the app for the first time. After installation, the app may report a “The app is unavailable in your region. Click “OK” to uninstall”. After clicking “OK,” the app closes but is not uninstalled. Since the malicious application has no icon in the launcher and has a UTF-8 character in the label, it only appears in the list of installed applications. However, it is at the very end by default, so the user is unlikely to pay attention to it. The app registers actions to be called on boot or when the user interacts with the device, and the server can initialize the adware phase at an unknown time interval.

Adware behavior

When the user unlocks the phone, the application gets an adware URL from the server and uses the mobile browser to load the ad. The application uses one of the adware libraries included to render a full-screen WebView of an ad. It serves links, notifications, full-screen videos, open tabs in browsers, and more. During monitoring, researchers noticed the application loading ads from the following domains.

• ehojam[.]com
• publisher-config.unityads.unity3d[.]com
• googleads.g.doubleclick.net
• adc-ad-assets.adtilt[.]com
• wd.adcolony[.]com
• adservice.google[.]com
• gogomeza[.]com
• konkfan[.]com
• httpkafka.unityads.unity3d[.]com
• auction-load.unityads.unity3d[.]com
• kenudo.net
• config.unityads.unity3d[.]com
• pagead2.googlesyndication[.]com
• beahor[.]com
• adc3-launch.adcolony[.]com

Worth noting the domains are not necessarily malware-related.

Redirect

Furthermore, modified versions of official applications may redirect the user to malicious Web sites. For example, when users open a “modded” app and search for something in Google, they may be redirected to a random ad page. Sometimes, these pages pretend to offer the desired mod as a download, but they contain harmful malware. An example user opens hXXp://crackedapk[.]com/appcoins-wallet-mod-apk/download1/website. Immediately they were redirected to hXXp://1esterdayx[.]com/worjt1e6a5efdf4388a83865ddce977639e28e199d821e?q=appcoins%20wallet%20mod%20apk%20v2.9.0.0%20(free%20purchased/premium%20cracked). This website was actually designed to spread malware.

How did Android malware end up on my smartphone?

First, determine how an app can get on a user’s smartphone. There are some ways to install an app on your smartphone:

1. Play Store. This method is the safest and most recommended because the download is from an official source.
2. Third-party sites and sources. This method allows you to install any app downloaded from any site or obtained elsewhere.
3. Zero Day Vulnerability. As the name suggests, this vulnerability was found by attackers, but the developers do not know about it. This is how the Pegasus spyware was spread.

Although all three variants have a chance to download the malicious application, in the first case, the malicious application is likely to be deleted sooner or later. However, in question, apps with adware were not available on Google Play or other official stores. This means the attackers found another way to convince people to install them. Since Android allows you to install any app from any source, attackers disguised the malware as highly sought-after programs. Often these apps cannot be found in official stores or apps that mimic the real ones published on the Play Store. Most often, malicious applications are disguised as:

• Games with unlocked features
• Game cracks
• Cracked utility programs
• YouTube/Instagram without ads
• Free VPN
• Fake videos
• Fake tutorials
• Fake security programs
• Netflix

Since modified applications are a hot commodity, there are entire websites devoted to these applications. Usually, these are the original applications with unlocked functionality or with a lot of game currency. In addition, these sites may contain applications that are visually similar to the real thing. Of course, the download pages may have fake positive reviews and high ratings.

Safety recommendations

The best advice for Android users is to install apps from the official app store. Also, pay attention to the permissions that the app asks for. For example, suppose you have installed Flashlight, and it asks for access to your phonebook and geo-location. Thus, there is every reason to believe it is malware. Don’t download or install any hacked apps. You can also use our Android scanner to check your device for malware.

The post Android Malware Mimics VPN, Netflix and Over 60k of Other Apps appeared first on Gridinsoft Blog.

Vulnerabilities were discovered in the platform of mce Systems, an Israeli company that provides software for mobile operators.

Let me remind you that we also wrote that About 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library, and also that Google recruits a team of experts to find bugs in Android applications.

Issues scoring between 7 and 8.9 on the CVSS vulnerability rating scale range from command injection to local privilege escalation. They have been assigned the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600 and CVE-2021-42601.

Vulnerable apps reportedly have millions of downloads on the Google Play Store and are pre-installed as system apps on many devices. Microsoft does not disclose the full list of applications that use the vulnerable platform, but writes that such applications can be found on devices purchased from carriers such as AT&T, TELUS, Rogers Communications, Bell Canada and Freedom Mobile.

All Microsoft vendors are reported to have updated their apps to fix bugs before the security bulletin was published, but other telecoms apps may be using the same problematic framework.

In addition, the researchers warn that other Android devices can also be attacked by these vulnerabilities if the com.mce.mceiotraceagent application, for example, is installed in a phone repair shop. Anyone who finds such an application on their device is advised to remove it immediately.

The post Microsoft Experts Found Vulnerabilities in Pre-Installed Android Applications appeared first on Gridinsoft Blog.

So, according to the company, about 8% of all applications in the Google Play Store use old and unsafe versions of the Play Core library. This library was created by Google and developers can embed it into their apps to interact with the official Google Play Store.

The library is very popular because it can be used to download and install updates from the Play Store, modules, language packs and even other applications.

However, earlier this year, oversecured researchers discovered a serious vulnerability in Play Core, identified as CVE-2020-8913. This bug could be exploited by a malicious application installed on the user’s device and with its help injecting dangerous code into other applications, as well as stealing confidential data, including passwords, photos, 2FA codes and much more.

A demonstration of such an attack can be seen below.

Google engineers fixed a bug with the release of Play Core 1.7.2, released in March 2020. However, according to Check Point, not all developers have updated the Play Core library in time, and now their users are at risk.

According to a September 2020 scan by Check Point, six months after the patch was released, about 13% of all apps in the Google Play Store continued to use older versions of the library, and only 5% were using an updated (secure) version.

The list of applications that “did their duty” to users and updated the library included Facebook, Instagram, Snapchat, WhatsApp and Chrome. But, unfortunately, the developers of many other large applications did not do this. Among them experts listed Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber, and Booking.com. In total, problematic applications have been installed more than 250 million times.

Check Point researchers write that they notified the authors of all vulnerable applications about the problem, but three months later, only Viber and Booking.com took care of removing this vulnerability from their products. In turn, The Register reports that on December 2, the vulnerability was also fixed as part of Cisco Webex Teams.

Let me remind you that Google recruits a team of experts to find bugs in Android applications.

The post About 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library appeared first on Gridinsoft Blog.

According to Sebastian Porst, software development manager for Google Play Protect, the products that the new team will focus on include COVID-19 contact tracing apps as well as election-related apps.

“As a Security Engineering Manager in Android Security […] Your team will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers”, — says a new Google job listing posted on last week

In fact, Google experts will continue the job what independent researchers are currently doing as part of the bug bounty of the Google Play Security Reward program.

Let me remind you that this initiative encourages the search for bugs in third-party applications from the Google Play Store, and Google experts accept bug reports and pay rewards on behalf of the application owners.

At the same time, the existing bug bounty program is limited to applications with more than 100,000 users. However, applications that work with confidential data, as well as those related to critical tasks, do not always meet the conditions of the Google Play Security Reward, which means they are unlikely to be checked by bug hunters.

ZDNet asked Lukáš Štefanko, a mobile malware analyst from the Slovak information security company ESET, to comment on these Google actions.

“Definitely it was a good move. Finding serious security issues is not easy and takes a lot of time and experience”, — said Lukáš Štefanko, while being asked to describe Google’s latest efforts.

According to the expert, having a dedicated team ensures that information security professionals will do their best to find applications that may go unnoticed and may ultimately be exploited by cybercriminals with devastating consequences.

So far, however, it is not clear if Google expects plan completely close the Google Play Security Reward program in this way, or will simply add to it new features.

Let me remind you that recently Researcher Earned $10,000 by Finding XSS Vulnerability in Google Maps.

The post Google recruits a team of experts to find bugs in Android applications appeared first on Gridinsoft Blog.

This threat was first noticed in May of this year, but its BlackRock roots go much further. The fact is that the trojan is based on the “leaked” source codes of another malware, Xerxes, which, in turn, was also based on the sources of other malware.

Overall, BlackRock works in the same way as most other Android bankers; it just targets more applications. So, the trojan steals user credentials, but if possible, prompts the victim to enter payment card information (if the target application supports financial transactions).

“Data collection and theft is done using overlays. That is, the malware detects when a user tries to interact with any legitimate application and displays its own fake on top of this window, where the victim enters his credentials or card details”, – written by ThreatFabric specialists.

To be able to display such windows on top of other applications, the trojan uses an old trick and asks the user for access to the Accessibility Service. Having received these rights, the malware gives itself other necessary permissions on its own, and then completely gets administrator access on the device by using Android DPC.

ThreatFabric researchers write that most BlackRock overlays are designed to attack financial applications as well as social media. However, there are overlays for other types of applications, including dating, news, shopping and so on. A full list of targeted applications can be found in the expert report.

In addition to imposing phishing overlays, the Trojan can perform other malicious operations:

• intercept SMS messages;
• use SMS flood;
• spam all contacts with predefined SMS;
• run specific applications;
• intercept clicks (keylogger);
• show push notifications;
• sabotage the operation of anti-virus applications.

BlackRock is currently spreading through scam sites that disguise itself as fake Google update packages. Until the Trojan was found in the official Google Play Store.

Let me remind you that I recently wrote about two new malware, that can steal cookies from Android apps.

The post BlackRock Trojan steals passwords and card data from 337 applications on Android OS appeared first on Gridinsoft Blog.