Recently, malicious Android apps pretending to be popular platforms like Google, Instagram, Snapchat, WhatsApp, and X (previously Twitter) have been found stealing user credentials from compromised devices.
In a recent report, the SonicWall Capture Labs threat research team stated that this malware uses well-known Android app icons to deceive users into installing the malicious app on their devices.
Although the distribution method of this campaign is not clear yet, once the app is installed, it requests permissions for accessibility services and the device administrator API, which is a deprecated feature providing system-level device administration capabilities.
With these permissions, the rogue app gains control over the device, enabling it to perform various actions such as data theft and deploying malware without the users’ knowledge.
The malware establishes connections with a command-and-control (C2) server to receive commands for executing tasks, allowing it to access sensitive information such as contact lists, SMS messages, call logs, installed apps list, send SMS messages, open phishing pages, and control the camera flashlight.
The phishing URLs used in this attack imitate login pages of popular services like Facebook, GitHub, Instagram, LinkedIn, Microsoft, Netflix, PayPal, Proton Mail, Snapchat, Tumblr, and WordPress.
Another warning comes from Symantec, where they alerted about a social engineering campaign using WhatsApp to distribute a new Android malware disguised as a defense-related application.
As per Symantec, when the malicious application is delivered successfully, it installs itself under the guise of a Contacts application, requests permissions for essential phone functions, and then hides itself from the user.
There have been reports of malware campaigns distributing Android banking trojans like Coper, which can steal sensitive information and deceive users into disclosing their credentials.
Finland’s National Cyber Security Centre (NCSC-FI) recently disclosed a cyber threat where smishing messages lead users to Android malware that steals banking information.
This attack leverages a technique called telephone-oriented attack delivery (TOAD) via SMS messages, prompting users to call a number related to a debt collection claim.
The scammers urge victims to install an antivirus app, which is actually malware designed to extract online banking credentials and conduct unauthorized fund transfers.
Although the specific Android malware used in this attack was not identified, it is suspected to be Vultr, a banking trojan known for similar attacks.
Furthermore, Android malware like Tambir and Dwphon have been identified in recent months, with the latter targeting mobile phones made by Chinese brands specifically for the Russian market.
Dwphon, posing as a system update app, has characteristics of pre-installed malware and is suspected to have infiltrated devices through a supply chain attack.
Kaspersky’s analysis shows a 32% increase in Android users affected by banking malware, with the majority of infections reported in countries like Turkey, Saudi Arabia, and India.
Kaspersky also reported a significant rise in users encountering mobile banking Trojans, marking a concerning trend in the cybersecurity landscape.
