Tag: virus

  • #scam alert! Avoid these scammy apps still listed in Play Store

    Three activity-tracking apps have been downloaded around 20 million times from the Google Play Store, according to antivirus company Dr.Web (via BleepingComputer). What draws so many Android users to these three tracking applications? They advertise themselves as pedometers and health trackers that encourage you to exercise by promising to pay cash rewards to those who meet specific targets.

    They are still listed in the Google Play Store

    According to Dr.Web’s analysis, these rewards are effectively impossible to collect: users must first accrue a large number of rewards and are then required to watch a huge number of ads in order to cash out. Once users had watched every available ad, they were instructed to watch still more to “speed up” the payout. Despite this, “The applications did not check any of the payment-related data submitted by users, therefore the chances of obtaining any of the money promised from these apps are extremely tiny,” the research concludes.

    Three apps mentioned in the report remain in the Google Play Store. They are:

    • Lucky Step – Walking Tracker with 10 million downloads.
    • WalkingJoy with 5 million downloads.
    • Lucky Habit: health tracker with 5 million downloads.

    All three apps communicate with the same command-and-control server. Such servers are typically used by attackers to send instructions to malware-infected devices. With all three apps talking to the same remote server, it is likely that they share a developer. The report also points out that earlier versions of Lucky Step – Walking Tracker falsely claimed that users could convert their rewards into gift cards for various online stores.

    Remember, these crooked developers make money when you view their ads. The more ads you watch, the more money they make.

    A later update to Lucky Step – Walking Tracker removed the mechanism for converting rewards into cash, and the interface elements that had to be tapped to complete this conversion disappeared. Rewards accumulated before the update became worthless.

    One more malicious app that you need to avoid

    A workout app called FitStar, which generates a personalized weight-loss plan for 29 rubles (equivalent to 41 U.S. cents), was also highlighted in Dr.Web’s report. However, subscribers were not told that the plan they were signing up for was valid for only one day. After the trial period, users were automatically renewed for an additional four days of service at 980 rubles ($13.86). Full access cost 7,000 rubles ($98.98), and subscriptions were automatically renewed every four days.

    This app is also still listed in the Google Play Store. Comments for this app note that if you install it, the icon doesn’t show up on your phone’s list of installed apps making it hard to uninstall. The same review also notes that “The app is trying from the start to get into either Facebook or Google data…”

    Phishing games

    In the same report, Dr.Web warned that phishing apps disguised as investment apps and games were found on Google Play, totaling more than 450,000 downloads.

    The apps connect to a remote server upon launch and receive a configuration instructing them on what to do. Typically, the instructions involve loading phishing pages that request users to enter sensitive details.

    The malicious game apps observed by Dr. Web are the following:

    • Golden Hunt – 100,000 downloads
    • Reflector – 100,000 downloads
    • Seven Golden Wolf blackjack – 100,000 downloads (still on Google Play)
    • Unlimited Score – 50,000 downloads
    • Big Decisions – 50,000 downloads
    • Jewel Sea – 10,000 downloads
    • Lux Fruits Game – 10,000 downloads
    • Lucky Clover – 10,000 downloads
    • King Blitz – 5,000 downloads
    • Lucky Hammer – 1,000 downloads

    If any of the aforementioned phishing apps are already installed on your Android device, uninstall them right away. After that, run an antivirus scan to find and remove any leftovers.

    Google has been questioned regarding the security of the apps that are still available on the Play Store.

  • BadBazaar Android malware linked to Chinese cyberspies

    Previously unknown Android spyware called “BadBazaar” has been found targeting China’s ethnic and religious minorities, particularly the Uyghurs in Xinjiang.

    Due to their cultural divergence from traditional eastern Chinese values, the central Chinese government has subjected the 13 million-strong Uyghur Muslim minority to extreme oppression.

    The new spyware was originally discovered by MalwareHunterTeam and linked to Bahamut in VirusTotal detections.

    Lookout investigated the malware further and found that it was brand-new spyware used by APT15 (aka “Pitty Tiger”), a state-sponsored hacking group, in its 2020 attacks against Uyghurs.

    Lookout also noticed a second campaign employing updated versions of the spyware known as “Moonshine,” which Citizen Lab first documented in 2019 in attacks against Tibetan organizations.

    Since 2018, BadBazaar has been distributed to Uyghurs through at least 111 different apps promoted on communication channels frequented by the targeted ethnic group.

    The impersonated apps fall under a variety of categories, including dictionaries, tools for religious practice, battery savers, and media players.

    None of these apps has ever been listed on Google Play, Android’s official app store, so they are most likely distributed through rogue websites or untrustworthy third-party stores.

    Interestingly, there is a single iOS app on the Apple App Store that communicates with the malicious C2, but it merely sends the device UDID and has no spyware functionality.

    BadBazaar’s data-collecting capabilities include the following:

    • Precise location
    • List of installed apps
    • Call logs with geolocation data
    • Contacts list
    • SMS
    • Complete device info
    • WiFi info
    • Phone call recording
    • Take pictures
    • Exfiltrate files or databases
    • Access folders of high-interest (images, IM app logs, chat history, etc.)

    Looking into the C2 infrastructure, which exposes some of the admin panels and the GPS coordinates of test devices due to errors, Lookout analysts found connections to the Chinese defense contractor Xi’an Tian He Defense Technology.

    Only a few of the BadBazaar apps promoted to Uyghurs (Lookout)
    Sample of apps carrying Moonshine spyware (Lookout)

    Moonshine variants

    In July 2022, Lookout researchers began to discover a new operation that uses 50 apps to push new versions of the “Moonshine” spyware to users.

    These programs are advertised on Telegram channels for Uyghur speakers, where dishonest users recommend them to other users as reliable software.

    Examples of programs that contain the spyware Moonshine (Lookout)

    The newer version remains modular, and its creators have added modules that extend the tool’s spying capabilities.

    The data Moonshine collects from infected devices includes network activity, IP addresses, hardware details, and more.

    Information collected by Moonshine (Lookout)

    The C2 commands supported by the malware are:

    • Call recording
    • Contact collection
    • Retrieve files from a location specified by the C2
    • Collect device location data
    • Exfiltrate SMS messages
    • Camera capture
    • Microphone recording
    • Establish SOCKS proxy
    • Collect WeChat data

    Lookout has found evidence that the authors of the new Moonshine version are Chinese, as both code comments and server-side API documentation are written in simplified Chinese.

    “While Lookout researchers could not connect the malware client or infrastructure to a specific technology company, the malware client is a well-built and full-featured surveillance tool that would have likely required substantial resources.”

    Lookout.

    This report indicates that surveillance of Chinese minorities continues unabated despite the outcry from international human rights protection organizations.

  • Kernel bug exposes Android to potential malware – Linux Dirty Pipe

    If Android were a car engine, and you popped the hood and poked around a bit, you’d find the label “Linux” etched on the engine block. The open-source kernel is the foundation Android is built on top of, but sharing code also means sharing vulnerabilities. Now a newly discovered Linux kernel bug is raising concerns for the security of Android devices, as it leaves a door open for malware intrusion.

    The bug in question has been dubbed “Dirty Pipe” by software engineer Max Kellermann, who provides a detailed write-up of its discovery. He first spotted some mysteriously corrupted log files last year, and his analysis of the problem revealed a kernel-level flaw that has existed since 2020. The vulnerability lets unprivileged software write into the page cache, the kernel’s in-memory copy of file contents, even for files it only has permission to read. He determined that in the wrong hands the issue had potential for exploitation and alerted the Linux kernel security team. Properly coded malware could use this method to obtain full control of a vulnerable system by overwriting files as sensitive as the one holding the root account’s password.

    Kellerman was also able to reproduce the bug on a Pixel 6, and reached out to let Google know. The company similarly prepared a fix, and merged it into the Android kernel. Right now, it’s just a matter of OEMs needing to incorporate that fixed kernel in future device updates.

    For what it’s worth, Google confirmed to Android Police that Dirty Pipe did not play a role in delaying the release of Android 12L for the Pixel 6. Linux users, meanwhile, need to install their distro’s most recent security updates ASAP.
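    As an added example (not code from the article or from Max Kellermann’s write-up), the following Python script applies the version boundaries Kellermann published for the bug, tracked as CVE-2022-0847 (introduced in Linux 5.8, fixed in the 5.16.11, 5.15.25 and 5.10.102 stable releases and in everything from 5.17 on), and, when run directly on Linux with Python 3.10 or later, probes the running kernel the way the original proof of concept does, but against a throwaway file it creates itself: one byte of the file, opened read-only, is spliced into a pipe whose buffers have all been marked mergeable, and a subsequent write through the pipe is checked for landing in the file’s page cache. The `FIXED_IN` table, the function names and the temp-file layout are this example’s own; vendor and distro kernels (Android’s included) backport fixes without changing the version string, so the version verdict is only a hint and the probe is the real test.

```python
"""Dirty Pipe (CVE-2022-0847) checks. Added example; not from the article or
Kellermann's write-up. The version check runs anywhere; the probe needs Linux
and Python 3.10+ (os.splice, fcntl.F_GETPIPE_SZ)."""
import fcntl
import os
import re
import tempfile
from typing import Tuple

# Boundaries from Kellermann's disclosure: bug introduced in 5.8 (2020), fixed in
# the stable releases below; everything from 5.17 on shipped with the fix.
FIRST_AFFECTED = (5, 8, 0)
FIXED_IN = {(5, 16): 11, (5, 15): 25, (5, 10): 102}  # (major, minor) -> first fixed patch level


def parse_release(release: str) -> Tuple[int, int, int]:
    """'5.10.101-android12-9' -> (5, 10, 101); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_pipe_status(release: str) -> str:
    """Return 'not-affected', 'vulnerable' or 'patched' for a mainline/stable
    version string. Distro and vendor kernels backport fixes without bumping the
    version, so 'vulnerable' here means 'confirm with probe_page_cache_write'."""
    major, minor, patch = parse_release(release)
    if (major, minor, patch) < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED_IN.get((major, minor))
    if fixed is not None:
        return "patched" if patch >= fixed else "vulnerable"
    if (major, minor) > (5, 16):
        return "patched"
    return "vulnerable"  # 5.8, 5.9 and 5.11-5.14 went end-of-life without the fix


def probe_page_cache_write() -> bool:
    """Runtime probe against a temp file this process owns. Splice one byte of the
    file (opened O_RDONLY) into a pipe whose buffers all carry the mergeable flag,
    then write through the pipe: on a vulnerable kernel the bytes land in the
    file's page cache at offset 1 despite the read-only descriptor."""
    marker = b"BBBB"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"A" * 64)
        path = tmp.name
    try:
        fd = os.open(path, os.O_RDONLY)
        r, w = os.pipe()
        try:
            # Fill and fully drain the pipe so every pipe_buffer keeps
            # PIPE_BUF_FLAG_CAN_MERGE, which the buggy splice path never clears.
            remaining = fcntl.fcntl(w, fcntl.F_GETPIPE_SZ)
            os.write(w, b"\0" * remaining)
            while remaining > 0:
                remaining -= len(os.read(r, remaining))
            os.splice(fd, w, 1, offset_src=0)  # byte 0 of the file now sits in the pipe
            os.write(w, marker)                 # merges into the spliced page on a buggy kernel
            data = os.pread(fd, 1 + len(marker), 0)
            return data[1:] == marker
        finally:
            for h in (r, w, fd):
                os.close(h)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    release = os.uname().release
    print(f"kernel {release}: {dirty_pipe_status(release)} by version number")
    if hasattr(os, "splice") and hasattr(fcntl, "F_GETPIPE_SZ"):
        hit = probe_page_cache_write()
        print("page-cache overwrite probe:", "VULNERABLE" if hit else "not reproducible")
    else:
        print("probe skipped: needs Python 3.10+ on Linux")
```

    The probe only ever touches a file it created and never persists anything (a Dirty Pipe write lands in the page cache, not on disk), so it is safe to run on a production host; a hit means the host needs the kernel update regardless of what the version string says.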

  • The malware that signs you up for pricey services – Joker

    Dozens of malicious apps, some available in Play, found in the past couple of months.

    September has been a busy month for malicious Android apps, with hundreds of them flooding either Google Play or third-party markets from a single malware family alone, researchers from security companies said.

    Known as Joker, this family of malicious apps has been targeting Android users since late 2016 and has recently been one of the most common threats to Android. Once activated, Joker apps secretly subscribe the victim to costly premium services and can also steal SMS messages, contact lists, and device information. Last July, researchers said they found Joker lurking in 11 apparently legitimate apps that had been downloaded from Play about 500,000 times.

    Late last week, researchers from security firm Zscaler said they discovered a new batch of 120,000 downloads containing 17 Joker-tainted games. Over the course of September, the applications were progressively uploaded to Play. Meanwhile, security firm Zimperium announced on Monday that in September, company researchers discovered 64 new Joker variants, most or all of which were seeded in third-party app stores.

    And, as ZDNet noted, this month and in July, researchers from security firms Pradeo and Anquanke found more Joker outbreaks. Since it first came to light in December 2016, Anquanke said it had located more than 13,000 samples.

    “Joker is one of the most prominent malware families that continually targets Android devices,” Zscaler researcher Viral Gandhi wrote in last week’s post. “Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques.”

    This roundabout method of attack is one of the keys to Joker’s success. The apps are knockoffs of legitimate apps and, when downloaded from Play or another market, contain no malicious code other than a “dropper.” The dropper, which is heavily obfuscated and comprises only a few lines of code, fetches the malicious component and installs it into the app after a delay of hours or even days.

    Zimperium provided a flow chart capturing the four pivot points each Joker sample uses. The malware often uses evasion techniques to disguise its update components as innocuous applications such as games, wallpapers, messengers, translators, and photo editors.

    The evasion techniques include encoded strings inside the samples that tell the app where to download a dex, a Dalvik executable, the compiled-code format that makes up an APK package, possibly along with other dexes. The dexes are disguised as .mp3, .css, or .json files. To hide further, Joker uses code injection to bury itself among legitimate third-party packages already present in the app, such as org.junit.internal, com.google.android.gms.dynamite, or com.unity3d.player.UnityProvider.

    “The purpose of this is to make it more difficult for the malware analyst to spot the malicious code, as third-party libraries generally contain a lot of code and the existence of additional obfuscation will make it much more difficult to spot the injected classes,” wrote Zimperium researcher Aazim Yaswant. “In addition, the use of valid package names defeats naïve [blocklisting] attempts, but our z9 machine-learning engine allowed the researchers to detect the above-mentioned injection tricks safely.”

    Three forms of post-download strategies to circumvent Google’s app-vetting process are detailed in the Zscaler write-up: direct downloads, one-stage downloads, and two-stage downloads. The final payload was the same, despite the delivery variations. If the final payload is downloaded and enabled by an application, the knock-off application has the opportunity to sign up for premium subscriptions using the user’s SMS app.
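    As an added example, not code from the Zscaler or Zimperium write-ups or from any Joker sample, the following Python script implements the one check that follows directly from the disguise described above: it walks an APK (which is a zip archive) and flags any entry whose extension says asset (.mp3, .css, .json and similar) but whose leading bytes carry the DEX, zip or ELF magic, which is how a second-stage dex or nested JAR hidden behind an innocuous filename gives itself away. The extension list, the function names and the sample APK it builds in memory are this example’s own constructions; pass a real APK path as the first argument to scan that instead.

```python
"""Flag code hiding behind asset extensions inside an APK. Added example; not
from the Zscaler or Zimperium reports. The extension and magic tables are this
example's own assumptions; the sample APK is constructed, not a real Joker sample."""
import io
import os
import zipfile
from typing import List, Optional, Tuple

# Content signatures that should never sit behind an asset extension.
CODE_MAGIC = {
    b"dex\n": "dex",       # Dalvik executable: 'dex\n' + 3-digit version + NUL
    b"PK\x03\x04": "zip",  # nested JAR/APK, a common second-stage container
    b"\x7fELF": "elf",     # native library
}
# Extensions the reports say Joker abused (.mp3, .css, .json) plus other common assets.
ASSET_EXTS = {".mp3", ".css", ".json", ".png", ".jpg", ".txt", ".xml", ".ogg", ".dat"}


def classify(head: bytes) -> Optional[str]:
    """Identify a code format from the first bytes of an entry, or None for anything else."""
    for magic, kind in CODE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def find_disguised_code(apk_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, real type) for every entry whose bytes contradict its extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext not in ASSET_EXTS:
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # longest magic is 4 bytes; 8 also covers the dex version
            kind = classify(head)
            if kind is not None:
                hits.append((info.filename, kind))
    return hits


def build_sample_apk() -> bytes:
    """Constructed test input: one honest asset, a DEX disguised as JSON and a
    nested zip disguised as an mp3, alongside a legitimately named classes.dex."""
    fake_dex = b"dex\n035\0" + b"\0" * 64
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("classes.dex", fake_dex)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", fake_dex)                   # expected location; not flagged
        zf.writestr("assets/config.json", b'{"lang": "en"}')  # honest asset
        zf.writestr("assets/strings.json", fake_dex)           # dex behind .json
        zf.writestr("res/raw/track.mp3", inner.getvalue())     # second-stage zip behind .mp3
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for name, kind in find_disguised_code(data):
        print(f"{name}: content is {kind}, extension says {os.path.splitext(name)[1]}")
```

    A clean hit list does not prove an app is safe (the reports describe droppers that fetch the dex over the network rather than shipping it in the package), but a non-empty one is a cheap, high-confidence reason to pull an app for manual analysis before it reaches a device fleet.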

    A Google spokesman declined to comment other than to note that Zscaler reported that the company removed the apps once they were privately reported.

    Using an antivirus app from Malwarebytes, Eset, F-Secure, or another reputable maker is also an option, although they, too, can have difficulty detecting Joker or other malware.