Tag Archive for: app

GoldDigger Disguises as Fake Android App To Steal Banking Credentials

GoldDigger is a newly identified Android Trojan distributed as a fake app; the samples analysed so far impersonate a Vietnamese government portal and a local energy company.

The Trojan has been active since at least June 2023, and its main objective is to steal banking credentials.

It abuses Android's Accessibility Service to harvest personal data, intercept SMS messages and perform actions on the device on the user's behalf. It also gives its operators remote access to the infected device.

Group-IB's Threat Intelligence team discovered the Trojan while tracking attacks on Vietnamese financial institutions; according to Group-IB, GoldDigger is one of three Android banking Trojans currently active in the Asia-Pacific region.



Tactics Of The GoldDigger Trojan

One of GoldDigger's distinguishing characteristics is its protection layer: the APK is wrapped with Virbox Protector, a commercial application-protection product, which hampers both static and dynamic analysis and helps the Trojan evade detection.

As with other banking Trojans, the aim is to infect as many devices as possible and take over the victims' accounts.

GoldDigger’s TTP

On older Android versions a global “Install from Unknown Sources” setting, off by default, blocks installation of APKs from anywhere other than the Google Play Store; on Android 8 and later the same control is a per-app “Install unknown apps” permission granted to the app (browser, messenger) that initiates the install.

Either way, GoldDigger can only be downloaded and installed if the victim enables sideloading for the source the attackers point them to.

Fake website distributing GoldDigger

When launched, GoldDigger asks the user to enable its Accessibility Service. Android's accessibility features exist to make devices usable for people with disabilities; a service granted this permission can read what is on screen and inject input on the user's behalf, which is exactly what the Trojan abuses.

These services include speech-to-text,…
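The two device conditions described above, sideloading enabled and an unexpected accessibility service switched on, can be checked from a workstation over adb. The following Python triage script is an added example and is not code from Group-IB or the article: it parses the output of `settings get secure`, `appops get` and `pm list packages -3 -i`. The adb output embedded in it is constructed for the illustration, and the package names (com.example.evil, com.example.bank, com.example.browser) and both allowlists are assumptions to be tuned per fleet.

```python
"""Triage an Android device for the two preconditions GoldDigger needs:
sideloading enabled and a non-standard accessibility service switched on.

Added example; the adb output below is constructed for illustration and the
package names com.example.* are hypothetical.  In the field, capture the same
strings with:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure install_non_market_apps      # legacy global switch, pre-Android 8
  adb shell appops get <pkg> REQUEST_INSTALL_PACKAGES         # Android 8+ per-app grant
  adb shell pm list packages -3 -i                           # third-party apps + installer
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: accessibility services a device owner would expect (TalkBack screen reader).
KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback", "com.android.talkback"}
# Assumption: installers that mean "came from an app store"; anything else counts as a sideload.
STORE_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(value: str) -> List[Tuple[str, str]]:
    """Split Settings.Secure.enabled_accessibility_services into (package, class) pairs.

    The value is a colon-separated list of flattened ComponentNames 'pkg/cls';
    a class written as '.Cls' is shorthand for 'pkg.Cls'.  'null' means none.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    services = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_third_party_packages(listing: str) -> Dict[str, Optional[str]]:
    """Parse 'pm list packages -3 -i' lines: 'package:<pkg>  installer=<installer|null>'."""
    result: Dict[str, Optional[str]] = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result


def parse_install_appop(appops_output: str) -> Optional[str]:
    """Return the mode ('allow', 'deny', 'default', ...) from 'appops get <pkg> REQUEST_INSTALL_PACKAGES'."""
    m = re.search(r"REQUEST_INSTALL_PACKAGES:\s*(\w+)", appops_output)
    return m.group(1) if m else None


def triage(enabled_services: str, install_non_market_apps: str,
           package_listing: str, install_appops: Dict[str, str]) -> List[str]:
    """Return human-readable findings; the GoldDigger pattern is marked HIGH."""
    findings: List[str] = []
    if install_non_market_apps.strip() == "1":
        findings.append("settings: legacy install_non_market_apps=1 (global sideload switch on)")
    for pkg, output in install_appops.items():
        if parse_install_appop(output) == "allow":
            findings.append(f"appops: {pkg} may install unknown apps (REQUEST_INSTALL_PACKAGES=allow)")
    installers = parse_third_party_packages(package_listing)
    sideloaded = {p for p, inst in installers.items() if inst not in STORE_INSTALLERS}
    for pkg in sorted(sideloaded):
        findings.append(f"sideloaded: {pkg} (installer={installers[pkg]})")
    for pkg, cls in parse_enabled_services(enabled_services):
        if pkg in KNOWN_A11Y_PACKAGES:
            continue
        # A sideloaded app that holds accessibility is exactly the GoldDigger pattern.
        severity = "HIGH" if pkg in sideloaded else "MEDIUM"
        findings.append(f"accessibility {severity}: {cls} ({pkg}) is enabled")
    return findings


# Constructed sample output (not captured from a real device).
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.evil/.AccessSvc"
)
SAMPLE_NON_MARKET = "0"
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.evil  installer=null
package:com.example.browser  installer=com.android.vending
"""
SAMPLE_APPOPS = {"com.example.browser": "REQUEST_INSTALL_PACKAGES: allow; time=+2h14m ago"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_NON_MARKET, SAMPLE_PACKAGES, SAMPLE_APPOPS):
        print(finding)
```

Run against the constructed sample it reports the browser as an install source, com.example.evil as sideloaded, and its AccessSvc as a HIGH finding because the same sideloaded package holds accessibility. A TalkBack-only device with Play-installed apps produces no findings.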


New Android Banking Malware Poses as Government App to Target Users

Cybercriminals continue to build malware for profit: a recent Securelist report describes ASMCrypt, a loader advertised on underground forums that is related to the DoubleFinger loader.

The same report covers new versions of the Lumma stealer and of the Zanubis Android banking Trojan.

Researchers found an advertisement for ASMCrypt, a cryptor/loader designed to evade AV and EDR detection, and noted its resemblance to DoubleFinger.

They strongly suspect ASMCrypt is an evolved version of DoubleFinger that acts as a “front” for a service reachable over the TOR network, although the two differ in some operational details.



New Android Banking Malware

Buyers receive the ASMCrypt binary, which connects to the operators' TOR backend with hardcoded credentials and then presents the options menu.

Options menu (Source – Securelist)

The menu exposes the following options:

  • Stealth injection method
  • Invisible injection method
  • The process the payload should be injected into
  • Folder name for startup persistence
  • Whether the malware itself masquerades as Apple QuickTime, or as a legitimate application that sideloads the malicious DLL

Once the options are chosen and the build button is pressed, the application hides an encrypted blob inside a .png file that is then uploaded to an image-hosting site; in parallel, the criminals build and distribute the malicious DLL or binary, the report says.
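The report says only that the blob is concealed in a .png, not how. The Python script below is an added example, not code from Securelist or from ASMCrypt, that shows two generic ways such a carrier is commonly built (payload appended after the IEND chunk, and payload inside a private ancillary chunk) together with the inspection a responder would run on a suspect image: walk the chunk list, verify every CRC, flag chunk types outside the PNG specification, report bytes after IEND, and measure the entropy of anything found. The 1x1 image, the pseudo-random stand-in for the encrypted blob and the private chunk name `prVt` are all constructed for the illustration.

```python
"""Inspect a PNG for data that does not belong to the image: bytes appended after
IEND, private/unknown chunks, bad chunk CRCs, and the entropy of whatever is found.

Added example, not code from the Securelist report.  The two carriers built here
(payload after IEND, payload in a private ancillary chunk) are generic techniques;
the sample image, the blob and the chunk name 'prVt' are constructed.
"""
import math
import random
import struct
import zlib
from typing import Dict

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
    b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME", b"eXIf",
}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def minimal_png() -> bytes:
    """A valid 1x1 8-bit RGB PNG (one red pixel) built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type RGB, ...
    scanline = b"\x00" + b"\xff\x00\x00"                 # filter type 0 + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanline)) + chunk(b"IEND", b"")


def constructed_blob(n: int = 1024) -> bytes:
    """Stand-in for an encrypted payload: deterministic pseudo-random bytes."""
    rng = random.Random(7)
    return bytes(rng.randrange(256) for _ in range(n))


def carrier_after_iend() -> bytes:
    """Carrier style 1: payload appended after the IEND chunk; image viewers ignore it."""
    return minimal_png() + constructed_blob()


def carrier_private_chunk() -> bytes:
    """Carrier style 2: payload inside a private ancillary chunk placed before IEND."""
    png = minimal_png()
    return png[:-12] + chunk(b"prVt", constructed_blob()) + png[-12:]  # IEND chunk is the last 12 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def inspect_png(data: bytes) -> Dict[str, object]:
    """Walk the chunk list and report anomalies plus any trailing bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks, findings = len(PNG_SIG), [], []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(body) < length or len(crc_field) < 4:
            findings.append(f"truncated chunk {name} at offset {pos}")
            break
        if struct.unpack(">I", crc_field)[0] != zlib.crc32(ctype + body):
            findings.append(f"bad CRC on chunk {name} at offset {pos}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes, entropy {shannon_entropy(body):.2f}) at offset {pos}")
        chunks.append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = data[pos:]
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND (entropy {shannon_entropy(trailing):.2f})")
    return {"chunks": chunks, "trailing_bytes": len(trailing), "findings": findings}


if __name__ == "__main__":
    for label, sample in (("clean", minimal_png()),
                          ("after IEND", carrier_after_iend()),
                          ("private chunk", carrier_private_chunk())):
        print(label, inspect_png(sample))
```

Both carriers still open as a normal 1x1 image in any viewer, which is the point of the technique; the inspection catches them because the trailing bytes and the unknown chunk have entropy close to 8 bits per byte, whereas legitimate ancillary chunks such as tEXt do not. Real carriers may also hide data in the pixel values themselves, which this chunk-level check does not detect.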

  • Lumma: This stealer is written in C++ and belongs to a family also known as Arkei, Vidar, Oski and Mars. Its core function, stealing cryptocurrency wallet data, has remained unchanged since May 2018. Lumma, the latest variant, shares about 46% of its code with Arkei; it first appeared in August 2022 and spreads through a deceptive website posing as a .docx-to-.pdf converter.

Code snippet of the “debugging” sample


Calendar app gaining popularity with students raises security concerns


COLORADO SPRINGS — A popular app used by high schoolers is raising concerns among parents and cybersecurity experts. The Saturn app is promoted as a way for high-school students to view their schedule, chat, and create a social calendar for meeting up and planning school events.

Just two weeks ago, parents raised concerns over the app's ability to link to a user's TikTok, Snapchat and other social media accounts.

Another major concern is that anyone who downloads the app can create a profile claiming to be a student. But after reaching out to Saturn myself, I was told the app has made major changes in the past week to increase security.

Saturn Technologies released a statement saying it now uses a verification process to make sure that those who download the app are actual students at the school they claim to attend. The process requires users to have a school email address before they can view class details and student profiles.

But a local cybersecurity expert I spoke with tells me the app still shows several security red flags, and he does not believe it is secure enough to keep hackers away.

“Some of the dangers that you might encounter from having too much information on there is stalking, there might be stalkers out there if your location is known, you open yourself up to burglary or more serious crimes. Identity theft, data breaches, so there’s a slew of things that kids face once they get on this particular app,” said Thomas Russell, a cyber education program manager at the National Cybersecurity Center.

“Right now, I can join and easily mock some type of school email because I know the patterns of the school emails locally, and I can easily go in there and get an account myself. And if I can do it, that means anyone can do it.”

Thomas tells me this is a concern because your child can never know exactly who they are talking to. Parents should use parental controls, look at the app themselves and keep monitoring their child's chat-room behaviour on it.

While the app has grown in popularity in our area, it is not something local high schools are asking their students to download. I spoke with several local school…


Woman loses over $20k from credit card and bank accounts after downloading third-party app


SINGAPORE – A food delivery order that was supposed to cost $58 ended up costing Ms Lim (not her real name) over $20,000 after scammers remotely took control of her Android phone and her banking details.

Ms Lim, 54, lost almost $20,500 from a credit card account and two DBS savings accounts within hours of clicking a link to download a third-party app; the scammers then raised her credit limits and siphoned off all her money.

She had been looking for healthy tingkat (tiffin) meal delivery options for her elderly parents, and on July 26, she made an inquiry after seeing a Facebook ad from a company called Healthy Box.

The ad appeared to be from local caterer Grain, from which she had ordered before, so she was not suspicious.

She contacted the poster of the advertisement via Facebook messenger, after which the conversation continued on WhatsApp at around noon that day.

After the person confirmed they were from Grain, they sent her a WhatsApp link to download an app she had not used before in order to place the order. She installed the app, which she said looked exactly like the mobile version of Grain's site.

When asked to make payment of $58 via PayNow to another number, she received a message saying that the vendor had not installed PayNow and that she could send the vendor a link to do so.

She then messaged the person to inform them that their PayNow was not working and asked them to check on it, but did not receive a reply.

Ms Lim, who works in events and marketing, went back to her online meetings. About 90 minutes later, when taking a lunch break, she noticed that her phone felt “burning hot”.

When she switched it on, the phone showed a blank setup screen: it had performed a factory reset. Not suspecting anything, she went through the setup sequence as one would with a new phone.

Later that day, when she attempted to use her ATM card to withdraw money at around 6pm, she realised that her bank balance was zero.

She called the DBS customer service hotline, and an officer confirmed that $20,493.87 had been transferred out of her account.

A few days later, she went to…
