Tag: Fake | SpinSafe

Watch out for these fake messaging apps on Android – they could be spying on you

April 11, 2024/in Mobile Security

Cybersecurity researchers from ESET found a handful of malicious Android apps that were spying on people and stealing sensitive information from their mobile devices.

In a press release shared with TechRadar Pro earlier this week, the researchers said that a new threat actor group, which they dubbed Virtual Invaders, was active from late 2021.

They created a number of Android apps, posing as communications products, which also came with the open-source XploitSPY malware. They called the campaign “eXotic Visit.”

Low download count

On the surface, the apps worked as intended, offering rudimentary communications services. However, behind the curtains lies malware that extracted people’s contact lists and files, the device’s GPS locations, file names listed in specific directories related to the camera, downloads, and different messaging apps such as Telegram, or WhatsApp. If some file names showed promise, the attackers could extract them as well, it was said.

To build the malware, the attackers seem to have taken the open-source Android Remote Access Trojan (RAT), XploitSPY, and modified it. While the apps offered rudimentary services, they came with a number of fake functionalities, too. Throughout the years, the attackers added new features, including better obfuscation techniques, emulator detectors, and more.

There were more than a dozen apps, ESET said, with the three biggest ones being called Dink Messenger, Sim Info, and Defcom. All were being distributed via standalone websites, as well as Google Play, but all were subsequently removed from Google’s app repository.

Still, the chances of being infected by any of these are relatively low. Apparently, the attackers only targeted individuals in Pakistan and India, and were quite specific in their attacks. In total, there were roughly 380 downloads from the websites and the Play store. Each app has had up to 45 downloads. The distribution methods were not discussed, but they were most likely phishing and social engineering.

More from TechRadar Pro

Source…

RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

February 16, 2024/in Computer Security

Feb 16, 2024NewsroomEndpoint Security / Cryptocurrency

Several companies operating in the cryptocurrency sector are the target of a newly discovered Apple macOS backdoor codenamed RustDoor.

RustDoor was first documented by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It’s distributed by masquerading itself as a Visual Studio update.

While prior evidence uncovered at least three different variants of the backdoor, the exact initial propagation mechanism remained unknown.

That said, the Romanian cybersecurity firm subsequently told The Hacker News that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts that are responsible for downloading and executing RustDoor.

“Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that download and execute the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, said.

Since then, three more malicious samples that act as first-stage payloads have come to light, each of them purporting to be a job offering. These ZIP archives predate the earlier RustDoor binaries by nearly a month.

The new component of the attack chain – i.e., the archive files (“Jobinfo.app.zip” or “Jobinfo.zip”) – contains a basic shell script that’s responsible for fetching the implant from a website named turkishfurniture[.]blog. It’s also engineered to preview a harmless decoy PDF file (“job.pdf”) hosted on the same site as a distraction.

Bitdefender said it also detected four new Golang-based binaries that communicate with an actor-controlled domain (“sarkerrentacars[.]com”), whose purpose is to “collect information about the victim’s machine and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system.

In addition, the binaries are capable of extracting details about the disk via “diskutil list” as well…

Source…

Android malware posing as Google Chrome could steal your photos, contacts, and more — how to spot the fake

February 11, 2024/in Mobile Security

An updated version of the XLoader malware for Android devices doesn’t require any user interaction to launch once installed, according to researchers at McAfee (via BleepingComputer). Of course, you still need to click the malicious link in an SMS message to download and install the malware, but this XLoader variant doesn’t require users to manually launch the malware anymore.

Right now, the malware is being distributed through SMS texts on Android devices. If you’re targeted, the SMS text will include a shortened URL that, if clicked on, will direct you to a website to download an Android APK installation file for a mobile app. McAfee says that, “While the app is installed, their malicious activity starts automatically.”

The malware will run silently in the background, gaining access to all kinds of personal, private data on your Android device, including photos, messages, contacts, and potentially banking information. Luckily, the malware is pretty easy to spot and you might already be protected if Google’s Play Protect service is enabled on your Android device. Here’s what to look for, and how to see if Play Protect is active.

How to spot the new XLoader malware

XLoader—also known as MoqHao malware—is likely created by ‘Roaming Mantis,’ a financially-motivated threat actor, and McAfee identified some malicious pop-up messages in the malware’s code in English, Korean, French, Japanese, German, and Hindi, which indicates the malware’s current targets.

If you’re in an area that primarily speaks one of those languages, you might be at risk, but the warning signs that something’s off are pretty clear. In permission requests during the malicious app’s first launch, it’ll masquerade as Google Chrome, but you’ll notice some letters are bolded while others aren’t.

android malware posing as chrome

(Image credit: McAfee)

After those initial requests, the malicious app will ask you to set “chrome” as your default SMS app, citing the reason “to prevent spam” to convince you it’s the right decision. Again, you’ll spot randomly bolded letters here as a warning sign that something’s off.

android malware posing as google chrome