Tag Archive for: spread

How cybercriminals use common apps on Google Play to spread malware


Google Play is home to more than three million unique apps, most of which are updated regularly to apply security patches and ship new features. Cybercriminals have found ways to abuse these routine updates to sneak malicious functionality into apps that are already live on Google Play.

In 2023, apps carrying malicious code were found to have been downloaded more than 600 million times from Google Play, Kaspersky said in a blog post.

Commonly downloaded app categories found to carry malware include photo editors, file managers, games, music and video players, and health-tracking apps.

The malicious code in these apps has been found not only to serve adware but also to track the user's location, collect cellular operator information, load spyware, record audio, and harvest other sensitive user data.


How do threat actors get malicious apps onto Google Play?

Cybercriminals create multiple developer accounts to upload apps to Google Play. Through these accounts they publish seemingly unremarkable apps with simple functionality and no malicious code, so that the apps pass Google's review. Once an app has been downloaded by a sizeable audience, the criminals add the malicious functionality through an update. The review an app passed at first upload therefore says little about what a later version does.

An example is the iRecorder app, which passed Google's review when it was uploaded in 2021 because it contained no malicious code. Once the app had close to 50,000 downloads, the threat actors pushed an update that made it record sound from the device's microphone every 15 minutes and send the recordings to a server controlled by the app's creators.

Threat actors also keep multiple developer accounts so that they can continue uploading malicious apps if one account is blocked by the moderators.
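The update trick described above leaves a trace that is easy to check: the new version's AndroidManifest usually declares permissions or components the reviewed version did not. The script below is an added example, not code from Kaspersky or Google. It compares two manifests (decoded to XML with a tool such as apktool) and flags additions, with particular attention to permissions that enable spying or background persistence. The two manifests and the package name `com.example.photofx` are constructed for a hypothetical photo editor, not taken from any real app.

```python
"""Compare the AndroidManifest of two versions of the same app and flag
permissions and components that only appear in the update.  Added example,
not code from Kaspersky or Google; the two manifests below are constructed
for a hypothetical photo editor, not taken from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spells android:name this way

# Permissions worth a manual look when an update suddenly requests them.
SENSITIVE = {
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.FOREGROUND_SERVICE",
}

# Constructed v1: a plain photo editor that only needs network and storage.
V1_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photofx" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="PhotoFX">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed v2: the "update" adds microphone access, a foreground service
# permission (to keep running in the background) and a new service component.
V2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photofx" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="PhotoFX">
    <activity android:name=".MainActivity"/>
    <service android:name=".AudioSyncService" android:exported="false"/>
  </application>
</manifest>"""


def declared(manifest_xml: str) -> dict:
    """Return the permission names and service/receiver names a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    comps = {e.get(NAME) for tag in ("service", "receiver") for e in root.iter(tag)}
    return {"permissions": perms, "components": comps}


def diff_versions(old_xml: str, new_xml: str) -> dict:
    """Report what the new version declares that the old one did not."""
    old, new = declared(old_xml), declared(new_xml)
    added = new["permissions"] - old["permissions"]
    return {
        "added_permissions": sorted(added),
        "added_sensitive": sorted(added & SENSITIVE),
        "added_components": sorted(new["components"] - old["components"]),
    }


if __name__ == "__main__":
    report = diff_versions(V1_MANIFEST, V2_MANIFEST)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Treat a hit as a triage signal, not proof: an app that already held a permission for a legitimate feature (a recorder that could always use the microphone, say) can start abusing it without any manifest change, so the code and network behaviour of the update still need review.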

From signing up for subscriptions to data mining, malicious apps do it all

Malicious code in apps can be used to access sensitive user data, including files, photos, videos, and the device's location and cellular information. Such apps have also been found to sign up the user's cellular…


NSFW Facebook ads being used to spread dangerous malware — don’t click on these


Hackers have devised a clever new way to trick unsuspecting Facebook users into downloading malware on their computers.

While having your Facebook account hacked is bad enough on its own, a new campaign discovered by Bitdefender uses compromised Facebook Business accounts to deliver the NodeStealer malware.


Disturbing trend of malware being spread to Android devices through fake alerts


Malicious actors have once again found a new way to exploit unsuspecting victims. Italian cybersecurity researchers at D3Labs recently uncovered malware being spread to Android devices through fake volcano eruption alerts. The criminals are impersonating IT-Alert, the public alert system the Italian government uses to disseminate crucial information during emergencies.

Deceptive Strategy

To lure victims into downloading malicious software, the cybercriminals set up a website mimicking the IT-Alert service. The fake site warned of possible volcanic eruptions and a nationwide earthquake risk and urged visitors to download an app to monitor the situation in their region. The ruse was aimed exclusively at Android users: when the site was opened from a desktop browser or an iOS device, it redirected to the genuine IT-Alert website.
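Serving an APK to Android visitors while bouncing everyone else to the real site is user-agent cloaking, and it also hides the lure from analysts who open the link from a workstation. The script below is an added example, not D3Labs' code: it fetches a suspicious URL with several User-Agent strings and flags the pattern when the Android profile ends up on a different host or on a package file. The User-Agent strings and the `.example` hostnames are constructed; `probe()` makes real network requests, so run it from a sandboxed host.

```python
"""Check whether a suspicious page serves different content depending on the
visitor's User-Agent, the cloaking pattern described above.  Added example,
not D3Labs' code; the hostnames and User-Agent strings below are constructed."""
from urllib.parse import urlparse
import urllib.request

# Constructed User-Agent profiles; refresh these with current browser strings.
PROFILES = {
    "android": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/118.0.0.0 Mobile Safari/537.36",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",
}


def probe(url: str, user_agent: str, timeout: int = 10) -> tuple:
    """Fetch url with the given User-Agent, follow redirects, and return
    (final_url, content_type).  Network call: run it from a sandboxed host."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.headers.get("Content-Type", "")


def probe_all(url: str) -> dict:
    """Probe url once per profile; the result feeds analyse()."""
    return {name: probe(url, ua) for name, ua in PROFILES.items()}


def is_apk(final_url: str, content_type: str) -> bool:
    """True if the response looks like an Android package, by path or MIME type."""
    path = urlparse(final_url).path.lower()
    return path.endswith(".apk") or "android.package-archive" in content_type.lower()


def analyse(results: dict) -> list:
    """results maps profile name -> (final_url, content_type).  Returns a list
    of human-readable findings; an empty list means no cloaking was observed."""
    findings = []
    apk_profiles = sorted(p for p, (u, c) in results.items() if is_apk(u, c))
    if apk_profiles and len(apk_profiles) < len(results):
        findings.append("APK served only to: " + ", ".join(apk_profiles))
    hosts = {p: urlparse(u).hostname for p, (u, _) in results.items()}
    if len(set(hosts.values())) > 1:
        findings.append("final host depends on User-Agent: "
                        + ", ".join(f"{p}->{h}" for p, h in sorted(hosts.items())))
    return findings


# Constructed results mirroring the behaviour described in the article:
# Android gets an APK, everyone else is bounced to the genuine site.
SAMPLE_CLOAKED = {
    "android": ("https://alert-lookalike.example/IT-Alert.apk",
                "application/vnd.android.package-archive"),
    "ios": ("https://genuine-alert.example/", "text/html; charset=utf-8"),
    "desktop": ("https://genuine-alert.example/", "text/html; charset=utf-8"),
}
SAMPLE_BENIGN = {p: ("https://genuine-alert.example/", "text/html") for p in PROFILES}

if __name__ == "__main__":
    for name, sample in (("cloaked", SAMPLE_CLOAKED), ("benign", SAMPLE_BENIGN)):
        print(name, analyse(sample) or ["no cloaking observed"])
```

Cloaking can also key on Accept-Language, client IP geolocation or referrer, so an empty finding list from this check does not clear a site; it only tells you that the User-Agent alone did not change the destination.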


Malicious Payload

Once a user fell for the trick and clicked the download button, a file named "IT-Alert.apk" was downloaded to the device. This innocuous-looking file contained the SpyNote malware. SpyNote is a notorious strain known for targeting financial institutions and is typically sold via Telegram by its developer, who goes by the alias CypherRat.

Infiltrating User Devices

After installation, the app asks the user to allow it to run in the background. This seemingly harmless request, together with the Android accessibility services the app abuses, gives the attackers full control over the victim's smartphone. With that control they can monitor, manage and even modify the device's resources and features, and enable remote access.

The same accessibility abuse makes it very hard for victims to uninstall the application, update already installed apps, or install new ones, further complicating removal of the malware.

Spying and Data Theft

SpyNote’s capabilities are vast and invasive. It can independently manipulate…


Google Chrome mimicked to spread malware


Bogus browser updates that mimic notifications from Google Chrome, Mozilla Firefox, and Microsoft Edge are being increasingly used by criminals to install malware on target computers.

Cybersecurity firm Proofpoint issued its latest bulletin on October 17, revealing that the threat group it tracks as TA569 has been using such lures to deploy its SocGholish malware for five years.

The group is believed to be an initial access broker: an actor that breaks into organizations and sells the resulting footholds, typically to ransomware gangs, so that the buyers can skip the work of getting past the target's defenses themselves.

“Fake browser updates refer to compromised websites that display what appears to be a notification from the browser developer such as Chrome, Firefox, or Edge, informing them that their browser software needs to be updated,” said Proofpoint. “When a user clicks on the link, they do not download a legitimate browser update but rather harmful malware.”

Proofpoint adds that it is currently monitoring "at least four distinct threat clusters" that use this tactic, but notes that not all of the groups on its radar use the same lure or deliver the same payload.

“It is important to identify to which campaign and malware cluster the threat belongs, to help guide defender response,” said Proofpoint. “Specific indicators of compromise associated with the identified activities change regularly, as the threat actors are routinely moving their infrastructure and changing details in their payloads.”

Proofpoint recommends other cybersecurity professionals, or concerned amateurs, consult the @monitorsg account on the Infosec Exchange platform, describing it as “a useful public resource for following along with recent details on payloads and infrastructure changes.”

“>


Best antivirus deals this week:

4.6
/5















4.7
/5















4.9
/5















More from Cybernews:

Android users can now log into WhatsApp with passkeys

Tech leaders angry at Web Summit co-founder for remarks over Israel

ServiceNow…

Source…