Tag Archive for: Steals

This nasty Android malware steals your passwords — and it’s still in Google Play right now


Two more Android banking Trojans have turned up in the Google Play Store, report security researchers. 

One malicious app was downloaded more than 50,000 times before being kicked out of Google Play last week, while the second app, called QR Code & Barcode – Scanner, was incredibly still in Google Play at the time of this writing and is targeting American users.

Source…

ALERT: Software that steals users’ banking credentials from phones detected


The Nigerian Communications Commission’s Computer Security Incident Response Team (CSIRT) has discovered a newly-hatched malicious software that steals users’ banking app login credentials on Android devices.

According to a security advisory from the Commission’s CSIRT, the software identified as Xenomorph targeted 56 financial institutions from Europe. It is said to have a high impact and vulnerability rate.

In a statement, Dr. Ikechukwu Adinde, the Commission’s Director, Public Affairs, explained that Xenomorph is propagated by an application that was slipped into Google Play store and masquerading as a legitimate application called ‘Fast Cleaner’.

He said it is ostensibly meant to clear junk, increase device speed and optimize battery.

In reality, the app, according to the statement, is only a means by which the Xenomorph Trojan could be propagated easily and efficiently.

He emphasised that the main intent of the malware is to steal credentials, combined with the use of SMS and notification interception to log in and use potential two-factor authentication tokens.

Once up and running on a victim’s device, Xenomorph according to the team, can harvest device information and Short Messaging Service (SMS), intercept notifications and new SMS messages, perform overlay attacks, and prevent users from uninstalling it. The threat also asks for Accessibility Services privileges, which allow it to grant itself further permissions.

“To avoid early detection or being denied access to the PlayStore, ‘Fast Cleaner’ was disseminated before the malware was placed on the remote server, making it hard for Google to determine that such an app is being used for malicious actions.”

The team further noted that the malware also steals victims’ banking credentials by overlaying fake login pages on top of legitimate ones.

“Considering that it can also intercept messages and notifications, it allows its operators to bypass SMS-based two-factor authentication and log into the victims’ accounts without alerting them.

“Xenomorph has been found to target 56 internet banking apps, 28 from Spain, 12 from Italy, nine from Belgium, and seven from Portugal, as well as…

Source…

Android Malware That Steals Financial Data Is Back, Dutch Cybersecurity Firm Reports


KEY POINTS

  • Cybersecurity firm ThreatFabric published a blog post discussing the new threat
  • The malware is reportedly almost totally based on Cerberus
  • Called ERMAC, the malware poses a threat to banking and wallet apps

Malicious actors behind the advanced mobile malware Blackrock have returned with a more vicious Android banking trojan dubbed ERMAC. The malware reportedly steals financial data from banking and wallet apps, according to cybersecurity experts.

The newly discovered Android malware was reported by the Dutch cybersecurity firm ThreatFabric. Threat actors reportedly began ERMAC’s first major campaign in late August, with the malware masquerading as Google Chrome.

Since then, ERMAC attacks have expanded to target banking apps, delivery services, government applications, media players and even antivirus solutions like McAfee.

[Photo caption] All Android devices running on Android 8 (Oreo) or later are affected; Google rolled out a patch last month to fix the issue. Photo: Reuters

Experts believe that hackers have their eyes on Poland.

“At the time of writing this blog we see ERMAC targeting Poland and being distributed under the guise of delivery service and government applications,” wrote ThreatFabric’s CEO Cengiz Han Sahin in a blog post.

ERMAC is almost entirely based on the infamous banking trojan Cerberus. Like its primogenitor and other banking malware, ERMAC is developed to steal contact information and text messages.

It can also open arbitrary applications and execute overlay attacks against a vast range of financial apps to obtain login credentials. The banking malware also comes with features enabling it to clear the cache of a particular app and steal accounts saved on the device.

“The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape,” ThreatFabric said.

“Being built on Cerberus basement, ERMAC introduces a couple of new features. Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world,” the cybersecurity firm noted in the same blog post.

ThreatFabric also…

Source…

Android malware that steals passwords is spreading fast


Google recently boasted about the success of its efforts to protect the Google Play Store and Android devices last year, mostly using advanced machine learning technology. That, however, doesn’t cover apps acquired outside of the Play Store or the phones that install them. Android’s own open nature sometimes works against it because of that, as in the case of this FluBot malware, which is spreading rapidly like a real virus, propagating to people in your phone’s address book to steal their passwords.

The way the malware works isn’t exactly that sophisticated and relies on good old-fashioned social engineering. Victims receive a text message claiming to be from a popular courier service, like DHL or Amazon. The message includes a link that it recommends people tap on to track their package.

As most would have probably guessed, that link opens up a web page that instead downloads an Android APK and asks users to install it. By default, Android doesn’t allow installing from unverified, third-party sources but the site is kind enough to provide instructions on how to change that. Once a phone has been infected, it reportedly steals passwords, online bank details, and other sensitive information stored on the phone.

Like the flu, this FluBot malware also looks into your phone’s address book to send the same phishing message to people there, which is how it is spreading so quickly to Android phones. Given how locked down iPhones are, owners of Apple’s iOS devices are immune to this trick, but the UK’s National Cyber Security Centre (NCSC) still recommends that iPhone users play it safe and not open those links anyway.

The report does raise the question of how passwords and login credentials, which are often encrypted or protected on Android and most browsers, can be stolen so easily, though that isn’t exactly unheard of. Unfortunately, there is no fix for those already infected other than to factory reset their phone. It might not be so bad for those with backups, but users should be careful when restoring backups made after getting infected by FluBot.

Source…