New RecruitRat, SaferRat, Astrinox, Massiv Android Malware Found Targeting 800 Apps

Cybersecurity researchers from Zimperium zLabs have published an analysis of four emerging families of Android malware, each running distinct campaigns aimed at compromising banking and cryptocurrency applications. Together, these families are reportedly capable of extracting sensitive information from over 800 different applications, as detailed in a recent report shared with Hackread.com.

Meet the Four Families

The diligent team at zLabs has been monitoring these threats, which they have aptly named RecruitRat, SaferRat, Astrinox, and Massiv. Each family employs unique tactics to entice users into downloading their malicious software, with phishing and smishing being the predominant methods.

  • Phishing: This method involves the creation of counterfeit websites that closely resemble legitimate login pages for banks or popular services. For instance, the SaferRat campaign utilizes sites that promise free access to premium video streaming services to attract unsuspecting victims.
  • Smishing: This technique relies on urgent text messages that claim issues with the recipient’s account, accompanied by a link that, when clicked, downloads the harmful payload. The RecruitRat campaign specifically targets job seekers through fake employment websites, prompting them to download an APK file disguised as a job application.
  • Astrinox: This malware mimics a business tool known as HireX on the domain xhirecc. Although researchers identified a fraudulent Apple App Store page associated with this malware, the actual malicious payloads are currently directed solely at Android users.
  • Massiv: This group remains enigmatic; its methods of propagation are so cleverly concealed that researchers have yet to uncover definitive signs of its distribution.

The Blindfold Trick

Upon infecting a device, these applications swiftly initiate an overlay attack. This tactic involves displaying a counterfeit screen on top of a legitimate app when the user opens it, such as a banking application or a cryptocurrency wallet. Consequently, a password entered into that screen is not transmitted to the bank but to the attackers.

To further obfuscate their actions, Zimperium’s report highlights that the malware employs a “blindfold” technique. By exploiting Accessibility Service permissions, it can overlay a static image on the user’s screen, presenting a frozen page or a deceptive Android Update screen while the hackers operate undetected in the background. This allows them to access contacts, read SMS messages, and even record the screen using the MediaProjection framework.

Bypassing Your Security

One of the most alarming aspects of these attacks is their ability to intercept security codes. Users often feel secure due to one-time passwords (OTPs) sent via text, but these malware programs can capture those messages in real-time.

Researchers have observed that RecruitRat contains a library of over 700 counterfeit login pages, which activate as soon as a targeted app is opened. Additionally, these threat actors employ keylogging techniques to monitor every keystroke made by the user. By maintaining a persistent connection through WebSockets, they remain linked to the device, poised to strike at the opportune moment. Experts advise users to refrain from clicking links in urgent text messages and to download applications exclusively from official platforms.
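The capabilities described above (overlay screens, Accessibility Service abuse, SMS/OTP interception and MediaProjection screen capture) leave a recognisable footprint in an app's manifest. The following triage script is an added example, not code from Zimperium or the report; it parses a constructed AndroidManifest.xml and flags the permission cluster a defender would want reviewed before sideloading an APK.

```python
"""Static triage of an Android manifest for the capability cluster the
Zimperium report describes: overlay screens, Accessibility Service abuse,
SMS/OTP interception and MediaProjection screen capture. Added example;
the manifest below is constructed for illustration, not a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each capability maps to the manifest permissions that enable it.
# MediaProjection itself needs user consent rather than a permission, but
# since API 34 a capturing foreground service must declare this one.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission android:name=...> entries plus any <service>
    that binds the Accessibility Service via android:permission."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms |= {el.get(ANDROID_NS + "permission") for el in root.iter("service")}
    return {p for p in perms if p}

def triage(manifest_xml: str) -> dict:
    """Return the capabilities found and whether the overlay-plus-accessibility
    combination at the core of the 'blindfold' technique is present."""
    perms = declared_permissions(manifest_xml)
    hits = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    suspicious = {"overlay", "accessibility"} <= hits
    return {"capabilities": sorted(hits), "banker_pattern": suspicious}

# Constructed manifest: package name and service name are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A hit on `banker_pattern` is a reason to inspect the APK, not proof of malice; legitimate screen readers and some automation tools also combine these permissions.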
