Android malware

AppWizard
February 7, 2025
Google's Android Security and Privacy Team has partnered with Mandiant FLARE to enhance the capa open source binary analysis tool, which analyzes ARM ELF files used in Android malware. The integration of Gemini AI into this toolset aims to improve malware analysis and decision-making. A case study demonstrated the detection of an illegal gambling app disguised as a music app that used various anti-analysis techniques. By employing static analysis with capa, Google was able to identify and remove the app from the Google Play Store. New rules have been developed for capa to detect Android-specific malware behaviors, such as ptrace API calls and code downloading and decrypting methods. The incorporation of Gemini AI aids analysts by summarizing flagged functions and assessing risk levels, thereby accelerating malware detection and rule formulation.
AppWizard
December 23, 2024
The Amazon App Store is hosting a potentially harmful app named BMICalculationVsn, marketed as a body mass index (BMI) calculator. Developed by PT Visionet Data Internasional, the app has been flagged as spyware by McAfee Labs, raising privacy concerns due to its requests for sensitive information such as passwords, payment details, and audio recordings. The app has thousands of installations and has been identified as a security threat since October 8, 2024. Users are advised to keep their Play Protect feature active to mitigate risks associated with third-party app stores.
AppWizard
December 20, 2024
Researchers at McAfee Labs found a malicious app named BMI CalculationsVsn on the Amazon Appstore, disguised as a body mass index calculator. The app activates screen recording when users click the “Calculate” button, potentially capturing sensitive information. Although it was designed to record video, the developer had not implemented the capability to upload recordings. The app could still scan for installed applications and collect text messages. It was uploaded to the Amazon Appstore in early October and was removed after McAfee alerted Amazon. Users who installed it need to delete it manually.
AppWizard
December 19, 2024
A malicious Android spyware application named 'BMI CalculationVsn' was discovered on the Amazon Appstore, disguised as a health tool. Researchers at McAfee Labs identified the app, which was siphoning data from infected devices without users' knowledge, and alerted Amazon, leading to its removal. Users who installed the app must manually uninstall it and scan their devices for any remaining spyware. The app, published by 'PT Visionet Data Internasional,' initially appeared as a user-friendly BMI calculator but secretly activated a screen recording service and collected sensitive information, including SMS messages and one-time passwords. The app first appeared on October 8 and underwent modifications throughout the month. This incident highlights vulnerabilities in app stores and emphasizes the need for users to be cautious when downloading applications and to review app permissions carefully. Keeping Google Play Protect activated is recommended for enhanced security.
AppWizard
December 3, 2024
A recent investigation by McAfee identified 15 SpyLoan Android malware apps on Google Play, which collectively received over 8 million installs, mainly targeting users in South America, Southeast Asia, and Africa. These apps disguised themselves as legitimate financial tools, enticing users with false promises of quick loan approvals. Upon installation, users were required to validate their location and submit sensitive personal information. The malware harvested extensive data from users' devices, including SMS messages, GPS locations, and contact lists. Users who secured loans faced high-interest payments and harassment from the operators, who sometimes contacted the borrowers' family members. Notable apps included Préstamo Seguro-Rápido and Préstamo Rápido-Credit Easy, each with 1,000,000 downloads. Despite Google's app review processes, these malicious apps evaded detection. Users are advised to read reviews, check developer reputations, limit app permissions, and activate Google Play Protect.
AppWizard
December 2, 2024
Researchers have identified 15 predatory loan applications on the Google Play Store that collectively garnered eight million downloads before being removed. These apps, which falsely advertised low-interest loans, engaged in extortion and harassment of users, particularly targeting individuals in South America, Southeast Asia, and Africa, including countries like Mexico, Colombia, and Senegal. The apps requested a one-time passcode to access user location information for their predatory practices. Users are advised to check app ratings, download numbers, and reviews to verify app legitimacy.
AppWizard
November 6, 2024
A new Android malware named "ToxicPanda" was first identified in late October 2024 and has been reclassified as a unique entity after initial classification under the TgToxic family. It poses a risk through account takeover via on-device fraud and primarily targets retail banking applications on Android devices. The malware has spread significantly in Italy, Portugal, Spain, and various Latin American regions, with over 1,500 devices reported as victims. ToxicPanda allows cybercriminals to gain remote access to infected devices, intercept one-time passwords, and bypass two-factor authentication. The threat actors are likely Chinese speakers, which is unusual for targeting European banking. The malware spreads through social engineering tactics, encouraging users to side-load the malicious app, and exploits Android’s accessibility services for elevated permissions. Cleafy’s analysis indicates that ToxicPanda's command-and-control infrastructure shows evolving operational strategies, and the malware may undergo further modifications. The challenges for security professionals are increasing as malware operators refine their tactics and expand their targets. Cleafy noted that contemporary antivirus solutions have struggled to detect ToxicPanda due to a lack of proactive, real-time detection systems.