Cybercriminal uses fake apps to steal data and threaten users across Asian mobile networks

By user, July 29, 2025. 7 min read.

Cybersecurity researchers have discovered a new, massive mobile malware campaign that targets Android and iOS users with fake dating, social networking, cloud storage and car service apps in order to steal sensitive personal data.

Zimperium zLabs has codenamed the cross-platform threat SarangTrap. Korean users appear to be its main focus.

“This massive campaign includes over 250 malicious Android applications and over 80 malicious domains, all disguised as legitimate dating and social media applications,” said security researcher Rajat Goyal.

Fake domains impersonating legitimate app store listing pages are used as lures to trick users into installing these apps, which then extract contact lists and images while maintaining the illusion of legitimacy.

Once installed, the Android app prompts the victim to enter an invitation code, which is then validated against the command-and-control (C2) server. The app then requests sensitive permissions granting access to SMS messages, contact lists and files, under the pretext of providing the advertised features.

Gating the malicious behaviour behind an invitation code is a clever and sneaky trick, as the malware can evade dynamic analysis and antivirus scans and silently hoover up data.

The iOS version of the campaign lures users into installing a deceptive mobile configuration profile on their devices, then uses that configuration to install the apps and capture contacts, photos and photo libraries.

The campaign is said to be under active development, with newer variants of the malware samples limited to collecting contacts, images and device information and sending them to external servers. There is also evidence that the threat actors behind the activity have resorted to threatening victims with sharing the collected material with their families.

“This unstable narrative is not an isolated incident. It highlights the psychological manipulation and social engineering tactics these campaigns employ to exploit emotional vulnerability,” Goyal said.

“The victim is seduced into installing malware on the promise of a relationship, only to discover that he is caught up in a cycle of surveillance, fear and humiliation.”

This disclosure comes in the wake of another campaign that set up 607 Chinese domains to distribute malicious Android application package (APK) files disguised as the Telegram messaging app via QR codes embedded in the sites; the apps execute remote commands in real time and allow devices to be controlled using the media player API.

“The APK was signed with the V1 signature scheme and is therefore vulnerable to the Janus vulnerability in Android 5.0-8.0,” BforeAI said. “This vulnerability allows an attacker to create deceptive applications.”

“After a malicious application is created, it is repackaged using the original V1 signature. This change is not detected, and the compromised app can be installed without question. Essentially, the attacker redistributes it as an APK, installs it on older devices in particular, and passes a complete security check.”
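The Janus weakness referred to above only applies to APKs that carry a v1 (JAR) signature and no v2/v3 APK Signing Block. As an added defender-side check (not code from the article or from BforeAI; production tooling such as apksigner performs the same verification), the Python below inspects an APK for the signature schemes it carries and flags v1-only packages. The sample APKs it builds are constructed stand-ins, not real apps.

```python
import io, struct, zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# Block IDs assigned by the APK Signature Scheme v2 / v3 / v3.1 specifications.
SIG_SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1"}

def signing_schemes(apk_bytes: bytes) -> set:
    """Return the signature schemes found in an APK, e.g. {'v1'} or {'v1', 'v2'}."""
    found = set()
    # v1 (JAR) signing leaves a signature file under META-INF/
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
               for n in zf.namelist()):
            found.add("v1")
    # v2/v3 live in the APK Signing Block placed just before the central directory
    eocd = apk_bytes.rfind(b"PK\x05\x06")
    cd_off = struct.unpack_from("<I", apk_bytes, eocd + 16)[0]
    if apk_bytes[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return found
    block_size = struct.unpack_from("<Q", apk_bytes, cd_off - 24)[0]
    pos, end = cd_off - block_size, cd_off - 24  # ID-value pairs sit between the two size fields
    while pos < end:
        pair_len, pair_id = struct.unpack_from("<QI", apk_bytes, pos)
        found.add(SIG_SCHEME_IDS.get(pair_id, f"unknown-{pair_id:#x}"))
        pos += 8 + pair_len
    return found

def janus_exposed(apk_bytes: bytes) -> bool:
    """Janus (Android 5.0-8.0) needs a v1-only APK; any v2/v3 block closes the gap."""
    schemes = signing_schemes(apk_bytes)
    return "v1" in schemes and not (schemes & {"v2", "v3", "v3.1"})

def sample_apk(with_v2: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with v1 artefacts, optionally plus a v2 block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # placeholder PKCS#7 blob
    data = bytearray(buf.getvalue())
    if not with_v2:
        return bytes(data)
    eocd = data.rfind(b"PK\x05\x06")
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
    pair = struct.pack("<QI", 4 + 8, 0x7109871A) + b"\x00" * 8  # placeholder v2 signer data
    size = len(pair) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    data[cd_off:cd_off] = block  # insert before the central directory ...
    struct.pack_into("<I", data, eocd + len(block) + 16, cd_off + len(block))  # ... fix EOCD
    return bytes(data)
```

Run `janus_exposed(open("app.apk", "rb").read())` on a real package to triage it; a `True` result means the APK has no v2/v3 block and depends entirely on the v1 signature.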

Impersonating trusted and popular online platforms has proven a reliable compromise vector, as evidenced by an Android campaign aimed at Indian bank customers and Bengali-speaking users, especially Bangladeshis living in Saudi Arabia, Malaysia and the United Arab Emirates.

The applications are designed to trick users into entering personal information as part of what appears to be an account creation process, then capture the data entered into a fake transaction interface that simulates mobile transfers, invoice payments and bank transfers. In reality, no transactions are executed.

“While the attack techniques are not new, the campaign’s cultural targeting and sustained activity reflect how cybercriminals continue to adapt their strategies to reach a particular community,” said McAfee Labs researcher Dexter Shin.

The malware impersonating Indian banking services uses Firebase for C2 operations and phishing pages that mimic real user interfaces, harvesting a wide range of data including debit card details and SIM information. It also has call-forwarding and remote-calling features.

Another Asian country targeted by Android malware attacks is Vietnam, where phishing sites disguised as financial and government agencies are being used to distribute a new banking Trojan called RedHook.

“It uses WebSocket to communicate with a command-and-control (C2) server, supporting over 30 remote commands that provide full control over compromised devices,” Cyble said. “Code artifacts containing Chinese strings suggest development by Chinese-speaking threat actors or groups.”

A notable feature of RedHook is its combination of keylogging and remote access trojan (RAT) capabilities to carry out credential theft and financial fraud. It also abuses Android accessibility services to perform overlay attacks and leverages the MediaProjection API to capture screen content.

Although the campaign is new, an exposed AWS S3 bucket used by the threat actors was found to contain screenshots, fake bank templates, PDF documents and images detailing the malware’s behaviour dating to November 27, 2024.

“The RedHook discovery highlights the increasing sophistication of Android banking Trojans, which combine phishing, remote access and keylogging to carry out financial fraud,” the company added. “By leveraging legitimate Android APIs and abusing accessibility permissions, RedHook remains under the radar of many security solutions and provides deep control over infected devices.”

Malicious Android APKs that spoof popular brands and rely on social engineering and off-market distribution channels have also been discovered siphoning data and hijacking network traffic for monetisation, often with the end goal of simulating user activity and redirecting users through funnels to generate illicit income.

In addition to incorporating checks for sandboxed and virtualised environments, the apps have a modular design that allows advanced features to be enabled at will.

“The open source tool ApkSignatureKillerEx is used to break the native signature verification process on Android and inject a secondary payload (origin.apk) into the application’s directory,” Trustwave SpiderLabs said. “This effectively reroutes execution to malicious code while preserving, for both the operating system and the user, the appearance of a legitimately and properly signed package.”

Although this campaign is not attributed to known threat actors or groups, the use of ad fraud tactics suggests possible links to Chinese-speaking criminal groups.

That’s not all. A new study from iVerify reveals that setting up a new Android-centric campaign is as easy as renting malware-as-a-service (MaaS) kits like PhantomOS and Nebula on a monthly subscription, further lowering the barrier to entry for cybercrime.

“These kits also feature 2FA intercept capabilities, antivirus software, silent app installation, GPS tracking, and even brand-specific phishing overlays,” said researcher Daniel Kelley. “The platform has everything you need, including Telegram, the backend infrastructure, and built-in ways to get around Google Play Protect.”

Underground forums also offer crypters and exploit kits that allow malware to stay under the radar and use social engineering techniques to spread infections at scale. One such tool is the Android ADB scanner, which looks for open Android Debug Bridge (ADB) ports and pushes malicious APK files without the victim’s knowledge. The service is available for around $600-$750.

“Perhaps the most interesting development in this ecosystem is the commoditization of the infected devices themselves,” Kelley pointed out. “In the so-called ‘install’ market, cybercriminals can purchase a large amount of access to Android devices that have already been compromised.”

Markets such as Valhalla offer devices in selected countries compromised by Trojans such as ERMAC, HOOK, HYDRA and OCTO. This approach removes the need for attackers to distribute malware or compromise devices themselves; instead, they can rent an existing network of bots and carry out the activity of their choosing.

To mitigate the risks posed by such apps, users are advised to be cautious of apps that request unusual permissions or invitation codes.
