Malicious apps posing as popular apps, such as Google, Instagram, Snapchat, WhatsApp, and X, have been found to steal users’ credentials from compromised devices. "This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices," as shown in a recent report by the SonicWall Capture Labs threat research team.
Once installed on the victim’s phone, the app asks to be granted access to accessibility services and the device administrator API, which provides system-level device administration capabilities.
These permissions give the rogue app control over the device, making it possible to carry out actions ranging from deploying additional malware to stealing data without the victim’s knowledge.
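The two traits described above (a brand-mimicking label on a package that is not the brand's own, combined with a declared accessibility service and device-admin receiver) can be turned into a simple inventory triage check. The following is an added example, not code from the report or from SonicWall; the inventory record format and the `component_permissions` field are assumed, and the sample records are constructed.

```python
"""Flag inventory records that look like the impersonating Android malware
described above. Record format is assumed (e.g. exported from an MDM):
package name, user-visible label, installer package, and the permissions
guarding the app's declared components (services/receivers)."""

# Official package names for the brands the report says are impersonated.
# Assumed to be the reference list a defender maintains; the values are the
# real package names of those apps.
OFFICIAL_PACKAGES = {
    "google": "com.google.android.googlequicksearchbox",
    "instagram": "com.instagram.android",
    "snapchat": "com.snapchat.android",
    "whatsapp": "com.whatsapp",
    "x": "com.twitter.android",
}

ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage(app):
    """Return the reasons this record is suspicious (empty list if none)."""
    reasons = []
    official = OFFICIAL_PACKAGES.get(app["label"].strip().lower())
    if official and app["package"] != official:
        reasons.append(f"label '{app['label']}' but package is {app['package']}, not {official}")
    perms = set(app.get("component_permissions", []))
    if ACCESSIBILITY in perms and DEVICE_ADMIN in perms:
        reasons.append("declares both an accessibility service and a device-admin receiver")
    # Sideloading alone is not a finding; it only sharpens an existing one.
    if reasons and app.get("installer") is None:
        reasons.append("sideloaded (no installer package recorded)")
    return reasons


def flag_suspicious(inventory):
    """Map package name -> reasons, for records with at least one reason."""
    flagged = {}
    for app in inventory:
        reasons = triage(app)
        if reasons:
            flagged[app["package"]] = reasons
    return flagged


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    {"package": "com.whatsapp", "label": "WhatsApp",
     "installer": "com.android.vending", "component_permissions": []},
    {"package": "com.update.sys", "label": "Instagram",
     "installer": None, "component_permissions": [ACCESSIBILITY, DEVICE_ADMIN]},
    {"package": "com.example.notes", "label": "Notes",
     "installer": "com.android.vending", "component_permissions": [DEVICE_ADMIN]},
]

if __name__ == "__main__":
    for pkg, why in flag_suspicious(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```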
Phishing URLs Mimicking Popular Services To Fool Users
The new malware is designed to connect to a command-and-control (C2) server and receive commands to execute, enabling it to access contact lists, SMS messages, call logs and the list of installed apps, open phishing pages in the web browser, and toggle the camera flashlight.
These phishing URLs pose as login pages of popular services such as Facebook, GitHub, Instagram, LinkedIn, Microsoft, Netflix, PayPal, Proton Mail, Snapchat, Tumblr, X, WordPress, and Yahoo.
The development follows warnings from Cyfirma and Broadcom-owned Symantec about a social engineering campaign that uses WhatsApp as a delivery vector to push a new Android malware posing as a defense-related application.
"Upon successful delivery, the application would install itself under the guise of a Contacts application," Symantec said. "Upon execution, the app would request permissions for SMS, Contacts, Storage, and Telephone and subsequently remove itself from view."
Smishing Messages Are Preying On Android Users
It also comes after the discovery of malware campaigns distributing Android banking trojans such as Coper, which can harvest sensitive data and display fake window overlays that deceive users into entering their credentials.
Recently, Finland’s National Cyber Security Centre (NCSC-FI) revealed that smishing messages are being used to direct users toward Android malware that steals banking data. The attack chain uses a technique called telephone-oriented attack delivery (TOAD), in which the SMS messages urge victims to call a number in connection with a debt collection claim.
Once the victim makes the call, the scammer on the other end tells them that the message is fake and that they should install an antivirus app on their phone to protect against the malware. The scammer then asks the victim to click a link sent in a second text message to install the supposed security software, which in reality is malware that steals online banking credentials and ultimately performs unauthorized fund transfers.