Malware Watch - W/E - 9/6/19

Ad-Clicking Apps Found in Google Play (08/31/2019)
Two apps were spotted using a new method to stealthily perform ad-clicking on user devices. A notepad app (Idea Note: OCR Text Scanner, GTD, Color Notes) and a fitness app (Beauty Fitness: daily workout, best HIIT coach) are packed using legitimate packers originally developed to protect the intellectual property of Android applications. The two apps had a collective download count of about 1.5 million. After identifying the apps' behavior, Symantec contacted Google and the apps were removed from the Play store.

Brazilians Spied On by BRATA Android Malware (08/31/2019)
BRATA is an Android remote access tool (RAT) malware family discovered by Kaspersky that appears to target victims exclusively in Brazil. It has been widespread since January, hosted primarily in the Google Play store but also seen in unofficial Android app stores. Once a victim's device is infected, BRATA enables its keylogging feature, enhanced with real-time screen streaming. It abuses Android's Accessibility Service to interact with the other applications installed on the user's device.

Glupteba-Laced Campaign Drops Browser Stealing Malware and Router Exploiter (09/04/2019)
The Glupteba dropper was spotted by Trend Micro in a malicious advertising campaign downloading two previously undocumented components: a browser stealer and an exploiter that targets MikroTik routers. In addition, the Glupteba dropper can retrieve its latest command and control domain from bitcoin transactions. According to Trend Micro's research team, Glupteba still appears to be evolving and adding new capabilities.

Malicious Dropper Found in Popular CamScanner App (08/27/2019)
While analyzing the CamScanner Phone PDF creator app that was available on Google Play, researchers at Kaspersky discovered some troubling features within it. The app bundles an advertising library that contains a malicious dropper component, which an advertiser with nefarious intentions could use to deliver further payloads. Kaspersky considers this dropper to have the characteristics of a Trojan and reported its findings to Google, which has since pulled the app from the Play store. By that point, however, the app had already been installed over 100 million times.

Sophisticated Tactics Spotted in New Social Engineering Toolkit "Domen" (09/03/2019)
A social engineering toolkit called Domen is built around a detailed client-side script that acts as a framework for different fake update templates, customized for both desktop and mobile users in up to 30 languages. Loaded as an iframe from compromised Web sites (most of them running WordPress) and displayed on top of the page as an overlay, it entices victims to install fake updates that instead download the NetSupport remote administration tool. Malwarebytes researchers have provided additional details about the inner workings of Domen.