naxlee.blogg.se

Critical ops google play











The fake survey form will load using the device’s default browser. During analysis of the sample, the app displayed fake survey forms to collect users’ personally identifiable information (PII), such as names, phone numbers, and home addresses, in exchange for gift cards. The module collects specific URLs found in the browser

  • Module “Wpp” can open the browser to access arbitrary URLs. Figure 5.
  • The module named “Icon” hides the app’s icon to prevent the user from uninstalling it.
  • Once downloaded, the first component connects with the C&C server, then decrypts and executes the payload. While the published uploaders of these apps are different, we suspect that the apps came from the same authors since their code is similar. Uploaded on Google Play, the app (detected by Trend Micro as AndroidOS_FraudBot.OPS) tries to be subtle by using lightweight modular downloaders to compromise unknowing users’ gadgets.


    Malicious voice messenger app with thousands of installs recorded

    Behavior

    One of the apps posing as a legitimate voice messenger uploaded on Google Play

    Figure 2.

    All the analyzed samples from the seven identified app IDs have similar coding and behavior, which makes us suspect that the cybercriminals are working on additional modules and will deploy more malicious apps.

    Figure 1.

    While the majority of the fake apps have been taken down, we took one of the apps as an example to show their common behaviors. Infection numbers are not yet critical, but the increase in uploads and user downloads for the remaining live apps calls for continued observation, given their rapid development and distribution in the mobile ecosystem. The modular capabilities of the analyzed samples have been tagged version 1.0, and the cybercriminals may be in the process of adding more features and updates for future malicious activities such as botnet attacks.


    Observed variants of these malicious apps and malware have been deployed one by one since October, with their evolution including evasive techniques and their infection behavior divided into several stages. We noticed several uploaded apps on Google Play posing as legitimate voice messenger platforms, with suspicious automated functions such as automatic pop-ups of fake surveys and fraudulent ad clicks.












