Saturday, June 15, 2024

Android Malware Masquerades as Chrome Browser Reads SMS & Intercepts Emails

Threat actors primarily target remote access and control of victims’ devices by employing deceptive tactics. They often create fake apps or pose as legitimate ones to trick users into downloading malicious software, compromising the targeted devices’ security and privacy. 

This approach allows them to gain unauthorized access, potentially steal sensitive information, or carry out other malicious activities. 

Cybersecurity researchers at K7 Security Labs recently identified Rusty Droid RAT, a stealthy Android malware masquerading as a Chrome browser to read SMS and intercept emails.

The malware masquerades as ‘Chrome’

Technical Analysis

Rusty Droid persists by repeatedly prompting the user to enable Accessibility Service, concealing its icon from the app drawer once granted.

Accessibility permission request (Source – K7 Security Labs)

Before linking to C2, the Rusty Droid malware collects the following data:

  • Contact info
  • Accounts
  • App list

With accessibility permissions, it decrypts ‘LqL.json’ to an executable DEX file and deploys ‘settings.xml’ with the C2 server IP and bot ID.

This Trojan abuses the Android Accessibility Service as a keylogger, stealing victims’ data like passwords, credit card details, and messages and sending it to cybercriminals for identity theft and fraud, with a connection to C2 server “176.111.174[.]191.

Malicious C2 Panel (Source – K7 Security Labs)

This malware can collect keystrokes during user interaction with those applications to steal login information, including cryptocurrency wallet seed phrases, by connecting to a control server to get a list of targeted programs.

Apps Targeted

Here below, we have mentioned all the targeted applications:

  • com.android.vending
  • ar.bapro
  • ar.com.santander.rio.mbanking
  • ar.macro
  • at.spardat.bcrmobile
  • at.volksbank.volksbankmobile
  • au.com.amp.myportfolio.android
  • au.com.bankwest.mobile   
  • au.com.cua.mb   
  • au.com.ingdirect.android   
  • au.com.macquarie.banking   
  • au.com.mebank.banking   
  • au.com.newcastlepermanent   
  • au.com.suncorp.SuncorpBank   
  • com.BOQSecure   
  • com.BankAlBilad   
  • com.CredemMobile   
  • com.EurobankEFG   
  • com.IngDirectAndroid   
  • com.a2a.android.burgan   
  • com.abnamro.nl.mobile.payments   
  • com.adcb.bank   
  • com.advantage.RaiffeisenBank   
  • com.akbank.android.apps.akbank_direkt   
  • com.anz.android.gomoney   
  • com.aol.mobile.aolapp   com.appfactory.tmb   
  • com.bancodebogota.bancamovil   
  • com.bancomer.mbanking   
  • com.bancsabadell.wallet   
  • com.bankaustria.android.olb   
  • com.bankinter.launcher   
  • com.bankinter.portugal.bmb   
  • com.bankofqueensland.boq   
  • com.barclays.android.barclaysmobilebanking   
  • com.barclays.ke.mobile.android.ui   
  • com.bbva.bbvacontigo   
  • com.bbva.netcash   
  • com.bbva.nxt_peru   
  • com.bcp.bank.bcp   
  • com.bendigobank.mobile  
  • com.boubyanapp.boubyan.bank   
  • com.boursorama.android.clients   
  • com.kutxabank.android   
  • com.kuveytturk.mobil   
  • com.latuabancaperandroid 
  • com.caisseepargne.android.mobilebanking   
  • com.cajasur.android   
  • com.cbd.mobile   
  • com.cbq.CBMobile   
  • com.chase.sig.android   
  • com.cibc.android.mobi   
  • com.cic_prod.bad   
  • com.citi.citimobile   
  • com.citibanamex.banamexmobile   
  • com.citibank.mobile.citiuaePAT   
  • com.clairmail.fth   com.cm_prod.bad   
  • com.coinbase.android   
  • com.comarch.mobile.banking.bgzbnpparibas.biznes   
  • com.comarch.security.mobilebanking   
  • com.commbank.netbank   
  • com.csam.icici.bank.imobile   
  • com.db.mm.norisbank   
  • com.db.mobilebanking  
  •  com.db.pbc.miabanca   
  • com.db.pbc.mibanco   
  • com.dib.app   
  • com.discoverfinancial.mobile   
  • com.finansbank.mobile.cepsube   
  • com.finanteq.finance.ca   
  • com.fullsix.android.labanquepostale.accountaccess   
  • com.fusion.banking   
  • com.fusion.beyondbank   
  • com.garanti.cepsubesi   
  • com.getingroup.mobilebanking   
  • com.greater.Greater   
  • com.grppl.android.shell.BOS   
  • com.grppl.android.shell.CMBlloydsTSB73   
  • com.grppl.android.shell.halifax   
  • com.htsu.hsbcpersonalbanking   
  • com.imaginbank.app  
  •  com.infonow.bofa   
  • com.ingbanktr.ingmobil   
  • com.isis_papyrus.raiffeisen_pay_eyewdg   
  • com.itau.empresas   com.kasikorn.retail.mbanking.wap   
  • com.konylabs.capitalone   
  • com.konylabs.cbplpat   
  • Com.magiclick.odeabank   
  • com.moneybookers.skrillpayments   
  • com.mobileloft.alpha.droid

IOCs

IOCs (Source – K7 Security Labs)

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Try a free trial to ensure 100% security.

Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles