Monday, September 9, 2024
HomeAndroidNew Android Malware Mimic As Social Media Apps Steals Sensitive Data

New Android Malware Mimic As Social Media Apps Steals Sensitive Data

Published on

A new RAT malware has been discovered to be targeting Android devices. This malware is capable of executing additional commands compared to other RAT malware.

This malware can also perform phishing attacks by disguising itself as legitimate applications like Snapchat, Instagram, WhatsApp, Twitter, and Google to harvest credentials from the victim.

Sonicwall’s further investigation found that it consists of multiple HTML files in its assets folder, which are duplicate login pages of several legitimate applications.

- Advertisement - EHA

These files will harvest the credentials from users and send them back to the C2 server.

Fraudulent HTML files from the Malware’s asset files (Source: SonicWall)

Android Malware Mimic As Social Media

The infection chain of this malware starts after the malicious application is installed on the victim’s Android devices.

However, when installing the application, it requests Accessibility service and Device admin permission to gain control over the installed device and execute further malicious actions.

The distribution of this malware is still unclear, but researchers speculate that it will be done using traditional social engineering techniques.

After installation, the malware communicates with the C2 server to receive instructions and commands for specific tasks.

The list of commands that are executed by the malware is as follows:

The C2 URL is also found to be embedded in the resource file.

Once the malware receives commands from the C2 server, the malware proceeds to harvest credentials from browsers and other Android applications by displaying a fraudulent login page using the HTML files (phishing).

Fraudulent Login pages displayed by the malware (Source: SonicWall)

When victims enter their credentials in these phishing pages, they are collected and shared with the showTt function.

In addition, the malware collects the list of phone numbers stored on the victim device and attempts to change the device’s wallpaper when a condition is met. 

If the ‘str’ parameter matches the decrypted value to 0, 1, or 2, the condition for changing the wallpaper is related to a specific resource.

The malware also retrieves information about the installed applications from the victim’s device. 

After further analysis of the malware code, the malware also uses the CameraManager to turn on/off the flashlight on the victim’s device.

Furthermore, the malware sends a message to a particular number based on the inputs received from the C2 server.

Code that sends a message to a specific number (Source: SonicWall)

Indicators Of Compromise

  • 0cc5cf33350853cdd219d56902e5b97eb699c975a40d24e0e211a1015948a13d
  • 37074eb92d3cfe4e2c51f1b96a6adf33ed6093e4caa34aa2fa1b9affe288a509
  • 3df7c8074b6b1ab35db387b5cb9ea9c6fc2f23667d1a191787aabfbf2fb23173
  • 6eb33f00d5e626bfd54889558c6d031c6cac8f180d3b0e39fbfa2c501b65f564
  • 9b366eeeffd6c9b726299bc3cf96b2e673572971555719be9b9e4dcaad895162
  • a28e99cb8e79d4c2d19ccfda338d43f74bd1daa214f5add54c298b2bcfaac9c3
  • d09f2df6dc6f27a9df6e0e0995b91a5189622b1e53992474b2791bbd679f6987
  • d8413287ac20dabcf38bc2b5ecd65a37584d8066a364eede77c715ec63b7e0f1
  • ecf941c1cc85ee576f0d4ef761135d3e924dec67bc3f0051a43015924c53bfbb
  • f10072b712d1eed0f7e2290b47d39212918f3e1fd4deef00bf42ea3fe9809c41

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...