Android Trojan On the Google Play Store With Over 500,000 Installs Steals from Notifications

On the Google Play Store, the cybersecurity analysts at Dr.Web have recently witnessed a major tip in trojan infiltration. Not only that even they have also detected one application that has more than 500,000 installs and steals users’ data from the notifications.

The threat actors use these malicious applications that belong to a family of trojan malware to perform several malicious tasks like:-

• Scams
• Data theft
• Financial losses
• Loss of sensitive personal information

Trojans Tracked

Here below we have mentioned all the trojans tracked by the cybersecurity experts at Dr.Web:-

• Android.Spy.4498
• Android.HiddenAds.3018
• Android.HiddenAds.624.origin
• Android.MobiDash.6922
• Android.MobiDash.6929
• Program.FakeAntiVirus.1
• Program.SecretVideoRecorder.1.origin
• Program.KeyStroke.3
• Program.WapSniff.1.origin
• Program.FreeAndroidSpy.1.origin
• Tool.SilentInstaller.14.origin
• Tool.SilentInstaller.6.origin
• Tool.SilentInstaller.13.origin
• Tool.SilentInstaller.7.origin
• Tool.Loic.1.origin
• Adware.AdPush.36.origin
• Adware.SspSdk.1.origin
• Adware.Myteam.2.origin
• Adware.Adpush.16510
• Adware.Adpush.6547

Fake WhatsApp mods

Among the detected Trojan malware, Android.Spy.4498 trojan is the one that is traced with high activity on the Google Play Store. The Android.Spy.4498 trojan is the unofficial modifications (mods) of WhatsApp messenger such as:-

• GBWhatsApp
• OBWhatsApp
• WhatsApp Plus

The threat actors are spreading these fake malicious WhatsApp mods through several mediums like:-

• Social media posts
• Forums
• SEO poisoning

Moreover, it has been also detected that all these above-mentioned malicious mods offer multiple utility features, and here they are:-

• Arabic language support
• Home screen widgets
• Separate bottom bar
• Hide status options
• Call blocking
• Auto-save received media

Other trojans on the Play Store

Along with this trojan, multiple numbers of trojan malware were detected on the Play Store by the experts of Dr.Web security firm. On the Google Play Store, the attackers are spreading threats under the hood of multiple genuine-looking applications.

Types of applications scattered by the threat actors on Google Play Store:-

• Cryptocurrency management apps
• Social benefit aid tools
• Gazprom investment clones
• Photo editors
• A launcher themed after iOS 15

For diverting the stolen money from the victim’s account to the scammer’s bank account, the attacker tricks the user to deposit money for trading in the fake investment apps.

While in the case of other applications, the attackers trick the users into signing up for the costly subscriptions to steal their money.

Here the threat actors abuse the Flurry stat service to seize the notifications from the Google Play Store and the Samsung Galaxy Store apps.

Recommendations

For mitigations, the cybersecurity researchers have recommended:-

• Avoid downloading APK’s from unknown sources.
• Always check user reviews before downloading any applications.
• Be cautious about the permission requested by the apps during the installation.
• Always monitor the battery and internet data consumption.
• Make sure to enable the Google Play Protect.
• Always use a robust mobile security tool.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.