Friday, March 29, 2024

Hacking Group Spies on and Steal Data from Android Users Posing Actress Nude Photos

Security researchers from Trend Micro discovered malicious apps that spies on and steal data from Android users. Malicious apps dubbed as PoriewSpy steals sensitive information from victims’ such as contacts, location, call logs, SMS, and files in SD cards.

Researchers believe these malicious apps were distributed by a hacking group that targets Indian Government officials before and they suspect these malicious built using DroidJack or SandroRAT based on C&C servers.

Attackers used open source projects android-swipe-image-viewer, or Android Image Viewer for malware development and they have added some additional components and the campaign targetting Android users in India.

Malicious Apps Distribution

PoriewSpy pushed automatically from the malicious websites that visited by users and these apps are named after Indian model-actress. Once launched it will turn your phone into an audio recorder.

Also Read Malicious Code in Kids Game Apps on Google Play Pushing Porn Ads – More than 60 Game Apps Infected

If the malicious apps launched it would initially show up with the nude photos of an Indian actress, but later it hides it app icon from user’s sight. Trend Micro published a detailed analysis report.

                                                     Services
AudioRecordMain espionage component
LogServiceFor log collection
RecordServiceAudio record
“When the user calls using an infected device, the malware will start recording the audio, which it saves to /sdcard/ /.googleplay.security/ named as “_VoiceCall_” + currentTime. It can also turn the mobile device into an audio recorder to timely record audio every 60 seconds even when the user is not having a phone call”, Researchers said.

The malware not only records the audio, it is also capable of stealing contacts, SMS, call logs, and location information.

A hacking group behind PoriewSpy built a number of the malicious app using DroidJack and they are disguised as freeCall, BatterySavor, Secure_Comm, and Nexus_Compatability.“In our research, we also found a malicious app, named after an Indian model-actress, which bears similarities to the code of PoriewSpy apps. Created in 2014, we speculate that this is an earlier version of PoriewSpy that also shares the same C&C server with some of the latest ones”, Researchers said.

Command and Control Servers – PoriewSpy

C&C servers for PoriewSpy and DroidJack-built apps based in Germany, France, and the UK. Both of the malware campaigns became active in the same period of time.

C&C IP’s

5[.]189[.]137[.]8
5[.]189[.]145[.]248
93[.]104[.]213[.]217
88[.]150[.]227[.]71
62[.]4[.]2[.]211
draagon[.]ddns[.]net

Mitigations

  • Give careful consideration to the permission asked for by applications.
  • Download applications from trusted sources.
  • Stay up with the latest version.
  • Encrypt your devices.
  • Make frequent backups of important data.
  • Install anti-malware on their devices.
  • Stay strict with CIA Cycle.
Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles