Italy CERT Warns of a New Credential Stealing Android Malware (Security News, January 2021)
Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video.
The malware repeatedly reopens the Settings screen every eight seconds until the user turns on the accessibility and device usage statistics permissions, pressuring the user into granting the extra privileges.
Once the access is provisioned, the malware abuses the permissions to log keystrokes, uninstall apps on the device, make calls, send SMS messages, steal cryptocurrency by redirecting payments made via the Blockchain.com Wallet app, and access two-factor authentication codes from the Google Authenticator app.
In the final step, the malware exfiltrates the captured data, along with system information, to the C2 server, and fetches commands from the server that allow it to launch the Google Authenticator app, steal SMS messages, uninstall apps, open specific URLs, and record audio and video of the screen through WebRTC. What's more, users opening the apps targeted by the malware are shown a phishing page that asks for their username and password, CERT noted, adding that the style of this screen varies from app to app and that it is designed to trick the victim into providing the information.
The exact kind of applications singled out by this malware remains unclear, but the researchers said it could be any app that deals with sensitive data, such as those for banking and messaging.
"Once enabled, a 'dam' opens up. In fact, Android has always had a very permissive policy towards app developers, leaving the ultimate decision to trust an app or not to the end user."
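The abuse described above only works once an accessibility service has been enabled, so the enabled-service list is the artifact a defender can check. As an added example (not code from the article or from CERT), the script below parses the value Android keeps in the Settings.Secure key `enabled_accessibility_services` (readable on a connected device with `adb shell settings get secure enabled_accessibility_services`), which is a colon-separated list of `package/ServiceClass` entries, and reports every service whose package is not on an allowlist. The allowlist, the sample value, the package names and the function name are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from CERT-AGID: a defender-side check
# for the accessibility-service abuse described in the article. Android stores the
# enabled services in the Settings.Secure key "enabled_accessibility_services" as a
# colon-separated list of "package/ServiceClass" entries; this script flags every
# entry whose package is not on an allowlist. The allowlist, the sample value and
# the function name are constructed for the example.

# Constructed allowlist: packages expected to provide accessibility services.
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.settings"

# Print each enabled service whose package is not in ALLOWED_PACKAGES.
# $1: raw setting value, e.g. "pkgA/.Svc:pkgB/.Svc"; "null" means nothing enabled.
flag_unknown_accessibility_services() {
    value="$1"
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r entry; do
        if [ -n "$entry" ]; then
            pkg="${entry%%/*}"            # package name precedes the '/'
            case " $ALLOWED_PACKAGES " in
                *" $pkg "*) ;;            # known package, nothing to report
                *) printf '%s\n' "$entry" ;;
            esac
        fi
    done
    return 0
}

# Constructed sample: TalkBack (legitimate) plus an unknown third-party service.
SAMPLE_VALUE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknown/.AccessService"

# With --device and adb available, read the live value from a connected device;
# otherwise run against the constructed sample.
if [ "${1:-}" = "--device" ] && command -v adb >/dev/null 2>&1; then
    live="$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
    flag_unknown_accessibility_services "$live"
else
    flag_unknown_accessibility_services "$SAMPLE_VALUE"
fi
```

Run without arguments to see the check against the constructed sample, or with `--device` against a phone attached over adb. Legitimate third-party accessibility tools will also be listed until they are added to the allowlist; the point of the check is that an entry nobody can account for is exactly the foothold the article's malware pressures the user into granting.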
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/REYXUNIm2-g/italy-cert-warns-of-new-credential.html
Related news
- Beware: New Vo1d Malware Infects 1.3 Million Android-based TV Boxes Worldwide
- New Android Malware 'Ajina.Banker' Steals Financial Data and Bypasses 2FA via Telegram
- New Vo1d malware infects 1.3 million Android TV streaming boxes
- New Vo1d malware infects 1.3 million Android streaming boxes
- Malware locks browser in kiosk mode to steal Google credentials
- Android malware 'Necro' infects 11 million devices via Google Play
- Necro malware continues to haunt side-loaders of dodgy Android mods
- New Octo Android malware version impersonates NordVPN, Google Chrome
- Necro Android Malware Found in Popular Camera and Browser Apps on Play Store
- TrickMo malware steals Android PINs using fake lock screen