Security News > 2021 > January > Italy CERT Warns of a New Credential Stealing Android Malware
Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video.
The malware repeatedly reopens the Settings screen every eight seconds until the user turns on permissions for accessibility and device usage statistics, thus pressurizing the user into granting the extra privileges.
Once the access is provisioned, the malware exploits the permissions to log keystrokes, uninstall apps on the device, make calls, send SMS messages, steal cryptocurrency by redirecting payments made via Blockchain.com Wallet app, and access two-factor authentication codes from Google Authenticator app.
In the final step, the malware exfiltrates the captured data - along with system information - to the C2 server, in addition to fetching commands from the server that allows it to launch the Google Authenticator app, steal SMS messages, uninstall apps, launch specific URLs, and record audio and video of the screen through WebRTC. What's more, users opening the apps targeted by the malware are displayed a phishing page that asks for their username and password, CERT noted, adding the style of this screen varies from app to app and that it's designed with an intent to trick the victim into providing the information.
The exact kind of applications singled out by this malware remains unclear, but the researchers said it could be any app that deals with sensitive data, such as those for banking and messaging.
"Once enabled a 'dam' opens up. In fact, Android has always had a very permissive policy towards app developers, leaving the ultimate decision to trust an app or not to the end user."
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/REYXUNIm2-g/italy-cert-warns-of-new-credential.html
Related news
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- Android malware "FakeCall" now reroutes bank calls to attackers (source)
- New FakeCall Malware Variant Hijacks Android Devices for Fraudulent Banking Calls (source)
- New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers (source)
- Cyber crooks push Android malware via letter (source)
- Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials (source)
- Google's New Restore Credentials Tool Simplifies App Login After Android Migration (source)
- SpyLoan Android malware on Google play installed 8 million times (source)
- 8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play (source)
- New DroidBot Android banking malware spreads across Europe (source)