UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild
Security News, July 2021
An Android malware family previously observed abusing the platform's accessibility services on the device to hijack user credentials for European banking applications has resurfaced as an entirely new botnet, as part of a renewed campaign that began in May 2021.
Italy's CERT-AGID, in late January, disclosed details about Oscorp, a mobile malware developed to attack multiple financial targets with the goal of stealing funds from unsuspecting victims.
While no new activities were reported since then, it appears that Oscorp may have staged a return after a temporary hiatus in the form of an Android botnet known as UBEL. "By analyzing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple ," Italian cybersecurity company Cleafy said Tuesday, charting the malware's evolution.
Advertised on underground forums for $980, UBEL, like its predecessor, requests intrusive permissions that allow it to read and send SMS messages, record audio, install and delete applications, launch itself automatically after system boot, and abuse Android accessibility services to harvest sensitive information from the device, such as login credentials and two-factor authentication codes, all of which is exfiltrated to a remote server.
Once installed on the device, the malware attempts to register itself as a service and hide its presence from the user, giving it persistence for extended periods of time.
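The permission profile in the two paragraphs above is the most reusable indicator the article gives, so here is a manifest triage check for it. This is an added example, not code from Cleafy, CERT-AGID or The Hacker News. It assumes a decoded, text-form AndroidManifest.xml (the manifest inside an APK is binary XML, so run it through apktool or `aapt2 dump xmltree` first); the package names and both sample manifests are constructed for the example.

```python
"""Triage a decoded AndroidManifest.xml for the UBEL/Oscorp permission profile.

Added example, not the malware's or any vendor's code. Input is text XML;
the two manifests at the bottom are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to UBEL, mapped to the permissions an
# app must request to exercise them (all are real Android permission names).
CAPABILITIES = {
    "read/send SMS": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
    "record audio": {"android.permission.RECORD_AUDIO"},
    "install/delete apps": {
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.REQUEST_DELETE_PACKAGES",
    },
    "auto-start after boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def requested_permissions(root):
    """Names from every <uses-permission android:name=...> element."""
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")} - {None}


def declares_accessibility_service(root):
    """True if a <service> can be bound by the system as an accessibility
    service: guarded by BIND_ACCESSIBILITY_SERVICE and filtering the
    AccessibilityService action. This is the concrete manifest hook behind
    "abuse accessibility services"; without it the app cannot be enabled
    under Settings > Accessibility at all."""
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") != "android.permission.BIND_ACCESSIBILITY_SERVICE":
            continue
        for action in svc.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.accessibilityservice.AccessibilityService":
                return True
    return False


def has_boot_receiver(root):
    """True if a <receiver> listens for BOOT_COMPLETED (restart after reboot)."""
    for rcv in root.iter("receiver"):
        for action in rcv.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED":
                return True
    return False


def triage(manifest_xml):
    """Return the capability flags found and whether they match the profile:
    an accessibility service plus at least two of the other capabilities.
    Any single flag is common in legitimate apps (SMS clients, recorders,
    launchers); the combination is what is rare outside banking malware."""
    root = ET.fromstring(manifest_xml.strip())
    perms = requested_permissions(root)
    flags = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    if has_boot_receiver(root):
        flags.add("auto-start after boot")
    a11y = declares_accessibility_service(root)
    if a11y:
        flags.add("accessibility service")
    return {
        "package": root.get("package"),
        "flags": sorted(flags),
        "suspicious": a11y and len(flags) - 1 >= 2,
    }


# Constructed sample: the profile described in the article (hypothetical package name).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: a benign app that only wants to restart after reboot.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

The threshold is deliberately a combination rather than a single permission: a lone accessibility service is what screen readers declare, and a lone BOOT_COMPLETED receiver is what any messaging app declares. Treat a hit as a reason to pull the APK for analysis, not as a verdict.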
Notably, the operators use WebRTC to interact with the compromised phone in real time. Because the fraudulent transactions are carried out from the victim's own, already-trusted device, this sidesteps the need to enroll a new device and take over the account.