Security News > 2022 > June > SideWinder hackers plant fake Android VPN app in Google Play Store

Another link discovered by Group-IB downloaded from Google Play, the official Android app store, a fake version of the 'Secure VPN' app, which is still present on Google Play at the time of writing and has just over 10 downloads.
The researchers note that the description available for SideWinder's fake Secure VPN app has been copied from the legitimate NordVPN app.
At runtime, the fake Secure VPN app makes a couple of requests to two domains likely owned by the attacker but these were unavailable during the investigation and a request to the root directory redirected to the legitimate NordVPN domain.
The researchers could not confirm the purpose of the fake VPN app or whether it is malicious or not.
SideWinder has used fake apps on Google Play in the past, as shown by past research from Trend Micro.
Their apps are capable to collect a number of parameters on the targeted hosts and send the information back to their C2. Such parameters include: Location, Battery status, Files on device, Installed app list, Device information, Sensor information, Camera information, Screenshot, Account, Wifi information, Data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome.
News URL
Related news
- New North Korean Android spyware slips onto Google Play (source)
- Malicious Android 'Vapor' apps on Google Play installed 60 million times (source)
- Google expands Android AI scam detection to more Pixel devices (source)
- Google Rolls Out AI Scam Detection for Android to Combat Conversational Fraud (source)
- Google Gemini's Astra (screen sharing) rolls out on Android for some users (source)
- North Korean Hackers Disguised as IT Workers Targeting UK, European Companies, Google Finds (source)
- Google fixes Android zero-days exploited in attacks, 60 other flaws (source)
- Google’s Sec-Gemini v1 Takes on Hackers & Outperforms Rivals by 11% (source)
- Google Releases Android Update to Patch Two Actively Exploited Vulnerabilities (source)
- Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks (source)