Security News

Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Thursday disclosed details of a mobile malware strain targeting Android devices used by the Ukrainian military. The malicious software, dubbed Infamous Chisel and attributed to a Russian state-sponsored actor called Sandworm, has capabilities to "Enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information."

Russia's Sandworm crew is using an Android malware strain dubbed Infamous Chisel to remotely access Ukrainian soldiers' devices, monitor network traffic, access files, and steal sensitive information, according to a Five Eyes report published Thursday. Ukraine's security agency spotted and blocked Sandworm's latest campaign earlier this month when the Kremlin-backed cyber goons were attempting to use Infamous Chisel to break into the army's combat data exchange system.

Hackers working for the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, more commonly known as the GRU, have been targeting Android devices in Ukraine with a new malicious framework named 'Infamous Chisel. The malware was first highlighted in a warning from the Ukrainian Security Service earlier this month about efforts from the Sandworm hacking group to penetrate military command systems.

A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud. "The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques, enabling its operators to carry out bank fraud on the victim's device," Trend Micro said.

Cybersecurity researchers have discovered malicious Android apps for Signal and Telegram distributed via the Google Play Store and Samsung Galaxy Store that are engineered to deliver the BadBazaar spyware on infected devices. Slovakian company ESET attributed the campaign to a China-linked actor called GREF. "Most likely active since July 2020 and since July 2022, respectively, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites representing the malicious apps Signal Plus Messenger and FlyGram," security researcher Lukáš Štefanko said in a new report shared with The Hacker News.

A novel Android banking malware named MMRat utilizes a rarely used communication method, protobuf data serialization, to more efficiently steal data from compromised devices. The performance would hinder threat actors from executing bank fraud effectively, which is why MMRat's authors have opted to develop a custom Protobuf protocol for data exfiltration.

A Syrian threat actor named EVLF has been outed as the creator of malware families CypherRAT and CraxsRAT. "These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," Cybersecurity firm Cyfirma said in a report published last week. EVLF is said to be operating a web shop to advertise their warez since at least September 2022.

Threat actors are using Android Package files with unknown or unsupported compression methods to elude malware analysis. "In order to do that, the APK, is using an unsupported decompression method."

Threat actors increasingly distribute malicious Android APKs that resist decompilation using unsupported, unknown, or heavily tweaked compression algorithms. Zimperium, a member of the 'App Defense Alliance' dedicated to identifying and eliminating malware from Google Play, analyzed the decompilation resistance landscape after a Joe Security tweet that showcased an APK that eludes analysis yet runs seamlessly on Android devices.

Gigabud RAT was first documented by Cyble in January 2023 after it was spotted impersonating bank and government apps to siphon sensitive data. While Android devices have the "Install from Unknown Sources" setting disabled by default as a security measure to prevent the installation of apps from untrusted sources, the operating system allows other apps on installed on the device, such as web browsers, email clients, file managers, and messaging apps, to request the "REQUEST INSTALL PACKAGES" permission.