Malware-laced apps are not a new topic, but the surprising fact is that while Android users know about this risk, they still download illegitimate apps from the Play Store. Recently, researchers once again found two new malware campaigns targeting users.
The first campaign involves nine apps that had been downloaded from the Play Store over 470,000 times. These apps presented themselves as utilities for optimizing device performance, but in reality they connected to servers that could download almost 3,000 different malware variants onto targeted devices.
As per the researchers, who revealed the details on Thursday, February 6, the second campaign was found to be using phishing emails to infect Android devices with Anubis, which is arguably one of the nastiest and most resourceful pieces of malware written for the mobile OS.
The malware campaign
It should be mentioned that after the malware-laced app is installed, it can log in to the targeted user's Facebook and Google accounts to perform ad fraud. Once installed, the compromised app connects to an attacker-controlled server, which then downloads other malicious apps; these display ads from legitimate advertising platforms and then simulate users clicking on them.
These malicious apps can also install reward apps from the ad networks and run them in a virtual environment to make them more covert. The malicious activity further includes tricking users into enabling Android accessibility permissions and then using them to disable Play Protect. This capability allows malicious payloads to be downloaded and installed without detection. The apps can also use the accessibility function to post fake reviews and to log in to users' Google and Facebook accounts.
As per security researchers at Trend Micro, the campaign was most active in countries like Japan, Taiwan, the US, India and Thailand, but not in China. Google has removed these apps from the Play Store; if you have installed any of them, you should uninstall them as soon as possible.
Apps participating in this campaign
| App Name | Package Name | Installs |
| --- | --- | --- |
| Shoot Clean-Junk Cleaner,Phone Booster,CPU Cooler | com.boost.cpu.shootcleaner | 10,000+ |
| Super Clean Lite- Booster, Clean&CPU Cooler | com.boost.superclean.cpucool.lite | 50,000+ |
| Super Clean-Phone Booster,Junk Cleaner&CPU Cooler | com.booster.supercleaner | 100,000+ |
| Quick Games-H5 Game Center | com.h5games.center.quickgames | 100,000+ |
| Rocket Cleaner | com.party.rocketcleaner | 100,000+ |
| Rocket Cleaner Lite | com.party.rocketcleaner.lite | 10,000+ |
| Speed Clean-Phone Booster,Junk Cleaner&App Manager | com.party.speedclean | 100,000+ |
| LinkWorldVPN | com.linkworld.fast.free.vpn | 1,000+ |
| H5 gamebox | com.games.h5gamebox | 1,000+ |
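The package names in the table above are the practical hand-off for anyone checking a fleet of devices, and the accessibility-service abuse described earlier leaves a visible trace in device settings. The following POSIX shell script is an added example (not code from the article, Trend Micro or Cofense) that does both checks offline: it compares the output of `adb shell pm list packages` against the nine package names from the table, and it parses the value of `adb shell settings get secure enabled_accessibility_services` to flag any enabled accessibility service whose package is not on an allowlist you supply. The sample device output embedded in the script is constructed for illustration; the `.AccessService` component name is a made-up placeholder, not an identifier from the campaign.

```shell
#!/bin/sh
# Added example, not from the original article: offline triage of a device's
# package list and enabled accessibility services against the article's IoCs.

# The nine package names from the article's table.
KNOWN_BAD_PACKAGES="com.boost.cpu.shootcleaner
com.boost.superclean.cpucool.lite
com.booster.supercleaner
com.h5games.center.quickgames
com.party.rocketcleaner
com.party.rocketcleaner.lite
com.party.speedclean
com.linkworld.fast.free.vpn
com.games.h5gamebox"

# Reads the text of `adb shell pm list packages` on stdin (lines look like
# "package:com.example.app") and prints every installed package that is on
# the known-bad list above.
find_known_bad_packages() {
    sed -n 's/^package://p' | while IFS= read -r pkg || [ -n "$pkg" ]; do
        if printf '%s\n' "$KNOWN_BAD_PACKAGES" | grep -qxF "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Reads the value of `adb shell settings get secure enabled_accessibility_services`
# on stdin. The value is a colon-separated list of component names such as
# "com.example/.SomeService" (or the literal "null" when nothing is enabled).
# Prints the package name of every enabled service whose package is not in the
# newline-separated allowlist passed as $1, e.g. a screen reader you expect.
unexpected_accessibility_services() {
    allow="$1"
    tr ':' '\n' | sed -n 's#/.*##p' | while IFS= read -r pkg || [ -n "$pkg" ]; do
        if [ -n "$pkg" ] && ! printf '%s\n' "$allow" | grep -qxF "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample output standing in for a live `adb shell` session.
SAMPLE_PM_OUTPUT="package:com.android.settings
package:com.party.rocketcleaner
package:com.google.android.gms
package:com.linkworld.fast.free.vpn"

# Constructed sample: a legitimate screen reader plus a service registered by one
# of the listed packages (".AccessService" is a placeholder component name).
SAMPLE_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.party.speedclean/.AccessService"

main() {
    echo "Installed packages matching the article's list:"
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_known_bad_packages
    echo "Enabled accessibility services outside the allowlist:"
    printf '%s' "$SAMPLE_A11Y" | unexpected_accessibility_services "com.google.android.marvin.talkback"
}

main
```

To run it against a real device, replace the two constructed samples with `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services` piped into the same functions; an unexpected accessibility service is worth investigating even when the package is not on this list, since the article's description of the abuse applies to any app granted that permission.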
The second malware campaign
Anubis is a piece of Android malware known for its ingenuity. The campaign uses emails that present targets with an attachment that is ostensibly a billing invoice. On devices that allow installing apps from sources other than the Play Store, a message posing as a Google Protect alert asks for two innocuous permissions.
After the user clicks OK, the app displays Play Protect on the screen and gains 19 permissions, many of them highly sensitive. Security researchers at Cofense, who detected this campaign, suspect the trick works because the fake message overlays and blocks the authentic Android dialog.
However, the capabilities of Anubis include: