Android Malware Combines Info-Stealing & Phishing

Android malware that combines information-stealing and phishing capabilities lurked in Google Play under the guise of legitimate-looking applications; one of them was installed at least 100,000 times.

Camouflaged as utility apps or games, Mobstspy infected devices primarily in India, although its distribution was worldwide, affecting users in 199 countries.

Researchers found a total of six apps in Google Play that hid the malware. Their names are HZPermis Pro Arabe, Flappy Bird, FlashLight, Win7Launcher, Win7imulator, and Flappy Birr Dog.

Stats for most of them showed they were installed up to a hundred times, with two exceptions:
– Win7Launcher, up to 5,000 installations
– Win7imulator, up to half a million installations

Apps that port the Windows theme to an Android phone are bound to enjoy huge popularity.

Phishing for Google & Facebook logins:

The author(s) behind Mobstspy included phishing capabilities that allow it to launch a fake login screen whenever the victim tries to access their Facebook or Google account.

Most users would not see through the forged screen and are likely to fall for the trick. When they enter their username and password for the first time, the malware shows them a failed login attempt; by then, however, the credentials have already been stolen.

Unless users protect their accounts with two-factor authentication (2FA), the accounts are easily compromised this way. Both Facebook and Google support 2FA.

Malware sets sights on all valuable data:

Unlike the run-of-the-mill spyware out there, Mobstspy is interested in a wider range of data present on the compromised devices.

Apart from lifting contacts, call logs and text conversations, it also carries a list of folders in which to search for images and recorded voice conversations stored by different apps.

The content it targets ranges from video, images and audio to documents, and it looks in folders belonging to specific apps such as Messenger, Snapchat, WhatsApp, Viber and call recording apps.

Even the Bluetooth storage location and the phone’s camera and sounds directories are on the list.

The file delivery method:

Malware researchers from Trend Micro identified the command and control servers (C2) where Mobstspy sends all the information: mobistartapp[.]com, coderoute[.]ma, hizaxytv[.]com, and seepano[.]com.

To deliver the information, the malware relied on Firebase Cloud Messaging, a free cloud messaging and notification service for Android, iOS and web apps developed by a Google subsidiary.
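The four C2 domains above are the indicators a defender can act on. The following script is an added example (not code from the article or from Trend Micro) that scans DNS query logs for them: it refangs the "[.]" notation, matches exact domains and their subdomains only (so a look-alike name that merely contains "seepano.com" as a prefix is not flagged), and reports the client that made the query. The log format and the log lines are constructed for the example.

```python
"""Added example: flag DNS queries for the Mobstspy C2 domains named in the article."""
import re
from typing import Dict, Iterable, List, Optional

# Indicators exactly as the article lists them, defanged with "[.]".
MOBSTSPY_C2_DOMAINS = [
    "mobistartapp[.]com",
    "coderoute[.]ma",
    "hizaxytv[.]com",
    "seepano[.]com",
]

# Constructed sample log (not real telemetry) in a simplified dnsmasq-like format:
# "<timestamp> query[<type>] <name> from <client-ip>"
SAMPLE_DNS_LOG = """\
Jan 03 10:12:01 query[A] mobistartapp.com from 10.0.0.15
Jan 03 10:12:02 query[A] fcm.googleapis.com from 10.0.0.15
Jan 03 10:12:05 query[A] cdn.coderoute.ma from 10.0.0.22
Jan 03 10:12:09 query[AAAA] www.example.org from 10.0.0.30
Jan 03 10:12:11 query[A] seepano.com.evil-lookalike.net from 10.0.0.30
Jan 03 10:12:14 query[A] HIZAXYTV.COM from 10.0.0.41
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) query\[(?P<qtype>\w+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)$"
)


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into 'example.com'."""
    return domain.replace("[.]", ".").lower()


def matches_indicator(queried_name: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator the queried name equals or is a subdomain of, else None.

    The check is on the DNS label boundary, not a substring search, so
    'seepano.com.evil-lookalike.net' does not match 'seepano[.]com'.
    """
    name = queried_name.lower().rstrip(".")
    for ioc in indicators:
        base = refang(ioc)
        if name == base or name.endswith("." + base):
            return ioc
    return None


def scan_dns_log(log_text: str, indicators: Iterable[str] = MOBSTSPY_C2_DOMAINS) -> List[Dict[str, str]]:
    """Parse each log line and collect those whose queried name matches an indicator."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not DNS query records
        ioc = matches_indicator(m.group("name"), indicators)
        if ioc:
            hits.append({
                "timestamp": m.group("ts"),
                "client": m.group("client"),
                "queried": m.group("name"),
                "indicator": ioc,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['timestamp']} {hit['client']} -> {hit['queried']} (matches {hit['indicator']})")
```

Note that the query to Google's Firebase Cloud Messaging endpoint in the sample is deliberately left unflagged: because the malware rides on a legitimate Google service, FCM traffic on its own says nothing about infection, and only the attacker-controlled domains are usable as indicators.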

“Once the malicious application is launched, the malware will first check the device’s network availability. It reads and then parses an XML configure file from its C&C server,” the researchers explained in a blog post published yesterday.

The spyware also gathers device-related information that lets the attackers keep track of infected devices and target only specific ones in future campaigns.
