Watch out for this Android spyware, says Microsoft • The Register

Microsoft’s security team has warned that data-stealing spyware disguised as a banking rewards app is targeting Android users.

The malware, which can be controlled remotely by miscreants once a device is infected, appears to be an updated version of malicious Android software first observed in 2021. At that time it was seen stealing from customers of Indian banks. This latest variant has several additional backdoor capabilities and much better obfuscation, allowing it to steal victims’ two-factor authentication (2FA) messages for bank accounts, account login details and personally identifiable information (PII) without being detected, we’re told.

Microsoft’s threat hunters launched their investigation after receiving a text message claiming to be from India’s ICICI Bank Rewards Program. It carried the bank’s logo, warned the recipient that their loyalty points were about to expire, and urged them to click on a malicious link.

Clicking the link downloads a fake banking rewards app, which the Redmond team detects as TrojanSpy:AndroidOS/Banker.O. On launch, it asks the user to enable specific permissions and then requests the user’s credit card details, alongside the other data it is built to steal. One would hope that being prompted for card information would be a red flag for most people.

Using open source intelligence, the security researchers determined that the fake app’s command-and-control (C2) server is used by, or linked to, 75 other malicious Android apps distributed as APK files.

“Some malicious APKs also use the same Indian bank logo as the fake app we investigated, which could indicate actors are constantly generating new versions to continue the campaign,” the researchers noted this week.

Besides calling out malware on Android (an operating system made by rival Google), Microsoft this week also released an out-of-band security update for a spoofing vulnerability in Microsoft Endpoint Configuration Manager.

The hole, tracked as CVE-2022-37972, affects versions 2103 through 2207, and can be exploited to steal sensitive information, according to the US government’s CISA, which urged people to apply the fix.

The bug has a CVSS severity score of 7.5 out of 10, and its details have already been publicly disclosed. Microsoft rates exploitation as “less likely”. However, it is a low-complexity attack that is now public knowledge, so it’s time to patch.

According to Redmond, the fix, KB15498768, will be listed in the Updates and Servicing node of the Configuration Manager console.

After further analysis, Microsoft found that the Android malware uses the MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid components to perform a range of nefarious activities, including intercepting calls; accessing and exfiltrating call logs, messages, contacts and network information; and modifying Android device settings.

These three components also allow the app to keep spying on the victim’s phone and to run in the background without any user interaction.

Although the malicious program can receive and execute a range of commands from its control server, one order in particular, the silent command, which puts the device into silent mode, is especially dangerous because it allows the attacker to receive, steal, and delete messages without alerting the user.

This matters because banking apps often require 2FA, and the code is often sent via SMS. So by switching the phone to silent mode, the miscreants could steal these 2FA messages without the victim’s knowledge, letting them into online banking accounts, once they had gathered all the necessary credentials, and potentially draining the money in them.

According to the Windows giant’s security researchers:

The Microsoft team notes that the spyware encrypts all the data it sends to its remote masterminds and decrypts the scrambled SMS commands it receives. It does this with a combination of Base64 encoding/decoding and AES encryption/decryption routines.

In addition, the malware uses an open source socket library to communicate with its C2 server.

To stop this and other information-stealing malware from wreaking havoc, the security researchers suggest downloading and installing apps only from official app stores. They also note that Android users should keep the “Unknown sources” option disabled, which prevents untrusted sources from installing malware disguised as legitimate apps.

As we’ve said before, it’s nice for Microsoft to point out cybersecurity issues in other people’s code, and raising awareness is good for users, but it’s strange to see Redmond make a song and dance about this sort of thing when it routinely downplays the scores of vulnerabilities it fixes in its own products every month. ®
