The malicious code was loaded into clean and tested applications along with their updates.
Kyiv. Ukraine. Ukraine Gate – April 21, 2021 – Technology
A group of fraudulent apps targeting Android users in Southwest Asia and the Arabian Peninsula has infiltrated Google Play, Google's official store for Android applications. They were downloaded at least 700,000 times before they were discovered and Google removed them, according to a McAfee blog post.
The malware was embedded in photo editors, wallpapers, puzzles, keyboard skins, and other applications. The apps intercepted SMS notifications and then made unauthorized purchases.
Since all applications go through a review process before being listed on Google Play, the scammers submitted a “clean” version of the application for review, and the malicious code was delivered later through updates.
McAfee Mobile Security identifies this threat as Android/Etinu. McAfee continues to track it and is working with Google to remove the malicious apps from Google Play.
The McAfee blog describes how the malware embedded in these applications works. It uses dynamic code loading: encrypted malware files are placed in the application’s resource folder under names such as cache.bin, settings.bin, data.droid, or disguised as seemingly innocuous .png files.
Once downloaded, the malicious files are automatically decrypted and the scheme starts working.
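The hiding technique described above (encrypted payloads parked in the resource folder under innocuous names or image extensions) can be triaged without running the app. The following is an added example, not code from the article or from McAfee: it opens an APK as the zip file it is and flags resources whose extension says "image" but whose bytes carry no image header, and opaque .bin/.droid files whose byte distribution is close to random, as an encrypted blob would be. The file names come from the article; the entropy threshold and the sample APK are constructed for the demo.

```python
"""Heuristic triage of an APK for hidden encrypted resources (added example)."""
import io
import math
import os
import zipfile

# Payload names the article reports for Etinu; a heuristic, not a full signature.
SUSPECT_NAMES = {"cache.bin", "settings.bin", "data.droid"}
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_apk(apk_bytes: bytes) -> list:
    """Return (path, reason) pairs for assets/res entries matching the payload pattern."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(("assets/", "res/")):
                continue
            data = zf.read(info)
            name = os.path.basename(info.filename).lower()
            ext = os.path.splitext(name)[1]
            if ext in MAGIC and not data.startswith(MAGIC[ext]):
                findings.append((info.filename, "image extension but non-image header"))
            elif name in SUSPECT_NAMES or ext in (".bin", ".droid"):
                if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                    findings.append((info.filename, "opaque resource with near-random bytes"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a zip laid out like an APK with benign and suspect entries."""
    random_looking = bytes(range(256)) * 16  # uniform byte distribution, entropy 8.0
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/drawable/icon.png", MAGIC[".png"] + b"\x00" * 64)  # real PNG header
        zf.writestr("res/drawable/bg.png", random_looking)  # ".png" that is not an image
        zf.writestr("assets/cache.bin", random_looking)  # encrypted-looking blob
        zf.writestr("assets/settings.bin", b"theme=dark\n" * 20)  # plain config, low entropy
    return buf.getvalue()
```

A hit is a lead for manual analysis (the decryption routine and what it loads), not proof of malware, since legitimate apps also ship compressed or obfuscated assets.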
The researchers concluded that the fraudsters could obtain the user’s mobile operator, phone number, SMS messages, IP address, country, and other information.
McAfee Mobile Research believes that notification-hijacking threats will continue to evolve. It therefore recommends that users pay special attention to applications that request permissions related to SMS and to listening to notifications. Legitimate photo editing or wallpaper applications simply won’t ask for them, because they are not needed for those apps to work. “If the request seems suspicious, do not accept it,” the company reminds.
Source: Ukrgate