Cybersecurity researchers have identified malicious Android apps posing as Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter) to steal user credentials. According to a recent report, these apps reuse the familiar icons of those services to deceive users into installing them on their devices.
The distribution method for these malicious apps is not yet known. Once installed, the apps request permissions for accessibility services and the device administrator API, which, despite being deprecated, provides system-level administration features. With these permissions, the malware gains control over the device, enabling actions such as data theft and further malware deployment without the user’s awareness.
The malware connects to a command-and-control (C2) server to receive instructions, allowing it to access contact lists, SMS messages, call logs, and installed apps. It can also send SMS messages, open phishing pages in the web browser, and toggle the camera flashlight. The phishing URLs mimic the login pages of popular services like Facebook, GitHub, Instagram, LinkedIn, Microsoft, Netflix, PayPal, Proton Mail, Snapchat, Tumblr, X, WordPress, and Yahoo.
Meanwhile, some cybersecurity companies have warned about a social engineering campaign that uses WhatsApp to spread a new Android malware disguised as a defense-related application. This malware installs itself as a Contacts app, requests permissions for SMS, Contacts, Storage, and Telephone, and then hides itself from view.
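The two patterns above (a brand's icon and label on a foreign package, and an innocuous-looking app that holds both accessibility and device-administrator privileges) can be turned into a simple inventory triage heuristic. The following is an added example, not code from the report or from any vendor; the inventory entries are constructed, and the official package names are the publicly known identifiers for each app.

```python
from dataclasses import dataclass

# Official package names for the brands the report says were impersonated
# (publicly known identifiers; the Google entry is the Google Search app).
OFFICIAL_PACKAGES = {
    "google": "com.google.android.googlequicksearchbox",
    "instagram": "com.instagram.android",
    "snapchat": "com.snapchat.android",
    "whatsapp": "com.whatsapp",
    "x": "com.twitter.android",
}

@dataclass
class InstalledApp:
    package: str
    label: str                   # display name shown under the icon
    accessibility: bool = False  # has an enabled accessibility service
    device_admin: bool = False   # registered as a device administrator

def brand_for_label(label: str):
    """Map a display label to a tracked brand; 'WhatsApp Messenger' still counts."""
    words = label.lower().replace("-", " ").split()
    for brand in OFFICIAL_PACKAGES:
        if brand in words:
            return brand
    return None

def triage(apps):
    """Return (package, severity, reasons) for suspicious apps, highest severity first."""
    findings = []
    for app in apps:
        brand = brand_for_label(app.label)
        impersonates = brand is not None and app.package != OFFICIAL_PACKAGES[brand]
        privileged = app.accessibility or app.device_admin
        reasons = []
        if impersonates:
            reasons.append(f"label looks like {brand} but package is {app.package}")
        if app.accessibility:
            reasons.append("accessibility service enabled")
        if app.device_admin:
            reasons.append("device administrator")
        if impersonates and privileged:
            severity = "high"      # brand lookalike that can also control the device
        elif impersonates or (app.accessibility and app.device_admin):
            severity = "medium"    # lookalike only, or unknown app holding both powers
        else:
            continue
        findings.append((app.package, severity, reasons))
    findings.sort(key=lambda f: {"high": 0, "medium": 1}[f[1]])
    return findings

SAMPLE_INVENTORY = [  # constructed sample, not data from the report
    InstalledApp("com.whatsapp", "WhatsApp"),
    InstalledApp("com.instagram.android", "Instagram", accessibility=True),
    InstalledApp("com.ex.msg.upd", "WhatsApp", accessibility=True, device_admin=True),
    InstalledApp("org.snap.free", "Snapchat Free"),
    InstalledApp("com.vendor.contacts2", "Contacts", accessibility=True, device_admin=True),
]
```

A real deployment would also compare each package's signing certificate against the publisher's known certificate, since package names alone can be spoofed by a sideloaded app.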
In related developments, malware campaigns have been distributing Android banking trojans like Coper, which harvest sensitive information and display fake overlays to trick users into revealing their credentials. Finland’s National Cyber Security Centre (NCSC-FI) recently disclosed that smishing messages are directing users to Android malware that steals banking data. These messages use telephone-oriented attack delivery (TOAD) techniques, urging recipients to call a number and then convincing them to install malware disguised as antivirus software.
NCSC-FI suspects the Android malware strain used in these attacks may be Vultur, which NCC Group has documented as using similar methods to infiltrate devices. Other Android-based malware, such as Tambir and Dwphon, have also been detected recently. Dwphon targets mobile phones from Chinese manufacturers and is primarily aimed at the Russian market, potentially as a result of a supply chain attack.
Kaspersky’s telemetry data shows a 32% increase in the number of Android users attacked by banking malware compared to the previous year, with infections rising from 57,219 to 75,521. Most of these attacks have been reported in Turkey, Saudi Arabia, Spain, Switzerland, and India. Despite a decline in PC banking malware, mobile banking Trojans have seen significant growth in 2023, according to Kaspersky.
To guard against malicious Android apps, users should only download applications from official app stores like Google Play, regularly update their device’s software, and scrutinize app permissions before installation. Utilizing mobile security solutions can help detect and block malicious apps, while enabling two-factor authentication (2FA) adds an extra layer of security to sensitive accounts.