A new Android malware disguises itself as an advanced version.
A new malware has been discovered, which disguises itself as an advanced version of [ ] and targets devices running version [ ] -. The malware is distributed through phishing pages on [ ] that mimic app stores.
According to researchers, a malicious page on [ ] (now deleted) that mimicked [ ] initially provided victims with an implant module called [ ]. This dropper was obfuscated to evade detection and requested permissions that allowed it to identify the apps installed on the victim's device, gain access to storage, and install additional packages.
The implant then extracts and installs the main payload, which requests user permissions to track notifications, clipboard data, text messages, call logs, and more. Once this is done, the user is presented with a screen displaying a login page. The credentials entered on this page ultimately end up in the hands of the malware operators.
The researchers wrote that ultimately, a connection was established with a real-time database, uploading all stolen data in real time and logging the infected devices, assigning them unique identifiers for tracking. In this scenario, the stolen data was only temporarily stored in the database before being deleted (presumably after the attackers checked for valuable information and copied it to another location).
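The dropper and payload described above are characterised by the permission sets they request: package enumeration, package installation and storage access for the implant, then SMS, call-log and notification access for the main payload. The following triage helper is an added example, not code from the original report, that parses an Android manifest and flags the combination; the manifest text is constructed for illustration, and the capability-to-permission mapping and the threshold of three are this example's own assumptions.

```python
"""Manifest triage helper: flag an APK manifest whose declared permissions
match the dropper/payload profile described in the article.
Added example with a constructed manifest; not from the original report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviour from the write-up -> Android permission strings that grant it.
# (Clipboard reads are not permission-gated on Android; an accessibility
# service is the usual proxy for keystroke and clipboard capture.)
CAPABILITIES = {
    "enumerate_installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "install_additional_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "storage_access": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "read_call_log": {"android.permission.READ_CALL_LOG"},
    "read_notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "keystroke_capture": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "boot_tracking": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect permission names from <uses-permission> and from the
    android:permission attribute of <service> elements (listener and
    accessibility services declare their binding permission there)."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm:
            perms.add(perm)
    return perms


def matched_capabilities(perms: set) -> list:
    """Return the sorted list of capability labels the permission set grants."""
    return sorted(cap for cap, names in CAPABILITIES.items() if perms & names)


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Summarise a manifest; 'suspicious' is an assumed threshold, not a verdict."""
    caps = matched_capabilities(declared_permissions(manifest_xml))
    return {"capabilities": caps, "suspicious": len(caps) >= threshold}


# Constructed sample manifests (not real samples from the report).
DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

PAYLOAD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.payload">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".A11ySvc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("dropper", DROPPER_MANIFEST),
                     ("payload", PAYLOAD_MANIFEST),
                     ("benign", BENIGN_MANIFEST)):
        print(label, triage(m))
```

The helper reads the binary-XML-decoded manifest (for example the output of a manifest decoder run on the APK); it is a prioritisation aid for analysts, since legitimate apps can legitimately hold several of these permissions.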
In addition, the malware establishes a persistent [ ] connection with the [ ] endpoint in order to execute various commands in real time. These may include, for example, requests for specific data, immediate upload of data to the [ ] database, loading and running additional payloads, or configuring monitoring parameters.
Additionally, changes in screen activity can be tracked by recording device startup and shutdown events, along with data on active applications and events lasting longer than [ ] milliseconds. The malware also closely monitors all financial transactions in an attempt to intercept confidential data. As a result, the operator receives everything the user types on the keyboard as well as anything dragged or copied to the clipboard, including data inserted automatically by password managers.
Analysts pointed out that the same phishing domain hosted another malicious artifact named [ ], which may be related to a Russian logistics company of the same name. However, the researchers were unable to investigate this further.