Latest mobile malware report indicates device fraud is on the rise


An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the countries most targeted by malware campaigns, even as a mix of new and existing banking Trojans increasingly targets Android devices to conduct on-device fraud (ODF).

Other frequently targeted countries include Poland, Australia, the United States, Germany, the United Kingdom, Italy, France and Portugal.

“The most disturbing leitmotif is the growing interest in on-device fraud (ODF),” Dutch cybersecurity firm ThreatFabric said in a joint report with The Hacker News.

“In the first five months of 2022 alone, there was a more than 40% increase in malware families abusing the Android operating system to perform fraud using the device itself, making it nearly impossible to detect using traditional fraud engines.”


Hydra, FluBot (also known as Cabassous), Cerberus, Octo and ERMAC represent the most active banking Trojans, based on the number of samples observed during the same period.


Accompanying this trend is the constant discovery of new dropper apps on the Google Play Store that pose as productivity and other seemingly useful apps in order to distribute malware:

  • Nano Cleaner (com.casualplay.leadbro)
  • QuickScan (com.zynksoftware.docuscanapp)
  • Chrome (com.talkleadihr)
  • Play Store (com.girltold85)
  • Pocket Screencaster (com.cutthousandjs)
  • Chrome (com.biyitunixiko.populolo)
  • Chrome (Mobile com.xifoforezuma.kebo)
  • BAWAG PSK Security (com.qjlpfydjb.bbycogkzm)

Moreover, on-device fraud – which refers to a stealthy method of initiating rogue transactions from the victim’s own device – made it possible to use previously stolen credentials to log into banking apps and carry out financial transactions.

To make matters worse, banking trojans have been observed constantly updating their capabilities, with Octo devising an improved way to steal credentials from overlay screens even before they are sent.


“This is done in order to be able to obtain credentials even if [the] victim suspected something and closed the overlay without actually pressing the fake ‘login’ on the overlay page,” the researchers explained.

ERMAC, which emerged last September, has received a notable upgrade of its own that allows it to extract seed phrases from various cryptocurrency wallet apps in an automated manner by abusing the Android accessibility service.


The accessibility service has been the Achilles heel of Android in recent years, allowing threat actors to leverage the legitimate API to serve unsuspecting users with fake overlay screens and capture sensitive information.

Last year, Google attempted to address the issue by ensuring that “services designed only to help people with disabilities access their devices or overcome challenges arising from their disability are eligible to be declared accessibility tools.”


But the tech giant is going one step further with Android 13, currently in beta, by restricting accessibility API access for apps that a user has sideloaded from outside an app store, making it more difficult for potentially malicious apps to abuse the service.

However, ThreatFabric indicated that it was able to trivially bypass these limitations via a modified installation process, indicating the need for a more rigorous approach to countering such threats.
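Because the sideloading restriction can be bypassed and the droppers above shipped through the Play Store itself, a defender triaging a device wants to look at which apps actually hold accessibility access. The following added triage helper (not from the report or from ThreatFabric) correlates the enabled accessibility services with each package's installer and with the dropper package names listed above; the `settings` and `pm list packages -i` output formats and the sample output are assumptions constructed for the example.

```python
# Triage helper for the accessibility-service abuse described above: flag
# enabled accessibility services that belong to sideloaded apps or to the
# dropper packages named in the report. Output formats are assumed from
# stock Android tooling ('settings get secure enabled_accessibility_services'
# and 'pm list packages -i') and were not taken from the article.
PLAY_STORE = "com.android.vending"

# Dropper package names as listed in the report
KNOWN_DROPPERS = {
    "com.casualplay.leadbro", "com.zynksoftware.docuscanapp", "com.talkleadihr",
    "com.girltold85", "com.cutthousandjs", "com.biyitunixiko.populolo",
    "com.xifoforezuma.kebo", "com.qjlpfydjb.bbycogkzm",
}

def parse_installers(pm_output):
    """'package:<name>  installer=<pkg|null>' lines -> {name: installer or None}."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name, _, rest = line[len("package:"):].partition(" ")
            inst = rest.strip().split("installer=", 1)[-1] if "installer=" in rest else "null"
            installers[name] = None if inst == "null" else inst
    return installers

def parse_services(settings_output):
    """Colon-separated 'pkg/ServiceClass' components -> list of package names."""
    value = settings_output.strip()
    if not value or value == "null":
        return []
    return [comp.split("/", 1)[0] for comp in value.split(":") if comp]

def triage(settings_output, pm_output):
    """Return {package: reason} for enabled accessibility services worth a look."""
    installers = parse_installers(pm_output)
    findings = {}
    for pkg in parse_services(settings_output):
        if pkg in KNOWN_DROPPERS:
            findings[pkg] = "known dropper package"
        elif installers.get(pkg) != PLAY_STORE:
            findings[pkg] = f"not installed by Play Store (installer={installers.get(pkg)})"
    return findings

# Constructed sample output, not captured from a real device
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.xifoforezuma.kebo/.AccService:com.example.sideloaded/.Svc")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.xifoforezuma.kebo  installer=com.android.vending
package:com.example.sideloaded  installer=null"""
if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_SETTINGS, SAMPLE_PM).items():
        print(f"{pkg}: {why}")
```

Pre-installed system apps also report `installer=null`, so the "not installed by Play Store" finding is a prompt to inspect the package, not a verdict on its own.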

It is recommended that users stick to downloading apps from the Google Play Store, avoid giving unusual permissions to apps that have no purpose in requesting them (for example, a calculator app that requests access to contact lists), and watch out for any phishing attempts to install rogue apps.

The openness of the Android operating system serves both good and bad purposes, the researchers said, as malware continues to abuse legitimate features, while the upcoming restrictions seem to do little to hinder the malicious intent of such apps.
