Android Malware Disguises Itself As WhatsApp, Uber And Google Play

Android users are facing a fresh security scare after FireEye researchers discovered a devious piece of malware that is tricking users into revealing sensitive data such as their banking credentials.

The malware essentially mimics the user interfaces of legitimate apps such as Uber, WhatsApp and Google Play.

Sneaky Malware

The FireEye researchers blogged that they first noticed the malware in Denmark, and then Italy, Germany and Austria.

The malware spread via an SMS phishing scheme that sends a message to a user’s Android phone, for example: “We could not deliver your order. Please check your shipping information here.”

When the user clicks the seemingly legitimate link, the malware is downloaded to their device. It is particularly sneaky, as it runs a background service that keeps track of which app is currently in the foreground on the device.

When the user opens one of the apps it targets, WhatsApp for example, the malware overlays a fake user interface on top of it and prompts them to enter sensitive data such as banking credentials or credit card numbers.

“After landing on the user’s device, the malware launches a process to monitor which app is running in the foreground on the compromised device,” wrote the researchers. “When the user launches a benign app into the foreground that the malware is programmed to target (such as a banking app), the malware overlays a phishing view on top of the benign app.

“The unwary user, assuming that they are using the benign app, will enter the required account credentials, which are then sent to remote C2 servers controlled by threat actors,” the researchers warned.

The researchers detailed the separate campaigns to steal user information in their blog post.

“All five campaigns attempt to steal credentials from various targeted apps,” wrote the researchers. “When the malicious app is started, a background service is triggered to periodically monitor the apps running in the foreground. When the service detects that the foreground app is one of its targeted apps, it overlays a carefully designed phishing view on top of the target app.”
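The behaviour described above, a background service polling the foreground app and drawing a phishing view over a targeted app, leaves a recognisable pattern in device telemetry: an overlay window created by a different package within moments of a target app coming to the foreground. The following detection logic is an added example written for this article, not code from FireEye or from the malware; the line-based event format, the package names `com.example.bank` and `com.fake.parcel.tracker`, and the five-second window are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed telemetry format (assumption): "<timestamp> <kind> <package>",
# where kind is FOREGROUND (app became the foreground app) or OVERLAY
# (package created a window drawn over other apps).
SAMPLE_EVENTS = """\
100 FOREGROUND com.android.launcher3
105 FOREGROUND com.example.bank
106 OVERLAY com.example.bank
200 FOREGROUND com.android.launcher3
230 FOREGROUND com.whatsapp
231 OVERLAY com.fake.parcel.tracker
400 FOREGROUND com.example.bank
401 OVERLAY com.fake.parcel.tracker
500 FOREGROUND com.android.launcher3
505 OVERLAY com.android.systemui
"""

# Apps the overlay malware is said to target (WhatsApp, Uber, Google Play plus
# banking apps); com.example.bank is a constructed stand-in for a banking app.
TARGET_APPS: Set[str] = {"com.example.bank", "com.whatsapp", "com.ubercab", "com.android.vending"}
# Packages legitimately allowed to draw over other apps.
TRUSTED_OVERLAY_SOURCES: Set[str] = {"com.android.systemui"}
# Overlay must follow the target app's foreground switch within this many seconds.
MAX_DELAY = 5


@dataclass(frozen=True)
class Alert:
    ts: int
    target: str       # the benign app that was in the foreground
    overlay_pkg: str  # the package that drew on top of it


def parse_events(text: str) -> List[Tuple[int, str, str]]:
    """Parse the constructed event lines into (timestamp, kind, package) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, pkg = line.split()
        events.append((int(ts), kind, pkg))
    events.sort(key=lambda e: e[0])
    return events


def detect_overlay_phishing(events, targets=TARGET_APPS, trusted=TRUSTED_OVERLAY_SOURCES,
                            max_delay=MAX_DELAY) -> List[Alert]:
    """Flag overlays drawn by a third package shortly after a target app gains the foreground."""
    alerts: List[Alert] = []
    fg_pkg, fg_since = None, None
    for ts, kind, pkg in events:
        if kind == "FOREGROUND":
            fg_pkg, fg_since = pkg, ts
        elif kind == "OVERLAY" and fg_pkg in targets:
            # An app drawing over itself, or a trusted system component, is normal.
            if pkg == fg_pkg or pkg in trusted:
                continue
            if ts - fg_since <= max_delay:
                alerts.append(Alert(ts, fg_pkg, pkg))
    return alerts


def suspicious_packages(alerts: List[Alert], min_targets: int = 2) -> Dict[str, Set[str]]:
    """Packages that overlaid at least min_targets distinct target apps.

    A single overlay might be a false positive; one package covering several
    different targeted apps matches the multi-app behaviour described in the article.
    """
    seen: Dict[str, Set[str]] = {}
    for a in alerts:
        seen.setdefault(a.overlay_pkg, set()).add(a.target)
    return {pkg: targets for pkg, targets in seen.items() if len(targets) >= min_targets}


if __name__ == "__main__":
    found = detect_overlay_phishing(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"t={a.ts}: {a.overlay_pkg} drew over target app {a.target}")
    print("packages overlaying multiple targets:", suspicious_packages(found))
```

On the constructed sample, the bank app drawing over itself and the system UI overlay are ignored, while `com.fake.parcel.tracker` is flagged twice, once over WhatsApp and once over the bank app, and is therefore reported as overlaying multiple targets. In practice the timestamps and overlay events would come from a device management or mobile security agent rather than a text file.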

The FireEye researchers said that Smishing (or SMS phishing) offers a unique vector to infect mobile users.

“The latest Smishing campaigns spreading in Europe show that Smishing is still a popular means for threat actors to distribute their malware,” they wrote. “In addition, threat actors have been using diversified host schemes and different C2 servers, and have been continuously refining their malicious code to keep infecting more users and evade detection.”

They advised Android users not to install apps from outside official app stores, and to take care before clicking any link whose origin is unclear.

Poor Record

Android unfortunately has a very poor reputation when it comes to security. In February, for example, Check Point researchers discovered active Android malware dubbed HummingBad that spreads via malicious online advertisements and seeks to take complete control of a targeted device.

Last September Zscaler discovered a nasty piece of Android ransomware in the form of the Adult Player app. That app had to be obtained from non-Google sites, and offered pornographic videos. But in reality, when it was opened, it secretly took pictures of the user with the phone’s front-facing camera, before locking the device and displaying a demand for $500 (£330).

And last July Zscaler also discovered a malicious application posing as a popular battery monitoring app from the Google Play Store.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
