Google Chrome is the world’s most popular browser, so a “highly dangerous” fraudulent Chrome update that steals personal data, messages, and photos is cause for serious concern.
This article was first published on 2/9 and updated on 2/10.
A surprising new report released by McAfee this week warns Android users not to click on message links that install a supposed Chrome update on their devices. These downloads hide the MoqHao malware, with a nasty twist: a new and, in the researchers’ words, “highly dangerous” technique.
“The malicious activity is automatically initiated while the app is installed,” the researchers wrote. “We are working on implementing mitigations to prevent automatic execution.”
The campaign adds another twist to how MoqHao is distributed through SMS messages. Attackers use short URLs from legitimate shortening services because, as McAfee notes, “short domains are difficult to block because doing so can affect all URLs used by that service. [But] when a user clicks on a link within the message, the URL shortener redirects them to the actual malicious site.”
Once installed, the rogue Chrome update requests extensive permissions, including access to SMS, photos, contacts, and phone functions. It then runs in the background and connects to command-and-control servers that receive data taken from the device and send it commands, which is where the real damage is done.
McAfee attributes this MoqHao (XLoader) campaign to the Roaming Mantis group, a threat actor that typically operates in Asia, but notes that this particular campaign also appears to target users in Europe. English is among the languages built into the campaign, so users in the US are potential targets as well.
New variant installs and runs automatically (image: McAfee)
Look closely and you will see that the message uses Unicode characters to make the fake app’s name look like a legitimate Chrome update. “This technique makes some text appear bold, but the user visually recognizes it as ‘Chrome,’” McAfee said, adding that it “may impact app name-based detection techniques” that compare an app’s displayed name with its package name.
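As an added illustration (not McAfee’s code and not part of the original report), the snippet below shows the detection-side fix for the bold “Chrome” trick: fold styled Unicode letters back to ASCII with NFKC normalization before comparing app labels, strip invisible format characters, and flag labels that mix scripts, which NFKC alone does not catch. The sample labels are constructed for the example, not taken from the campaign.

```python
import unicodedata

# Added example, not McAfee's code or part of the original article. It shows the
# detection-side fix for the "bold Chrome" trick: compare app labels only after
# folding Unicode lookalikes, and flag labels that mix scripts.

EXPECTED_LABEL = "Chrome"


def normalize_label(label: str) -> str:
    """Fold styled Unicode letters to plain text and drop invisible characters.

    NFKC compatibility normalization maps the Mathematical Alphanumeric Symbols
    (U+1D400..U+1D7FF), which render as bold/italic Latin letters, back to ASCII.
    Format characters (category Cf, e.g. zero-width space) are stripped because a
    launcher does not show them but they break exact string comparison.
    """
    folded = unicodedata.normalize("NFKC", label)
    return "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")


def scripts_used(text: str) -> set:
    """Return the set of scripts (LATIN, CYRILLIC, ...) among the letters in text."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def label_lookalike_report(label: str, expected: str = EXPECTED_LABEL) -> dict:
    """Describe how a label relates to the name it appears to imitate."""
    folded = normalize_label(label)
    non_ascii = [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}" for ch in label if ord(ch) > 0x7F]
    spoofs_expected = folded == expected and label != expected
    # NFKC does not fold Cyrillic or Greek lookalikes, so also check for mixed scripts.
    mixed_script = len(scripts_used(folded)) > 1
    return {
        "raw": label,
        "folded": folded,
        "non_ascii": non_ascii,
        "spoofs_expected": spoofs_expected,
        "mixed_script": mixed_script,
        "suspicious": spoofs_expected or mixed_script,
    }


# Constructed sample labels (not taken from any real APK).
SAMPLE_LABELS = [
    "Chrome",                                   # genuine ASCII label
    "\U0001D402hrome",                          # Mathematical Bold capital C + ASCII "hrome"
    "\U0001D402\U0001D421\U0001D42B\U0001D428\U0001D426\U0001D41E",  # fully bold "Chrome"
    "Chro\u200bme",                             # zero-width space hidden inside
    "\u0421hrome",                              # Cyrillic capital Es standing in for Latin C
]


def triage_samples(labels=SAMPLE_LABELS) -> list:
    """Run the report over every sample label."""
    return [label_lookalike_report(label) for label in labels]


if __name__ == "__main__":
    for report in triage_samples():
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{flag:10} raw={report['raw']!r} folded={report['folded']!r} "
              f"non_ascii={report['non_ascii']}")
```

The design point is that a detector should never compare the raw label: the bold variants fold to exactly “Chrome”, which both exposes the spoof and lets the label be matched against the genuine package name, while the Cyrillic variant survives folding and has to be caught by the mixed-script check instead.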
It’s only February, but this is already the third Android malware alert to make headlines this year; I have previously looked at VajraSpy, SpyLoan, and Xamalicious. We have also seen widespread warnings about copycat apps like the one seen here. On this variant in particular, McAfee warns, “This new variant is expected to have a very high impact, as it infects devices simply by being installed without being run.”
“Copycat apps are easy to create,” warns ESET’s Jake Moore. “Downloading and installing malicious apps on your phone can lead to many disasters, including personal data theft, banking information compromise, device performance degradation, intrusive adware, and even spyware that monitors your conversations and messages.”
Permission requests (image: McAfee)
As we’ve said repeatedly this year, the timing here may be even more remarkable than the malware itself. Europe’s Digital Markets Act is forcing significant changes to the apps and platforms we use most, including app stores.
Apple is reluctantly opening iOS to alternative app marketplaces for the first time, and is warning users of the risks. “While these new regulations bring new options to developers, they also bring new risks, and there’s no getting around them,” warned Apple’s Phil Schiller. Malware tops that list of concerns.
Apple’s embrace of third-party stores stands in direct contrast to Google’s security approach, which has always been far less locked down, promoting user choice as a counterweight to security. If Apple can expand its app store options while maintaining security, it will put even more pressure on Android’s security.
In response to McAfee’s report, a Google spokesperson told me that “Android has multiple layers of protection to keep you safe,” and, echoing McAfee’s report, that “Android users are currently protected from this by Google Play Protect, which is turned on by default on Android devices with Google Play services. It can warn users or block apps that are known to exhibit malicious behavior, even if they come from other sources.”
Google also confirmed that it worked with McAfee to address this new malware threat, as McAfee is one of its App Defense Alliance partners.
Updated 2/10:
Given the serious threat posed by users sideloading dangerous apps and updates onto their devices, exactly the type of threat highlighted in the McAfee report, it’s no wonder that Google’s newly announced pilot to stop users installing such apps is attracting attention.
Sideloading continues to be a topic of discussion this year. In the blog post announcing its latest move, Google said, “Keeping users safe in an open ecosystem requires sophisticated defenses, but our data shows that a disproportionate number of malicious actors take advantage of select APIs and distribution channels in this open ecosystem.”
This is exactly what the latest McAfee report confirms. And as we saw with the recent attacks on Apple devices, where malware was hidden inside a fake Visual Studio update, it’s not just Google and Android that face malware disguised as app updates.
As for Android, Google’s warning applies to every Android user who goes outside the Play Store to install apps. Google explains, “Users have the flexibility to download apps from a variety of sources, and the safety of apps may vary depending on the download source.”
To give some idea of the scale of the problem, Google says Google Play Protect’s app scans “identified 515,000 new malicious apps and issued more than 3.1 million warnings or blocks for those apps.” Buyer beware.
The new pilot focuses on financial fraud and is being conducted through a “strategic partnership” with the Cyber Security Authority of Singapore (CSA).
“Cybercriminals continue to invest in sophisticated financial fraud, costing consumers more than $1 trillion,” Google said. To that end, Google says it will “analyze and automatically block the installation of apps that may use sensitive runtime permissions that are frequently exploited for financial fraud” when “a user attempts to install an app from an internet sideloading source (web browser, messaging app, or file manager).”
The high-risk permissions Google identifies and blocks are “frequently exploited by fraudsters to intercept one-time passwords via SMS or notifications, or to spy on on-screen content,” the company states. “Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95% of installations come from internet sideloading sources.”
This is clearly the same class of threat as the self-executing MoqHao malware, which likewise spies on user content and seeks permissions to exploit the device’s SMS and other connectivity features.
During the pilot, Google says, “if a user in Singapore attempts to install an application from an internet sideloading source and one of these four permissions is declared, Play Protect will provide instructions to the user and automatically block the installation.”
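As an added worked example (not Google’s or McAfee’s code and not part of the original article), the script below models the pilot’s rule over an app’s manifest: it collects the permissions declared in AndroidManifest.xml, including the service-bound notification-listener and accessibility permissions that a naive scan of uses-permission entries misses, and blocks the install only when the app comes from one of the internet sideloading sources named above. The article does not list the four permissions; the set used here is my reading of Google’s announcement (receive SMS, read SMS, notification listener, accessibility) and should be treated as an assumption, as should the two constructed manifests.

```python
import xml.etree.ElementTree as ET

# Added example, not Google's or McAfee's code and not part of the original article.
# It models the pilot's decision rule over an app's manifest: block the install when
# the app comes from an internet sideloading source AND declares one of the sensitive
# runtime permissions. The permission set below is not listed in the article; it is
# the author's reading of Google's announcement and should be treated as an assumption.

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

HIGH_RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS, including one-time passcodes",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read notification content, including OTPs",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "observe and control on-screen content",
}

# Install sources the article describes as "internet sideloading sources".
INTERNET_SIDELOAD_SOURCES = {"web_browser", "messaging_app", "file_manager"}


def declared_permissions(manifest_xml: str) -> set:
    """Collect every permission the manifest declares.

    Ordinary permissions appear as <uses-permission android:name=...>. Notification
    listener and accessibility services are declared differently: the <service>
    element carries android:permission="android.permission.BIND_..." so that only
    the system can bind to it. Checking <uses-permission> alone would miss them.
    """
    root = ET.fromstring(manifest_xml)
    perms = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    for service in root.iter("service"):
        bind_permission = service.get(ANDROID_NS + "permission")
        if bind_permission:
            perms.add(bind_permission)
    return perms


def high_risk_permissions(manifest_xml: str) -> dict:
    """Map each declared high-risk permission to the abuse it enables."""
    return {p: HIGH_RISK_PERMISSIONS[p]
            for p in declared_permissions(manifest_xml) if p in HIGH_RISK_PERMISSIONS}


def should_block(manifest_xml: str, install_source: str) -> tuple:
    """Return (block, reasons) following the pilot's rule described in the article."""
    risky = high_risk_permissions(manifest_xml)
    block = install_source in INTERNET_SIDELOAD_SOURCES and bool(risky)
    return block, risky


# Constructed manifests (not from any real APK). The first imitates a fake "Chrome"
# update that wants SMS and notification access; the second is a benign flashlight app.
FAKE_UPDATE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Chrome">
    <service android:name=".NotificationSpy"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

FLASHLIGHT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("fake update", FAKE_UPDATE_MANIFEST), ("flashlight", FLASHLIGHT_MANIFEST)):
        for source in ("messaging_app", "app_store"):
            block, reasons = should_block(manifest, source)
            print(f"{name:11} from {source:14}: {'BLOCK' if block else 'allow'} {sorted(reasons)}")
```

Run it directly to see the fake-update manifest blocked when it arrives from a messaging app but allowed from an app store, and the flashlight manifest allowed from any source. The same permission triage is what the “don’t grant permissions the app doesn’t need” advice later in this article asks users to do by hand.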
As McAfee acknowledged in its own report on MoqHao, “it’s difficult for the average user to spot fake apps with legitimate icons and application names, so users are encouraged to install security software to protect their devices.”
McAfee and other security vendors would naturally like that software to be their own third-party products, but the reality is that the ecosystem itself needs to be the first line of defense. Attacking a user’s device has never been easier.
Still, if your device sits outside Google Play’s defenses, you should consider third-party software such as McAfee’s to keep it safe.
Beyond software defenses, common sense and good practice are required, and the advice to users remains very simple. Never click on links like those seen in this latest campaign, and never install an app directly from a link; this was at the heart of ESET’s copycat app warning. Also, never agree to permission requests that are not core to the app’s stated functionality.
The golden rules for apps and updates are:
- Use the official app store. Don’t use third-party stores, and don’t change your device’s security settings to allow sideloading.
- Check the developer in the app description. Is the developer one you recognize? Then check the reviews to see whether they are genuine or fake.
- Don’t give apps permissions they don’t need. Flashlight and stargazing apps don’t need access to your contacts or phone. Above all, never grant accessibility permissions that enable device control unless they are genuinely necessary.
- Never click a link in an email or message to download an app or update directly. Always use the app store for installations and updates.
- Don’t install apps that claim a link to established apps like WhatsApp unless you know they’re legitimate. Check reviews and what people are saying online.