A new Android malware that impersonates the Google Chrome app has spread to hundreds of thousands of people in the last few weeks, according to researchers. The fake app is being used as part of a sophisticated hybrid cyberattack campaign that also uses mobile phishing to steal credentials.
According to researchers at Pradeo, the attack starts with a basic “smishing” gambit: Targets receive an SMS text asking them to pay “custom fees” to release a package delivery. If they fall for it and click, a message comes up asking them to update the Chrome app.
If they accede to that request, they’re taken to a malicious website hosting the purported app. In reality, it’s the malware, which is downloaded to their phones.
After the supposed “update,” victims are taken to a phishing page that closes the loop on the social engineering: They’re asked to pay a small amount (usually $1 or $2) in a less-is-more approach, which is of course just a front to harvest credit-card details, according to the analysis, issued Monday.
“Attackers know that we’re accustomed to receiving alerts of all types on our smartphones and tablets,” Hank Schless, senior manager of security solutions at Lookout, told Threatpost. “They take advantage of that familiarity to get mobile users to download malicious apps that are masked as legitimate ones.”
By combining an efficient phishing technique, the propagation malware and several security-solutions bypasses, the campaign is particularly dangerous, Pradeo researchers noted.
“The attack could be the work of a regular level but very ingenious cybercriminal,” Pradeo’s Roxane Suau told Threatpost. “All the techniques (code concealment, smishing, data theft, repackaging…) used separately are not advanced, but combined they create a campaign that is hard to detect, that spreads fast and tricks many users.”
The campaign came to light at the beginning of May and has been observed in several European countries, Suau noted. But at the rate it propagates, it could spread far beyond that initial geography.
Fake Chrome App for Viral Propagation
The fake Chrome app is used as a propagation method: Once installed, it sends more than 2,000 SMS messages per week from infected devices, Pradeo found. The messages are sent out on a daily cadence, during certain two- or three-hour blocks, silently in the background. The recipient phone numbers are not taken from the victims’ phone books but appear to follow a sequential pattern, researchers said.
“Every device hosting the malware automatically sends 300 phishing SMS per day,” Suau said. “Every time someone falls victim, it greatly multiplies the propagation.”
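The spraying behaviour described above (hundreds of outbound SMS per day, sent in a two- or three-hour block to sequentially numbered recipients who are not in the phone book) can be turned into a simple detection over an outbound-SMS log. The following is an added example, not Pradeo's or Lookout's code; the log format, the phone book and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed thresholds derived from the article's figures (300 SMS/day, 2-3 hour blocks)
DAILY_LIMIT = 100             # a normal user sends far fewer outbound SMS per day
BURST_WINDOW_SECS = 3 * 3600  # messages went out in two- or three-hour blocks
BURST_SHARE = 0.8             # >= 80% of a day's messages inside one such window
# Constructed sample log ("ISO-timestamp recipient" per outbound SMS): 120 messages
# to sequential numbers within two hours, then two normal texts to known contacts.
SAMPLE_LOG = [f"2021-05-03T{14 + i // 60:02d}:{i % 60:02d}:00 +33600001{100 + i:03d}"
              for i in range(120)]
SAMPLE_LOG += ["2021-05-04T09:15:00 +33611111111", "2021-05-04T18:40:00 +33622222222"]
CONTACTS = {"+33611111111", "+33622222222"}  # constructed phone book

def parse_log(lines):
    return [(datetime.fromisoformat(ts), num) for ts, num in (line.split() for line in lines)]

def is_sequential(numbers, min_run=5):
    """True if at least min_run recipients form a consecutive numeric range."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    run = 1
    for a, b in zip(digits, digits[1:]):
        run = run + 1 if b - a == 1 else 1
        if run >= min_run:
            return True
    return False

def peak_window(times):
    """Largest number of messages falling inside any BURST_WINDOW_SECS span."""
    peak, j = 0, 0
    for i, ts in enumerate(times):
        while (ts - times[j]).total_seconds() > BURST_WINDOW_SECS:
            j += 1
        peak = max(peak, i - j + 1)
    return peak

def analyse(events, contacts):
    """Return {day: stats} for days whose outbound SMS match the spraying pattern."""
    by_day = defaultdict(list)
    for ts, num in events:
        by_day[str(ts.date())].append((ts, num))
    findings = {}
    for day, items in by_day.items():
        items.sort()
        nums = [n for _, n in items]
        unknown = sum(n not in contacts for n in nums) / len(nums)
        burst = peak_window([t for t, _ in items]) / len(items)
        if len(items) > DAILY_LIMIT and unknown >= 0.9 and burst >= BURST_SHARE and is_sequential(nums):
            findings[day] = {"count": len(items), "unknown_share": round(unknown, 2), "burst_share": round(burst, 2)}
    return findings
```

Run `analyse(parse_log(SAMPLE_LOG), CONTACTS)` to see only the spraying day flagged; a device-management or MDM export of sent-message metadata would play the role of `SAMPLE_LOG` in practice.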
Meanwhile, the malware hides on mobile devices by using the official Chrome app’s icon and name, “but its package, signature and version have nothing in common with the official app,” according to the analysis. Suau added that users will end up with two Chrome apps, but one is the fake one.
Potential Follow-On Attacks
Pradeo researchers think that banking fraud and massive phone bills may ensue for victims, in addition to the credential theft.
“There is no premium-number fraud performed at the moment, but as the app loads external code and already asks for the proper permissions to send SMS, it could do it,” Suau said. “I mentioned in the post that users can end up with massive phone bills, because sometimes mobile plans do not include unlimited SMS (which is the case of many corporate phone plans for example).”
She added, “But by calling external code, it could in the future perform more activities such as premium-number fraud, SMS subscription to premium services, or impersonate victims and message their contacts. Users who keep the trojan on their device unknowingly could be further attacked, in different ways.”
For example, an update to the malware could make a few adjustments to its capabilities. “Attackers could easily tell the malware to steal other information on the device or detect when the user is logging into a corporate app or platform where they could steal valuable company data,” Schless said. “For mobile banking users in particular, there’s high risk of encountering a trojanized app. The recent Financial Services Threat Report from Lookout showed that almost 20 percent of mobile banking users were exposed to a trojanized app when trying to log into their accounts.”
Bypassing Cybersecurity Detection
Unfortunately, the campaign goes to lengths to evade mobile-security solutions, according to Pradeo.
Researchers laid out the mix of techniques:
- Sending the phishing SMS from victims’ own phone numbers, so that messaging apps’ spam filters do not block them.
- Using obfuscation techniques and calling external code to hide its malicious behaviors, thereby eluding most threat-detection systems.
- Using native code to conceal malicious activities within the trojanized app.
- As soon as the app is identified and referenced by most antivirus products, the cybercriminal operators simply repackage it with a new signature to go back under the radar.
On the latter point, Pradeo was able to identify two variants of the malicious Chrome imposter.
“When comparing both apps we have analyzed, we see that they are 99 percent identical, with only a few file names that seem to have been changed randomly, and on the other hand their weight is the same,” they explained.
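The repackaging point above (a new signature, and a second variant that is 99 percent identical apart from a few randomly renamed files) is exactly the case that whole-file hashes and signer checks miss and content-level comparison catches. The following is an added example, not Pradeo's analysis tooling: it builds two constructed, in-memory APK-like zip archives, the second being the first with one asset renamed and a different signature block, and compares them by the hash of each entry's bytes rather than by the outer file or its signature.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the first variant. Entry contents are dummy bytes;
# the package name in the manifest is a placeholder, not the real sample's.
BASE = {
    "AndroidManifest.xml": b"<manifest package='com.example.fakechrome'/>",
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "lib/arm64-v8a/libnative.so": b"\x7fELF" + b"B" * 64,
    "assets/cfg.bin": b"C" * 32,
    "META-INF/CERT.RSA": b"signature-block-variant-1",
}
# Second variant: same payload, one randomly renamed file, and a new signature.
VARIANT = dict(BASE)
VARIANT["assets/x9q2.bin"] = VARIANT.pop("assets/cfg.bin")
VARIANT["META-INF/CERT.RSA"] = b"signature-block-variant-2"

def build_apk(entries):
    """Pack a name -> bytes mapping into an in-memory zip (APKs are zip files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def content_hashes(apk_bytes):
    """Map sha256(entry bytes) -> entry name, ignoring the signature block."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("META-INF/"):
                out[hashlib.sha256(z.read(name)).hexdigest()] = name
    return out

def compare(apk_a, apk_b):
    """Whole-file hash match, share of identical payload entries, and renamed pairs."""
    ha, hb = content_hashes(apk_a), content_hashes(apk_b)
    shared = set(ha) & set(hb)
    return {
        "whole_file_match": hashlib.sha256(apk_a).digest() == hashlib.sha256(apk_b).digest(),
        "shared_ratio": len(shared) / max(len(set(ha) | set(hb)), 1),
        "renamed": sorted((ha[h], hb[h]) for h in shared if ha[h] != hb[h]),
    }
```

A blocklist keyed on the inner-entry hashes that `content_hashes` produces survives the re-signing and renaming that defeats a blocklist keyed on the outer APK hash or certificate.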
How to Defend Against Mobile Phishing
In order to avoid infection from a campaign like this, using a mobile-security solution backed by massive datasets of mobile-threat telemetry could help, given that the attackers are relying on repackaging, Schless said.
“Since so much malware is reused, both in part and in whole, datasets that can automatically convict known and unknown malware are key to ensuring coverage for customers,” he said. “Even more importantly, the solution needs to be cloud-based so that coverage for these threats can be pushed to customers immediately without requiring them to lift a finger.”
Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, added that there are steps that individuals can take as well, starting with using good password hygiene and not clicking on random links in text messages.
Also, “set up and create internet-search alerts to check when new accounts using your personal details are created,” he told Threatpost. “This will help identify when criminals are creating accounts using your personal details potentially in an attempt to duplicate your identity.”