Security researchers from FireEye recently uncovered a new piece of Android malware that can mimic the look and feel of app interfaces from the likes of Uber, WhatsApp and Google Play. The malware reportedly struck first in Denmark and is now making its way through a handful of other European countries, including Italy, Germany and Austria.
According to the researchers, the malware is spread via a basic yet cleverly deceptive SMS phishing scheme. When a user receives and then taps an ostensibly legitimate link, the malware is downloaded and begins to monitor which apps are in the foreground and which are running in the background. What happens next is the clever part: when a user opens an app that the “malware is programmed to target”, the software draws a fake user interface over it, with “nearly identical credential input UIs as seen in benign apps.” The malware then asks unsuspecting users to enter sensitive information such as their banking credentials or credit card details.
All the while, victims of this attack believe that the screen in front of them is 100% authentic, because it only sprang into existence once they launched the app they intended to use. All told, the malware is designed to mimic 8 separate apps, including WhatsApp, WeChat, Uber, Facebook, Viber, the Google Play store and more.
Notably, the authors of this particular strain appear to be growing more sophisticated and ambitious now that they are targeting a larger array of popular apps. FireEye’s researchers describe the progression as follows:
For example, later campaigns usually targeted more benign apps than earlier campaigns, focusing on messaging apps, for example, as opposed to banking apps. Also, the malicious apps used in later campaigns are often harder to analyze because obfuscation techniques were adopted to evade detection. In addition, some new functionality was added; in particular, we noticed that more recent samples leveraged reflection to bypass the SMS writing restriction enforced by the App Ops service (introduced in Android 4.3). All of this suggests that threat actors are actively improving their code.
Additionally, the malware authors have begun sending more enticing and seemingly benign links via SMS, with one message stating, “We could not deliver your order. Please check your shipping information here.” In one campaign targeting users in Denmark, a single SMS link generated more than 130,000 clicks.
More information on this particular strain of malware can be viewed via the source link below.