Over the past few months, researchers at Zscaler have found that more than 90 harmful mobile apps have been downloaded over 5.5 million times from the Google Play store. These apps are distributing various types of malware, including the Anatsa banking Trojan.
Zscaler’s blog post from yesterday revealed that the apps, which act as decoys for the malware, consist of PDF and QR code readers, file managers, editors, and translators.
The Anatsa Trojan, also known as Teabot, is a complex Trojan that initially uses seemingly harmless second-stage dropper applications to trick users into installing the payload. Once installed, it utilizes various tactics to secretly gather sensitive banking credentials and financial information.
According to Zscaler, Anatsa is one of the most impactful malwares currently being distributed on Google Play, alongside others such as the Joker fleeceware, the credential-stealing Facestealer, and various types of adware. Zscaler has also detected the Coper Trojan in the mix.
Analysis by Zscaler indicates that the most commonly used apps to conceal malware on the mobile app store are tools similar to those where Anatsa is present, followed by personalization and photography apps.
The behind Anatsa, which can extract data from over 650 financial apps, were previously focused on targeting Android users in Europe. However, Zscaler reports that the malware is now actively targeting banking apps in the US and UK. Additionally, the targets have expanded to financial institutions in more European countries, as well as South Korea and Singapore.
Despite Google’s significant efforts to prevent malicious apps from entering its mobile app store, Anatsa utilizes an attack vector that can bypass these protections, according to Zscaler. It accomplishes this through a dropper technique that makes the initial app appear clean upon installation.
Anatsa was observed to distribute two malicious payloads via apps impersonating PDF and QR code reader applications. These types of apps often attract a large number of installations, further deceiving victims into believing they are genuine.
Anatsa infects a device by using remote payloads retrieved from command-and-control (C2) servers to carry out additional malicious activity. Once installed, it initiates a dropper application to download the next-stage payload.
The researchers noted that the Trojan employs deceptive tactics in its attack vector to avoid detection. It checks the device environment and type before executing, likely to detect sandboxes and analysis environments. It then only loads its third stage and final payload if it determines the coast is clear.
After loading, Anatsa requests various permissions, including SMS and accessibility options, and establishes communication with the C2 server to carry out activities such as registering the infected device and retrieving a list of targeted applications for code injections.
To steal user financial data, Anatsa downloads a target list of financial apps from the C2 and checks if they are installed on the device. It communicates this information back to the C2, which then provides fake login pages for the installed apps to deceive users into providing their credentials, which are then sent back to the attacker-controlled server.
Despite Google’s best efforts, it has been challenging for the company to prevent malicious Android apps from appearing on the Google Play store. Ascriminals continue to develop malware with increasingly evasive tactics, the Zscaler researchers emphasized the importance of organizations implementing proactive security measures to protect their systems and sensitive financial information.
To help corporate mobile users avoid compromise, organizations should adopt a “zero trust” architecture that focuses on user-centric security and ensures that all users are authenticated and authorized before accessing any resources, regardless of their device or location, as advised by the researchers .
Android users can also protect corporate networks by refraining from downloading mobile applications when connected to an enterprise network, or by using appropriate security measures.
Eliminate Malware from Your Android Device
If you have previous experience with a desktop computer, you have likely encountered viruses and malware that can infect your computer, causing relatively various issues. Some viruses are easy to eliminate and only result in a computer slowdown. However, other types of viruses and malware can cause significant harm to a computer and compromise your data.
The best approach to prevent these issues is to use trustworthy antivirus software and take precautionary measures. However, once a virus infiltrates your device, your primary objective should be to remove it as soon as possible.
Similar to desktop computers, Android devices can also fall victim to malware and other forms of viruses. This guide will walk you through the various steps involved in removing malware from Android devices.
What is Malware?
Malware refers to any type of malicious software that infiltrates a computer, network, or computer server. Malware is a broad term that encompasses worms, viruses, and any harmful computer programs. The intent of malware is to directly harm computing devices and gain access to sensitive information, which could include anything from credit card details to the passwords used for bank and social media accounts. While all viruses are considered malware, not every piece of malware is classified as a virus. The three primary types of malware that may infect your Android devices include worms, viruses, and Trojans.
What Is a Worm?
A worm is a piece of malware that spreads from one device to another by replicating itself. Worms are particularly dangerous because they can operate independently and do not require a host file or a hijack code to spread.
What is a Virus?
A virus is a simple computer code that infiltrates a device’s program and forces it to carry out a malicious action that can either damage the device or steal information. Many modern viruses are equipped with a “logic bomb,” which means that the virus will not execute until specific conditions are met. Some viruses are sophisticated, making it challenging to detect them before it’s too late and without expert assistance.
What is a Trojan?
A Trojan is a type of malicious software that the user of the Android device can activate. These programs cannot replicate themselves but can mimic normal functions that the user would likely click on. Once the Trojan is activated, it spreads and begins to damage the device Similar to a regular application, Trojans typically request administrator access. If you click on the “agree” button, the Trojan will have extensive access to your computing device.
What Malware Can Do to Android Phones
After infecting Android phones, malware can carry out numerous actions, as its purpose is to generate revenue for cybercriminals. Malware on Android devices can download malicious applications, open unsafe web pages, send costly SMS text messages, and steal information, including passwords, personal information, location, and contact list.
Once a hacker gains access to your Android device, they can either sell or use your information on the dark web. More complex and sophisticated malware may manifest as ransomware, which can lock your phone and encrypt some of your data and documents. You will then be given time to pay a fee if you want to have your files and data restored.
How Do I Know If My Android Phone Has Malware on It?
While external damage to a phone is easy to identify, malware can cause internal damage that is more challenging to detect. In many cases, malware will consume significant resources on your Android phone, leading to slowdowns and other issues that suggest the presence of malware. Therefore, it is important to determine if your phone has a virus or malware. Here are some indicators that your phone has been infected by malware:
- Your phone has slowed significantly down without an obvious cause.
- Your battery is depleting at a faster rate than usual.
- Applications are taking longer to load.
- The phone is consuming more data than expected.
- Pop-up ads are appearing frequently.
- You notice applications on your phone that you do not remember downloading.
- Your phone bills are higher than they should be.
How Can I Detect Malware on My Android Device?
To identify malware on your Android device, there are several steps you can take, the most important of which is running a standard antivirus scan. There are various antivirus scans and programs available for your phone, both free and paid. Keep in mind that the most expensive antivirus software may not always be the best. Therefore, make sure to choose a program that offers comprehensive functionality rather than just a quick scan feature.
Quick scans can help identify common areas of your device for viruses, while full scans are essential for a thorough check of your Android phone. Relying solely on a quick scan may give you a false sense of security.
How Do I Remove Malware from Android Completely?
After detecting malware on your Android phone, you can eliminate it by following five simple steps.
Step 1: Turn Off Your Phone Immediately and Conduct Research
When you detect malware, turn off your device completely while you conduct research. Turning off the device can prevent the problem from worsening and may prevent the malware from spreading to other networks nearby.
If you know the name of the infected application or program, use this time to research more about it. If you don’t know the name, consider researching the symptoms you’ve observed on another computer. Identifying the infected app is crucial to removing malware from an Android phone.
Step 2: Boot the Phone in Safe Mode or Emergency Mode
Once you have identified the application that needs to be uninstalled, boot your phone in safe mode or emergency mode. Most Android devices allow you to enter safe mode by turning on the device, holding down the power button for a few seconds, and tapping the power-off option.
In safe mode, you should be presented with “power” options such as reboot and safe mode. Activating safe mode is important to prevent the malware from spreading while you uninstall the infected program.
Step 3: Access Device Settings to Locate the Malicious App
While in safe mode, navigate to the “settings” section on your Android phone. You can access this mode by tapping the gear-shaped icon on the screen or searching for the “settings” section on your device. In the settings, scroll down until you find the “apps” option, which you should select. This will display a list of the applications installed on your phone.
Look through the list until you find the infected app that needs to be uninstalled. If the application is a core app, you may not be able to delete it. Instead, you may have the option to disable the app. However, it is unlikely that a core app is the source of a virus or malware.
Step 4: Uninstall the Infected Application
Uninstalling an application is a simple process that begins with selecting the app, which will provide you with options like “force stop,” “force close,” or “uninstall.” Choose the uninstall option to remove the problematic application. In some cases, you may be unable to delete the application properly if your phone has been infected with ransomware.
In such a scenario, the ransomware may have gained access to your administrative settings, preventing the app from being deleted. You can resolve this issue by going to the main settings menu and selecting the “security” section. From there, look for the ” phone device administrators” area, where you should be able to adjust your administrator settings and delete the app.
Step 5: Perform a Factory Reset
If you are willing to part with the current media and content on your Android phone, a factory reset is an effective way to remove malware. This process will eliminate viruses and malware, but more potent malware may survive. A thorough antivirus scan may help detect as much malware as possible.
Step 6: Install Malware Protection
Once you have successfully eliminated the malware, focus on installing malware protection and educating yourself on removing malware from Android devices. Make sure to use a program that can delete unnecessary files, safeguard your data, and scan for viruses. Regularly check for updates to keep the antivirus program equipped with the latest protection.
Advice for Preventing Malware on Your Android Device
Knowing how to eliminate malware from an Android device is useful, but it’s better to keep it from infecting your phone. You can take these simple steps to prevent viruses and other malware from affecting your device:
- Ensure that you invest in reliable and strong security software.
- Avoid clicking on links in text messages or emails that you don’t recognize.
- Keep your software and operating system up to date.
- Use complex passwords.
- Avoid using unsecured WiFi connections. Consider using a VPN when accessing public networks.
- Only download applications from trusted sources such as the Google Play Store.
- Final Remarks
Malware can harm your phone and potentially steal your information if you don’t take proactive measures to remove it once it’s been detected. You can avoid these issues altogether by using robust antivirus software like McAfee Mobile Security, seeking assistance from experts, and staying informed about modern cyber threats and the risks they present.
Do you suspect that your smartphone might be infected with a virus or malicious app? This guide explains how to identify a smartphone virus and also discusses methods for cleaning up your smartphone.
The Issue of Smartphone Viruses & Malware
We’ve all heard about computers and laptops getting infected with viruses. But have you ever considered the possibility of your phone getting a virus?
Currently, globally, six times as many smartphones are sold as computers and laptops. Many people spend more time using a smartphone than a computer. We also use our smartphones for online banking and input personal data such as contacts and payment information. Additionally, smartphones are highly personal devices that collect various data, including GPS location. With all this data stored on a smartphone, it’s no surprise that criminals have been attempting to exploit it.
In recent years, malicious apps have emerged as a concern for smartphone users. There are now apps designed to stealthily steal your personal data, as well as smartphone viruses that use your phone to make premium-rate calls and send text messages.
In general, you can keep your smartphone safe by following some basic security guidelines. Stick to the official app store, avoid jailbreaking your phone, steer clear of pirated software, and double-check app permissions before installing. But what should you do if you suspect your phone has a virus?
Android Users Beware
Currently, it’s estimated that 99% of mobile malware targets Android smartphones. This doesn’t mean that Android is less secure than iOS and Windows Phone; it simply means that Android is more permissive when it comes to installing applications. With iOS and Windows Phone , apps can only be installed from the official app store.
Apps are also reviewed before they are available for download. With Android, apps are not reviewed, and they can be installed from sources outside of Google Play. Therefore, extra caution should be exercised with Android to avoid malicious apps.
As malware mainly affects Android, some of the tips provided in this article are specific to Android devices. However, iOS and Windows Phone users can follow most of the same instructions to identify a malicious application.
How to Avoid Buying Counterfeit Smartphones Loaded with Malware
As high-end smartphones continue to gain popularity, counterfeit smartphones are being imported. They look and feel exactly like the real ones, but they are often filled with malware.
Short Story
I fell for it and purchased a counterfeit Galaxy Note 7 online. The low price should have raised red flags, but I was excited about the “great” deal. They managed to replicate every feature of the Galaxy Note 7. It worked well for a few weeks, but then I noticed that the phone was overheating and downloading unfamiliar apps. Shortly after, I started receiving alerts of login attempts from foreign countries.
Some of my friends and relatives mentioned that I was sending them texts asking for money to be sent via Western Union. They know me well and realized that I wouldn’t make such a request. Unfortunately, a few of them actually sent the money, so I had to reimburse them. I had to change all my passwords, and it was a very stressful situation.
Here’s how to spot a counterfeit smartphone
Don’t purchase a phone without being familiar with the features you should expect from the genuine product. Have a good understanding of the user interface and unique bundled apps. Criminals are skilled at copying, but they still make mistakes.
iPhones are difficult to replicate. The easy way to check if an iPhone is real is to click on the app store icon. If you are taken to the Android store, it’s fake. In case scammers find a way to replicate the app store user interface , search for Apple-exclusive apps such as Keynote, Numbers, and Pages. If you can’t find them, the iPhone is counterfeit.
Android phones are the simplest to replicate. However, a clear sign is the cost. Criminals who sell copied smartphones aim to sell them quickly, so they offer them at a much lower price than the market rate. If you come across a fantastic deal on a new smartphone, question why it is so inexpensive.
While it may be exciting to own the most recent smartphone, some people knowingly purchase counterfeit smartphones just to flaunt them. However, this means you miss out on having a valid warranty. Additionally, your sensitive information could be stolen, and you might even lose friends. It’s just not worth it.
Fortunately, giffgaff offers new and pre-owned smartphones on the giffgaff store, all of which are thoroughly inspected and authenticated. Additionally, the bloggers use and share their honest opinions on the giffgaff blog.
Be cautious of scareware.
Firstly, if you’ve landed on this page after encountering a pop-up message about a virus on your phone, don’t panic. If you’re browsing the internet, it’s likely that you’ve come across fake anti-virus pop -ups (refer to the image below for an example of what a fake pop-up might look like).
If you encounter a virus alert while browsing the internet, it’s probable that your phone is actually safe. You’ve likely encountered scareware: a web-based scam that attempts to convince you that your phone is infected. Do not download any of the software linked from the pop-up; the supposed anti-virus app is likely to be malicious.
Simply close the webpage and restart your smartphone’s web browser. Also, be cautious not to provide any payment details, as they could be used to make fraudulent charges on your account.
After closing the webpage, follow the advice in the remainder of this article. You’ll want to double-check for viruses on your phone. For added peace of mind, you can also use a reputable anti-virus application to scan your phone for viruses (never use the app advertised in the pop-up).
If you’re browsing the internet, you may encounter a scareware scam. You’ll receive a pop-up message stating that your phone is infected. Don’t panic; it’s likely that your phone is actually safe. Close the webpage and follow the advice in the remainder of this article. For additional reassurance, you can also scan your phone with trusted anti-virus software.
Malicious apps have been known to generate revenue by sending premium rate text messages or making premium rate phone calls. It’s always a good idea to review your itemized phone bill to check for unexpected charges. If you notice unusual charges, it’s possible that your smartphone has a virus. Alternatively, you might have unintentionally subscribed to a premium rate text service.
For premium rate numbers in the UK, visit the PhonePayPlus website. PhonePayPlus is the regulator for premium rate telephone services in the UK. You can use their NumberChecker service to look up the company associated with a premium rate number. Either unsubscribe from the service or file a complaint if you believe the charges are related to a virus.
Are you encountering intrusive advertisements (eg pop-up ads and push notifications)?
If you’ve observed intrusive advertisements on your smartphone (eg frequent pop-up messages or push ads appearing in the notification bar), you might have adware on your phone. This doesn’t necessarily mean you have a virus – at best, adware is simply an annoyance, but in some cases, it may also contain malicious code.
Android users experiencing ads in the notification bar can utilize AirPush Detector to identify the problematic app.
NB If you encounter an anti-virus pop-up while browsing the internet, it’s likely scareware. Scareware isn’t directly harmful to your device – simply close the webpage immediately. Avoid clicking on links in the pop-up (refer to the scareware section earlier in this article).
Have your friends received strange texts or emails from your address?
If your friends and family complain about receiving odd text messages from your phone number (eg spam messages), it’s probable that your phone has a virus. A malicious app might be using your phone number to send out spam texts.
For spam emails originating from your address, it’s also possible that your email account has been compromised. Alternatively, there could be a virus on another one of your devices (eg a laptop).
Have new apps suddenly appeared on your phone?
If so, they might have come as an update to existing apps. If you weren’t anticipating the new apps, there’s a possibility that you have a malicious app installed. This malicious app could be downloading new apps in the background.
Are there specific apps using unusually large amounts of data?
Malicious apps often require internet access to communicate with their source. Most smartphone operating systems allow you to view a list of apps that have used the internet and the amount of data they’ve consumed. On Android, navigate to the Settings menu and select ” “Data Usage”. Keep an eye out for apps that seem out of place. For example, if your flashlight app is using the internet, it might be doing more than its intended function.
Also, check the “Wi-Fi Data Usage” tab. Malicious apps are not limited to using 3G for communication; they can also operate solely on Wi-Fi to avoid detection, as many people only monitor mobile data usage.
Have you noticed a significant decrease in battery life after installing a new app?
Viruses can cause an increase in power consumption, leaving a noticeable impact on battery life. If you observe a significant drop in battery life after installing a new app, be cautious. It doesn’t necessarily mean the app is malicious, but it could be buggy or poorly developed. Consider uninstalling the app to improve battery life.
If your phone has been infected by a malicious app, start by checking the list of recently installed apps in Google Play (tap on “All” to sort the apps by date). For each app in the list, conduct a quick review. Watch out for apps with a low number of downloads, consistently low ratings, or negative feedback from other users. If in doubt, uninstall the app to see if it resolves the issue.
If you’ve installed apps from sources other than Google Play, go to Settings > Application Manager to view the full list.
iOS and Windows Phone users should follow similar steps in their respective app stores (iTunes and Windows Phone Marketplace).
Check for Drive-By Downloads (Android only)
In the past, compromised websites have been used to deliver drive-by downloads to Android devices, dropping an APK file in the download folder. If opened, the APK would install a malicious app on your device. Look for .apk files in your smartphone’s download folder to check for drive-by downloads. Do not install any of these apps; delete them immediately and ensure the app is removed from your system.
Use the ‘Permissions Explorer’ App (Android only)
Android users who have identified symptoms of a virus can often pinpoint the problematic app using the Permissions Explorer app (free).
Permissions Explorer displays a complete list of apps on your phone allowed to perform specific activities. To identify the problematic app, match the permissions with the observed malware symptoms. For example, if you’re experiencing unexpected charges for premium-rate text messages, look for apps allowed to send SMS.
Pay attention to apps requesting excessive permissions, such as a flashlight app with access to your phone book. This could indicate that the app is performing additional functions beyond its advertised purpose.
Install an antivirus scanner
There are numerous free antivirus apps available, but I can personally recommend only two: Kaspersky Mobile Antivirus (Android) and Lookout Mobile Security (iOS). These apps provide an additional layer of security for your phone.
Final Thoughts
In this article, we’ve explored ways to determine if your smartphone has a virus. Beware of scareware pop-ups, as they often aim to deceive you into installing fake antivirus software. Instead, look for clear signs such as unfamiliar apps or strange pop-up messages. If you suspect a virus, double-check the recently installed apps. Conduct a permissions audit and perform an antivirus scan.
Malicious applications are widespread and can be extremely annoying by bombarding you with advertisements or stealing your personal information.
Deceptive practices are common with Android malware. For instance, a mobile app named Ads Blocker claimed to eliminate irritating ads from your phone, which tend to pop up and cover your screen at the most inconvenient times. However, users quickly discovered that the app was actually malware designed to display even more ads, as reported by security researchers.
This is just one example of malware that can frustrate Android users by inundating them with ads, for which the creators are paid to display, even when using unrelated apps. Malware often also generates fake clicks on the ads, increasing the profits for the creators.
Nathan Collier, a researcher at internet security company Malwarebytes, who helped identify the fraudulent ad blocker in November, stated, “They’re making money, and that’s the name of the game.”
According to researchers, adware like Ads Blocker is the most prevalent type of malware found on Android devices. An adware infection can make your phone so challenging to use that you may feel inclined to Hulk out and crush it. However, Android malware can do much worse, such as stealing personal information from your phone.
Malware can be disorienting, disrupting your normal phone usage and making you feel uneasy, even if you are unsure of the source of the problem. Additionally, it is quite common. Malwarebytes reported discovering nearly 200,000 instances of malware on their customers’ devices in May and again in June.
So, how can you identify if your phone has malware and prevent it? Here are some insights from mobile malware experts on what you can do.
How malware affects your phone
Mobile malware typically employs one of two methods, as explained by Adam Bauer, a security researcher for mobile security company Lookout. The first type of malware tricks you into granting permissions that allow it to access sensitive information.
This is where the Ads Blocker app comes in, as many of the permissions it requested seemed reasonable for a genuine ad blocker. However, these permissions also allowed the app to operate continuously in the background and display ads to users even when they were using other apps.
The second type of malware exploits vulnerabilities in phones by gaining privilege access to sensitive information through administrators. This reduces the need to prompt users to grant permissions, making it easier for malware to run without being noticed by users.
Indications of malware on your Android phone
If you notice the following occurring, your phone may be infected:
- You constantly see ads, regardless of the app you are using.
- You install an app, but the icon disappears immediately.
- Your battery is depleting much faster than usual.
- You notice unfamiliar apps on your phone.
These signs are cause for concern and require further investigation.
Ransomware on Android phones
Another form of malware is ransomware. Victims typically find their files locked and inaccessible. Usually, a pop-up demands payment in Bitcoin to regain access to the files. According to Bauer, most Android ransomware can only lock files on external storage, such as photos.
What mobile malware can do to your phone
Apart from bombarding you with incessant ads, mobile malware can access private information. Common targets include:
- Your banking credentials
- Your device information
- Your phone number or email address
- Your contact lists
Hackers can utilize this information for various malicious activities. For instance, they can commit identity theft using your banking credentials. The Anubis banking Trojan achieves this by tricking users into granting it access to an Android phone’s accessibility features.
Once the permission is granted, the malware’s activities become completely invisible on the screen, with no indication of any malicious activity as you log into your accounts.
Hackers can also use malware to gather and sell your device and contact information, resulting in an influx of robocalls, texts, and, of course, more ads. Furthermore, they can send links for more malware to everyone in your contacts list.
If you suspect that your information has been caught up in the robocall system, you can explore the options offered by your phone carrier to minimize the annoyance of such calls. For example, T-Mobile, Sprint, and MetroPCS customers have access to Scam Shield , a free app introduced in July.
How to prevent malware on your Android phone
If you suspect your Android device has malware or want to safeguard it, there are specific measures you can implement.
To begin with, ensure that your phone’s software is consistently up to date. Security experts emphasize the importance of keeping your OS and apps updated as one of the most crucial steps to protect your devices and accounts. Upgrading to a current OS version, such as Android 10 or the upcoming Android 11, can address vulnerabilities and restrict access for existing malware. Additionally, updates can prevent malware from functioning in the first place.
Review the permissions granted to your apps. For instance, does a game app have unnecessary permissions such as sending SMS messages? This could be a warning sign. Keep this in mind when installing apps in the future.
Removing apps suspected of being malicious can be challenging. Sometimes, you can revoke an app’s permissions, uninstall the app, and be done with it. However, certain malicious apps may have administrator privileges, requiring additional steps for deletion. If you encounter difficulties removing a specific app, consider researching online for successful removal methods.
Consider using antivirus apps. While these services may impact your phone’s performance and require elevated access to detect malicious behavior, it’s important to choose a trusted option. Opting for the paid version can unlock premium features and minimize advertisements. These apps can alert you to potential malware on your phone and provide customer support when dealing with malware. Consider using well-known programs like Malwarebytes, Norton, Lookout, or Bitdefender to scan your device if you suspect malware is present.
Avoid or uninstall Android apps obtained from third-party app stores. These apps bypass Google’s review process and can more easily introduce malware to your phone. While Google doesn’t catch every malicious app before it reaches your device, sticking to the official Google Play Store provides an additional layer of defense and direct channels to report encountered issues.
Just hours after many people unwrapped new smartphones during the holiday season, a timely reminder of the potential threats and the need for personal responsibility in securing our devices emerge. This underscores the importance of not solely relying on Google and Apple for device security.
Shortly after Android users were alerted to check their devices for the dangerous “SpyLoan” malware-infected apps, a new backdoor called “Xamalicious” has surfaced through multiple apps on Google’s Play Store.
According to McAfee, “Android/Xamalicious trojans are apps related to health, games, horoscope, and productivity.” While Google removed the apps from its store before publication, McAfee warns that “most of these apps are still available for download in third- party marketplaces.”
These apps are designed to deceive users into granting accessibility privileges, allowing them to take control of normally restricted device features. Of all the warnings in this report, this should be of utmost concern.
This marks the second accessibility warning for Android users within a week. The other warning pertains to the resurgence of the “Chameleon” trojan, which manipulates accessibility settings and dynamic activity launches, circumventing Android’s improved “restricted settings,” and potentially compromising a device’s biometric security to steal financial information.
ThreatFabric, which identified this latest iteration, warns that the new Chameleon is a sophisticated Android malware strain. However, it remains harmless unless users grant access for its sophisticated malware to infect their devices.
For Xamalicious, the apps from the Play Store that you should remove right away are listed below. Keep in mind that if an app is banned from the Google Play Store, it doesn’t automatically get deleted from your device. Even though this warning has has been issued while the download numbers are still in the hundreds of thousands, rather than millions, there will likely be many more installations from third-party stores for those who decide to take that risk.
Xamalicious Apps to Remove:
– Essential Horoscope for Android
– 3D Skin Editor for PE Minecraft
– Logo Maker Pro
– Auto Click Repeater
– Count Easy Calorie Calculator
– Sound Volume Extender
– LetterLink
– Numerology: Personal Horoscope & Number Predictions
– Step Keeper: Easy Pedometer
– Track Your Sleep
– Sound Volume Booster
– Astrological Navigator: Daily Horoscope & Tarot
– Universal Calculator
Xamalicious uses a simpler method to gain its privileges, which it then exploits to communicate with its command and control server. Once it’s installed, Xamalicious will send back all the device information needed to assess the likelihood of a successful attack, including hardware, operating system , installed apps, location, and network.
At this point, it will be directed to download and install the malicious code it will use to take over the device or initiate background activity.
While the newly discovered Chameleon variant takes a different approach by presenting itself to users as a Google Chrome app, it still involves the abuse of accessibility privileges to carry out account and device takeovers. This trojan prevents the device from requesting biometric authentication and instead pushes for a PIN, allowing it to steal user account credentials.
“Although the victim’s biometric data remains inaccessible,” ThreatFabric explains, “the trojan forces the device to switch to PIN authentication, thereby bypassing biometric protection entirely.”
The full details of the attack approach can be found in the reports (1,2), but in reality, these specific details are much less important than the social engineering tactics that both trojans rely on to attack devices. In reality, if you’ re likely to grant accessibility privileges to a horoscope or calorie counting app, you’re unlikely to notice other signs of compromise on your smartphone.
As Google warns Android users, “harmful apps might request changes to settings that could put your device or data at risk. To protect you from harmful apps, some device settings may be restricted when you install an app. These settings cannot be changed unless you allow it.”
The solution here is very simple — do not grant such privileges to ANY app unless it’s from a reputable brand like Apple, Google, or Microsoft and logically requires such access, considering your limited movements or senses when using such an app.
Google is more open than Apple when it comes to app permissions on devices and the availability of apps beyond its official store. Its less restrictive approach also means there is more Play Store malware than what is found on Apple’s App Store.
In Google’s view, it comes down to user choice. “We’re trying to strike a balance,” Sundar Pichai explained last month, “We believe in choice.” But with this choice comes responsibility. While this includes being very aware of the access being requested by apps, it also extends to the nature of the apps you allow on your smartphone and, as a result, into your life in general.
My advice to Android users is to regularly check this. In ‘Settings’, go to ‘Privacy’ and then ‘Accessibility Special Access’. Make sure you’re familiar with any app listed, and if not, tap on the app to remove its access.
In the same ‘Settings’ screen, you can also check other permissions you’ve granted. It’s always good practice to do a sweep once in a while — you never know what might have slipped in.
Your smartphone likely has access to your financial accounts, work email, private thoughts, and messages. It knows where you live and work, who you love and who you don’t, even your kids and their schools.
As tempting as it might be to install a flashlight or AI aging app, every app you install increases the risk of compromise. Just take a moment to consider whether you really need the app and, when the app requests access to data and device features, think about what that app truly needs to know.
Zscaler, a security research group, recently announced the discovery of more than 90 malicious Android apps on the Play Store. These apps collectively had over 5.5 million installations and were linked to the ongoing Anatsa malware campaign, which has targeted over 650 apps associated with financial institutions.
By February 2024, Anatsa had infected at least 150,000 devices using various decoy apps, many of which were marketed as productivity software. While the identities of most of the apps involved in this recent attack are unknown, two apps have been identified: PDF Reader & File Manager, and QR Reader & File Manager. At the time of Zscaler’s investigation, these two apps had amassed over 70,000 installations combined.
How these malicious apps infect your phone
Despite Google’s app review process for the Play Store, stealthy malware campaigns like Anatsa can employ a multi-stage payload loading mechanism to evade detection. In essence, these apps pose as legitimate applications and only initiate a covert infection after being installed on the user’s device .
You may believe you are downloading a PDF reader, but once installed and launched, the “dropper” app establishes a connection to a C2 server to retrieve the necessary configurations and strings. Subsequently, it downloads a DEX file containing the malicious code and activates it on your device. Following this, the Anatsa payload URL is downloaded through a configuration file, and the DEX file installs the malware payload, completing the process and infecting your phone.
Fortunately, all identified apps have been removed from the Play Store, and their developers have been banned. However, if you have downloaded these apps, they will remain on your smartphone. If you have either of these two apps on your phone, it is crucial to uninstall them immediately. Additionally, consider changing the passcodes for any banking apps you may have used on your phone to prevent unauthorized access by the threat actors behind Anatsa.
How to avoid malware apps
While malicious developers can be cunning with their attacks, there are certain guidelines you can follow to ascertain the legitimate of an app on the Play Store. Firstly, carefully scrutinize the app’s listing: Examine its name, description, and images. Do they align with the service the developers are promoting? Is the content well-written or riddled with errors? The less professional the appearance, the more likely it is to be fraudulent.
Only download apps from reputable publishers. This is especially important when downloading popular apps, as malware apps may impersonate high-profile apps on various devices. Double-check the developer behind the app to ensure their authenticity.
Also, review the app’s requirements and permissions. It is advisable to avoid anything that requests accessibility, as this is a common method used by malware groups to bypass security measures on newer devices. Other permissions to be cautious of include apps requesting access to your contact list and SMS. If a PDF reader requests access to your contacts, this should raise a red flag.
Additionally, read through the app’s reviews. Be wary of apps with few ratings or those with overly positive reviews that seem suspicious.
The app’s support email address can also provide insight. Many malware apps use a random Gmail account (or other free email account) for their support email. While not every app will have a professional support email, you can usually discern if something seems dubious based on the information provided.
Unfortunately, there is no foolproof method to avoid malware apps unless you refrain from installing apps altogether. However, by being mindful of the apps you install and paying attention to permissions, developers, and other critical information, you can typically discern whether an app is suspicious.
There has been an increase in malware scams targeting Android device users, leading the Singapore Police Force to issue public warnings in recent months.
In some instances, scammers trick victims into clicking on social media posts advertising food items for sale, then persuade them to download a harmful application to complete a purchase.
In another scam variation, certain individuals received unsolicited text messages instructing Android users to download a fake “anti-scam” app.
According to the police advisory, once victims install the app containing malware, the scammers can remotely access the victims’ devices and steal stored passwords.
To address these risks and protect your devices, CNA interviews cyber and mobile security experts to get the answers.
Why are scammers more inclined to target Android users?
According to Mr. Steven Scheurmann, the regional vice president for ASEAN at cybersecurity company Palo Alto Networks, the open nature of the Android platform allows for greater flexibility and customization, making it easier for malicious actors to create and distribute fake app stores or unauthorized apps .
Mr. Scheurmann also highlighted that Android users can download apps from sources other than the official Google Play Store, which increases the likelihood of fraudulent or malicious apps.
Furthermore, the diversity of governance for each type of Android device adds to the complexity of securing the device.
Threat actors are constantly attempting to exploit vulnerabilities in systems.
For example, there has been a surge of malware for the Android platform attempting to impersonate the ChatGPT app, as reported by Palo Alto Networks’ Unit 42.
Does this mean Apple’s operating system is safer?
In contrast, users of Apple’s iOS are only permitted to install approved apps from the official App Store, giving Apple greater control over the apps available to users and reducing the chances of malware being distributed through alternative sources.
However, Mr. Paul Wilcox, the vice president for Asia Pacific and Japan of IT security company Infoblox, cautioned that although iOS does have some security advantages over Android, it does not make the Apple system “bulletproof.”
Agreeing that no system is entirely foolproof, Mr. Scheurmann noted that Palo Alto Networks’ Unit 42 has identified various malware in recent years that were able to bypass the iOS code review process.
User behavior is also crucial in guarding against a potential security breach.
“In fact, from what I have seen, iPhone owners seem to be much more lax in their approach to securing their devices as they believe that iPhones are ‘safe,’ and the likelihood of them installing security software is extremely low,” Mr. Wilcox said.
He added, “The days of any mobile device user feeling impenetrable are over, and all users should embrace the same diligent attitude, not just to online malware, but scammers and fake websites.”
What has Google done to combat malicious apps?
According to a spokesperson, Google does not allow any apps on its Play Store that are deceptive, malicious, or intended to misuse any network, device, or personal data.
Google has also implemented built-in malware protection, Google Play Protect, which uses machine learning models to automatically scan over 100 billion apps on Android devices daily for fraud and malware.
Google Play Protect is automatically enabled.
Additionally, Google stated that in 2022, it prevented 1.43 million policy-violating apps from being published on Google Play through a combination of security features, continued investment in machine learning systems, and its app review process.
“When we find that an app has violated our policies, we take appropriate action,” Google said.
In response to inquiries about addressing links to malicious Android apps on Google’s search engine, the tech company stated that it utilizes automated systems to detect pages containing scammy or fraudulent content and prevent them from appearing in Google Search results.
Leave a Reply