A brand new set of malicious Android apps have been caught posing as app safety scanners on the official Play Retailer to distribute a backdoor able to gathering delicate data.
“These malicious apps urge customers to replace Chrome, WhatsApp, or a PDF reader, but as a substitute of updating the app in query, they take full management of the gadget by abusing accessibility companies,” cybersecurity agency McAfeein an evaluation printed on Monday.
The apps in query have been designed to focus on customers in Brazil, Spain, and the U.S., with most of them accruing wherever between 1,000 to five,000 installs. One other app named DefenseScreen racked up 10,000 installs earlier than it was faraway from the Play Retailer final 12 months.
First documented by Kaspersky in August 2019,(quick for “Brazilian Distant Entry Software Android”) emerged as an Android malware with display screen recording skills earlier than steadily morphing right into a banking trojan.
“It combines full gadget management capabilities with the power to show phishing webpages that steal banking credentials along with skills that enable it seize display screen lock credentials (PIN, Password or Sample), seize keystrokes (keylogger performance), and file the display screen of the contaminated gadget to watch a person’s actions with out their consent,” McAfee researchers Fernando Ruiz and Carlos Castillo mentioned.
The apps that distribute the backdoor alert unsuspecting customers of a safety challenge on their gadgets, prompting them to put in a pretend replace of a particular app (e.g., Google Chrome, WhatsApp, and a non-existent PDF reader app) to handle the issue.
As soon as the sufferer agrees to put in the app, BRATA requests permissions to entry the gadget’s accessibility service, abusing it to seize lock display screen PIN (or password/sample), file keystrokes, take screenshots, and even disable the Google Play Retailer.
By disabling the Play Retailer app, the concept can also be to disable, a characteristic that preemptively runs a security examine on apps earlier than they’re downloaded from the app retailer, and routinely scans Android gadgets for doubtlessly dangerous apps and removes them.
Curiously, new variations of BRATA additionally come geared up with added obfuscation and encryption layers, in addition to transferring a lot of the core performance to a distant attacker-controlled server, in flip permitting the attackers to simply replace the malware and exploit the gadgets they have been put in on whereas staying underneath the radar.
“BRATA is simply one other instance ofthe (ab)use of is and the way, with just a bit little bit of social engineering and persistence, cybercriminals can trick customers into granting this entry to a malicious app and mainly getting complete management of the contaminated gadget,” the researchers concluded.
“By stealing the PIN, Password or Sample, mixed with the power to file the display screen, click on on any button and intercept something that’s entered in an editable area, malware authors can just about get any knowledge they need, together with banking credentials through phishing net pages and even instantly from the apps themselves, whereas additionally hiding all these actions from the person.”