Hundreds of Thousands Download Spyware from Google Play

By: Ionut Arghire

Hundreds of thousands of users ended up with spyware on their devices after downloading seemingly legitimate applications from Google Play, Trend Micro security researchers have discovered. 

Detected as MobSTSPY, the malware, which can gather various information from victims, isn’t new. For distribution, its operators chose to disguise the threat as legitimate Android applications and submit them to Google Play.

Trend Micro discovered a total of six such applications, including FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher, Flappy Bird, and Flappy Birr Dog. Available for download in Google Play in 2018, some of these were downloaded over 100,000 times by users from all over the world.

Once one of these applications has been installed on the victim’s device, the spyware can proceed to steal information such as SMS conversations, call logs, user location, and clipboard items. The malware sends the collected information to the attacker’s server using Firebase Cloud Messaging.

Upon initial execution, the malware checks the device’s network availability, after which it reads and parses an XML configuration file from its command and control (C&C) server. Next, it collects information such as language used on the device, registered country, package name, manufacturer, etc.

The information is then sent to the C&C server for registration purposes. After this step has been completed, the malware waits for the server to send over commands to execute.

Based on the received commands, the spyware can not only steal SMS messages and call logs, but can also retrieve contact lists and files found on the device.

The malware can also perform a phishing attack to gather credentials from the infected device, the security researchers discovered. It can display fake Facebook and Google pop-ups, thus tricking the user into revealing their account details.

After the user provides the credentials, a fake pop-up informs them the log-in was unsuccessful, but at this point the malware has already stolen the credentials.

“Part of what makes this case interesting is how widely its applications have been


Warning Issued Over Fake Cybersecurity Apps on Google Play

By: Tecnósfera

Researchers at ESET Latinoamérica identified 35 fake cybersecurity applications in the Google Play store that promised to detect malicious files but served only to display unwanted advertising.

According to the company, the risk of downloading such tools is that, by imitating basic cybersecurity functions, they can flag malicious applications as legitimate, leaving users exposed to real risks.

Camilo Gutiérrez, head of the Research Laboratory at ESET Latinoamérica, points out that “although these fake security applications do not have the functionality of threats such as ransomware or other types of malware, they display annoying advertising, produce detections that turn out to be false positives and give users a false sense of security, which means that millions of unaware people can easily end up downloading real malicious code disguised in a similar way”.

The analyses also showed that most of the apps did not perform the functions they promised and that the security measures taken to protect the user’s information were not effective enough. For example, they offered the option of setting a password or unlock pattern, supposedly to provide the user with an additional layer of security.

However, Gutiérrez notes that “the main problem is that the important information is not stored securely on the device. Instead of using encryption, which is good practice, these applications store the names of the locked applications and the passwords to unlock them in plain text”.
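The storage weakness Gutiérrez describes, as an added illustration that is not code from ESET or from the apps analysed: the plaintext pattern beside a hardened version that keeps only a random salt and a PBKDF2 hash of the unlock password and checks attempts against it. The class, its method names, and the in-memory map standing in for an on-device key/value store are this example's own assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class AppLockStorage {
    // Stand-in for an on-device key/value store such as SharedPreferences.
    private final Map<String, String> store = new HashMap<>();

    // Weak pattern from the article: the unlock password is written as-is,
    // so anyone able to read the store can read every password.
    public void savePlaintext(String lockedApp, String password) {
        store.put("lock:" + lockedApp, password);
    }

    // Hardened pattern: store a fresh random salt plus a PBKDF2 hash.
    // The password itself never reaches storage.
    public void saveHashed(String lockedApp, char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(password, salt);
        store.put("lock:" + lockedApp,
                  Base64.getEncoder().encodeToString(salt) + ":" +
                  Base64.getEncoder().encodeToString(hash));
    }

    // Verify an unlock attempt; MessageDigest.isEqual is constant-time.
    public boolean verify(String lockedApp, char[] attempt) throws Exception {
        String record = store.get("lock:" + lockedApp);
        if (record == null) return false;
        String[] parts = record.split(":", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, derive(attempt, salt));
    }

    // PBKDF2-HMAC-SHA256, 100k iterations, 256-bit output.
    private static byte[] derive(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                               .generateSecret(spec).getEncoded();
    }
}
```

Reading the store after `saveHashed` yields only salt and hash, so a leaked preferences file no longer reveals the user's unlock passwords, which is the gap the researchers flagged.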


Fake Cryptocurrency Trading Apps Harvest Credentials and Steal Cash

By: sikur


Tara Seals

23 OCT 2017

Hackers are targeting users of the cryptocurrency exchange Poloniex, with two credential-stealing apps that masquerade as official mobile apps for the service.

ESET researchers discovered them on Google Play, built to not only harvest Poloniex login credentials, but also to trick victims into making their Gmail accounts accessible.

“Poloniex is one of the world’s leading cryptocurrency exchanges with more than 100 cryptocurrencies in which to buy and trade,” the researchers said, in a blog. “With all the hype around cryptocurrencies, cyber-criminals are trying to grab whatever new opportunity they can—be it hijacking users’ computing power to mine cryptocurrencies via browsers or by compromising unpatched machines, or various scam schemes utilizing phishing websites and fake apps.”

Both apps work the same way: First, they display a bogus screen requesting Poloniex login credentials, which are then sent on to the attackers. With the logins in hand, attackers can carry out transactions on the user’s behalf, change their settings or even lock them out of their account by changing their password.

The next step is a prompt, seemingly from Google, asking the user to sign in with their Google account “for two-step security check.” The apps then ask for permission to view the user’s email messages and settings, and basic profile info. If the user grants the permissions, the app gains access to their inbox.

