The SonicWall Capture Labs Threat Research team came across a malware campaign that steals device information, payment card details, and Google Authenticator codes from Android devices. The malware borrows the icons of well-known Android apps to mislead users into installing the malicious app on their device. The malicious app may use the following icons:
Fig 1: Malware using famous app icons
We also noticed that most of these malicious apps are fairly new and have only recently been submitted to malware-sharing platforms such as VirusTotal.
The critical permissions requested by these apps are shown below:
After installation, the app asks the victim to enable its accessibility service. Once this is granted, the app can observe and act on everything shown on the screen, and it uses that ability to make itself difficult to uninstall from the device.
Fig 4: Accessibility permission
The malicious application connects to its Command-and-Control (C&C) server and receives commands, which it then executes, as shown in the image below:
In its local "web data" storage it creates a database in which it records the victim's personal information and card details.
Google Authenticator generates one-time codes used as a second factor (2FA): an account protected this way requires a second verification step when the user signs in. This malware bypasses that extra layer by reading the codes directly from the Authenticator screen through the accessibility service it was granted.
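The two accessibility abuses described above (blocking the uninstall flow, and harvesting codes from the Authenticator window) come down to a small decision routine run on every accessibility event. The following Python model of that routine is an added example and is not the malware's code or anything from the SonicWall write-up: it assumes the Google Authenticator package name `com.google.android.apps.authenticator2`, the Android Settings package `com.android.settings`, and a hypothetical display label "System Update" for the malicious app; the events fed to it are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumed package names: Google Authenticator and the Android Settings app.
AUTHENTICATOR_PKG = "com.google.android.apps.authenticator2"
SETTINGS_PKG = "com.android.settings"
# Hypothetical label under which the malicious app appears in Settings.
SELF_LABEL = "System Update"

# Authenticator shows codes as "123 456" or "123456".
OTP_RE = re.compile(r"^\s*(\d{3})\s?(\d{3})\s*$")


@dataclass
class AccessibilityEvent:
    """Model of what an AccessibilityService sees per event: the source
    package, the event type, and the text of the nodes in the window."""
    package: str
    event_type: str
    texts: list = field(default_factory=list)


def extract_otp_pairs(texts):
    """Pair each displayed code with the account label that precedes it in
    the Authenticator list. Returns [(account, code), ...]."""
    pairs = []
    last_label = None
    for t in texts:
        m = OTP_RE.match(t)
        if m:
            pairs.append((last_label, m.group(1) + m.group(2)))
        elif t.strip():
            last_label = t.strip()
    return pairs


def handle_event(event):
    """Decision logic an accessibility-abusing app applies to each event:
    harvest codes when Authenticator is on screen, and press Back whenever
    Settings shows a screen that could uninstall the app. Returns the
    resulting action as a dict (empty when nothing is done)."""
    if event.package == AUTHENTICATOR_PKG and event.event_type in (
        "TYPE_WINDOW_STATE_CHANGED", "TYPE_WINDOW_CONTENT_CHANGED"
    ):
        codes = extract_otp_pairs(event.texts)
        return {"otp": codes} if codes else {}
    if event.package == SETTINGS_PKG:
        joined = " ".join(event.texts).lower()
        if "uninstall" in joined or SELF_LABEL.lower() in joined:
            # On Android this is performGlobalAction(GLOBAL_ACTION_BACK),
            # which dismisses the app-info / uninstall screen.
            return {"action": "GLOBAL_ACTION_BACK"}
    return {}


if __name__ == "__main__":
    # Constructed events, not captured from a real device.
    auth = AccessibilityEvent(AUTHENTICATOR_PKG, "TYPE_WINDOW_CONTENT_CHANGED",
                              ["Google Authenticator", "user@example.com",
                               "123 456", "admin@corp.example", "987654"])
    settings = AccessibilityEvent(SETTINGS_PKG, "TYPE_WINDOW_STATE_CHANGED",
                                  ["App info", "System Update", "Uninstall"])
    print(handle_event(auth))
    print(handle_event(settings))
```

The model makes the defensive point concrete: an accessibility service that can retrieve window content sees the Authenticator codes as plain text, so the only effective mitigations are to refuse the accessibility prompt for apps that have no reason to need it and to review enabled services under Settings > Accessibility.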
The malware also sends the victim's current location to its remote C&C server.
It is also capable of taking screenshots of the victim's device and sending them to the C&C server.
It stores the C&C server's details, the host address (192.168.110.93) and port number (33660), in base64-encoded form.
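Base64-encoding the server address defeats a naive grep for an IP address, but it is a trivial obfuscation to reverse. The helper below, an added example rather than anything from the SonicWall write-up, scans a string table (such as the output of a strings tool or the literals listed by a decompiler) for base64 tokens that decode to an IPv4 host or a port. The string table is constructed; the two encoded values are the host and port quoted above, and the other entries are filler to show what gets rejected.

```python
import base64
import binascii
import ipaddress
import re

# Standard base64 alphabet with optional "=" padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed string table, as a strings tool would list an APK's literals.
SAMPLE_STRINGS = [
    "com.example.update.MainActivity",
    "accessibility_service_config",
    "MTkyLjE2OC4xMTAuOTM=",   # base64("192.168.110.93")
    "MzM2NjA=",               # base64("33660")
    "Tm90QUhvc3Q=",           # base64("NotAHost"): decodes, but is neither
    "MainActivity",           # valid alphabet, decodes to non-printable bytes
    "https://example.invalid/privacy",
]


def try_b64(token):
    """Strictly decode a token; return the text, or None if the token is not
    base64 or does not decode to printable ASCII."""
    if len(token) < 8 or len(token) % 4 or not B64_TOKEN.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def classify(decoded):
    """Label a decoded string as an IPv4 host (with a private-range flag),
    a port number, or other."""
    try:
        addr = ipaddress.IPv4Address(decoded)
        return ("host", str(addr), addr.is_private)
    except ipaddress.AddressValueError:
        pass
    if decoded.isdigit() and 1 <= int(decoded) <= 65535:
        return ("port", int(decoded), None)
    return ("other", decoded, None)


def find_c2_candidates(strings):
    """Scan a string table for base64 tokens that decode to host/port values.
    Hosts are returned as (address, is_private) so lab-only addresses stand out."""
    found = {"host": [], "port": [], "other": []}
    for tok in strings:
        dec = try_b64(tok)
        if dec is None:
            continue
        kind, value, private = classify(dec)
        if kind == "host":
            found["host"].append((value, private))
        else:
            found[kind].append(value)
    return found


if __name__ == "__main__":
    print(find_c2_candidates(SAMPLE_STRINGS))
```

Note what `is_private` reports for this sample: 192.168.110.93 is an RFC 1918 address, so the server configured in the analyzed build is not reachable from the internet. That usually means the sample was built for testing or the address is replaced at runtime, and it is worth keeping in mind before adding the host to network IOCs.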
SonicWall Capture Labs provides protection against this threat via SonicWall Capture ATP with RTDMI.
Indicators of Compromise (IOC):