
New Android Malware Mimics Common Apps

The newest sensation sweeping European nations isn’t quite as fashionable as pantsuits or as tasty as flaky milk chocolate; it is a new piece of Android malware that is gaining ground in countries like Denmark, Italy, Germany, and Austria. This software takes over apps like Uber and Google Play by mimicking their familiar user interfaces and tricking users into inputting confidential information.


This malware spreads through an SMS phishing scheme: text messages carry links that trick recipients into installing it on their devices. These links have become increasingly deceptive, as some messages are as simple as “We could not deliver your order. Please check your shipping information here.” After clicking on the given link, the user has unknowingly given the malware access to monitor and manipulate the device.

Once users have clicked on the link, the malware tracks which apps are used most frequently and which are running in the background. If one of those apps (usually WhatsApp, Uber or Google Play) is launched, the malware overlays a phishing page on top of it and then asks the user to input his/her information. The problem is that the overlay is often “nearly identical” to the original app, so it can be very challenging for users to recognize. The overlay is especially deceptive because the UI screen is only created when the app is launched, emulating the actual app’s appearance in real time. In this way, the malware can convince users to input confidential information, which then gets sent to the command-and-control (C&C) servers.


While mobile banking apps and other financial apps used to be targeted for access to credit cards and other monetary information, the malware is now mimicking more common apps like WhatsApp, WeChat, Uber, Facebook, and Viber. Because the malware is imitating more “benign” apps, people are less likely to suspect that these apps will jeopardize their financial information.

Perpetrators have also used a number of URL shortening services that make the malware harder to detect. FireEye claims that the 30 shortened URLs used to direct users to the malware have been clicked more than 160,000 times. However, the use of these shorteners has made it possible for experts to establish how many different Android devices could possess the malware (Hint: It’s a lot).
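The delivery lure and the shortened links described above lend themselves to a simple triage rule on incoming SMS text. The sketch below is an added example, not code from FireEye or PSafe; the shortener host list, the lure patterns and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: common shortener hosts; the article does not name the services used.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "is.gd", "ow.ly", "t.co"}

# Assumption: patterns modelled on the delivery-failure message quoted in the article.
LURE_PATTERNS = [
    re.compile(r"could not (be )?deliver", re.I),
    re.compile(r"(check|confirm|update) your (shipping|delivery) "
               r"(information|details|address)", re.I),
]

# Matches links with or without a scheme, since SMS links are often written bare.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def extract_hosts(text):
    """Return the lower-cased host of every link found in an SMS body."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url  # give urlsplit a scheme so it parses the host
        host = (urlsplit(url).hostname or "").lower()
        hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts


def triage_sms(text):
    """Classify a message as 'high', 'review' or 'ok' and list the reasons."""
    reasons = []
    if any(h in SHORTENER_HOSTS for h in extract_hosts(text)):
        reasons.append("shortened-url")
    if any(p.search(text) for p in LURE_PATTERNS):
        reasons.append("delivery-lure")
    verdict = {0: "ok", 1: "review"}.get(len(reasons), "high")
    return verdict, reasons


# Constructed sample messages (not taken from any real campaign).
SAMPLES = [
    "We could not deliver your order. Please check your shipping "
    "information here: http://bit.ly/EXAMPLE1",
    "Photos from the weekend tinyurl.com/EXAMPLE2",
    "Lunch at 1? Menu: https://example.com/menu",
    "Your code is 482913. Do not share it.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms), "<-", sms)
```

A shortened link alone only earns a "review", because legitimate senders use shorteners too; it is the combination with the delivery wording that raises the verdict.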

Although this malware is adeptly bypassing Android’s security features, there are a few precautions you can take to make sure that your device is safe. The first is to simply make sure you’re not clicking on links that are from unknown sources or contain vague messages. Be cautious when opening any new text messages or emails. You can also download a supplementary security system, like PSafe Total, for extra assurance that your device is secure. PSafe Total can detect the newest types of malware and give your Android devices unparalleled protection against whatever cybercriminals have in store.

PSafe Newsroom
