Watch out for this Android spyware, says Microsoft • The Register

Microsoft’s security team has warned that data theft spyware disguised as bank rewards apps is targeting Android users.

The malware, which can be remotely controlled by criminals once it has infected a device, appears to be an updated version of nasty Android software first observed in 2021. At the time, it was seen targeting customers of an Indian bank. This latest variant has several additional backdoor features and much better obfuscation, which allows it to steal victims’ two-factor authentication (2FA) messages for bank accounts, account login details, and personally identifiable information (PII) without detection, we were told.

Microsoft’s threat hunters’ investigation began after they received a text message claiming to be from the Indian bank ICICI’s rewards program. It included the bank’s logo, warned the user that their loyalty points were about to expire, and urged them to click on a malicious link.

Clicking the link downloads a fake bank rewards app, which the Redmond team detects as TrojanSpy:AndroidOS/Banker.O. Once installed, it asks the user to enable specific permissions, then asks for the user’s credit card details, which it collects along with whatever other data it has been instructed to steal. Hopefully, the immediate request for card information will be a red flag for most people.

Using open source intelligence, the security researchers determined that the bogus app’s command and control (C2) server is used by, or linked to, 75 other malicious Android applications, distributed as APK files.

“Some of the malicious APKs also use the same Indian bank logo as the fake app we investigated, which could indicate that actors are continually generating new versions to keep the campaign going,” the researchers noted this week.

In addition to reporting on malware for Android, an operating system made by arch-rival Google, Microsoft also this week released an out-of-band security update for a spoofing vulnerability in Microsoft Endpoint Configuration Manager.

The hole, tracked as CVE-2022-37972, affects versions 2103 through 2207 and can be exploited to steal sensitive information, according to the US government’s CISA, which urged people to apply the fix.

The bug received a CVSS severity score of 7.5 out of 10 and its details have already been disclosed publicly. Microsoft says exploitation is “less likely”. However, it’s a publicly known low-complexity attack, so it’s time to patch.

According to Redmond, the fix, KB15498768, will be listed in the Updates and Maintenance node of the Configuration Manager console.

Upon further analysis, Microsoft found that the Android malware uses the MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid functions to conduct a variety of nefarious activities, including intercepting calls; accessing and uploading call logs, messages, contacts and network information; and changing the settings of the Android device.

These three features also allow the app to continue spying on the victim’s phone and run in the background without any user interaction.
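The combination of capabilities just described (reading SMS and call data, an auto-start service, and a broadcast receiver that restarts the app after a reboot) shows up in an APK’s manifest long before any code runs. The following is an added triage example, not Microsoft’s code or anything from the sample it analysed: it parses a decoded AndroidManifest.xml (as produced by apktool, for instance) and flags the permission and component combination a defender would want to review. The manifest text, package name and component names in it are constructed for illustration, and the assumption that such an app requests ACCESS_NOTIFICATION_POLICY to toggle silent mode is mine, not the article’s.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission groups matching the capabilities described in the article:
# SMS/2FA theft, call-log and contact exfiltration, reboot persistence,
# and (assumption) silencing the device via Do Not Disturb control.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
CALL_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
              "android.permission.CALL_PHONE"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SILENT_PERM = "android.permission.ACCESS_NOTIFICATION_POLICY"  # assumption, see lead-in

# Constructed sample manifest mimicking a fake "rewards" app; not the real sample.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rewards">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.ACCESS_NOTIFICATION_POLICY"/>
    <application android:label="Rewards">
        <activity android:name=".MainActivity"/>
        <service android:name=".AutoStartService"/>
        <receiver android:name=".RestartBroadCastReceiverAndroid" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest for contrast: network access only, no receivers.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def _name(elem):
    """Return the android:name attribute of a manifest element (empty if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}name", "")


def triage_manifest(manifest_xml: str) -> dict:
    """Flag the permission/component combination of an SMS-stealing banker."""
    root = ET.fromstring(manifest_xml)
    perms = {_name(p) for p in root.iter("uses-permission")}

    boot_receivers, sms_receivers = [], []
    for recv in root.iter("receiver"):
        actions = {_name(a) for a in recv.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(_name(recv))
        if SMS_ACTION in actions:
            sms_receivers.append(_name(recv))

    findings = {
        "package": root.get("package"),
        "reads_sms": bool(perms & SMS_PERMS) or bool(sms_receivers),
        "reads_call_data": bool(perms & CALL_PERMS),
        "reads_contacts": bool(perms & CONTACT_PERMS),
        "can_silence_device": SILENT_PERM in perms,
        # Persistence needs both the permission and a receiver listening for boot.
        "boot_persistence": BOOT_PERM in perms and bool(boot_receivers),
        "boot_receivers": boot_receivers,
        "sms_receivers": sms_receivers,
    }
    keys = ("reads_sms", "reads_call_data", "reads_contacts",
            "can_silence_device", "boot_persistence")
    findings["score"] = sum(int(findings[k]) for k in keys)
    # SMS access plus reboot persistence is the core banker pattern; anything
    # else with two or more hits gets a human look.
    if findings["reads_sms"] and findings["boot_persistence"]:
        findings["verdict"] = "suspicious"
    elif findings["score"] >= 2:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "ok"
    return findings


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"], result["score"], result["boot_receivers"])
```

This is a heuristic, not a detection signature: a legitimate SMS client will also request RECEIVE_SMS and may register a boot receiver, so "suspicious" means "examine the code and the app's provenance", which for the case in this article would immediately show a rewards app with no business reading anyone's text messages.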

Although the malware can receive and execute a series of commands from its control server, one edict in particular – the silent command, which puts the device into silent mode – is particularly dangerous because it allows the attacker to receive, steal and delete messages without notifying the user.

This is bad because banking apps often require 2FA codes, typically sent via SMS. By switching the phone to silent mode, criminals can steal these 2FA messages without the victim’s knowledge, allowing them to access online bank accounts – once they have all the necessary credentials – and potentially drain them of money.

According to security researchers from the Windows giant:

Microsoft’s team notes that the spyware encrypts all data it sends to its remote operators and decrypts the encrypted SMS commands it receives. It uses a combination of Base64 encoding/decoding and AES encryption/decryption for this.

Furthermore, the malware uses the socket.io open source library to communicate with its C2 server.

To prevent this and other information-stealing malware from causing chaos, the security researchers suggest downloading and installing apps only from official app stores. They also note that Android users can keep the “Unknown Sources” option disabled, which stops untrusted sources from installing malware disguised as legitimate apps.

As we’ve said before, it’s nice that Microsoft is highlighting cybersecurity issues in other people’s code – raising awareness is good for users – but it’s odd to see Redmond make a song and dance about this sort of thing when it routinely downplays the severity scores of the vulnerabilities it fixes in its own products every month. ®