Android devices infected via romance scams

Feb 06 2024

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that will never ever ask you for a small £2000 bank transfer to secure a £20 million Nigerian Prince’s fortune ????????????????

Today’s hottest cybersecurity news stories:

  • ???? Android devices infected w/ VajraSpy via romance scams ????

  • ????️ Windows SmartScreen flaw exploited by Mispadu bank trojan ????

  • ???? Hong Kong office conned out of £20 million by deepfake video ????

But like heaven above me ????

The VajraSpy who loved me ????????????

???? Cybersecurity Alert: Unveiling Patchwork's Elaborate Threat Scheme! ????️‍♂️????

Slovak cybersecurity firm ESET has uncovered a sophisticated cyber threat orchestrated by the notorious Patchwork threat actor, employing romance scams to ensnare victims in Pakistan and India. ???? The nefarious campaign involves the deployment of the VajraSpy remote access trojan, infiltrating Android devices and compromising sensitive information.

???? ESET identified a dozen espionage apps, with six deceptively available on the official Google Play Store. Shockingly, these seemingly innocuous apps garnered over 1,400 downloads collectively from April 2021 to March 2023. ???? Security researcher Lukáš Štefanko highlights VajraSpy's espionage functionalities, ranging from stealing contacts, files, call logs, and SMS messages to extracting WhatsApp and Signal messages, recording phone calls, and even taking pictures through the device's camera.

???? The malicious apps, masquerading primarily as messaging applications such as Privee Talk and MeetMe, exploited the unsuspecting victims in a honey-trap romance scam. Notably, Rafaqat رفاق, posing as a news app, stood out as the only non-messaging application.

???? The exact distribution vector remains unclear, though it is suspected that targets were deceived into downloading the malicious apps as part of the romance scam. This mirrors Patchwork's previous tactics revealed by Meta in March 2023, involving fictitious personas on Facebook and Instagram.

???? VajraSpy is not a newcomer to the threat landscape. In November 2023, Qihoo 360 linked it to the Fire Demon Snake threat actor (aka APT-C-52), showcasing its persistence and adaptability.

????️ The cyber threat extends beyond the borders of Pakistan and India, with reports of Nepalese government entities falling victim to a phishing campaign associated with the SideWinder group. This group, like Patchwork, has been flagged for operating with Indian interests in mind.

???? The development coincides with financially motivated threat actors from Pakistan and India targeting Indian Android users with a fake loan app, employing extortion tactics by manipulating uploaded selfies during the know your customer (KYC) process.

????️ As cybersecurity concerns escalate globally, it is crucial to stay informed, vigilant, and share this warning with your network. Protect yourself against evolving cyber threats. ????????????

Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Windows not so SmartScreen ????????????

???? Cyber Threat Alert: Mispadu Banking Trojan Strikes Again with Windows SmartScreen Bypass! ????????

Palo Alto Networks Unit 42 reveals a resurgence of Mispadu banking Trojan exploiting a now-patched Windows SmartScreen security bypass flaw, compromising users in Mexico. This latest attack introduces a new variant of the Delphi-based malware, first detected in 2019, targeting victims in Latin America (LATAM).

⚠️ Propagated through phishing emails, Mispadu is infamous for stealing information, particularly in the LATAM region. Metabase Q's March 2023 report exposed Mispadu's spam campaigns, harvesting over 90,000 bank account credentials since August 2022. It's part of the broader family of LATAM banking malware, alongside Grandoreiro.

????️‍♂️ Unit 42 identifies the latest infection chain utilising rogue internet shortcut files within fake ZIP archives, exploiting the Windows SmartScreen bypass flaw (CVE-2023-36025), patched by Microsoft in November 2023. Researchers Daniela Shalev and Josh Grunzweig highlight the exploit's simplicity, relying on a crafted .URL file with a link to a threat actor's network share containing a malicious binary.

???? Mispadu, upon activation, selectively targets victims based on their geographic location and system configurations, establishing contact with a command-and-control (C2) server for data exfiltration.

???? Stay vigilant, update your systems, and share this alert to thwart evolving cyber threats! ????????️????

???? Catch of the Day!! ????????????

???? The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya ???? Let us tell who’s not fooling around though; that’s the Crüe ???? at Motley Fool. You’d be a fool (alright, enough already! ????) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ???? Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ???? (LINK)

???? Wander: Find your happy place. Cue Happy Gilmore flashback ????️⛳????????️ Mmmm Happy Place… ???? So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ????️???? (LINK)

???? Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ???????? (Great movie, to be fair ????). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty ????). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho ???? And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ???? (LINK)

Hong Kong Phoney ????????????

???? Scam Alert: Deepfake Heist Costs Multinational Company HK$200 Million! ????????

In a groundbreaking incident in Hong Kong, a multinational company fell victim to a staggering HK$200 million scam ($25.6 million) orchestrated using deepfake technology. ???????? The scam involved a digitally recreated version of the company's chief financial officer (CFO) giving fraudulent money transfer orders during a video conference call.

???? The scammers employed deepfake technology to convincingly replicate the CFO and other meeting participants, making them appear and sound like authentic individuals. Acting senior superintendent Baron Chan Shun-ching emphasised that this case was unique, as it marked the first instance in Hong Kong where multiple fake personas were used in a video conference.

????️‍♂️ The employee from the company's finance department received a phishing message in mid-January, seemingly from the UK-based CFO, instructing a secret transaction. Despite initial doubts, the employee was deceived during a group video conference, where the scammers utilised deepfake technology to create lifelike representations of known company figures.

???? Following the scammers' instructions, the victim made 15 transfers totaling HK$200 million to five Hong Kong bank accounts. The entire episode unfolded over a week before the victim realised it was a scam upon consulting the company's headquarters.

????️ During the video conference, the scammers utilised deepfake voices to imitate the targets reading from a script, adding a layer of deception. The scammers maintained contact with the victim through various channels, emphasising the sophistication of their tactics.

???? Police are investigating the incident, highlighting the evolving threat landscape and the nefarious use of deepfake technology. Senior Inspector Tyler Chan Chi-wing urged vigilance, suggesting methods to verify authenticity, such as requesting movement or posing questions.

???? In response to the rising threat, police plan to expand their alert system covering the Faster Payment System (FPS) to warn users about potential scam-related transfers. The alert system, covering 35 banks and nine stored-value services, will be extended to local instant money transfers online and offline by the second half of the year.

???? Stay informed, stay vigilant, and share this cautionary tale to protect against emerging cyber threats! ???????? We’re living in a Brave New World ????

????️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran 'Wealthy Primate' might be able to help you climb that tree ???????? with his stick and banana approach ????????

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles