Android users tricked into installing malicious apps

Jul 20 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that wonders who’s committed more crimes: Joe Biden, Donald Trump, or the world’s cybercriminals combined…

It’s also my birthday today, so time for a special edition as we have just hit 3000 subscribers. Thanks for signing up and hope you enjoy the daily phish.

Today’s hottest cyber security stories:

  • Hackers exploit WebAPK, trick Android users into installing malicious apps

  • Malicious USB Drives hit global targets with SOGU, SNOWYDRIVE malware

  • BreachForums owner pleads guilty to cybercrime, child pornography charges

Don’t get caught in your own WebAPK

Beware of Malicious Web Apps Targeting Android Users!

Threat actors are exploiting Android's WebAPK technology to deceive unsuspecting users into installing harmful web apps on their Android phones, aiming to capture sensitive personal information.

According to researchers from CSIRT KNF, the attack begins with victims receiving SMS messages urging them to update their mobile banking application.

The link provided in the message directs users to a website that leverages WebAPK technology to install a malicious app on their devices.

The fake app impersonates PKO Bank Polski, a renowned multinational banking and financial services company based in Warsaw. Details of this campaign were initially disclosed by Polish cybersecurity firm RIFFSEC.

WebAPK enables the installation of progressive web apps (PWAs) directly to the Android device's home screen without using the Google Play Store.

Google explains that, during the installation process, the browser silently instals the app on the user's device after generating and signing an APK for the PWA. Since the APK is signed by trusted providers, the device instals it without the user having to disable any security measures. This eliminates the need for sideloading the app. ✅

Once installed, the malicious banking app ("org.chromium.webapk.a798467883c056fed_v2") prompts users to enter their login credentials and two-factor authentication (2FA) tokens, resulting in the theft of their sensitive information.
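For anyone triaging a device, the package name above gives something concrete to look for. The following is an added example, not code from this newsletter or from CSIRT KNF: it parses the text produced by `adb shell pm list packages -i`, lists every WebAPK package and puts the one reported above first. The sample output and the second WebAPK name are constructed, and a WebAPK hit on its own only means a PWA was installed and is worth checking.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Prefix shared by WebAPK packages, as in the package name quoted in the article.
WEBAPK_PREFIX = "org.chromium.webapk."
# Package name the article gives for the fake banking app.
KNOWN_BAD = {"org.chromium.webapk.a798467883c056fed_v2"}

# Matches "package:<name>" with an optional "installer=<name>" column (-i flag).
LINE_RE = re.compile(
    r"^package:(?P<name>[A-Za-z0-9_.]+)(?:\s+installer=(?P<installer>\S+))?$"
)

@dataclass
class Finding:
    package: str
    installer: Optional[str]
    known_bad: bool

def find_webapks(pm_output: str) -> List[Finding]:
    """Return WebAPK packages found in `pm list packages` output, known-bad first."""
    findings = []
    for raw in pm_output.splitlines():
        match = LINE_RE.match(raw.strip())
        if match is None:
            continue  # warning, banner or malformed line
        name = match["name"]
        if name.startswith(WEBAPK_PREFIX):
            findings.append(Finding(name, match["installer"], name in KNOWN_BAD))
    return sorted(findings, key=lambda f: (not f.known_bad, f.package))

# Constructed sample output; only the second package name comes from the article.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:org.chromium.webapk.a798467883c056fed_v2  installer=com.android.vending
package:org.chromium.webapk.a1b2c3d4e5f6a7b8c_v2  installer=com.android.vending
package:com.example.notes
WARNING: constructed noise line
"""

if __name__ == "__main__":
    for f in find_webapks(SAMPLE):
        verdict = "matches reported package" if f.known_bad else "review: is this PWA expected?"
        print(f"{f.package}  installer={f.installer}  -> {verdict}")
```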


Stay cautious when prompted to update apps via SMS and only download applications from trusted sources like the official app stores to safeguard your personal data. Be vigilant against these deceptive tactics and protect yourself from falling victim to such cyber threats.

I came across ZZZ money club during the crypto market bull run when everyone’s a winner, even during the bear market this discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active and everyone in this private discord group is very chatty and helpful.

It's run by Yourfriendandy and Decadeinvestor. You can find them here on YouTube, both top guys with great content.

If you are interested in joining the group you can through the link below.


Surge in USB-Based Cyber Attacks!

Cyber attacks leveraging infected USB drives as an initial access point have tripled in the first half of 2023, as per recent findings by Mandiant.

Two notable campaigns, namely SOGU and SNOWYDRIVE, have targeted public and private sector organisations worldwide.

Mandiant identifies SOGU as the most prevalent USB-based cyber espionage attack, characterised by the aggressive targeting of global public and private sector entities across various industries.

The threat is attributed to a China-based cluster known as TEMP.Hex, also tracked under names such as Camaro Dragon, Earth Preta, and Mustang Panda.

The targets span construction, engineering, business services, government, healthcare, transportation, and retail sectors in Europe, Asia, and the United States.

The infection chain observed by Mandiant exhibits similarities with another Mustang Panda campaign discovered by Check Point. This campaign unveiled WispRider, a self-propagating malware capable of spreading through compromised USB drives and potentially breaching air-gapped systems.

The attack sequence begins with a malicious USB flash drive being inserted into a computer. This triggers the execution of PlugX (aka Korplug), which decrypts and launches a C-based backdoor named SOGU.

The backdoor facilitates the exfiltration of files of interest, keystrokes, and screenshots.


Remain cautious when connecting unfamiliar USB drives to your devices, as they can serve as an entry point for sophisticated cyber threats. Regularly update security measures and be vigilant against potential USB-based attacks.

Extra, Extra! Read all about it

Each week, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ✍️ The Story Grid: Fancy yourself as a writer, but unsure where to start? Check out this free ebook on how to write stories people will love.

  • Life's A Game with Amanda Goetz: If you're a founder, marketer, or leader who is looking to grow your career and your life, then I highly recommend signing up for this program. You'll learn from some of the top experts in the field.

  • Stand the f*ck out: Anxious about AI, wary customers, and rising competition? This on-trend newsletter could be just the ticket.

Let us know what you think!

Hanging’s too good Forum!

Guilty Plea in BreachForums Cybercrime Case!

Conor Brian Fitzpatrick, the former owner of the now-defunct BreachForums website, has pleaded guilty to charges related to operating the cybercrime forum and possessing child pornography images.

This development follows his formal charges in the U.S. for conspiracy to commit access device fraud and possession of child pornography.

BreachForums, which launched in March 2022, served as an illicit marketplace where members traded hacked or stolen databases, allowing other criminals to gain unauthorised access to targeted systems. The website was shut down in March 2023, shortly after Fitzpatrick's arrest in New York.

It is estimated that the forum contained around 888 databases with a staggering 14 billion individual records. Prior to its takedown, BreachForums had amassed over 333,000 members.

According to court documents, the purpose of BreachForums and Fitzpatrick's intent in operating the platform was to facilitate the trafficking of stolen or hacked databases, including access devices, and to solicit offers for databases containing such access devices.

The 20-year-old faces a potential maximum prison term of 40 years and fines totaling $750,000. Fitzpatrick is scheduled to be sentenced on November 17, 2023. ⚖️

This case highlights the severe consequences faced by those involved in cybercrime activities. It serves as a reminder of the importance of law enforcement efforts to combat illegal online marketplaces and protect the integrity of digital systems.

Stay vigilant and report any suspicious activities to ensure a safer cyberspace.

So long and thanks for reading all the phish!
