Malicious Apps Alert: Beware of Android Spyware! 🚨

Aug 31 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes cyber-attacks only happened once in a #SuperBlueMoon 🤩😒😩

Today’s hottest cybersecurity news stories:

  • 👲 China-linked BadBazaar Android spyware targets Signal & Telegram users 🕵️

  • 🧑‍💻 Source Code 2: this time it’s (dev) personale. Malicious packages steal source code 👀

  • 👴 Russiagate: Putin puts in a BAD word for Ukraine w/ fake Washington Post, Fox stories

How Bazaar, how Bazaar 🎢

🔒 Malicious Apps Alert: Beware of Android Spyware! 🚨

Cybersecurity researchers have uncovered sneaky Android apps on the Google Play Store and Samsung Galaxy Store carrying the dangerous BadBazaar spyware 📱🕵️. This sinister software steals sensitive info from infected devices 😱.

Slovak firm ESET has linked this campaign to China's GREF group. The apps—Signal Plus Messenger and FlyGram—have been distributing BadBazaar since July 2020 and 2022, through legit app stores and dedicated rogue websites 🕵️‍♀️🌐.

🌍 Primary targets are in Germany, Poland, and the U.S., with others affected in Ukraine, Australia, Brazil, and more 🌐🌏.

📲 BadBazaar was first spotted in 2022, targeting the Uyghur community in China. It grabs call logs, texts, and locations without victims knowing 😨.

🚫 While Google removed the apps, they're still lurking in Samsung's store. The malicious apps include:

  • Signal Plus Messenger (100+ downloads)

  • FlyGram (5,000+ downloads) 📥

🔒 Victims were lured into downloading the apps through a Uyghur Telegram group with over 1,300 members 🕵️‍♂️📩.

🔍 The spyware can access Signal PINs and Telegram backups. Signal Plus Messenger can even spy on Signal chats without any user action—by secretly linking an extra device to the victim's Signal account 😱.

🛡️ FlyGram uses SSL pinning to dodge analysis, making it hard to intercept its network traffic. Around 13,953 users have activated its Cloud Sync feature 💻🔒.

🔎 ESET is monitoring GREF, but ties to APT15 are inconclusive. BadBazaar's main goal? Snatch data, contacts, call logs, and spy on Signal messages 📥📞🕵️‍♀️.

Stay vigilant against suspicious apps! 🚫👀

I came across ZZZ money club during the crypto market bull run, when everyone’s a winner. Even during the bear market, this Discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active, and everyone in this private Discord group is very chatty and helpful.

It’s run by Yourfriendandy and Decadeinvestor; you can find them here on YouTube, both top guys with great content.

If you are interested in joining the group, you can do so through the link below.

And you thought Source Code 1 was hard to follow 🙃🙈😂

πŸ” Beware of Malicious npm Packages Targeting Developers! ⚠️

πŸ•΅οΈβ€β™‚οΈ An undisclosed threat actor is using sneaky npm packages to steal source code and config files from developers' machines πŸ–₯️. This highlights the lurking threats in open-source repositories.

πŸ” Software security firm Checkmarx revealed that this campaign traces back to 2021, with the threat actor consistently publishing harmful packages πŸ’». The recent report expands on a previous Phylum disclosure, where npm modules were manipulated to send sensitive data to a remote server πŸ“€.

βš™οΈ The packages are designed to trigger right after installation through a package.json file. This initiates the launch of preinstall.js, which then captures system data, source code, and secrets from specific folders πŸ“‚.

πŸ“¦ The attack finale involves compressing the data into a ZIP file and sending it to a preset FTP server πŸ“‘.

πŸ“… All the packages have "lexi2" as the author in package.json, indicating their origins reaching back to 2021 πŸ“†.
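The install-time chain described above (a lifecycle hook in package.json that launches a bundled preinstall.js, plus a shared author field across the packages) is exactly what a defender can audit before any dependency gets to run. The Node.js script below is an added example, not code from the newsletter or from the Checkmarx report: it scans parsed package.json manifests for npm lifecycle hooks that fire automatically during `npm install`, flags hooks that launch a bundled script or call network tooling, and checks the author field against a watchlist. The three manifests are constructed samples with placeholder package names; only the author value "lexi2" comes from the report.

```javascript
// Added example, not code from the newsletter or from Checkmarx: audit npm
// manifests for lifecycle hooks that run automatically during `npm install`.
// Sample manifests below are constructed; only the author "lexi2" is from
// the report summarised above.

// npm lifecycle scripts that execute without any explicit `npm run`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns that make an install hook worth a closer look: it launches a
// script shipped inside the package, or it reaches for network tooling.
const SUSPICIOUS = [
  { re: /\bnode\s+\S*\.js\b/i, why: 'runs a bundled script at install time' },
  { re: /\b(curl|wget|ftp|nc|ncat)\b/i, why: 'invokes network tooling' },
  { re: /\b(bash|sh|powershell|cmd)\b/i, why: 'spawns a shell' },
];

// Authors to flag on sight; "lexi2" is the value cited by Checkmarx.
const AUTHOR_WATCHLIST = new Set(['lexi2']);

// package.json "author" may be a string or an object with a "name" field.
function authorName(pkg) {
  const a = pkg.author;
  if (!a) return '';
  return typeof a === 'string' ? a.trim() : String(a.name || '').trim();
}

// Returns a finding for one manifest: which install hooks it declares,
// why each looks suspicious (if at all), and an overall risk level.
function auditManifest(pkg) {
  const scripts = pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
  const hooks = [];
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const cmd = String(scripts[hook]);
    const reasons = SUSPICIOUS.filter((s) => s.re.test(cmd)).map((s) => s.why);
    hooks.push({ hook, cmd, reasons });
  }
  const author = authorName(pkg);
  const watchlisted = AUTHOR_WATCHLIST.has(author.toLowerCase());
  let risk = 'none';
  if (hooks.some((h) => h.reasons.length > 0) || watchlisted) risk = 'high';
  else if (hooks.length > 0) risk = 'medium'; // a hook exists, but looks like a normal build step
  return { name: pkg.name, author, watchlisted, hooks, risk };
}

// Constructed manifests: one mimics the pattern in the report, one is a
// benign native addon with a build step, one declares no hooks at all.
const SAMPLE_MANIFESTS = [
  {
    name: 'example-crm-client', // placeholder name, not a real package
    version: '1.0.3',
    author: 'lexi2',
    scripts: { preinstall: 'node preinstall.js' },
  },
  {
    name: 'example-native-addon', // placeholder name
    version: '2.4.0',
    author: { name: 'maintainer' },
    scripts: { install: 'node-gyp rebuild', test: 'mocha' },
  },
  {
    name: 'example-utils', // placeholder name
    version: '0.1.0',
    author: 'maintainer',
    scripts: { test: 'jest' },
  },
];

// Audit a batch of manifests and keep only the ones that need attention.
function auditAll(manifests) {
  return manifests.map(auditManifest).filter((r) => r.risk !== 'none');
}

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.risk.toUpperCase()} ${r.name} author=${r.author || '?'}${r.watchlisted ? ' [watchlisted]' : ''}`);
  for (const h of r.hooks) console.log(`  ${h.hook}: ${h.cmd}  ${h.reasons.join('; ')}`);
}
```

To use it on a real tree, read each package.json under node_modules with fs, JSON.parse it, and pass the objects to auditAll. Install hooks are also the reason to evaluate unfamiliar packages with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc): the preinstall stage never runs, so a script like preinstall.js cannot fire before anyone has looked at it.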

🪙 The campaign appears focused on the cryptocurrency sector, hinted by package names like binarium-client, binarium-crm, and rocketrefer 🚀.

🛡️ Security researcher Yehuda Gelb emphasised the persistence and careful planning of these attacks, reminding us of the ongoing dangers in the cryptocurrency realm and the broader cybersecurity landscape 🌐.

Stay vigilant! 🚫👀

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Each fortnite, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ’°The Crypto Nutshell: Crypto News & Expert Predictions all in a nutshell πŸ’ͺ

  • πŸ“ˆThe Breakthrough: Receive one idea, one question, and one exercise each week that could spark your next breakthrough.

  • ✈️ViaTravelers: Get exclusive travel tips, news, and insider deals right in your inbox.

Let us know what you think!

More Russia, Russia, Russia (but for real this time) 😬


📰 Beware of Fake News Spreading from Russian Disinformation Campaign! 🇷🇺📢

A recent report from Meta reveals that a Russian disinformation campaign has been distributing fake articles mimicking The Washington Post and Fox News, aiming to undermine support for Ukraine πŸ“Š.

The campaign expanded its focus from Germany, France, and Ukraine to target the United States 🌍.

πŸ•΅οΈβ€β™‚οΈ Meta identified the culprits as Structura National Technology and Social Design Agency, previously sanctioned by the EU, involved in "the largest and most aggressive covert influence operation from Russia since 2017" πŸ•΅οΈβ€β™€οΈπŸ•΅οΈβ€β™‚οΈ.

πŸš€ Named "Doppelganger," the operation delivers false stories critical of Ukraine's President and U.S. President Biden, spreading them across social media platforms πŸ“£.

πŸ“ Elaborate spoofs were created, including a fabricated Washington Post articleΒ suggesting Ukraine's President was a CIA puppet πŸ•΅οΈβ€β™€οΈ. The operation mimicked real journalists and employed genuine bylines πŸ“.

πŸ›‘οΈ This campaign kicked off after Russia's invasion of Ukraine in the previous year, mimicking reputable outlets like The Guardian and Der Spiegel. Even a UN-confirmed massacre was twisted by the operation to frame Ukraine as the perpetrator πŸ“°πŸ‡ΊπŸ‡¦.

πŸ”‘ Meta calls for stronger domain name abuse policies to counteract these threats. The report highlights the need for industry-wide action to guard against such manipulative tactics and protect online users πŸŒπŸ›‘οΈ.

That’s all for today, folks!

Remember to always stay one step ahead of cyber threats! 🛡💪🌐 Stay safe, cyber-squad!

So long and thanks for reading all the phish!
