Malicious Apps Alert: Beware of Android Spyware! ????

Aug 31 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes cyber-attacks only happened once in a #SuperBlueMoon ????????????

Today’s hottest cybersecurity news stories:

  • ???? China-linked BadBazaar Android spyware targets Signal & Telegram users ????️

  • ????‍???? Source Code 2: this time it’s (dev) personale. Malicious packages steal source code ????

  • ???? Russiagate: Putin puts in a BAD word for Ukraine w/ fake Washington Post, Fox stories

How Bazaar, how Bazaar ????

???? Malicious Apps Alert: Beware of Android Spyware! ????

Cybersecurity researchers have uncovered sneaky Android apps on Google Play Store and Samsung Galaxy Store, carrying the dangerous BadBazaar spyware ????????️. This sinister software steals sensitive info from infected devices ????.

Slovakian firm ESET has linked this campaign to China's GREF group. The apps—Signal Plus Messenger and FlyGram—have been distributing BadBazaar since July 2020 and 2022, through legit app stores and dedicated rogue websites ????️‍♀️????.

???? Primary targets are in Germany, Poland, and the U.S., with others affected in Ukraine, Australia, Brazil, and more ????????.

???? BadBazaar was first spotted in 2022, targeting the Uyghur community in China. It grabs call logs, texts, and locations without victims knowing ????.

???? While Google removed the apps, they're still lurking in Samsung's store. The malicious apps include:

  • Signal Plus Messenger (100+ downloads)

  • FlyGram (5,000+ downloads) ????

???? Victims were tricked into downloading via a Uyghur Telegram group, luring over 1,300 members ????️‍♂️????.

???? The spyware can access Signal PINs and Telegram backups. Signal Plus Messenger can even spy on Signal chats without user action—by secretly linking devices ????.

????️ FlyGram uses SSL pinning to dodge analysis, making it hard to intercept its network traffic. Around 13,953 users have activated its Cloud Sync feature ????????.

???? ESET is monitoring GREF, but ties to APT15 are inconclusive. BadBazaar's main goal? Snatch data, contacts, call logs, and spy on Signal messages ????????????️‍♀️.

Stay vigilant against suspicious apps! ????????

I came across ZZZ money club during the crypto market bull run when everyone’s a winner, even during the bear market this discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active and everyone in this private discord group is very chatty and helpful.

Its run by Yourfriendandy and Decadeinvestor, you can find them here on YouTube, both top guys with great content.

If you are interested in joining the group you can through the link below.

And you thought Source Code 1 was hard to follow ????????????

???? Beware of Malicious npm Packages Targeting Developers! ⚠️

????️‍♂️ An undisclosed threat actor is using sneaky npm packages to steal source code and config files from developers' machines ????️. This highlights the lurking threats in open-source repositories.

???? Software security firm Checkmarx revealed that this campaign traces back to 2021, with the threat actor consistently publishing harmful packages ????. The recent report expands on a previous Phylum disclosure, where npm modules were manipulated to send sensitive data to a remote server ????.

⚙️ The packages are designed to trigger right after installation through a package.json file. This initiates the launch of preinstall.js, which then captures system data, source code, and secrets from specific folders ????.

???? The attack finale involves compressing the data into a ZIP file and sending it to a preset FTP server ????.

???? All the packages have "lexi2" as the author in package.json, indicating their origins reaching back to 2021 ????.

???? The campaign appears focused on the cryptocurrency sector, hinted by package names like binarium-client, binarium-crm, and rocketrefer ????.

????️ Security researcher Yehuda Gelb emphasised the persistence and careful planning of these attacks, reminding us of the ongoing dangers in the cryptocurrency realm and the broader cybersecurity landscape ????.

Stay vigilant! ????????

????️ Extra, Extra! Read all about it! ????️

Each fortnite, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ????The Crypto Nutshell: Crypto News & Expert Predictions all in a nutshell ????

  • ????The Breakthrough: Receive one idea, one question, and one exercise each week that could spark your next breakthrough.

  • ✈️ViaTravelers: Get exclusive travel tips, news, and insider deals right in your inbox.

Let us know what you think!

More Russia, Russia, Russia (but for real this time) ????

donald trump GIF by franceinfo

Gif by franceinfo on Giphy

???? Beware of Fake News Spreading from Russian Disinformation Campaign! ????????????

A recent report from Meta reveals that a Russian disinformation campaign has been distributing fake articles mimicking The Washington Post and Fox News, aiming to undermine support for Ukraine ????.

The campaign expanded its focus from Germany, France, and Ukraine to target the United States ????.

????️‍♂️ Meta identified the culprits as Structura National Technology and Social Design Agency, previously sanctioned by the EU, involved in "the largest and most aggressive covert influence operation from Russia since 2017" ????️‍♀️????️‍♂️.

???? Named "Doppelganger," the operation delivers false stories critical of Ukraine's President and U.S. President Biden, spreading them across social media platforms ????.

???? Elaborate spoofs were created, including a fabricated Washington Post article suggesting Ukraine's President was a CIA puppet ????️‍♀️. The operation mimicked real journalists and employed genuine bylines ????.

????️ This campaign kicked off after Russia's invasion of Ukraine in the previous year, mimicking reputable outlets like The Guardian and Der Spiegel. Even a UN-confirmed massacre was twisted by the operation to frame Ukraine as the perpetrator ????????????.

???? Meta calls for stronger domain name abuse policies to counteract these threats. The report highlights the need for industry-wide action to guard against such manipulative tactics and protect online users ????????️.

That’s all for today, folks!

Remember to always stay one step ahead of cyber threats! ???????????? Stay safe, cyber-squad!

So long and thanks for reading all the phish!

Recent articles