Ideally, the built-in Google Play Protect feature is supposed to keep malicious apps from ever reaching Android devices. In practice, though, numerous samples of booby-trapped software are sliding unnoticed into the official marketplace all the time. The recent malware outbreaks described below demonstrate that the mobile threat climate is getting hotter and the current security mechanisms aren’t enough to cool it down.
Android malware pilfering one-time passwords
In March 2019, Google announced countermeasures against apps requesting permissions they don’t need, such as SMS and call log access. This change to the developer policy made it harder for unscrupulous software makers to obtain users’ credentials by bypassing 2FA (two-factor authentication). However, fraudsters appear to have found a clever workaround.
A campaign discovered in mid-June abuses Android’s notification system to steal OTPs (one-time passwords) arriving via SMS or email. Numerous fishy applications mimicking the Turkish cryptocurrency exchange BtcTurk ended up on the Google Play store as part of a major credential theft maneuver. These apps request notification access rather than permission to read SMS, which allows them to fly under the radar of Google’s restrictions mentioned above.
Even so, notification access suffices to read the notifications any app posts on an infected device, dismiss them, or press their embedded buttons behind the scenes. This means the dodgy apps can capture 2FA codes that various services generate and send to the smartphone.
To complete the attack chain, the impostor applications present a bogus login form. Once the unsuspecting victim enters a username and password, these details are surreptitiously sent to the criminals and a fake error message appears claiming the login failed because of maintenance. As a result, the felons get hold of the user’s authentication data for the cryptocurrency exchange and can easily circumvent 2FA for other services further on.
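The defensive counterpart to this campaign is to audit which apps actually hold the notification-listener privilege, since that is the setting these impostor apps rely on instead of SMS permission. The following Python script is an added example, not code from the article or from any of the apps it describes. The two adb commands it names are real, but the sample outputs embedded in it are constructed so the check runs offline, and the allowlist of known-good packages is an assumption you would fill in for your own fleet.

```python
"""Flag third-party apps that have been granted Android notification access.

Added example (not from the article). The adb commands are real; the sample
outputs and the package names in them are constructed for illustration.
"""
from __future__ import annotations

import subprocess
from typing import Iterable

# Real commands to run against a connected device when auditing for real.
LISTENERS_CMD = ["adb", "shell", "settings", "get", "secure", "enabled_notification_listeners"]
THIRD_PARTY_CMD = ["adb", "shell", "pm", "list", "packages", "-3"]

# Constructed sample output of the first command: a colon-separated list of
# flattened ComponentNames ("pkg/cls", with "pkg/.Cls" as shorthand for "pkg/pkg.Cls").
SAMPLE_LISTENERS = (
    "com.android.systemui/.notifications.Listener:"
    "com.example.wallet/com.example.wallet.NotifyService:"
    "com.example.exchangeapp/.OtpReader"
)

# Constructed sample output of the second command: one "package:<name>" line per third-party app.
SAMPLE_THIRD_PARTY = (
    "package:com.example.exchangeapp\n"
    "package:com.example.wallet\n"
    "package:com.example.game\n"
)

# Assumption: listeners the device owner has knowingly enabled.
ALLOWLIST = {"com.example.wallet"}


def parse_listeners(setting: str) -> list[tuple[str, str]]:
    """Split the setting value into (package, fully qualified class) pairs.

    The setting reads "null" on a device where nothing was ever enabled.
    """
    result: list[tuple[str, str]] = []
    setting = setting.strip()
    if setting in ("", "null"):
        return result
    for entry in setting.split(":"):
        if "/" not in entry:
            continue  # skip anything that is not a ComponentName
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the "pkg/.Cls" shorthand
        result.append((pkg, cls))
    return result


def parse_third_party(pm_output: str) -> set[str]:
    """Collect package names from `pm list packages -3` output."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def audit(setting: str, pm_output: str, allowlist: Iterable[str] = ALLOWLIST) -> list[dict]:
    """Return enabled listeners that belong to third-party packages not on the allowlist.

    System packages (not in the -3 list) are left alone; anything else holding
    this privilege without being vetted is worth a closer look.
    """
    third_party = parse_third_party(pm_output)
    allowed = set(allowlist)
    return [
        {"package": pkg, "service": cls}
        for pkg, cls in parse_listeners(setting)
        if pkg in third_party and pkg not in allowed
    ]


def run_adb(cmd: list[str]) -> str:
    """Run one of the adb commands above and return its stdout."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Swap the two sample strings for run_adb(LISTENERS_CMD) / run_adb(THIRD_PARTY_CMD) on a live device.
    for finding in audit(SAMPLE_LISTENERS, SAMPLE_THIRD_PARTY):
        print(f"suspicious notification listener: {finding['package']} ({finding['service']})")
```

On the constructed sample the script reports only `com.example.exchangeapp`, because the system UI listener is not a third-party package and the wallet app is allowlisted. A flagged listener can be revoked on the device under Settings > Apps > Special app access > Notification access; the script deliberately reports rather than revokes, since the decision depends on what the package is supposed to do.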
Missed call? Not really
In another intricate move, malefactors were able to abuse Android’s Notifications and Push APIs (application programming interfaces) to promote scams. An ongoing campaign is delivering spammy Chrome notifications that, when tapped, redirect the victims to websites crammed with ads, or to pages that host rogue login forms and aim to steal credentials.
The trickiest part of this hoax is that the fraudsters use custom icons to disguise their intentions. This way, a sketchy link in the notification area of a device’s screen may look like a missed call alert. Most people primarily pay attention to the visual appearance of push messages, so they are likely to get curious about who the caller is and tap the entry.
The resulting deceptive page can ask for the visitor’s personal data to claim freebies, require extra verification due to a declined payment, or simply display annoying sponsored content. It’s noteworthy that these disguised messages won’t show up unless the user accepts notifications from a dubious domain in the browser. Therefore, it’s definitely a good idea to treat such requests with caution.
URL spoofing in a popular Android browser
In early May 2019, researchers discovered a flaw in the latest versions of the UC Browser that allows cybercriminals to hide the actual URL of a visited site. For the record, this browser is used on hundreds of millions of Android devices, so the attack surface is potentially enormous.
According to the report, the app authors have changed the way URLs are displayed in the address bar. When a user looks up information on the Internet and taps an entry in the SERPs (search engine results pages), UC Browser and its Mini version show only the search term instead of the actual domain. If the search query string looks like a reputable website’s address, e.g. facebook.com, the user will think they are on the right web page while they may actually be visiting a malicious Internet resource.
The fact that a harmful landing page can impersonate a legitimate site makes it possible for offenders to orchestrate effective phishing campaigns or serve malware to Android devices. At the time of this writing, the flaw remains unpatched although security analysts have made the app publisher aware of the issue.
Fake apps causing redirects to fraudulent sites
When looking for apps related to popular brands, Android users run the risk of installing Trojans in disguise. In a new wave of malvertising, perpetrators exploit the web push technology to display deceptive notifications and forward the victims’ traffic to scam sites. The malware-riddled applications that got on researchers’ radar pretend to come from well-known clothing retailers. The range of these culprits could span many more industries, though.
Once such an app is installed, it opens a specific predefined website in Google Chrome. This web page triggers a request to allow notifications, disguised as a garden-variety check that the visitor is not a bot. If the user grants this permission, the site will start sending numerous web push messages to the device. These entries will keep showing up in the notification panel even if Chrome is closed or the troublemaking website isn’t currently open.
The push messages can look like alerts from social networks, news outlets, dating sites, and other services most people use every day. When tapped, they redirect the victims to different kinds of shady web pages promoting untrustworthy betting resources, coupons, counterfeit prize claims, and similar hoaxes.
Fully relying on Android’s native security features is a risky business. Whenever a ban or restriction is introduced to strengthen the defenses, cybercriminals are quite likely to get around it. Moreover, the danger doesn’t necessarily stem from unofficial app repositories. The examples above show that cybercrooks are regularly uploading malicious programs to Google’s Play Store without being stopped in their tracks. Some would advise using Apple products. Yes, they used to be much safer, but with many recent examples of rogue programs, it appears that the only way for regular users on any OS to stay safe boils down to vigilance.