{"id":19984,"date":"2022-07-20T08:09:46","date_gmt":"2022-07-20T08:09:46","guid":{"rendered":"https:\/\/harchi90.com\/google-pulls-malware-infected-apps-3-million-users-at-risk-the-register\/"},"modified":"2022-07-20T08:09:46","modified_gmt":"2022-07-20T08:09:46","slug":"google-pulls-malware-infected-apps-3-million-users-at-risk-the-register","status":"publish","type":"post","link":"https:\/\/harchi90.com\/google-pulls-malware-infected-apps-3-million-users-at-risk-the-register\/","title":{"rendered":"Google pulls malware-infected apps, 3 million users at risk \u2022 The Register"},"content":{"rendered":"<div id=\"body\">\n<p>Google pulled 60 malware-infected apps from its Play Store, installed by more than 3.3 million punters, that can be used for all kinds of criminal activities including credential theft, spying and even stealing money from victims.<\/p>\n<p>Zscaler&#8217;s ThreatLabZ and security researcher Maxime Ingrao from fraud protection firm Evina discovered the downloader apps stuffed with software nasties including Joker, Facestealer, Coper, and Autolycos malware \u2014 the latter is a new family, according to Ingrao, who named and <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/IngraoMaxime\/status\/1547164768401858560\" target=\"_blank\">discovered<\/a> Autolycos in eight different apps with more than three million downloads to Android devices.<\/p>\n<p>The new malware strain, similar to Joker, steals SMS messages when downloaded and also unwittingly subscribes users to \u2014 and charges them for using \u2014 premium wireless application protocol services, Ingrao <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/IngraoMaxime\/status\/1547164768401858560\" target=\"_blank\">tweeted<\/a>. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Found new family of malware that subscribe to premium services \ud83d\udc408 applications since June 2021, 2 apps always in Play Store, +3M installs \ud83d\udc80\ud83d\udc80No webview like <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/hashtag\/Joker?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\">#Joker<\/a> but only http requestsLet&#8217;s call it <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/hashtag\/Autolycos?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\">#autolycos<\/a> \ud83d\udc7e<a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\">#Android<\/a> <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/hashtag\/Malware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\">#malware<\/a> <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/hashtag\/Evina?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\">#evina<\/a> <a rel=\"nofollow\" href=\"https:\/\/t.co\/SgTfrAOn6H\" target=\"_blank\">pic.twitter.com\/SgTfrAOn6H<\/a><\/p>\n<p>\u2014 Maxime Ingrao (@IngraoMaxime) <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/IngraoMaxime\/status\/1547164768401858560?ref_src=twsrc%5Etfw\" target=\"_blank\">July 13, 2022<\/a><\/p><\/blockquote>\n<p>This spyware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services.<\/p>\n<p>&#8220;It retrieves a JSON on the C2 address: 68.183.219.190\/pER\/y,&#8221; he further explained.  &#8220;It then executes the urls, for some steps it executes the urls on a remote browser and returns the result to include it in the requests. This allows it not to have a Webview and to be more discreet.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\">\n        <noscript><\/p>\n<p>                <\/p>\n<p>        <\/noscript>\n    <\/div>\n<p>Additionally, fraudsters created Facebook and Instagram ads to promote the phony applications, Ingrao <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/IngraoMaxime\/status\/1547164790753267713\" target=\"_blank\">noted<\/a>.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\">\n            <noscript><\/p>\n<p>                    <img src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Yte4R5Sbnrbadvv6JVAVNAAAAAE&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt=\"\"\/><\/p>\n<p>            <\/noscript>\n        <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\">\n                <noscript><\/p>\n<p>                        <img src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Yte4R5Sbnrbadvv6JVAVNAAAAAE&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt=\"\"\/><\/p>\n<p>                <\/noscript>\n            <\/div>\n<\/p><\/div>\n<p>The malicious apps include:<\/p>\n<ul>\n<li>Vlog Star Video Editor \u2013 1 million downloads<\/li>\n<li>Creative 3D Launcher \u2014 1 million downloads<\/li>\n<li>Wow Beauty Camera \u2014 100,000 downloads<\/li>\n<li>Gif Emoji Keyboard \u2014 100,000 downloads<\/li>\n<li>Freeglow Camera \u2014 5,000 downloads<\/li>\n<li>Coco Camera v1.1 \u2014 1,000 downloads<\/li>\n<li>Funny Camera \u2014 500,000 downloads<\/li>\n<li>Razer Keyboard &#038; Theme \u2014 50,000 downloads<\/li>\n<\/ul>\n<h3 class=\"crosshead\">\n  <span>Joker, Facestealer and Coper resurface<\/span><br \/>\n<\/h3>\n<p>Meanwhile, Zscaler&#8217;s threat hunters this week said Google removed an additional 52 malware-infested apps on the Play Store, and 50 of them were used to deploy Joker, which has been an ongoing problem for Android devices.  They also discovered Facestealer and Coper malware in two other malicious apps, and those have been booted from the online marketplace as well.<\/p>\n<p>Joker-spread apps were downloaded more than 0,000 times, according to more than 30 security researchers Viral Gandhi and Himanshu Sharma, who provided a technical analysis of the three malware family payloads and listed all 50 Joker downloaders on a ThreatLabZ blog post.<\/p>\n<p>&#8220;Despite public awareness of this particular malware, it keeps finding its way into Google&#8217;s official app store by regularly modifying the malware&#8217;s trace signatures including updates to the code, execution methods, and payload-retrieving techniques,&#8221; Gandhi and Sharma wrote. <\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\">\n            <noscript><\/p>\n<p>                    <img src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Yte4R5Sbnrbadvv6JVAVNAAAAAE&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt=\"\"\/><\/p>\n<p>            <\/noscript>\n        <\/div>\n<p>Once downloaded, Joker malware steals SMS messages, contact lists, and device information and also unknowingly signs the victim up for premium services.<\/p>\n<p>&#8220;Most commonly, threat actors disguise the Joker malware in messaging applications that require users to grant escalated access permissions by allowing them to serve as the default SMS app on the user&#8217;s phone,&#8221; the threat hunters noted.  &#8220;The malware uses these advanced permissions to carry out its operations.&#8221;<\/p>\n<p>Additionally, Zscaler discovered Facestealer hiding in the now-removed cam.vanilla.snap app on Google Play Store, which had 5,000 downloads.  This malware targets Facebook users via fake Facebook login pages to steal credentials.  And finally, the security team also discovered banking trojan Coper disguised as a Unicc QR Scanner app.<\/p>\n<p>&#8220;Once downloaded, this app unleashes the Coper malware infection which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking\/unlocking the device screen, performing overly attacks, preventing uninstalls and generally allowing attackers to take control and execute commands on infected device via remote connection with a C2 server,&#8221; Gandhi and Sharma wrote.  \u00ae<\/p>\n<\/p><\/div>\n<p><script async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google pulled 60 malware-infected apps from its Play Store, installed by more than 3.3 million punters, that can be used for all kinds of criminal activities including credential theft, spying and even stealing money from victims. Zscaler&#8217;s ThreatLabZ and security researcher Maxime Ingrao from fraud protection firm Evina discovered the downloader apps stuffed with software &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/harchi90.com\/google-pulls-malware-infected-apps-3-million-users-at-risk-the-register\/\"> <span class=\"screen-reader-text\">Google pulls malware-infected apps, 3 million users at risk \u2022 The Register<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[4],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":15526,"url":"https:\/\/harchi90.com\/delete-these-android-apps-infected-with-autolycos-malware\/","url_meta":{"origin":19984,"position":0},"title":"Delete These Android Apps Infected With Autolycos Malware","date":"July 15, 2022","format":false,"excerpt":"photo: rafapress (Shutterstock)Try as Google might, it seems there's no stopping malware-infected apps from sneaking their way onto the Play Store. We've covered plenty of cases in the past, including the recent \u201ctoll fraud\u201d malware targeting older Androids. Now, the scammers behind a new strain of malware have tricked users\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":17310,"url":"https:\/\/harchi90.com\/malware-infected-apps-hit-over-3-million-android-devices-delete-these-now\/","url_meta":{"origin":19984,"position":1},"title":"Malware infected apps hit over 3 million Android devices \u2014 delete these now","date":"July 17, 2022","format":false,"excerpt":"Bad apps infected with malware which subscribe users to premium services without their knowledge have been downloaded over three million times from the Google Play Store.As reported by BleepingComputer (opens in new tab)a new malware family dubbed 'Autolycos' was discovered in eight popular Android apps by security researcher Maxime Ingrao\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":19179,"url":"https:\/\/harchi90.com\/several-new-play-store-apps-spotted-distributing-joker-facestealer-and-coper-malware-the-hacker-news\/","url_meta":{"origin":19984,"position":2},"title":"Several New Play Store Apps Spotted Distributing Joker, Facestealer and Coper Malware \u2014 The Hacker News","date":"July 19, 2022","format":false,"excerpt":"Google has taken steps to ax dozens of fraudulent apps from the official Play Store that were spotted propagating Joker, Facestealer, and Coper malware families through the virtual marketplace. While the Android storefront is considered to be a trusted source for discovering and installing apps, bad actors have repeatedly found\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/thehackernews.com\/new-images\/img\/b\/R29vZ2xl\/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg\/s1600\/strike-728.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":17479,"url":"https:\/\/harchi90.com\/eight-malware-infested-apps-were-able-to-garner-3-million-downloads-from-the-play-store\/","url_meta":{"origin":19984,"position":3},"title":"Eight malware-infested apps were able to garner 3 million downloads from the Play Store","date":"July 17, 2022","format":false,"excerpt":"It preyed on victims through Facebook ads Android is definitely not a malware-free platform. If you stumble upon the wrong website and download the wrong APK, things can go haywire pretty quickly. But it's generally accepted that as long as you get your apps from the Google Play Store, you\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":20878,"url":"https:\/\/harchi90.com\/even-more-android-malware-was-discovered-on-google-play\/","url_meta":{"origin":19984,"position":4},"title":"Even More Android Malware Was Discovered on Google Play","date":"July 21, 2022","format":false,"excerpt":"photo: to the tock (Shutterstock)cybersecurity at researchers Zscaler ThreatLabz discovered yet another batch of Android malware that was openly available on the Google Play Store and downloaded by hundreds of thousands of users before it was removed. This group includes dozens of apps that hid three major malware strains: Joker,\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"Jachs NY Shirts","src":"https:\/\/i0.wp.com\/i.kinja-img.com\/gawker-media\/image\/upload\/c_fill,fl_progressive,g_center,h_180,q_80,w_320\/7297ea52b95e351b0a745e860d7f01a7.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":6911,"url":"https:\/\/harchi90.com\/avoid-these-toll-fraud-apps-on-android\/","url_meta":{"origin":19984,"position":5},"title":"Avoid These &#8216;Toll Fraud&#8217; Apps on Android","date":"July 7, 2022","format":false,"excerpt":"photo: Stokkete (Shutterstock)Older Android phones are a known security risk, but recent research from Microsoft's 365 Defender Research Team shows just how vulnerable the outdated devices are vulnerable to a serious form of malware known as \u201ctoll fraud.\u201dToll fraud malware hides in normal-looking apps, quietly signing up users for premium\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"fifu_image_url":"https:\/\/regmedia.co.uk\/2022\/07\/19\/joker_face_shutterstock.jpg","_links":{"self":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/19984"}],"collection":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/comments?post=19984"}],"version-history":[{"count":0,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/19984\/revisions"}],"wp:attachment":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/media?parent=19984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/categories?post=19984"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/tags?post=19984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}