Nasty Android Malware Steals Passwords from over 200 Apps — What to Do Now

A new strain of Android malware steals passwords for Facebook, Google, WhatsApp, and over 200 other apps, swipes Google Authenticator two-factor authentication codes, steals contact lists, records keystrokes, and installs other apps. It can even give hackers almost complete control of a phone. The ultimate goal is to hijack online accounts, especially bank accounts, and steal money.

The malware, dubbed "Alien" by its creators, is a new variant of the Cerberus banking Trojan. According to researchers at Amsterdam-based information-security firm ThreatFabric, the new malware does not share its predecessor's problems.

The Alien malware is embedded in fake fitness apps, fake Flash Player apps, fake coronavirus-related apps, and even fake versions of Google Update; ThreatFabric believes these apps are distributed mainly via malicious websites and SMS text messages.

"Many of them appear to be distributed via phishing sites, tricking victims (on malicious pages) into downloading fake software updates or fake Corona apps, for example," ThreatFabric malware analyst Gaetan van Diemen told ZDNet's Catalin Cimpanu. Once the device is infected, the malware collects the contact list so the contacts can be reused to spread the campaign further.

Alien-infected apps also ask for administrator privileges on the phone upon installation, which gives them access to other apps and to system settings. Typically, only antivirus apps and the Find My Device feature hold such privileges.

To protect yourself from Alien and other information-stealing mobile malware, do not download Android apps from anywhere but the Google Play store. However, malware can lurk in Google Play as well, so you should also install and use one of the best Android antivirus apps.

Also, do not grant administrative privileges to random apps, or to any app, unless you have a specific reason to do so.
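The advice above (only a security app and Find My Device should normally hold device-admin rights) can be turned into a quick check. The following script is an added example, not code from the article or from ThreatFabric: it parses the text that `adb shell dumpsys device_policy` prints and flags every enabled device administrator that is not on a short allowlist. The sample dumpsys text is constructed and the exact layout varies between Android versions, so the parser keys only on the "Enabled Device Admins" header and the indented `package/receiver:` lines under it; the allowlist entry `com.example.antivirus` is a placeholder for whatever antivirus app you actually use.

```python
"""Flag unexpected Android device administrators (added example).

Parses the output of `adb shell dumpsys device_policy` and reports enabled
device admins that are not on an allowlist. The sample text below is
constructed, not captured from a real device; real output differs between
Android versions, so the parser relies only on the section header and on
the indented `package/receiver:` lines that follow it.
"""
import re

# Assumed allowlist: the apps the article says normally hold device-admin
# rights. com.google.android.apps.adm is Google Find My Device; the
# antivirus entry is a placeholder for the user's chosen AV app.
EXPECTED_ADMINS = {
    "com.google.android.apps.adm",
    "com.example.antivirus",  # placeholder, not a real package
}

# Constructed sample of dumpsys output (approximate layout, not real data).
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Device Owner: null
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.apps.adm/.DeviceAdminReceiver:
      uid=10102
      policies:
        wipe-data
    com.example.fitnesstracker/.AdminReceiver:
      uid=10231
      policies:
        force-lock
        wipe-data
  Password policies:
"""

# A device-admin entry: exactly four spaces, package/receiver, trailing colon.
ADMIN_LINE = re.compile(r"^\s{4}([A-Za-z0-9_.]+)/(\S+):\s*$")
HEADER = re.compile(r"^\s*Enabled Device Admins")


def parse_device_admins(dump: str) -> list:
    """Return the package names of enabled device admins in dumpsys text."""
    admins = []
    in_section = False
    for line in dump.splitlines():
        if HEADER.match(line):
            in_section = True
            continue
        if in_section:
            # The section ends at the next two-space-indented heading.
            if line.startswith("  ") and not line.startswith("    "):
                in_section = False
                continue
            m = ADMIN_LINE.match(line)
            if m:
                admins.append(m.group(1))
    return admins


def unexpected_admins(dump: str, allowlist=EXPECTED_ADMINS) -> list:
    """Admins not on the allowlist; each deserves a look in Settings."""
    return [pkg for pkg in parse_device_admins(dump) if pkg not in allowlist]


if __name__ == "__main__":
    # Real use: adb shell dumpsys device_policy > dump.txt, then feed the file.
    for pkg in unexpected_admins(SAMPLE_DUMPSYS):
        print("unexpected device admin:", pkg)
```

Anything the script reports can be reviewed and revoked under Settings > Security > Device admin apps; a fitness tracker holding wipe-data rights, as in the constructed sample, is exactly the kind of entry the article warns about.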

Alien malware has already been modified to target users in more than a dozen countries, most notably Spain, Turkey, Germany, and the United States.

The malware obtains users' passwords by generating fake screens that mimic the login pages of at least 226 different Android apps. Several cryptocurrency apps have also been targeted.

Major banks in the U.S., Canada, and the U.K. have been targeted, including Bank of America, Capital One, Citibank, Chase, Fifth Third, SunTrust, TD Bank, US Bank, Wells Fargo, BMO, CIBC, National Bank of Canada, RBC, TD Canada, Barclays, HSBC, Lloyds Bank, NatWest, Royal Bank of Scotland, and TSB.

Alien is not limited to banking apps. Widely used online-service apps have also been targeted, including Amazon, AT&T, eBay, Facebook, Gmail, Google Play, Google Play Games, Instagram, Netflix, Outlook, PayPal, Skype, Snapchat, Telegram, Twitter, USAA, Viber, WhatsApp, and Yahoo.

Taking control of any of these accounts can give an attacker fairly deep insight into a person's life. An email account, for example, can be leveraged to seize other accounts that send their password-reset codes to that email address.

The fact that Alien can also read SMS messages and the one-time codes generated by Google Authenticator means that many forms of two-factor authentication offer no protection against it.

The full list of Alien's capabilities is quite breathtaking; ThreatFabric lists the following:

If none of the usual methods for stealing a user's password work, Alien has an ace up its sleeve that its predecessor, Cerberus, did not have.

Because Alien can install apps on its own, it installs the remote-control and screen-sharing application TeamViewer and uses it as a remote-access Trojan (RAT).

This gives the attacker an almost complete view of your phone and, in most cases, complete control: they can see everything you do on the phone and, in many cases, can do things themselves.

One saving grace is that once a scammer installs TeamViewer, it appears in the app tray, where you can see that it is there and remove it. According to ThreatFabric, however, that may not be the case for much longer.

"It would be logical for them to improve the RAT that is currently based on TeamViewer (and thus appears to be installed and running on the device)," ThreatFabric's blog post states.

"The obvious thought is that the number of new banking Trojans continues to grow, and many of them are embedding new and improved features to increase the success rate of fraud."
