Ferry

Malware Attack on Android: Be Careful!

Posted 07/07/22


Malware attacks on Android devices have increased in recent years; it is estimated that more than 10 million Android users have been affected by malware. In this article, I will explain the main malware families currently emerging on Android and how to protect your application, and its users, from them.

What is a Malware Attack on Android?

Malware is a general term for any malicious software. On Android it usually means applications built to attack users, manufacturers, or developers; adware, spyware, and the banking trojans described below are all malware.

How Can Malware Attack Android?

A simple threat model for Android covers three common attack vectors:

  • Malicious code is installed through an app download, including from an official store.
  • An existing, apparently benign app downloads new malicious code after installation (a dropper).
  • An attacker injects malicious code directly into the device’s existing system or apps.

What Kinds of Malware Are on Android?


SharkBot Malware on Android

SharkBot is an Android banking malware found at the end of October 2021 by the Cleafy Threat Intelligence Team. At the time of writing, SharkBot has no known relationship with other Android banking malware such as FluBot, Cerberus/Alien, Anatsa/TeaBot, or Oscorp.

According to the Cleafy blog post, the main goal of SharkBot is to initiate money transfers from compromised devices via an Automatic Transfer System (ATS). ATS is an advanced technique that is not commonly seen in Android malware: it auto-fills fields in legitimate mobile banking apps and initiates the transfer by itself, whereas other Android banking malware such as Anatsa/TeaBot or Oscorp needs a live operator to enter and authorize each transfer. ATS therefore lets the adversaries scale up their operations with minimal effort.

The ATS feature lets the malware receive a list of UI events from its C2 server and replay them on the device, simulating touches, clicks, and button presses. The same mechanism is used both to move money and to install other malicious applications or components automatically. The SharkBot version found in the Google Play Store appears to be a reduced build with only the minimum required features, such as ATS, which it uses to install the full version of the malware some time after the initial install.

Because it was distributed through the Google Play Store as a fake antivirus, SharkBot also uses already-infected devices to spread the malicious app. It does this by abusing Android’s ‘Direct Reply’ notification feature: it automatically replies to incoming notifications with a message telling the recipient to download the fake antivirus app. The same Direct Reply spreading strategy was recently seen in another banking malware, FluBot, as reported by ThreatFabric.

What is interesting and different from the other families is that SharkBot likely uses ATS also to bypass multi-factor authentication mechanisms, including behavioral detection and biometrics, because the transfer is performed on the victim’s own, already-authenticated device. At the same time, it includes more classic features to steal users’ credentials.

Escobar Malware on Android

Escobar is a new variant of the Aberebot banking trojan. It widens Aberebot’s information-stealing capabilities by abusing features built into the smartphone to collect as much information as possible, take complete control of victims’ accounts, empty them, and perform unauthorized transactions.

Among the 25 permissions it requests, it abuses 15, which let the malware (among other things) record audio, read and send SMS messages, take screenshots, uninstall apps, obtain the precise location of the device, and exfiltrate media files from the device.

Escobar can also steal Google Authenticator multi-factor authentication (MFA) codes, SMS messages, call logs, keystroke logs, and notifications, all of which it sends to its C2 server.

Lastly, Escobar gives affiliate malware distributors control of the device through VNC Viewer, a screen-sharing tool with remote-control features. Once the phone is unattended, the threat actors can essentially do whatever they want with it.

Cyble, the cybersecurity company that has written extensively about Aberebot and Escobar, notes that highly sophisticated malware like Escobar is distributed only from sources outside the Google Play Store.

Google Play is far from perfect (SharkBot above got in as a fake antivirus), but the best way to minimize the chance of an Escobar infection is to install apps only from there. Android users should also keep Google Play Protect enabled on their device and use a mobile security solution.

Octo Banking Trojan

The Octo banking trojan has a remote-access capability and uses anti-detection and anti-removal techniques. Remote access lets the cybercriminals behind Octo perform on-device fraud, initiating transactions from the infected device itself. None of this is possible unless the user enables Accessibility Services for the malicious app.

Octo can capture screen contents in real time, perform overlay attacks on banking and other apps, and log keystrokes. These features let the attackers capture entered credentials, the lock pattern or PIN used to unlock the device, and websites visited in the Chrome browser. They also let them record which elements were clicked (every click and tap made on the device) and steal contacts.

Moreover, Octo can receive commands from its C2 server to block push notifications from specified apps, enable or disable SMS interception, stop the trojan, open websites, show push notifications, launch apps, send text messages, and so on.
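SharkBot’s ATS and Octo’s overlays and screen capture all rely on a third-party accessibility service or a window drawn over the banking app. The following is an added example, written for this article and not code from the original post or from any of the malware reports it cites, of what a banking app can do on its own sensitive screen: refuse to proceed while an unexpected accessibility service is enabled, drop touches that arrive through an overlay, and mark the window secure against screen capture. The allow-list package name and the activity are assumptions.

```kotlin
// Added example, not code from the original post. App-side mitigation for
// accessibility-driven ATS (SharkBot) and overlay / screen-capture attacks (Octo).
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Bundle
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.Button
import android.widget.LinearLayout
import android.widget.TextView

/** Accessibility services the app tolerates on a sensitive screen (hypothetical allow-list). */
val ALLOWED_A11Y = setOf("com.google.android.marvin.talkback")

/** Package names of enabled accessibility services that are not on the allow-list. */
fun unexpectedAccessibilityServices(context: Context): List<String> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { it.resolveInfo.serviceInfo.packageName }
        .distinct()
        .filter { it !in ALLOWED_A11Y }
}

class TransferActivity : Activity() {
    private lateinit var status: TextView
    private lateinit var confirm: Button

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE blocks screenshots and MediaProjection recording of this window.
        // It does not stop an accessibility service reading the view tree, hence onResume().
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                        WindowManager.LayoutParams.FLAG_SECURE)

        status = TextView(this)
        confirm = Button(this).apply {
            text = "Confirm transfer"
            // Discard touches delivered while another window (an overlay) covers this button.
            filterTouchesWhenObscured = true
            setOnClickListener { submitTransfer() }
        }
        setContentView(LinearLayout(this).apply {
            orientation = LinearLayout.VERTICAL
            addView(status)
            addView(confirm)
        })
    }

    override fun onResume() {
        super.onResume()
        // Re-check each time the screen is shown: a service may have been enabled meanwhile.
        val suspects = unexpectedAccessibilityServices(this)
        confirm.isEnabled = suspects.isEmpty()
        status.text = if (suspects.isEmpty()) "Ready"
                      else "Transfers are disabled while these accessibility services are active: " +
                           suspects.joinToString()
    }

    private fun submitTransfer() {
        // The real transfer request goes here. The server must still run its own fraud checks:
        // an on-device check can be defeated by malware with enough privilege on the device.
        status.text = "Transfer submitted"
    }
}
```

The accessibility check is a heuristic, not a guarantee: legitimate assistive technology also uses these APIs, so the allow-list and the decision to block are policy choices for the bank, and the server-side transaction checks remain the last line of defence.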

How Do I Prevent Malware Attacks on My Apps?


In a modern world where data breaches and cybersecurity threats are all too common, ensuring the security of your app becomes a top priority.

Step 1: Hire a Dedicated Team

If you are concerned about the security of your app, bring the development team in from the beginning and make sure security receives adequate funding. With the help of a dedicated team from us, start planning the security measures you will take.

Also consult the development team whenever the app changes or the plan is revised substantially, so everyone knows what to do if something unexpected occurs.

Step 2: Use APIs With Caution

Backend development requires an application programming interface (API), which lets applications communicate with one another. Because APIs are outward-facing, they are a security risk. Each client should present a credential (for example, an API key) before it can read or change data on your platform. Keep in mind, though, that an API key compiled into a mobile app can be recovered from the APK, so at best it identifies the app, never the user; authenticate users separately with the session tokens discussed in the next step. To make your backend even more secure, put an API gateway in front of it so that authentication, rate limiting, and input validation are enforced in one place.

Step 3: Handle Sessions with Tokens

Wikipedia’s entry on security tokens says, “A token is a small hardware device that a user carries to authorize access to a network service.” The tokens modern app developers use to manage sessions are different: they are opaque or signed strings issued by the server after login, sent with every request, and given a short lifetime. Unlike a long-lived password, a session token can easily be revoked on the server the moment a device is lost or an account is compromised.
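As an added example (written for this article, not code from the original post), here is a minimal server-side session store in Kotlin/JVM that shows the two properties the step asks for, short lifetime and revocation, plus one more a practitioner would want: the server stores only a hash of each token, so a leaked session table does not hand an attacker live sessions. The TTL value, user IDs, and the in-memory map standing in for a database are assumptions.

```kotlin
// Added example, not code from the original post: opaque, hashed, expiring, revocable session tokens.
import java.security.MessageDigest
import java.security.SecureRandom
import java.time.Instant
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap

class SessionStore(
    private val ttlSeconds: Long = 900,                   // assumed 15-minute idle lifetime
    private val clock: () -> Instant = Instant::now       // injectable for tests
) {
    private data class Session(val userId: String, val expiresAt: Instant)

    // Keyed by SHA-256 of the token, never by the token itself (stand-in for a DB table).
    private val sessions = ConcurrentHashMap<String, Session>()
    private val rng = SecureRandom()
    private val b64 = Base64.getUrlEncoder().withoutPadding()

    private fun fingerprint(token: String): String =
        b64.encodeToString(MessageDigest.getInstance("SHA-256").digest(token.toByteArray(Charsets.UTF_8)))

    /** Issue a 256-bit random token. It is returned to the client once; only its hash is kept. */
    fun issue(userId: String): String {
        val raw = ByteArray(32).also(rng::nextBytes)
        val token = b64.encodeToString(raw)
        sessions[fingerprint(token)] = Session(userId, clock().plusSeconds(ttlSeconds))
        return token
    }

    /** Returns the user ID if the token is known and unexpired, otherwise null. */
    fun validate(token: String): String? {
        val key = fingerprint(token)
        val s = sessions[key] ?: return null
        if (clock().isAfter(s.expiresAt)) {
            sessions.remove(key)                         // lazy cleanup of expired sessions
            return null
        }
        return s.userId
    }

    /** Revoke one session (logout, or "sign out this device"). */
    fun revoke(token: String) { sessions.remove(fingerprint(token)) }

    /** Revoke every session of a user (password change, account compromise). */
    fun revokeAllFor(userId: String) { sessions.entries.removeIf { it.value.userId == userId } }
}

fun main() {
    var now = Instant.parse("2022-07-07T00:00:00Z")        // constructed, controllable clock
    val store = SessionStore(ttlSeconds = 60, clock = { now })

    val t = store.issue("alice")
    check(store.validate(t) == "alice")
    check(store.validate("not-a-real-token") == null)

    now = now.plusSeconds(61)                              // past the TTL
    check(store.validate(t) == null)

    val t2 = store.issue("alice")
    store.revokeAllFor("alice")
    check(store.validate(t2) == null)
    println("session store ok")
}
```

Because the token is random rather than derived from user data, its hash can be used directly as the lookup key; a signed token (such as a JWT) would still need a server-side revocation list to get the same "revoke now" behaviour.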

Step 4: Authentication at the highest level

Weak authentication is the cause of many security breaches, so stronger authentication is becoming increasingly important. Passwords are still the most common factor, and as an app developer it is your responsibility to encourage your users to choose strong ones.

You could, for example, require a minimum password length, check new passwords against lists of known-breached passwords, and rate-limit login attempts. Forcing users to rotate passwords every six months is no longer recommended (NIST SP 800-63B advises against periodic changes unless there is evidence of compromise), because it pushes users toward predictable variations of the same password.

Two-factor authentication is another excellent way to secure a mobile app: the user is prompted for a code sent to their phone or e-mail in addition to the password. Keep in mind what the malware above does, though: Escobar reads SMS messages, notifications, and Google Authenticator codes, and SharkBot automates the banking app on the victim’s own device, so a second factor delivered to a compromised phone can be captured or bypassed. Authenticator apps are better than SMS, and hardware-backed credentials (FIDO2/passkeys) are stronger still. Biometrics such as fingerprint and face recognition are also common, but they only unlock a credential stored on the device; they do not help if the device itself is controlled by malware.
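The server side of an authenticator-app factor is a TOTP check. The following is an added example (written for this article, not code from the original post) of RFC 6238 TOTP verification in Kotlin/JVM, including the two details that are easy to get wrong: accepting one time step of clock skew on either side, and refusing a code from a step the user has already consumed, so a code captured by malware cannot be replayed while it is still within the window. The test secret and times are the published RFC 6238 vectors; the `lastUsedStep` bookkeeping is an assumption about how the server stores per-user state.

```kotlin
// Added example, not code from the original post: RFC 6238 TOTP with skew window and replay check.
import java.nio.ByteBuffer
import java.security.MessageDigest
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

object Totp {
    private const val STEP_SECONDS = 30L
    private const val DIGITS = 6

    /** RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, 6 digits. */
    fun hotp(secret: ByteArray, counter: Long): String {
        val mac = Mac.getInstance("HmacSHA1").apply { init(SecretKeySpec(secret, "RAW")) }
        val hash = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array())
        val offset = hash[hash.size - 1].toInt() and 0x0f
        val binary = ((hash[offset].toInt() and 0x7f) shl 24) or
                     ((hash[offset + 1].toInt() and 0xff) shl 16) or
                     ((hash[offset + 2].toInt() and 0xff) shl 8) or
                     (hash[offset + 3].toInt() and 0xff)
        return (binary % 1_000_000).toString().padStart(DIGITS, '0')
    }

    /** RFC 6238 TOTP: HOTP with the counter derived from Unix time. */
    fun totp(secret: ByteArray, unixSeconds: Long): String = hotp(secret, unixSeconds / STEP_SECONDS)

    /**
     * Verify a user-supplied code. Accepts one step of skew either way, but never a step at or
     * before lastUsedStep (the step of the last code this user successfully used), which
     * closes the replay window. Returns the accepted step so the caller can persist it, or null.
     */
    fun verify(secret: ByteArray, code: String, unixSeconds: Long, lastUsedStep: Long): Long? {
        val now = unixSeconds / STEP_SECONDS
        for (step in (now - 1)..(now + 1)) {
            if (step <= lastUsedStep) continue
            // Constant-time comparison so response timing leaks nothing about the expected code.
            if (MessageDigest.isEqual(hotp(secret, step).toByteArray(), code.toByteArray())) return step
        }
        return null
    }
}

fun main() {
    val secret = "12345678901234567890".toByteArray(Charsets.US_ASCII) // RFC 6238 test secret
    check(Totp.totp(secret, 59) == "287082")            // RFC 6238 Appendix B, last 6 digits of 94287082

    var lastUsedStep = -1L                              // nothing consumed yet (assumed initial state)
    val accepted = Totp.verify(secret, "287082", 59, lastUsedStep)
    check(accepted == 1L)                               // 59 / 30 = step 1
    lastUsedStep = accepted

    // Same code presented 16 seconds later, still inside the skew window: refused as a replay.
    check(Totp.verify(secret, "287082", 75, lastUsedStep) == null)
    // A wrong code is refused too.
    check(Totp.verify(secret, "000000", 75, lastUsedStep) == null)
    println("totp ok")
}
```

Persist `lastUsedStep` per user wherever the TOTP secret lives, and rate-limit verification attempts: with six digits and a three-step window, an unthrottled endpoint can be brute-forced.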

Step 5: Make Use of the Best Encryption Techniques and Tools

The first step toward better encryption is a key management system. On Android, keep keys in the Android Keystore, which holds them in hardware-backed storage (a TEE or secure element on most current devices) and never exposes the key material to your app, let alone to other apps. Never write keys to the device’s local storage, and never hard-code them in the APK, where they can be recovered by anyone who unpacks it.

Step 6: Impose Access Policies

Use only well-maintained, trusted libraries and frameworks, keep them updated, and remove the ones you do not need, to reduce your app’s attack surface. The app you are creating should also comply with your organization’s IT policies and with Google Play’s and Apple’s App Store policies.

Step 7: Test, Test, and Test Again

Many developers, let’s face it, do not test their code. QA is essential to producing high-quality code, and application security testing is a critical part of the QA process for any mobile app.

To create a secure app, your QA team should review the code regularly and look for security flaws that could lead to data breaches.

Summary

While developing mobile apps, developers must be aware of the risks posed by cybersecurity threats and data breaches. By implementing the mobile app security measures described above, they can protect both the apps and their data. These measures are simple to put in place; if you are still unsure how to proceed, you can contact us to improve your app security.
