A remotely controlled malware capable of intercepting and sending SMS, displaying fake activity, and downloading and installing other apps was recently found lurking behind every app on a Turkish alternative Android app store. On the back of this, Internet security company ESET East Africa has issued an alert to users of devices running the Android platform to be wary of alternative app stores’ potential to spread malware, including screen-locking malware.
The alert comes after cyber-crime researchers discovered that www.CepKutusu.com, a Turkish alternative Android app store, was spreading malware under the guise of every Android app offered on the site. When users browsed CepKutusu.com and proceeded to download an app, the “Download now” button led to banking malware detected as Android/Spy.Banker.IE instead of the desired app.
According to Teddy Njoroge, ESET’s country manager for Kenya, ransomware is a fast-growing problem for users of mobile devices.
“Just like SMS trojans, ransomware threats have evolved over the past few years, with hackers adopting techniques that have proven effective in regular desktop malware to develop lock-screen types and file-encrypting ransomware. These have been causing major financial and data losses for years and have now made their way to the Android platform,” he said.
After ESET researchers contacted the store’s operator with their findings, the store ceased the malicious activity. ESET Android malware researcher Lukas Stefanko said this was an entirely new tactic by cybercriminals.
“This is the first time I’ve seen an entire Android market infected like that. Within the Windows ecosystem and in browsers, this technique is known to have been used for some time but in the Android ecosystem, it’s really a new attack vector,” he said.
Although the misdirection on www.CepKutusu.com was from a legitimate app to the banking malware, the crooks behind the campaign added an exception, a tactic commonly used to increase the chances of staying under the radar for longer.
The attackers introduced a seven-day window after each malicious download during which the same user was served clean download links; only once the period lapsed would an attempt to download any application from the store be redirected to the malware again. A single repeat check from an already-infected device during that window would therefore show nothing wrong.
Although focused on Turkey and parts of Europe, the incident points to the growing appetite among attackers for mobile malware delivered through masking tactics that hoodwink users, which could soon become one of the biggest cybersecurity problems yet.
To protect yourself, experts say that users should download apps only from official app stores and practice caution when downloading any content from the Internet. Always pay attention to anything suspicious in a file’s name, size or extension, and use a reliable mobile security solution to protect against the latest threats.
Game mode
And if you thought that these threats only affect smartphones, think again. A new threat targeting gamers worldwide with backdoor, spying and DDoS capabilities was discovered in August. Spread via Aeria games published on unofficial websites, the sneaky malware, named Joao, is modular malware capable of downloading and running other malicious code on the victim’s computer. To spread it, the attackers behind Joao have misused massively multiplayer online role-playing games (MMORPGs) originally published by Aeria Games.
Several other Aeria games have been misused in the same way in the past; however, their corresponding unofficial websites have either gone inactive or had the malicious downloads removed in the meantime. The affected games have been modified to run Joao’s main component, a malicious library with downloading capabilities named mskdbe.dll, detected as Win32/Joao. When users run the game launcher, Joao is launched along with it.
Upon launching, the Joao downloader first sends basic information about the infected computer – device name, OS version and information on user privileges – to the attacker’s server. Because the malware keeps its operations “silent” and the game works as expected, there’s nothing suspicious about the whole infection process from the user’s point of view. Compared to downloading and launching a legitimate Aeria game, the only visible difference is an extra .dll file in the game’s installation folder that needs a very keen eye to detect.
After communication with the server has been established, server-side logic decides whether, and which, components will be sent to the victim’s computer. The components discovered showed backdoor, spying and DDoS capabilities. To remove the malware, one can use a reliable security solution to detect and clean the threat.
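The only visible sign of a Joao infection described above is an extra .dll in the game’s installation folder, which is exactly the kind of change a file-integrity baseline catches. The following is an added example, not code from the article or from ESET: it hashes a clean game folder into a manifest and later reports files that were added, removed or modified, flagging loadable modules (.dll/.exe) in particular. The folder layout, the launcher and library contents and the baseline are constructed stand-ins; only the file name mskdbe.dll is taken from the write-up.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(install_dir: Path) -> dict:
    """Map every file under install_dir (relative POSIX path) to its SHA-256.

    Run this once against a clean install obtained from the official source
    and keep the result (e.g. as JSON) somewhere the game cannot rewrite it.
    """
    manifest = {}
    for p in sorted(install_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(install_dir).as_posix()] = sha256_file(p)
    return manifest


def diff_against_manifest(install_dir: Path, manifest: dict) -> dict:
    """Compare the folder's current state with the baseline manifest."""
    current = build_manifest(install_dir)
    added = sorted(set(current) - set(manifest))
    removed = sorted(set(manifest) - set(current))
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    # Executable modules that were not in the baseline, or whose hash changed,
    # are the case the article describes: a launcher modified to load an extra DLL.
    suspicious = sorted(p for p in added + modified if p.lower().endswith((".dll", ".exe")))
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious_modules": suspicious}


def demo() -> dict:
    """Build a constructed game folder, baseline it, then plant a trojanised copy."""
    with tempfile.TemporaryDirectory() as tmp:
        game = Path(tmp) / "AeriaGame"
        (game / "data").mkdir(parents=True)
        # Constructed placeholders; real files would be PE images.
        (game / "launcher.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (game / "engine.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (game / "data" / "config.ini").write_text("fullscreen=1\n")
        baseline = build_manifest(game)

        # Simulate the unofficial download: an extra DLL (name from the ESET
        # write-up) and a launcher patched to load it.
        (game / "mskdbe.dll").write_bytes(b"MZ" + b"\x02" * 64)
        (game / "launcher.exe").write_bytes(b"MZ" + b"\x00" * 60 + b"LOAD")
        return diff_against_manifest(game, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must come from a trusted copy: hashing a folder that was already downloaded from an unofficial site only enshrines the infection. In practice store the manifest outside the game directory and compare after every update or re-download.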
To avoid infections, gamers are advised to favor official sources whenever possible and to keep all games updated to avoid vulnerabilities that can be exploited by malicious actors.
In addition, they should use a reliable security solution while playing; many security solutions today have a gamer mode option that lets you enjoy your games without interruptions while keeping your computer protected.