Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Millions Impacted by Credential-Stealers in Google Play

During October and November 2017, Kaspersky Lab researchers discovered 85 applications in Google Play that were designed to steal credentials for Russian social network VK.com. One of the malicious applications had more than a million downloads.

During October and November 2017, Kaspersky Lab researchers discovered 85 applications in Google Play that were designed to steal credentials for Russian social network VK.com. One of the malicious applications had more than a million downloads.

While most of the applications were listed in the marketplace in October and gathered fewer than 1,000 installations, some were uploaded in July and proved to be highly popular among users. Seven of the apps had between 10,000 and 100,000 downloads, while nine had between 1,000 and 10,000 installations.

The most popular of the apps masqueraded as a game. It was submitted to Google Play in April 2017 without malicious code in it, but an update in October 2017 added the information stealing capabilities. The game gathered more than 1 million downloads in the seven months it was active on Google Play.

Most of the offending applications were designed to look like apps for the VK.com social platform, supposedly allowing users to listen to music or monitor user page visits. Because apps of this type normally ask for the user to log into their account, they didn’t raise suspicion. Some of the programs were game apps.

The campaign was targeted at VK users only. The platform is highly popular in CIS countries, and the malicious apps first checked the device language and only asked for login credentials if Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Belarusian, Kyrgyz, Romanian, Tajik, and Uzbek were in use, Kaspersky has discovered.

The actors behind these apps had been publishing their malicious applications in Google Play for over two years, so they had to modify their code to bypass detection, Kaspersky’s researchers say.

The recently observed apps used a modified VK SDK with tricky code, which served the standard login page to the user, relied on malicious JS code to steal credentials from the login page and pass them back to the app. The stolen credentials were encrypted and then uploaded to a remote server.

Most of the malicious apps had the described functionality, but some were slightly different: they also used malicious JS code from the OnPageFinished method for extracting credentials and for uploading them.

Advertisement. Scroll to continue reading.

“We think that cybercriminals use stolen credentials mostly for promoting groups in VK.com. They silently add users to promote various groups and increase their popularity by doing so. We have reason to think so because there were complaints from some infected users that their accounts had been silently added to such groups,” Kaspersky says.

The researchers also note that other Google Play apps submitted by these miscreants were published as unofficial clients for popular messaging app Telegram. Built using an open source Telegram SDK, these apps would work just as any other such software, but they would also add users to promoted groups/chats (based on a list received from the server).

The credential-stealing apps are detected as Trojan-PSW.AndroidOS.MyVk.o. Kaspersky reported 72 of the apps to Google, all of which were removed (13 apps had been removed before). The malicious Telegram clients are detected as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a. They too were removed from Google Play.

Related: 100 Million Passwords For Sale From Russian Social Network VK

Related: Terdot Banking Trojan Could Act as Cyber-Espionage Tool

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.