A malicious Android application that was posing as a development tool was stealing users’ media files for over a year, researchers at Symantec warn.
The offending software was being distributed via Google Play, the official app storefront for Android, where it was posing as a development tool called “HTML Source Code Viewer,” published by Sunuba Gaming. The application had between 1,000 and 5,000 downloads when researchers discovered its nefarious activities.
Instead of offering development capabilities to unsuspecting users, the program was grabbing photos and videos from the compromised devices and was sending them to a remote server, Symantec researchers discovered.
To ensure that it could perform its malicious activities unhindered, the program requested a series of permissions that should have tipped users off on its hidden agenda. These include the ability to open network connections, access to information about networks, the permission to read from external storage, and the permission to write to external storage.
This is the second media-stealing app that was found in Google Play over the course of a month, after a piece of software called Beaver Gang Counter was found in late June to be engaging into similar behavior. That application, however, was targeting photos and videos from the popular social media app Viber.
The newly discovered malicious program, on the other hand, is targeting all of user’s personal photos and videos by searching for the files stored in “/DCIM/Camera” and “/DCIM/100LGDSC/” folders, which are the standard locations for this type of content. All of these files were then uploaded to a web server hosted on proqnoz.info, researchers say.
What’s more worrying than the fact that the server contains a great deal of personal photos and videos stolen from victims is that some of these files are dated as far back as March, 2015. “This personal media could be used for blackmailing, ransomware attacks, identity theft, pornography, and other forms of victimization,” Symantec’s Shaun Aimoto explains.
The security researchers also discovered that the attacker’s server is hosted in Azerbaijan and that the malicious application is targeting Gingerbread and newer versions of Android. Google was informed on the nefarious activities the HTML Source Code Viewer application was engaged into and has removed it from Google Play.
Related: Android Malware Gang Makes $10,000 a Day: Report
Related: Information-Collecting Android Keyboard Tops 50 Million Installs
More from SecurityWeek News
- Threat Hunting Summit Virtual Event NOW LIVE
- Video: ESG – CISO’s Guide to an Emerging Risk Cornerstone
- Threat Modeling Firm IriusRisk Raises $29 Million
- SentinelOne Announces $100 Million Venture Fund
- Today: 2022 CISO Forum Virtual Event
- Cymulate Closes $70M Series D Funding Round
- SecurityWeek to Host CISO Forum Virtually September 13-14, 2022: Registration is Open
- Privilege Escalation Flaw Haunts VMware Tools
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
