Android Trojan Infrastructure Serves Fake Adobe Flash Apps

The recently discovered Red Alert 2 Android Trojan is using an infrastructure that serves fake Adobe Flash Android apps to unsuspecting users, RiskIQ has discovered.

The threat was first detailed last month, when SfyLabs researchers revealed that communication between infected bots and the command and control (C&C) server was performed using Twitter. Written from scratch, Red Alert is capable of stealing login credentials, intercepting SMS messages, and stealing contacts.

Targeting financial institutions and media organizations, the malware uses overlays to steal banking credentials and can also block and log incoming calls from banks, preventing the victim from being alerted to the intrusion.

Now, the RiskIQ researchers say they have managed to identify the infrastructure related to the malware. Starting from a single domain (which resolves to IP address 185.48.56[.]83), the researchers were able to find the email address used to register the domain ([email protected]) and discovered eight additional domains of interest.

The researchers found two malicious apps purporting to be Adobe Flash Player updates, hosted on two of these sites, namely g-shoock[.]xyz and g-shoock[.]ru.

These malicious apps request permissions to access the network state, get running tasks, connect to the Internet, read the phone state and SMS, receive SMS messages, and write SMS. They also request the RECEIVE_BOOT_COMPLETED, SYSTEM_ALERT_WINDOW, and WAKE_LOCK permissions.
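The permission set described above is a useful triage signal on its own: SMS access combined with the overlay permission and boot persistence is characteristic of an overlay banker. The following is an added example (not code from the article or from RiskIQ) that scores a decoded AndroidManifest.xml against that combination; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest is constructed to mirror the permissions listed above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest mirroring the permission set described for the fake Flash apps.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.flashplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Indicator groups; each group maps to one capability of an overlay banker.
INDICATORS = {
    "sms_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                         "android.permission.WRITE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.WAKE_LOCK"},
    "foreground_tracking": {"android.permission.GET_TASKS"},
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}

def banker_indicators(manifest_xml: str) -> dict:
    """Map each indicator group to the sorted list of matching permissions actually requested."""
    perms = requested_permissions(manifest_xml)
    return {name: sorted(perms & group) for name, group in INDICATORS.items() if perms & group}

def looks_like_overlay_banker(manifest_xml: str) -> bool:
    """Flag only the full combination: overlay + SMS interception + boot persistence."""
    hits = banker_indicators(manifest_xml)
    return {"overlay", "sms_interception", "persistence"} <= hits.keys()
```

Each permission in isolation is common in legitimate apps; the heuristic fires only on the combination, which keeps false positives low when run across an app inventory.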

The two domains, which started resolving around the beginning of June 2017, revealed connections to a larger actor-owned infrastructure: in passive DNS they overlap with the same IP address first associated with Red Alert.

The security researchers also discovered that the infrastructure is still active and that the actor has registered additional Adobe Flash typosquatting domains in recent days. These domains are likewise used to serve APK files for download.

“While, at this time, VirusTotal shows the APK file in question as not malicious, its connection to infrastructure previously connected to known malicious apps and the fact that the domains are typosquatting Adobe’s brand leads RiskIQ to assess that this is, in fact, malicious,” the security researchers note.

Last month, SfyLabs revealed that Red Alert would also masquerade as popular applications such as WhatsApp and Viber, Google Market update, and even Android system updates. The researchers also noted that the Trojan was targeting at least 60 banking applications with HTML overlays.

Related: New “Red Alert” Android Banking Trojan Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
