Symantec has identified new malware targeting Google Android devices that collects personal data.
The malware, detected as Android.Exprespam, is spread through the spamming of links to fake Google Play pages. These pages are hosted on a server located in Washington.
“It is worth noting that the site actually calls itself Gcogle Play,” blogged Symantec threat analyst Joji Hamada. “The domain for the website was registered on December 27 and the malicious APK file contains a signature valid from January 2.”
“We have confirmed nine different app pages on this site, although the downloaded app is the same in each case,” according to Hamada. “A couple of the fake app pages resemble the type of fake tools used by older malware, but most are new types of fake tools. The scammers have made available a variety of apps in the hope that it increases the chances of the apps being installed. This is a distinct ramping up of activities as older malware masqueraded at most as three apps on a site simultaneously.”
The installation screen lists the permissions the malware requests, which include access to personal information, the phone's state and identity, and account information. An app of the kind being advertised would have no reason to request this combination of permissions, the researcher noted.
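The permission set is the first thing a responder can check on a sample like this, so here is a small triage script (added here as an illustration; it is not Symantec's tooling or anything from the original post). It parses a decoded AndroidManifest.xml and flags an app that asks for the permission mix described above together with network access. Mapping the article's wording to concrete permission names (READ_CONTACTS, READ_PHONE_STATE, GET_ACCOUNTS) is my assumption, and the two manifests below are constructed for the example. Note that the manifest inside a real APK is binary-encoded; decode it first (for instance with apktool) before feeding it to this parser.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed mapping from the permission groups named in the article to
# concrete permission strings; the article itself gives only the groups.
SENSITIVE = {
    "personal information": {"android.permission.READ_CONTACTS"},
    "phone state and identity": {"android.permission.READ_PHONE_STATE"},
    "account information": {"android.permission.GET_ACCOUNTS"},
}

# Constructed manifest resembling what the article describes: a "tool" app
# that asks for identity/account data plus network access.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.faketool">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Fake Tool"/>
</manifest>
"""

# Constructed benign manifest: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Benign"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(NAME_ATTR)
        if name:
            perms.add(name)
    return perms


def sensitive_groups(perms):
    """Names of the sensitive groups (from SENSITIVE) that `perms` touches."""
    return sorted(g for g, names in SENSITIVE.items() if names & perms)


def triage(manifest_xml):
    """Flag an app that can both collect identity data and send it out.

    The threshold (two or more sensitive groups plus INTERNET) is a
    heuristic chosen for this example, not a published detection rule.
    """
    perms = requested_permissions(manifest_xml)
    groups = sensitive_groups(perms)
    flagged = len(groups) >= 2 and "android.permission.INTERNET" in perms
    return {
        "permissions": sorted(perms),
        "sensitive_groups": groups,
        "flag": flagged,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The heuristic is deliberately coarse: it is a triage filter, not a verdict. Many legitimate apps request one of these permissions, so the signal is the combination, plus the mismatch between what the app claims to be and what it asks for.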
“Once installed and opened, the malware informs the user that the app is incompatible with the device,” Hamada noted. “However, personal data is sent surreptitiously to a server.”
Unlike most Android malware seen at the time, it uploads the stolen information over Secure Sockets Layer (SSL), so the exfiltrated data is encrypted in transit. That hides the contents from simple network inspection, although the connection to the collection server itself remains visible.
“So why would the creators go out of their way to encrypt the stolen information? It is only speculation on my part but perhaps it may be in order to make it look like they were taking measures to protect the collected data in the same manner as a responsible business,” the researcher blogged. “It is possible that the malware author(s) may use this in their defense if they are ever arrested.”
Hamada urged consumers to think twice before clicking on links in emails they receive from unknown sources.
More from Brian Prince