A new wave of fraudulent apps has hit the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula, with over 700,000 downloads before McAfee Mobile Research found them and worked with Google to remove them.
The malware is built into photo editors, wallpapers, puzzles, keyboard skins, and other applications. The malicious programs intercept SMS notifications and then make unauthorized purchases. Legitimate applications go through a verification process before entering Google Play; the fraudulent applications got into the store by submitting a “clean” version of the application for review, with the malicious code introduced later through an update.
McAfee Mobile Security identifies this threat as Android/Etinu and warns mobile users that there is a threat when using these applications. The McAfee Mobile Research team continues to monitor this threat and is working with Google to remove these and other malicious apps from Google Play.
As always, the most malicious features appear at the final stage. The malware hijacks a notification listener to steal incoming SMS messages, as the Android Joker malware does, without needing permission to read SMS. Working as a chain, the malware then passes the notification object to the final stage. When the notification comes from the default SMS package, the message is finally sent out using the WebView JavaScript interface.
The researchers concluded that fraudsters could obtain information about the user's communications operator, phone number, SMS messages, IP address, country, etc.
Will there be similar threats in the future?
We expect that threats using the notification listening feature will continue to evolve. The McAfee Mobile Research team continues to monitor these threats and protect customers by analyzing potential malware and working with app stores to remove it. However, it is important to pay special attention to applications that request permissions related to SMS and to listening to notifications. Real photo editing or wallpaper applications simply won't ask for them, because they do not need them to run. If the request seems suspicious, do not accept it.
Based on materials from McAfee
