A new Android malware that impersonates the Google Chrome app self-propagates and has already spread to hundreds of thousands of people in the last few weeks. Attackers launched a sophisticated hybrid cyberattack campaign that relies on a fake app and mobile phishing.
Researchers at Pradeo, which has been tracking the campaign, published an analysis of the attackers’ tactics and malware on Monday.
They say the attack starts with basic “smishing.” Victims receive an SMS text asking them to pay a fee to receive a package. If they click the provided button, they see a window asking them to update the Chrome app. Instead of Chrome, they download the malware. The malware opens a phishing page that asks them to pay a small amount (usually $1 or $2), and this is where the hackers harvest credit-card details.
Combining an efficient phishing technique, the propagation malware, and several bypasses of security solutions, the campaign is particularly effective, Pradeo researchers say.
“The attack could be the work of a regular level but very ingenuous cybercriminal,” Pradeo’s Roxane Suau told Threatpost. “All the techniques (code concealment, smishing, data theft, repackaging…) used separately are not advanced, but combined they create a campaign that is hard to detect, that spreads fast and tricks many users.”
The campaign started at the beginning of May and has been targeting victims in several European countries. Given how effective it is, researchers say it could spread far beyond Europe.
The campaign propagates with the help of the fake Chrome app, which silently sends text messages in the background. In a week, it can send out more than 2,000 messages from infected devices. The app does not take recipients’ phone numbers from the victim’s contact list but generates them randomly. However, the numbers seem to follow a sequential pattern, researchers said.
“Every device hosting the malware automatically sends 300 phishing SMS per day,” Suau said. “Every time someone falls victim, it greatly multiplies the propagation.”
The malware uses the official Chrome app’s icon and name, therefore users end up with two Chrome apps, “but its package, signature and version have nothing in common with the official app.”
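Two of the indicators above (a second “Chrome” whose package and signature do not match the official app, and roughly 300 outbound SMS per day to sequentially generated numbers) translate directly into detection rules. The following is an added example written for this article, not code from Pradeo or Threatpost; it runs over constructed telemetry, and the official signer hash is a placeholder to be replaced with the real certificate fingerprint.

```python
# Added example: detection heuristics for the fake-Chrome SMS worm's
# indicators (label/package mismatch, ~300 SMS/day to sequential numbers).
# Telemetry below is constructed; the signer hash is a placeholder.
OFFICIAL_CHROME_PACKAGE = "com.android.chrome"   # real package name of Google Chrome
OFFICIAL_CHROME_SIGNER = "PLACEHOLDER_SHA256_OF_REAL_CHROME_SIGNING_CERT"
DAILY_SMS_THRESHOLD = 200   # normal users rarely approach the 300/day the worm sends

def impersonating_apps(installed):
    """installed: list of dicts with label/package/signer (e.g. from an MDM
    inventory). Returns packages that present as Chrome but differ from the
    official package name or signing certificate."""
    return [a["package"] for a in installed
            if a["label"].strip().lower() == "chrome"
            and (a["package"] != OFFICIAL_CHROME_PACKAGE
                 or a["signer"] != OFFICIAL_CHROME_SIGNER)]

def sequential_ratio(destinations):
    """Fraction of adjacent destination numbers (sorted numerically) that
    differ by exactly 1; traffic to a real contact list scores near 0."""
    nums = sorted(int("".join(c for c in d if c.isdigit())) for d in destinations)
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)

def suspicious_senders(sms_log, min_daily=DAILY_SMS_THRESHOLD, min_seq=0.5):
    """sms_log: iterable of (device_id, day, destination). Flags devices whose
    outbound volume on any day meets the threshold AND whose destinations look
    sequentially generated rather than drawn from a contact list."""
    per_day = {}
    for dev, day, dst in sms_log:
        per_day.setdefault((dev, day), []).append(dst)
    return sorted({dev for (dev, _), dsts in per_day.items()
                   if len(dsts) >= min_daily and sequential_ratio(dsts) >= min_seq})

# Constructed sample telemetry: one clean device, one behaving like the worm
SAMPLE_APPS = [
    {"label": "Chrome", "package": OFFICIAL_CHROME_PACKAGE, "signer": OFFICIAL_CHROME_SIGNER},
    {"label": "Chrome", "package": "com.example.fakechrome", "signer": "deadbeef"},
    {"label": "Maps", "package": "com.google.android.apps.maps", "signer": "cafe"},
]
SAMPLE_SMS = [("dev-A", "2021-05-10", f"+336{70000000 + i}") for i in range(300)]
SAMPLE_SMS += [("dev-B", "2021-05-10", n)
               for n in ("+33611223344", "+33655667788", "+33699887766")]

if __name__ == "__main__":
    print("impersonators:", impersonating_apps(SAMPLE_APPS))    # ['com.example.fakechrome']
    print("infected devices:", suspicious_senders(SAMPLE_SMS))  # ['dev-A']
```

In practice the inventory would come from an MDM export and the SMS counts from a telecom or device-management feed; the thresholds are tuning knobs, not fixed facts from the report.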
The hack may result in big phone bills for victims because sometimes mobile plans do not include unlimited SMS, researchers said. They also think that in addition to credential theft, attackers can eventually perform banking fraud.
The malware effectively evades mobile security solutions, according to Pradeo.
Pradeo identified two variants of the fake Chrome app.
“When comparing both apps we have analyzed, we see that they are 99 percent identical, with only a few file names that seem to have been changed randomly, and on the other hand their weight is the same,” they explained.
Researchers say that, given the attackers’ reliance on repackaging, a mobile-security solution built on large datasets of mobile-threat telemetry can help users avoid falling victim to this hack.
“Since so much malware is reused, both in part and in whole, datasets that can automatically convict known and unknown malware are key to ensuring coverage for customers,” he said. “Even more importantly, the solution needs to be cloud-based so that coverage for these threats can be pushed to customers immediately without requiring them to lift a finger.”