Avast Threat Labs warns about MasterFred, a new Android spyware that steals credit card information from Netflix, Instagram, and Twitter users via bogus login overlays. This new Android banking malware also targets bank customers, using custom fake login overlays in several languages.
A MasterFred sample was first uploaded to VirusTotal in June 2021, the same month it was discovered. Alberto Segura, a malware specialist, recently posted a second sample online, saying it was deployed against Android users in Poland and Turkey.
After examining the new malware, researchers at Avast Threat Labs found that it uses APIs from the built-in Android Accessibility service to show the malicious overlays.
According to Avast, the attacker can leverage the Application Accessibility toolkit, which is available by default on Android, to carry out an overlay attack that deceives the user into entering credit card details in response to bogus account breach notices on both Netflix and Twitter.
Malware writers have long exploited the Accessibility service to simulate taps and navigate the Android UI in order to install their payloads, download and install additional malware, and carry out various background activities.
MasterFred, on the other hand, stands apart in some ways. One of them is that the malicious applications that deliver the malware to Android devices also bundle the HTML overlays that display bogus login forms and collect financial information from users.
The malware also sends the stolen data to Tor network servers controlled by its operator via the Onion.ws dark web gateway (also known as a Tor2Web proxy).
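The three traits described above (an Accessibility service, bundled HTML overlays, a Tor2Web gateway host) can be checked together during static triage of an unpacked APK. The following is an added example, not code from Avast or the original article; it assumes a text manifest as decoded by a tool such as apktool, and the function names and sample data are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Tor2Web-style host: a v2 (16-char) or v3 (56-char) onion label under onion.ws
TOR2WEB_RE = re.compile(r"\b((?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\.ws)\b", re.I)

def accessibility_services(manifest_xml):
    """Return names of <service> entries declared as accessibility services."""
    root = ET.fromstring(manifest_xml)
    names = []
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission", "")
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if (perm == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                or "android.accessibilityservice.AccessibilityService" in actions):
            names.append(svc.get(ANDROID_NS + "name"))
    return names

def triage(manifest_xml, file_paths, strings):
    """Collect the three traits; 'suspicious' requires all of them together."""
    findings = {
        "accessibility_services": accessibility_services(manifest_xml),
        "bundled_html": sorted(p for p in file_paths
                               if p.lower().endswith((".html", ".htm"))),
        "tor2web_hosts": sorted({m.lower() for s in strings
                                 for m in TOR2WEB_RE.findall(s)}),
    }
    findings["suspicious"] = all(findings[k] for k in (
        "accessibility_services", "bundled_html", "tor2web_hosts"))
    return findings

# Constructed sample input (not taken from a real MasterFred sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""
SAMPLE_FILES = ["assets/overlays/login_en.html", "assets/overlays/login_pl.html",
                "res/layout/main.xml"]
SAMPLE_STRINGS = ["https://" + "a" * 16 + ".onion.ws/gate", "https://example.com/"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_FILES, SAMPLE_STRINGS))
```

Legitimate apps also declare accessibility services and ship HTML assets, so the combined flag is a prioritisation signal for manual review, not a verdict.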
Because at least one of the malicious applications bundled with the MasterFred banker was recently available in Google’s Play Store, it’s fair to assume that MasterFred’s operators are also distributing this new malware through third-party app stores.
Avast Threat Labs’ Twitter thread contains indicators of compromise (IOCs), such as MasterFred sample hashes and command-and-control server domains.