Over nine million Android devices infected by info-stealing trojan

Discussion in 'Headline News' started by RickAgresta, Nov 24, 2021.

  1. RickAgresta

    RickAgresta General Peanut, leader of the Peanutty Forces

    A large-scale malware campaign on Huawei's AppGallery has led to approximately 9,300,000 installs of Android trojans masquerading as over 190 different apps.

    The trojan is detected by Dr.Web as 'Android.Cynos.7.origin' and is a modified version of the Cynos malware designed to collect sensitive user data.

    The discovery and report come from researchers at Dr. Web AV, who notified Huawei and helped them remove the identified apps from their store.

    However, those who installed the apps on their devices will still have to remove them from their Android devices manually.

    Trojan disguised as game apps
    The threat actors hid their malware in Android apps pretending to be simulators, platformers, arcades, RTS strategy, and shooting games for Russian-speaking, Chinese, or international (English) users.

    As they all offered the advertised functionality, users were unlikely to remove them if they enjoyed the game.

    The list of the Cynos malware apps is too extensive to share here, but some notable examples that stand out due to having a large number of installations are listed below:

    • 快点躲起来 (Hurry up and hide) – 2,000,000
    • Cat adventures – 427,000
    • Drive school simulator – 142,000

    [Image: One of the trojanized apps. Source: Dr. Web]
    Since it's impractical to compare your list of installed apps to the full list of 190 malicious apps, the more straightforward solution would be to run an AV tool that can detect Cynos trojans and their variants.

    Powerful malware
    This Cynos trojan variant can perform various malicious activities, including spying on SMS texts and downloading and installing other payloads.

    "The Android.Cynos.7.origin is one of the modifications of the Cynos program module. This module can be integrated into Android apps to monetize them. This platform has been known since at least 2014," explained Doctor Web malware analysts in their report.

    "Some of its versions have quite aggressive functionality: they send premium SMS, intercept incoming SMS, download and launch extra modules, and download and install other apps."

    "The main functionality of the version discovered by our malware analysts is collecting the information about users and their devices and displaying ads."

    The aggressive nature of the trojan becomes apparent right from the installation phase when it asks for permission to perform activities that are not generally associated with a game, such as making phone calls or detecting users' locations.

    Over nine million Android devices infected by info-stealing trojan (bleepingcomputer.com)
    lelisa13p, Hook and scjjtt like this.
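The article's tell, a "game" that asks for SMS, phone-call and location permissions, can be checked mechanically. As an added example (not code from the article, Dr. Web or the forum), this Python script parses an AndroidManifest.xml and lists every declared permission that a casual game has no business requesting; the manifest and package name are constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the behaviours described for Cynos (SMS interception,
# phone calls, location tracking, dropping further APKs). A game needs none of them.
SUSPECT_FOR_GAMES = {
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send (premium) SMS",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.READ_PHONE_STATE": "read device identifiers",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
}

def declared_permissions(manifest_xml: str) -> set:
    """Return every <uses-permission android:name=...> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def triage_game_manifest(manifest_xml: str) -> dict:
    """Map each suspicious permission present to the capability it grants."""
    found = declared_permissions(manifest_xml)
    return {perm: why for perm, why in SUSPECT_FOR_GAMES.items() if perm in found}

# Constructed sample manifest; the package name is hypothetical, not from the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Hypothetical Runner"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in sorted(triage_game_manifest(SAMPLE_MANIFEST).items()):
        print(f"{perm}: lets the app {why}")
```

A real manifest is pulled from the APK with apktool or aapt first; a non-empty result is a reason to check the app against an AV scanner, not proof of infection on its own.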
  2. Hook

    Hook Have keyboard, will travel

    I take it that this warning only applies to the Huawei app store. What a surprise. :vbrolleyes:
    scjjtt and lelisa13p like this.
  3. RickAgresta

    RickAgresta General Peanut, leader of the Peanutty Forces

    For that specific instance of malware, yes; the Play store has recently (about 6 weeks ago) had its own issue:
    Photo editor Android app STILL sitting on Google Play store is malware
    Note: The app was removed shortly after BleepingComputer reported it to Google via the Play store.

    An Android app sitting on the Google Play store touts itself as a photo editor app. But it contains code that steals the user's Facebook credentials to potentially run ad campaigns on the user's behalf, with their payment information.
    The app is called "Blender Photo Editor-Easy Photo Background Editor" and has been installed over 5,000 times to date.

    Last week, similar malicious apps with over 500,000 installs were also found on the Play Store.

    "Log in" with Facebook does more than just login
    Like many Android apps, the "Blender Photo Editor-Easy Photo Background Editor" app comes with the sign-in with Facebook functionality. Except, it also makes use of your Facebook credentials to do some fishy stuff.

    Tatyana Shishkova, an Android Malware Analyst at Kaspersky, discovered the "trojan" app this week; it is still available on the Google Play store at the time of writing.
    The app contains malicious code, identical to what was found in similar "photo editor" apps last week by Maxime Ingrao, a security researcher at mobile payments cybersecurity firm Evina.

    These Android apps require Android users to sign in via their Facebook account to access the app, but then silently collect the credentials via encrypted JavaScript commands hidden within the app.

    The apps then make requests to the Facebook Graph API to peek into the user's Facebook account and look for any ad campaigns and stored payment information.

    The malware, according to Ingrao, "is very interested in the advertising campaigns you might have done and if you have a registered credit card." This would allow the attacker behind these apps to create their own ad campaigns via the user's Facebook credentials, and linked payment information.

    Identical apps installed over 500,000 times
    Ingrao had previously discovered similar malicious apps called "Magic Photo Lab - Photo Editor" and "Pix Photo Motion Edit 2021" with the latter scoring over 500,000 installs.

    Link to article:
    Photo editor Android app STILL sitting on Google Play store is malware (bleepingcomputer.com)
