Category: Android

Ghost Team – Facebook Credentials

Yet another batch of Google Play apps has been found to contain malicious code. This time we are talking about 53 apps, most of them aimed at the Asian market.

According to TrendMicro, the malware detected is ANDROIDOS_GHOSTTEAM, and it hid inside Play Store apps that contained a considerable amount of Vietnamese text. Furthermore, the command-and-control server pointed to a Vietnamese website.

Nevertheless, if installed on a phone outside Vietnam, the app would detect that via geolocation and switch its language to English.

As mentioned in previous articles on this blog, the malware is most of the time hidden in utility apps such as, but not limited to: flashlight apps, QR code scanners, compasses, performance-boosting apps and, the most important category, social media “enhancing” apps. Among these “enhancing apps” the most popular ones are video downloaders.

This idea has been reiterated countless times on this blog, but I feel the need to remind you that information means power. Especially when it comes to social media: most social media sites already have a profile created for each and every one of their users. Although we might think they get only what we share, there have been multiple cases in which companies tracked more than the user agreed to.

Malware keeps evolving and getting better, and this one is no exception: it has a feature that lets it detect whether it is running in a virtual machine. According to TrendMicro:

“The payload disguises itself as “Google Play Services”, pretending to verify an app. If the unwitting user opens Google Play or Facebook, it displays an alert urging the would-be victim to install the fake Google Play Services. After installation, the payload will also prompt the user to activate/enable device administrator.”

Fortunately, it seems that no cyber campaigns are using these stolen credentials.

“As other cyberattacks and threats like the Onliner spambot showed, these credentials can be repurposed to deliver far more damaging malware or to amass a zombie social media army that can proliferate fake news or a cryptocurrency-mining malware. Facebook accounts, which can contain a wealth of other financial and personally identifiable information, are also peddled in the underground.”

Don’t forget that your phone knows almost everything about you. Take care of your phone and protect it against threats: run routine scans, install updates when prompted, double or triple check apps before installing them, and read the comments posted for that particular app. And last, but not least, if an app provides features that seem too good to be true, then it is almost certainly fake.


Malware Hide’n’Seek

Blink once and your phone is infected.

Even though many of us could spot a fake instantly, we have to remember that there are people who are not as tech savvy as us. Furthermore, there are people who might have just started using smartphones; my grandma, for example.

There was a time when one could identify fake apps really fast, but recently more and more copies have been showing up on the Google Play Store. One notable example was an almost perfect copy of WhatsApp.

On the 3rd of November 2017, a reddit user posted that there were two WhatsApps on the Play Store that apparently came from the same developer.

Two reddit users (megared17 and dextergenius) took a closer look at the app.

The first one noticed that:

“There are extra bytes which are a Unicode space at the end of the fake one. VERY difficult to see if you don’t look closely.”

And he provided the following screenshots for comparison:

Original WhatsApp
Fake WhatsApp
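
The trailing Unicode space described above is easy to check for mechanically. The following Python script is an added example written for this post, not code from the reddit thread or from Google Play: it lists every invisible character in a publisher name and flags names that differ from a trusted one only in characters a user cannot see. The publisher strings are constructed samples; the real fake used some Unicode space, but the post does not say which code point, so NO-BREAK SPACE and ZERO WIDTH SPACE are assumptions.

```python
import unicodedata

# Unicode general categories whose members render as nothing or as blank:
# space separators (Zs), line/paragraph separators (Zl, Zp), format
# characters such as ZERO WIDTH SPACE (Cf) and control characters (Cc).
INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc"}


def invisible_chars(name):
    """List (index, code point, Unicode name) for every character in `name`
    that is invisible when rendered. The ordinary ASCII space U+0020 is
    normal in publisher names and is not reported."""
    hits = []
    for index, ch in enumerate(name):
        if ch != " " and unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            hits.append((index, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def canonical(name):
    """Reduce a publisher name to a comparison key: apply NFKC (which folds
    NO-BREAK SPACE and other compatibility forms), drop invisible characters,
    squeeze whitespace runs and trailing blanks, then casefold."""
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(
        ch for ch in folded
        if ch == " " or unicodedata.category(ch) not in INVISIBLE_CATEGORIES
    )
    return " ".join(visible.split()).casefold()


def is_lookalike(candidate, trusted):
    """True when `candidate` is not byte-for-byte the trusted name but collapses
    to the same key, i.e. the two differ only in characters a user cannot see."""
    return candidate != trusted and canonical(candidate) == canonical(trusted)


def triage(candidates, trusted):
    """Map each candidate name to its verdict and the invisible characters found."""
    return {
        name: {"lookalike": is_lookalike(name, trusted), "invisible": invisible_chars(name)}
        for name in candidates
    }


# Constructed sample data (assumption: the exact code point used by the fake
# listing is not given in the post; these two are common choices).
TRUSTED_PUBLISHER = "WhatsApp Inc."
CANDIDATES = [
    "WhatsApp Inc.",          # the genuine name
    "WhatsApp Inc.\u00a0",    # trailing NO-BREAK SPACE
    "WhatsApp\u200b Inc.",    # ZERO WIDTH SPACE hidden mid-name
    "WhatsApp Fan Club",      # a visibly different publisher
]

if __name__ == "__main__":
    for name, verdict in triage(CANDIDATES, TRUSTED_PUBLISHER).items():
        status = "LOOKALIKE" if verdict["lookalike"] else "ok"
        print(f"{name!r:28} {status:10} {verdict['invisible']}")
```

The key point is that `is_lookalike` compares normalized keys rather than raw strings, so a fake that appends a blank, inserts a zero-width character or swaps in a compatibility form is caught by the same check; a genuinely different publisher still compares as different.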

The second one went the extra mile, and even installed it:

“I’ve also installed the app and decompiled it. The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called ‘whatsapp.apk’.”

Details about the fake app.

Furthermore, the app also does its best to hide from the user. It has no name and it uses a blank icon.

Here are more screenshots of the fake app posted by dextergenius:

This app was removed from the Google Play store, but not before tricking unsuspecting users into installing it on their phones.

To quote the Avast Blog:

“The harmful effects from these imitation apps can vary from a nonstop deluge of ads to stealing money and personal info, but they all have one thing in common: they are all entirely illegal. Publishing fake apps is called “scamming” and it is punishable by law.

When you download these fake apps, you are in many cases putting money in the cyber-criminals’ pockets. Every click can be monetized, and the more money they make, the more resources they can use to create more fake apps, and the cycle continues. Instead we simply recommend: keep away from fake apps.”

Take care of your smartphone; it knows more about you than anyone. Install security software to protect your data. Use two-factor authentication for all the apps that offer that option.

“LightsOut” malware found in flashlight apps

Most of us do not install any Android apps that do not come from Google’s Play Store. After all, that is the only place from which we can be 100% sure that the apps we download are safe, right?

Unfortunately, even Google’s official app store can fall behind the latest cyber threats. On the 5th of January, Check Point Research identified 22 flashlight apps on the Google Play Store with malware hidden in them. Their findings show that the infected apps had been downloaded between 1.5 and 7.5 million times.

“LightsOut” embeds malicious code in seemingly legitimate flashlight and utility apps. This code can act in two ways:

  1. When the app is launched for the first time, its icon is hidden to make getting rid of it harder.
  2. The app presents the user with a checkbox and a control panel. But these are only a facade: even if the user chooses to hide the ads, the app overrides that choice.

We all know that most of these utility apps can be used for free, at the cost of having some annoying ads appear here and there. It seems that even after purchasing the paid version of the app, the ads keep rolling.

Moreover, the ads are displayed out of context. And since the connection between the app and the ads is not obvious, by the time the user realizes what is happening the app has already hidden its icon.

The ads are triggered by events that have no connection with the app, such as charging the phone, ending a call, connecting to or disconnecting from a Wi-Fi network, or locking the screen.

What is the aim of “LightsOut”? To generate as much revenue as possible by forcing users to interact with obtrusive ads that are triggered as often as possible.
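
Two of the behaviours described in these posts leave traces in an app’s AndroidManifest.xml before the app ever runs: the broadcast receivers LightsOut needs to fire ads on charging, call and Wi-Fi events, and the device-administrator receiver that the Ghost Team payload asks the user to enable. The Python script below is an added example written for this blog, not Check Point’s or TrendMicro’s tooling: it walks a manifest and reports receivers subscribed to those system events and receivers that can be granted device administrator rights. The two manifests are constructed samples (the package name `com.example.brightlight` and the receiver class names are invented); the action and permission strings are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# System broadcasts matching the ad triggers the write-up lists (charging,
# ending a call, Wi-Fi changes, locking the screen). SCREEN_OFF is only
# delivered to receivers registered at runtime, so a manifest-only scan
# will normally not see it; its absence does not clear an app.
TRIGGER_ACTIONS = {
    "android.intent.action.ACTION_POWER_CONNECTED": "charger plugged in",
    "android.intent.action.ACTION_POWER_DISCONNECTED": "charger unplugged",
    "android.intent.action.PHONE_STATE": "call state changed (e.g. call ended)",
    "android.net.conn.CONNECTIVITY_CHANGE": "network connectivity changed",
    "android.net.wifi.STATE_CHANGE": "Wi-Fi network state changed",
    "android.intent.action.SCREEN_OFF": "screen turned off / locked",
}

# A receiver that can be made a device administrator, the step the
# Ghost Team payload pushes the user through after installation.
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml):
    """Return (kind, receiver, detail) findings for a manifest string, where
    kind is "system_trigger" or "device_admin". Icon hiding is done at
    runtime through PackageManager and is not visible in the manifest, so
    it is out of scope for this static check."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for receiver in app.findall("receiver"):
        rname = receiver.get(NAME_ATTR, "<unnamed receiver>")
        actions = {
            action.get(NAME_ATTR)
            for flt in receiver.findall("intent-filter")
            for action in flt.findall("action")
        }
        for action in sorted(actions & set(TRIGGER_ACTIONS)):
            findings.append(("system_trigger", rname, f"{action}: {TRIGGER_ACTIONS[action]}"))
        if DEVICE_ADMIN_ACTION in actions or receiver.get(PERM_ATTR) == DEVICE_ADMIN_PERMISSION:
            findings.append(("device_admin", rname, "can be granted device administrator rights"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {"system_trigger": 4, "device_admin": 1}."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: a "flashlight" app wired to the LightsOut-style triggers
# and carrying a device-admin receiver. Package and class names are invented.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brightlight">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Bright Light">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".PowerReceiver">
      <intent-filter>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".EventReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a plain app with only a launcher activity.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainlight">
  <application android:label="Plain Light">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print(label, summarize(found))
        for kind, receiver, detail in found:
            print(f"  [{kind}] {receiver}: {detail}")
```

A flashlight app has no business reacting to call state or charger events, so each `system_trigger` hit is a question for the reviewer, and a `device_admin` receiver in a utility app is a strong signal on its own. The check is a triage aid, not a verdict: a manifest that comes back clean can still hide the same behaviour in code, which is exactly where the icon hiding these posts describe lives.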

Before downloading a flashlight app, remember that almost all new Android devices have that feature built in. Swipe down to open the settings menu, and there should already be an option called “Torch”. Although it is not as fancy as the flashlight apps, I am pretty sure you just want to use it to look for your keys, not to power up a rave party.


“Adult Swine” – found in apps for children

As always, the researchers at Check Point are shedding light on a threat that has been “lurking in the shadows” for some time now.

For people in a hurry, at the end of the article you can find the TL;DR and the list of apps.

On the 12th of January, Check Point released information about 60 Android apps that contained malicious code hidden inside them. As adults we are all aware of the threats that exist on the internet. Most of us are able to clearly identify them, but nowadays apps aimed at children are becoming the main target of these attackers.

Over 60 apps have been identified to contain the ‘Adult Swine’ code. Although click-baiting and similar practices have been around for years, this new type of intrusive and, most of the time, inappropriate ads is on the rise.

Apps infected with “Adult Swine” could cause problems in three ways:

  1. Displaying ads from the web that are often highly inappropriate and pornographic.
  2. Attempting to trick users into installing fake ‘security apps’.
  3. Inducing users to register to premium services at the user’s expense.

Once installed, the app connects to its control server and reports several details about the phone on which it has managed to install itself. Moreover, once connected to the C&C server, the app hides its icon from the menus.

Offensive ads

The content of the ads is offensive and, in most cases, pornographic. Furthermore, since it scans the apps that are running on the phone, the infected app displays the ads inside the same window as the app the child is using.

The ads seem to come from two main sources:

  • From legitimate advertisers that did not give their consent for the ads to be used in such a way.
  • From a list of ads that the app has stored in its library. As you would imagine, the library contains only offensive ads.

I feel the need to reiterate the idea that this is happening while the children are using the app that the code pretends to be.

Installing fake apps

Scareware is the name given to apps that inform the user that their phone or device has been infected. Most of us know how to deal with this type of scam, but we must not forget that the targets here are our children.

After being warned about the “infection”, the user is advised to install a ‘security app’ that will repair their device. You guessed it: the ‘solution’ is just another malicious app.

Premium services

Although I personally do not link my credit card to my phone, most of my friends do. The thing I find hilarious is that their reason for doing so is ‘It’s easier for me to buy things and order stuff online.’

Now, each of us is entitled to do exactly what they want with their hard-earned money, but I would guess that many of us would not like to have it spent on useless apps and services.

But that is not all: even without your banking data, the apps can still find other ways to trick people into buying apps or subscribing to unwanted premium services.

It works just like the ‘scareware’ tactic described above. But in this case, the app tries to bait the user by informing them that they have won a certain prize. In order to claim it, the user has to provide their phone number. Once the phone number is entered, the app uses it to register the user for premium apps and services, which the user then has to pay for.

The good news is that Google has removed most of the apps that have been infected.

The bad news is that all these apps were available on a platform that is trusted by the majority of Android users.

TL;DR

Sixty apps aimed at children have been removed by Google from the Play Store. These apps were infected by a piece of code that is now known as ‘Adult Swine’.

The infected apps would display ads that were offensive and often pornographic. Furthermore, they also used ‘scareware’ tactics to trick users into installing fake and malicious apps.

And finally, they would also use the ‘You won a prize, enter your details to claim it’ tactic to trick users into disclosing their phone numbers. With this information, the app would subscribe the user to paid services and apps, resulting in users being charged for services they did not want or subscribe to.

For the full list, please visit: Checkpoint

App Name                          Minimum Downloads   Maximum Downloads
Five Nights Survival Craft        1,000,000           5,000,000
Mcqueen Car Racing Game           500,000             1,000,000
Addon Pixelmon for MCPE           500,000             1,000,000
CoolCraft PE                      100,000             500,000
Exploration Pro WorldCraft        100,000             500,000
Draw Kawaii                       100,000             500,000
San Andreas City Craft            100,000             500,000
Subway Banana Run Surf            100,000             500,000
Exploration Lite : Wintercraft    100,000             500,000
Addon GTA for Minecraft PE        100,000             500,000
Addon Sponge Bob for MCPE         100,000             500,000
Drawing Lessons Angry Birds       50,000              100,000
Temple Crash Jungle Bandicoot     50,000              100,000
Drawing Lessons Lego Star Wars    50,000              100,000
Drawing Lessons Chibi             50,000              100,000