Tag: Android

Ghost Team – Facebook Credentials

Yet another batch of Google Play apps has been shown to contain malicious code. This time it is 53 apps, most of them aimed at the Asian market.

According to Trend Micro, the malware is detected as ANDROIDOS_GHOSTTEAM, and it hid inside Play Store apps that contained a considerable amount of Vietnamese-language content. Furthermore, the command-and-control server pointed to a Vietnamese website.

If installed on a phone outside Vietnam, however, the app would detect that via geolocation and switch its language to English.

As mentioned in previous articles on this blog, this kind of malware is most often hidden in utility apps: flashlight apps, QR code scanners, compasses, performance boosters and, most importantly, social media "enhancer" apps. Among these enhancers, the most popular are video downloaders.

This has been repeated countless times on this blog, but I feel the need to remind you: information is power. Especially when it comes to social media: most social media sites already keep a profile on every one of their users. We might think they only get what we share, but there have been multiple cases in which companies tracked more than the user agreed to.

Malware keeps evolving, and this one is no exception: it can detect whether it is running in a virtual machine, a common trick for evading automated sandbox analysis. According to Trend Micro:

“The payload disguises itself as “Google Play Services”, pretending to verify an app. If the unwitting user opens Google Play or Facebook, it displays an alert urging the would-be victim to install the fake Google Play Services. After installation, the payload will also prompt the user to activate/enable device administrator.”

Fortunately, no campaign using these stolen credentials seems to have been observed yet. Trend Micro nonetheless warns what they could be used for:

“As other cyberattacks and threats like the Onliner spambot showed, these credentials can be repurposed to deliver far more damaging malware or to amass a zombie social media army that can proliferate fake news or a cryptocurrency-mining malware. Facebook accounts, which can contain a wealth of other financial and personally identifiable information, are also peddled in the underground.”

Don't forget that your phone knows almost everything about you. Take care of it and protect it against threats: run routine scans, install updates when prompted, double- or triple-check apps before installing them, and read the reviews posted for that particular app. Treat any utility app that asks for device administrator rights, as the fake "Google Play Services" above does, as a red flag: a flashlight or video downloader has no legitimate need for them. Last but not least, if an app offers features that seem too good to be true, it is almost certainly fake.

“LightsOut” malware found in flashlight apps

Most of us do not install Android apps from anywhere but Google's Play Store. After all, that is the one place where we can be 100% sure the apps we download are safe, right?

Unfortunately, even Google's official app store can fall behind the latest threats. On 5 January 2018, Check Point Research identified 22 flashlight apps on the Google Play Store with malware hidden in them. Their findings show that the infected apps had been downloaded between 1.5 million and 7.5 million times.

“LightsOut” embeds malicious code in seemingly legitimate flashlight and utility apps. The malicious code does two things:

  1. When the app is launched for the first time, it hides its launcher icon, making it harder to find and uninstall.
  2. The app presents the user with a checkbox and a control panel for the ads, but these are only a facade: even if the user chooses to disable the ads, the app overrides that choice.

We all know that most of these utility apps are free at the cost of some annoying ads appearing here and there. In this case, though, the ads kept rolling even after purchasing the paid version of the app.

Moreover, the ads are displayed out of context. Since there is no visible connection between the app and the ads, the user has a hard time working out which app is responsible; and even if they do, the app has already hidden its icon.

The ads are triggered by events that have nothing to do with the app: plugging in the charger, ending a call, connecting to or disconnecting from a Wi-Fi network, or locking the screen.

What is the aim of “LightsOut”? To make as much ad revenue as possible by forcing users to interact with obtrusive ads triggered as often as possible.
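Both posts describe tells that are visible in an app's manifest before you ever run it: the device-administrator receiver behind GhostTeam's fake "Google Play Services" prompt, and broadcast receivers for system events (charger, calls, connectivity, unlock) that a flashlight has no business reacting to, which is how LightsOut fires its ads. The script below is an added example, not code from Trend Micro, Check Point or the malware itself: it parses a decoded AndroidManifest.xml (as produced by apktool) and flags both patterns. The sample manifest, package name and class names are constructed for illustration. One caveat a practitioner should know: the icon-hiding step cannot be seen statically, since it is done at runtime, and the screen-lock trigger (SCREEN_OFF) can only be registered at runtime as well, so a clean manifest scan does not clear an app.

```python
"""Static triage of a decoded AndroidManifest.xml for device-admin receivers
and system-event ad triggers.  Added example (not Trend Micro / Check Point /
malware code).  Usage: python manifest_triage.py app/AndroidManifest.xml
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Manifest-declarable broadcasts matching the triggers named in the text.
# SCREEN_OFF/SCREEN_ON cannot be declared in a manifest (runtime registration
# only), so "locking the screen" is invisible here; USER_PRESENT (unlock) is
# the closest declarable relative.
SUSPICIOUS_ACTIONS = {
    "android.intent.action.ACTION_POWER_CONNECTED": "charger plugged in",
    "android.intent.action.ACTION_POWER_DISCONNECTED": "charger unplugged",
    "android.intent.action.PHONE_STATE": "call state change (call ended)",
    "android.net.conn.CONNECTIVITY_CHANGE": "network connectivity change",
    "android.net.wifi.STATE_CHANGE": "Wi-Fi connected/disconnected",
    "android.intent.action.USER_PRESENT": "device unlocked",
}


def _attr(el, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Collect indicators from one manifest; returns raw findings, no verdict."""
    root = ET.fromstring(xml_text)
    found = {"package": root.get("package"), "device_admin_receivers": [],
             "event_triggers": [],        # (receiver, action, meaning)
             "launcher_components": []}   # what vanishes if the icon is hidden
    app = root.find("application")
    if app is None:
        return found
    for recv in app.findall("receiver"):
        name = _attr(recv, "name")
        if _attr(recv, "permission") == DEVICE_ADMIN_PERMISSION:
            found["device_admin_receivers"].append(name)
        for action in recv.iter("action"):
            a = _attr(action, "name")
            if a in SUSPICIOUS_ACTIONS:
                found["event_triggers"].append((name, a, SUSPICIOUS_ACTIONS[a]))
    # activity-alias included: disabling an alias is the usual way to hide the
    # launcher icon at runtime while keeping the real activity reachable.
    for comp in app.findall("activity") + app.findall("activity-alias"):
        cats = {_attr(c, "name") for c in comp.iter("category")}
        if "android.intent.category.LAUNCHER" in cats:
            found["launcher_components"].append(_attr(comp, "name"))
    return found


def assess(found):
    """(verdict, reasons) for a single-purpose utility app such as a flashlight."""
    reasons = []
    if found["device_admin_receivers"]:
        reasons.append("requests device administrator: "
                       + ", ".join(found["device_admin_receivers"]))
    if len(found["event_triggers"]) >= 2:
        reasons.append("wakes on %d unrelated system events: %s" % (
            len(found["event_triggers"]),
            "; ".join(m for _, _, m in found["event_triggers"])))
    return ("suspicious" if reasons else "no manifest indicators"), reasons


# Constructed sample; package and class names are invented for illustration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brightlight">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Bright Light">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".EventReceiver">
      <intent-filter>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    found = triage_manifest(text)
    verdict, reasons = assess(found)
    print("%s: %s" % (found["package"], verdict))
    for r in reasons:
        print("  -", r)
```

Run without arguments it triages the constructed sample and reports it as suspicious on both counts; point it at a real decoded manifest to triage an APK you are about to install. The score is deliberately crude: a device-admin receiver in a flashlight app is damning on its own, while a single system-event receiver (for example BOOT_COMPLETED) is common in legitimate apps, which is why two or more are required before it counts.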

Before downloading a flashlight app, remember that almost all new Android devices have that feature built in. Swipe down to open the quick settings panel and there should already be a toggle called “Torch” or “Flashlight”. It is not as fancy as the dedicated apps, but I am pretty sure you just want to look for your keys, not power a rave party.