Topic: Android malware targets 13 bitcoin wallets and 400 banks (Read 251 times)

Google is known for their lethargic approach towards the malicious apps available in their playstore, they only remove it when they get so much reports from the users by that time the goal of the malicious apps will be achieved that is why never trust play protect or IOS app market and also the software platforms need to find something to eradicate the malicious apps linked with fabricated apps as soon as possible.

Using Linux is highly recommended for crypto community but it's not user friendly which is the main reason they are going after Android or IOS.

SMS and 2 Factor Authentication can also be penetrated, which will be very dangerous.
Many lay people only use smartphones and don't pay attention to what applications are downloaded, and sometimes when visiting some websites or installing game applications, there will be advertisements that download applications automatically, this is very dangerous.

I am also an android user and start to be wary when I get news like this. Tried checking some apps and uninstalling useless apps.

It was so irritating that I got rid of the mobile ad blocker as I would rather have the ads all over the webpage than experiencing much slowed loading times.

It is not only a matter of safety, but also that working on such devices is problematic, and the battery wears out quickly.

Sadly, that tendency of theirs can easily bite them in the ass, and when that happens, they are going to put the blame on everybody and everything except themselves.   

Be aware that downloading applications from unofficial websites carries huge risks, as they might already have been tampered with by scammers.

After the switch to EUR, many people in my country started using such apps, especially older ones who find it difficult to calculate how much something costs in EUR compared to the old currency. Of course, such things can always be checked online, but most people still have a tendency to use apps for almost every activity we can imagine.

Be aware that downloading applications from unofficial websites carries huge risks, as they might already have been tampered with by scammers. I don't see any need to download any other applications on my phone, apart from the browser and wallet app. If you are looking for new applications make sure they have been around for a while and the reviews are good enough too.

~snip~
This malware spreads through a currency converter app. Why would you need to have that installed on your phone? You can literally enter USD to EUR or any other currency pair and get rates from Google.

-snip-

-snip-
As an option to avoid such troubles, the use of Linux systems again arises. As far as I know, these two software programs apply to Android and Windows. Although, of course, phone users need to be very careful with the installation of different programs. Since, according to the data, even the Play Market cannot guarantee the safety of users by allowing masquerading programs into their service.

-snip-
It's not enough to keep your crypto holdings in a separate device, which is a good step, but we still use our mobile for certain things, some use it to open the forum and one cannot access bank applications without internet connection, so the risk still presents itself.

I am also an android user and start to be wary when I get news like this. Tried checking some apps and uninstalling useless apps.

An interesting aspect of the campaign is the darknet service, which the researchers dubbed “Zombinder,” which offers malicious APK binding of malware to legitimate Android applications.

Zombinder launched in March 2022 as a malware packer on APK files, and according to ThreatFabric, it is now growing popular in the cybercrime community.

The APKs used in this campaign vary, with the analysts reporting seeing a fake live football streaming app and a modified version of the Instagram app.

These apps work as expected because the functionality of the legitimate software is not removed. Instead, Zombinder appends a malware loader to its code.

The loader is obfuscated to evade detection, so when the user launches the app, the loader will display a prompt to install a plugin. If the prompt is accepted, the loader will install a malicious payload and launch it in the background.

ThreatFabric has included a list of all targeted banks in the appendix of its report, but it would be too long to present here. In addition, 13 cryptocurrency wallets, including Binance, BitPay, KuCoin, Gemini, and Coinbase, are targeted by malware.

The most noticeable addition to the latest Xenomorph version is the ATS framework, which gives hackers the ability to automatically extract credentials, monitor account balances, make transactions, and steal money from target apps without requiring them to perform remote activities.

Instead, the operator merely sends JSON scripts, which the Xenomorph interprets as a list of activities and then carries out on the infected device on its own.

According to experts at ThreatFabrics, the [ATS execution] engine utilized by Xenomorph differs from its rivals due to the range of programmable potential actions that can be included in ATS scripts and a system that permits conditional execution and action prioritization.

One of the malware’s ATS framework’s most outstanding features is its ability to record third-party authentication programs’ content, circumventing MFA (multi-factor authentication) safeguards that would otherwise prevent automated transactions.

One-time codes can be obtained from Google Authenticator by extracting the relevant codes (ThreatFabric). It concerns that Xenomorph may access authenticator applications on the same device as banks, who are gradually moving away from SMS MFA and advising consumers to use authenticator apps instead.

In addition to the aforementioned, the new Xenomorph has a cookie stealer capable of stealing cookies from the Android CookieManager, where the user’s session cookies are kept.

In order to fool the victim into providing their login information, the thief launches a browser window with the URL of a reliable service and the JavaScript interface turned on.

The threat actors steal the cookies, allowing them to hijack the victim’s web sessions and access their accounts. A significant new malware that entered the world of cybercrime a year ago was Xenomorph, an Android threat.

It is now a far bigger threat to Android users all over the world after the release of its third major version. Users who download apps via Google Play should exercise caution, read reviews, and perform background checks on the publisher because of the app’s current distribution method, the Zombinder.