In total, experts identified 10 malicious applications, 9 of which were present on Google Play at the time of detection:
While studying these malicious programs, the experts discovered an earlier modification that had spread through Google Play under the guise of the EditorPhotoPip photo editor. It has already been removed from the catalogue, but is still available on application aggregator sites.
These applications can be considered modifications of the same Trojan, as they use the same configuration file format and the same JavaScript scripts to steal data, experts say.
All of the applications were fully functional, which was meant to lower the guard of potential victims. To unlock all of their features, and supposedly to disable ads, users were asked to log into their Facebook account. Some of the applications did contain advertising, and this technique was intended to further push Android device owners into performing the action the cybercriminals wanted.
As already mentioned, the Facebook login form shown to victims was genuine. The Trojans used a special mechanism to deceive their victims: after launch they received the necessary settings from one of the control servers and then loaded the legitimate page of the social network (https://www.facebook.com/login.php) into a WebView.
JavaScript received from the attacker’s server was loaded into the same WebView, and it directly intercepted the credentials entered. Using the methods exposed through the JavascriptInterface annotation, this JavaScript passed the stolen login and password to the Trojan applications, which then sent them to the attackers’ server. After the victim logged into the account, the Trojans additionally stole the cookies of the current authorization session, which were also sent to the criminals.
The analysis showed that all of the applications received settings for stealing usernames and passwords from Facebook accounts. However, the cybercriminals could easily change these parameters and instruct the Trojans to load a page of some other legitimate service, or even use a completely fake login form hosted on a phishing site. The Trojans could thus be used to steal logins and passwords from any service.
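A static triage check for the API combination described above, run over decompiled Java source (an added example, not code from the original article or from the researchers). Because both the page and the script arrive from the control server, it matches on the WebView calls rather than on URLs; the indicator names, verdict levels and sample snippets are constructed for illustration.

```python
import re

# Android API calls that together form the pattern described in the article.
# Matched against decompiled Java source; the indicator names are ours.
INDICATORS = {
    "js_enabled":    re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "bridge":        re.compile(r"addJavascriptInterface\("),
    "bridge_method": re.compile(r"@JavascriptInterface"),
    "js_injection":  re.compile(r'evaluateJavascript\(|loadUrl\(\s*"javascript:'),
    "cookie_read":   re.compile(r"\.getCookie\("),
}

def triage(sources):
    """sources: {file name: source text}. Returns (level, {indicator: [files]})."""
    hits = {}
    for name, text in sources.items():
        for key, rx in INDICATORS.items():
            if rx.search(text):
                hits.setdefault(key, []).append(name)
    found = set(hits)
    if {"bridge", "js_injection", "cookie_read"} <= found:
        level = "high"      # bridge + injected script + session cookie access
    elif {"bridge", "js_injection"} <= found:
        level = "medium"    # common in hybrid apps; check which page is loaded
    elif "bridge" in found:
        level = "low"
    else:
        level = "none"
    return level, hits

# Constructed samples (not taken from any real application).
SUSPECT = {
    "LoginActivity.java": '''
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(), "app");
        webView.loadUrl(settings.getString("url"));
        webView.evaluateJavascript(settings.getString("script"), null);
        String c = CookieManager.getInstance().getCookie(settings.getString("url"));
    ''',
    "Bridge.java": "@JavascriptInterface public void onData(String a, String b) {}",
}
BENIGN = {
    "HelpActivity.java": '''
        webView.getSettings().setJavaScriptEnabled(true);
        webView.loadUrl("file:///android_asset/help.html");
    ''',
}

if __name__ == "__main__":
    for label, app in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, *triage(app))
```

A "high" result is a prompt for manual review of where the WebView URL and script come from, not a verdict: legitimate hybrid apps also expose bridges to pages they control.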
Let me remind you that we previously reported that 306 vulnerabilities were found in popular Android applications, and only 18 of them received patches.