Hello and welcome to the Dark Street Hackers. First of all, thank you all for your huge support. Now I am here with the latest news about malware. Let's see what it is.

Recently, news about the Google Play Store showed that more than 200 malicious apps had been downloaded 150 million times by Android users. These malicious apps generally come bundled with adware. The adware campaign behind them is called SimBad.

Most of the infected malicious apps belong to the games category. When you install these games, they come with lots of ads, and once you open them an ad pops up on your screen after a particular period of time. The reason is "RxDroider".

"RxDroider" is a malicious software development kit (SDK) that attackers use to serve a higher number of ads and make money. This kind of SDK is provided by 'androider[.]com', which tells developers to use it as a development tool. Check Point Research also shows that it exhibits various behaviours: for example, when the user unlocks their phone or uses other apps, it shows ads outside of the application.

When the user opens the Google Play Store or 9Apps, it redirects them to another particular application, and the developer can profit from the additional installations. In order to prevent uninstallation, it hides the icon from the launcher. It also works by opening a web browser with links provided by the app developer.

The process is as follows:

Once the adware app is installed on the victim's mobile device, "SimBad" registers itself to make sure the installed app keeps running whenever the device boots or is unlocked. "SimBad" then connects to the C&C server to receive commands from the attackers for various malicious operations, such as removing the icon (making it harder for the user to uninstall) and pushing background ads into "image". 'SimBad' has capabilities that can be divided into three groups: showing ads, phishing, and exposure to other applications. With its capability to open a given URL in a browser, 'SimBad' can generate phishing pages for multiple platforms, open them in a browser, and perform spear-phishing attacks on the user. The observed C2 server is 'androider[.]com', which is used as Parse backend infrastructure, a model that gives web and mobile app developers a way to link their applications to backend cloud storage and to APIs exposed by back-end applications. This C2 server domain was registered via GoDaddy and, according to RiskIQ's PassiveTotal, expired 7 months ago.
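As an added illustration (not from the original post, nor from Check Point's research), here is a small Python triage script that reads a decoded AndroidManifest.xml and reports the boot- and unlock-time receivers that this kind of persistence relies on, alongside the app's launcher activities. The sample manifest, its package name and its class names are constructed for the example.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
# Broadcasts an app registers for to wake at boot or at unlock, i.e. the
# "whenever they boot or unlock" persistence described above.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest; package and class names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simulatorgame">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Summarise boot/unlock receivers and launcher entries in a manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    persistence = set()
    for receiver in app.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME) in PERSISTENCE_ACTIONS:
                persistence.add(action.get(NAME))
    # Icon hiding disables launcher activities at runtime, so compare this
    # static list against what the device's launcher actually shows.
    launchers = [a.get(NAME) for a in app.iter("activity")
                 if any(c.get(NAME) == LAUNCHER for c in a.iter("category"))]
    return {
        "package": root.get("package"),
        "persistence_actions": sorted(persistence),
        "launcher_activities": launchers,
        # A game has little reason to wake at boot or unlock; flag for review.
        "review": bool(persistence),
    }
```

Run it against a manifest decoded with a tool such as apktool; a hit only means the app deserves a closer look, not that it is malicious.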

Stay tuned for more updates. Until then, bye.
