Check out this Android spyware, says Microsoft, the home of a gazillion Windows flaws

While issuing an emergency patch for Endpoint Configuration Manager

Data-stealing spyware disguised as a banking rewards app is targeting Android users, Microsoft's security team has warned.

The malware, which can be remotely controlled by miscreants once it has infected a device, appears to be an updated version of an Android software nasty first observed in 2021. Back then it was seen robbing Indian bank customers. This latest variant has several additional backdoor capabilities and much better obfuscation, allowing it to stealthily steal victims' two-factor authentication (2FA) messages for bank accounts, account login details, and personally identifiable information (PII) without detection, we're told.

The Microsoft threat hunters' investigation began after receiving a text message claiming to be from India's ICICI bank's rewards program. It included the bank's logo, alerted the user that their loyalty points were about to expire, and instructed them to click on a malicious link.

Clicking on the link downloads a fake banking rewards app, which the Redmond team detected as carrying TrojanSpy:AndroidOS/Banker.O. When run, it asks the user to enable specific permissions, and then asks for the user's credit card details to harvest along with all the other data it be instructed to steal. One hopes being asked for card information right off the bat is a red flag for most people.

Using open-source intelligence, the security researchers determined that the phony app's command and control (C2) server is used by or linked to 75 other malicious Android applications, distributed as APK files. 

"Some of the malicious APKs also use the same Indian bank's logo as the fake app that we investigated, which could indicate that the actors are continuously generating new versions to keep the campaign going," the researchers noted this week.

In addition to pointing out malware in Android – an OS made by arch-rival Google – Microsoft also this week issued an out-of-band security update for a spoofing vulnerability in Microsoft Endpoint Configuration Manager. 

The hole, tracked as CVE-2022-37972, affects versions 2103 to 2207, and can be exploited to steal sensitive information, according to the US government's CISA, which urged folks to apply the fix.

The bug received a 7.5 out of 10 CVSS severity score, and its details have already been publicly disclosed. Microsoft says exploitation is "less likely." Still, it's a low-complexity attack that's publicly known, so it's time to get patching.  

According to Redmond, the fix, KB15498768, will be listed in the Updates and Servicing node of the Configuration Manager console.

Upon further analysis, Microsoft discovered the Android malware uses MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid functions to conduct a raft of nefarious activities including intercepting calls, accessing and uploading call logs, messages, contacts, and network information, and modifying the Android device's settings. 

These three functions also allow the app to continue spying on the victim's phone and running in the background without any user interaction.

Though the software nasty can receive and carry out a range of commands from its control server, one edict in particular — the silent command, which puts the device on silent mode — is rather dangerous because it allows the attacker to receive, steal, and delete messages without alerting the user.

This is bad because banking apps often require 2FA, often sent through SMS. So by turning on the phone's silent mode, the miscreants can steal these 2FA messages without the victim's knowledge, thus allowing them to get into online banking accounts – once they have learned all the necessary credentials – and potentially drain them of money.

According to the Windows giant's security researchers:

Its ability to intercept one-time passwords (OTPs) sent over SMS thwarts the protections provided by banks' two-factor authentication mechanisms, which users and institutions rely on to keep their transactions safe. Its use of various banking and financial organizations' logos could also attract more targets in the future.

Microsoft's team notes that the spyware encrypts all data it sends to its remote masterminds and decrypts the scrambled SMS commands it receives. This uses a combo of Base64 encoding/decoding and AES encryption/decryption methods.

Additionally, the malware uses the open-source library socket.io to communicate with its C2 server.

To prevent this and other info-stealing malware from wreaking havoc, the security researchers suggest downloading and installing apps only from official app stores. They also note Android users can keep the "Unknown sources" option disabled, which prevents potentially malicious sources from installing malware disguised as legitimate apps.

As we've said before, it's nice that Microsoft is pointing out cybersecurity issues in other people's code – raising awareness is good for users – but it's strange to see Redmond making a song and dance about this sort of thing when it routinely downplays the scores of vulnerabilities it fixes in its own products every month. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022