FireEye's security research team has just uncovered a new type of Android malware that can not only copy the icons of popular apps but also mimic the interfaces of apps like Google Play Store, Facebook or WhatsApp.
The malware was first discovered in Denmark and has already made its way through a number of European countries, including Germany and Italy. There is no confirmation of whether it has reached other parts of the world as well. Whatever the case, all Android users are under threat from this malware.
The malware launches over your normal apps
According to the researchers, the malware is spread using a very deceptive and basic technique: an SMS phishing scheme. When a user receives what looks like a legitimate link, the malware is downloaded automatically, and it starts to monitor which apps are active and what is running in the background.
When a user launches or switches to an app that the malware was developed to target, it overlays the app with a fake user interface. The interface is nearly identical to the original one, including the credential input pages. The malware then asks the user to input their details, which could include all sorts of personal information, and sends them back to its server.
The malware could be your Facebook, Google Play Store, Uber, Viber, WeChat, WhatsApp or YouTube app
Meanwhile, the user keeps thinking they are facing a completely authentic screen. What more proof could they possibly need, since the screen only popped up after they launched the app?
The malware is designed to target at least 8 different apps in total. The apps include Facebook, Google Play Store, Uber, Viber, WeChat, WhatsApp, YouTube and a few others.
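The behaviour described above (a fake screen appearing right after a targeted app is opened) can be hunted for in a timeline of foreground changes. The following is an added example, not code from FireEye or the original article: the event format, the trusted-package list, the 2-second window and the sample timeline are assumptions, and the package names are the public identifiers of the apps the article lists.

```python
from collections import namedtuple

# Constructed event record: time in ms, package that moved to the foreground.
Event = namedtuple("Event", "ts_ms package")

# Apps the article names as targets, mapped to their public package names.
WATCHED = {
    "com.facebook.katana": "Facebook",
    "com.android.vending": "Google Play Store",
    "com.ubercab": "Uber",
    "com.viber.voip": "Viber",
    "com.tencent.mm": "WeChat",
    "com.whatsapp": "WhatsApp",
    "com.google.android.youtube": "YouTube",
}
# Assumption: packages expected to appear over other apps (launcher, system UI).
TRUSTED = {"com.android.systemui", "com.example.launcher"}
WINDOW_MS = 2000  # assumption: an overlay appears within 2 s of the real app


def find_overlay_suspects(events, window_ms=WINDOW_MS):
    """Return (app_name, covering_package, delay_ms) for each suspicious cover."""
    hits = []
    ordered = sorted(events)  # sorts by timestamp first
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.package not in WATCHED:
            continue  # only care about what happens right after a watched app
        if cur.package in WATCHED or cur.package in TRUSTED:
            continue  # switching to another known app or system surface
        delay = cur.ts_ms - prev.ts_ms
        if delay <= window_ms:
            hits.append((WATCHED[prev.package], cur.package, delay))
    return hits


# Constructed sample timeline, not taken from the FireEye report.
SAMPLE = [
    Event(1000, "com.example.launcher"),
    Event(5000, "com.whatsapp"),
    Event(5400, "com.example.smsupdate"),   # covers WhatsApp after 400 ms
    Event(60000, "com.example.launcher"),
    Event(61000, "com.google.android.youtube"),
    Event(185000, "com.example.notes"),     # normal switch two minutes later
    Event(190000, "com.android.vending"),
    Event(190300, "com.android.systemui"),  # trusted system surface
]

if __name__ == "__main__":
    for app, pkg, delay in find_overlay_suspects(SAMPLE):
        print(f"{pkg} covered {app} after {delay} ms")
```

A single hit is only a lead; a package that repeatedly covers several of the listed apps within the window is the pattern worth investigating.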
What is scarier is the fact that the malware is being improved and expanded to target even more popular apps. FireEye states, “the malicious apps used in later campaigns are often harder to analyze because obfuscation techniques were adopted to evade detection.” There’s more: the malware is being upgraded to bypass “the SMS writing restriction enforced by the App Ops service (introduced in Android 4.3). All of this suggests that threat actors are actively improving their code.”
In addition to that, the people behind this malware have been sending more enticing links via SMS. One of these links managed to get 130,000 clicks. Any link you click, even while browsing the web, could be a source of this malware.
More information regarding this dangerous malware is available at FireEye’s website.