Ad Fraud Targeting Korean Android Users Discovered in 43 Google Media Streaming Apps
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
A recent investigation into Google Play Store apps revealed an ad fraud campaign run by some developers. The practice, which is directed particularly at Korean Android users, loads invisible ads while the device screen is switched off.
In an advisory, McAfee’s Mobile Research Team stated that although this practice might initially seem user-friendly, it violates the Google Play Developer policy regarding the display of ads. The ad fraud not only adversely affects advertisers but also harms users in various ways.
The team discovered the apps, which are mainly media streaming (TV/DMB Player, Music Downloader), news, and calendar applications with a collective 2.5 million installations. The discovery was immediately reported to Google, which promptly removed most of the apps. Those that remain have been updated to comply with Google’s policies.
After installation, the ad fraud library employs sophisticated delay techniques (several weeks) to avoid detection and inspection by users. In addition, its complicated configuration can be pushed and modified using Firebase Storage or Messaging service, which makes it difficult to identify and analyze the fraudulent behavior of these rogue apps.
The advisory stated that during the installation process, these malicious apps seek the “power saving and draw over other apps” permissions, which help them operate discreetly in the background. Users should be wary of granting these permissions, as doing so makes them susceptible to phishing and ad fraud campaigns, noted McAfee.
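For triage of installed or submitted apps, the permission pair described above can be checked in a decoded AndroidManifest.xml. The following is an added example, not code from McAfee or from the apps in question; the mapping of the advisory's wording to the two Android permission constants is an assumption, and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: the advisory's wording mapped to Android permission constants.
WATCHED = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "power saving exclusion",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
}

def triage(manifest_xml):
    """Return the package name, the watched permissions it requests, and
    whether it requests all of them (the combination worth a manual look)."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    # Permissions can be declared with either element name.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            requested.add(el.get(ANDROID_NS + "name"))
    hits = sorted(label for perm, label in WATCHED.items() if perm in requested)
    return {"package": root.get("package"), "hits": hits,
            "flag": len(hits) == len(WATCHED)}

# Constructed sample manifests (not taken from any real app).
SAMPLE_PLAYER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dmbplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
</manifest>"""

SAMPLE_CALENDAR = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calendar">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_PLAYER, SAMPLE_CALENDAR):
        result = triage(sample)
        status = "REVIEW" if result["flag"] else "ok"
        print(f"{result['package']}: {status} {result['hits']}")
```

A flagged app is a candidate for closer review rather than a confirmed detection, since legitimate apps can request either permission.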
After the latent period, the invisible ad fraud campaign begins whenever the unaware user’s device screen is turned off. The library registers device information and then retrieves the specific ad URL from Firebase Storage to display the ads. Such practices not only drain the device’s battery but also consume mobile data.
With the rise of smartphone malware, it is essential that users remain vigilant while installing apps and granting them permissions.
Android Spyware SpyNote Targets European Bank Customers in an Aggressive Campaign
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
The ongoing threat campaign against financial institutions has seen the entry of SpyNote spyware, an Android banking trojan. Active since the end of 2022, the trojan was observed carrying out bank fraud as well.
Cleafy’s security researchers revealed that the spyware, also dubbed SpyMax, exploits various Accessibility services and Android permissions to carry out malicious attacks against its victims.
The trojan, known for its spyware and phishing capabilities, is distributed through fake SMS messages (smishing), and a combination of its remote access trojan (RAT) capabilities and phishing tactics is used to execute multiple fraudulent activities.
This campaign against customers of multiple European banks was most prevalent around June and July 2023.
In an advisory, the Italian cybersecurity company noted that the infection chain primarily begins with a bogus SMS message urging victims to click the accompanying URL to install the certified banking app. A second message redirects the victims to a seemingly legitimate TeamViewer QuickSupport app, which is used to remotely access the victim’s device.
Once installed, the trojan tracks various user activities and harvests sensitive information from the target’s device, including keystrokes, installed applications, text inputs, GPS location, audio and screen recordings, contacts, and SMS messages used to bypass two-factor authentication (2FA). With this information, the attacker can easily steal banking and other financial credentials from the victim’s device.
Moreover, to avoid detection, the spyware uses various techniques such as anti-emulator controls, obfuscation, and junk code, and it hides itself so that the user is unable to manually remove it from the device.
The advisory also noted that, unlike other banking trojans, SpyNote is one of the most aggressive campaigns observed in recent years. Moreover, its multiple functionalities will make it one of the vectors of choice for threat actors launching bank fraud activities.
With phishing and smishing campaigns on the rise, it is imperative that both individuals and organizations remain vigilant and employ different security measures to thwart such fraud attempts.