Lyca Mobile Confirms Customer Data Leak After Cyberattack
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
After confirming the cyberattack that led to widespread service disruption, Lyca Mobile disclosed that personal information of some customers was compromised during the incident.
First reported on October 3, 2023, the attack is said to have been discovered by the company on September 30 while it was investigating network and operational outage issues.
While addressing the disruption to call services and the inaccessibility of its top-up services, the company also hinted at a possible theft of customer information.
“Our number one priority is ensuring the safety and security of our customers’ data, and we are urgently investigating whether any personal information may have been compromised as part of this attack,” the statement revealed.
While investigating with third-party security experts, Lyca found that sensitive information related to some customers was accessed by the unknown hackers. Although it was unable to say what type of data was stolen, Lyca revealed what customer information is stored in its database.
It includes the name, address, date of birth, alternate contact and address information, copies of identity documents, passport copies, and other similar identity documents. The stolen data also included customer service interactions and stored payment card information, including the last 4 digits of a credit card and its expiration date.
As a precautionary measure, the company has suggested that customers with online accounts should change their passwords and remain vigilant of any suspicious emails, SMS messages, and calls.
Details about the attack and the actors behind it have not been revealed by Lyca, as the investigation and system restoration are still underway. It also notified the UK’s Information Commissioner’s Office and Ofcom about the attack.
Although most of the services have been restored in the affected markets, operational facilities like number porting are still unavailable, Lyca revealed.
The UK-based mobile virtual network operator (MVNO) provides mobile and voice over IP (VoIP) services to over 16 million customers across 60 countries worldwide.
GoldDigger: New Android Trojan Targets Banking Apps and Crypto Wallets
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
Threat intelligence researchers recently discovered a new Android trojan targeting financial applications in Vietnam. Dubbed GoldDigger, the malware’s primary goal is to commit financial fraud by secretly harvesting a user’s banking and other financial credentials.
According to researchers at Group-IB, the trojan is believed to have been active since June 2023 and has been monitoring users of more than 50 financial apps, e-wallets, and crypto apps in Vietnam.
In addition to Vietnamese, the app also had translation support for Spanish and traditional Chinese. “[..] these attacks may potentially extend their reach beyond Vietnam, encompassing Spanish-speaking nations and other countries in the APAC region,” Group-IB said.
Moreover, it has been found that the malware is being distributed via phishing sites impersonating either a Google Play page or a corporate website. The trojan itself is disguised as a fake Android application of a local energy company or Vietnamese government portal.
Although the trojan disguises itself as a seemingly legitimate app, it can successfully install and harvest user information only when the Android “Install from Unknown Sources” setting is enabled. When on, this setting allows the installation of third-party APKs onto the device.
Once installed, the malicious app requests many intrusive permissions, and exploits Android’s Accessibility Service to harvest sensitive user information, steal credentials, intercept SMS messages, and execute remote access commands. This stolen data is then transferred to a threat actor-controlled command and control (C2) server.
“Granting Accessibility Service permissions to GoldDigger enables it to gain full visibility into user actions and interact with user interface elements. This means it can see the victim’s balance, harvest the second credential issued for two-factor authentication, and implement keylogging functions, allowing it to capture credentials,” the investigation revealed.
During the investigation, the researchers also discovered the use of an advanced obfuscation technique: Virbox Protector, which prevents detection. “Virbox Protector, a legitimate software [..], presents a challenge in triggering malicious activity in sandboxes or emulators.”
With such malicious applications in circulation, it’s essential that mobile users keep their devices updated, download and install applications only from verified sources, and be careful when granting the permissions that apps request.