Malicious Cloned App Fooled Google Play
The removal of some popular apps from Google Play and the Apple App Store is causing unexpected trouble. According to various sources, malware developers are exploiting the situation by creating clones of Flappy Bird and other well-known games and programs, and using those clones as carriers for malicious code. As a result, unsuspecting users are downloading and running harmful programs. Installing these apps can cause financial damage, because some of them are capable of dialing premium-rate numbers without the user's consent. Other malicious programs can spy on incoming and outgoing messages. Unfortunately, some of these applications have features with the potential to cause even greater damage.
Lookout, a company that provides security services for mobile devices, reported that a cloned banking application had been released. The app was aimed at the clients of one large Israeli bank and is a clone of a legitimate program released by the bank itself. What is more, the malicious program was available on Google Play. Although the IT giant responded quickly and removed the program from its well-known online app store, the malicious program is still causing a lot of damage.
The criminals behind this scam were successful because they managed to fool Google Play: the online store believed it was distributing a legitimate program when in fact it was spreading a malicious one. The program itself raises many questions. The most surprising thing is that the app steals the users' IDs rather than their credentials. Programs of this kind usually collect credentials, which let the criminals access bank accounts directly. Nevertheless, the stolen IDs could still be used to obtain authentication tokens or credentials in a follow-up phishing attack. It remains unclear why the criminals chose this strategy when the information they needed was within reach.
These events are destroying the belief that certain app stores are completely safe. Until recently, the idea that downloading a program from Google Play or the Apple App Store could be dangerous sounded ridiculous. As a result, internet safety professionals have to come up with new approaches to protection.
Svpeng, like other Android banking Trojans, is capable of causing even more damage than the previously mentioned malware. It is distributed via SMS spam. The Trojan targets users living in the USA, Ukraine, Belarus and Germany, and the language of the text messages is adjusted to the recipient's location, so the content of the SMS looks believable. What is more, in November IT experts reported that Svpeng had gained a new feature: on infected devices a phishing window now appears on the screen as soon as the banking application is launched. If the banking credentials are entered, they are sent straight to a command server.
Svpeng also has a payment card component. It layers a phishing window on top of Google Play and prompts the user to enter a bank card or credit card number, together with its security code and expiration date.
Svpeng is a Trojan that is modified very frequently. In addition to the components mentioned above, a ransomware component was added to this ever-changing malware. The new component accuses the user of illegal activity and demands that the victim pay a fine of 500 USD. According to security experts, this modification has now been replaced with a new one. It still behaves like typical ransomware, but targets U.S.-based users only.
Speaking to the media, one expert revealed that all seven modifications of this Trojan contain a reference to a Cryptor class. This means that all of them have the capability to encrypt data on infected devices. According to the expert, this feature might be exploited in the near future by demanding ransoms for data decryption.