The mobile platform is ubiquitous — enabling users to make online transactions, run their everyday lives, or even use it in the workplace. It’s no surprise that fraudsters and cybercriminals would want to cash in on it. Delivering adware, for example, enables them to monetize affected devices while attempting to be innocuous. And while they may be viewed as a nuisance at best, mobile ad fraud- and adware-related incidents became so rampant last year that it cost businesses hefty financial losses.Read More
The 2018 mobile threat landscape had banking trojans that diversified their tactics and techniques to evade detection and further monetize their malware — and in the case of the Anubis Android malware, retooled for other malicious activities. Anubis underwent several changes since it first emerged, from being used for cyberespionage to being retooled as a banking malware, combining information theft and ransomware-like routines. In mid-January of 2019, we saw Anubis use a plethora of techniques, including the use of motion-based sensors to elude sandbox analysis and overlays to steal personally identifiable information.
The latest samples of Anubis (detected by Trend Micro as AndroidOS_AnubisDropper) we recently came across are no different. While tracking Anubis’ activities, we saw two related servers containing 17,490 samples.Read More
We recently observed an active adware campaign (detected by Trend Micro as AndroidOS_HiddenAd.HRXAA and AndroidOS_HiddenAd.GCLA) concealed in free-to-download 182 game and camera apps, majority of which were found on the Google Play Store and collectively had millions of downloads.Read More
We observed a new cryptocurrency-mining botnet that arrives via open ADB (Android Debug Bridge) ports and can spread via SSH. This attack takes advantage of the way open ADB ports don’t have authentication by default, similar to the Satori botnet variant we previously reported. This malware’s design allows it to spread from the infected host to any system that has had a previous SSH connection with the host.Read More
We uncovered a cyberespionage campaign targeting Middle Eastern countries. We named this campaign “Bouncing Golf” based on the malware’s code in the package named “golf.” The malware involved, which Trend Micro detects as AndroidOS_GolfSpy.HRX, is notable for its wide range of cyberespionage capabilities. Malicious codes are embedded in apps that the operators repackaged from legitimate applications. Monitoring the command and control (C&C) servers used by Bouncing Golf, we’ve so far observed more than 660 Android devices infected with GolfSpy. Much of the information being stolen appear to be military-related.
The campaign’s attack vector is also interesting. These repackaged, malware-laden apps are neither on Google Play nor popular third-party app marketplaces, and we only saw the website hosting the malicious apps being promoted on social media when we followed GolfSpy’s trail. We were also able to analyze some GolfSpy samples sourced from the Trend Micro mobile app reputation service.Read More