Android malware, and respectively Android security, is no joke. The mobile OS is constantly being attacked by malicious apps, draining the victim’s personal and banking information. The latest Android overlay malware case registered by security researchers at FireEye is no different.
Hackers have been targeting Android users in Denmark, Italy and Germany, harvesting credit card information via a piece of overlay malware designed to spoof the interfaces of Uber, WhatsApp and Google Play. It’s yet another SMS phishing (or smishing) campaign users should be very cautious of.
Related: Vishing, Smishing, and Phishing
Android Overlay Malware in Smishing Campaigns
Android overlay malware continues to evolve and grow into a severe mobile security threat. FireEye researchers have monitored and analyzed at least 55 malicious programs using the overlay method. The preferred region for all of the campaigns is Europe.
Earlier versions of this malware family were aimed at banking applications. Thanks to its evolution, now the malware can spoof the interfaces of more popular apps – like WhatsApp and GooglePlay.
More about the Android Smishing Attack
Simply put, once downloaded, the malware will build user interfaces on top of real apps, as an overlay. The interfaces will then ask for credit card details and will eventually send the entered information to the attacker.
Since February, the security firm has observed that the Android malware has been distributed in five campaigns. In one campaign, the attackers successfully generated at least 130,000 clicks to the location where the malware was hosted.
Things are getting serious as later versions of the malware become better at evading detection. apparently, just 6 out of 54 tested AV solutions caught the malicious behavior.
What is worse is that…
Through our close monitoring of overlay malware spreading via Smishing messages, we recently observed that these types of attacks did not stop despite publicity from security researchers. […]In total, we identified 12 C2 servers hosted in five different countries that were involved in these campaigns. Among them, the IP address 184.108.40.206 has been used by 24 malicious apps in two campaigns and 220.127.116.11 has been used by eight malicious apps. We also observed that four C2 servers are within the same 18.104.22.168/24 network segment. All this suggests that the threat actors have control over considerable network resources.