Malware researchers have recently reported on three seemingly benign Android apps that actually carry a malicious Trojan. These are trojanized versions of the apps iNoty, QuickPic, and Bluelight Filter for Eye Care.
The Nature of iNoty, QuickPic & Bluelight Filter for Eye Care Apps
These apps install and function normally at first; however, they carry malicious code. The legitimate versions of the three apps can be found on Google Play and contain no malware. The attackers copied these apps, inserted malicious code, and then distributed the modified versions to victims.
How Are the Malicious Apps Distributed?
According to researchers at Malwarebytes, the trojanized iNoty, QuickPic and Bluelight Filter for Eye Care apps are not available on the app stores. They are hosted on Baidu Cloud, a cloud-based file-sharing service.
Before this, malware experts have seen similar attacks that used Dropbox and various other services to host and spread malware. The interesting point here is that Baidu also specializes in making antivirus software. In other words, attackers use every tool available to spread the malicious products they create.
How Do the Malicious Apps Affect the User’s Device?
When these malicious apps are installed on an Android device, they start functioning normally. The injected malicious code, however, monitors the incoming messages the user receives. The apps also forward certain messages from the victims' devices and kill processes running in the background.
The malware experts at Malwarebytes warn users that these apps can cause inconvenience and plenty of trouble. The analysts believe the main purpose is monetization. The infected app signs the victim up to a paid service by sending a message from the infected phone, and the victim then gets an additional charge on the bill. This is similar to fundraisers that collect money when users donate by texting a certain number. In this case, however, the cause is not a good one.
Often SMS messages serve as a second authentication factor. Banks and some other institutions send special codes to the user's phone, which must be entered when logging into an account. With these and other apps, the cyber criminals can steal the two-factor codes, as well as the bank logins.
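The behaviour described above (reading incoming SMS, sending SMS, killing background processes) leaves a footprint in an app's manifest. As an added example that is not part of the original article or of the apps themselves, the following triage script parses a decoded AndroidManifest.xml, flags that combination of permissions and receivers, and diffs a repackaged build against the clean store version; both manifests are constructed samples, not taken from the real apps.

```python
# Added example (not from the article or the apps' authors): triage a decoded
# AndroidManifest.xml for the SMS-intercepting permission/receiver combination
# the article describes. Both manifests below are constructed samples.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

def analyse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    # A receiver for SMS_RECEIVED sees every text as it arrives; a high
    # android:priority lets it run before the default messaging app.
    receivers = [(r.get(A + "name"), int(f.get(A + "priority", "0")))
                 for r in root.iter("receiver") for f in r.iter("intent-filter")
                 if any(a.get(A + "name") == SMS_RECEIVED for a in f.iter("action"))]
    findings = []
    if receivers and perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        findings.append("intercepts incoming SMS")
    if "android.permission.SEND_SMS" in perms:
        findings.append("can send SMS from the device")
    if "android.permission.KILL_BACKGROUND_PROCESSES" in perms:
        findings.append("can kill background processes")
    return {"permissions": perms, "sms_receivers": receivers, "findings": findings}

def added_permissions(clean_xml, suspect_xml):
    # Permissions a repackaged build requests that the store version does not.
    return analyse_manifest(suspect_xml)["permissions"] - analyse_manifest(clean_xml)["permissions"]

# Constructed manifest for a plain photo-gallery app: storage access only.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

# Constructed manifest for a repackaged copy of the same app with the trojan's additions.
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application>
    <activity android:name=".Main"/>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Running analyse_manifest on a real APK requires first decoding the binary manifest (for example with apktool); the permission diff is most useful when the clean build is the copy fetched from Google Play.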
According to the security companies, Android devices are also infected by spyware installed by people who want to spy on others. Most of these apps are based on AndroRAT, and by using them the spy can retrieve and even send messages from the victim's infected phone. In general, AndroRAT can be injected into otherwise safe applications in order to infect victims' phones.
How to Stay Safe?
Cyber attackers try to spread malware to as many users as they can in order to maximize their earnings. However, certain limitations prevent them from distributing the malicious app widely. The apps spotted by Malwarebytes are not available on the Google Play Store. Thus, people who use only this store are much less likely to stumble upon a malicious app.
The cyber criminals store the malicious apps they have created on a cloud-based file-sharing service and use phishing messages and spam to attack their victims. These attacks, however, are limited by many factors, including language. The malware researchers believe that the malicious apps found earlier this week are of Chinese origin, as they are stored on a Chinese cloud service. That is why the researchers believe that users in Europe and the United States are unlikely to be infected by these apps. Still, all users should be careful and avoid third-party app stores.
Security experts recommend installing security software on Android devices to protect them from such threats.