By Deeba Ahmed
The hackers behind Rsocks botnet used the hacked IoT devices as proxy servers where its customers would pay…
This is a post from HackRead.com Read the original post: Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

****The hackers behind Rsocks botnet used the hacked IoT devices as proxy servers where its customers would pay them for using the device’s IP address while the device owner remained unaware of the exploitation.****

The US Department of Justice (DoJ) seized and dismantled a Russian botnet infrastructure, the operators of which hijacked millions of devices across the globe to offer IP proxy service.

The prosecutors alleged that Rsocks was in use by an undisclosed, notorious Russian hacker(s) running a sophisticated cybercrime organization. The gang offered web proxy service after hacking into millions of IoT devices, computers, laptops, and Android smartphones.

**How did the Seizure happen?**

In a press release, the DoJ confirmed the involvement of law enforcement agencies from the UK, the Netherlands, and Germany in this operation launched in 2017 by the Federal Bureau of Investigation (FBI).

Seized Rsocks website

The bureau secretly purchased proxies from Rsocks to track its infrastructure and located at least 325,000 infected devices in the US. Prosecutors claimed that the botnet conducted cyber intrusions within the US and abroad.

**What are Proxy Servers?**

Proxy service operators provide access to IP addresses to interested users for a fee. Though not inherently illegal, the service manages to bypass censorship and access geo-restricted content for the user.

In the case of Rsocks’ botnet, the hackers used the devices as proxy servers. The customers would pay them for using the compromised devices’ IP address while the device owner remained unaware of the exploitation.

> “The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic.”
> 
> Department of Justice

**A Botnet Comprising 8M Residential Devices**

As per the information shared by Rsocks on Twitter, the botnet had claimed 8 million residential devices and over a million mobile IPs. According to the prosecutors, Rsocks used brute force attacks to invade millions of devices and expand the botnet army illegally.

An archive copy of the now seized website

The operators not only victimized individuals and home businesses but also high-profile private and public entities, including a hotel, a university, a TV studio, and an electronics maker.

**How Was Rsocks Used?**

Reportedly, those intending to avail Rsocks proxies rented the access through an online storefront for different timelines and rates, ranging from $30/day for accessing 2,000 proxies to $200/day for 90,000 proxies.

After purchasing, the cybercriminals redirected malicious internet traffic via the IP addresses linked to the infected devices to hide their identity and launch various attacks such as credentials stuffing, hijacking social media accounts, or phishing messages.

This seizure comes just two weeks after the US authorities seized another illegal marketplace, SSNDOB, for stealing/selling the private data of around 24 million US citizens.

**More Botnet Seizure News**

*   Microsoft takes down largest botnet network “Necurs”
*   World’s Most ‘Resilient Malware’ Botnet Emotet Taken Down
*   The US jails Russian hacker for 8 years over botnet, bank fraud
*   Hacker disrupts Emotet botnet operation by replacing payload with GIFs
*   FBI Disrupts Cyclops Blink Botnet Used by Russian Intelligence Directorate

Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

RSOCKS commandeered millions of devices in order to offer proxy services used to mask malicious traffic.

A Russian botnet known as RSOCKS has been dismantled – but not before infecting millions of devices globally.

Like many botnets, RSOCKS initially targeted Internet of Things (IoT) devices, but it soon expanded to industrial control systems, Android devices, and PCs, according to the US Department of Justice (DoJ). Its specialty was providing cover for large-scale credential-stuffing attacks and other malicious activity by offering clients access to the IP addresses of these nodes for proxy purposes, according to the DoJ.

Via a Web-based “storefront,” users could rent access to a pool of proxies for a specified daily, weekly, or monthly time period, at prices ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

"The customer could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic," according to the DoJ's statement on the RSOCKS takedown. "It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages."

The DoJ worked with law enforcement in Germany, the Netherlands, and the United Kingdom to disrupt the botnet.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Feds Take Down Russian 'RSOCKS' Botnet

The operators behind BRATA have once again added more capabilities to the Android mobile malware in an attempt to make their attacks against financial apps more stealthy.
"In fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern," Italian cybersecurity firm Cleafy said in a report last week. "This term is used to describe an attack campaign in which

The operators behind BRATA have once again added more capabilities to the Android mobile malware in an attempt to make their attacks against financial apps more stealthy.

"In fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern," Italian cybersecurity firm Cleafy said in a report last week. "This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information."

An acronym for "Brazilian Remote Access Tool Android," BRATA was first detected in the wild in Brazil in late 2018, before making its first appearance in Europe last April, while masquerading as antivirus software and other common productivity tools to trick users into downloading them.

The change in the attack pattern, which scaled new highs in early April 2022, involves tailoring the malware to strike a specific financial institution at a time, switching to a different bank only after the victim begins implementing countermeasures against the threat.

Also incorporated in the rogue apps are new features that enable it to impersonate the login page of the financial institution to harvest credentials, access SMS messages, and sideload a second-stage payload ("unrar.jar") from a remote server to log events on the compromised device.

"The combination of the phishing page with the possibility to receive and read the victim's sms could be used to perform a complete Account Takeover (ATO) attack," the researchers said.

Additionally, Cleafy said it found a separate Android app package sample ("SMSAppSicura.apk") that used the same command-and-control (C2) infrastructure as BRATA to siphon SMS messages, indicating that the threat actors are testing out different methods to expand their reach.

The SMS stealer app is said to be specifically singling out users in the U.K., Italy, and Spain, its goal being able to intercept and exfiltrate all incoming messages related to one-time passwords sent by banks.

"The first campaigns of malware were distributed through fake antivirus or other common apps, while during the campaigns the malware is taking the turn of an APT attack against the customer of a specific Italian bank," the researchers said.

"They usually focus on delivering malicious applications targeted to a specific bank for a couple of months, and then moving to another target."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

BRATA Android Malware Gains Advanced Mobile Threat Capabilities

Plus: Firefox adds new privacy protections, a big Intel and AMD chip flaw, and more of the week’s top security news.

This week, WIRED revealed new details that link an Indian police force to a hacking campaign against human rights defenders and activists. Researchers at SentinelOne uncovered connections between the city of Pune’s police agency and evidence planted on the devices of activists, as part of a hacking campaign dubbed Modified Elephant. It is alleged that evidence was planted on the computers of activists Rona Wilson and Varvara Rao and then used to arrest the two men. Among other details, an unnamed security analyst at an email provider revealed to SentinelOne and WIRED that the email address and phone number of a Pune police official was set as the recovery email on hacked accounts.

Elsewhere, a new front is emerging in Russia’s war against Ukraine. In the occupied city of Kherson and other nearby regions, Russian forces are routing internet connections from Ukrainian internet service providers to Russian companies. Ukrainian officials tell WIRED the shifts are happening at a large scale and could result in people being subjected to Vladimir Putin’s surveillance and censorship machine.

Robocalls aren’t going away. There’s been progress in tackling the nuisance calls in recent years but the spammy calls are still prevalent. This week we looked into the roots of the problem and what can still be done in the fight against robocalls. We also looked at a new way for cops to collect your fingerprints. How censors in Shanghai haven’t been able to hide stories of the city’s dead during an aggressive Covid-19 lockdown. And the dwindling options facing WikiLeaks founder Julian Assange after the UK Home Office approved his extradition to the US, where he faces espionage and hacking charges.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

Viktor Muller Ferreira had a traumatic childhood. Growing up, his father and mother—who had adopted him—split up. His mother later died of pneumonia, and his aunt, who raised him, also passed away. The family didn’t have much money. At school, children bullied Ferreira for his looks and his weird accent. As a result, he didn’t have many friends.

One day when his aunt was out, a neighborhood boy came round and told Ferreira that he was the fairy tale character Grey Shadow and he was going to “devour” him. “This scared me so much that I spent the entire day in a small box out on the balcony, praying until my aunt came home.” As he grew older he worked in a garage, took an interest in journalism, and moved to Brazil to reunite with his estranged father and “restore my citizenship.”

Except, according to authorities in the Netherlands, none of that is true.

Dutch intelligence agency AVID claimed this week that “Viktor Muller Ferreira” is just a cover story and false identity for Sergey Vladimirovich Cherkasov, an alleged Russian intelligence officer belonging to the GRU military unit. AVID said it caught Cherkasov applying to be an intern at the International Criminal Court at The Hague, which is investigating potential war crimes in Russia’s wars against Ukraine and Georgia.

As well as stopping Cherkasov from obtaining the position at the ICC and sending him back to Brazil, the Dutch intelligence agency also published his long and detailed cover story. The four-page story, often known as a covert intelligence officer’s “legend,” details the background of the “Ferreira” identity. “The threat posed by this intelligence officer is deemed potentially very high,” AVID said in a statement.

Since outing “Ferreira,” more clues about his undercover life have emerged. Social media profiles belonging to “Ferreira” have been discovered by the investigative unit Bellingcat, as well as a blog and online CV. He also studied at Trinity College Dublin and Johns Hopkins University. Eugene Finkel, an associate professor at Johns Hopkins, who says he taught “Ferreira,” tweeted: “I wrote him a letter. A strong one, in fact. Yes, me. I wrote a reference letter for a GRU officer. I will never get over this fact. I hate everything about GRU, him, this story. I am so glad he was exposed.”

For years it’s been impossible to move backups of WhatsApp chats between Android and iOS, and vice versa. In August last year, WhatsApp announced it was starting to roll out the ability for people to move their data between iPhones and Android devices. Now, this week, the Meta-owned company says backups will work in the other direction too—from Android to iOS.

Processors from Intel and AMD are vulnerable to a new side-channel attack called Hertzbleed. The attack could allow the theft of cryptographic keys and data, as reported by BleepingComputer and DarkReading. Hertzbleed works by exploiting a common power-saving feature in chips—called dynamic frequency scaling (DVFS)—that could allow an attacker to steal data. Frequency changes in DVFS may be correlated with information being processed by chips, Intel says in a blog post. Despite this, neither Intel nor AMD appear to have plans to address the issue. However, the risk to end users seems low at the moment. The team of researchers who found Hertzbleed say ordinary users probably shouldn’t be worried.

Ever since Covid-19 started spreading in early 2020, technological systems have been developed to try to control its spread. In China, a mandatory health code system was created to monitor people’s health status—people with a red code are required to self-isolate, those with a green code are allowed to move freely. These health codes are tied to people’s phones. Now, according to multiple reports, people in the Chinese province of Henan claim their plans to protest have been blocked as their health code has been turned red. Several people impacted claim they have not been around anyone positive with Covid-19 and the change is an abuse of power by officials.

Mozilla’s web browser may have been struggling in recent years, but it is still one of the most privacy-friendly browsers. This week the company said Firefox is turning on its Total Cookie Protection feature by default for everyone using the browser. Any cookies saved to your computer will be available only to the website that placed them there, Mozilla explains in a blog post. “Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites,” the company says, adding it is “Firefox’s strongest privacy protection to date.”

In November 2021, the US sanctioned notorious Israeli spyware firm NSO Group. The company’s Pegasus hacking tool has been used around the world to spy on journalists and activists. This week it emerged that US defense firm L3Harris is interested in purchasing the technology behind Pegasus, as the _Financial Times_ reports. Any purchase of the technology by a US company would potentially put it at odds with the Biden administration, which blacklisted NSO. Talk of the potential deal, which was said to be in early stages, has prompted criticism from the White House. “We are deeply concerned,” a senior official told the _Washington Post_. They said the deal could cause security and counterintelligence issues for the US.

An Alleged Russian Spy Was Busted Trying to Intern at The Hague

The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K.
The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (

The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K.

The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones, and computers for use as a proxy service.

Botnets, a constantly evolving threat, are networks of hijacked computer devices that are under the control of a single attacking party and are used to facilitate a variety of large-scale cyber intrusions such as distributed denial-of-service (DDoS) attacks, email spam, and cryptojacking.

"The RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked," the DoJ said in a press release. "The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic."

Besides home businesses and individuals, several large public and private entities, including a university, a hotel, a television studio, and an electronics manufacturer, have been victimized by the botnet to date, the prosecutors said.

Customers wanting to avail proxies from RSOCKS could rent access via a web-based storefront for different time periods at various price points ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

Once purchased, criminal actors could then redirect malicious internet traffic through the IP addresses associated with the compromised victim devices to conceal their true intent, which was to carry out credential stuffing attacks, access compromised social media accounts, and send out phishing messages.

The action is the culmination of an undercover operation mounted by the Federal Bureau of Investigation (FBI) in early 2017, when it made covert purchases from RSOCKS to map out its infrastructure and its victims, allowing it to determine roughly 325,000 infected devices.

"Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised the victim device by conducting brute force attacks," the DoJ said. "The RSOCKS backend servers maintained a persistent connection to the compromised device."

The disruption of RSOCKS arrives less than two weeks after it seized an illicit online marketplace known as SSNDOB for trafficking personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices

By Deeba Ahmed
MaliBot Android Malware is also capable of bypassing 2FA (Two-factor authentication). F5 Labs researchers have discovered a new…
This is a post from HackRead.com Read the original post: New MaliBot Android Malware Found Stealing Personal, Banking Data

****MaliBot Android Malware is also capable of bypassing 2FA (Two-factor authentication).****

F5 Labs researchers have discovered a new Android malware family that can exfiltrate personal and financial data after compromising devices. According to researchers, the malware can not only bypass multi-factor authentication processes, but can also steal banking data, passwords, and cryptocurrency wallets.

It is worth noting that the malware is distributed through fraudulent websites and tricks victims into downloading it, thinking it is a popular cryptocurrency tracking app. It is also distributed through smishing.

Furthermore, researchers have identified two malicious sites distributing MaliBot. One of them is a fake version of TheCryptoApp that boasts over a million downloads on the Google Play Store.

**Details of MaliBot**

F5 Labs has dubbed the Android malware MaliBot. This powerful malware disguised as a cryptocurrency mining application may pretend to be another app or a Chrome browser. It asks the user for accessibility and launcher permissions when downloaded to monitor the device and carry out its malicious operations.

MaliBot uses a Virtual Network Computing (VNC) server implementation to gain control of the infected devices. Once it infects a device, it starts exfiltrating financial data and steals PII (personally identifiable information) and cryptocurrency wallet information.

Research revealed that the malware’s C2 server is based in Russia and the servers are the same that were previously used for distributing the Sality malware. From June 2020, the IP was used to launch different malware campaigns.

**MaliBot Capabilities**

MaliBot has diverse capabilities, such as it supports web injections and can be used in overlay attacks. It can run and delete applications and steal sensitive data such as MFA codes, cookies, SMS messages, etc.

It can remotely steal passwords and access text messages, crypto wallet information, web browser cookies, bank details, and capture screenshots from compromised devices. It can also bypass MFA protection.

It mainly abuses the Android Accessibility API that lets it perform specific actions without asking for user permission or interaction and maintain persistence on the infected device. It also bypasses 2FA processes by validating Google prompts via the Accessibility API and steals 2FA codes, which are later transferred to the attacker.

When distributed via SMS messages, the malware can log exceptions and registers itself as a launcher. Bypassing protections around crypto wallets lets the attackers steal bitcoins and other cryptocurrencies from the victim’s wallet linked to the infected device.

Lastly, like FluBot, MaliBot can send SMS messages to other users to spread the infection chain. Currently, this campaign is targeting Spanish and Italian bank customers, but the scope of infection may soon broaden, F5 Labs researcher Dor Nizar noted.

**More Android Malware News**

*   Authorities Take Down SMS-based FluBot Android Spyware
*   Predator Spyware Using Zero-day to Target Android Devices
*   Ginp Android trojan targets banking apps & threaten 2FA/SMS
*   HiddenMiner Android Monero Mining Malware Cause Device Failure
*   New Android banking malware Xenomorph found in Play Store apps

New MaliBot Android Malware Found Stealing Personal, Banking Data

Sock it to ‘em

US law enforcement has announced the dismantling of infrastructure used by a Russian botnet responsible for the compromise of millions of computers and internet-connected devices worldwide.

Cybercrooks have previously paid the ‘RSOCKS’ botnet to leverage these hacked devices in the service of large-scale credential stuffing attacks, whereby stolen login credentials are automatically fed into online login pages at high speed.

According to a US Department of Justice (DoJ) press release published yesterday (June 16), they also used the commandeered IP addresses to anonymize themselves when accessing compromised social media accounts or sending malicious phishing emails.

**Flexible pricing**

The RSOCKS botnet rented out the compromised devices’ IP addresses to cybercriminals at daily, weekly, and monthly rates via an internet – as opposed to dark web – website.

‘Customers’ were charged between $30 per day for access to a pool of 2,000 proxy computers and $200 per day for access to 90,000 proxies, said the DoJ.

Catch up on the latest cybercrime news

An investigation, which also involved law enforcement agencies in the UK, Germany, and Netherlands, determined that the attackers used brute-force attacks – an umbrella term for trial-and-error account takeover techniques – to compromise devices.

Victim organizations have included a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals, said the DoJ.

The DoJ said the botnet initially targeted Internet of Things (IoT) devices and later diversified into hacking Android devices and desktop computers.

**Undercover purchase**

The infrastructure used to power the botnet was taken down after an investigation in which the FBI identified around 325,000 compromised devices worldwide after making an undercover purchase from the nefarious site in early 2017.

With the victims’ consent, investigators replaced compromised devices with government-controlled ‘honeypot’ computers at three locations and all three were subsequently compromised by RSOCKS, according to the DoJ.

“Cybercriminals will not escape justice regardless of where they operate,” said US attorney Randy Grossman. “Working with public and private partners around the globe, we will relentlessly pursue them while using all the tools at our disposal to disrupt their threats and prosecute those responsible.”

FBI Special Agent in Charge Stacey Moy said: “This operation disrupted a highly sophisticated Russia-based cybercrime organization that conducted cyber intrusions in the United States and abroad.

“Our fight against cybercriminal platforms is a critical component in ensuring cybersecurity and safety in the United States. The actions we are announcing today are a testament to the FBI’s ongoing commitment to pursuing foreign threat actors in collaboration with our international and private sector partners.”

RELATED Dark web awash with breached credentials, study finds

Russian botnet ‘RSOCKS’ dismantled after hacking millions of devices

An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.
Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front

An enterprise-grade surveillanceware dubbed **Hermit** has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.

Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front company. The San Francisco-based cybersecurity firm said it detected the campaign aimed at Kazakhstan in April 2022.

Hermit is modular and comes with myriad capabilities that allow it to "exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages," Lookout researchers Justin Albrecht and Paul Shunk said in a new write-up.

The spyware is believed to be distributed via SMS messages that trick users into installing what are seemingly innocuous apps from Samsung, Vivo, and Oppo, which, when opened, loads a website from the impersonated company while stealthily activating the kill chain in the background.

Like other Android malware threats, Hermit is engineered to abuse its access to accessibility services and other core components of the operating system (i.e., contacts, camera, calendar, clipboard, etc.) for most of its malicious activities.

Android devices have been at the receiving end of spyware in the past. In November 2021, the threat actor tracked as APT-C-23 (aka Arid Viper) was linked to a wave of attacks targeting Middle East users with new variants of FrozenCell.

Then last month, Google's Threat Analysis Group (TAG) disclosed that at least government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are buying Android zero-day exploits for covert surveillance campaigns.

"RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher," the researchers noted.

"Collectively branded as 'lawful intercept' companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies. In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials."

The findings come as the Israel-based NSO Group is said to be reportedly in talks to sell off its Pegasus technology to U.S. defense contractor L3Harris, the company that manufactures StingRay cellular phone trackers, prompting concerns that it could open the door for law enforcement's use of the controversial hacking tool.

The German maker behind FinFisher has been courting troubles of its own in the wake of raids conducted by investigating authorities in connection with suspected violations of foreign trading laws by way of selling its spyware in Turkey without obtaining the required license.

Earlier this March, it shut down its operations and filed for insolvency, Netzpolitik and Bloomberg reported, adding, "the office has been dissolved, the employees have been laid off, and business operations have ceased."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy

By Deeba Ahmed
The apps were loaded with info-stealing malware that can extract victims’ Facebook credentials and download other software, etc.…
This is a post from HackRead.com Read the original post: Play Store Apps Caught Spreading Android Malware to Millions

****The apps were loaded with info-stealing malware that can extract victims’ Facebook credentials and download other software, etc.****

According to researchers at Dr. Web, at least a dozen mobile apps on Google Play Store contain info-stealing malware, adware, and other types of malicious software. Most of the apps are Android\-based and collectively boast over 2 million downloads. Based on the app reviews, users aren’t too happy with these apps because of their shady functioning.

**Details of Malicious Apps**

Researchers noted that five infected apps were available for download on Play Store. These include:

1.  **Wild & Exotic Animal Wallpaper:** It contains adware that replaces its name with SIM Tool Kit soon after downloading. It has 500,000 downloads so far.
2.  **PIP Pic Camera Photo Editor**– This app appears as an image editor, but in reality, it steals the Facebook credentials of its users. This app has over 100,000 downloads.
3.  **ZodiHoroscope – Fortune Finder-** This is another malicious app designed to steal Facebook credentials. It has 500,000 downloads.
4.  **PIP Camera 2022**– This app showcases various camera effects but actually steals your Facebook profile information. Around 50,000 users have downloaded it.
5.  **Magnifier Flashlight:** This malicious app contains adware and has around 10,000 downloads.

According to Dr.Web’s report, researchers identified four additional malicious apps that aren’t available on the platform anymore. The apps included a racing game, an app offering deleted photos recovery, a state compensation app for Russians, and an app for free access to OnlyFans.

Though these apps are no longer available to the general public, the risk posed to users who have downloaded them already cannot be overlooked. The worrying aspect is that the malicious apps can steal data from other apps installed on your phone.

Malicious apps pointed out by Dr.Web

**Lesson**

When this article was published, all apps highlighted by Dr. Web were removed from Google Play Store. However, the lesson for smartphone users is that they must not download unnecessary apps from Official or third-party app stores.

Furthermore, always read reviews and feedback in the app’s review section. Although some reviews can be fake or published by developers to promote their app, primarily, the review section plays a vital role in keeping users secure by avoiding downloading malicious apps.

**More Android Malware News**

*   Play Store apps plagued with malware have 700,000 downloads
*   BRATA Android malware factory resets phones after stealing funds
*   New Android banking malware Xenomorph found in Play Store apps
*   Web3 Backdoor Wallets Stealing Seed Phrases from iOS/Android Users
*   New Russian Android Malware Tracks GPS Location and Spies on Victims

Play Store Apps Caught Spreading Android Malware to Millions

The commercial-grade surveillance software initially was used by law enforcement authorities in Italy in 2019, according to a new report.

Researchers have discovered an enterprise-grade Android family of modular spyware dubbed Hermit conducting surveillance on citizens of Kazakhstan by their government.

Lookout Threat Lab researchers - who spotted the spyware - surmise that the secretive Italian spyware vendor RCS Lab developed it and say Hermit was previously deployed by Italian authorities in a 2019 anti-corruption operation in Italy. The spyware also was found in northeastern Syria, home to the country's Kurdish majority and a site of ongoing crises, including the Syrian civil war.

Android devices have been abused with spyware in the past; Sophos researchers uncovered new variants of Android spyware linked to a Middle Eastern APT group back in November 2021. More recent analysis from Google TAG indicates at least eight governments from across the globe are buying Android zero-day exploits for covert surveillance purposes.

Mike Parkin, senior technical engineer at Vulcan Cyber, says spyware is a tool used by many actors worldwide, including criminal organizations, state or state-sponsored threat actors, national security, and law-enforcement organizations following their own mandates.

"Regardless of who is using it or what agenda they are working toward, these commercial- grade spyware tools can seriously threaten people's personal privacy," he says.

The highest profile spyware case in recent memory was the discovery of Pegasus, a legal surveillance software developed by Israeli company NSO Group. The news caused an international furor after it was found covertly installed on iOS and Android mobile phones belonging to human rights activists, journalists, and high-ranking members of governments.

**How Hermit Works**

Hermit first gets installed on a targeted device as a framework with minimal surveillance capability. Then it can download modules from a command-and-control (C2) server as instructed and activate the spying functionality built into these modules.

This modular approach masks the malware from automated analysis of the app and makes manual malware analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or the capabilities of a target device. Hermit can also alter its behavior as needed to evade analysis tools and processes.

"The modular design might also be part of the business model of the software vendor, allowing them to sell individual spying features as value-add line items," explains Paul Shunk, security researcher at Lookout, which published a report on Hermit today.

Shunk says the overall design and code quality of the malware stands out compared with many other samples he has seen. 

"It was clear this was professionally developed by creators with an understanding of software engineering best practices," he says. "Beyond that, it is not very often we come across malware \[that\] assumes it will be able to successfully exploit a device and make use of elevated root permissions."

The discovery of Hermit adds another puzzle piece to the picture of the secretive market for "lawful intercept" surveillance tools, he says.

"As in the cases of NSO, Cytrox, and other vendors, discovery of their customers usually exposes their claim that their product is only used for legitimate purposes as at least partially untrue," Shunk says.

One of the Hermit samples Lookout analyzed used a Kazakh language website as its decoy.

And the main C2 server used by the app was just a proxy, with the real C2 being hosted on an IP from Kazakhstan. 

"The combination of the targeting of Kazakh-speaking users and the location of the back-end C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan," Shunk says.

Lookout says an Apple iOS version of the spyware exists as well, but the research team was unable to obtain a sample to analyze.

**'MaliBot' Targets Online Banking**

Meanwhile, another Android-based malware family reared its head this week in the form of Malibot, which is targeting online banking customers in Spain and Italy with the capability to steal credentials and crypto wallets. The malware was discovered by F5 Labs while the security company was tracking the mobile banking Trojan FluBot.

The malware consists of two campaigns: Mining X, which presents a QR code that leads to the malware Android Package Kit, and TheCryptoApp, which attempts to dupe users into downloading a fake version of the popular cryptocurrency tracker app available on the Google Play Store. 

It's also able to steal or bypass multifactor authentication codes and trick victims into downloading the malware either via a direct SMS phishing message or via fake websites they're lured to.

"This is certainly one to pay attention to and F5 expects to see a broader range of targets as time goes on, especially given the versatility of the malware could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency," F5 warns in a blog post.

Tag

#android