Cybercriminals are using a network of hired money mules in India using an Android-based application to orchestrate a massive money laundering scheme.
The malicious application, called XHelper, is a "key tool for onboarding and managing these money mules," CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel said in a report.
Details about the scam

How Cybercriminals are Exploiting India's UPI for Money Laundering Operations

By Deeba Ahmed
It is unclear how much the hacker received as part of the Facebook bug bounty program.
This is a post from HackRead.com Read the original post: Nepali Hacker Tops Hall of Fame by Exposing Facebook’s Zero-Click Flaw

Samip Aryal, a cybersecurity researcher and an ethical hacker from Nepal, bypassed the system’s rate-limiting feature and subsequently checked possible combinations of 6-digit numbers (from 000000 to 999999) for two hours.

Samip Aryal, a Nepali bug bounty hunter, discovered a zero-click flaw in Facebook’s password reset system, potentially allowing hackers to compromise any targeted account. This exploit earned Aryal his highest bug bounty, making him top the Facebook Hall of Fame for White-Hat Hackers 2024 ranking, though the exact bounty amount remains unknown.\]

Samip Aryal tops Facebook Hall of Fame list

Aryal discovered a way to abuse Facebook’s password reset functionality without rate-limiting. The bug allowed attackers to hijack user accounts through “zero-click” attacks (without user interaction) by requesting a password reset and brute force the 6-digit security codes. 

The vulnerability was discovered in Facebook’s password reset functionality. It allowed hackers to bypass the system’s rate-limiting feature and subsequently check possible combinations of 6-digit numbers (from 000000 to 999999) for two hours.

In his blog, Aryal revealed finding a vulnerable endpoint on Android Studio while testing Facebook versions. He received a pop-up in the password reset flow offering users to send a security code through Facebook notification. The code remained active for two hours despite incorrect inputs.

“I didn’t see any sort of code invalidation after entering the correct code but with multiple previous invalid tries (unlike in the SMS reset functionality),” Aryal explained.

He used a brute-force attack methodology to cover the entire search space in an hour, revealing that some users had the nonce code displayed on the notification, a zero-click exploit. The code was displayed on another screen with a single click.

For your information, a cryptographic nonce is an arbitrary number that can only be used once in a cryptographic communication. He further noted that hackers could hijack Facebook user accounts by choosing any account, going to its password reset flow, selecting “Send code via Facebook notification,” trying any code to receive a server response, and brute forcing it in two hours. Facebook application users would receive notifications with a six-digit code or prompting them to tap to see the login code.

PoC GIF

Aryal responsibly disclosed the flaw to Facebook on January 30, 2024, and the issue was fixed on February 2. 

The vulnerability could lead to personal information theft, disinformation spread, and network attacks. Being aware of emerging security threats on Meta and other social networking platforms is also crucial to keep your accounts protected.

It is worth mentioning that Meta accounts have particularly been the target of scams lately. In March 2023, researchers at Guardio discovered an info-stealing campaign involving fake ChatGPT extensions claiming to integrate with Google search results but in reality attempting to steal Facebook accounts. 

WithSecure cybersecurity firm identified a connection between recent DarkGate malware attacks and Vietnam-based threat actors attempting to hijack Meta business accounts and steal sensitive data in October 2023.

To stay safe, users should enable two-factor authentication, use strong, unique passwords, be cautious with password reset requests, and stay updated on security threats. 

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **10 Famous Bug Bounty Hunters of All Time**
3.  **Bug bounty: Hack Tesla Model 3 to win your own Model 3**
4.  **OpenAI’s ChatGPT Bug Bounty Program – Earn $200 to $20k**
5.  **Bug Bounty: Earn $40K for hacking Facebook, Instagram, WhatsApp**

Nepali Hacker Tops Hall of Fame by Exposing Facebook’s Zero-Click Flaw

By Deeba Ahmed
Lookout urges crypto users to be on the lookout of the new and tricky phishing campaign.
This is a post from HackRead.com Read the original post: CryptoChameleon Phishing Scam Targets Crypto Users and FCC Employees

So far, the CryptoChameleon phishing scam has successfully phished over 100 victims, with many still active.

Lookout has discovered a multi-pronged **phishing campaign**, dubbed “CryptoChameleon,” that mimics legitimate login pages for cryptocurrency platforms and the Federal Communications Commission (FCC) via mobile devices.

The kit uses carbon copies of SSO pages and phishing via email, SMS, and voice to trick victims into sharing sensitive information, including usernames, passwords, password reset URLs, and photo IDs, mainly targeting US-based users. 

Researchers detected the suspicious phishing kit when they found a suspicious new domain registration, fcc-oktacom. The **phishing kit** targets cryptocurrency platforms and SSO services and can impersonate various company brands, with Coinbase being the most frequently targeted service. Researchers identified other websites using the kit, with most using a subdomain of official-servercom as their C2.

The attack as reported by Lookout in its **blog post**, has successfully phished over 100 victims, with many still active. Notable files in the kit include the C2 server URL, client-side logic, and style sheets. Cybercriminals use RetnNet hosting for most sites.

Victims have to first complete a captcha using hCaptcha, which prevents automated analysis tools from identifying the site and creates a sense of credibility for the site. Once done, a login page mimicking the FCC’s official **Okta** page is launched, where victims enter their credentials and wait for a login or MFA token. 

The attacker monitors this page via an administrative console and can select where to send the victim’s information. They try to log in using the victim’s credentials in real-time and redirect them to the appropriate page based on the requested information from the MFA service. 

The phishing page could be customized by providing the victim’s phone number and choosing between a 6- or 7-digit code. The phishing kit targets cryptocurrency platforms and SSO services, impersonating various company brands, with Coinbase being the most frequently targeted service. 

Additionally, victims are lured through phone calls, emails, and text messages, while phishing emails are disguised as legitimate messages from **cryptocurrency platforms** or the FCC containing malicious links, while SMS messages resemble legitimate notifications.

Furthermore, Voice phishing involves impersonating representatives to trick victims into revealing confidential information over the phone. Most legitimate victim data came from iOS and Android devices, indicating the attack is primarily targeted at mobile devices. 

A phishing page masquerading as the FCC, along with a malicious text message containing a phishing link, was discovered by attackers, (Credit: Lookout)

Researchers suspect that **Scattered Spider** could be behind this attack because Scattered Spire also impersonates Okta, registers domains using companyname-okta.com, and homoglyph swapping. However, the phishing kit has significantly different capabilities and C2 infrastructure.

CryptoChameleon is a unique phishing campaign that targets multiple devices, mimics genuine login pages, and uses advanced techniques like hCaptcha to bypass detection tools and enhance the legitimacy of their websites, making them difficult to distinguish from legitimate ones.

Researchers suggest users be cautious with **unsolicited messages**, verify the source of messages, and avoid sharing sensitive information online. Moreover, users must use strong, unique passwords, and stay informed on the latest phishing tactics and best practices for online security.

****Experts Opinion****

For insights, we reached out to **Jason Soroko**, Senior Vice President of Product at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) who stressed moving from traditional login and password and **providing cybersecurity training and social engineering to employees**.

“Neither the usage of fake login screens nor lookalike domain names is novel, however, each of these techniques is effective in harvesting username and password credentials. What security teams should be doing is getting away from username and password authentication. If this isn’t possible, we have to go back to fundamental training in social engineering.”

“We have been taught not to open attachments in emails that have specific characteristics, however, people also need to be taught to scrutinize the domains of websites they are entering credentials into. Ideally, we must get away from weak forms of authentication that can be harvested this way,” Jason advised.

1.  **EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA**
2.  **Russian Hackers Employ Telekopye Toolkit in Phishing Attacks**
3.  **NPM Typosquatting Deploys r77 Rootkit via Legitimate Package**
4.  **Storm-1283 Sent 927K Phishing Emails with Malicious OAuth Apps**
5.  **Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users**

CryptoChameleon Phishing Scam Targets Crypto Users and FCC Employees

By Deeba Ahmed
Don't confuse the XHelper app with the notorious XHelper malware, which targets Android devices and is notoriously difficult to remove.
This is a post from HackRead.com Read the original post: Android Money Transfer XHelper App Exposed as Money Laundering Network

The XHelper App, an APK found on third-party app stores, has been exposed over its large-scale money laundering operation involving Chinese scammers.

CloudSEK researchers have discovered XHelper, an Android app (not to be confused with the **nasty XHelper malware**) linked to a money laundering network, disguised as legitimate websites for scams like fake payment gateways and illegal gambling.

In October 2023, the CloudSEK Threat Intelligence (TI) team **discovered** a critical loophole in India’s banking infrastructure being exploited by Chinese threat actors in a “large-scale money laundering scheme targeting Indian citizens.” The scheme involved hundreds of thousands of compromised “money mule” accounts, transferring funds back to China.

For your information, **money mules** are individuals involved in fraudulent activities, transferring funds and executing financial crimes like cyber fraud or money laundering. 

Now, according to CloudSEK’s **blog post**, the XHelper app is distributed through websites designed as legitimate Money Transfer Businesses, while funds are converted into cryptocurrencies, and scammers are paid in USDT after deducting commissions. 

The operation involves money mules activating order intake within the XHelper app, receiving/fulfilling money laundering tasks, and executing illicit fund transfers using their linked bank app. Successful order completion results in financial rewards within the app, incentivizing continued participation. 

Money mules are recruited by agents; they operate within a network through multiple Telegram channels. They prefer corporate bank accounts with higher transaction limits as it allows them to move large sums of money more efficiently. 

The Xhelper app features a referral system, allowing agents to invite others and earn bonuses for successful recruitment. This pyramid-like structure amplifies the reach of illicit activities. It is a sophisticated app designed to **facilitate money laundering** across the globe, swiftly managing money mule schemes via deceptive payment systems. The app’s efficient operational framework allows criminals to scale their operations without specialized knowledge.

Furthermore, the app integrates several unique features, including a mule ranking system, which allows cybercriminals to conduct their operations easily. XHelper optimizes recruitment and oversight of money mules, masking illegal fund origins and facilitating quicker transitions from bank accounts to cryptocurrency, hiding the paper trail of **laundered money**.

Xhelper app dashboard, another app like Xhelper and modus operandi of the Xhelper app (Credit: CloudSEC\_

The XHelper app basically “serves as the technological backbone for fake payment gateways used in various scams, such as **Pig Butchering**, Task scams, Loan scams, E-Commerce scams, Illegal gambling apps, etc.,” CloudSEK researchers noted in the report. 

Money mule activities can lead to financial losses and operational strain in banks, requiring additional security measures. Legal and compliance issues may result in fines and penalties. Enhanced transaction monitoring costs increase operational costs, and resource allocation is required for investigations, security measures, and compliance efforts. 

Prevention of such schemes is the only solution. for which financial institutions/banks must enhance security, implement stricter verification protocols for merchant account opening, bolster net-banking security measures with multi-factor authentication, monitor suspicious activity, and educate users on secure practices.

1.  **New Dark Web Market Styx: Focuses on Money Laundering**
2.  **Chinese APT Slid Fake Signal, Telegram Apps onto App Stores**
3.  **Europol nabs 106 criminals for SIM swapping, money laundering**
4.  **Chinese Scammers Exploit Cloned Websites in Gambling Network**
5.  **Chinese Hackers Use Coathanger RAT on Dutch Defense Network**

Android Money Transfer XHelper App Exposed as Money Laundering Network

By Deeba Ahmed
The scammers creates fake investment platforms using popular companies like Tesla, Meta, and Imperial Oil and lures unsuspecting users into depositing funds.
This is a post from HackRead.com Read the original post: Savvy Seahorse Using Fake ChatGPT, Facebook Ads in DNS Investment Scam

Infoblox cybersecurity researchers are warning users about a fraudulent scheme launched by a DNS threat actor Savvy Seahorse, which uses Facebook advertisements to trick users into fraudulent investment platforms and transfers deposits to Russian-state-owned banks.

California-based IT automation and security company Infoblox has discovered a relatively new DNS threat actor called “Savvy Seahorse.” According to the company’s report, the actor creates fake investment platforms using popular icons like Tesla, Meta, and Imperial Oil and lures unsuspecting users into depositing funds. 

Savvy Seahorse prefers using Facebook ads to trick users into trusting fake investment platforms and transfers deposits to Russian-state-owned banks. Savvy Seahorse employs advanced techniques like fake ChatGPT and WhatsApp bots to lure users into high-return investment scams, which are the costliest category of threat reported to the FBI’s Internet Crime Complaint Center.

ChatGPT and WhatsApp bots engage users through automated responses for high-return investment opportunities. These campaigns target users in various countries, including Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers but interestingly users in Ukraine are protected. 

Through DNS canonical name (CNAME) records, the actor creates a traffic distribution system (TDS) for conducting sophisticated financial scams, controlling access to content and updating the IP addresses of malicious campaigns. This also helps them evade detection by the security industry. It is worth noting that Savvy Seahorse, active since 2021, is the first publicly reported threat actor abusing DNS CNAME records for sophisticated scam campaigns.

In a blog post, Infoblox researchers have identified several red flags associated with the Savvy Seahorse scam. These include short-lived campaigns (active for only 5-10 days), using a phased deployment system, frequent changes in IP addresses (to complicate/block tracking of malicious infrastructure), and the use of wildcard DNS entries.

These entries entail creating numerous subdomains, potentially confusing passive DNS analysis. These characteristics make it difficult to track and block malicious infrastructure. Victims’ data is sent to a secondary HTTP-based TDS server for validation and geofencing.

Around 4.2k base domains with CNAME records are used by Savvy Seahorse to host campaigns, Infoblox researchers confirmed. The attackers create subdomains for each SLD using a domain generation algorithm, using pseudo-random hostnames. Registration forms are used to gather victim information, and after validating it, they are redirected to the fake trading platform. The actor monitors users to prevent security threats.

The scam poses potential risks to individuals, including financial loss, data theft, and malware infection. Users who invest in the fake platform may lose their funds, while the scammers may steal personal and financial information.

Therefore, consumers must be vigilant when trusting unverified sources for making deposits. Remember that the US cumulatively lost over $4.6 billion in 2023 over investment scams.

1.  **WhatsApp Pink is malware spreading through group chats**
2.  **Thousands of Dark Web Posts Expose ChatGPT Abuse Plans**
3.  **China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks**
4.  **Fake Telegram, WhatsApp clones aim at crypto on Android, Windows**
5.  **SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds**

Savvy Seahorse Using Fake ChatGPT, Facebook Ads in DNS Investment Scam

A vulnerability, now fixed, in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all.

A vulnerability in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all.

The bug was found by a bounty hunter from Nepal called Samip Aryal and has now been fixed by Facebook.

In his search for an account takeover vulnerability, the four times Meta Whitehat award receiver started by looking at the uninstall and reinstall process on Android. By using several different user agents he encountered an interesting response in the password reset flow.

After investigation, a few characteristics of the login code made it an interesting attack vector:

*   The code was valid for two hours
*   It did not change during that period when requesting it
*   There was no validation if you attempted a wrong login code

Combined with the fact that these codes are only 6 digits, Samip saw opportunities for a brute force attack, where an attacker repeatedly tries to access login credentials in the hope of eventually getting into an account.

After uncovering all this information, and with his extensive knowledge about the Facebook authentication process, Samip found the method to take over an account was relatively simple:

*   Pick any Facebook account.
*   Try to login as that user and request a password reset (Forgot password).
*   From the available reset options choose “Send code via Facebook notification”.
*   This creates a POST request. As part of a POST request, an arbitrary amount of data of any type can be sent to the server in the body of the request message.
*   Copy that POST request and use a method to try all the 100,000 possibilities. Note, 100,000 possibilities may sound like a lot, but given the two hour time-frame there are plenty of options to do that.
*   The matching code responds with a 302 status code, a redirect that confirms the search was successful.
*   Use the correct code to reset the password of the account and the attacker can now take over the account.

There was one caveat. The owner of the account will see the notification on the device they are logged in with. And strangely enough the notifications came in two flavors.

_The difference in notification which makes it a zero-click or not_

The first one works as described above, but the second one does require the account owner to tap that notification before Facebook generates a login code. That makes it a lot harder to take over the account.

A detailed report of how Samip found the vulnerability is available on his Medium page.

Facebook has awarded Samip a bounty and fixed the issue. Together with other bounty hunters, Samip submitted hundreds of reports to Meta which they resolved, making Facebook and other platforms a safer place along the way.

**Paying attention pays off**

There are a few takeaways from this method that Facebook users, and users of other platforms for that matter, might use to their advantage.

*   Pay attention to the signs that a password request has been initiated (email, notifications, texts, etc.) Somebody could be trying to take over your account. Follow the instructions on the password reset notification if it’s not you doing the reset.
*   Don’t use the Facebook login option on other platforms, and certainly not on ones that have personal or financial information about you.
*   Turn on 2FA for Facebook to make it harder for criminals to hijack your account.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Facebook bug could have allowed attacker to take over accounts 

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?**

The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-2024-26196: Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability

In the tgnet library used in Telegram messenger for Android, there is a use-after-free vulnerability in Connection::onReceivedData that can be triggered remotely.

Telegram For Android Connection::onReceivedData Use-After-Free

Android banking trojans are a serious cyberthreat to everyday users that, through clever trickery, steal passwords and drain bank accounts.

For the most popular operating system in the world—which is Android and it isn’t even a contest—there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals.

These are “Android banking trojans,” and, according to our 2024 ThreatDown State of Malware report, Malwarebytes detected an astonishing 88,500 of them last year alone.

While the 2024 ThreatDown State of Malware report focuses heavily on the corporate security landscape today, make no mistake: Android banking trojans pose a serious threat to everyday users. They are well-disguised, hard to detect in regular use, and are a favorite hacking tool for cybercriminals who want to automate the theft of online funds for themselves.

****What are Android banking trojans?****

The idea behind Android banking trojans—and all cyber trojans—is simple: Much like the fabled “Trojan Horse” which, the story goes, carried a violent surprise for the city of Troy, Android banking trojans can be found on the internet disguised as benign, legitimate mobile apps that, once installed on a device, reveal more sinister intentions.  

By masquerading as everyday mobile apps for things like QR code readers, fitness trackers, and productivity or photography tools, Android banking trojans intercept a person’s online interest in one app, and instead deliver a malicious tool that cybercriminals can abuse later on.

But modern devices aren’t so faulty that an errant mobile app download can lead to full device control or the complete revelation of all your private details, like your email, social media, and banking logins. Instead, what makes Android banking trojans so tricky is that, once installed, they present legitimate-looking permissions screens that ask users to grant the new app all sorts of access to their device, under the guise of improving functionality.

Take the SharkBot banking trojan, which Malwarebytes detects and stops. Last year, Malwarebytes found this Android banking trojan hiding itself as a file recovery tool called “RecoverFiles.” Once installed on a device, “RecoverFiles” asked for access to “photos, videos, music, and audio on this device,” along with extra permissions to access files, map and talk to other apps, and even send payments via Google Play.

These are just the sorts of permissions that any piece of malware needs to dig into your personally identifiable information and your separate apps to steal your usernames, passwords, and other important information that should be kept private and secure.

The introduction screen when opening “RecoverFiles” and the follow-on permissions it asks from users. Once installed, it is invisible on the device home screen.

Still, the tricks behind “RecoverFiles” aren’t yet over.

Not only is the app a clever wrapper for an Android banking trojan, it could also be considered a _hidden_ wrapper. Once installed on a device, the “RecoverFiles” app icon itself does not show up on a device’s home screen. This stealth maneuver is similar to the features of stalkerware-type apps, which can be used to non-consensually spy on another person’s physical and digital activity.

But in the world of Android banking trojan development, cybercrminals have devised far more devious schemes than simple camouflage.

****Slipping under the radar****

The problem with the Ancient Greeks’ Trojan Horse strategy is that it could only work once—if you don’t sack Troy the first time, you better believe Troy is going to implement some strict security controls on all future big horse gifts.

The makers of Android banking trojans have to overcome similar (and far more advanced) security measures from Google. As the Google Play store has become _the_ go-to marketplace for Android apps, cybercriminals try to place their malicious apps on Google Play to catch the highest number of victims. But Google Play’s security measures frequently detect malware and prevent it from being listed.

So, what’s a cybercriminal to do?

In these instances, cybercriminals make an application that is seemingly benign, but, once installed on a device, executes a line of code that actually downloads malware from _somewhere else_ on the internet. This is how cybercriminals recently snuck their malware onto Google Play and potentially infected more than 100,000 users with the Anatsa banking trojan.

What was most concerning in this attack was that the malicious apps that made it onto the Google Play store reportedly worked for their intended purposes—the PDF reader read PDFs, the file manager managed files. But hidden within the apps’ coding, users were actually downloading a set of instructions that directed their devices to install malware.

These malicious packages are sometimes called “malware droppers” as the apps “drop” malware onto a device at a later time.  

****What does it all mean for me?****

There’s a lot of technical machinery at work inside any Android banking trojan that is put in place to accomplish a rather simple end goal, which is stealing your money.

All the camouflage, subterfuge, and hidden code execution is part of a longer attack chain in which Android banking trojans steal your passwords and personally identifiable information, and then use that information to take your money.

As we wrote in the 2024 ThreatDown State of Malware report:

> “Once it has accessibility permissions, the malware initializes its Automated TransferSystem (ATS) framework, a complex set of scripts and commands designed to perform automated banking transactions without user intervention. The ATS framework uses the harvested credentials to initiate unauthorized money transfers to accounts held by the attacker. This mimics real user behavior to bypass fraud detection systems.”

****Staying safe from Android banking trojans****

Protecting yourself from Android banking trojans is not as simple as, say, spotting grammatical mistakes in a phishing email or refusing to click any links sent in text messages from unknown numbers. But just because Android banking trojans are harder to detect by eye does not mean that they’re impossible to stop.

Malwarebytes Premium provides real-time protection to detect and stop Android banking trojans that are accidentally installed on your devices. It doesn’t matter if the banking trojan is simply a malicious app in a convenient package, or if the banking trojan is downloaded through a “malware dropper”—Malwarebytes Premium provides 24/7 cybersecurity coverage and stops dangerous attacks before they can be carried out.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Android banking trojans: How they steal passwords and drain bank accounts 

Meet the guy who taught US intelligence agencies how to make the most of the ad tech ecosystem, "the largest information-gathering enterprise ever conceived by man."

Tag

#android