top of page

Cyber Strategies Blog

Android Malware In Disguise

Rising Threat: Android Malware Masquerading as Popular Apps

Malicious hackers are increasingly deploying Android malware disguised as popular apps like Google, Instagram, and WhatsApp. This concerning trend is linked to the increase of Android banking malware, such as Coper. Cybercriminals are leveraging these campaigns to steal sensitive information, including user IDs and passwords.

Deceptive Tactics of Malicious Android Apps

Typically, these malicious apps mimic well-known logos and brand identities to deceive users into believing they are authentic. Once installed, they prompt users to grant access to the Android Accessibility Service and Device Admin Permission. Unknowingly granting these permissions provides the malware with full control over the device, enabling it to carry out various malicious activities, such as covert data theft and further malware deployment, all without the victim’s knowledge.

Advanced Malware Capabilities

These malware applications are designed to connect with a command-and-control (C2) server, allowing them to receive and execute commands. This connection grants access to a wide range of data, including contact lists, SMS messages, call records, and installed apps. Additionally, the malware can control the camera flashlight, launch phishing pages in web browsers, and send SMS messages.

This type of malware redirects users to fake login pages resembling popular services like Netflix, PayPal, LinkedIn, Facebook, GitHub, Instagram, Microsoft, X, WordPress, and Yahoo, tricking users into entering their usernames and passwords.

Recent Alerts and Incidents

This revelation follows alerts from Cyfirma and Symantec, both owned by Broadcom, regarding a social engineering attack using WhatsApp to spread new Android malware. Symantec explained that once the malicious app is delivered, it masquerades as a Contacts application. Upon execution, it requests permissions for SMS, Contacts and Storage, then removes itself from view, making it harder to detect.

Compromised online accounts can lead to the theft of personal information or fraudulent activities, particularly when they contain sensitive data. For instance, if hackers gain access to a victim’s Microsoft credentials, they could cause havoc if important documents like driver’s licenses, passports, or Social Security numbers are stored on OneDrive.

Surge in Android Banking Malware

The rise of Android banking malware, such as the Coper banking trojan, is particularly alarming. These attacks aim to compromise Android smartphones and steal sensitive information by displaying fake overlays that deceive victims into providing their credentials.

Recent research by Finland’s National Cybersecurity Centre (NCSC-FI) highlighted the use of smishing messages to trick users into installing Android malware designed to steal financial information. This attack chain employs a technique known as telephone-oriented attack delivery (TOAD). Users receive SMS texts directing them to call a number regarding a supposed debt collection issue. During the call, fraudsters convince victims that the message is fraudulent and suggest installing a malware removal program, which is actually malware itself.

New Malware Variants

Recently, Android-based malware such as Tambir and Dwphon have emerged, showcasing various device-gathering capabilities. Dwphon, specifically designed for Chinese mobile models, primarily targets the Russian market.

Staying Safe on Android

Despite Google’s ongoing efforts to enhance security on the Play Store, users must remain vigilant when downloading new apps. Activating Google Play Protect can improve an Android phone’s security by scanning all installed and newly downloaded apps for malware. This integrated security feature helps protect users from malicious applications and enhances overall device security.


Recent Posts
bottom of page