New Family of Credential-Stealing Android Malware, Warns Italy's CERT
Researchers recently described a new family of credential-stealing Android malware that abuses Android's accessibility service to record video and audio of what is shown on the device display and to steal the user's credentials. The malware was first spotted by AddressIntel and was named Oscorp by Italy's CERT-AGID.
Researchers highlighted, “it should be noted that Android malware all follow the same script, they induce the user to install an accessibility service with which they can read what is present and what is typed on the screen, not being able to access the private files of other applications, the actions of these malicious apps are “limited” to the theft of credentials through phishing pages (called, in the jargon of malware, injections), to blocking the device (intended as screen lock) and possibly to the capture of audio and video.”
It was named Oscorp after the title of the login page on its C2 (command-and-control) server. Researchers said, “having found no confirmation about the identity of this malware, we named it Oscorp, from the title of the login page of its C2.” The malicious APK installed on the targeted device (named “Assistenzaclienti.apk” in Italian, “Customer Protection” in English) was distributed from the domain supportoapp.com. Once installed, it asks for a number of invasive permissions so that the accessibility service can operate, and it sets up communication with the command-and-control server to fetch further commands.
The application pressures the user into granting permissions by repeatedly opening the device's usage-access and accessibility settings pages every 8 seconds, and it does not stop until the permissions are granted. Once granted, the malware abuses them to make calls, send SMS messages, log keystrokes, uninstall applications, read two-factor authentication codes from the Google Authenticator app, and steal cryptocurrency by redirecting payments made through the Blockchain wallet website/app.
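Because the whole chain hinges on a third-party app holding the accessibility-service privilege, the first check a responder wants is an inventory of which installed apps currently have an accessibility service enabled. The script below is an added example and is not code from the article or from CERT-AGID or AddressIntel. It parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, supplied here as constructed sample strings so it runs offline; the package names and the allowlist are constructed for illustration.

```python
"""Audit which installed apps hold Android's accessibility-service privilege.

Added example. Android stores the enabled services in the secure setting
`enabled_accessibility_services` as colon-separated package/ServiceClass
entries; `pm list packages -3` lists third-party (user-installed) packages.
Both inputs below are constructed samples standing in for live adb output.
"""
from dataclasses import dataclass

# Constructed sample of `settings get secure enabled_accessibility_services`.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.assistenzaclienti/com.example.assistenzaclienti.svc.AccService"
)

# Constructed sample of `pm list packages -3`.
SAMPLE_THIRD_PARTY = """package:com.example.assistenzaclienti
package:com.example.banking
package:com.example.notes
"""

# Constructed allowlist of accessibility apps the device owner knowingly uses
# (TalkBack is Android's built-in screen reader).
KNOWN_GOOD = {"com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service_class: str


def parse_enabled_services(setting: str) -> list[AccessibilityService]:
    """Split the secure setting into (package, class) pairs.

    An empty value or the literal string 'null' means no service is enabled.
    """
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    services = []
    for entry in setting.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        services.append(AccessibilityService(pkg, cls))
    return services


def parse_third_party_packages(listing: str) -> set[str]:
    """Collect package names from `pm list packages -3` output."""
    pkgs = set()
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def suspicious_services(setting: str, listing: str,
                        known_good: set[str]) -> list[AccessibilityService]:
    """Enabled accessibility services owned by third-party packages not on the allowlist."""
    third_party = parse_third_party_packages(listing)
    return [
        s for s in parse_enabled_services(setting)
        if s.package in third_party and s.package not in known_good
    ]


if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY, KNOWN_GOOD):
        print(f"review: {svc.package} ({svc.service_class}) holds accessibility access")
```

On a live device, replace the two sample strings with the captured command output; any third-party package that appears in the result and that the owner did not deliberately enable is the one to examine first, since, as the quoted researchers put it, nothing in this family does damage until that service is switched on.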
Researchers also revealed that as of 9 January 2021 the attacker's cryptocurrency wallet held $584. The stolen information, including system data, is ultimately transmitted to the command-and-control server. When the server is contacted during exfiltration, the malware also retrieves further commands that let it uninstall applications, steal messages, launch arbitrary URLs and the Google Authenticator app, and capture video and audio of the Android screen via WebRTC.
CERT explained that when the user opens an application the malware targets, a phishing page asking for the username and password is displayed. Its style and design differ for each targeted application, leading users to believe the login page is legitimate and required.
However, the set of apps this malware targets remains unclear; researchers believe it could be any application on the phone that holds valuable or sensitive information.
Researchers concluded by explaining, “also in this case we are in the presence of malware for Android that uses Accessibility service. Android protections prevent malware from doing any kind of damage until the user enables that service. Once enabled, however, a “dam” opens up. In fact, Android has always had a very permissive policy towards app developers, leaving the ultimate decision to trust an app or not to the end-user. An approach opposite to that of Apple, which prevents installing applications that have not been signed by it through its store, a store where you can only publish content after passing Apple checks and paying the relevant annual fee. Android instead uses several protection mechanisms present in Linux, including app isolation through namespacing (the technology on which Docker-type containers are based), MLS / MCS implemented through SELinux, application of the least privilege principle with regard to Linux capabilities and resource limitation through cgroups and the mechanisms inherent in the kernel. It is ironic how a system so protected against targeted attacks by high-level criminals (or by government agencies) is not effective in protecting its users against the threats perpetrated by less competent criminals but very adept at exploiting the human factor. What perhaps is the real strength of Android (compared to iOS) is the trust it places in its users and in the developer community.”