2024-02-10

Google Chrome is the most popular browser in the world. So when a “very dangerous” fraudulent update is caught stealing private data, messages and photos, it is a cause for serious concern.

Updated 2/10 below, article originally published 2/9.

A shocking new report from McAfee this week warns Android users to avoid clicking on any message links offering to install Chrome updates on their devices. The MoqHao malware is hidden within those downloads with a sinister twist – what security researchers describe as a new, “very dangerous technology.”

“When apps are installed, their malicious activity begins automatically,” the researchers warn. “We have reported this technique to Google and they are already working on implementing mitigations to prevent this type of auto-execution in a future Android version.”

This malicious campaign distributes MoqHao malware via SMS messages – with another twist. Threat actors have begun using short URLs from legitimate services, McAfee noting that “it is difficult to block short domains because it can affect all URLs used by that service. [But] When a user clicks on the link in the message, he or she will be redirected to the actual malicious site by the URL shortener service.”

Once installed, the fraudulent Chrome update asks for extensive permissions from the user, including access to SMS, photos, contacts and even the phone. The malware is designed to run in the background, connect to its command and control servers, collect data from the device, and cause more damage.

McAfee attributes this MoqHao (XLoader) campaign to the Roaming Mantis group – a threat actor that typically operates in Asia. However, McAfee says this specific campaign also appears to target users in Europe. One of the languages programmed into the campaign is English, which means US users are also in scope.

If you look carefully, you can see that the messaging uses Unicode characters to trick users into thinking this is a legitimate Chrome update. “This technology makes some letters appear bold, but users recognize it as ‘Chrome,’” McAfee says, while also warning that “this may affect app name-based recognition technologies that the app uses. Let’s compare the name (chrome) and the package name (com.android.chrome).”
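The check McAfee hints at (compare the displayed name with the package name, and do not trust the raw label) can be automated. The following is an added defensive example, not code from the McAfee report: it folds Unicode lookalike letters such as the Mathematical Bold “Chrome” with NFKC, then flags an app whose folded label claims a known app but whose package name does not match. The sample app records and the `KNOWN_APPS` allow-list are constructed for illustration.

```python
import unicodedata

# Constructed sample app metadata (not from the McAfee report). BOLD_CHROME is
# "Chrome" spelled with Unicode Mathematical Bold letters, the kind of lookalike
# the report describes: it renders like "Chrome" but none of it is ASCII.
BOLD_CHROME = "\U0001d402\U0001d421\U0001d42b\U0001d428\U0001d426\U0001d41e"
SAMPLE_APPS = [
    {"label": "Chrome", "package": "com.android.chrome"},
    {"label": BOLD_CHROME, "package": "com.example.fakeupdate"},  # constructed package
    {"label": "Chrome", "package": "com.example.fakeupdate"},     # constructed package
]

# Assumed allow-list: folded, case-folded label -> package name it should carry.
KNOWN_APPS = {"chrome": "com.android.chrome"}


def normalize_label(label: str) -> str:
    """Fold compatibility characters (bold/italic maths letters, full-width
    forms and similar) to their plain equivalents so lookalikes compare equal."""
    return unicodedata.normalize("NFKC", label)


def uses_lookalike_chars(label: str) -> bool:
    """True if NFKC changed the label, or non-ASCII characters remain after it."""
    folded = normalize_label(label)
    return folded != label or not folded.isascii()


def classify_app(label: str, package: str) -> str:
    """Return 'ok', 'lookalike-name' or 'name-package-mismatch'."""
    folded = normalize_label(label).casefold()
    expected = KNOWN_APPS.get(folded)
    if expected is None:
        return "ok"  # label does not impersonate an app on the allow-list
    if uses_lookalike_chars(label):
        return "lookalike-name"  # styled letters spelling a well-known name
    if package != expected:
        return "name-package-mismatch"  # plain name, wrong package
    return "ok"


def scan(apps=SAMPLE_APPS):
    """Classify every app record; returns (package, verdict) pairs."""
    return [(a["package"], classify_app(a["label"], a["package"])) for a in apps]


if __name__ == "__main__":
    for package, verdict in scan():
        print(f"{package}: {verdict}")
```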

It’s only February, and this is the third headline-generating Android malware alert of the year so far. We’ve looked at VajraSpy, SpyLoan and Xamalicious. We also saw a blanket warning about copycat apps, which is what we’re seeing here. As far as this one specifically is concerned, McAfee warned that “we expect this new variant to be highly vulnerable as it infects devices as soon as it is installed without execution.”

“It’s easy to create copycat apps,” warns ESET’s Jake Moore. “Downloading and installing a malicious app on your phone can lead to a number of disasters, including theft of personal data, compromised banking information, corrupted device performance, intrusive adware, and even spyware that monitors your conversations and messages.”

As I’ve said repeatedly this year, the timing here is potentially even more notable than the malware itself. Europe’s Digital Markets Act is bringing significant changes to the apps and platforms we use most. And this also includes app stores.

Apple is reluctantly opening up, but is warning users about the dangers of doing so. “While these new regulations bring new options for developers, they also bring new risks. There’s no way to avoid it,” warned Apple’s Phil Schiller, adding that malware tops the list of concerns.

Apple’s openness to third-party stores will directly compare its security approach to Google’s, which has always been much less locked down, balancing user choice against security. If Apple can open up App Store alternatives while maintaining security, it will put additional pressure on Android’s security.

In response to the McAfee report, a Google spokesperson told me that “Android has multi-layered security that helps keep users safe,” and, as noted in the McAfee report, that “Android users are currently protected by Google Play Protect.” Google Play Protect can warn users or block apps that exhibit malicious behavior, even if those apps come from sources outside of Play.

Google also confirmed that it has worked with McAfee to address this new malware threat, as it is one of its App Defense Alliance partners.

2/10 Update:

Given the serious threat posed by McAfee’s report, where users sideload dangerous apps and updates onto their devices, it’s no surprise that users are becoming increasingly wary of installing or updating dangerous apps. Google’s newly announced pilot to prevent (1,2,

In its blog post announcing the move, Google confirmed that “an open ecosystem requires sophisticated security to keep users safe… Our data shows that this open ecosystem has a large number of bad actors selectively leveraging APIs and distribution channels.”

Thus, Google’s warning applies to all Android users who are willing to go outside its Play Store to install apps on their devices. As Google explains, “Although users have the ability to download apps from many sources, the security of an app may vary depending on the download source.”

To give some idea of the scale of the problem, Google warns that Google Play Protect’s app scanning has “identified 515,000 new malicious apps and issued more than 3.1 million warnings or blocked those apps.” Buyer beware.

The new pilot focuses on financial fraud and is being conducted through a “strategic partnership” with Singapore’s Cyber Security Agency (CSA).

Google says, “Cyber criminals continue to invest in advanced financial fraud scams, causing more than $1 trillion in losses to consumers,” which is why it will analyze and automatically block the installation of apps that may misuse sensitive runtime permissions to commit financial fraud, when the user attempts to install the app from an Internet-sideloading source (web browser, messaging app, or file manager).

Google has identified high-risk permission requests that will be blocked, which it says are “often used by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on screen content. Based on our analysis of the major fraudulent malware families that exploit these sensitive runtime permissions, we found that more than 95 percent of the installations came from Internet-sideloading sources.”

This is apparently the same level of threat we’ve seen in the self-running MoqHao malware, which also tries to spy on user content and secure permissions to be able to access the device’s SMS and other connectivity capabilities.

During the pilot, Google states, “When a user in Singapore attempts to install an application from an Internet-sideloading source and any of these four permissions are declared, Play Protect will automatically block the installation with an explanation to the user.”

As McAfee acknowledged in its report on MoqHao, “It is difficult for ordinary users to spot fake apps using legitimate icons and application names, so we recommend users to install secure software to protect their devices.”

Obviously, McAfee and other security vendors would like this to be their own third-party software, but the reality is that it needs the ecosystem as the first line of defense. Attacking a user’s device should not be this easy.

But where your device falls outside Google’s Play protection, you should really look to third-party software from McAfee or others to keep you safe.

Beyond software security, common sense and good practices are needed. The advice for users remains very simple. Never click on the links seen in this latest campaign, and definitely don’t install apps from direct links. This was the focus of ESET’s copycat app warning. You should never agree to permission requests that are not critical to an app’s specific functionality.

