Android malware alerts: Stay up to date with the latest threats to your phone
Official app stores are undoubtedly the best place to download software for your phone, especially when considering security. For Android phone owners, that place is typically the Google Play Store, but malicious apps occasionally manage to slip through despite rigorous precautions.
Identifying unsafe apps can be challenging as malicious developers employ cunning tactics to deceive users before and after downloads. To assist you, we've compiled the latest reports on flagged malicious apps from the Google Play Store, presented in chronological order, starting with the most recent.
Remember, even if an app is removed from the Google Play Store, it might still exist on your phone if previously downloaded. Moreover, many of these apps reappear on the Play Store under slightly different names. Some belong to the FakeApp family, attempting to trick users into making purchases or investments. Others are from the Joker family, aiming to enroll users in paid subscriptions.
5 new apps with the spyware discovered by Kaspersky
Kaspersky has discovered that the Android spyware Mandrake, first spotted in 2020, has resurfaced with enhanced capabilities. This new version bypassed Google Play's security checks, allowing it to infect over 32,000 devices through five seemingly harmless apps. These apps, masquerading as file-sharing tools, crypto platforms, and productivity aids, stole data, recorded screens, and installed additional malware.
Here are the names of the infected apps:
- AirFS - 30,305 installs
- Amber - 19 installs
- Astro Explorer - 718 installs
- Brain Matrix - 259 installs
- CryptoPulsing - 790 installs
To avoid detection, Mandrake employed advanced obfuscation techniques, making it difficult for security software to identify. The malware targeted specific devices based on collected data and then escalated its malicious activities, including stealing credentials and downloading further harmful apps. Despite its insidious nature, none of the infected apps were flagged as malicious until recently.
Google has acknowledged the issue and is working to improve Play Protect's capabilities. That said, it is highly advisable that users delete any of the mentioned apps from their device immediately. Keep your device's operating system and security software up-to-date to protect against similar threats.
Reports on dangerous Android apps
Trojan malware Brokewell disguised as a Google Chrome update (April 25, 2024)
Dutch security firm ThreatFabric has discovered a Google Chrome update that disguises itself as legitimate but installs the "Brokewell" trojan malware.
Once installed, this malware collects personal data, grants remote control of the device to attackers, and can spy on users. Additionally, "Brokewell" can access banking apps, posing a significant threat to victims by potentially wiping out their accounts.
The "Brokewell" trojan employs a deceptive Chrome browser update to dupe smartphone users into installing it, utilizing the "overlay" technique to capture login information for targeted applications like banking apps. Through "accessibility logging," the malware records various user interactions, sending this data to a command-and-control server, thereby compromising personal information. With stolen credentials, attackers can remotely control the victim's phone, making all downloaded apps vulnerable to exploitation.
NCC Group discovers upgraded Android banking malware Vultur (March 28, 2024)
The Android banking malware Vultur, first identified in 2021, has evolved with new capabilities, granting it greater control over infected devices, according to security company NCC Group. This upgraded version utilizes Android's Accessibility Services to bypass the Google Play Store, enhancing its remote control functionalities.
Vultur's distribution relies on social engineering tactics, tricking victims via SMS messages into installing it. These messages create urgency by falsely claiming unauthorized transactions, leading victims to download an app disguised as McAfee Security, which is actually the Brunhilda dropper.
Once installed, Vultur enables cybercriminals to perform various malicious activities, including manipulating device functions and stealing credentials, primarily targeting banking apps. Despite its sophistication, Google Play Protect offers automatic protection against known versions of Vultur, emphasizing the need for continued vigilance against such threats.
Doctor Web discovers new virus activity on mobile devices (October 26, 2023)
Doctor Web is an IT security provider, which recently discovered several new malicious applications in the Google Play Store. Combined together, the downloads of these apps amounted to more than 2 million.
Some of these apps are HiddenAds malware disguised as mobile games. However, once downloaded they try to hide themselves by adopting the same icon as the Google Play Store or by straight up becoming invisible.
InfoSec's SentinelLabs discovers YouTube pretenders (September 18, 2023)
InfoSec's SentinelLabs is a space where threat researchers can gather data together and expose malware, exploits, and cybercrime in general. One of their latest findings revealed three separate applications that disguise themselves as the YouTube app, two of which have the exact same name as the original version and one called Piya Sharma after a famous anchor of the same name.
The group responsible for the malware, dubbed CapraRAT, goes by the name Transparent Tribe (APT36). Thankfully, the malicious apps cannot be found in the official Google store. Instead, they are spread via social media and fake landing pages.
The scariest part is that they ask for permission to access your camera, microphone, location, SMS, and more. Such a level of access creates the perfect opportunity for information theft, and even though CapraRAT is thought to be intended mainly for espionage against government officials, any regular person can still be affected by it.
The best way to avoid this would be to stick to using the official YouTube application or website. The version that these fake apps and landing pages take you to is generally more stripped down compared to the original one.
Cybersecurity firm CloudSEK research (June 1, 2023)
The cybersecurity firm CloudSEK carried out research using its own proprietary software and discovered apps that contain or had previously contained malware. A total of 193 apps were found, with 43 of them still active on the Google Play Store at the time. These apps have the ability to obtain server addresses, as well as personal data and files.
CloudSEK states that the number of users affected by these apps amounts to approximately 30 million, and that most of these apps are casual games that are easily forgotten after being installed and played a little. The researchers advise users to regularly scan their phones with antivirus software to catch such malicious apps before they get the chance to do damage.
Top 10 infected apps based on number of installs:
- Bitcoin Master (+1 million downloads)
- Crazy Magic Ball (+1 million downloads)
- Happy 2048 (+1 million downloads)
- HexaPop Link 2248 (+5 million downloads)
- Jelly Connect (+1 million downloads)
- Macaron Boom (+1 million downloads)
- Macaron Match (+1 million downloads)
- Mega Win Slots (+500,000 downloads)
- Tiler Master (+1 million downloads)
Full list:
GitHub list with SpinOk malware apps (May 29, 2023)
A list of 101 apps containing a SpinOk module with spyware features was shared on GitHub, a platform where developers store and manage their code.
The SpinOk module is presented as a marketing SDK. It collects information from the files on your phone and can then send that data back to the source. It can also gather data from your phone’s sensors to avoid detection by security researchers, which makes it especially dangerous.
As you might notice from looking at the list below, most of the applications are either some kind of game or contain a “prize-winning” system. That is the disguise these apps use to trick users into downloading them and engaging with them afterward.
The apps listed below are reported to have been installed over 421,000,000 times when the list was uploaded to the website, so the chances are not that slim that one is living in your phone’s app drawer.
Full list:
Kaspersky discovers Android subscription malware (May 4, 2023)
Once the app is downloaded and gets access to your notifications, it sends out a confirmation code. The malware then runs on your phone, contacting the source it came from and providing information about your location and mobile carrier.
Once the information is acquired, the hackers send a paid subscription page that the trojan opens via an invisible browser to sign the user up for a paid subscription using the confirmation code mentioned above. This whole process is completely hidden and the user never finds out about it while using the downloaded app.
Full list:
- Beauty Camera Plus
- Beauty Photo Camera
- Beauty Slimming Photo Editor
- Fingertip Graffiti
- GIF Camera Editor
- HD 4K Wallpaper
- Impressionism Pro Camera
- Microclip Video Editor
- Night Mode Camera Pro
- Photo Camera Editor
- Photo Effect Editor
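The Brokewell and Vultur reports above describe abuse of Accessibility Services, and the subscription trojan depends on notification access, so a quick device check is to list which third-party apps hold either grant and whether they came from the Play Store. The script below is an added example, not code from any of the cited reports; the package names and sample output are constructed, and on a real device the three inputs come from the `adb` commands named in the comments.

```python
# Added example: which third-party apps hold accessibility or notification
# access, and were they installed from the Play Store? Inputs on a real device:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
#   adb shell pm list packages -3 -i
PLAY_STORE = "com.android.vending"

def parse_components(value):
    """Colon-separated 'package/Service' entries -> set of package names."""
    value = value.strip()
    if not value or value == "null":  # setting unset or empty
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def parse_third_party(listing):
    """'package:<name>  installer=<name>' lines -> {package: installer}."""
    apps = {}
    for line in listing.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = "unknown"
        for field in fields[1:]:
            if field.startswith("installer="):
                installer = field.split("=", 1)[1]
        apps[fields[0][len("package:"):]] = installer
    return apps

def triage(accessibility, listeners, listing):
    """Return (package, grants, sideloaded) for third-party apps with a grant."""
    acc, notif = parse_components(accessibility), parse_components(listeners)
    findings = []
    for pkg, installer in sorted(parse_third_party(listing).items()):
        grants = [name for name, held in (("accessibility", pkg in acc),
                                          ("notifications", pkg in notif)) if held]
        if grants:
            findings.append((pkg, grants, installer != PLAY_STORE))
    return findings

# Constructed sample output (hypothetical package names, not real apps).
SAMPLE_ACC = ("com.example.updater/com.example.updater.Svc:"
              "com.example.screenreader/.ReaderService")
SAMPLE_NOTIF = "com.example.camera/com.example.camera.Listener"
SAMPLE_PKGS = """package:com.example.updater  installer=null
package:com.example.camera  installer=com.android.vending
package:com.example.notes  installer=com.android.vending"""

if __name__ == "__main__":
    for pkg, grants, sideloaded in triage(SAMPLE_ACC, SAMPLE_NOTIF, SAMPLE_PKGS):
        print(pkg, ",".join(grants), "SIDELOADED" if sideloaded else "play-store")
```

A grant is not proof of malware, since screen readers and password managers legitimately use these services; the output is a short list of apps to review, with sideloaded ones first.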
MalwareFox list of known Android Malware Apps (March 16, 2023)
MalwareFox is a company that makes anti-malware software programs, and in March it detailed a list of the latest Android viruses plaguing the Google Play Store. In their report, they talk about each virus and what it does to compromise security.
List of viruses and the top 25 apps some of them were found in:
Harly Trojan | Joker Spyware | Autolycos Malware |
---|---|---|