
‘Dangerous’ spyware apps discovered on Google Play Store – Times of India

Cybersecurity researchers have discovered three apps on Google Play Store that were reportedly used by state-sponsored hackers to collect intelligence from targeted devices. This information includes location data and contact lists of victims. According to a report by Singapore-based cybersecurity company Cyfirma, the operation was attributed to the hacking group “DoNot”.
The hacking group has reportedly targeted high-profile organisations in Southeast Asia since 2018, reports Bleeping Computer.
The apps used in DoNot's latest campaign collect basic information. This data can help the threat group prepare the ground for more dangerous malware attacks. The latest campaign also reportedly represents the first stage of the group’s attacks.
Google Play Store apps spreading spyware
As per Cyfirma, the suspected apps that are reportedly spreading spyware to collect data are available on Google Play Store. Both these apps, nSure Chat and iKHfaa VPN, have been uploaded by the developer named ‘SecurITY Industry.’
Meanwhile, the publisher also has a third app on Play Store which didn’t appear malicious to Cyfirma. We at TOI-GadgetsNow have searched the Google Play Store for these apps. The iKHfaa VPN seemed to have been removed while the nSure Chat app is still available on the platform and Google is still allowing users to download it.
The download count on the apps developed by the ‘SecurITY Industry’ is comparatively low. This suggests that these apps are used selectively against specific targets.
How these apps are stealing data
The report claims that these apps ask users for risky permissions during installation. These permissions include access to the user’s contact list and precise location data. The apps then collect this data and send it to the attacker.
However, to access the target’s current location, the GPS on the victim’s device needs to be active. In other cases, the app fetches the last known location of the device. The collected data is stored locally using Android's ROOM library. This data is later sent to the attacker’s C2 server via an HTTP request.
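For defenders vetting apps before they reach managed devices, the permission pattern described above can be checked from an app's manifest. The following is an added example, not code from Cyfirma's report or from the apps themselves; it assumes the manifest has already been decoded to text XML, and the two sample manifests and their package names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups matching the behaviour in the report: contact list,
# precise location, and network access for the HTTP upload.
GROUPS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "precise_location": {"android.permission.ACCESS_FINE_LOCATION"},
    "network": {"android.permission.INTERNET"},
}

# Constructed sample: a "VPN" app that also asks for contacts and GPS.
SAMPLE_SUSPECT = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.samplevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Sample VPN"/>
</manifest>"""

# Constructed sample: a VPN app that only needs network access.
SAMPLE_BENIGN = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain VPN"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter():
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def triage(manifest_xml):
    """Flag manifests that combine contacts, precise location and network."""
    perms = requested_permissions(manifest_xml)
    findings = {group: bool(perms & names) for group, names in GROUPS.items()}
    findings["review"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for label, doc in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, triage(doc))
```

A `review` result only means the combination deserves a manual look against the app's stated purpose; a chat app may legitimately request contacts, whereas a VPN client normally has no need for them.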

Cyfirma analysts have also discovered that the code base of the hackers’ VPN app was copied from the legitimate Liberty VPN service.
How Cyfirma linked the operation to DoNot
The cybersecurity firm attributed the campaign to the DoNot threat group based on the specific use of encrypted strings. The techniques were associated with the alleged hacking group. The company also discovered that certain file names generated by the malicious apps were linked to past DoNot campaigns.
Cyfirma researchers hint that the attackers have abandoned the tactic of sending phishing emails carrying malicious attachments. Instead, the group is now employing spear messaging attack tactics via the WhatsApp and Telegram messaging platforms. Links sent via direct messages on these apps send victims to the Google Play Store. Android’s app store is a trusted platform, which also helps the attack appear legitimate. This helps the attackers easily trick victims into downloading suggested apps.
