Android malware hidden in a fake VPN is being used to plant fully functioning spyware onto phones in Iran, giving perpetrators access to call logs and contact lists. The victims are primarily of the Baháʼí faith and are lured into downloading the bugged VPN with promises of graphics relating to their religion. This is just one of numerous pieces of malware currently targeting Android phones.
Security company Kaspersky has discovered malware, hidden in a VPN application, that is designed to infect Android phones. Victims are lured into downloading the VPN with the promise of access to attractive Baháʼí-themed pages on social media sites like Instagram and Facebook. Currently, the victims of this scam are those engaging in the faith.
Once downloaded, the VPN client contains “fully functioning spyware” with capabilities allowing criminals to collect and steal sensitive data, including call logs and contact lists. Perpetrators will also have access to anything carried out on the phone, from calls to messages, from the point of the malware download.
The social media sites used will usually guide victims towards a Telegram channel that allegedly holds content that is restricted in Iran. The VPN application is offered as a solution to this, but once it is downloaded the spyware is installed.
SandStrike and a wave of Android malware
SandStrike is not the only malware discovered targeting Android phones this week. A group of four apps advertised on the Google Play Store have been infected by a virus called HiddenApps. Together these apps have been downloaded more than one million times, according to new research from security company Malwarebytes.
Published by the developer Mobile apps Group, the infected apps are called ‘Bluetooth Auto Connect’, ‘Driver: Bluetooth, Wi-Fi, USB’, ‘Bluetooth App Sender’ and ‘Mobile Transfer: smart switch’.
According to the report, HiddenApps will lie low for two days after the initial download. Once forgotten about, it will open malicious phishing sites in the Chrome browser. “The content of the phishing sites varies,” states the report. Some are merely “pay-per-click” sites that don’t inflict much damage, and some are full-blown phishing sites that have the potential to access credentials and banking information.
Last month, encrypted messaging platform WhatsApp ran into an issue with Android malware. Hackers were using a copycat app called YoWhatsApp to lure victims into downloading an Android trojan called Triada. This trojan can hand control of the application to perpetrators and let them view messages.
The infected build of YoWhatsApp is a fully working messenger with some additional features, such as customising interfaces. When installed, it asks for permission to access SMS, and this access is then granted to the Triada trojan. More than 3,600 users were targeted by this attack between August and October, according to a report by Kaspersky.
Can anything be done to stop Android malware?
Google has released measures that are coming into force this month that aim to protect users from installing apps that may not have the latest privacy and security features.
According to the Android developers blog, “Starting on November 1, 2022, existing apps that don’t target an API level within two years of the latest major Android release version will not be available for discovery or installation for new users with devices running Android OS versions higher than apps’ target API level.”
This means that new users with the latest devices, or those who are fully caught up on Android updates, will only be able to discover and install apps that target a recent API level and so carry its privacy and security protections. “Expanding our target level API requirements will protect users from installing apps that do not have these protections in place,” the blog adds.