Malware collects sensitive info, including credit card data

Apr 29, 2016 23:40 GMT  ·  By

Security researchers have discovered malware targeting Android devices that disguises itself as a Google Chrome update package in an attempt to fool users into lowering their guard.

Crooks are distributing the fake update as a downloadable APK file, which the user has to install by tapping on it, meaning it must be sideloaded from outside the Play Store. Users who are not in the habit of updating apps only through the Google Play Store app may fall for this trick. It is worth stressing that legitimate Chrome updates are installed and updated only through the Google Play Store app, never as a standalone APK downloaded from a website.

Malware asks for admin permissions

In this particular case, once launched, the fake Google Chrome update package asks for device administrator rights. Since it presents itself as a "Google" Chrome update, most users are probably willing to grant them.

Once the malware has been granted device administrator privileges (not root access, but enough to resist uninstallation until the privilege is revoked), it begins its malicious behavior. According to Zscaler security researchers, the malware is very potent.

Among the malware's capabilities is checking for the presence of mobile antivirus solutions such as Kaspersky, ESET, Avast and Dr. Web and terminating their processes. It can also monitor incoming and outgoing calls and SMS messages, start or end calls, and send SMS messages.

Malware steals your credit card details

The most dangerous behavior observed is that the malware shows a popup asking for the user's credit card details every time the user opens the Google Play Store app, a context in which a payment prompt does not look out of place.

If the user makes the mistake of entering these details into the form, the information is sent via SMS to a phone number in Russia. The malware also collects the browsing history and sends it, along with various other details, to a command-and-control (C&C) server.

A particularity of this distribution campaign is that the attackers host the malware on a large collection of domain names, which they rotate at regular intervals. All the domains are registered with names containing terms like Android, Google, Chrome, or Update, to make users believe the file was downloaded from an official Google server.

Zscaler experts say the only way to remove the malware is to reset the device to factory settings.

[Image: Malware disguising as a fake Google Chrome update]
[Image: Malware collecting credit card data]