Hacking groups are constantly finding new ways to trick unsuspecting internet users, whether it’s by phishing or impersonating legitimate websites. Now they have found another, cleverer way to infiltrate our mobile devices.
An investigation shows that several rogue Android apps that were listed on the Google Play Store have been targeting their users. A cybersecurity firm called CYFIRMA identified two rogue Android apps called “nSure Chat” and “iKHfaa VPN”, which were hosted on the Google Play Store and were used to extract user data.
On the app store, it was stated that the apps were created by a developer called “SecurITY Industry”, which according to the researchers is associated with the hacker group known as “DoNot”. This is a threat group that has been actively targeting individuals in Pakistan and South-East Asia. “Technical analysis indicates that the motive behind the attack is to gather information via the stager payload and use the gathered information for the second-stage attack, using malware with more destructive features,” said CYFIRMA.
According to Cybernews, the apps give threat actors access to users’ contact lists and locations, which allows them to strategize future attacks and employ Android malware with advanced features to target and exploit victims.
The report by CYFIRMA elaborates that the threat actor employed a spear messaging attack on platforms such as Telegram and WhatsApp. The apparent purpose of this attack was to deceive victims into installing one of the mentioned applications from the Google Play Store, granting the hackers access to their devices.