The cybersecurity firms that discovered the breach were Avast and Trend Micro. The firms report that the apps, which themselves contained no malicious code, posed as lifestyle, entertainment, performance-boosting and utility apps. Once installed, an app first checks that the device is not an emulator before downloading the malware. The victim is then prompted to grant the app administrator permissions on their device.
Avast claims that once the app is downloaded it collects the device’s unique ID, location, language, and display parameters.
“The device’s location is obtained from the IP address that is used when contacting online services that offer geolocation information for IPs,” the cybersecurity firm said.
In order to steal a victim's Facebook password, the malware asks the user to re-verify their account when logging into the social network. The login page, however, is a Facebook look-alike that captures the victim's username and password and sends them to a server controlled by the attackers.
“This is most likely due to developers using embedded web browsers (WebView, WebChromeClient) in their apps, instead of opening the webpage in a browser,” Avast said.
Researchers at Trend Micro noted that the stolen Facebook credentials can be repurposed to deliver more damaging malware or to run social media campaigns that spread fake news. They also point out that compromised accounts can expose financial information. The stolen data can later be sold on underground markets to support further hacking and the spread of cryptocurrency-mining malware.
Both security firms believe that the malware plot was developed by a Vietnamese developer due to the use of the language throughout the code. Most of the affected users reside in India, Brazil, Vietnam, Indonesia and the Philippines.
The GhostTeam malware is also known to have spammed users with pop-up advertisements, forcing infected devices to stay awake while the unwanted ads were displayed. Fortunately, all of the infected apps have been removed from the Google Play store. Google nonetheless recommends that users who installed the infected apps keep Google Play Protect enabled. This security feature uses machine learning and other usage-analysis tools to identify and remove threatening apps from Android smartphones.
Malicious apps in the Google Play store are a common occurrence, but users can protect themselves by being cautious about which apps they install and by checking online reviews of an app's security.
The Hacker News also suggests that users keep an antivirus app on their mobile devices; such apps help detect and block threats before they cause serious damage. Users should also keep their devices up to date, so that known flaws are patched before attackers can exploit them to deliver malware.
Source: The Hacker News