This article tells us how security researchers were able to uncover a successful hacking campaign that has, since 2016, infected the devices of around 800,000 Android users with banking-information-stealing malware.
The basic errors:
But despite the apparent success of the campaign, the Geost attackers made some basic errors that have allowed researchers to monitor their whole operation, read chat logs and even identify two of the criminals behind the campaign.
The lack of encryption in their chats:
Researchers uncovered the group when examining samples of HtBot, a form of malware that provides attackers with pseudo-anonymous communication to the internet. However, when using the illegal HtBot service, the attackers didn't encrypt their data, alerting researchers to their activity.
The malware extracts the banking passwords from SMS messages:
Once installed on a device, the malware monitored the text messages of the user, and it was via this channel that attackers were able to gain access to bank accounts – because it's still common for Russian banks to send out plaintext passwords to users via SMS.
The attackers are still active:
It's believed that the Geost group is still active and researchers will use their knowledge of the group to keep monitoring their activity – because despite the poor operational security of the attackers, they still have access to a huge network of infected Android devices.
From the whole article the most important lesson we can take is from this paragraph:
The initial infection comes in the form of malicious apps – the attackers take legitimate apps from the Google Play store and edit the code to add malicious capabilities alongside the real functionality of the app before uploading it to third-party Android stores to be downloaded by users. The malicious apps are often weaponised versions of popular services, including games, banking and social-networking apps.
This kind of attack shows that we cannot blindly trust the Google Play store when downloading an Android app from the official store. Do you agree?
In the rush to catch the bus back home I missed the obvious, which I even used in my quote from the article:
the attackers take legitimate apps from the Google Play store and edit the code to add malicious capabilities alongside the real functionality of the app before uploading it to third-party Android stores
So while the article I linked does not apply to the Google Play store, my question is still valid and pertinent, and you just need to search in Google for "android fake apps" to see these articles:
- Android WARNING: Popular Google Play Store apps FILLED with malware - are you affected?
- Fake Android apps downloaded millions of times
- 10+ million Android users installed a fake Samsung update app (Updated)
A big thanks to Simon Newby for alerting me to my mistake.