Not a day goes by without a piece of malware news, and today is no exception: researchers have disclosed a new family of Android malware.

A brief intro

Dubbed Oscorp, the malware abuses Android accessibility services to steal user credentials and media content. It gets its name from the title of the login page of its command-and-control (C2) server. The malicious APK is distributed from the domain supporttoapp[.]com; once installed, the app asks the user to enable its accessibility service and then contacts the C2 server for further instructions.

Functionalities include

  • Keylogging to capture passwords and other sensitive data typed by the user.
  • Uninstalling apps from the infected device.
  • Making calls and sending text messages.
  • Stealing cryptocurrency wallet addresses and credentials.
  • Stealing PINs used for Google two-factor authentication.

The malware also coerces the user into granting the extra privilege: until its accessibility service is enabled, it reopens the Settings app every eight seconds.
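Because the whole infection hinges on an accessibility service being enabled, the first triage step on a suspect device is to list which services are enabled and flag any that are not expected. The following is an added example written for this page, not code from the Cyware article or from the researchers; it parses the value that `adb shell settings get secure enabled_accessibility_services` returns (colon-separated `package/Class` component names, or `null` when none are enabled) against an allowlist. The allowlisted package names and the sideloaded package in the sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this page (not from the article or the researchers).
# Triage an Android device for accessibility-service abuse.
#
# On a live device the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a ':'-separated list of component names (package/Class), or "null"
# when no accessibility service is enabled. The sample below is constructed.

# Packages whose accessibility services are expected on the fleet.
# Assumed for the example; maintain your own list per device policy.
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.settings"

# is_allowed PACKAGE: exit 0 if PACKAGE is allowlisted, 1 otherwise.
is_allowed() {
  for p in $ALLOWED_PACKAGES; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# flag_accessibility_services RAW
# Prints one SUSPECT line per enabled service whose package is not allowlisted.
# Exit status: 0 when nothing is flagged, 1 when at least one service is suspect.
flag_accessibility_services() {
  raw="$1"
  suspect=0
  # "null" or an empty string means no accessibility service is enabled.
  if [ -z "$raw" ] || [ "$raw" = "null" ]; then
    return 0
  fi
  old_ifs=$IFS
  set -f               # no pathname expansion while splitting
  IFS=':'
  set -- $raw          # split the list on ':' into positional parameters
  IFS=$old_ifs
  set +f
  for entry in "$@"; do
    pkg=${entry%%/*}   # component name is <package>/<class>
    if ! is_allowed "$pkg"; then
      echo "SUSPECT accessibility service enabled: $entry"
      suspect=1
    fi
  done
  return "$suspect"
}

# Constructed sample: TalkBack (expected) plus an unknown sideloaded package.
# "com.example.sideloaded" is an invented name used only for this example.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded/.AccService"

if flag_accessibility_services "$SAMPLE"; then
  echo "No unexpected accessibility services enabled"
else
  echo "Device needs investigation"
fi
```

A clean result only tells you no unexpected service is enabled right now; a device that is still showing the Settings prompt every few seconds has the malicious app installed but not yet empowered, and should have the app removed rather than be declared clean.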

The bottom line

A list of apps targeted by the malware has not yet been compiled, but Italy's CERT suspects Oscorp targets apps that handle confidential information. The malware cannot act until the user enables its accessibility service, so declining that request is the main protection; services that are already enabled can be reviewed and disabled under Settings > Accessibility.

Cyware Publisher
