Android smartphones have been an attractive target for cybercriminals for a long time. However, some attackers can be seen putting efforts and using innovation to take their attacks to the next level. Recently, a vast and affordable network of Android mobile malware development packages was discovered on dark web markets, which may revolutionize the way new malware are being created.
The new danger
Check Point researchers have discovered a package dubbed Rogue, which can help in developing advanced Android malware capable of gaining control over the host device and exfiltrating any kind of data.
- A threat actor dubbed Triangulum has been observed offering Rogue in collaboration with another actor nicknamed HexaGoN Dev.
- The sale thread is offering the latest iteration on underground forums for as low as $29.99, providing low-level cybercriminals, with limited technical skills, the ability to steal sensitive personal data.
- The Rogue malware targets Android devices with a keylogger, allowing attackers to monitor the use of websites and apps to steal login credentials and other sensitive data.
- The malware gets around by exploiting Google's Firebase service for apps to disguise its malicious intents and masquerade as a legitimate app on the device.
- Rogue has been maintaining persistence with sophisticated capabilities such as GPS location monitoring, camouflage defense technique, and data exfiltration.
- The Rogue malware is not an entirely new malware family. It is the combined version of two previous families of Android RATs - Cosmos and Hawkshaw.
- Furthermore, Rogue appears to be the latest variant of an old malware called Dark Shades, which was purchased by Triangulum in August 2019.
Similar to Triangulum, there are several threat actors actively using their skills to develop advanced malware and making them commercially available on the dark web. Therefore, it is high time that users stay vigilant about such threats. Experts recommend users to keep their devices updated with all security patches and download apps only from a trusted source of origin from the official app stores.