Sideloading Apps from Untrusted Sources Can Allow Malware to Crawl on Your Phone

What's the matter? 

• The threat actors are leveraging the old Jawa Barat certificate, which was leaked years ago and is now used to sign repackaged samples with PUA, Adware, or malware components.
• As the certificate wasn’t abolished, it’s still used in apps and malware. In 2020, the certificate was found in 125,000 scans.
• In this infostealer, the attackers used the application version name “–no-version-vectors.”

Sideloaded Android apps can be risky

• The malware targets Algerians, and the Command & Control (C&C) domain was once found hosted to a server in Algeria.
• Cybercriminals are leveraging four different versions of a malware, which is detected as “Android.Trojan.InfoStealer.UQ” under the package name “DZ.Eagle.Master” and app label “Covid”. The applications carrying the malware have the same label, but different icons.
• The malware contacts the C&C server and sends the device’s information, including the network operator, manufacturer, phone model, SIM serial number, Wi-Fi IP as well as the Internet IP address.

The terror of Android malware in the past

• Earlier this year, researchers at Trend Micro discovered MobSTSPY, an Android malware, which was capable of prying on communications logs, user location, and stealing files and account credentials. To distribute the malware, several applications were uploaded to the Google Play app store.
• In March 2020, the Cybereason Nocturnus team found a new Android malware, EventBot, was capable of stealing user data from financial applications and SMS messages to allow the malware to bypass two-factor authentication.
• In 2016, Proofpoint discovered an Android malware, DroidJack, embedded into a Pokemon Go version downloaded outside of the Google Play Store. The malware gave the attacker complete control of the victims’ phone.

Winding Up