For the first time, an old malicious certificate has been seen to be associated with the pandemic-themed cyberattacks. When people look for answers pertaining to COVID-19, sometimes they end up installing notorious applications from anonymous sources on their phones. Taking advantage of these trying times, bad actors are using an old certificate for Jawa Barat to deploy the malware into Android devices to steal personal data, including contacts, call logs, SMS messages, and more.
What's the matter?
- The threat actors are leveraging the old Jawa Barat certificate, which was leaked years ago and is now used to sign repackaged samples with PUA, Adware, or malware components.
- As the certificate wasn’t abolished, it’s still used in apps and malware. In 2020, the certificate was found in 125,000 scans.
- In this infostealer, the attackers used the application version name “–no-version-vectors.”
Sideloaded Android apps can be risky
- The malware targets Algerians, and the Command & Control (C&C) domain was once found hosted to a server in Algeria.
- Cybercriminals are leveraging four different versions of a malware, which is detected as “Android.Trojan.InfoStealer.UQ” under the package name “DZ.Eagle.Master” and app label “Covid”. The applications carrying the malware have the same label, but different icons.
- The malware contacts the C&C server and sends the device’s information, including the network operator, manufacturer, phone model, SIM serial number, Wi-Fi IP as well as the Internet IP address.
The terror of Android malware in the past
- Earlier this year, researchers at Trend Micro discovered MobSTSPY, an Android malware, which was capable of prying on communications logs, user location, and stealing files and account credentials. To distribute the malware, several applications were uploaded to the Google Play app store.
- In March 2020, the Cybereason Nocturnus team found a new Android malware, EventBot, was capable of stealing user data from financial applications and SMS messages to allow the malware to bypass two-factor authentication.
- In 2016, Proofpoint discovered an Android malware, DroidJack, embedded into a Pokemon Go version downloaded outside of the Google Play Store. The malware gave the attacker complete control of the victims’ phone.
There’s always a risk in installing apps from unauthorized sources. To protect against Android malware, people must employ a security solution with updated malware signatures.