South Korean transportation apps found injecting malware on Android phones

  • Several bus transportation apps from a South Korean developer contained fake plugins that delivered malware to Android devices.
  • Three of the four apps had been available on Google Play since 2013; the fourth was released in 2017.

A new malware campaign has been uncovered by security firm McAfee. Transportation apps purportedly developed by a South Korean developer contained fake plugins that downloaded malware onto Android phones.

On the surface, these apps appeared to provide bus service information while the malicious plugins operated in the background.

“When the malicious transportation app is installed, it downloads an additional payload from hacked web servers which includes the fake plugin we originally acquired. After the fake plugin is downloaded and installed, it does something completely different – it acts as a plugin of the transportation application and installs a trojan on the device, trying to phish users to input their Google account password and completely take control of the device,” indicated the report by McAfee.

Altogether there were four apps: three had been available in the Google Play Store since 2013, while the fourth appeared in 2017. All four have since been removed by Google after it was made aware of the issue.

Apps involved in phishing too

After the fake plugins quietly install their malware payloads, a phishing step follows in which users are tricked into divulging their Google account credentials, namely usernames and passwords.

Finally, once the plugins execute the trojan, the affected phone is fully compromised: the trojan then receives commands from its C2 servers and can remotely monitor files on the device.

McAfee’s experts also found minor variations in the malware payload across different devices, although the overall operation remained the same. They suggest the malware was built for ‘targeted attacks’ and sought out users with military or political affiliations.