ISH Tecnologia has warned of two malware campaigns targeting Android devices and iPhones in Brazil. According to the company, a new variant of the FakeCall malware is capable of hijacking Android devices to carry out bank fraud and steal confidential information. Apple iOS and macOS devices, in turn, have been hit by an enhanced version of the LightSpy spyware, which adds destructive features that can prevent them from booting.
FakeCall (Android)
According to the ISH Threat Intelligence team, the new version of FakeCall for Android uses vishing (voice phishing) techniques to trick users into handing over personal information such as login credentials, card numbers or bank details. In most cases the scams are carried out through fraudulent phone calls or voice messages that impersonate banks or other trusted institutions.
One of its main functions is to manipulate outgoing calls and redirect them to fraudulent numbers controlled by the attackers, which results in identity fraud or call hijacking. Beyond using the malware to take full control of the mobile device, the campaign abuses the interception of incoming and outgoing calls.
The attack initially spreads through a malicious APK file downloaded via phishing, which works as a dropper. The dropper's main function is to install the actual malicious payload (the second stage) on the victim's device. The second-stage malware then communicates with a Command and Control (C2) server, allowing the attacker to perform malicious actions on the compromised device.
Once downloaded, the APK uses an encrypted .dex file (an executable code file for Android) to hide its code and hinder analysis. The improved variant also introduces new features, such as monitoring Bluetooth status and detecting screen-state events.
To gain full control over the user interface, FakeCall uses the Android Accessibility Service. With control of the screen, cybercriminals can monitor activity, capture information and grant permissions without the user's consent.
When the victim calls their financial institution, the malware redirects the call to a fraudulent number controlled by the attacker. The malicious application installed through the campaign's downloads then deceives the user with a fake interface that mimics the legitimate Android one. To keep the target from noticing the manipulation, the interface imitates a real banking experience, which allows the cybercriminal to obtain confidential information or unauthorized access to the victim's financial accounts.
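The FakeCall description above boils down to a small set of capabilities an Android app must declare before it can obtain them: a service bound with the accessibility permission, call redirection or outgoing-call processing, permission to install further packages (the dropper stage), Bluetooth access and direct phone-call permissions. The script below is an added example, not code from ISH Tecnologia or from the article, that triages an AndroidManifest.xml for that combination. The permission and action names are real Android identifiers; the two manifests are constructed samples, the scoring thresholds are my own assumption, and the result is a triage hint for a defender, not a malware verdict, since legitimate dialers and assistive apps declare some of the same items.

```python
"""Triage an Android manifest for the capability combination that
call-hijacking malware of the FakeCall type needs to declare.
Added example; scoring thresholds are an assumption, not a standard."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"          # android:name
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"  # android:permission on <service>

# Each indicator maps a behaviour from the write-up to what the manifest must declare.
INDICATOR_DESCRIPTIONS = {
    "accessibility_service": "service bound with BIND_ACCESSIBILITY_SERVICE (UI control)",
    "call_redirection": "call redirection service or outgoing-call processing",
    "installs_packages": "REQUEST_INSTALL_PACKAGES (dropper behaviour)",
    "bluetooth_state": "Bluetooth permissions (status monitoring)",
    "phone_calls": "direct call placement / phone-state access",
}


def _names(root, tag):
    """Collect android:name values of every element with the given tag."""
    return {el.get(NAME_ATTR, "") for el in root.iter(tag)}


def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found, a count, and a coarse triage verdict."""
    root = ET.fromstring(xml_text)
    perms = _names(root, "uses-permission")
    bound_perms = {s.get(PERMISSION_ATTR, "") for s in root.iter("service")}
    actions = _names(root, "action")  # intent-filter actions of services/receivers

    found = {
        "accessibility_service":
            "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound_perms,
        "call_redirection":
            "android.permission.BIND_CALL_REDIRECTION_SERVICE" in bound_perms
            or "android.telecom.CallRedirectionService" in actions
            or "android.permission.PROCESS_OUTGOING_CALLS" in perms
            or "android.intent.action.NEW_OUTGOING_CALL" in actions,
        "installs_packages":
            "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
        "bluetooth_state": bool(perms & {
            "android.permission.BLUETOOTH",
            "android.permission.BLUETOOTH_CONNECT"}),
        "phone_calls": bool(perms & {
            "android.permission.CALL_PHONE",
            "android.permission.ANSWER_PHONE_CALLS",
            "android.permission.READ_PHONE_STATE"}),
    }
    score = sum(found.values())
    # Assumed thresholds: accessibility control plus call redirection is the
    # defining FakeCall pairing, so it alone rates "high".
    if found["accessibility_service"] and found["call_redirection"]:
        verdict = "high"
    elif score >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"indicators": found, "score": score, "verdict": verdict}


# Constructed sample: declares every capability discussed in the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dialer">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <application android:label="Constructed Sample">
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Redirect"
        android:permission="android.permission.BIND_CALL_REDIRECTION_SERVICE">
      <intent-filter>
        <action android:name="android.telecom.CallRedirectionService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with no telephony or accessibility access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Constructed Flashlight">
    <activity android:name=".Main"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(xml)
        print(f"{label}: verdict={result['verdict']} score={result['score']}")
        for key, hit in result["indicators"].items():
            if hit:
                print(f"  - {INDICATOR_DESCRIPTIONS[key]}")
```

Run it against a manifest extracted from an APK (for example with apktool) to see which of the article's behaviours the app has declared up front; an app that pairs an accessibility-bound service with call redirection deserves a close look regardless of what its store listing claims.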
Spyware LightSpy (iPhone)
The new advanced version of the LightSpy spyware not only expands its functionality but also includes destructive features that can prevent the compromised device from booting. According to a report from ThreatFabric, the threat actor was found to be using the same server for campaigns against both macOS and iOS.
According to the research, the attackers exploit vulnerabilities, such as in Safari, and then deploy plugins to compromise the devices. Some of these plugins have highly destructive capabilities: for example, they can affect operating-system stability, freeze devices and prevent them from starting.
The structure of the LightSpy iOS infection chain suggests that the initial exploit URL is embedded in a legitimate or specially crafted web page, which victims must visit themselves. According to ISH, any failure in the servers that collect and store victims' sensitive data could result in the leakage of that confidential information, so that other parties could access the material exfiltrated from the targets.
Google releases updates to fix Android flaws
Google recently released fixes for two actively exploited Android zero-day vulnerabilities as part of an update covering 51 flaws in total. Identified as CVE-2024-43047 and CVE-2024-43093, the bugs are associated with limited, targeted attacks.
According to the Threat Intelligence team at ISH Tecnologia, CVE-2024-43047 is a privilege-escalation vulnerability in Qualcomm's closed-source components in the Android kernel. CVE-2024-43093, in turn, affects the Android Framework component and Google Play system updates, specifically the platform's document interface.
Although details about how the vulnerabilities were used in attacks have not been disclosed, researchers suggest that CVE-2024-43047 may have been used in targeted spyware operations. This month's security updates cover Android versions 12 to 15, with some fixes applying only to specific versions of the operating system.
Recommendations
Given the sophistication of threats such as FakeCall and the LightSpy spyware, ISH Tecnologia lists recommendations so that internet users know how to defend themselves against these attacks:
- Keep your operating system up to date;
- Avoid clicking on suspicious links and use reliable security software;
- Check application permissions;
- Monitor suspicious activity;
- Make regular backups and use data encryption.
Source: https://www.hardware.com.br/noticias/malwares-disparados-contra-dispositivos-android-e-iphone-no-brasil-aplicam-fraudes-bancarias.html