Cyble researchers wrote in a report released last week. “Under the name ‘sincronizador.apk,’ the [threat actor] has constructed a phoney Google Play Store page and hosted the malware that targets Itaú Unibanco on it.” This programme has a similar icon and name, which may lead users to believe it is a legitimate Itaú Unibanco app.
Researchers have uncovered a new Android banking malware that uses fake Google Play Store pages to carry out fraudulent financial transactions on victims’ devices without their awareness.
Using fake app store sites as a lure is not a new approach. Meta (formerly Facebook) previously disclosed an attack campaign that used its platform as part of a larger operation to spy on Uyghur Muslims. That operation relied on rogue third-party websites with look-alike domains for popular news portals, as well as sites designed to resemble third-party Android app stores, on which the attackers placed fake keyboard, prayer and dictionary apps likely to appeal to the targets.
In the most recent case discovered by Cyble, the fake URL not only imitates the legitimate Android app marketplace, but also hosts the malware-laced Itaú Unibanco programme, claiming 1,895,897 downloads.
Users who download and run the phoney Google Play Store app are then prompted to enable accessibility services and grant other unnecessary permissions, which allow the malware to read notifications, retrieve window content and perform tap and swipe gestures on the victim’s behalf.
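Because the malware relies on the accessibility service permission, one defensive check is to review which accessibility services are actually enabled on a device. The following is an added example (not code from the Cyble report): it parses the value that `adb shell settings get secure enabled_accessibility_services` prints, a colon-separated list of `package/class` component names, and flags any service whose package is not on an assumed, organisation-maintained allowlist. The allowlist and the sample output are constructed for illustration.

```python
"""Triage helper: flag unexpected enabled Android accessibility services.

Assumes the raw output of
  adb shell settings get secure enabled_accessibility_services
has been captured into a string. Android stores this setting as
"pkg/class:pkg/class:..."; the class part may use the short ".Class" form.
"""
from __future__ import annotations

# Assumed allowlist of packages whose accessibility services have been vetted
# (illustrative only; an organisation would maintain its own list).
TRUSTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.systemui",
}

# Constructed sample of the settings value as adb would print it. The second
# entry is a placeholder package standing in for a sideloaded fake-store app.
SAMPLE_SETTINGS_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakestore/.AccService"
)


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully qualified class) pairs.

    An empty value or the literal "null" means no service is enabled.
    A class written in the short ".Name" form is expanded with its package.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        if not component:
            continue
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def flag_unexpected_services(raw: str, trusted=TRUSTED_ACCESSIBILITY_PACKAGES):
    """Return enabled services whose package is not on the trusted list."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in trusted]
```

Any flagged entry deserves a closer look at how that package was installed and whether it also holds notification-listener or overlay permissions.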
It’s not the first time the São Paulo-based financial services firm has been targeted by financially motivated threat actors. Janeleiro, a new banking trojan discovered by ESET earlier this April, has been affecting business users in Brazil since at least 2019 across a variety of industries such as engineering, healthcare, retail, manufacturing, finance, transportation and government.
Finally, the researchers concluded: “Threat actors are continually adapting their strategies in order to avoid detection and create new ways to target people using ever-more sophisticated techniques. Malicious software is frequently disguised as legitimate software in order to deceive people into installing it. To avoid such attacks, users should only install applications after checking their legitimacy and only from the official Google Play Store and other trusted portals.”
Indicators Of Compromise

| Indicator | Type | Description |
|---|---|---|
| hxxps://acesso.sincronizadorltoken[.]com | URL | Fake Google Play Store page and malicious APK hosted on this server |