Cyble researchers wrote in a report released last week. “Under the name’sincronizador.apk,’ the [threat actor] has constructed a phoney Google Play Store page and hosted the malware that targets Ita Unibanco on it.” This programme has a similar icon and name, which may lead users to believe it is a legitimate Ita Unibanco app.

Researchers have uncovered a new Android banking malware that uses fake Google Play Store pages to carry out fraudulent financial transactions on victims’ devices without their awareness.

It’s not a new approach to use fake app store sites as a trap. Meta (formerly Facebook) revealed details of an attack campaign that used its platform as part of a larger operation to spy on Uyghur Muslims using rogue third-party websites that used replica domains for popular news portals and websites designed to resemble third-party Android app stores, where attackers placed fake keyboard, prayer  and dictionary apps that might appeal to the targets.

In the most recent case discovered by Cyble, the fake URL not only imitates the legitimate Android app marketplace, but also contains the malware-infected Ita Unibanco programme, claiming 1,895,897 downloads.

Users who download and run the phoney Google Play Store app are then prompted to activate accessibility services and other unwanted rights that allow the virus to access alerts, obtain window content and perform tap and swipe actions.

It’s not the first time the Sao Paulo-based financial services firm has been targeted by financially motivated terrorists. Janeleiro, a new banking trojan discovered by ESET earlier this April, has been affecting business users in Brazil since at least 2019 across a variety of industries such engineering, healthcare, retail, manufacturing, finance, transportation  and government.

Finally the researchers concluded that, “Threat actors are continually adapting their strategies in order to avoid detection and create new ways to target people using ever-more sophisticated techniques. Malicious software is frequently disguised as legitimate software in order to deceive people into installing it .”To avoid such attacks, users should only install applications after checking their legitimacy and only from the official Google Play Store and other trusted portals.”

Indicators Of Compromise

Indicators Indicator Type Description 
3500c50910c94c7f9bc7b39a7b194bac6137cef586281ee22f5439bb2d140480 SHA256 Malicious APK 
hxxps://acesso.sincronizadorltoken[.]com URL Fake Google Play Store Page and Malicious APK Hosted on this Server 

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s