Google Chrome is the most popular browser in the world. So when a “very dangerous” fraudulent updater is caught stealing private data, messages and photos, it is a cause for serious concern.
Updated 2/11 below, article originally published 2/9.
An alarming new report from McAfee this week warns Android users not to click on links in messages that install Chrome updates on their devices. The MoqHao malware hides in these downloads with an unpleasant feature, which the security researchers describe as a new “very dangerous technique”.
“During application installation,” the researchers warn, “their malicious activity starts automatically. We have reported this technique to Google and they are already working on implementing mitigations to prevent this type of autorun in a future version of Android.”
As with other variants, this malicious campaign distributes MoqHao malware via SMS messages. The threat actors have started using short URLs from legitimate services, because “it is difficult to block the short domain as it could affect all URLs used by that service.” [But] when a user clicks on the link in the message, they will be redirected to the actual malicious site by the URL shortener service.
Once installed, the fraudulent Chrome update asks for expanded user permissions, including access to text messages, photos, contacts, and even the phone itself. The malware is designed to run in the background, connecting to its command and control server and shuttling data to and from the device while the damage is done.
McAfee attributes this MoqHao (XLoader) campaign to the Roaming Mantis group, a threat actor that typically operates in Asia. However, McAfee notes that this specific campaign also appears to target users in Europe. One of the languages built into the campaign is English, which means US users are also in range.
If you look closely, you can see that the app name uses Unicode characters to trick users into thinking it’s a legitimate Chrome update. “This technique causes some characters to appear bold, but users visually recognize them as ‘Chrome’,” says McAfee, also warning that “this may affect application name-based detection techniques that compare the name of the application (Chrome) and package name (com.android.chrome).”
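A defender-side version of the name-versus-package comparison that the report says this trick defeats, added here as an example and not taken from the McAfee report or this article: it folds look-alike Unicode letters with NFKC before comparing the label to the package. The sample app inventory and every package name other than com.android.chrome are constructed for the example.

```python
import unicodedata

GENUINE_CHROME_PACKAGE = "com.android.chrome"

# Constructed inventory of (app label, package name) pairs, as a detection
# engine might read them from an installed-apps list. The second label is
# "Chrome" written in Mathematical Bold letters (U+1D402 etc.): it renders
# like the real name but contains no ASCII at all.
SAMPLE_APPS = [
    ("Chrome", GENUINE_CHROME_PACKAGE),
    ("\U0001D402\U0001D421\U0001D42B\U0001D428\U0001D426\U0001D41E",
     "com.example.fake.update"),            # constructed impersonation
    ("Chrome", "org.example.plain.dropper"),  # constructed: ASCII name, wrong package
    ("Calculator", "com.android.calculator2"),
]


def naive_match(label: str) -> bool:
    """Exact-string name check of the kind the report says bold look-alikes bypass."""
    return label == "Chrome"


def normalize_label(label: str) -> str:
    """NFKC folds compatibility characters such as Mathematical Bold to plain ASCII."""
    return unicodedata.normalize("NFKC", label)


def assess(label: str, package: str) -> str:
    """Return 'impersonation', 'suspicious-name' or 'ok' for one app entry."""
    folded = normalize_label(label)
    looks_like_chrome = folded.casefold() == "chrome"
    if looks_like_chrome and package != GENUINE_CHROME_PACKAGE:
        return "impersonation"          # name says Chrome, package does not
    if folded != label:
        return "suspicious-name"        # label only looks normal after folding
    return "ok"


def scan(apps):
    """Return the entries that are not 'ok', with their verdicts."""
    return [(label, package, assess(label, package))
            for label, package in apps
            if assess(label, package) != "ok"]


if __name__ == "__main__":
    for label, package, verdict in scan(SAMPLE_APPS):
        print(f"{verdict:15} {package:30} {label!r}")
```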
It’s only February and this is the third headline-grabbing Android malware alert of the year so far. We have seen VajraSpy, SpyLoan and Xamalicious. We also saw a broader warning about copycat apps, which echoes what we see here. As for this one in particular, McAfee warns that “we expect this new variant to have a considerable impact as it infects devices simply by being installed without running.”
“Copy apps are simple to produce,” warns ESET’s Jake Moore. “Downloading and installing a malicious app on your phone can lead to a number of disasters, including theft of personal data, compromise of banking information, poor device performance, intrusive adware and even spyware monitoring your conversations and messages.”
As I’ve said several times this year, timing is potentially even more important than the malware itself. The EU Digital Markets Act brings substantial changes to the apps and platforms we use most. And that includes app stores.
Apple is reluctantly opening its platform to alternative app stores for the first time, but warns of dangers for users. “These new regulations, while providing new options for developers, also bring new risks. There’s no way around it,” warned Apple’s Phil Schiller, with malware high on the list of such concerns.
In response to the McAfee report, a Google spokesperson told me that “Android has multi-layered protections that help keep users safe” and, as noted in the McAfee report, that “Android users are currently protected against this by Google Play Protect, which is enabled by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
Google also confirmed that it has worked with McAfee to combat this new malware threat, as it is one of its App Defense Alliance partners.
Google’s focus on its Play Store ecosystem and its promotion of it, including Play Protect, is commendable and certainly makes a difference. The problem, however, is that this requires a better software and security update process than exists today.
The nature of Android’s fragmented ecosystem has always lagged noticeably behind Apple’s command-and-control structure when it comes to keeping devices up to date and responding to issues in real time. Reliance on OEM device makers to do much of this work leaves Google without the same levers of control as Apple, and it shows.
And, as it happens, this is precisely the problem that is occurring at the moment.
As Ars Technica reported this weekend: “We’re a third of the way through February, but Android’s January 2024 Google Play system update has only just rolled out. The now-infamous update was initially rolled out in early January, but was pulled after it began locking users out of their phone’s local storage. Apparently, the update has been patched and is rolling out to devices.”
But at least now – as of this weekend – it appears to be fixed. Although Ars Technica warns that “the update was the second time in four months that an automatic Android update broke some Pixel phones… These issues all make updating a Pixel phone a scary proposition lately.”
And while this update issue affects Pixel phones, Samsung has its own issues, as SamMobile explains. “Usually it’s flagship devices that receive monthly security updates and mid-range and budget devices that receive quarterly updates, but it’s not always that clear cut. Some devices may receive monthly updates for a year or two after hitting the market and then be moved to the quarterly schedule, while others may be relegated to quarterly updates from day one.”
All of this means that there is a real need for common sense and best practices to keep users safe. The advice remains very, very simple. Never click on links such as those seen in this latest campaign – and definitely don’t install apps directly from links. This was at the heart of ESET’s copycat app warning. You should also never accept permission requests that are not essential to an app’s specific functionality.
Here are the golden rules for apps and updates:
- Stick to official app stores: Don’t use third-party stores and never change your device’s security settings to allow an app to be sideloaded.
- Check the developer in the app description: is this someone you would want in your life? And check the reviews: do they look genuine or manufactured?
- Don’t give permissions to an app that it shouldn’t need: Torch and stargazing apps don’t need access to your contacts and phone. And never grant accessibility permissions, which make it easier to take control of a device, unless you actually need them.
- Never, ever click links in emails or messages that directly download apps or updates. Always use app stores for installations and updates.
- Don’t install apps linked to established apps like WhatsApp unless you know for sure they are legitimate: check reviews and articles online.