Crooks Deliver Android Malware via Fake Google Chrome Updates

Exterminator (thread author, Verified, Top Poster, Well-known) · Oct 23, 2012
Security researchers discovered malware targeting Android devices that disguises itself as a Google Chrome update package in an attempt to fool users into lowering their defenses.

Crooks are distributing the fake update package as downloadable APK files, which users have to launch into execution by tapping on them. If a user is not accustomed to updating apps via the Google Play Store app, they might fall for this trick. It is of great importance that our readers understand that apps only need to be installed and then updated via the Google Play Store app.

Malware asks for admin permissions
In this particular case, when launched into execution, the Google Chrome update package asks for administrative rights. Since it's a "Google" Chrome update, most users are probably willing to grant it such permissions.

Once the malware has acquired root level permissions, it will begin its malicious behavior. According to Zscaler security researchers, the malware is very potent.

Some of the malware's capabilities include the ability to check for the presence of mobile antivirus solutions such as Kaspersky, ESET, Avast and Dr. Web, and to terminate their processes. Additionally, it can also monitor incoming and outgoing calls and SMS messages, as well as start or end calls, and send SMS messages.

Malware steals your credit card details
The most dangerous behavior observed coming from the malware is the fact that it shows a popup asking for the user's credit card details every time the user opens the Google Play Store app.

If users make the mistake of entering these details inside the form, the information will be sent via SMS to a phone number in Russia. Further, the malware also collects browsing history and sends it to a C&C server, along with various other details.

A particularity for this malware distribution campaign is the fact that the attackers are using a large collection of domain names to host the malware, which they change at regular intervals. All domains are registered with terms like Android, Google, Chrome, or Update, in order to confuse and fool users, making them think the malware was downloaded from an official Google server.

Zscaler experts say the only way to remove the malware is to reset the device to factory settings.
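The post describes the campaign's delivery side: APK downloads served from a rotating set of domains registered with terms like Android, Google, Chrome or Update, so that the download looks like it came from Google. One place a defender can catch that pattern is the web proxy or DNS log. The script below is an added example written for this thread, not code from Zscaler or from the original article; it scans constructed proxy log lines for `.apk` downloads from hosts that carry those brand terms but are not on a small, assumed allowlist of real Google domains (`LEGIT_SUFFIXES` is an assumption; the sample domains use the reserved `.example` TLD and are not real indicators).

```python
"""Added example: flag APK downloads from brand-keyword lookalike domains in web proxy logs."""
import re
from urllib.parse import urlparse

# Brand terms the article says the attackers built their rotating domain names from.
BRAND_TERMS = ("android", "google", "chrome", "update")

# Assumption: an allowlist of domains a Chrome/Android download could legitimately come from.
# A real deployment would maintain this list from its own policy, not hard-code it.
LEGIT_SUFFIXES = ("google.com", "googleapis.com", "android.com", "gstatic.com")


def is_legit(host):
    """True if host is exactly an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def suspicious_apk_url(url):
    """Return the brand terms found in the host if url is an APK download from a
    non-allowlisted host that imitates Google/Chrome naming; otherwise None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not parsed.path.lower().endswith(".apk"):
        return None          # only sideloaded APK downloads are of interest here
    if is_legit(host):
        return None          # genuine Google infrastructure
    # Match on the name labels only, so the TLD itself never triggers a hit.
    labels = host.split(".")
    name_part = "-".join(labels[:-1]) if len(labels) > 1 else host
    hits = [term for term in BRAND_TERMS if term in name_part]
    return hits or None


# Constructed squid-style proxy log lines: timestamp, client IP, method, URL, status.
# The hosts below are made up for this example (reserved .example TLD), not real IoCs.
SAMPLE_LOG = """\
1461000001.123 10.0.0.5 GET http://android-chrome-update.example/chrome_update.apk 200
1461000002.456 10.0.0.5 GET https://www.google.com/chrome/ 200
1461000003.789 10.0.0.7 GET http://google-update.example/download/update.apk 200
1461000004.012 10.0.0.9 GET https://cdn.example/images/logo.png 200
1461000005.345 10.0.0.9 GET https://dl.google.com/android/repository/tools.apk 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)


def scan_log(text):
    """Return (client, host, matched_terms) for every suspicious APK download in the log."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip malformed lines rather than crash the scan
        hits = suspicious_apk_url(m["url"])
        if hits:
            alerts.append((m["client"], urlparse(m["url"]).hostname, hits))
    return alerts


if __name__ == "__main__":
    for client, host, hits in scan_log(SAMPLE_LOG):
        print(f"{client} fetched an APK from lookalike host {host} (terms: {', '.join(hits)})")
```

Because the campaign swaps domains at regular intervals, a blocklist of individual hostnames goes stale quickly; keying on the naming pattern plus the `.apk` download, and allowing only known Google domains, keeps working across domain rotations. On the device side the same incident would show up as a sideloaded package that holds device-administrator rights, which is the other place to look.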
 

_CyberGhosT_ (Verified, Honorary Member, Top Poster, Content Creator, Well-known) · Aug 2, 2015
ESET has a big warning plastered on their page telling Android users to avoid installing the fake update APK.
Great share Exterminator.
PeAcE