Security researchers have discovered a phishing campaign that specifically targets users of Android devices, which could result in compromise if unsigned Android applications are permitted on the device.
The campaign seeks to deliver Anubis, malware that was originally used for cyber-espionage and has since been retooled as a banking trojan. Anubis can completely hijack an Android mobile device, steal data, record phone calls, and even hold the device to ransom by encrypting the victim’s personal files, said a blog post by researchers at Cofense.
“With mobile devices increasingly used in the corporate environment, thanks to the popularity of BYOD policies, this malware has the potential to cause serious harm, mostly to consumers and businesses that allow the installation of unsigned applications,” said Marcel Feller, phishing defense services manager at Cofense.
In the attack, cyber-criminals send a phishing email that asks the user to download an invoice. The download is actually an Android Package Kit (APK), the standard format Android uses to distribute and install applications.
Upon opening the file, the user is asked to enable “Google Play Protect”. According to the researchers, this is not the genuine Google Play Protect screen: accepting it grants the app all the permissions it needs while at the same time disabling the real Google Play Protect.
The malware mainly targets banking and financial applications, but also looks for popular shopping apps such as eBay or Amazon. Once an application has been identified, Anubis overlays the original application with a fake login page to capture the user’s credentials.
Tom Davison, EMEA technical director at Lookout, told SC Media UK that organisations need visibility into potentially vulnerable Android operating system versions and risky configurations for all devices accessing business data.
“By taking an active approach to mobile vulnerability management, enterprises can reduce the potential attack surface. Secondly, employees need to be aware of the dangers and prevalence of mobile phishing attacks. Lookout has observed that one in 50 mobile devices in the enterprise encounter a phishing attempt daily. Phishing attacks may target credential theft, or as in this case, attempt to persuade users to install additional malicious applications,” he said.
Fleming Shi, chief technology officer at Barracuda Networks, told SC Media UK that granting excessive permissions can allow apps to harvest a wide variety of personal information, which can either be sold directly or stored, making it susceptible to being leaked later in the event of a data breach.
“Some permissions, while potentially dangerous, can also serve as good warning signs of a malicious app. For example, granting the ability to read SMS messages could be leveraged to intercept multi-factor authentication tokens. Similarly, granting the ability to send SMS messages could be used to send spam or phishing campaigns from your device. Also, granting access to your contacts could potentially harvest targets for spam or phishing campaigns via SMS/MMS, email or phone,” he said.
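A defender-side triage of the permission warning signs Shi lists, as an added example (not code from the article, Cofense or Barracuda): it parses a decoded AndroidManifest.xml and groups the declared permissions by the abuse scenario they enable. The sample manifest is constructed, and the overlay-permission rule is an addition based on the classic overlay permission, not something the article states about Anubis.

```python
"""Triage a decoded AndroidManifest.xml for the permission warning signs discussed above.

Works on the decoded text XML (as produced by a decompiler), not the binary manifest
packed inside an APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each rule maps the permissions that enable one abuse scenario to a label for the report.
RISK_RULES = {
    "MFA token interception via SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "Spam/phishing sent from the device": {"android.permission.SEND_SMS"},
    "Harvesting contacts as phishing targets": {"android.permission.READ_CONTACTS"},
    # Assumption (not from the article): SYSTEM_ALERT_WINDOW is the classic permission behind
    # drawing a fake login page over another app.
    "Screen overlay (fake login pages)": {"android.permission.SYSTEM_ALERT_WINDOW"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every permission the manifest requests (both uses-permission element forms)."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms.update(el.get(ANDROID_NS + "name", "") for el in root.iter(tag))
    return perms


def triage(manifest_xml: str) -> dict[str, list[str]]:
    """Map each triggered abuse scenario to the sorted list of permissions that triggered it."""
    perms = declared_permissions(manifest_xml)
    return {scenario: sorted(perms & risky)
            for scenario, risky in RISK_RULES.items() if perms & risky}


# Constructed sample: an "invoice viewer" that asks for far more than an invoice viewer needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.invoiceviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Invoice Viewer"/>
</manifest>"""

if __name__ == "__main__":
    for scenario, hits in triage(SAMPLE_MANIFEST).items():
        print(f"[!] {scenario}: {', '.join(hits)}")
```

A manifest that only requests INTERNET produces an empty report, so the check separates an over-privileged "invoice" app from a plausibly benign one.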
Peter Galdies, managing director at DQM GRC, told SC Media UK that BYOD is fundamentally a poor choice for high risk environments.
“It constantly exposes your organisation to a wider set of continuously evolving security challenges, as opposed to using a network that only allows a limited set of known configurations. Of course, organisations need to balance this risk against their desire to be flexible and reduce costs, so that it falls into the domain of formal risk analysis, which is a skill few individuals are trained to properly manage,” he said.