A wave of Android applications has been uncovered posing as popular platforms such as Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter). These seemingly innocuous apps serve as tools for credential theft, according to the SonicWall Capture Labs threat research team.
Once installed, the malicious app coerces users into granting two critical permissions: Accessibility Service and Device Admin Permission. These permissions allow the malware to seize control over the victim's device and perform a series of malicious actions without the user's knowledge or consent.
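As an added, defender-side example (not part of the SonicWall report or this article): a small triage script that takes an inventory of installed apps with their display labels, plus the raw output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`, and flags apps whose label borrows one of the impersonated brand names without that brand's genuine package name, or that hold both the Accessibility Service and Device Admin grants described above. The genuine package names are public values; the sample inventory, the sample command output, and the exact `dumpsys` line format are constructed assumptions.

```python
import re

# Genuine package names of the impersonated brands (public, well-known values).
LEGIT_PACKAGES = {
    "google": {"com.google.android.googlequicksearchbox", "com.google.android.gms"},
    "instagram": {"com.instagram.android"},
    "snapchat": {"com.snapchat.android"},
    "whatsapp": {"com.whatsapp", "com.whatsapp.w4b"},
    "twitter": {"com.twitter.android"},
    "x": {"com.twitter.android"},
}
BRAND_RE = re.compile(r"\b(google|instagram|snapchat|whatsapp|twitter|x)\b", re.I)

def parse_accessibility(settings_value):
    """Package names from `settings get secure enabled_accessibility_services`
    ('pkg/Service:pkg2/Service2', or 'null' when nothing is enabled)."""
    if settings_value.strip() in ("", "null"):
        return set()
    return {e.split("/")[0] for e in settings_value.strip().split(":") if "/" in e}

def parse_device_admins(dumpsys_text):
    """Package names from 'package/ReceiverClass' component strings in
    `dumpsys device_policy` (assumed format; real output varies by Android version)."""
    return set(re.findall(r"\b([a-z][\w.]*\.\w+)/\.?[A-Za-z][\w.$]*", dumpsys_text))

def triage(installed, accessibility_pkgs, admin_pkgs):
    """installed: {package_name: display_label}. Returns {package: [reasons]}."""
    findings = {}
    for pkg, label in installed.items():
        reasons = []
        for brand in {m.lower() for m in BRAND_RE.findall(label)}:
            if pkg not in LEGIT_PACKAGES[brand]:
                reasons.append(f"label '{label}' borrows brand '{brand}' but package is {pkg}")
        has_a11y, has_admin = pkg in accessibility_pkgs, pkg in admin_pkgs
        if has_a11y and has_admin:
            reasons.append("holds both Accessibility Service and Device Admin grants")
        elif reasons and (has_a11y or has_admin):
            reasons.append("impersonator also holds " + ("Accessibility Service" if has_a11y else "Device Admin"))
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample inputs (not real telemetry): a genuine screen reader holds
# Accessibility only, while a fake "Instagram" holds both grants.
SAMPLE_INSTALLED = {"com.whatsapp": "WhatsApp", "com.instagram.android": "Instagram",
                    "com.google.android.marvin.talkback": "TalkBack",
                    "com.example.fakegram": "Instagram", "com.example.updater": "Google Update"}
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
               ":com.example.fakegram/com.example.fakegram.AccService")
SAMPLE_DUMPSYS = "Current Device Policy Manager state:\n  Enabled Device Admins (User 0):\n" \
                 "    com.example.fakegram/com.example.fakegram.AdminReceiver:\n      uid=10201\n"

if __name__ == "__main__":
    result = triage(SAMPLE_INSTALLED, parse_accessibility(SAMPLE_A11Y), parse_device_admins(SAMPLE_DUMPSYS))
    for pkg, why in result.items():
        print(pkg, "->", "; ".join(why))
```

On a real device, feed `triage` the label map from your MDM or app inventory and the two command outputs unchanged; anything flagged is a candidate for closer inspection, not a verdict.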
According to the findings, the malicious app establishes a connection with a command-and-control (C&C) server, through which it receives a set of instructions, ranging from data harvesting to more insidious activities.
One of the primary functions of the malware is to harvest credentials. By accessing specific URLs through the victim's web browser, the malware siphons off sensitive login information, including usernames and passwords, directly from the user's device. Furthermore, it has the capability to infiltrate various aspects of the device's functionality, including contact lists, SMS messages, call logs, and the roster of installed applications.
The malware can also perform multiple intrusive actions, including sending unauthorized SMS messages, directing users to phishing pages, retrieving information about the apps installed on the victim's device, and even toggling the device's camera flashlight at will.