Almost half of mobile malware are hidden apps

Certain apps are hiding themselves and stealing resources and data from mobile devices, according to a new report by security firm McAfee. This is a growing threat comprising almost half of all malicious mobile malware, and a 30% increase from 2018, said Raj Samani, chief scientist and McAfee fellow, who authored the Q1 2020 McAfee Mobile Threat Report.  

SEE: Top Android security tips (free PDF) (TechRepublic)

“This shows where the focus from criminals [is] on the mobile platform, which is in stark contrast to non-mobile malware,” Samani said.

A new malware family called LeifAccess or Shopper is taking advantage of the accessibility features in Android to create accounts, download apps, and post reviews, according to the report.

LeifAccess, “is a broad campaign [and] is using alternate methods to achieve installation but thereafter trying to achieve legitimacy to the user with fake warnings,” Samani said. 

For example, LeifAccess does not create an icon or shortcut, “so it’s not immediately obvious that the app is installed … but for some of the hidden apps within the report, malicious mobile attacks will even masquerade as a legitimate app,” he said.

Then, users receive fake warnings to get them to activate accessibility services, enabling the full range of the malware’s capabilities, according to the report.

“These cover a range of vague but scary system warnings, such as ‘system needs to upgrade your video decoder,’ ‘application reduces your phone performance, please check it now,’ and ‘security error should be dealt with immediately.'”

Then, the malware waits up to eight hours before showing the fake notification in an effort to separate the warnings from installation, the report said.

The malware, first identified in May 2019, has been spreading globally, primarily in the US and Brazil, the report said.

Abusing accessibility in Android

Android’s accessibility features are intended to help people overcome obstacles to using their devices, the report noted. For example, they can use voice commands instead of the touch screen.

Google has restricted the permissions on accessibility features and moved functions to new application programming interfaces (APIs) in an effort to combat abuse of these tools, but criminals are still able to abuse this functionality, the report said.

SEE: Mobile device security: Tips for IT pros (free PDF) (TechRepublic)

“One of the key features being abused is the ability to automate actions in the graphical interface in the background,” the report said. “Users can combat this by checking their accessibility permission settings and turning them off if they are not needed. However, this malware can still perform click fraud and install other apps without accessibility functions.”

How to protect yourself from mobile malware 

Using the authorized app stores [such as the App Store and Google Play] is very important, “but also don’t necessarily rely on reviews as an example of legitimacy,” Samani advised, adding that there are examples detailed in the report with some malicious apps writing fake reviews. 

One way to tell is by looking for reviews that reuse the same simple phrases, as they are probably an indication of fake reviews pumping up a suspicious or malicious app, the report said.

Use of “up-to-date security software is imperative since new malicious apps will be identified and subsequently removed from the device,” Samani said.

If you think you’ve been attacked, try to determine the extent of the damage as this will go a long way toward figuring out how to respond, he said. 

“For example, if it is passwords that are stolen, then ensuring these are changed is imperative,” Samani stressed. “If there is fraud, then reporting this to the authorities and the bank will be the first course of action.” 

While cybercriminals and nation-states increased their mobile attack methods last year, this year they have expanded the ways they are hiding their attacks and fraud, the report said. This makes it increasingly difficult to identify and remove them.

Also see