Maxime Ingrao

@IngraoMaxime

Followers
483
Following
76
Media
21
Statuses
43

French security researcher / Lead R&D at @EvinaTech

Joined October 2019
@IngraoMaxime
Maxime Ingrao
5 years
The new trend in #Joker #malware is to display a red 2020 banner in the left corner of the icon. 👀 So I created a program that crawls the Play Store and analyzes the pixels of the image. 🤖 And it works! I was able to find 9 Joker malware apps still on the Play Store 👌
6
30
92
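The icon check described in the post above, written out as an added example; this is not the author's crawler and the thresholds and icon layout are assumptions made for illustration. The icon is a plain list of rows of (R, G, B) tuples so the block runs without an imaging library; a real pipeline would decode the downloaded PNG first (for instance with Pillow) and reshape its pixel data into rows. To cut false positives on icons that are simply red, the corner is compared against the whole icon rather than judged on its own.

```python
"""Flag Play Store icons whose top-left corner is dominated by a red overlay.

Added example, not the author's program. Icons are constructed inline as
lists of rows of (R, G, B) tuples; thresholds are assumed values.
"""

RED_BANNER = (220, 30, 30)  # constructed banner colour used by make_icon


def is_red(pixel, min_r=150, max_gb=90):
    """A pixel counts as 'red' when red is strong and green/blue are weak."""
    r, g, b = pixel
    return r >= min_r and g <= max_gb and b <= max_gb


def red_fraction(icon, width, height):
    """Fraction of red pixels in the width x height region anchored top-left."""
    total = red = 0
    for row in icon[:height]:
        for px in row[:width]:
            total += 1
            red += is_red(px)
    return red / total if total else 0.0


def has_red_corner_banner(icon, corner_frac=0.25, min_red=0.5, min_contrast=0.3):
    """True when the top-left corner is mostly red AND clearly redder than the
    icon as a whole, so an icon that is red everywhere is not flagged."""
    h = len(icon)
    w = len(icon[0]) if h else 0
    if not w:
        return False
    rw = max(1, int(w * corner_frac))
    rh = max(1, int(h * corner_frac))
    corner = red_fraction(icon, rw, rh)
    whole = red_fraction(icon, w, h)
    return corner >= min_red and (corner - whole) >= min_contrast


def make_icon(size, fill, banner=0):
    """Constructed size x size icon of one colour; if banner > 0, paint a red
    triangle in the top-left corner covering pixels where x + y < banner."""
    icon = [[fill] * size for _ in range(size)]
    for y in range(min(banner, size)):
        for x in range(size):
            if x + y < banner:
                icon[y][x] = RED_BANNER
    return icon


def flag_suspicious(icons):
    """Return the sorted package names whose icon carries a red corner banner."""
    return sorted(name for name, icon in icons.items() if has_red_corner_banner(icon))


if __name__ == "__main__":
    blue = (30, 60, 200)
    sample = {
        "com.example.banner": make_icon(64, blue, banner=24),   # constructed: banner
        "com.example.plain": make_icon(64, blue),               # constructed: no banner
        "com.example.allred": make_icon(64, RED_BANNER),        # constructed: red icon
    }
    print(flag_suspicious(sample))
```

Only the first constructed icon is flagged: the plain blue one has no red corner, and the all-red one fails the contrast test because its corner is no redder than the rest of the image.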
@IngraoMaxime
Maxime Ingrao
1 year
Three games have been downloaded a lot in the last two weeks: com.ninetytwo.advance[dot]car.parking.impossible[dot]city[dot]drive, com.simgames.drag[dot]racing.simulator, com.tgames.motor.stunt.master. At #Evina we received millions of fraud attempts, which we blocked.
1
0
1
@IngraoMaxime
Maxime Ingrao
1 year
#Hary #malware is hiding in gaming apps; the game Advance Car Parking is currently on Google Play with over 500 000 downloads 💀 The malware subscribes to paid subscriptions on the mobile operator bill 💰 It has successfully made it to the top of the Google Play rankings.
1
6
14
@IngraoMaxime
Maxime Ingrao
2 years
Apps: com.pixel.creationing (removed), com.painting.oil.watercolor (removed), paintboard.digstal (removed), com[DOT]pixel[DOT]brush[DOT]art. C2: 157[DOT]245[DOT]199[DOT]116. CC @malwrhunterteam @mobilesecurity_ @ReBensk @phonandroid @Cyb3rguerre @LukasStefanko
0
0
5
@IngraoMaxime
Maxime Ingrao
2 years
To promote the applications, fraudsters create Google Ads campaigns. This enables them to quickly climb the Play Store rankings.
1
0
2
@IngraoMaxime
Maxime Ingrao
2 years
The malware hides in a native library. To execute it, the library checks that the phone is not rooted and does not use RE tools; it also checks whether the app was downloaded from an ad. It then downloads a file containing malicious code via an image URL, and loads it.
1
0
4
@IngraoMaxime
Maxime Ingrao
2 years
Found new malware that triggers purchases for premium services on the Play Store. Some apps have been ranked in the top 10 apps, ahead of TikTok in Poland. After Africa, this variant of Autolycos is now targeting Europe; let's call it Aesimus. 👾 #Android #Malware #Evina
1
19
29
@IngraoMaxime
Maxime Ingrao
3 years
App package: com.vanjan.sms (100k+ downloads, still on the Play Store). CC @malwrhunterteam @mobilesecurity_ @LukasStefanko @Cyberdost
0
0
5
@IngraoMaxime
Maxime Ingrao
3 years
This deleted application was created by the same developer as the ActivationPW application (still on the Play Store), which contains the activation[dot]pw website that allows you to buy the accounts with infected phones.
2
0
4
@IngraoMaxime
Maxime Ingrao
3 years
How did I find the website that uses the infected phones? The malware sends data to the domain goomy[dot]fun. Looking at VirusTotal, we can see that this domain was used by an application called VirtualNumber, which has been removed from the Play Store.
1
0
4
@IngraoMaxime
Maxime Ingrao
3 years
The malware asks for the user's phone number on the first screen. Then it pretends to load the application but stays on this page the whole time; this hides the interface of the received SMS so that the user does not see the SMS of subscriptions to the various services.
1
0
4
@IngraoMaxime
Maxime Ingrao
3 years
Found new #Android #malware that reads all the SMS and sends them to a server 👀 A website sells account creations (Fb, Google..); it uses infected phones to make the registrations with auth SMS 🥷🏻 N°1 in new SMS apps on the Play Store in #India; it has infected 100k+ people there 👾
2
35
73
@IngraoMaxime
Maxime Ingrao
3 years
com.razer.keyboards (10k+)  https://t.co/dLmVIkvKEh.editor (1M+) ❌ com.okcamera.funny (500K+)  https://t.co/8fyEMql0bj (1k+) ❌ app.launcher.creative3d (1M+) ❌ com.gif.emoji.keyboard (100K+) ❌ https://t.co/W5wjm83pDV (5K+) ❌ https://t.co/cju9S26Nny (100K+) ❌
1
0
9
@IngraoMaxime
Maxime Ingrao
3 years
To promote the applications, fraudsters create several Facebook pages and run ads on Facebook and Instagram. For example, there were 74 ad campaigns for the Razer Keyboard & Theme malware.
1
1
11
@IngraoMaxime
Maxime Ingrao
3 years
It retrieves a JSON on the C2 address: 68.183.219.190/pER/y. It then executes the URLs; for some steps it executes the URLs on a remote browser and returns the result to include it in the requests. This allows it not to have a WebView and to be more discreet.
1
0
18
@IngraoMaxime
Maxime Ingrao
3 years
Found new family of malware that subscribes to premium services 👀 8 applications since June 2021, 2 apps still on the Play Store, +3M installs 💀💀 No WebView like #Joker, only HTTP requests. Let's call it #Autolycos 👾 #Android #Malware #Evina
5
55
114
@IngraoMaxime
Maxime Ingrao
4 years
Two new malware apps that steal Facebook credentials: 📷 Neon 3D Effect, +100k installs (com.eachannkeefei.neoneffectedit) 📷 Collage Maker, +50k installs (com.baugulfbergg.photocollagemaker) Still ranked in the top new photography apps #Android #Malware #StealFB #Evina
@IngraoMaxime
Maxime Ingrao
4 years
I found some malware in the top new free apps of the Play Store that steals Facebook credentials and data. 👀 These apps require you to sign in to your Fb account to access the content of the app and collect the credentials. +500K installs #Android #Malware #Trojan #Facebook
0
3
6
@IngraoMaxime
Maxime Ingrao
4 years
The malware is very interested in the advertising campaigns you might have done and if you have a registered credit card. This allows him to create his own advertising campaigns with your account, so he can use your credit card for his own ads.
1
1
5