Android – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Wed, 17 Dec 2025 18:39:59 +0000

KimWolf Botnet Hijacks 1.8M Android TVs for Massive DDoS Attacks
https://gridinsoft.com/blogs/kimwolf-botnet-android-tv-ddos/
Wed, 17 Dec 2025 18:39:59 +0000
If your cheap Android TV box feels slower than usual, it might be busy launching DDoS attacks for someone else. Researchers have uncovered KimWolf, a massive botnet that has quietly enslaved over 1.8 million Android TV devices, turning living room entertainment centers into a powerful cyber-weapon.

This isn’t just another Mirai knockoff. KimWolf is sophisticated, resilient, and aggressively monetized.

The infection vector is devastatingly simple. The malware masquerades as a legitimate system application named “Google Play Protect” (package name: com.google.android.hosting). To the average user, seeing this app run in the background looks completely normal—comforting, even. In reality, it’s a wolf in sheep’s clothing.

Once installed, usually via malicious third-party streaming apps or drive-by downloads, the device joins a global army. Researchers at Qianxin Xlabs estimate the botnet has issued over 1.7 billion DDoS attack requests, flooding targets with traffic from unsuspecting users’ homes.

What makes KimWolf particularly annoying for defenders is its use of the Ethereum Name Service (ENS). Instead of using traditional domains that authorities can seize or block, the botnet communicates with .eth domains (specifically kimwolf.eth) to resolve its Command and Control (C2) servers.

You can’t just “take down” a domain on the blockchain. This decentralized infrastructure makes the botnet incredibly resistant to standard takedown efforts.

“KimProxy”: Selling Your Bandwidth

The operators aren’t just using these devices for DDoS attacks; they’re renting them out. The botnet powers a service called KimProxy, which sells access to “residential proxies.”

Cybercriminals love residential proxies because traffic routed through them looks like it’s coming from a regular home internet connection (yours, specifically). This allows them to:

  • Bypass geographical restrictions
  • Commit ad fraud
  • Launch credential stuffing attacks without triggering security alarms

It’s a classic case of proxyjacking—your device and your electricity are being used to facilitate other crimes, and you’re footing the bill.

Are You Infected?

The malware targets Android-based TV boxes, many of which are inexpensive generic models that may not receive regular security updates. If you have one of these devices:

  • Check your installed apps for anything suspicious, particularly duplicate “Google” apps or system tools you don’t recognize.
  • Monitor your network traffic for unusual spikes, which can indicate that the device is being used as a proxy node.
  • Consider a factory reset if the device behaves erratically.

It’s a stark reminder that in the world of cheap IoT devices, if you aren’t paying for the product, you might just be the product—or in this case, the weapon.

Google Releases Two Android Zero-Day Fixes, Exploited in the Wild
https://gridinsoft.com/blogs/two-android-zero-day-vulnerabilities-fix/
Thu, 10 Apr 2025 19:41:25 +0000
Google addressed two critical Android zero-day vulnerabilities, identified as CVE-2024-53150 and CVE-2024-53197, through the April 2025 security update. These vulnerabilities were actively exploited, meaning attackers used them in real-world scenarios before the patch.

Google Releases Fixes for Two Android Zero-Day Flaws

On April 8, 2025, Google released its monthly Android security bulletin, patching 62 vulnerabilities, with a focus on two zero-day flaws that were under active exploitation. Zero-day vulnerabilities are particularly concerning as they are exploited before developers can identify and patch them, often by sophisticated actors such as government agencies or cybercriminals. The timing of this update, aligning with the first Monday of April, follows Google’s standard practice, as noted in Android Security Bulletins Overview.

The vulnerabilities, tracked as CVE-2024-53150 and CVE-2024-53197, were part of the Linux kernel’s USB-audio driver, a critical component handling audio over USB connections. This location in the kernel makes them especially dangerous, as kernel-level exploits can bypass many security layers, potentially leading to full device compromise. Since Android is built on the Linux kernel, such flaws affect it as well.

New Android Vulnerabilities: Key Facts

To understand these vulnerabilities, we looked into the National Vulnerability Database (NVD) and related reports. Here’s a breakdown of each issue, including technical details and potential impact.

CVE-2024-53150
  Date of Discovery: Late 2024
  Fix Date: April 8, 2025
  Cause: Out-of-bounds read in the USB-audio driver due to insufficient length checks on clock descriptors
  Vulnerable Versions: Android versions prior to the April 2025 patch (e.g., 12, 13, 14, 15) with an unpatched Linux kernel

CVE-2024-53197
  Date of Discovery: Late 2024
  Fix Date: April 8, 2025
  Cause: Out-of-bounds write in the USB-audio driver due to improper bounds checking on bNumConfigurations
  Vulnerable Versions: Android versions prior to the April 2025 patch (e.g., 12, 13, 14, 15) with an unpatched Linux kernel

The first one, CVE-2024-53150, is an out-of-bounds read in the USB-audio driver, specifically in the ALSA (Advanced Linux Sound Architecture) component of the Linux kernel. Its CVSS score is 7.8, so it’s considered high severity. The problem occurs when the driver traverses clock descriptors—it doesn’t properly check the length (bLength) of each descriptor. A malicious device can exploit this by sending a bogus descriptor that’s too short, causing the driver to read beyond the allocated memory.

According to the vulnerability list entry, this was fixed by adding sanity checks to the validator functions to skip descriptors that don’t meet the minimum length requirements. Out-of-bounds reads can leak sensitive memory data, including user info or system-level secrets. This type of attack would typically be launched through a malicious USB device. Although there aren’t many details on real-world exploitation, reports indicate it’s been used in targeted attacks—likely alongside other bugs for greater effect.
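The descriptor check described above, as an added example that is not the kernel's code: a walker over a buffer of concatenated USB descriptors that validates each descriptor's bLength against both the minimum size for its kind and the bytes actually remaining before touching any field past the header. The CS_INTERFACE and CLOCK_SOURCE constants follow the USB Audio Class 2.0 specification; the four-byte clock descriptor layout, MIN_CLOCK_DESC_LEN, the function names and the sample buffers are constructed for illustration. The same principle (check a device-supplied length or count against what the driver allocated before using it) is what the bNumConfigurations fix for CVE-2024-53197 applies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Every USB descriptor starts with bLength (size of this descriptor) and
 * bDescriptorType. The clock descriptor body below is a simplified stand-in
 * (subtype, clock ID only); MIN_CLOCK_DESC_LEN is illustrative, not the
 * kernel's real minimum. */
#define DESC_HEADER_LEN     2
#define MIN_CLOCK_DESC_LEN  4
#define CS_INTERFACE        0x24   /* class-specific interface descriptor type */
#define CLOCK_SOURCE        0x0A   /* UAC2 CLOCK_SOURCE descriptor subtype */

struct walk_result {
    unsigned accepted;   /* clock descriptors that passed every length check */
    unsigned skipped;    /* clock descriptors shorter than the minimum: ignored */
    unsigned truncated;  /* bLength < 2 or past end of buffer: walk stopped */
};

/* Walk the descriptors in buf[0..len). A device-supplied bLength is never
 * trusted: it must be at least a header, must not run past the buffer, and
 * must be at least MIN_CLOCK_DESC_LEN before the clock ID byte is read. */
struct walk_result walk_clock_descriptors(const uint8_t *buf, size_t len)
{
    struct walk_result r = {0, 0, 0};
    size_t pos = 0;

    while (pos + DESC_HEADER_LEN <= len) {
        uint8_t bLength = buf[pos];
        uint8_t bDescriptorType = buf[pos + 1];

        /* bLength < 2 can never be a valid descriptor and would stall the
         * walk; a bLength beyond the buffer would make an unchecked parser
         * read past the allocation. Stop in both cases. */
        if (bLength < DESC_HEADER_LEN || pos + bLength > len) {
            r.truncated++;
            break;
        }

        if (bDescriptorType == CS_INTERFACE) {
            if (bLength < MIN_CLOCK_DESC_LEN) {
                r.skipped++;                 /* too short to hold a clock ID */
            } else if (buf[pos + 2] == CLOCK_SOURCE) {
                uint8_t clock_id = buf[pos + 3];   /* safe: bLength >= 4, in bounds */
                (void)clock_id;
                r.accepted++;
            }
        }
        pos += bLength;                      /* bLength >= 2, so the walk advances */
    }
    return r;
}

/* Constructed sample: a plain interface descriptor stub, a good clock source,
 * one that is too short (no clock ID), then a second good clock source. */
static const uint8_t sample_good_and_short[] = {
    2, 0x04,
    4, CS_INTERFACE, CLOCK_SOURCE, 0x01,
    3, CS_INTERFACE, CLOCK_SOURCE,
    4, CS_INTERFACE, CLOCK_SOURCE, 0x02,
};

/* Constructed sample: the last descriptor claims 16 bytes, only 4 remain. */
static const uint8_t sample_overrun[] = {
    4,  CS_INTERFACE, CLOCK_SOURCE, 0x01,
    16, CS_INTERFACE, CLOCK_SOURCE, 0x02,
};

/* Constructed sample: a zero bLength, which would stall a naive walker. */
static const uint8_t sample_zero_len[] = { 0, CS_INTERFACE, CLOCK_SOURCE, 0x01 };

struct walk_result walk_sample_good_and_short(void)
{ return walk_clock_descriptors(sample_good_and_short, sizeof sample_good_and_short); }
struct walk_result walk_sample_overrun(void)
{ return walk_clock_descriptors(sample_overrun, sizeof sample_overrun); }
struct walk_result walk_sample_zero_len(void)
{ return walk_clock_descriptors(sample_zero_len, sizeof sample_zero_len); }

static void report(const char *name, struct walk_result r)
{
    printf("%-15s accepted=%u skipped=%u truncated=%u\n",
           name, r.accepted, r.skipped, r.truncated);
}

int main(void)
{
    report("good_and_short", walk_sample_good_and_short());
    report("overrun", walk_sample_overrun());
    report("zero_len", walk_sample_zero_len());
    return 0;
}
```

The two checks are deliberately separate: the buffer-bounds check protects the driver's own allocation, while the per-kind minimum protects against a descriptor that fits in the buffer but is still too short for the fields the parser expects to read from it.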

The second vulnerability, CVE-2024-53197, is an out-of-bounds write—again in the USB-audio driver. Like the previous CVE, this one also scores a 7.8 on the CVSS scale, and worse—it’s a zero-click exploit. This one involves handling certain devices like the Extigy and Mbox. Here, an attacker can manipulate the bNumConfigurations value to exceed what the driver expects. That leads to out-of-bounds writes during configuration allocation.

The issue was patched by implementing proper bounds checks in the usb_get_configuration function. This flaw can be used for privilege escalation, potentially letting attackers inject and run arbitrary code in the kernel—yes, with full system privileges. No user interaction is required.

Amnesty International reported that this Android zero-day vulnerability was part of a real-world exploit chain used by Serbian authorities in December 2024. The target? A student activist’s Android phone. But more on that next. The exploit chain included this CVE along with CVE-2024-53104 and CVE-2024-50302, both of which had been patched earlier. This points to a coordinated attack likely involving commercial surveillance tools, such as those provided by Cellebrite.

Real-World Exploitation and Targeted Attacks Suggested

Some reports confirm that both Android zero-day vulnerabilities were used in “limited, targeted exploitation,” likely by state actors or advanced persistent threat groups. The case of the Serbian student activist is particularly notable, where local authorities used these flaws to attempt spyware installation, highlighting the geopolitical implications of such vulnerabilities.

So, government-backed actors are leveraging these flaws for surveillance, adding a layer of complexity, especially for activists and journalists who may be targeted. It also raises questions about the role of forensic tool providers like Cellebrite, which was implicated in developing the exploit chain and which subsequently banned Serbia from using its products, as noted in Candid Technology.

From a technical standpoint, both Android zero-day vulnerabilities highlight the challenges of securing kernel-level components, particularly those interfacing with hardware like USB. The USB-audio driver’s complexity, handling various device types, makes it a frequent target, as seen with previous vulnerabilities like CVE-2024-53104, patched in February 2025. Policy-wise, the exploitation by state actors raises concerns about digital rights and privacy, especially in authoritarian contexts.

Mitigation and User Guidance

Google acted quickly in response to these vulnerabilities, releasing patches as part of the April 2025 security update. Devices that have been updated to this patch level are protected. The update includes two patch levels: 2025-04-01 and 2025-04-05.

To stay safe, users are strongly encouraged to take a few important steps. First, check for and install the latest security updates on your Android device. Make sure your patch level is 2025-04-05 or later to ensure you’re covered.

Second, be extra cautious with USB connections — especially when plugging into unfamiliar or untrusted devices. These Android zero-day vulnerabilities are tied to the USB stack, so it’s not the best time to be adventurous with random charging stations.

Samsung Zero-Click Vulnerability Discovered, Update Now
https://gridinsoft.com/blogs/samsung-zero-click-vulnerability-discovered/
Fri, 10 Jan 2025 15:02:20 +0000
Google Project Zero researcher reports on a Samsung zero-click vulnerability in a distribution supplied by the company. The shortcoming allegedly sits in the audio subsystem, and is caused by buffer overflow in certain scenarios.

The finding by Natalie Silvanovich was reported to Google back in September 2024, while the official disclosure of the flaw happened only a week into 2025. The reason for the delay is obvious: the developers were working on patching the flaw before it became publicly acknowledged.

[Image: Description of the Samsung zero-click exploitation process]

CVE-2024-49415 is a vulnerability in Samsung versions of Android 12, 13 and 14 that resides in libsaped.so, a library of the C2 media service responsible for audio playback. It is possible to push executable code beyond the application buffer, making the program that uses the library execute that code. It has received a CVSS rating of 8.1, which is low compared to other zero-click vulnerabilities.

Typically, flaws like this Samsung zero-click one occur because the software does not validate its inputs properly: data that should never be treated as executable code is handled as such, which opens the door to malicious activity.

Researchers report that the Samsung zero-click flaw can be exploited with a specially crafted voice message sent through the Google Messages app on Android. The zero-click nature of the flaw comes from the way the app handles voice messages, making it possible to infect the user’s device without any interaction.

Why is Samsung Zero-Click Vulnerability Dangerous?

Zero-click vulnerabilities are generally considered to be among the most dangerous flaws. Yet the Samsung zero-click flaw got the severity rating of “only” 8.1 – a notable step down from RCE/ACE vulnerabilities that require no authentication, for example.

It is typical to see RCE flaws scoring the highest severity ratings of all vulnerabilities. See our article on Veeam RCE vulnerability with CVSS of 9.9, discovered and patched in 2024.

The main concern of zero-click vulnerabilities is the fact that they need no user interaction whatsoever. All that adversaries need is to send a specially crafted package or, in this case, a voice message. The rest of the action – downloading and executing a malicious program – is done by the application itself; as it is considered trusted, a lot of security solutions will not raise any alarm.

Attackers commonly use such flaws to silently deliver the payload to the target system. The infamous Pegasus spyware, which primarily targets iOS devices, relies almost exclusively on zero-click vulnerabilities.

In the case of the Samsung zero-click flaw, the reason for the lower severity is that a specific application is needed for the trick to work as intended. In apps other than Google Messages, the app may simply crash or fail to execute the payload properly.

Fortunately for all Samsung users, the flaw is already fixed; all that one needs to do is to install the latest security updates. As the flaw is fairly easy to exploit, I’d expect con actors to start using it massively after the recent disclosure.

SpyLoan Virus Found in Loan Apps on Google Play Store
https://gridinsoft.com/blogs/spyloan-malware-google-play-store/
Wed, 04 Dec 2024 12:52:00 +0000
Experts reported the discovery of a new set of 15 malicious mobile apps in the Google Play store that contain the SpyLoan Android malware inside. In total, these apps have been downloaded and installed by users more than 8 million times, potentially leading to huge money losses.

8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play

Researchers have found a series of malicious apps on the Google Play Store. Collectively, these programs have been installed over 8 million times. These apps pose as quick-loan services, exploiting users’ need for money under the guise of financial assistance. Instead of what they promise, these fake loan apps collect sensitive data and then intimidate victims.

The malware identified in the majority of these samples is SpyLoan. Initially detected in 2020, it has resurfaced with updated tactics, with another noteworthy appearance in 2023. It now targets users in countries such as Mexico, Colombia, Thailand, and Tanzania.

[Image: Examples of SpyLoan apps recently distributed on Google Play (source: McAfee)]

As the name implies, SpyLoan mainly hides under the guise of loan-related apps. Its goal is to collect sensitive user data, exploit permissions to access phone features, and coerce users through intimidation or extortion. The user may get the loan, but will also get phishing phone calls, SMS messages and emails, all with the potential for financial damage and psychological abuse.

How the Malware Operates

SpyLoan malware operates by tricking users into sharing personal and financial information. The apps use social engineering tactics to request extensive permissions, such as access to contacts, call logs, SMS, and device location.

Although these permissions are justified as part of anti-fraud measures, in reality, they enable the malware to harvest data from the device. Once collected, the data is encrypted using AES-128 and sent to a command server. This encryption stage, although employing a pretty weak algorithm, makes it hard to parse the data transfer and recognize it as malicious.

Victims are lured into these apps with promises of fast and easy loans, targeting regions such as Mexico, Colombia, Thailand, and Tanzania. However, instead of providing legitimate financial services, users see high interest rates and huge penalties for payment delays.

Moreover, over time cybercriminals start threatening victims, using their personal data and photos, most likely stolen through the SpyLoan functionality. This malicious cycle traps users in debt while violating their privacy. The malicious apps, targeting regions across South America, Africa, and Southeast Asia, include:

  • Préstamo Seguro-Rápido, seguro
  • RupiahKilat-Dana cair
  • ÉcoPrêt Prêt En Ligne
  • ยืมอย่างมีความสุข – เงินกู้
  • Huayna Money – Préstamo Rápido

While some apps have been removed or modified to comply with Google Play policies, five of these are still available for download. I expect them to be gone pretty soon, too, but publishing new ones appears to be a rather simple task. Google should pay a lot of attention to its security mechanisms, to say the least. We have several older news articles about the malware in Play Store – consider checking them out.

How to Stay Safe?

The apps rely on a shared framework, suggesting a common developer or toolkit that cybercriminals use globally. By tailoring the user experience to local cultures and regulations, these apps effectively infiltrate diverse markets. However, SpyLoan is not a new threat; its operations date back to 2020, with previous reports revealing similar tactics and outcomes. I’ve written about this before.

To protect against threats like SpyLoan, you should carefully review app permissions, check the legitimacy of developers, and read app reviews. Additionally, users should avoid downloading apps promoted through unverified social media posts.

[Image: Comments on SpyLoan apps on Google Play (source: McAfee)]

For advanced protection that will recognize even well-concealed threats, consider using GridinSoft Trojan Scanner. This free anti-malware program for Android provides all the necessary scanning and malware removal capabilities to keep your system safe.

Google Pixel Devices Shipped with Vulnerable App
https://gridinsoft.com/blogs/google-pixel-shipped-vulnerable-app/
Fri, 16 Aug 2024 18:41:04 +0000
Recent research has uncovered a vulnerable app in the Android package on a whole range of Google Pixel smartphones. Devices shipped worldwide since September 2017 may be susceptible to malware deployment by malicious actors. This issue is linked to a pre-installed app called “Showcase.apk”, which is used primarily on showroom devices.

Google Pixel Phones Contain a Vulnerable Pre-Installed App

According to a recent report, Google Pixel devices shipped globally since September 2017 contain a severe vulnerability lurking within a pre-installed app. The application in question, Showcase.apk, can potentially expose millions of users to significant security risks. Researchers at iVerify discovered that this app has excessive system privileges, which enables it to remotely execute code and install arbitrary packages on the device.

Experts from other companies, including Palantir Technologies and Trail of Bits, state that the app poses considerable security risks for several reasons. First, it downloads a configuration file over an unprotected HTTP connection, making the file vulnerable to tampering. This allows attackers to execute code at the system level. The configuration file is downloaded from a single U.S.-based domain hosted on AWS, which further exacerbates the vulnerability. Also, the app is granted excessive privileges, which could have negative implications in certain scenarios, as discussed further.

Potential Exploitation Risks

The said APK file installs the Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), a program developed by Smith Micro, a company specializing in enterprise software. In short, this app is designed to switch the devices into a showroom mode. It includes switching phones into demo mode, disabling certain features to prevent tampering or locking. This app requires nearly three dozen different permissions, including access to location and external storage. While the program itself is not inherently malicious – many companies use similar functionality – its implementation is somewhat different.

The main issue is that the app’s use of an unencrypted HTTP connection makes it vulnerable to “man-in-the-middle” (MitM) attacks. This could allow attackers to eavesdrop on the transferred data and inject their own packets on the fly. This obviously opens the door to installing malicious code or spyware on the attacked device.

The good news is that the app is not enabled by default, meaning there is no attack surface unless it is activated. Despite the potential for abuse, there is currently no evidence that this vulnerability has been exploited in the wild. On the other hand, the app’s deep integration into the system firmware means users cannot uninstall it. At the same time, it could be activated if a threat actor gains physical access to the device and enables developer mode. Another case where the phone may be vulnerable “out of the box” is when one purchases an ex-showroom device; large retailers often offer them at a nice discount, at times at the price of a used smartphone.

Google’s Response

Google responded to the research findings by stating that the vulnerability is not related to the Android platform or Pixel devices but rather to a package specifically developed for Verizon demo devices in stores. Additionally, Google emphasized that exploiting this app would require both physical access to the device and the user’s password. The company also noted that the app is not present on the latest Pixel 9 series devices and confirmed that it will be removed from all supported Pixel devices in a future software update. Showroom devices may need this software (or its equivalents) installed manually.

How to Stop Spam Texts?
https://gridinsoft.com/blogs/stop-spam-texts/
Sun, 21 Jul 2024 12:59:44 +0000
Spam texts, like spam emails and spam calls, are unwanted and often annoying messages whose sender you don’t know. The purpose of such spam is to deceive the user and obtain confidential information, or to draw you into a phishing attempt. These messages are sent automatically by a computer programmed to target an unspecified list of users. Let’s take a look at tips to stop getting a ton of spam texts, along with do’s and don’ts for blocking unwanted texts.

In addition to having an unpleasant motive, these messages can spread malware to your device. According to the Federal Trade Commission, such spam texts are illegal, as the ultimate goal is either to steal or to violate the user’s privacy. To keep spam from violating your privacy, here is a guide to the proper actions to take and how to block text messages.

Spam email is unavoidable when using the Internet. See our guide on how to legally retaliate against email spam.

What to do if you receive spam texts?

1. Don’t reply directly to any spam texts.

Answering a spam message is not just a mistake; it is also a signal to the attacker that your number is active, so they can send even more messages of this type. So the least you can do when you see a message that does not concern you is not answer it, and that’s it.

2. Do treat your personal information like it’s cash.

Spam texts are designed to cheat confidential information out of you. This includes your financial information, how much you earn, your social security number, whether you have credit, your passwords, and more. Keep in mind that most legitimate organizations or companies will not ask you to submit such information, and especially not through a simple text message. If you question a message of this type, contact the organization that supposedly sent it and find out whether you really need to provide such information.

3. Don’t click on any links in the spam texts.

Often, the content of a spam message will include a link or a form to fill in with your data. The first and most important thing you need to know is that you shouldn’t click on these links, because they are usually malicious. Clicking on such links can install malware on your device. Malware can damage your phone, slow its operation, occupy all of your device’s memory, and steal personal data, including photos and videos stored on the phone. It can also lead to money being charged to your carrier account without your knowledge, among other things.

More and more phones are being attacked by viruses. See our guide on how to check if you have viruses on your phone.

4. Do review your cell phone bill regularly.

Don’t forget to check your cell phone bill. If you find any charges made without your knowledge, call the phone company and find out why they were made.

5. Check your phone’s settings.

Your device may have third-party features that allow you to block the source of unwanted calls and text messages.

  1. For Android phones, tap the three dots in the upper right corner of the spam text, then select “People” and “Options”. Then select “lock”. After that, you will not receive spam text messages from this number.
  2. For iPhones, tap the “i” in the top corner of the spam message. Then tap the number and select “Lock”.

6. Do place a cell phone number on the National Do Not Call Registry.

If you don’t know how to get rid of annoying messages from unknown sources, follow this advice. Add your phone number to the Federal Trade Commission’s National Do Not Call Registry, and it will eliminate a vast number of spam calls. If you still receive a call 31 days after the number has been added to the registry, you can report it to the FTC.

7. Do check to see if your carrier offers a call-blocking service.

Some third-party services and applications can block phone numbers. You should check all messages received from third-party sources. Forward this type of message to 7726 to check whether it is spam. Your carrier may investigate and take action against the sender of the message. Your message to this number is free of charge.

How to protect yourself?

Isn’t it unpleasant when annoying ads, viruses or other malicious programs keep appearing on your smartphone? Try the free Trojan Scanner for Android smartphones, which uses patented scanning technology with daily database updates to help ensure the best virus detection rate on your Android smartphone. Just install and run it; it does not slow down the system and does not drain the phone’s battery.

Scam Likely Calls: How to block them?
https://gridinsoft.com/blogs/how-to-block-scam-likely-calls-iphone-android/
Wed, 03 Jul 2024 12:39:36 +0000
Have you ever glanced at your phone and seen the caller ID flash “Scam Likely”? Understanding what this alert means, why it appears, and how you can stop these calls is essential for protecting yourself from potential fraud. Here’s everything you need to know about the “Scam Likely” feature.

What Does “Scam Likely” Mean?

[Image: Scam Likely Calls]

For customers of T-Mobile, Metro by T-Mobile (formerly MetroPCS), and Sprint (post-T-Mobile merger), “Scam Likely” is an alert that identifies potential spam callers. This feature is a part of T-Mobile’s “Scam Shield” protection, designed to block fraudulent calls before they reach you. This proactive measure is automatically enabled for all subscribers, ensuring you don’t have to tweak settings to benefit from it.

T-Mobile utilizes a comprehensive database of known scam numbers and automatically screens incoming calls against this list. Calls flagged as “Scam Likely” could involve various scam tactics, such as:

  • Impersonating government officials
  • Demanding payments via gift cards
  • Proposing fake tech support solutions
  • Initiating disruptive robocalls

This identification is managed at the network level, so regardless of whether you use an iPhone, Android, or a basic button phone, you’ll see the “Scam Likely” alert. There’s no need for any additional apps, although the free T-Mobile Scam Shield app is available for those who want extra control over these features.

While the “Scam Likely” system is robust, no system is perfect. There may be instances where legitimate calls are mistakenly labeled as scam. It’s advisable to approach these calls with caution. If you choose to answer, protect your personal information vigilantly. If the call feels suspicious or the caller pressures you, it’s safe to hang up. Genuine callers will likely leave a voicemail if it’s important.

How to Block Scam Calls

Although your carrier may alert you about "Scam Likely" calls, these calls are not blocked by default. If you find yourself inundated with unwanted calls, T-Mobile offers a free Scam Block feature. Here is how to activate it:

  1. Open your phone's dialer app.
  2. Dial #662# and place the call to turn blocking on.
  3. To confirm it is active, dial #787#.

To turn the feature off again, dial #632#.

How to Spot Scam Calls?

Most carriers have similar services to combat fraudulent calls. This is made possible by STIR/SHAKEN, a set of protocols that lets the originating carrier cryptographically sign the caller ID information of a call and lets the receiving carrier check that signature, so that spoofed caller IDs can be detected. Thanks to these standards, the carrier can display a "Call Verified" message on your phone, confirming that the number shown has not been spoofed. The feature is rolling out to more devices and carriers as they all work to reduce spam calls.

If you're an AT&T customer, you can download the carrier's official app, available for iPhone and Android, which includes free spam and fraud blocking as well as advanced protection available by subscription. Verizon customers get a free call filtering service as well; to manage it, install the Verizon Call Filter app for iPhone or Android. Like AT&T, Verizon offers a paid tier with additional features. Other carriers likely provide similar services; for details, visit a carrier store, log in to your account management page, or call your carrier's customer service number.

How to Block Calls?

Suppose you are annoyed by a spammer and your carrier does not provide such a service. In that case, you can block the number using your device's built-in tools. There are also third-party call-blocking apps in the app stores that keep a database of fraudulent numbers and alert you when an incoming call is potentially unsafe, regardless of which carrier you use. Their downsides: they are often paid and require a subscription, and to do their job they need access to your call log and usually your contacts, so pick a reputable one and read what it asks for.

How to Block Scam Calls on Android

If your phone uses Google's Phone app as its default dialer, it will warn you about suspected spam callers by default. If your Android device uses a different dialer app, do the following:

  1. Open the dialer app and tap the number you want to block.
  2. Tap Details, then select Block number.

In addition, you can use a third-party app to filter out spam.

How to Block Scam Calls on iPhone

You can block any number on your iPhone using the built-in blocklist feature. To do this:

  1. Open the Phone app, tap Recents, then tap the "i" icon next to the number you want to block.
  2. Scroll down and tap Block this Caller.

This straightforward process makes it easy to block unwanted calls directly from your call log, helping you manage your privacy and security on your device.

There is a more radical method that will solve the problem of unwanted calls. Your iPhone has a feature that silences all calls from numbers that are not in your contacts. To enable it:

  1. Open Settings and scroll down to Phone.
  2. Tap Silence Unknown Callers.
  3. Turn the toggle on.

Be aware that once this is on, every call from a number that is not in your contacts, recent outgoing calls or Siri Suggestions goes straight to voicemail. Most people receive legitimate calls from unknown numbers from time to time, such as an appointment reminder or an important call from someone using a friend's phone. We recommend this method only in extreme cases, for example if you receive a great deal of spam; otherwise you might miss important calls.

How to Stop Scam Likely Calls

Protecting your cell phone number is the best way to prevent scam calls. In the US, add your number to the National Do Not Call Registry. This does not stop scam calls, because scammers simply ignore it, but legitimate telemarketers are legally required to honor it, so it filters out a good share of unwanted sales calls.

You also have to be careful when sharing your number. Nowadays almost every online ad, account and service asks for a phone number, and in some cases companies share your number with affiliates for marketing purposes. So think carefully before handing it out online. Instead, you can sign up for a free Google Voice number and use it as a secondary contact number. The advantage is that if you give this number to all secondary services, you can always drop it and stop worrying about incoming calls on it, spam included.

Two Android Zero-Day Flaws in Google Pixel Exploited
https://gridinsoft.com/blogs/android-zero-day-flaws-google-pixel/
Fri, 05 Apr 2024 16:04:37 +0000

Google has disclosed two Android zero-day vulnerabilities affecting its Pixel smartphones. A patch is already available: Google says it fixed the flaws in the latest Pixel Update Bulletin. The worse news is that the flaws are already being exploited in targeted attacks.

    Two Android Zero-Day Flaws Exploited in Targeted Attacks

In its announcement, Google disclosed two zero-day vulnerabilities in its Pixel smartphones. The first, CVE-2024-29745 (CVSS 7.2), is an information disclosure flaw in the bootloader component that compromises data confidentiality. The second, CVE-2024-29748, is a privilege escalation flaw in the firmware component that can give an attacker unauthorized access to and control over the device.

(Screenshot: detailed explanation of the new zero-days from the GrapheneOS developers)

According to Google's advisory, the vulnerabilities were fixed on April 2, 2024. The original discovery, though, dates back to early January 2024, by the GrapheneOS developers. The good news is that exploitation has been limited and targeted, so the risk of widespread attacks is relatively low. Nonetheless, Google urges all Pixel users to update to the latest software version as soon as possible.

    Android Zero-Day Vulnerabilities Exploited in the Wild

Although Google has not provided specifics on the attacks, GrapheneOS developers have described active exploitation of these flaws, and CISA has added both to its Known Exploited Vulnerabilities Catalog. CVE-2024-29745 is a vulnerability in the fastboot firmware, which supports device states such as unlocking, flashing and locking. It lets an attacker with physical access to a device read its memory without needing privileges or user interaction; GrapheneOS attributed the exploitation to forensic data-extraction companies.

CVE-2024-29748 presents a different risk. It allows an attacker to interrupt a factory reset triggered by apps that use the device admin API, so the device never finishes wiping; exploiting it requires physical interaction with the device. Google addressed part of the issue, but GrapheneOS pointed out that the reset can still be interrupted by cutting power to the device. GrapheneOS is therefore working on a more comprehensive solution, including a stronger duress PIN/password feature and a secure "panic wipe" action that can run without a reboot.

    Safety Recommendations

To mitigate these risks, Pixel users should manually verify that their device has the latest software version: the fix ships with the April 2024 Pixel update, so the security patch level shown in Settings should read 2024-04-05 or later. Staying informed about security updates remains the simplest defense. Google's disclosure is a reminder that physical-access attacks on locked phones are a real threat and that the defenses against them have to keep evolving.

Xamalicious Trojan Hits Over 327K Android Devices
https://gridinsoft.com/blogs/xamalicious-trojan-android/
Thu, 28 Dec 2023 15:55:51 +0000

A new Android backdoor, dubbed Xamalicious, was discovered by researchers at the end of 2023. The malware has potent capabilities for performing malicious actions on infected devices, and it reportedly abuses Android's accessibility permissions to reach various sources of user data.

    What is Xamalicious Malware?

As mentioned in the introduction, Xamalicious is a backdoor designed for Android. It is built on the Xamarin framework, which gave it both its name and some of its abilities. As is typical for sophisticated Android malware, it abuses accessibility permissions to reach the clipboard, autofill forms, notifications, messages and other data.

Xamalicious operates in two stages. First, it gathers device metadata and contacts a command-and-control (C2) server; the operators use this initial data to decide how to proceed. If they choose to, the malware downloads a second-stage payload and loads it as a .NET assembly DLL at runtime. This gives complete control over the device and can lead to fraud such as ad clicks and unauthorized app installations.

Researchers located the threat in 25 apps, some of which had been distributed through the official Google Play Store since mid-2020. Alarmingly, these apps have been installed at least 327,000 times, affecting users in Western Europe, South and North America, and Australia.

Here are some of these malicious apps:

    • Track Your Sleep (com.shvetsStudio.trackYourSleep)
    • Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator)
    • Sound Volume Extender (com.muranogames.easyworkoutsathome)
    • 3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft)
    • Logo Maker Pro (com.vyblystudio.dotslinkpuzzles)
    • Auto Click Repeater (com.autoclickrepeater.free)
    • LetterLink (com.regaliusgames.llinkgame)
    • Essential Horoscope for Android (com.anomenforyou.essentialhoroscope)

    Geography of Activity: Xamalicious Malware

    Xamalicious infections geography

    Technical aspects

To evade detection, the Xamalicious authors encrypt all communications between the C2 and infected devices. The protection is not limited to HTTPS: the payloads themselves are wrapped in JSON Web Encryption (JWE) tokens that use RSA-OAEP to wrap the content encryption key and A128CBC-HS256 to encrypt and authenticate the content. This makes the traffic difficult to analyze and detect.
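What that looks like on the wire, as an added example (not Xamalicious code and not from the report): a JWE compact token has five base64url parts, the protected header, the RSA-OAEP-wrapped content encryption key (CEK), the IV, the ciphertext and the authentication tag. An analyst who only captures the traffic can read the header and nothing else, because the CEK is wrapped under the C2's public key; with the CEK recovered from the app at runtime, the A128CBC-HS256 tag can be recomputed per RFC 7518 section 5.2.3 and the token checked for tampering. The token below is constructed here with a known CEK; the wrapped-key and ciphertext parts are filler bytes standing in for the RSA-OAEP and AES-CBC output, since Python's standard library has no AES.

```python
"""Dissect a JWE compact token and verify its A128CBC-HS256 tag (added example)."""
import base64, hashlib, hmac, json, struct

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def parse_jwe(token: str) -> dict:
    """Split the five-part compact serialization and decode the protected header."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization has exactly five parts")
    protected_b64, enc_key, iv, ciphertext, tag = parts
    return {"header": json.loads(b64url_decode(protected_b64)), "protected_b64": protected_b64,
            "encrypted_key": b64url_decode(enc_key), "iv": b64url_decode(iv),
            "ciphertext": b64url_decode(ciphertext), "tag": b64url_decode(tag)}

def a128cbc_hs256_tag(cek: bytes, protected_b64: str, iv: bytes, ciphertext: bytes) -> bytes:
    """RFC 7518 5.2.3: the 32-byte CEK splits into a 16-byte HMAC key and a 16-byte AES key;
    the tag is HMAC-SHA256(mac_key, AAD || IV || ciphertext || AL) truncated to 16 bytes."""
    if len(cek) != 32:
        raise ValueError("A128CBC-HS256 needs a 256-bit CEK")
    mac_key = cek[:16]
    aad = protected_b64.encode("ascii")        # AAD is the ASCII of the base64url protected header
    al = struct.pack(">Q", len(aad) * 8)       # AL: 64-bit big-endian bit length of the AAD
    return hmac.new(mac_key, aad + iv + ciphertext + al, hashlib.sha256).digest()[:16]

def verify_tag(token: str, cek: bytes) -> bool:
    """True if the token's tag matches the CEK; False for a wrong key or tampered parts."""
    j = parse_jwe(token)
    if j["header"].get("enc") != "A128CBC-HS256":
        raise ValueError("unexpected enc: %r" % j["header"].get("enc"))
    expected = a128cbc_hs256_tag(cek, j["protected_b64"], j["iv"], j["ciphertext"])
    return hmac.compare_digest(expected, j["tag"])

def build_sample(cek: bytes) -> str:
    """Constructed token: header as the report describes, filler in the opaque parts."""
    header = {"alg": "RSA-OAEP", "enc": "A128CBC-HS256"}
    protected_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    wrapped_cek = b"\x00" * 256                # filler: a real token carries RSA-OAEP(CEK) here
    iv = bytes(range(16))                      # constructed IV
    ciphertext = bytes(range(32))              # filler standing in for AES-128-CBC output
    tag = a128cbc_hs256_tag(cek, protected_b64, iv, ciphertext)
    return ".".join([protected_b64] + [b64url_encode(x) for x in (wrapped_cek, iv, ciphertext, tag)])

SAMPLE_CEK = bytes(range(32))   # constructed; in a lab this is hooked out of the app before encryption
SAMPLE_TOKEN = build_sample(SAMPLE_CEK)

if __name__ == "__main__":
    j = parse_jwe(SAMPLE_TOKEN)
    print("alg=%s enc=%s" % (j["header"]["alg"], j["header"]["enc"]))
    print("tag verifies with the right CEK:", verify_tag(SAMPLE_TOKEN, SAMPLE_CEK))
    print("tag verifies with a wrong CEK:", verify_tag(SAMPLE_TOKEN, b"\x01" * 32))
```

The practical consequence for defenders is that network signatures have to key on the header and on connection metadata rather than on payload content, and that decrypting captured samples means instrumenting the app to obtain the CEK rather than attacking the ciphertext.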


    Moreover, the first-stage dropper contains self-update functions for the main Android package file (APK), suggesting that it can be weaponized as spyware or a banking trojan without user interaction.

"Android applications written in non-Java code with frameworks such as Flutter, React Native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on app markets," the report notes.

    How to Protect Against Xamalicious Backdoor?

Xamalicious is not a ground-breaking malware sample, but its danger should not be underestimated. The fact that it abuses the same Android features as its predecessors is not a sign of technological backwardness. "Don't change what's working" is a rule hackers stick to, and it serves them well.

    To avoid the infection, exercise caution when downloading apps, especially from unofficial sources. Even more attention should be paid to the permissions you give to the programs. And, to seal the deal, consider running an anti-malware scan on your smartphone, at least once a week. This will ensure your data security.

Malicious Loan Apps in Play Store Deceived 12M Users
https://gridinsoft.com/blogs/malicious-loan-apps/
Mon, 11 Dec 2023 22:49:57 +0000

Eighteen malicious loan apps on the Google Play Store, posing as legitimate financial services, have scammed users. They offer high-interest loans while harvesting personal and financial data for malicious purposes, and together they have racked up over 12 million downloads.

    18 Malicious Loan Apps Defraud Millions of Android Users

Cybersecurity researchers have exposed 18 malicious loan apps on the Google Play Store that collectively amassed over 12 million downloads. Operating under the guise of legitimate financial services, they duped users into high-interest loans while surreptitiously harvesting victims' personal and financial data for malicious purposes, which we discuss next. Researchers have christened the operation SpyLoan.

    The malicious apps primarily focus on preying upon potential borrowers in Southeast Asia, Africa, and Latin America. Despite their attractive appearance, these apps are far from genuine financial services; instead, they engage in fraudulent activities that exploit unsuspecting users. Although these apps have been removed from the store, the damage has already been done. The primary infection pathways include SMS messages and social media like Twitter, Facebook, or YouTube. The list of now-removed apps includes:

    • AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android)
    • Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo)
    • Oro Préstamo – Efectivo rápido (com.app.lo.go)
    • Cashwow (com.cashwow.cow.eg)
    • CrediBus Préstamos de crédito (com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash)
    • ยืมด้วยความมั่นใจ – ยืมด่วน (com.flashloan.wsft)
    • PréstamosCrédito – GuayabaCash (com.guayaba.cash.okredito.mx.tala)
    • Préstamos De Crédito-YumiCash (com.loan.cash.credit.tala.prestmo.fast.branch.mextamo)
    • Go Crédito – de confianza (com.mlo.xango)
    • Instantáneo Préstamo (com.mmp.optima)
    • Cartera grande (com.mxolp.postloan)
    • Rápido Crédito (com.okey.prestamo)
    • Finupp Lending (com.shuiyiwenhua.gl)
    • 4S Cash (com.swefjjghs.weejteop)
    • TrueNaira – Online Loan (com.truenaira.cashloan.moneycredit)
    • EasyCash (king.credit.ng)
    • สินเชื่อปลอดภัย – สะดวก (com.sc.safe.credit)

    Interestingly, these services exist exclusively as apps and work only on smartphones. You won’t find a web version or an official website. This allows attackers to request permission to obtain users’ confidential information stored on the victim’s smartphones.

    Dirty Fraud Methods

In the previous paragraph, I emphasized that the attackers operate exclusively through mobile devices rather than classic websites. The reason is that a website cannot access nearly as much information as an app on a phone can. The operators of SpyLoan not only harvest information from compromised devices but also resort to blackmail and harassment: victims are pressured into making payments under threat of having their private photos and videos posted on social media (that reminds me of something). This underscores the darker side of the digital lending landscape.

(Screenshot: the permissions these applications usually request)

Users have repeatedly reported fraud and coercion. For example, a user from Nigeria, in a message posted on the Google Play Help Community, accused EasyCash of fraudulent lending practices, including exorbitant interest rates and threats of blackmail. Additionally, the apps use misleading privacy policies to justify extensive permissions, including access to media files, camera, calendar, contacts, call logs and SMS messages. The revelation coincides with the resurgence of TrickMo, an Android banking trojan masquerading as a free streaming app, now with enhanced capabilities including stealing screen content and performing overlay attacks.

    Defense Measures and Advice

    This SpyLoan incident is not alone but part of a broader scheme dating back to 2020. It adds to over 300 Android and iOS apps uncovered last year. These apps also exploited users’ urgent need for quick cash, trapping them into predatory loan contracts and coercing them into granting access to sensitive information. To mitigate the risks posed by such spyware threats, users are advised to:

• Validate the authenticity of the offer. It is not hard to dress a rip-off up as a genuine, beneficial deal. When money is involved, check every element of the offer for a catch. In some cases even that is not enough, so I'd lean on the second point.
• Research the service provider. However good the offer looks, it should come from a legitimate company. Mismatched information, questionable testimonials and an outdated, abandoned or missing website are signs of a bad deal, and a good reason to reconsider using their services.
• Pay close attention to reviews and permissions before installing. Asking for excessive permissions is a classic tell of mobile malware. People tend to click through permission pop-ups during installation, and that is exactly what the frauds rely on. Check what the app asks for and compare it to what the app actually does: why would a financial app ever need continuous access to your microphone?

SecuriDropper Bypasses Google Play & Android Defenses
https://gridinsoft.com/blogs/securidropper-android-google-play/
Wed, 08 Nov 2023 22:09:24 +0000

    SecuriDropper is a rare example of the Android dropper malware that operates under the dropper-as-a-service (DaaS) model. This malware is raising significant concerns among experts due to its ability to bypass Google’s enhanced security measures and deliver a variety of malicious payloads.

    What is SecuriDropper Malware?

    SecuriDropper represents the latest evolution in the ever-changing world of cyber threats. It serves as a conduit for cybercriminals to efficiently distribute their malware in a convenient way. This, actually, is a key point of the dropper-as-a-service model. Such innovation enables threat actors to separate the development and execution of an attack from the installation of malware. This trick offers a level of sophistication that is both concerning and challenging to combat.

(Diagram: two-stage infection process of SecuriDropper)

    Dropper malware plays a crucial role in the cybercriminal ecosystem. It acts as a precursor tool designed to provide initial access to the target system. Its primary function is to download and install a malicious payload on the victim’s device, making it a valuable tool for threat actors. This strategic approach allows malicious actors to advertise their services to other criminal groups, creating a lucrative business model.

    Distribution of Malicious Payloads

    SecuriDropper has been observed distributing a range of malicious payloads, including Android banking trojans such as SpyNote and ERMAC. These trojans are often disguised as legitimate applications and are distributed through deceptive websites and third-party platforms like Discord. The resurgence of Zombinder, another Dropper-as-a-Service tool, has further amplified concerns about the distribution of malware payloads through sideloaded apps.

    SecuriDropper is a stark reminder that the fight against cyber threats is an ongoing and evolving battle. As Android continues to implement enhanced security measures, cybercriminals adapt and innovate, finding new ways to infiltrate devices and distribute malware. Dropper-as-a-Service platforms have become powerful tools for malicious actors, posing significant challenges to Android security.

Android 13 Restricted Settings vs. SecuriDropper

Despite the rather gloomy statements above, things are not hopeless. Android 13 introduced a feature called Restricted Settings, which refuses to grant the most sensitive permissions, in particular Accessibility and Notification Listener access, to apps that were sideloaded rather than installed from an app store. Those are exactly the permissions banking trojans depend on.

Restricted Settings Warning Notifications

SecuriDropper, however, was built to get around this check. Researchers found that the dropper installs its payload through the same session-based package installer API that app stores use, so the payload is not marked as sideloaded and Restricted Settings does not apply to it; the payload can then ask for Accessibility and Notification access as if it had come from a store. Users on Android 12 and earlier have no such protection at all and should be especially careful about which apps they grant these permissions to. The practical check is the same on every version: if an app you just installed asks to become an accessibility service or to read your notifications, and nothing about its stated purpose requires that, deny it and uninstall it.

Folks with the most recent updates should not be reckless either. A malicious app that slips into Google Play defeats any anti-sideloading measure, and that keeps happening, so the official store remains a possible source of infection as well.

    How to Protect Yourself from SecuriDropper

    SecuriDropper is a sophisticated Android dropper-as-a-service malware that poses a significant threat to the security of Android devices. To protect yourself from this emerging threat and similar malware, follow these security measures:

    • Only download applications from official app stores like Google Play Store. These platforms implement stringent security measures to ensure the safety of the apps they host.
    • Regularly update your Android device’s operating system and installed applications. Software updates often include security patches that address known vulnerabilities.
    • Install a reputable mobile security solution on your device. These security apps can help detect and remove threats like SecuriDropper from your device.
    • Be cautious when considering sideloaded apps obtained from unofficial sources. While sideloading offers access to a wider range of apps, it also presents security risks. Ensure you trust the source and origin of sideloaded apps.
    • Pay close attention to the permissions requested by apps during installation. Avoid granting unnecessary permissions to apps. For example, if a simple flashlight app requests access to your contacts and camera, it may be suspicious.
    • Regularly backup your important data to a secure location or cloud storage. This ensures you can recover your data in case of a malware infection.
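The permission advice given here and in the SpyLoan and Xamalicious posts above can be turned into a check. The following is an added example, not the dropper's code or anything from the cited reports: it reads a decoded AndroidManifest.xml (as produced by apktool or aapt), compares the requested permissions against what an app of a given category can plausibly justify, and flags services bound with the permissions that grant the hooks these families abuse (accessibility, notification listener, device admin). The sample manifest, the package name com.example.quickcash and the per-category allowlists are constructed for the example.

```python
"""Audit a decoded AndroidManifest.xml for excess permissions and abusable services (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(el, name):
    """Read an android:-namespaced attribute such as android:name."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

# Permissions that expose personal data or hand the app control over the device.
HIGH_RISK = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CALENDAR", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES",
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.REQUEST_INSTALL_PACKAGES",
}
# What an app category can plausibly justify (assumption made for this example).
EXPECTED = {
    "loan": {"android.permission.INTERNET", "android.permission.CAMERA"},   # camera for ID photos
    "flashlight": {"android.permission.CAMERA"},                            # torch is behind CAMERA
}
# Service-binding permissions that give an app powerful hooks into the UI or the device.
ABUSABLE_SERVICE_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (reads screen, injects taps)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener (reads all notifications, OTP codes included)",
    "android.permission.BIND_DEVICE_ADMIN": "device admin (can lock or wipe the device)",
}

def audit_manifest(xml_text: str, category: str) -> dict:
    root = ET.fromstring(xml_text)
    requested = {android_attr(p, "name") for p in root.iter("uses-permission")}
    expected = EXPECTED.get(category, set())
    findings = {
        "package": root.get("package"),
        "excess_high_risk": sorted((requested & HIGH_RISK) - expected),
        "unexpected": sorted(requested - expected),
        "abusable_services": [],
    }
    for svc in root.iter("service"):
        perm = android_attr(svc, "permission")
        if perm in ABUSABLE_SERVICE_PERMS:
            findings["abusable_services"].append((android_attr(svc, "name"), ABUSABLE_SERVICE_PERMS[perm]))
    return findings

def risk_score(findings: dict) -> int:
    """Crude triage score: one point per excess data permission, three per abusable service."""
    return len(findings["excess_high_risk"]) + 3 * len(findings["abusable_services"])

# Constructed manifest resembling what the loan apps described above request.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.quickcash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".AccessibilityHelper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    f = audit_manifest(SAMPLE_MANIFEST, "loan")
    print(f["package"], "risk score", risk_score(f))
    for p in f["excess_high_risk"]:
        print("  excess permission:", p)
    for name, why in f["abusable_services"]:
        print("  abusable service:", name, "->", why)
```

On a device, the same question can be asked after the fact from the Settings app (Apps, then the app, then Permissions, plus the Accessibility and Notification access lists); the manifest audit is simply the version of that check you can run before installing, or over a batch of APKs.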

    By following these security measures, you can reduce the risk of falling victim to SecuriDropper and other similar threats. Remember that staying vigilant and proactive in protecting your Android device is essential in today’s evolving threat landscape.

Cloud Mining Scams Spread Banking Trojans
https://gridinsoft.com/blogs/cloud-mining-scams-spread-banking-trojans/
Fri, 16 Jun 2023 11:06:12 +0000

It's no secret that cybercriminals have increasingly been using mobile platforms as an attack vector. One example is a new Android malware that spreads through fake cloud mining services and targets cryptocurrency wallets and online banking apps. Analysts dubbed this banking trojan Roamer, though the same lure could just as well deliver other malware.

    What are we talking about?

    The era of hype around crypto-mining is over, and the shortage of video cards and mining farms is a thing of the past. Today, cloud computing technology is making it possible to significantly lower the entry threshold into the world of crypto-mining. To start mining Bitcoin, for example, there is no need to buy expensive equipment. Instead, the user can rent computing power from cloud mining companies for a fee. Of course, scammers couldn’t stay away from this niche.

The current scheme works as follows: the attackers create a phishing website that pretends to offer cloud mining services. Unsuspecting users land on the site, where they are prompted to download a smartphone app. Instead of the promised app, the user downloads malware that steals crypto wallet data and other valuable information from the device. It sounds too obvious to work, but the fact that researchers keep writing about it shows that it does.

    How the Cloud Mining Scams scheme works

    A team of researchers discovered a phishing website with the address hxxps://cloudmining[.]uk[.]com, which looks like a cloud mining platform. The site has “Create Account” and “Sign In” buttons and links to download a mobile app from Google Play and the App Store for Android and iOS devices, respectively. However, attackers use a trick: when clicking on the “Google Play” link, the user is not redirected to the application page in the store, but a direct download of the .apk file named CloudMining.apk takes place. An experienced user might have noticed the unusualness of this behavior. Still, an ordinary user might not pay attention to it. This is precisely the kind of oversight that attackers are counting on. After downloading the file, the victim gets a malicious software module that aims to steal confidential data from the victim’s device.

(Screenshot: the website with fake store buttons. Visually they look like real buttons, but their behavior does not match what is stated.)
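The tell described above, a "Google Play" button that serves an APK directly instead of opening the store, is easy to check for mechanically. The following is an added example, not from the researchers cited here: it parses a page's HTML, picks out links whose label or image alt text mentions an app store, and flags any that point to a direct APK download or to a host other than the official stores. The HTML and the .invalid domains are constructed for the example; the output is defanged with hxxp and [.] the way the post writes its indicators.

```python
"""Flag app-store-labelled links that do not lead to the official stores (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com", "itunes.apple.com"}
STORE_WORDS = ("google play", "play store", "app store")

class StoreLinkCollector(HTMLParser):
    """Collect (href, label) for every <a href>, the label being its text plus any <img alt>."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._label = a["href"], []
        elif tag == "img" and self._href is not None and a.get("alt"):
            self._label.append(a["alt"])

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._label).strip()))
            self._href = None

def defang(url: str) -> str:
    """hxxps://host[.]tld form, so the indicator cannot be clicked by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def check_store_links(html: str, page_url: str) -> list:
    """Return (defanged_url, label, reason) for each store-labelled link that is not an official store page."""
    parser = StoreLinkCollector()
    parser.feed(html)
    findings = []
    for href, label in parser.links:
        if not any(word in label.lower() for word in STORE_WORDS):
            continue
        target = urlparse(urljoin(page_url, href))
        if target.scheme == "market":              # market://details?id=... opens the Play app; legitimate
            continue
        host = (target.hostname or "").lower()
        if target.path.lower().endswith(".apk"):
            findings.append((defang(target.geturl()), label, "direct APK download"))
        elif host not in OFFICIAL_STORE_HOSTS:
            findings.append((defang(target.geturl()), label, "host is not an official store"))
    return findings

# Constructed page mimicking the one described in the post.
SAMPLE_PAGE_URL = "https://cloudmining-example.invalid/"
SAMPLE_HTML = """
<a href="/download/CloudMining.apk"><img src="gp.png" alt="Get it on Google Play"></a>
<a href="https://apps-store-example.invalid/ios"><img src="as.png" alt="Download on the App Store"></a>
<a href="https://play.google.com/store/apps/details?id=com.example.legit">Google Play</a>
<a href="/signup">Create Account</a>
"""

if __name__ == "__main__":
    for url, label, reason in check_store_links(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("%-30s %-28s %s" % (reason, label, url))
```

A real Google Play link resolves to play.google.com (or a market:// intent that opens the Play app); a link that hands the browser an .apk file is sideloading dressed up as a store download, whatever the button looks like.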

    The Roamer Banking Trojan

    The “Roamer” Banking Trojan is a malware that extracts sensitive information from infected devices. It targets various crypto wallets and banking applications. It is distributed through fraudulent websites and employs different themes, such as gaming or shopping mall names and icons. Once installed, the malware exploits the Accessibility Service to extract information from targeted applications. The malware targets the following cryptocurrency wallet and banking applications:

• HDFC Bank Mobile Banking App
• Bitso
• OKX: Buy Bitcoin, ETH, Crypto
• TokenPocket Wallet Crypto DeFi
• TronLink Pro
• Binance: BTC, Crypto, and NFTS
• Coinbse: Buy Bitcoin & Ether
• aelf Official Wallet
• Bitpie Wallet
• Trust: Crypto & Bitcoin Wallet
• MB Bank
• SafePal: Crypto Wallet BTC NFT
• KuCoin: BTC, Crypto Exchange
• Poloniex Crypto Exchange
• MetaMask - Blockchain Wallet
• SCB Mobile Banking
• ACB One
• VCB Digibank
• PayPal - Send, Shop, Manage
• MSB mBank
• VietinBank iPay
• Coinbase: Buy Bitcoin & Ether
• Bybit: Buy Bitcoin, Trade Crypto
• Huobi: Buy Crypto & Bitcoin
• imToken: Crypto & DeFi Wallet

The Roamer trojan steals sensitive data, including crypto wallet details and banking credentials. It automatically substitutes the threat actor's crypto address into the victim's wallet app and transfers funds to the attacker's account. In addition, it collects SMS messages, files and location details from infected devices, can open targeted apps, take screenshots and start screen recording, and sends the stolen data to a C&C server.

    Telegram channel for phishing distribution

    Researchers also found an active Telegram channel that began its activity on May 15, 2023, and has more than 5 thousand subscribers. Presumably, scammers use this channel to attract victims. The channel regularly publishes information about cloud mining schemes and distributes the phishing websites hxxps://cloud-miner[.]cc and hxxps://cloud-miner[.]top. Although the latter site has a different design, it is also used for cloud mining scams and offers the previously mentioned smartphone app for download.

    A Telegram post that contains a phishing link

    Another phishing site

    These sites have “Sign in” and “Sign up” buttons to give them a realistic look, but they are not just decorative elements. Clicking either button redirects the user to another phishing site, hxxps://cloud-mining[.]vip, which offers to create an account and mine Tron (TRX). After registering, the user is prompted to top up their wallet to start mining, a typical scam scheme. As you may have guessed, the site simply hijacks the wallet, since it deliberately lacks any form of protection.

    The site asks to refill the account to start mining

    Safety tips

    The following are tips to help prevent unpleasant experiences with this cyber threat:

    • Only install software from official app stores. This is the Google Play Store for Android and, for iOS, the App Store. While this doesn't guarantee 100% protection against rogue apps, it significantly reduces the chances. Also, if you are an Android user, ensure that Google Play Protect is turned on.
    • Use biometric security features such as fingerprints or facial recognition to unlock your mobile device.
    • Use strong passwords, change them periodically, and use multifactor authentication wherever possible.
    • Update your device firmware and apps to the latest version to fix vulnerabilities and improve security.
    • Be wary of links from unknown senders in SMS, messengers, and emails. Don't click on them, especially if they are suspicious.
    • Never give anyone your banking information or confirmation codes, even if they pretend to be from a bank or other organization.


    The post Cloud Mining Scams Spread Banking Trojans appeared first on Gridinsoft Blog.
