To Steal Credentials, Malevolent Android Apps Disguised as Google, Instagram, and WhatsApp

Malicious Android applications posing as Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter) have been observed on compromised devices, where they are used to capture users’ credentials.

“This malware deceives individuals and tricks victims into installing the malicious app on their devices by using well-known Android app icons,” the threat research team at SonicWall Capture Labs said in a recent report.

The campaign’s distribution vector is unknown at this time. Once installed on a user’s device, however, the application prompts the user to grant it access to accessibility services and to the device administrator API, a deprecated feature that provides system-level device administration.

Acquiring these privileges lets the malicious application take control of the device and perform arbitrary operations, such as stealing data or deploying further malware, without the victim’s knowledge.

The malware connects to a command-and-control (C2) server to receive instructions for execution. Through this channel it can read contact lists, SMS messages, call logs, and the list of installed applications, send SMS messages, load phishing pages in the web browser, and toggle the camera flashlight.
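As an added triage example (not the article’s or SonicWall’s code), the following Python helper flags packages that hold both of the grants the article describes, an enabled accessibility service and device-administrator rights, and that are not on a trusted allowlist. The adb output it parses is constructed, the allowlist is an assumption, and the `dumpsys device_policy` fragment is assumed to follow the `ComponentInfo{pkg/cls}` shape.

```python
"""
Added triage helper (not from the article or the SonicWall report): flag apps
that hold BOTH an enabled accessibility service and device-admin rights. Input
is text in the shape of `adb shell settings get secure enabled_accessibility_services`
and `adb shell dumpsys device_policy`; the samples below are constructed.
"""
import re

# Packages a defender trusts to hold these powers; assumption, tune per fleet.
ALLOWLIST = {"com.google.android.marvin.talkback", "com.android.settings"}

# Constructed sample of the colon-separated accessibility services setting.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.gogle.android.gms/.AccessService")

# Constructed fragment in the assumed shape of `dumpsys device_policy` output.
SAMPLE_DPM = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.gogle.android.gms/com.gogle.android.gms.AdminReceiver}
      uid=10234
  Enabled Device Admins (User 10, provisioningState: 0):
    ComponentInfo{com.android.settings/com.android.settings.DeviceAdminReceiver}
"""

def accessibility_packages(setting: str) -> set[str]:
    """Package names from the enabled_accessibility_services value ('null' when empty)."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}

def device_admin_packages(dump: str) -> set[str]:
    """Package names inside ComponentInfo{pkg/cls} lines of a device_policy dump."""
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", dump))

def suspicious_packages(a11y: str, dump: str) -> set[str]:
    """Packages holding both grants that are not on the allowlist."""
    both = accessibility_packages(a11y) & device_admin_packages(dump)
    return both - ALLOWLIST

if __name__ == "__main__":
    # Look-alike package names (here the constructed "gogle" typo) are a common tell.
    for pkg in sorted(suspicious_packages(SAMPLE_A11Y, SAMPLE_DPM)):
        print("review:", pkg)
```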

The phishing URLs imitate the registration pages of widely recognized platforms, including PayPal, Proton Mail, Snapchat, Tumblr, X, Yahoo, LinkedIn, Instagram, Facebook, and Netflix.

Symantec, which is owned by Broadcom, has issued a warning about a social engineering campaign that uses WhatsApp as a delivery vector to distribute a novel Android malware disguised as a defense-related application.

“Based on successful delivery, the application would install itself under the guise of a Contacts application,” Symantec reported. “Upon execution, the app would request permissions for SMS, Contacts, Storage, and Telephone and subsequently remove itself from view.”

This follows the discovery of malware campaigns distributing Android banking trojans such as Coper, which can steal confidential data and display fraudulent window overlays to trick users into divulging their credentials.

The National Cyber Security Centre of Finland (NCSC-FI) disclosed last week that users are being directed to Android malware that obtains banking information via smishing messages.

The attack chain utilizes a method known as telephone-oriented attack delivery (TOAD), in which the SMS messages instruct the recipients to contact a specific number regarding a debt collection demand.

The fraudster on the other end of the line notifies the recipient that the message is fraudulent and advises them to safeguard their device by installing an antivirus application.

They then direct the recipient to click a hyperlink in a follow-up text message, which is supposed to activate the security software in question. In reality, it is malware designed to steal online banking credentials and execute unauthorized fund transfers.

Although NCSC-FI did not name the Android malware strain used in the attack, it is presumed to be Vultur, which NCC Group described early last month as using an almost identical method to compromise devices.

Tambir and Dwphon are two Android-based malware programs with diverse data-gathering capabilities that have been spotted in the wild in recent months; the latter is specifically designed for the Russian market and targets mobile phones made by Chinese handset manufacturers.

“Dwphon comes as a component of the system update application and exhibits many characteristics of pre-installed Android malware,” Kaspersky reported.

“The exact infection path is unclear, but there is an assumption that the infected application was incorporated into the firmware as a result of a possible supply chain attack.”

Year over year, the number of Android users affected by banking malware rose by 32%, from 57,219 to 75,521, according to telemetry data analyzed by the Russian cybersecurity firm. The majority of infections were reported in India, Turkey, Saudi Arabia, Spain, and Switzerland.

“Although the number of users affected by PC banking malware continues to decline, […] the year 2023 saw the number of users encountering mobile banking Trojans increase significantly,” Kaspersky reported.


About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also writes frequently for Craw Security.