Google Chrome is the world’s most popular browser. So when a “very dangerous,” fraudulent update is caught stealing private data, messages and photos, it’s a cause for serious concern.
2/10 update below, article originally published 2/9.
An alarming new report from McAfee this week warns Android users to refrain from clicking any message links that install Chrome updates on their devices. MoqHao malware is hiding within those downloads with a nasty twist—one which the security researchers describe as a new, “very dangerous technique.”
“While the app is installed,” the researchers warn, “their malicious activity starts automatically. We have reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version.”
This malicious campaign distributes the MoqHao malware through SMS messages—with another twist. The threat actors have started using short URLs from legitimate services, given that “it is difficult to block the short domain because it could affect all the URLs used by that service. [But] when a user clicks on the link in the message, it will be redirected to the actual malicious site by the URL shortener service.”
Once installed, the fraudulent Chrome update then asks for expansive user permissions, including access to SMS, photos, contacts and even the phone itself. The malware is designed to run in the background, connecting with its command and control server, managing data to and from the device, as ever more damage is done.
McAfee attributes this MoqHao (XLoader) campaign to the Roaming Mantis group—a threat actor that usually operates in Asia. However, McAfee notes that this specific campaign also appears to target users in Europe. One of the languages programmed into the campaign is English, which means U.S. users are also in range.
If you look carefully, you can see that the messaging uses Unicode characters to trick users into thinking it’s a legitimate Chrome update. “This technique makes some characters appear bold, but users visually recognize it as ‘Chrome’,” McAfee says, also warning that “this may affect app name-based detection techniques that compare app name (Chrome) and package name (com.android.chrome).”
It’s only February, and this is the third headline-generating Android malware alert of the year so far. We have seen VajraSpy, SpyLoan and Xamalicious. We have also seen a wider warning about copycat apps, which echoes what we’re seeing here. As for this one specifically, McAfee warns that “we expect this new variant to be highly impactful because it infects devices simply by being installed without execution.”
“Copycat apps are simple to produce,” warns ESET’s Jake Moore. “Downloading and installing a malicious app on your phone can lead to a number of disasters, including theft of personal data, compromise of banking information, poor device performance, intrusive adware and even spyware monitoring your conversations and messages.”
As I’ve said repeatedly this year, the timing here is potentially even more notable than the malware itself. Europe’s Digital Markets Act is effecting substantial changes to the apps and platforms we use most. And that includes app stores.
Apple is reluctantly opening up its own for the first time, but is warning of the dangers to users as it does so. “These new regulations, while they bring new options for developers, also bring new risks. There’s no getting around that,” Apple’s Phil Schiller has warned, with malware top of the list of those concerns.
Apple opening up to third-party stories will directly contrast its security approach to Google’s, which has always been much less locked down, promoting user choice as a balance to security. If Apple can open up app store choice while maintaining security, that will put additional pressure on Android’s protection.
In response to the McAfee report, a Google spokesperson told me that “Android has multi-layered protections that help keep users safe,” and, as noted in the McAfee report, that “Android users are currently protected against this by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
Google also confirmed that it had worked with McAfee on addressing this new malware threat, as it’s one of its App Defense Alliance partners.
2/10 update:
Given the kind of serious threat highlighted by McAfee’s report, where users sideload dangerous apps and updates to their devices, it’s no surprise that Google’s newly announced pilot to prevent users installing or updating dangerous apps is gaining increasing attention.
Sideloading will be the debate that runs and runs this year. In its blogpost announcing its latest move, Google confirmed that while “keeping users safe in an open ecosystem takes sophisticated defenses… our data shows that a disproportionate amount of bad actors take advantage of select APIs and distribution channels in this open ecosystem.”
This is exactly what we have seen with this latest McAfee report. Albeit malware hiding within an app update is not limited to Google and Android, as we have just seen with an attack on Apple devices hidden within a Visual Studio update.
As for Android, Google’s warning applies to any and all Android users willing to step outside its Play Store to install apps into their devices. As Google explains, “while users have the flexibility to download apps from many sources, the safety of an app can vary depending on the download source.”
To provide some sense of the scale of the problem, Google warns that Google Play Protect’s app scanning “has identified 515,000 new malicious apps and issued more than 3.1 million warnings or blocks of those apps.” Buyers beware.
The new pilot focuses on financial fraud and is being conducted through a “strategic partnership” with the Cyber Security Agency of Singapore (CSA).
“Cybercriminals continue to invest in advanced financial fraud scams, costing consumers more than $1 trillion in losses,” Google says, which is why it will “analyze and automatically block the installation of apps that may use sensitive runtime permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps or file managers).”
The high-risk permission requests Google has identified and which will be blocked, it says, “are frequently abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on screen content. Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 percent of installations came from Internet-sideloading sources.”
This is clearly the same level of threat we have seen in the self-running MoqHao malware, which also seeks to secure permissions enabling it to spy on user content and make use of the device’s SMS and other connectivity capabilities.
During the pilot, Google explains, “when a user in Singapore attempts to install an application from an Internet-sideloading source and any of these four permissions are declared, Play Protect will automatically block the installation with an explanation to the user.”
As McAfee acknowledges in its own report on MoqHoo, “it is difficult for general users to find fake apps using legitimate icons and application names, so we recommend users to install secure software to protect their devices.”
Clearly, McAfee and other security vendors would like that to be their own third-party software, but the reality is that this needs to be the ecosystem itself as a first line of defense. It should not be this easy to attack a user’s device.
But where your device sits outside Google’s Play defenses, you really should be looking at third-party software, from McAfee or others to keep you safe.
Beyond software defenses, there is the need for common sense and good practice. The advice for users remains very, very simple. Never click on links such as those seen in this latest campaign—and definitely do not install apps directly from links. This was central to ESET’s copycat app warning. You should also never agree to permission requests that aren’t core to an app’s specific functionality.
Here are the golden rules for apps and updates:
- Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load.
- Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
- Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
- Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
- Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.