Cybersecurity researchers hunting for threats have identified a new variant of the Android malware MoqHao that runs automatically on infected devices without requiring any user interaction.
What cybersecurity experts say about MoqHao Android malware
“The typical [malware] MoqHao requires users to install and launch the application to achieve the desired purpose, but this new variant does not require execution [by the user],” McAfee Labs said in a report released this week. “While the application is installed, their malicious activity starts automatically.”
The targets of the campaign involving this malware include Android users located in France, Germany, India, Japan, and South Korea.
MoqHao, also called Wroba and XLoader (not to be confused with the malware of the same name for Windows and macOS), is an Android-based mobile threat associated with a financially motivated Chinese cluster named Roaming Mantis (also known as Shaoye).
Typical attack chains begin with package-delivery-themed SMS messages containing fraudulent links that, when clicked on an Android device, lead to the malware being delivered, and that instead redirect victims to credential-harvesting pages impersonating Apple's iCloud login page when visited from an iPhone.
In July 2022, Sekoia detailed a campaign that compromised at least 70,000 Android devices in France; since the beginning of last year, updated versions of MoqHao have been found capable of infiltrating Wi-Fi routers and performing domain name system (DNS) hijacking, revealing the adversary's commitment to innovating its arsenal.
The latest iteration of MoqHao continues to be distributed via smishing techniques, but what has changed is that the malicious payload runs automatically upon installation and asks the victim to grant risky permissions without launching the application, a behavior previously seen with fake applications containing the HiddenAds malware.
The links shared in the SMS messages have also been reworked: they are now hidden behind URL shorteners to increase the likelihood of the attack succeeding, and the contents of these messages are pulled from the bio (description) field of fraudulent Pinterest profiles created for this purpose.
MoqHao is equipped with several features that allow it to stealthily collect sensitive information such as device metadata, contacts, SMS messages and photos, call specific numbers in silent mode and enable/disable Wi-Fi, among other things.
McAfee said it reported the findings to Google, which is “already working to implement mitigations to prevent this type of automatic execution in a future version of Android”.
This development comes as Chinese cybersecurity firm QiAnXin has revealed that a previously unknown crime syndicate called Bigpanzi has been linked to the compromise of Android-based smart TVs and set-top boxes (STBs) in order to aggregate them into a botnet used to conduct distributed denial-of-service (DDoS) attacks.
The operation, active since at least 2015, is estimated to control a botnet of at least 170,000 bots active daily, most of which are located in Brazil; in total, 1.3 million distinct Brazilian IP addresses had been associated with Bigpanzi as of August 2023.
Infections occur by tricking users into installing booby-trapped applications that stream pirated movies and TV shows via suspicious websites; the campaign was first disclosed by the Russian antivirus provider Doctor Web in September 2023.
“Once installed, these devices transform into operational nodes within their illicit media streaming platform, offering services such as traffic proxying, DDoS attacks, OTT content delivery and pirate traffic,” said QiAnXin researchers.
“The possibility that TVs and STBs controlled by Bigpanzi broadcast violent, terrorist or pornographic content, or use increasingly convincing AI-generated videos for political propaganda, constitutes a significant threat to social order and stability.”