An Android malware campaign leveraging money-lending apps to steal personal information from victims and blackmail them has recently been discovered.
Named "MoneyMonger" by cybersecurity firm Zimperium, the campaign uses malicious apps developed using the Flutter framework. MoneyMonger "takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis," the firm's blog stated. "Due to the nature of Flutter, the malicious code and activity now hide behind a framework outside the static analysis capabilities of legacy mobile security products."
The money-lending apps used in the campaign are not available in the Google Play Store. Instead, they can be downloaded through unofficial app stores or sideloaded to devices via social media campaigns, compromised websites, rogue ads, and phishing messages. The apps are estimated to have amassed over 100,000 downloads.
After one of the malicious apps is installed, it asks the user to grant certain permissions under the pretense that doing so will guarantee the user a loan. However, once the permissions are granted, the app collects data such as GPS locations, text messages, contacts, call logs, files, photos, and audio recordings, and the threat actors use this information to force victims into paying excessively high interest rates for the loans.
If the victim fails to repay on time, the threat actors will threaten to reveal the victim's personal information, call people from their contact list, and even send photos stolen from the device.
Zimperium likens the malware campaign's use of blackmail to how ransomware functions "due to their success in leaving victims feeling helpless in the situation." It expounded further:
Quick loan programs are often full of predatory models, such as high-interest rates and payback schemes, but adding blackmail into the equation increases the level of maliciousness. And due to the financial uncertainty many people globally are experiencing, it is no surprise to find this malware type growing in popularity.
The cybersecurity firm notes that one variant of the MoneyMonger campaign targets Indian residents, while others are targeting those in Peru.
To protect yourself from such malicious apps, always read an app's reviews (among other things). Also, be careful when granting permissions requested by apps. If an app is asking for a permission that is unrelated to the program's function, it could be malicious.
Update: A Google spokesperson offered the following statement regarding the issue:
None of the identified malicious apps in the report are on Google Play. Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Google Play Protect will warn users that attempt to install or launch apps that have been identified to be malicious.
Source: Zimperium