Spyware That Can Record Passwords Is Spread Using Fake Skype and Signal Apps
Attackers can't afford to stop in their quest to find new and interesting ways of infecting victims with malware. For example, when it comes to Android users, there are known infection vectors that, on the face of it, work rather well but are not as effective as they used to be. Hackers often push a simple application that promises to add certain features to the users' device like a flashlight or a QR code scanner. Upon installation, the app requests permissions that are not typical for the advertised functionality, but people often ignore them. Sure enough, they later realize that they've actually installed malicious software on their mobile devices.
It's a tried and tested method that works to this day, but more and more people are becoming aware of it. What's more, those who might be more susceptible to high-profile attacks know how to protect themselves. This means that threat actors are facing a bigger challenge, and sure enough, they are stepping up to it.
Hackers spread malware with the help of trojanized legitimate applications
In a recent interview with ThreatPost, Apurva Kumar from a security company called Lookout talked about what the hackers have been using to hit their targets with malware. Having realized that people are starting to be a bit more careful with the apps they install on their devices, the attackers are now trying to trick them using the names of legitimate, well-known online services.
Specifically, Kumar noted that some spyware actors are using the names of Skype and Signal to push targets into installing malware. Both applications legitimately need access to resources like the camera and the contacts list saved on the device, so permission requests of that kind are exactly what the target expects to see, and they are less likely to become suspicious. What's more, users are offered a known, recognizable brand and logo, and not a random app that promises to scan QR codes (something your phone is likely capable of anyway).
It must be said that Kumar's focus was on attacks aimed at high-value targets, and not random users. In these attacks, putting the malicious app under a household name is simply not enough. The researcher said that in the cases she's examined, the crooks took legitimate Skype or Signal applications, unpacked them, and injected their malicious code inside them. This way, the target would install the app with all its regular capabilities, and they are less likely to see that their data is being siphoned off.
Monokle is alive and kicking
Apurva Kumar's interview centered around a family of Android spyware, or surveillanceware, called Monokle. It has been around since at least 2015, but it wasn't until last summer that Lookout's experts spotted it and examined it in greater detail.
The security company even attributed the extremely versatile spyware to a Russian company called Special Technology Center (STC). STC develops security products for Android, but it's also thought to have strong connections to the Russian government. In 2016, the company was sanctioned by the Obama administration for interfering with the US Presidential Elections, which, if Lookout's attribution is accurate, hasn't really done much to deter it from carrying on with the distribution of spyware.
Regular users are not particularly likely to be hit by trojanized Skype and Signal applications carrying Monokle. As we mentioned in our previous article, the spyware is extremely sophisticated, and it's likely used on high-profile targets only. This doesn't mean, however, that other threat actors won't take note of STC's alleged tactics, so keeping your wits about you even when you're installing seemingly recognizable applications is as important as ever.