Other malware in the Google Play Store • The Register

in letter A quartet of malware-laden Android apps from a single developer have been caught with malicious code more than once, yet the infected apps remain on Google Play and have been collectively downloaded more than a million times.

The apps come from the developer Mobile apps Group and are infected with the Trojan known as HiddenAds, security shop Malwarebytes said. He analyzed one of the Mobile app Group’s products, Bluetooth Auto Connect, which apparently does what the name suggests but also much more.

A run of over ten months with malicious code on Google Play? Maybe it’s time to say three caveats and you’re off to the Mobile apps Group

According to Malwarebytes, once installed the app waits a few days to start behaving maliciously. Once it intervenes, the app starts opening phishing sites in Chrome ranging from harmless pay-per-click spam, to sites that tell users to download updates or take action because their device is infected.

“As a result, unlocking the phone after several hours means closing more tabs,” said Nathan Collier of Malwarebytes.

Interestingly, the malware in Mobile apps Group’s .APKs was removed twice, in January 2021 and again the following month, when the developer uploaded clean versions of Bluetooth Auto Connect before re-adding the malware in a future update. .

Collier believes the developer was likely caught by Google, leading to clean uploads. Despite this, he notes that the latest clean version was released on October 21, 2021, with a new malware-infested version added to Google Play in December last year.

“Now in version 5.7, that malicious code remains to this date. A ten-plus month run of malicious code on Google Play. Maybe it’s time to say three strikes and you’re out for Mobile apps Group,” Collier said.

Google Play has a history of hosting malicious apps, perhaps one of the most egregious cases came to light last July, when 60 apps installed by over 3.3 million users were removed due to malware.

This isn’t even the first time the HiddenAds trojan has been found on Google Play: it was spotted in the store in 2020, while in 2021 a popular barcode scanning app installed on over 10 million devices was updated to add HiddenAds. (and also sought after as a necklace).

Google was also accused of failing to check preloaded malware on cheap Android devices, for which more than 50 advocacy groups called the company in 2020.

The attack on the software supply chain hits the US media

Proofpoint Threat Research warns that more than 250 local and regional US newspaper websites accessed and provided malicious code to readers following a software supply chain attack.

The responsible group is believed to be TA569, or SocGholish, Proofpoint said in a Twitter discussion. The group reportedly compromised an unnamed media company that delivers JavaScript ads and videos to news sites across the country “by modifying the code base of this otherwise benign JS.”

Proofpoint has been monitoring TA569 for several years and in 2020 warned it was performing similar attacks via HTML injections and CMS compromises. According to Proofpoint, the ultimate goal is an infection with the SocGholish malware, which masquerades as update files for Firefox and other web browsers.

Only the infected media companies running the ads have the true tally showing how widespread the damage is, Proofpoint said, adding that compromised sites have been found serving Boston, New York, Chicago, Washington, DC and other metropolitan areas.

Proofpoint said TA569 regularly removes and adds new malicious code, “so the presence of the payload and malicious content can vary from hour to hour,” making this difficult to detect as well.

Nearly half of US government employees use outdated mobile devices

According to a report examining the telemetry of more than 200 million devices, just under half of the mobile devices used by US officials at all levels of government use outdated operating systems.

According to security firm Lookout, this includes U.S. federal, state, and local employees using outdated versions of Android and iOS on their devices, with much worse numbers reported for Android.

Ten months after the release of Android 12, only 67% of federal devices and 54% of state / local devices were running the updated version. Android 11 was present on around 15% of devices at all government levels, while over 10% of state and local devices still used Android 9.

The only large group of iOS devices that weren’t running iOS 15 (the most recent version during the data period) were state and local devices, about a quarter of which were still running iOS 14 ten months after iOS 15 was released.

But cybercriminals bent on accessing government devices are moving away from malware and turning to simply collecting credentials, meaning those outdated operating systems may not be to blame for the threat actors taking hold in government agencies. Americans.

About 50 percent of phishing attacks on government employees attempted to steal credentials, up from about a third the year before, Lookout said. Good news from the report is that government employees appear to be learning the lesson from phishing.

“Well over 50 percent of federal, state and local employees who received a notification that they clicked a phishing link did not click a subsequent mobile phishing link.” ®