More than 250 malicious apps are spreading info-stealing malware on Android and iOS — delete these right now

You can never be too careful when downloading a new app to your iPhone or Android phone as what may look harmless on the surface could actually be a malicious app designed to infect your device with malware.

Case in point, the mobile security firm Zimperium has discovered a new malware campaign which targets users of the best iPhones and best Android phones with over 250 malicious apps spread via 80+ malicious domains.

What sets this particular campaign apart is that in addition to posing as utility apps, many of the malicious apps used in it also posed as dating apps along with file sharing ones and car service platforms.

Once installed on a vulnerable smartphone, the apps were then used to download a dangerous info-stealing malware capable of stealing all sorts of sensitive personal data including a victim’s contacts and even their photos. The hackers behind this campaign then took things a step further, threatening to extort victims by leaking their private info and photos to their contacts or online if their demands weren't met.

Here’s everything you need to know about this new malware campaign along with some tips and tricks to help you stay safe from malicious apps and the dangers they pose to both your data and your devices.

Delete these apps right now

Before we go into the campaign itself and how it worked, you should first check your phone to make sure that you haven’t installed any of the apps below. If you have, you’re going to want to manually delete them from your devices:

  • Pilatess
  • Mfile
  • Zcloud
  • Haikiss
  • WhaleS
  • KingCloud
  • Acloud
  • Cloud-k
  • AceCloud
  • Lovelush
  • LOVESS
  • Slovehome
  • Erotic-s
  • BKing

I’ve highlighted just a few of them above but you can see the full list here (Google Sheet). If you take a closer look at the names of these malicious apps, you’ll notice that many of them are in Korean which makes sense given that this campaign mainly targeted users in South Korea.

Given that anyone could have shared a link to one of the malicious domains hosting these fake apps, iPhone and Android users worldwide could be impacted. Either way, it’s always a good idea to take a closer look at all of the apps you have installed and to delete any you don’t recognize or haven’t used in a while.

From phishing sites to fake apps

In a blog post detailing the inner workings of this new campaign dubbed SarangTrap, Zimperium’s security researchers explain that potential victims are first tricked into visiting carefully crafted phishing sites.

These are designed to impersonate popular brands and app stores which not only adds legitimacy to the campaign but may also entice users to download these bad apps.

Once installed, these fake apps lure users in with slick user interfaces while requesting access to loads of unnecessary permissions with the caveat that they won’t work without them. To make these apps seem more exclusive, especially the ones posing as dating apps, users are also prompted to enter a valid invitation code.

Once entered, this invitation code is sent to a hacker-controlled server for validation, after which the malicious apps request access to the sensitive permissions they’ll use to infect a device with malware and steal personal info from it.

Besides acting as a lure, this process allows the malware to remain undetected by the best antivirus software and other security solutions designed to stop malicious activity from bad apps.

With the necessary permissions in hand, these fake apps reveal their true nature. While they look slick and polished at first, they contain no dating features or other functionality at all. Instead, they’re just a facade used by the hackers behind this campaign to gain a foothold on vulnerable devices from which they can then steal all sorts of valuable sensitive data.

When it comes to the types of data the malware spread by these fake apps is able to steal, it can download a victim’s phone number and device identifiers along with all their photos and text messages. With all this info, the hackers behind this campaign can easily extort victims, though they could also bundle it all together and sell this data to other cybercriminals to use in their own attacks.

Surprisingly, in addition to malicious Android apps, this campaign also uses a deceptive mobile configuration profile to go after iPhone users. By installing this profile on an iPhone, the hackers are able to steal much of the same sensitive data on iOS including a victim’s contacts and photos.

How to stay safe from malicious apps

Just like with new software on your computer, you always need to be careful when installing new apps on your phone, especially as we now have so much personal and even financial info on our mobile devices.

For starters, you want to avoid sideloading apps or installing apps from unknown sources or websites. If you’re taken to a site trying to get you to install an app instead of to an official app store like the Google Play Store or Apple’s App Store, this is a major red flag and a great indication that you should avoid this particular app altogether.

When you install a new app on your devices, you want to pay close attention to the types of permissions it requests the first time that you open it. While it makes sense for a messaging app to request access to your text messages, it definitely doesn’t when a dating app does so. If any permissions seem odd or unnecessary, this is another red flag that something could be off with a particular app.
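For anyone checking more than one phone, the same permission check can be scripted. The sketch below is an added example, not code from Zimperium or Tom's Guide: it flags apps that ask for the data types this campaign steals when the app's category doesn't justify it. The category expectations, the inventory format and the "ChatNow" and "QuickDrive" entries are assumptions made up for illustration.

```python
# Android permissions that guard the data types the article says are stolen.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
    "android.permission.READ_EXTERNAL_STORAGE": "photos",
    "android.permission.READ_MEDIA_IMAGES": "photos",
}
# Assumption: data each app category can reasonably ask for; adjust as needed.
EXPECTED = {
    "messaging": {"contacts", "text messages", "photos"},
    "dating": {"photos"},
    "file sharing": {"photos"},
}
# The app names listed in the article (the full list is longer).
LISTED_NAMES = {n.lower() for n in (
    "Pilatess Mfile Zcloud Haikiss WhaleS KingCloud Acloud Cloud-k "
    "AceCloud Lovelush LOVESS Slovehome Erotic-s BKing").split()}

def audit(app):
    """Return the list of red flags for one inventory entry."""
    flags = []
    if app["name"].lower() in LISTED_NAMES:
        flags.append("name on the article's list")
    if app["source"] != "official store":
        flags.append("installed from outside an official store")
    wanted = {SENSITIVE[p] for p in app["permissions"] if p in SENSITIVE}
    excess = wanted - EXPECTED.get(app["category"], set())
    if excess:
        flags.append("unexpected access: " + ", ".join(sorted(excess)))
    return flags

def triage(inventory):
    """Map app name -> flags, keeping only apps with at least one flag."""
    return {a["name"]: f for a in inventory if (f := audit(a))}

# Constructed sample inventory; "ChatNow" and "QuickDrive" are made-up names.
P = "android.permission."
INVENTORY = [
    {"name": "Lovelush", "category": "dating", "source": "website",
     "permissions": [P + "READ_CONTACTS", P + "READ_SMS", P + "READ_MEDIA_IMAGES"]},
    {"name": "ChatNow", "category": "messaging", "source": "official store",
     "permissions": [P + "READ_CONTACTS", P + "READ_SMS"]},
    {"name": "QuickDrive", "category": "car service", "source": "website",
     "permissions": [P + "READ_CONTACTS", P + "READ_PHONE_STATE"]},
]

if __name__ == "__main__":
    for name, flags in triage(INVENTORY).items():
        print(name, "->", "; ".join(flags))
```

A name match on its own is weak evidence, since a legitimate app can share a name with a fake one; it's the combination of flags that matters.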

Besides being extra careful when installing new apps, I highly recommend that you limit the number of apps on your phone overall. Having a lot of apps installed makes it difficult to find malicious ones and even good apps can go bad when injected with malicious code. The fewer apps you have, the less likely it is that one of them will be malicious or turn malicious later.

If you’re using an Android phone, you want to make sure that Google Play Protect is enabled as this pre-installed security solution scans all of the new apps you download as well as all of your existing apps for malware. For extra protection though, you may also want to consider running one of the best Android antivirus apps alongside it.

While there isn't an iPhone equivalent of these apps due to Apple’s own restrictions, the best Mac antivirus software from Intego can scan your iPhone or iPad for malware when plugged into your Mac via a USB cable.

Given that downloading and installing a malicious app even accidentally can have very serious consequences, you may also want to invest in one of the best identity theft protection services. They can help you get your identity back after having it stolen as well as compensate you for any funds lost to fraud or a cyberattack.

Malicious apps are the easiest way for hackers to establish a foothold on your devices and gain leverage over you and your data which is why they aren’t going anywhere anytime soon. This is why it’s up to you to be proactive as well as careful when it comes to which apps you download and where you download them from.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
