This malware collects enough info to steal your identity — and it’s hiding in downloads for popular apps

(Image credit: solarseven/Shutterstock)

Downloading new apps on your computer is usually a simple and straightforward process, but you now need to be extra careful when doing so as hackers have begun impersonating popular apps to spread malware.

According to a new blog post from the cybersecurity firm Cyble, hackers have begun using phishing pages designed to impersonate a number of popular apps online. While a user may think they’re downloading a widely used app, they’re actually installing malware on their computer.

On January 16, the firm’s researchers discovered a phishing site that was impersonating a popular chat app. The very next day, the same phishing site had been transformed to mimic the site of the remote desktop tool TeamViewer. This shows that the hackers behind the campaign are actively changing and customizing their phishing sites to target a number of popular apps.

Once a user clicks the download button on these phishing sites, malware named “messenger.exe” and “teamviewer.exe” is downloaded onto their PC. However, the hackers behind this campaign are using a clever trick to bypass the best antivirus software: they’re padding these downloads with extra zeros to increase their file size. This helps their malicious executables bypass security checks, as larger software can be harder for antivirus software to detect.

Aurora malware

In this case, the malware being distributed is the Aurora infostealer which as the name suggests, can collect all kinds of sensitive data from the browsers, browser extensions, crypto wallets and user directories on an infected machine. Surprisingly, the malware can also extract data from Telegram if a user has the desktop app installed.

Once all of this sensitive information — including passwords — is gathered up by Aurora, it’s saved in JSON format, compressed using GZIP and converted into the Base64 encoding format before it's sent off to a Command-and-Control (C&C) server controlled by the hackers behind this campaign. 

With a user’s cookies, browsing history, login data and web data in hand, an attacker can commit fraud, drain a user’s bank accounts or even commit identity theft. While the consequences of downloading a fake app that's actually malware might not be apparent at first, this could make things worse as those who have been infected might proceed as normal. All the while, hackers will continue to collect sensitive and personal data from their infected PC.

How to stay safe from malware hiding in app downloads

Best antivirus software

(Image credit: Shutterstock)

Unsuspecting users tend to end up on these phishing sites by clicking on fake ads that have begun to frequently appear in search engines. As such, installing one of the best ad blockers can prevent you from seeing them which means you’ll be far less likely to end up on one of these phishing pages in the first place. In fact, even the FBI now recommends using an ad blocker.

At the same time, you also need to be extremely careful when downloading new software on both your smartphone and PC. You should always check to make sure that you are on a company’s official website before clicking download. Scrolling further down when looking at search results is a good way to make sure you end up on the right site as hackers have impersonated GIMP, Notepad++ and other popular apps in the past and will likely continue to do so.

While you should certainly be using antivirus software on your PC and one of the best Android antivirus apps on your Android smartphone, you may also want to consider upgrading to one of the best internet security suites. These premium packages not only offer antivirus protection but they often include a password manager, a VPN and a firewall to keep you better protected from all manner of online threats.

Fake app downloads have been quite successful for hackers and other cybercriminals which is why we’ll likely continue to see them using this tactic to infect unsuspecting users with malware going forward.

Next: PayPal hacker attack exposes customer names and Social Security numbers — what to do now

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.