Danger level 7
Type: Other

Fake Android Apps Use Overlays to Extract Login Data

How careful are you when installing new apps? How often do you go through the list of installed apps to check that you recognize them all and that none of them has permission to access highly sensitive data? The ball is in your court when it comes to installing useful, reliable apps and removing the ones you no longer use or trust. Unfortunately, things are not always straightforward, and sometimes malicious apps slip right past us onto our mobile devices. If reliable security apps are installed, malware should, in theory, not stand a chance. However, a single skipped update can leave a vulnerability exposed that allows cybercriminals to inject malware into our phones. Therefore, if you use a smartphone, you need to be smart about how you secure it. If you are careless, fake apps could slither in and steal private data right from under your nose.

Catelites is a perfect example of malware that relies on users’ carelessness and cleverly designed fake apps. This malware attacked Android phones, and it is likely to have derived from a malicious banking Trojan named CronBot. That infection helped hackers invade the devices of over one million Android users in 2017, and it resulted in over $900,000 being stolen. The attackers behind it were caught, but the malicious code did not just disappear, and other hackers learned a thing or two from it when building their own versions. Catelites was likely built on this highly successful prototype, and, just like its predecessor, it was spread using fake apps. These apps were not distributed through well-known, popular platforms (e.g., Google Play), but rather through third-party app stores that are generally considered untrustworthy. Although Google Play itself does not seem able to shake off malware entirely, it is certainly much more trustworthy than random sources that promote suspicious apps.

If an Android user is tricked into installing fake apps, malware can be downloaded and installed in various ways. In the case of Catelites, the attackers used a fairly sophisticated attack. First, a fake app associated with this malware took on the name and logo of a well-known app to trick gullible users into thinking it was legitimate. Once downloaded, it created an app icon named “System Application.” If the user tapped the icon, they were asked to grant it administrator rights, which is always a bad sign. You should NEVER grant administrator rights to anything you are not 100% sure about. If the victim was tricked into granting the permissions, the fake app disappeared from the screen and, in its place, three new icons that appeared to represent Chrome, Gmail, and Google Play were created. The moment the user tapped any of these icons, they were asked to enter sensitive data, such as login credentials. Alternatively, the fake app delivered a notification asking the user to sign in. The success of Catelites lay in a clever overlay.

An overlay, in the case of Catelites, is a fake screen designed to look like a legitimate screen displayed by a trusted app. For example, when the user opened the Gmail app, the infection displayed an overlay that looked exactly like the legitimate login screen. This is how cybercriminals could trick users into disclosing sensitive information without suspecting a thing. Many malicious infections have exploited the overlay feature, among them the infamous Marcher banking Trojan. According to researchers, Catelites was also spread with the help of apps capable of posing as over 2,200 banks. When fake apps posing as bank apps were opened, overlays were used to extract online banking account information, making it possible for attackers to take over those accounts and, potentially, clean out savings. Besides this, Catelites was also capable of intercepting SMS messages (potentially to circumvent 2FA), recording device-related information, locking the device, and even wiping all data once administrator privileges were obtained.
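As an added example (not code from the original article), the following Python script turns the traits described above into a triage heuristic over an app inventory: a lookalike label with a non-Google package name, a generic “System Application” label, and the overlay permission combined with device-admin or SMS access. The inventory format and the package name com.example.fake are assumptions; the Google package names and Android permission names are real.

```python
# Added example: heuristic triage of an installed-app inventory for the traits
# the article attributes to Catelites. The inventory fields (label, package,
# installer, device_admin, permissions) are a constructed simplification and
# not the output format of any real tool.

# Genuine package names behind the labels Catelites imitated.
GENUINE = {"Chrome": "com.android.chrome", "Gmail": "com.google.android.gm",
           "Google Play": "com.android.vending"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PLAY_STORE = "com.android.vending"  # installer package name of the Play Store


def triage(app):
    """Return the reasons an app looks like overlay malware (empty if none)."""
    reasons = []
    perms = set(app["permissions"])
    label = app["label"].strip()
    if label in GENUINE and app["package"] != GENUINE[label]:
        reasons.append(f"label '{label}' but package {app['package']}")
    if label.lower() == "system application":
        reasons.append("generic 'System Application' label")
    if OVERLAY in perms and app["device_admin"]:
        reasons.append("overlay permission plus device admin (lock/wipe)")
    if OVERLAY in perms and perms & SMS:
        reasons.append("overlay permission plus SMS access (2FA interception)")
    if app["installer"] != PLAY_STORE and (OVERLAY in perms or app["device_admin"]):
        reasons.append("sideloaded app with overlay or admin capability")
    return reasons


def flagged(inventory):
    """Map package name -> reasons for every app with at least one reason."""
    return {a["package"]: triage(a) for a in inventory if triage(a)}


# Constructed sample inventory: two genuine apps and one Catelites-style dropper.
INVENTORY = [
    {"label": "Gmail", "package": "com.google.android.gm", "installer": PLAY_STORE,
     "device_admin": False, "permissions": ["android.permission.INTERNET"]},
    {"label": "Chrome", "package": "com.android.chrome", "installer": None,
     "device_admin": False, "permissions": ["android.permission.INTERNET"]},
    {"label": "System Application", "package": "com.example.fake", "installer": None,
     "device_admin": True, "permissions": [OVERLAY, "android.permission.RECEIVE_SMS"]},
]

if __name__ == "__main__":
    for pkg, why in flagged(INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```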

There are plenty of malicious apps just like Catelites, and they all use disguises and other sneaky techniques to invade unprotected Android devices. Therefore, even if you delete Catelites or a similar infection, you need to prepare your device for other threats of the same kind. First and foremost, set up a trustworthy security system to guard you. Next, always stay vigilant, so that you notice poorly designed overlays, fake apps, and, hopefully, malware before it is fully activated. Never grant admin rights without thinking about it carefully, and never ignore your gut feeling when it tells you that something is out of the ordinary.


Chrysaidos, N., Phuc, P. D. December 20, 2017. New malware targets accounts at over 2,200 financial institutions. Avast blog and SfyLabs.
