The domains used by the infostealer look like file names for Google updates, but each URL is only active for a little while before being replaced. It changes URLs like a spy changes clothing in order to remain undetected by URL filters.
ZScaler provided a list of URLs they’ve caught:
http[:]//ldatjgf[.]goog-upps.pw/ygceblqxivuogsjrsvpie555/
- http[:]//iaohzcd[.]goog-upps.pw/wzbpqujtpfdwzokzcjhga555/
- http[:]//uwiaoqx[.]marshmallovw.com/
- http[:]//google-market2016[.]com/
- http[:]//ysknauo[.]android-update17[.]pw/
- http[:]//ysknauo[.]android-update16[.]pw/
- http[:]//android-update15[.]pw/
- http[:]//zknmvga[.]android-update15[.]pw/
- http[:]//ixzgoue[.]android-update15[.]pw/
- http[:]//zknmvga[.]android-update15[.]pw/
- http[:]//gpxkumv.web-app.tech/xilkghjxmwvnyjsealdfy666/
Director of Security Research at Zscaler, Deepen Desai, told ZDNet, “The malware may arrive from compromised or malicious websites using scareware tactics or social engineering.” An easy way to avoid that trouble is to stay away from questionable websites in the first place, and think twice about clicking “Ok.”
He said, “One common theme we have seen in recent malicious android application packages involves scareware tactics where the user will see a popup indicating that their device is infected with a virus and asks them to update to clean up infection.”
After downloading, the fake update called “Update_chrome.apk” prompts unsuspecting Android users to grant it admin access. If they agree, the malware seeks out and nullifies any already installed security or antivirus apps like Avast, ESET, Dr. Web, and Kaspersky to prevent them from functioning as they should.
Once the security software is crippled, the fake Chrome goes about tracking all texts and calls, sending the info to a command-and-control server. The malware can even hang up on unknown callers. If the Google Play Store is installed, it will show a fake credit card payment page that looks eerily close to the real one. If the user falls for that, the malware will send the CC info to a Russian telephone number.
Since the user can’t revoke its admin access, once the user gives the fake chrome infostealer admin access, the only recourse is to factory reset the device.
Editors' Recommendations
- Android 11 update: Here’s when your phone is getting new software
- How to remove malware and viruses from your Android phone
- Google may add Apple-like Continuity tools to Chrome OS and Android
- Delete these eight malware-ridden Android apps immediately
- Android malware keeps returning even after factory reset through Google Play
