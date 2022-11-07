



Four Android apps from a single developer have repeatedly been found to contain malicious code, yet the infected apps remain on Google Play and have been downloaded more than 1 million times in total.

According to security shop Malwarebytes, these apps come from the developer Mobile apps Group and are infected with a Trojan horse known as HiddenAds. Malwarebytes analyzed one of Mobile apps Group's products, Bluetooth Auto Connect. The app ostensibly does what its name suggests, but it does much more.

Ten months or more of malicious code on Google Play? Perhaps it is time to call a third strike on Mobile apps Group.

According to Malwarebytes, once the app is installed, it waits several days before it starts acting maliciously. Once it does, the app begins opening phishing sites in Chrome. These sites range from benign pay-per-click spam to pages that tell users to download updates or take action because their devices are supposedly infected.

Malwarebytes’ Nathan Collier said:

Interestingly, the Mobile apps Group APK malware was removed twice in January 2021, and the following month the developer uploaded a clean version of Bluetooth Auto Connect before adding the malware back in a subsequent update.

Collier believes the developer was likely caught by Google, leading to the clean upload. Nonetheless, he states that the last clean version went live on October 21, 2021, and that a new, malware-infected version was added to Google Play last December.

“Now in version 5.7, that malicious code is still there to this day. The malicious code has been on Google Play for over 10 months. You’ll be joining the group,” Collier said.

Google Play has a history of hosting malicious apps, and perhaps one of the most egregious cases came to light in July of this year, when 60 malware-laden apps installed by over 3.3 million users were removed.

This is not the first time the HiddenAds Trojan has been spotted on Google Play. It was first seen in the store in 2020, and in 2021 a popular barcode scanning app installed on over 10 million devices was updated to add HiddenAds, according to Collier.

Google has also been accused of failing to crack down on malware preloaded on cheap Android devices, a problem more than 50 advocacy groups called on the company to address in 2020.

Attack on software supply chain hits US news media

Proofpoint Threat Research warns that more than 250 US local newspapers and their websites have served malicious code to their readers following an attack on the software supply chain.

The group responsible is believed to be TA569, also known as SocGholish, Proofpoint said in a Twitter thread. The group reportedly compromised an obscure media company that serves JavaScript ads and videos to national news sites by modifying an otherwise benign JS codebase.

Proofpoint has been tracking TA569 for several years and in 2020 warned that it was conducting similar attacks via HTML injection and CMS compromise. According to Proofpoint, the ultimate goal is to infect victims with SocGholish malware masquerading as an update file for Firefox and other web browsers.

Only the compromised media company serving the ads has a real tally of how widespread the damage is, Proofpoint said, with compromised sites found in the Boston, New York, Chicago, Washington DC and other metropolitan areas.

According to Proofpoint, TA569 regularly removes and adds new malicious code, so "the payload and the presence of malicious content can change over time," which also makes detection harder.

Nearly half of U.S. government employees use outdated mobile devices

A report examining telemetry from more than 200 million devices found that just under half of the mobile devices used by US civil servants at all levels of government run outdated operating systems.

According to security firm Lookout, this includes federal, state and local employees using outdated versions of Android and iOS on their devices, with much worse numbers reported for Android.

Ten months after the Android 12 release, only 67% of federal devices and 54% of state and local devices were running the latest version. Android 11 was on about 15% of devices at all levels of government, while more than 10% of state and local devices were still running Android 9.

The only large group of iOS devices not running iOS 15 (the latest version during the data period) was state and local devices, about a quarter of which were still running iOS 14 or older ten months after the release of iOS 15.

But cybercriminals bent on gaining access to government devices have turned away from malware and toward simple credential harvesting, so these outdated OSes may not be to blame for attackers' footholds in US government agencies.

According to Lookout, nearly 50% of phishing attacks against government employees attempt to steal credentials, up from about a third the year before. One piece of good news in the report is that government employees appear to be learning lessons from phishing.

“More than 50% of federal, state, and local employees who received a notification that they had clicked a phishing link did not click the subsequent mobile phishing link.”

