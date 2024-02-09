



Google Chrome is the world's most popular browser. So, if you find a highly dangerous and fraudulent update that steals your personal data, messages, and photos, it will raise serious concerns.

[Image: A highly dangerous rogue Chrome update has been discovered. Credit: McAfee]

A surprising new report released by McAfee this week warns Android users not to click on message links that install Chrome updates on their devices. The MoqHao malware is hidden within these downloads with a nasty twist that security researchers describe as a new and highly dangerous technique.

Researchers warn that malicious activities are initiated automatically as soon as the app is installed: "We have reported this technique to Google, and Google is already working on implementing mitigations to prevent this kind of auto-execution in future Android versions."

This malicious campaign uses another twist to distribute MoqHao malware through SMS messages. Attackers have started using short URLs from legitimate URL-shortening services, because blocking a shortener's domain is difficult: it would affect every URL that the service handles. When a user clicks on a link within the message, the URL shortener redirects them to the actual malicious site.

Once installed, the rogue Chrome update requests extensive user permissions, including access to SMS, photos, contacts, and even the phone itself. The malware is designed to do more damage by running in the background and connecting to command-and-control servers to manage data sent to and from the device.

McAfee believes this MoqHao (XLoader) campaign is the work of threat actors from the Roaming Mantis group, which typically operates in Asia. However, McAfee notes that this particular campaign also appears to be targeting users in Europe. One of the languages programmed into this campaign is English, which means that users in the US may also be targeted.

[Image: The new campaign installs automatically. Credit: McAfee]

If you look closely, you'll see that this message uses Unicode characters to trick users into thinking it's a legitimate Chrome update. According to McAfee, the technique makes some of the text appear bold, but users still visually recognize it as "Chrome"; McAfee compares the displayed app name (Chrome) with the package name (com.android.chrome) and warns that the trick may impact app name-based detection methods.
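As an added illustration (not McAfee's or the article's code), the following Python check folds Unicode lookalike characters in an app label back to plain text and compares the result with the label expected for the package name, so a bold "Chrome" on the wrong package, or a non-plain "Chrome" on the real one, is flagged. The EXPECTED_LABELS table and the package name com.example.fakeupdate are constructed assumptions; only com.android.chrome / Chrome comes from the article.

```python
import unicodedata

# Expected label per package name. com.android.chrome -> "Chrome" is from the
# article; anything else an analyst adds here is their own allow-list (assumption).
EXPECTED_LABELS = {"com.android.chrome": "Chrome"}


def normalize_label(label: str) -> str:
    """Fold compatibility characters (mathematical bold letters, full-width forms)
    to their base letters and drop invisible format characters (zero-width etc.)."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(ch for ch in folded if unicodedata.category(ch) != "Cf").strip()


def classify_app(label: str, package_name: str) -> str:
    """Return 'ok', 'unicode_lookalike', 'impersonation' or 'unknown'."""
    canonical = normalize_label(label).casefold()
    imitated = [pkg for pkg, expected in EXPECTED_LABELS.items()
                if normalize_label(expected).casefold() == canonical]
    if not imitated:
        return "unknown"            # label does not read as any app we track
    if package_name not in imitated:
        return "impersonation"      # reads as "Chrome" but package is something else
    if label != EXPECTED_LABELS[package_name]:
        return "unicode_lookalike"  # right package, label is not the plain ASCII name
    return "ok"


# Constructed sample: "Chrome" spelled with Mathematical Sans-Serif Bold letters,
# the kind of bold-looking label the article describes.
BOLD_CHROME = "".join(chr(cp) for cp in (0x1D5D6, 0x1D5F5, 0x1D5FF, 0x1D5FC, 0x1D5FA, 0x1D5F2))

if __name__ == "__main__":
    samples = [("Chrome", "com.android.chrome"),
               (BOLD_CHROME, "com.android.chrome"),
               (BOLD_CHROME, "com.example.fakeupdate"),  # constructed package name
               ("Notes", "com.example.notes")]            # constructed package name
    for label, pkg in samples:
        print(repr(label), pkg, "->", classify_app(label, pkg))
```

Pairing the label check with the package name is the point: a label-only filter would either pass the bold text or break on the legitimate app, depending on how it matches.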

It's only February, but this is the third Android malware alert to make headlines so far this year. I've looked at VajraSpy, SpyLoan, and Xamalicious. We also saw widespread warnings about copycat apps, which mirror what we see here. McAfee warns that this particular variant is expected to have a very high impact, as it infects devices simply by being installed, without being run.

It's easy to create copycat apps, warns ESET's Jake Moore. Downloading and installing malicious apps on your phone can lead to a variety of disasters, including personal data theft, banking information compromise, device performance degradation, intrusive adware, and even spyware that monitors your conversations and messages.

[Image: Permission request. Credit: McAfee]

As I've said repeatedly this year, the timing here may be even more remarkable than the malware itself. The European Digital Markets Act makes significant changes to the apps and platforms we use most. That includes the app store.

Apple is reluctantly rolling out its own services for the first time, warning users of the risks. While these new regulations bring new options to developers, they also introduce new risks. There's no getting around this, and Apple's Phil Schiller warned that malware is at the top of their list of concerns.

Apple's embrace of third-party stores stands in direct contrast to its security approach to date. Google has always had far looser lockdowns and has promoted user choice as a counterbalance to security. If Apple can expand its app store options while maintaining security, it will put additional pressure on securing Android.

I reached out to Google for comment on McAfee's report.

Our advice to users, on the other hand, is very simple. Never click on links like those seen in this latest campaign, and do not install apps directly from links. This was at the heart of ESET's copycat app warning. Also, never agree to permission requests that are not core to an app's specific functionality.

The golden rules for apps and updates are:

Use official app stores, avoid third-party stores, and don't change your device's security settings to allow apps to be sideloaded.
Check the developer in the app description. Do you recognize it? Then check the reviews to see whether they are genuine or fake.
Don't give apps permissions they don't need. Flashlight and stargazing apps don't require access to your contacts or your phone. Never grant accessibility permissions, which facilitate device control, unless they are necessary.
Never click on links in emails or messages that directly download apps or updates. Always use the app store for installations and updates.
Don't install apps that claim to link to established apps like WhatsApp unless you know for a fact that they are legitimate; reviews or online posts are not proof.

