Google Chrome is the world’s most popular browser. So if a “very dangerous” rogue update is caught stealing private data, messages and photos, it’s a cause for serious concern.
2/11 update below, article originally published 2/9.
An alarming new report from McAfee this week warns Android users not to click on notification links that install Chrome updates on their devices. MoqHao malware hides in these downloads with a nasty twist – one that security researchers describe as a new, “highly dangerous technique.”
“While the app is installed,” the researchers warn, “their malicious activity starts automatically. We have reported this technique to Google and they are already working on implementing measures to prevent this type of automatic execution in a future Android version.”
This malicious campaign spreads the MoqHao malware via text messages, with a different twist. The threat actors have started using short URLs from legitimate services because, as McAfee explains, “it is difficult to block the short domain because it could affect all URLs used by that service. [But] when a user clicks on the link in the message, the URL shortener service redirects them to the actual malicious site.”
Once installed, the rogue Chrome update asks for extensive permissions, including access to SMS, photos, contacts, and even the phone itself. The malware is designed to run in the background, connecting to its command-and-control server and shuttling data to and from the device as the damage mounts.
McAfee attributes this MoqHao (XLoader) campaign to the Roaming Mantis group, a threat actor typically active in Asia. However, McAfee notes that this particular campaign also appears to be targeting users in Europe. One of the languages programmed into the campaign is English, meaning American users are also within reach.
Look closely at the malicious app’s name and you can see that it uses Unicode characters to trick users into thinking it is a legitimate Chrome update. “This technique makes some characters appear bold, but users visually recognize it as ‘Chrome,’” says McAfee, also warning that “this may affect app name-based detection techniques that use the app name (Chrome) and compare the package name (com.android.chrome).”
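The detection weakness McAfee describes is easy to reproduce. The following is an added example (not code from McAfee or from the article) showing why an exact string comparison on the app label fails against a label written in Unicode mathematical bold letters, and how folding the label with NFKC normalization before comparing it with the package name catches the impersonation. The package name `com.example.update` and the list of legitimate Chrome packages are constructed for the example; a real allowlist would be larger.

```python
import unicodedata

# Constructed allowlist for this example: brand label -> packages that may legitimately carry it.
# Only Chrome is modelled here; a production allowlist would cover many more brands.
BRAND_PACKAGES = {
    "chrome": {"com.android.chrome", "com.chrome.beta", "com.chrome.dev", "com.chrome.canary"},
}


def normalize_label(label: str) -> str:
    """Fold compatibility variants (mathematical bold, fullwidth, etc.) to their plain forms.

    NFKC maps U+1D402 MATHEMATICAL BOLD CAPITAL C to 'C', and so on, so a label that
    merely *looks* like "Chrome" becomes the literal string "Chrome".
    """
    return unicodedata.normalize("NFKC", label)


def naive_is_chrome(label: str) -> bool:
    """The brittle check McAfee warns about: an exact comparison on the raw label."""
    return label == "Chrome"


def assess_app(label: str, package: str) -> dict:
    """Flag a label that hides behind compatibility characters or borrows a brand name
    without the matching package name. Returns a verdict plus the reasons behind it."""
    folded = normalize_label(label)
    key = folded.casefold().strip()
    reasons = []
    if folded != label:
        reasons.append("label contains Unicode compatibility characters that fold to plain text")
    if key in BRAND_PACKAGES and package not in BRAND_PACKAGES[key]:
        reasons.append(f"label reads as {key!r} but package {package} is not a known {key} package")
    return {
        "label": label,
        "normalized": folded,
        "package": package,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }


def scan(apps):
    """Assess a list of (label, package) pairs, e.g. pulled from an installed-apps inventory."""
    return [assess_app(label, package) for label, package in apps]


# Constructed samples: the real Chrome, a bold-Unicode "Chrome" with an unrelated package
# (the disguise McAfee describes), and a plain-ASCII "Chrome" on a wrong package.
BOLD_CHROME = "\U0001D402\U0001D421\U0001D42B\U0001D428\U0001D426\U0001D41E"
SAMPLE_APPS = [
    ("Chrome", "com.android.chrome"),
    (BOLD_CHROME, "com.example.update"),
    ("Chrome", "com.example.fakechrome"),
]

if __name__ == "__main__":
    for result in scan(SAMPLE_APPS):
        naive = naive_is_chrome(result["label"])
        print(f"{result['label']!r:>14} ({result['package']}): naive match={naive}, "
              f"verdict={result['verdict']}")
        for reason in result["reasons"]:
            print(f"    - {reason}")
```

The naive check reports `False` for the bold-letter label, so a detector built on it never looks at the package name at all; after NFKC folding the label becomes the ASCII string “Chrome” and the package mismatch is visible. Note that NFKC does not fold every look-alike (Cyrillic “С” for Latin “C”, for instance), so a fuller confusable check would also apply a skeleton mapping such as the one in Unicode TR39.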
It’s only February and this is already the latest in a string of headline-generating Android malware alerts this year, after VajraSpy, SpyLoan, and Xamalicious. We’ve also seen a broader warning about copycat apps, which echoes what we’re seeing here. Regarding this campaign specifically, McAfee warns that “we expect this new variant to have a major impact as it infects devices simply by being installed without running.”
“Copycat apps are easy to produce,” warns ESET’s Jake Moore. “Downloading and installing a malicious app on your phone can lead to a number of disasters, including theft of personal data, compromise of banking information, poor device performance, intrusive adware, and even spyware that monitors your calls and messages.”
As I’ve said repeatedly this year, the timing here is potentially even more remarkable than the malware itself. The European Digital Markets Act will bring substantial changes to the apps and platforms we use most. And that also includes app stores.
Apple is reluctantly opening up its platform for the first time, but warns of the dangers to users. “While these new regulations bring new opportunities for developers, they also bring new risks. There’s no way around that,” Apple’s Phil Schiller warned, with malware at the top of the list of concerns.
In response to the McAfee report, a Google spokesperson told me that “Android has multi-layered protections that help keep users safe,” and, as noted in the McAfee report, that “Android users are currently protected from this by Google Play Protect, which is enabled by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even if those apps come from sources outside of Play.”
Google also confirmed that it has worked with McAfee to tackle this new malware threat, as it is one of its App Defense Alliance partners.
Google’s focus on and promotion of its Play Store ecosystem, including Play Protect, is commendable and is certainly making a difference. The problem, however, is that defending against threats like this one also requires a better software and security update process than is currently in place.
Android’s fragmented ecosystem has always lagged significantly behind Apple’s tightly controlled one when it comes to keeping devices up to date and responding to issues in real time. By relying on device OEMs for much of this work, Google doesn’t have the same controls as Apple, and it shows.
And by a twist of timing, we see this problem playing out right now.
As Ars Technica reported this weekend: “We’re a third of the way through February, but the Google Play January 2024 system update for Android is just now rolling out. The now infamous update was originally rolled out in early January, but was pulled after it started blocking users from their phone’s local storage. Apparently the update has been resolved and is being rolled out to devices again.”
But now – as of this weekend – it at least seems to have been resolved. Although Ars Technica warns that “the update marked the second time in four months that an automatic Android update has broken some Pixel phones… These issues all make updating a Pixel phone a scary proposition lately.”
And while that update issue affects Pixel phones, Samsung has its own issues, as SamMobile explains. “Typically, it’s the flagship devices that get monthly security updates and the mid-range and budget models that get quarterly updates, but that’s not always clear. Some devices may receive monthly updates for the first two years after release and then be moved to the quarterly schedule, while others may be relegated to quarterly updates from day one.”
All this means that there is a real need for user common sense and good practice to stay safe. The advice remains terribly simple. Never click on links like the ones seen in this latest campaign, and never install apps directly from links. This was central to ESET’s copycat app warning. You should also never agree to permission requests that are not part of the specific functionality of an app.
These are the golden rules for apps and updates:
- Stick to official app stores. Don’t use third-party stores or change your device’s security settings to allow apps to be sideloaded.
- Check the developer in the app description. Is this someone you would like to have in your life? And check the reviews: do they look legit or farmed?
- Don’t give permission to an app that doesn’t need it: Torches and stargazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you need to.
- Never ever click links in emails or messages that directly download apps or updates. Always use app stores for installations and updates.
- Don’t install apps that claim to be add-ons or mods for established apps like WhatsApp unless you are sure they are legitimate. Check reviews and online articles.