Watch out: photo editor apps hiding malware on Google Play

Thanks to Chen Yu of SophosLabs for her research.

SophosLabs has discovered apps in Google Play harbouring Guerilla ad clicker malware.

The malware, identified by Sophos as Andr/Guerilla-D, found its way on to Google Play during March and April 2018, in innocent-looking photo editor apps.

Guerilla ad clicker

SophosLabs detected the malware in a total of 25 apps, all of which have been reported to Google.

Sadly, it’s not the first time this malware has made it past Google’s Android app review process and into the walled garden of Google Play. Earlier this year SophosLabs alerted Google to the presence of more than a dozen malicious apps and published a report about Guerilla malware targeting Android users.

The apps harbouring the Guerilla malware work – they really are games, flashlight apps or photo editors – but while they’re doing what you’d expect, they’re also doing something you wouldn’t: contacting remote servers and receiving instructions to download malicious JAR (Java Archive) files.

That extra Java code generates fraudulent ad revenue for the app developers by making the phone click on Google ads in the background, without users realising.

The new batch of Guerilla apps displays a few technical differences from those removed from Google Play earlier this year.

Like the earlier apps, the latest ones hide their payloads in their asset folders as text files. This time around the apps use the filenames atop.txt or atgl.txt.

In an apparent effort to avoid detection, the JAR files now arrive encrypted, with the DES algorithm, and are decrypted on the phone.

Guerilla decryption
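A triage check for the packaging trait described above (payload hidden in the asset folder as atop.txt or atgl.txt, either a bare JAR or an encrypted blob). This is an added example, not SophosLabs code: it opens an APK as a zip, looks for the two asset names named in the article, labels each as a plain JAR (zip magic) or encrypted-looking (high byte entropy), and builds a constructed sample APK in memory so it runs offline. The entropy threshold is an assumption.

```python
import io
import math
import zipfile
from collections import Counter

# Asset names the article reports for the new Guerilla batch.
SUSPECT_ASSETS = ("assets/atop.txt", "assets/atgl.txt")
ZIP_MAGIC = b"PK\x03\x04"   # a JAR is a zip, so an unencrypted payload starts with this
ENTROPY_THRESHOLD = 7.0     # assumption: bits/byte above which a blob is "encrypted-looking"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; DES ciphertext sits near 8.0, text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes) -> str:
    """Label an asset: a bare JAR, an encrypted-looking blob, or something else."""
    if data.startswith(ZIP_MAGIC):
        return "plain-jar"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "encrypted-looking"
    return "other"


def triage_apk(apk_bytes: bytes) -> dict:
    """Return {asset path: label} for each suspect asset present in the APK."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        present = set(apk.namelist())
        for asset in SUSPECT_ASSETS:
            if asset in present:
                findings[asset] = classify_blob(apk.read(asset))
    return findings


def _zip_bytes(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_apk(infected: bool = True) -> bytes:
    """Constructed sample APK (not a real sample): a stub manifest plus, when
    infected, the two asset names holding a high-entropy blob and a bare JAR."""
    entries = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
    if infected:
        # Stand-in for DES ciphertext: every byte value equally often -> entropy 8.0.
        entries["assets/atop.txt"] = bytes(range(256)) * 16
        entries["assets/atgl.txt"] = _zip_bytes({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    return _zip_bytes(entries)


if __name__ == "__main__":
    for label, apk in (("infected", build_sample_apk(True)), ("clean", build_sample_apk(False))):
        print(label, triage_apk(apk) or "no suspect assets")
```

A hit on either filename is only a lead for analyst review; the filenames are cheap for an author to change, so treat the check as triage, not detection.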

The affected packages are:

| Title | Package Name | Downloads | Publisher |
|---|---|---|---|
| Ladies World | com.channe.ladiesworld | 50000+ | Chenxy |
| Happy photos | com.flower.hphoto | 50000+ | chandrahegang |
| Beauty camera | | 1000+ | bai xiongshu |
| S-PictureEditor | com.aeapp.utli.edit | 50000+ | bai xiongshu |
| Collage maker 2018 | com.YtApp.collage.edit | 100000+ | bai xiongshu |
| Gallery | com.Aeapp.gaIlery.pls | 5000+ | bai xiongshu |
| Collage Maker | | 100000+ | bai xiongshu |
| S Photo Plus | | 100000+ | LiaoAny |
| CollagePlus | com.aml.tpho.edit | 100000+ | LiaoAny |
| Photo Studio | | 10000+ | elaine.wei |
| Collage Studio | | 5+ | elaine.wei |
| Photo Studio Plus | com.uil.cls.edit | 10000+ | elaine.wei |
| Collage Studio Pro | com.old.clo.pic | 10+ | elaine.wei |
| Hot Chick | com.ndun.hotchick | 10000+ | Sunshine Fun |
| Popular video | | 5000+ | Phoenix bird Tech Limited |
| Music play | | 1000+ | Jiangxi Huarui Network technology company |
| Photo collage edit | | 10+ | Jiangxi Huarui Network technology company |
| Pic collage | com.UIApp.pic.collage | 50+ | Jiangxi Huarui Network technology company |
| Super Photo Plus | com.HwA.slp.photopls | 1+ | kowloon |
| Bees collage | com.HwA.bee.pisc | | kowloon |
| Superb Photo | | | kowloon |
| Sweet Collection | com.zwws.sweetcollection | 10000+ | TopFun Families |
| Pic collage | | 5+ | Shenzhen coronation plus Technology Co., Ltd. |
| K music | | 10+ | Shenzhen coronation plus Technology Co., Ltd. |

What to do?

In all areas of cybersecurity we recommend a strategy of defence in depth.

The safest place to get your Android apps is still Google Play. Although malware is found there fairly regularly, it’s still news when it happens. Google Play isn’t perfect but it’s a far safer environment than other, unregulated, app repositories.

Because no app review process can ever be perfect, we recommend running security software on your phone too, such as Sophos’s free Sophos Mobile Security for Android.

from SophosLabs blog


Mobile Menace Monday: re-emergence of a fake Android AV

Back in early 2013, a new mobile antivirus (AV) company called Armor for Android emerged into the mobile security software industry that had everyone perplexed. It seemed eerily like malware known as a Fake AV, and some even gave it that label. As a younger mobile researcher, I was one of those who gave it such a label, adding it to a list of malware detections. Shortly after, Armor for Android contacted the security company I worked for at the time and demanded their detection be removed.

As a rebuttal, I wrote a blog to fire back with evidence that there was no way this AV company could be legitimate—despite it being on Google Play. I never published that blog because I was thrown off by something that had me questioning everything: the AV company was tested by a reputable antivirus testing company. Even more off-putting, it landed a high score to receive an official certification! How could a Fake AV be certified by a respectable AV test company?

I left the blog alone and let the subject die. But recently, Armor for Android appears to have made a comeback. Let’s take a look at how they were gaming the system five years ago, and what new tricks they’re up to now.

Cheating the system

Suddenly, Armor for Android was competing with everyone else in the industry after only a couple of months. But how? Simple. They were cheating. I remember vividly that the naming conventions they used to detect malware were the same as those of other well-received anti-malware mobile scanners. To be fair, many in the industry use similar naming conventions. However, the ones used by Armor for Android were EXACTLY the same as other companies’. It was obvious they were stealing other companies’ detections. But how?

Share, but don’t steal

VirusTotal is a company that everyone in the software security industry uses to share detections with the world. You can simply upload a file, even an Android APK, to VirusTotal and several antivirus/anti-malware scanners will return results. This can aid the typical user in finding out if a file is malicious. In addition, it helps point security researchers in the right direction in determining for themselves if something is malicious. What isn’t allowed is stealing directly from VirusTotal to produce your results. Not only is this against the terms of service, it is a deadly sin among everyone in the security industry.

But that is exactly what Armor for Android does. By using a network analyzer tool and running Armor for Android, you can see traffic to and from VirusTotal. The detailed data reveals that they indeed steal the detections of others. Pretty easy to do well on a test when you’re peeking over the shoulder of the smartest kids in class!

Showing their real intentions

Armor for Android could have stopped there. They had already duped Google Play. In addition, they clearly had the money to pay for an expensive test to receive certification. Instead, they decided to proceed with tactics used by other Fake AV malware. The following evidence is what I found years ago, but regrettably never published.

Back in 2013, I was playing a free game downloaded from Google Play. In exchange for the app being free, I agreed to receive non-aggressive ads, as many of us do. What I saw was a series of different links using scare tactics:


As a young mobile researcher, I did what all of us would have done and clicked on these links to see down which rabbit holes it would take me. The first hop was this one:

Onward down the rabbit hole, I clicked Download & Scan FREE Now, and it started to download a file named Scan-For-Viruses-Now.apk (more on this app in a bit).

After the download, I landed on a known Armor for Android web page that instructs you to allow unknown sources and again to download and install an app.

Very odd for a legitimate AV company to instruct mobile users to download directly from their website rather than pointing them to Google Play.

Double chance of infection

Further analyzing the downloaded app, Scan-For-Viruses-Now.apk, it’s a version of Armor for Android that insists on a payment of $1.99 to scan the device. Check the fine print, because that ends up being $1.99 per week, or $103.48 a year. But hey, they have a certification by an AV testing firm, right?


It appears Scan-For-Viruses-Now.apk downloads just in case you weren’t falling for the last web page asking you to allow unknown sources and stating “IMPORTANT! You must now INSTALL, OPEN and ACTIVATE.” Also, if allowing unknown sources was disabled on your device, it would have been a last-chance effort, since Scan-For-Viruses-Now.apk wouldn’t have been able to download and install. In my opinion, none of this looks like the practices of a legitimate AV company.

Re-emergence of a classic

Just a couple of days ago, an APK came into our mobile intelligence system with a different name, but very familiar set of behaviors. It was clearly a repackaged variant of Armor for Android, but this time called Android’s Antivirus.


Swiftly, we added a detection called PUP.Riskware.Armor.

Warning about Fake AVs

Fake AVs like the one described above have been around for a long time and come in many different forms. Some can be extremely dangerous. For legitimate antivirus/anti-malware programs to do their jobs, special permissions must be given. For instance, Malwarebytes for Android uses device administration as required to remediate nasty ransomware. As a respectable anti-malware company, you have our word that we will never use device administration rights for erasing mobile devices or other nefarious actions. However, give those same rights to a malicious Fake AV app, and you could be in trouble.

Fake AV or legitimate

Because of the elevated permissions needed, consumers need to take extra caution when choosing a mobile antivirus/anti-malware scanner. Unfortunately, it’s often hard to tell what is a Fake AV versus a legitimate antivirus/anti-malware mobile app—especially when Fake AVs creep into Google Play and take time to create a convincing website. As a consumer, do your research to pick respectable software companies. Does the company have a deep, respectable blog (like this one)? How long have they been around? When in doubt, you can always rely on Malwarebytes products to keep you safe from the latest threats!

Denial of entry

Although I never published that blog way back when, I did stand my ground to classify Armor for Android as a fake AV. Now, as a researcher at Malwarebytes, I continue to fight against shady fake AV companies in the mobile space. I helped detect Armor for Android as a fake Android AV years ago. I’ll do the same for any other company looking to take advantage of mobile customers. Stay safe out there!

The post Mobile Menace Monday: re-emergence of a fake Android AV appeared first on Malwarebytes Labs.

from Malwarebytes Labs

Fake Teleg’e’ram on Google Play

Recently, the Russian government ordered the immediate blocking of the messaging app Telegram and requested its removal from the Apple App Store and Google Play Store. In reviewing activities around this matter, Zscaler ThreatLabZ researchers noticed a fake Telegram app making the rounds in the Google Play Store. Zscaler informed Google about the fake app and it was promptly removed from the store.

Because Telegram is partially open-source, we initially thought this fake Telegram app was a regular app implementing Telegram APIs. However, upon further analysis, we found that the fake app had been repackaged, which suggests that a developer simply decompiled the original Telegram app and added advertisement libraries. We also noticed that the name and icon of the fake app change after installation. Our analysis is detailed below.

App Details 

Name: Telegraph Chat (which changes to Teleg’e’ram after installation) 
Package Name: com.telegeram.anydev
Hash: 1f188831ec559566f8746e5e57bb1fcbb0f30ead
VT count: 2/62 (at time of analysis) 

The screenshot below shows the fake Telegram app (left) and the original Telegram app (right). The fake app portrayed itself as Telegraph Chat and the Play Store description of the app was precisely the same as the original Telegram app. The only differences were that the term Telegram was changed to Telegraph Chat and the app icon was slightly altered after installation.

Fig 1: Fake app vs original app (Google Play Store)


The screenshot below on the left shows the app as it appears in Google Play, displayed as Telegraph Chat. The screenshot on the right shows how the app changes after installation, displaying a different icon and name, Telegeram (notice the extra “e”).

Fig 2: Fake app name/icon change


As soon as users try to open the app, they are bombarded with different types of ads. Below is a screenshot of banner ads inside the app (left) and an interstitial ad (right).

Fig 3: Ads displayed by fake app


In one instance, we also noticed an obfuscated piece of code sent by the server that contained a Play Store link to a browser named Silver Mob US Browser. We could not analyze this app because it had been removed from the Google Play Store before our investigation began. The screenshot below shows the response and further functionality.

Fig 4: Download link leading to ‘removed’ Play Store app


Adware such as this example presents a threat because it is capable of providing links that can lead users to download highly malicious Android apps.

In our analysis, we noticed that the fake app performed the original Telegram app’s messaging functions, but other functions were missing. We tried calling other numbers, which is a feature of the original Telegram, but the fake app stopped working, as shown in the message below:

Fig 5: Fake app fail.


Telegram is a popular app with 200 million users, according to its own reports. But with the confusion brought about by the actions of the Russian government, bad actors have seized an opportunity to present an app that may trick users searching for Telegram into downloading a malicious app. This technique is often used when an app is popular (see Pokemon GO) or, in this case, in the news.

Fake versions of popular apps are an ongoing problem, and once such an app has been downloaded on a mobile device, it is easy for the developer to open a gateway for more downloads and installation of malware. 

Users should always take appropriate precautions before installing any app, even in trusted stores like Google Play or Apple App Store. One effective precaution is to read other users’ reviews before installation.  


Fig 6: Google Play reviews for fake Telegram app


ThreatLabZ will continue to track and ensure coverage for fake Android apps to protect Zscaler customers.


from Zscaler Research

Improving the Advanced Protection Program for iOS users

Last October, Google launched the Advanced Protection Program, our strongest level of account security, designed to protect the overlooked segment of our users who face an increased risk of sophisticated attacks. These users may be journalists, activists, business leaders, political campaign teams, and others who feel especially vulnerable.

Today we’re announcing that Advanced Protection now supports Apple’s native applications on iOS devices, including Apple Mail, Calendar, and Contacts. This allows iOS users to enroll in the program without having to adjust how they use Google services on their Apple devices.

To protect you from accidentally sharing your most sensitive data with fraudulent apps or web services, Advanced Protection places automatic limits on which apps can gain access to your Google data. Before today, this meant that only Google applications were able to access your data if you were enrolled in the program.

With today’s update, you can now choose to allow Apple’s native iOS applications to access your Gmail, Calendar, and Contacts data. When you sign into iOS native applications with your Google account, you will get instructions on how to complete the sign-in process if you’re enrolled in Advanced Protection. We’ll continue to expand the list of trusted applications that can access Google data in the future. 

Layers of security protections

In addition to these updates, you’ll continue to benefit from Advanced Protection’s other safeguards. To provide you with the strongest defense against phishing, Advanced Protection goes further than traditional 2-Step Verification, requiring you to use a physical Security Key to sign back into your account after you’ve logged out, or anytime you sign in on a new device. Advanced Protection also helps block fraudulent access to your account by adding extra steps to the account recovery process to prevent people from impersonating you and pretending they’ve been locked out of your account.

Our goal is to make sure that any user facing an increased risk of online attacks enrolls in the Advanced Protection Program. Today, we’ve made it easier for our iOS users to be in the program, and we’ll continue our work to make the program more easily accessible to users around the globe. Get started at

from Official Google Blog

Use your favorite password manager with Android Oreo

Security experts recommend strong, unique passwords for each service that you use. For most of us, however, it can be difficult to manage credentials across multiple websites and apps, especially if you’re trying to keep track of everything in your head.

In Android 8.0 Oreo, we made it simpler to use Autofill with a password manager, like LastPass, Dashlane, Keeper, or 1Password. Particularly on tiny devices like your phone, autofill can make your life easier by remembering things (with your permission), so that you don’t have to type out your name, address, or credit card over and over again.

With the new autofill services in Oreo, password managers can access only the information that’s required in order to autofill apps, making your data more secure. There’s a specific list of password managers (which you can find in Android Settings) that meet our security and functional requirements, and we’ll be continuing to grow this list over time. If you already use a password manager, then you’ll be able to try the new experience today.


How does it work?

Setting up Autofill on your device is easy. Simply go to Settings, search for “Autofill,” and tap “Autofill service.” If you already have a password manager installed, it will show up in this list. You can also tap “Add service” to download the password manager of your choice from the Play Store.

Once you’ve set a password manager as your Autofill service, the information stored in that app will show up in Autofill whenever you fill out forms (for example, your saved username and password will show up as a suggestion when you’re logging into an app for the first time).

We include Google as an autofill service on all devices running Android 8.0 and above, which lets you use data that you already have saved in Chrome to fill in passwords, credit cards, addresses, and other personal information.


Language and input settings


Autofill service settings: here you can pick the app that you would like to use as your Autofill service

Whether you use Google or another password manager from the Play Store, the new Autofill experience on Oreo makes it easier to securely store and recall commonly typed information, like passwords and credit card numbers.

from Official Google Blog

Vulnerability Spotlight: Multiple Vulnerabilities in Moxa EDR-810 Industrial Secure Router


These vulnerabilities were discovered by Carlos Pacho of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in the Moxa EDR-810 industrial secure router.

Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. Moxa EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix these issues.



from Threat Research – Cisco Blog

New Android Malware Secretly Records Phone Calls and Steals Private Data

Security researchers at Cisco Talos have uncovered variants of a new Android Trojan that are being distributed in the wild disguised as a fake anti-virus application, dubbed "Naver Defender."



Dubbed KevDroid, the malware is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices, as well as capable of recording phone calls.

Talos researchers published technical details on Monday about two recent variants of KevDroid detected in the wild, following the initial discovery of the Trojan by South Korean cybersecurity firm ESTsecurity two weeks ago.

Though researchers haven’t attributed the malware to any hacking or state-sponsored group, South Korean media have linked KevDroid with the North Korean state-sponsored cyber espionage hacking group "Group 123," primarily known for targeting South Korean targets.

The most recent variant of KevDroid malware, detected in March this year, has the following capabilities:

  • record phone calls & audio
  • steal web history and files
  • gain root access
  • steal call logs, SMS, emails
  • collect the device’s location every 10 seconds
  • collect a list of installed applications

The malware uses an open source library to gain the ability to record incoming and outgoing calls from the compromised Android device.

Although both malware samples have the same capabilities of stealing information from the compromised device and recording the victim’s phone calls, one of the variants also exploits a known Android flaw (CVE-2015-3636) to get root access on the compromised device.

All stolen data is then sent to an attacker-controlled command and control (C2) server, hosted on PubNub global Data Stream Network, using an HTTP POST request.

"If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim," resulting in "the leakage of data, which could lead to a number of things, such as the kidnapping of a loved one, blackmail by using images or information deemed secret, credential harvesting, multi-factor token access (SMS MFA), banking/financial implications and access to privileged information, perhaps via emails/texts," Talos says.

"Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid."

Researchers also discovered another RAT, designed to target Windows users, that shares the same C&C server and also uses the PubNub API to send commands to the compromised devices.

How to Keep Your Smartphone Secure

Android users are advised to regularly cross-check the apps installed on their devices and remove any malicious, unknown or unnecessary app that appears in the list without their knowledge or consent.

Such Android malware can be used to target your devices as well, so if you own an Android device, you are strongly recommended to follow these simple steps to help avoid this happening to you:

  • Never install applications from 3rd-party stores.
  • Ensure that you have already opted for Google Play Protect.
  • Enable ‘verify apps’ feature from settings.
  • Keep "unknown sources" disabled while not using it.
  • Install anti-virus and security software from a well-known cybersecurity vendor.
  • Regularly back up your phone.
  • Always use an encryption application for protecting any sensitive information on your phone.
  • Never open documents that you are not expecting, even if it looks like it’s from someone you know.
  • Protect your devices with a PIN or password lock so that nobody can gain unauthorized access to your device when it is left unattended.
  • Keep your device always up-to-date with the latest security patches.

from The Hacker News