Google Chrome is the world’s most popular browser. So when a “very dangerous,” fraudulent update is caught stealing private data, messages and photos, it’s a cause for serious concern.
An alarming new report from McAfee this week warns Android users to refrain from clicking any message links that install Chrome updates on their devices. MoqHao malware is hiding within those downloads with a nasty twist—one which the security researchers describe as a new, “very dangerous technique.”
“While the app is installed,” the researchers warn, “their malicious activity starts automatically. We have reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version.”
This malicious campaign distributes the MoqHao malware through SMS messages—with another twist. The threat actors have started using short URLs from legitimate services, given that “it is difficult to block the short domain because it could affect all the URLs used by that service. [But] when a user clicks on the link in the message, it will be redirected to the actual malicious site by the URL shortener service.”
Once installed, the fraudulent Chrome update then asks for expansive user permissions, including access to SMS, photos, contacts and even the phone itself. The malware is designed to run in the background, connecting with its command and control server, managing data to and from the device, as ever more damage is done.
McAfee attributes this MoqHao (XLoader) campaign to the Roaming Mantis group—a threat actor that usually operates in Asia. However, McAfee notes that this specific campaign also appears to target users in Europe. One of the languages programmed into the campaign is English, which means US users are also in range.
If you look carefully, you can see that the messaging uses Unicode characters to trick users into thinking it’s a legitimate Chrome update. “This technique makes some characters appear bold, but users visually recognize it as ‘Chrome’,” McAfee says, also warning that “this may affect app name-based detection techniques that compare app name (Chrome) and package name (com.android.chrome).”
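The Unicode trick described above, as an added illustration that is not from McAfee's report: a label such as "𝐂hrome" (first letter as MATHEMATICAL BOLD CAPITAL C, a constructed sample) fails a naive string compare against "Chrome", so a detection rule keyed on the literal app name never fires. Folding the label with NFKC before comparing it to the expected package name restores the check; the `KNOWN_APPS` table and the `com.example.fakeupdate` package name are assumptions for the example.

```python
import unicodedata

# Assumed allow-list: the package name each well-known app label should ship under.
KNOWN_APPS = {"Chrome": "com.android.chrome"}


def normalize_label(label: str) -> str:
    """Fold compatibility look-alikes to plain text.

    NFKC maps Mathematical Alphanumeric Symbols (e.g. U+1D402, bold 'C')
    back to their ASCII base letters, so '𝐂hrome' becomes 'Chrome'.
    """
    return unicodedata.normalize("NFKC", label)


def non_ascii_chars(label: str) -> list:
    """List every non-ASCII code point in the label with its Unicode name, for triage."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for ch in label if ord(ch) > 0x7F]


def naive_matches_chrome(label: str) -> bool:
    """The check McAfee says the trick defeats: literal comparison of the raw label."""
    return label == "Chrome"


def classify_app(label: str, package: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious.

    - 'confusable-label': the label only reads as a known name after NFKC folding.
    - 'package-mismatch': the folded label claims a known app but the package differs.
    """
    findings = []
    folded = normalize_label(label)
    if folded != label:
        findings.append("confusable-label")
    expected_package = KNOWN_APPS.get(folded)
    if expected_package is None:
        return findings  # does not impersonate anything on the allow-list
    if package != expected_package:
        findings.append("package-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample: only the first letter is bold, matching "some characters appear bold".
    fake_label = "\U0001D402hrome"
    print(non_ascii_chars(fake_label))
    print(naive_matches_chrome(fake_label), classify_app(fake_label, "com.example.fakeupdate"))
```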
It’s only February, and this is the third headline-generating Android malware alert of the year so far. We have seen VajraSpy, SpyLoan and Xamalicious. We have also seen a wider warning about copycat apps, which echoes what we’re seeing here. As for this one specifically, McAfee warns that “we expect this new variant to be highly impactful because it infects devices simply by being installed without execution.”
“Copycat apps are simple to produce,” warns ESET’s Jake Moore. “Downloading and installing a malicious app on your phone can lead to a number of disasters, including theft of personal data, compromise of banking information, poor device performance, intrusive adware and even spyware monitoring your conversations and messages.”
As I’ve said repeatedly this year, the timing here is potentially even more notable than the malware itself. Europe’s Digital Markets Act is effecting substantial changes to the apps and platforms we use most. And that includes app stores.
Apple is reluctantly opening up its own for the first time, but is warning of the dangers to users as it does so. “These new regulations, while they bring new options for developers, also bring new risks. There’s no getting around that,” Apple’s Phil Schiller has warned, with malware top of the list of those concerns.
Apple opening up to third-party stores will directly contrast its security approach with Google’s, which has always been much less locked down, promoting user choice as a balance to security. If Apple can open up app store choice while maintaining security, that will put additional pressure on Android’s protection.
I have approached Google for any comments on McAfee’s report.
Meanwhile, the advice for users remains very, very simple. Never click on links such as those seen in this latest campaign—and definitely DO NOT install apps directly from links. This was central to ESET’s copycat app warning. You should also never agree to permission requests that aren’t core to an app’s specific functionality.
Here are the golden rules for apps and updates:
- Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load.
- Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews: do they look legitimate or farmed?
- Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
- Never EVER click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
- Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.