A newly discovered Android malware, called MasterFred, steals credit card information from Netflix, Instagram and Twitter users through fake login overlays.
MasterFred, categorized as an Android banking Trojan, also targets banking customers with fake login overlays in several languages. First seen in June 2021, the MasterFred banking Trojan has resurfaced recently and is emerging as a major threat, BleepingComputer reported.
A sample of the malware was first discovered by malware analyst Alberto Segura and submitted to VirusTotal for analysis at that time. Segura shared a second sample last week, saying it had been used against Android users in Turkey and Poland.
Android Malware Uses APIs to Carry Out Attacks to Harvest Financial Information
After thorough analysis, researchers from Avast Threat Labs found that the malware abuses the Android Accessibility Service application programming interfaces (APIs) to carry out its attacks. According to Avast Threat Labs, the attacker uses the APIs on Android "to implement the Overlay attack to trick the user into entering credit card information for fake account breaches" on such apps as Netflix, Instagram and Twitter.
Malware developers have abused the Android Accessibility Service before, using it to simulate taps and navigate the user interface in order to install the malware, download and launch additional malicious payloads, and run other background operations on the phone without the user's knowledge.
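Because an overlay banker like MasterFred only works once it holds accessibility access, the most direct check on a suspect device is the list of enabled accessibility services. The POSIX shell script below is an added example, not code from the article, from BleepingComputer or from Avast: it compares that list against an allowlist and flags anything unexpected. The allowlist, the sample setting value and the `com.example.fakeplayer` package are constructed for illustration; the `audit_connected_device` wrapper is the only part that needs a device attached.

```shell
#!/bin/sh
# Added example (not from the article or from Avast): audit an Android device's
# enabled accessibility services against an allowlist. Allowlist and sample
# values are constructed for illustration.

# Services an organisation expects to see, one per line, in the same
# package/ServiceClass form that Android stores in the setting (constructed;
# adjust for your own fleet).
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService
com.android.switchaccess/com.android.switchaccess.SwitchAccessService"

# Argument 1 is the raw value of the secure setting, as printed by
#   adb shell settings get secure enabled_accessibility_services
# (colon-separated package/service entries, or the literal string "null").
# Prints one unexpected entry per line; returns 1 if any were found, else 0.
flag_accessibility_services() {
    raw=$1
    found=0
    # adb prints "null" when no service has ever been enabled.
    [ "$raw" = "null" ] && raw=""
    # Split on ':' (the setting's separator) without relying on bash arrays.
    old_ifs=$IFS
    IFS=:
    set -- $raw
    IFS=$old_ifs
    for entry in "$@"; do
        [ -z "$entry" ] && continue
        if ! printf '%s\n' "$ALLOWED_SERVICES" | grep -qxF -- "$entry"; then
            printf 'UNEXPECTED accessibility service: %s\n' "$entry"
            found=1
        fi
    done
    return $found
}

# Live variant: read the setting from the attached device. adb shell output
# can carry carriage returns on some hosts, so strip them before comparing.
audit_connected_device() {
    flag_accessibility_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}

# Constructed sample value, in the form adb would print it. The second entry
# is a hypothetical package standing in for a sideloaded app that requested
# accessibility access; it is not a real MasterFred indicator.
SAMPLE_SETTING='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeplayer/com.example.fakeplayer.AccService'

# Expected: the com.example.fakeplayer entry is reported and the device is
# marked for review.
flag_accessibility_services "$SAMPLE_SETTING" || printf 'device needs review\n'
```

One caveat worth knowing when building such a check: a service that already holds accessibility access can draw `TYPE_ACCESSIBILITY_OVERLAY` windows without the separate "draw over other apps" (`SYSTEM_ALERT_WINDOW`) permission, so auditing `appops` for that permission alone would miss this class of malware; the enabled-services list is the check that matters.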
Hackers Use Apps That Carry HTML Overlays Showing Fake Login Forms to Get Financial Data
MasterFred, however, is a distinct animal in its own right. The malicious apps that bring the malware onto Android devices also carry HTML overlays that display fake login forms mimicking the Netflix, Twitter and Instagram pages in order to capture the user's financial data. MasterFred also uses the Onion.ws Tor2Web proxy, a dark web gateway, to transmit the stolen data to servers under the attacker's control.
Once installed, the apps prompt the user to sign in, much as any legitimate online service would, and to enter credit card details.
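The exfiltration path described above is visible at the network edge, because a Tor2Web gateway is reached over ordinary HTTPS to a gateway subdomain rather than over the Tor network. The shell/awk filter below is an added detection example, not code from the article or from Avast: it flags proxy log lines whose destination host is a subdomain of a listed gateway or a bare .onion name. The log layout (host in the third field), the sample lines and the hostnames in them are constructed; the gateway list holds only the onion.ws gateway named in the article and is meant to be extended from your own threat intelligence.

```shell
#!/bin/sh
# Added example, not code from the article or from Avast: flag outbound
# connections to Tor2Web gateways, which MasterFred uses to reach its
# attacker-controlled infrastructure without bundling a Tor client.

# Gateway suffixes to match, space-separated. onion.ws is the gateway named in
# the article; the list is constructed and should be extended.
GATEWAY_SUFFIXES="onion.ws"

# Reads log lines on stdin and prints those whose destination host (field 3 in
# this constructed layout; change $3 for your proxy or DNS log format) is a
# listed gateway, a subdomain of one, or ends in .onion.
flag_tor2web_hosts() {
    awk -v suffixes="$GATEWAY_SUFFIXES" '
    BEGIN { n = split(suffixes, suffix, " ") }
    {
        host = tolower($3)
        hit = (host ~ /\.onion$/)
        for (i = 1; i <= n && !hit; i++) {
            tail = "." suffix[i]
            # Exact match or a true subdomain: compare the end of the host
            # byte-for-byte rather than via a regex, so dots stay literal and
            # names like legit-onion.ws.example.org are not flagged.
            if (host == suffix[i] ||
                substr(host, length(host) - length(tail) + 1) == tail)
                hit = 1
        }
        if (hit) print
    }'
}

# Constructed sample log: timestamp, client IP, destination host, port, method.
# The onion.ws hostname is a made-up label, not a real gateway address.
SAMPLE_PROXY_LOG='2021-11-08T10:00:01Z 10.0.0.5 www.netflix.com 443 CONNECT
2021-11-08T10:00:02Z 10.0.0.5 exampleaddress.onion.ws 443 CONNECT
2021-11-08T10:00:03Z 10.0.0.7 cdn.example.org 443 CONNECT
2021-11-08T10:00:04Z 10.0.0.9 legit-onion.ws.example.org 443 CONNECT'

# Expected: only the exampleaddress.onion.ws line is printed.
printf '%s\n' "$SAMPLE_PROXY_LOG" | flag_tor2web_hosts
```

A hit on its own is not proof of MasterFred, since Tor2Web gateways have legitimate uses, but traffic from a mobile device to one shortly after an app install is a strong enough signal to pull the device for the accessibility-service check above.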
Attackers Using Third-Party App Stores to Spread Malware
Malicious apps carrying the malware were recently available on the Google Play Store, which lent them the appearance of legitimate software. The attackers also appear to be using third-party app stores to deliver the malware to unsuspecting users.
The malicious apps were removed from the Google Play Store after their discovery, BleepingComputer quoted the Avast research team as saying.
Avast Threat Labs has also published indicators of compromise (IOCs), including MasterFred sample hashes and command-and-control server domains.
The MasterFred malware preys on unsuspecting Android users who will download and install any app and share credit card or other financial information online. Users are therefore advised to install apps only from validated, genuine download locations and to treat third-party app stores with particular caution.
A few days ago, thousands of South Korean users were victimized by a similar Android malware called PhoneSpy, which likewise collects data from Android devices and allows hackers to take full control of them.