A new malware that can affect WhatsApp, Uber and Google Play is on the market and hackers are using it to spoof a user interface of any of the three common apps. Through the malware, they are then able to steal credit card information and other personal data from the affected users.
The intruding software which is affecting Android devices at the moment is reported to be detected in Denmark, Italy and Germany at the moment and it has been spreading. The hackers are using phishing methods to spread the malware through SMS, according to the security vendor FireEye.
After users mistakenly download the malware it creates a fake user interface on the phone and works as an overlay of the real apps that are affected. The overlay interfaces then ask for the credit card information and then when the data is entered, it sends the information back to the hackers. It is believed that this family of malware is continually evolving. FireEye claims that since February this year, they have detected at least 55 of these malicious programs in Europe alone and they use the same overlay technique.
The earlier versions of the malware usually targeted the banking apps, but after evolving the malware now is affecting some of the most used apps on the Android platform such as WhatsApp and Google Play. Most of the times users usually input their credit card information and private details into these products just as they do in banking apps, according to the FireEye researcher, Wu Zhou.
Wu said that the cyber attackers were looking to get the biggest financial gain, therefore, they would normally target apps that are widely used and have a large user base. In some scenarios, the malware is said to have affected YouTube, Uber and the popular Chinese messaging service, WeChat.
In attempts to spread the malware, the hackers have normally used SMS messages which would be accompanied with a link and they can trick their victims from it. One of the SMS messages sent by the crooks read: “We could not deliver your order. Please check tour shipping information here.”
FireEye noticed that the campaign was spread through five various different campaigns. One lone campaign saw the hackers try to generate at least about 130,000 clicks to where the link was hosted. New versions are also on the market and they’re hard to detect. Of the 54 antivirus tools tested, only six managed to notice a danger with the malicious coding, FireEye said.
The malware is believed to have servers in the UAE, Germany, Italy, Latvia and the Netherlands.