A new entry joins the list of Android malware: the latest to be identified is MasterFred, which uses the Android accessibility services to extract personal data. The technique itself is already well known to professionals; in the past it has been used for many malicious purposes. The trojan was first spotted in June 2021 and a new sample was isolated last week. So far the most affected users are in Poland and Turkey, but research laboratories are paying close attention to identifying the attack strategy.
MasterFred: what the Android malware does
MasterFred is a trojan and, as such, is delivered through an apparently harmless application, typically as a payload. According to the first analyses conducted by Avast, at least one application was certainly used as an attack vector through the Play Store and has probably already been removed.
Once installed, the malware uses Android's accessibility features to present fake windows when the user creates Netflix and Twitter profiles. Through HTML overlays, it shows fields asking for financial data, such as credit card numbers or bank login credentials, disguised as fake login forms. Once the user has completed these steps, the applications keep working normally while MasterFred transmits the harvested data in the background.
The technique, as noted above, is already proven and has been heavily exploited in the past for countless forms of attack. For example, overlays have been used to produce a sequence of user gestures that led the victim to enable particular Android features without realising it. The overlay typically displays harmless or misleading content while the taps performed on the screen are delivered to the application underneath, which is in the foreground but hidden by the overlay itself.
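The two capabilities the article describes, drawing over other apps and registering an accessibility service, both have to be declared in an app's manifest, so they can be triaged statically before a build is approved or an APK is installed. The script below is an added example (not code from the article or from Avast) that reads a decoded AndroidManifest.xml and reports those indicators. The two manifests embedded in it are constructed for illustration; the permission names and the accessibility-service action are the real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android identifiers relevant to overlay / accessibility abuse.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
INTERNET_PERM = "android.permission.INTERNET"

# Constructed manifest for a hypothetical "wallpaper" app (not taken from any real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Wallpaper">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest for a plain app with none of the risky declarations.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the overlay/accessibility indicators found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(A_NAME) for e in root.iter("uses-permission")}

    # A service is an accessibility service if it is protected by the bind
    # permission or advertises the accessibility-service intent action.
    accessibility_services = []
    for svc in root.iter("service"):
        binds_a11y = svc.get(A_PERMISSION) == A11Y_BIND_PERM
        actions = {a.get(A_NAME) for a in svc.iter("action")}
        if binds_a11y or A11Y_ACTION in actions:
            accessibility_services.append(svc.get(A_NAME))

    overlay = OVERLAY_PERM in permissions
    findings = []
    if overlay:
        findings.append("requests SYSTEM_ALERT_WINDOW: can draw over other apps")
    if accessibility_services:
        findings.append("declares an accessibility service: can read screen content and inject taps")
    if overlay and accessibility_services and INTERNET_PERM in permissions:
        findings.append("overlay + accessibility + network: pattern used by "
                        "credential-stealing overlay trojans; review manually")
    return {
        "package": root.get("package"),
        "overlay_permission": overlay,
        "accessibility_services": accessibility_services,
        "findings": findings,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "->", result["findings"] or ["no overlay/accessibility indicators"])
```

The input is the decoded manifest (for example, apktool output), not the binary XML inside the APK. Treat the result as a triage signal rather than a verdict: screen readers, password managers and some automation tools legitimately declare accessibility services, so a hit should trigger a manual look at what the service actually does and where the app sends data.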
Some additional details about the attack
What we do know is that trojans of this kind are also referred to as RATs, or Remote Administration Tools, and therefore need Command and Control servers to which data is sent and from which instructions are received, servers that are typically designed not to be easily identifiable. It is no coincidence that a WebSocket connection towards the dark web was identified in MasterFred: it uses Onion.ws, a gateway to the dark web, as a proxy to deposit information stolen from users on the attackers' servers. Using the Tor network helps the criminals avoid identification, thanks to the particularly complex structure of the network.
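Because the sample reaches its hidden service through a clearnet gateway rather than through Tor itself, the connection shows up in ordinary DNS or proxy logs as a request to a host under the gateway's domain. The script below is an added example (not code from the article or from Avast) that scans proxy log lines for such hosts and, where the hostname carries a hidden-service label, recovers the .onion address for blocking or sharing as an indicator. The log format and the log lines are constructed for this example; the gateway list contains only the domain named in the article and extending it is left to the reader.

```python
import re

# Gateway domain named in the article. Extending this tuple with other gateways
# you track is an assumption left to the operator.
TOR_GATEWAY_SUFFIXES = ("onion.ws",)

# Hidden-service labels are base32: 16 chars (v2 addresses) or 56 chars (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Constructed proxy log, one request per line: "<timestamp> <package> <host> <port>".
# The 56-character label is an invented placeholder, not a real hidden service.
SAMPLE_PROXY_LOG = """2021-11-10T08:12:01Z com.example.constructed.wallpaper pqrs2345pqrs2345pqrs2345pqrs2345pqrs2345pqrs2345pqrs2345.onion.ws 443
2021-11-10T08:12:02Z com.example.constructed.notes api.example.net 443
2021-11-10T08:12:05Z com.example.constructed.wallpaper www.onion.ws 80
2021-11-10T08:12:09Z com.example.constructed.reader cdn.example.org 443
"""


def find_tor_gateway_traffic(log_text: str) -> list:
    """Return one record per log line whose host sits under a known Tor gateway."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole scan
        timestamp, package, host, port = parts
        host = host.lower().rstrip(".")
        for suffix in TOR_GATEWAY_SUFFIXES:
            if host == suffix or host.endswith("." + suffix):
                # Everything left of the gateway suffix is the label the gateway
                # would resolve; only a well-formed base32 label is an onion address.
                label = "" if host == suffix else host[: -len(suffix) - 1]
                onion = f"{label}.onion" if ONION_LABEL.match(label) else None
                hits.append({
                    "timestamp": timestamp,
                    "package": package,
                    "host": host,
                    "port": int(port),
                    "onion_address": onion,
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_tor_gateway_traffic(SAMPLE_PROXY_LOG):
        print(f"{hit['timestamp']} {hit['package']} -> {hit['host']}:{hit['port']} "
              f"(onion: {hit['onion_address'] or 'n/a'})")
```

A request to the gateway's own site (www.onion.ws above) is reported but carries no onion address, since a person browsing to the gateway is a different event from an app relaying to a specific hidden service; the package name on each hit is what lets an analyst tie the traffic back to the app that should be pulled for inspection.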
As always, the advice sounds trivial but it can save us from cases like this. Be wary of applications whose origin you do not know and which have not been verified. In this sense, applications downloaded from third-party stores may be even less secure than those in the Play Store. Above all, enter personal codes and bank details only if you are really sure where you have landed. In this case, fake Netflix, Instagram or Twitter pages deceived users who, trusting the brands, did not stop to ask why such data was being requested.
The article "Beware of MasterFred, the new malware targeting Android" comes from Tech CuE | Close-up Engineering.