Malware & Ransomware · HIGH

Malware - Android OS Attack Bypasses Mobile Payment Security

Basically, a new Android attack tricks payment apps into giving away money without the user knowing.

Quick Summary

A new Android attack technique is hijacking payment apps and bypassing security. Users are at risk of unauthorized transactions and fraud. Experts recommend stronger verification methods to combat this threat.

What Happened

A new Android attack technique has emerged, using the LSPosed framework to manipulate the runtime environment. Unlike previous methods that modified application code, this attack targets system-level processes. Researchers from CloudSEK discovered that attackers can hijack legitimate payment apps without altering their code or triggering standard security checks. This innovative approach allows malicious modules to intercept and alter communications between apps and the device, effectively bypassing protections like Google Play Protect.

The attack exploits a module known as "Digital Lutera," which takes advantage of Android APIs to intercept SMS messages and spoof device identities. By doing this, attackers can extract two-factor authentication (2FA) data in real time, making it a potent threat to mobile payment security.

Who's Being Targeted

The primary targets of this attack are users of mobile payment systems that rely on SMS verification for security. By undermining the SIM-binding process, attackers can trick bank servers into believing that a victim's SIM card is present on a different device. This enables unauthorized access to bank accounts and transaction approvals, putting many users at risk.

Fraudsters can intercept SMS verification tokens and inject fake SMS records into device databases. This method allows them to reset payment PINs and transfer funds without the victim's awareness, leading to large-scale fraud risks. Researchers have observed these activities being coordinated on platforms like Telegram, where attackers share intercepted login data and plan access attempts.

Signs of Infection

Users may not notice any immediate signs of infection, as the attack operates at a system level. However, there are a few indicators to watch for:

  • Unexpected SMS messages or changes in account settings.
  • Unusual transactions or requests for verification codes that you did not initiate.
  • Difficulty in reinstalling or removing affected payment apps, as the malicious hooks remain active within the operating system.

How to Protect Yourself

To mitigate the risks associated with this evolving threat, experts recommend implementing stronger integrity checks. This includes:

  • Using hardware-based verification to establish that the device is genuine.
  • Enforcing stricter backend validation of SMS delivery, rather than relying solely on data the device reports about itself.
  • Encouraging users to watch their account activity and to report any suspicious transaction immediately.

By adopting these measures, both users and financial institutions can better protect themselves against this sophisticated Android malware.

🔒 Pro insight: This attack method undermines traditional mobile payment security, requiring a shift towards hardware-based verification and carrier-level SMS validation.

Original article from Infosecurity Magazine
