
ThreatLabZ has discovered a new Android malware that masquerades as a Chrome update and can do a lot of damage on infected devices. The infostealer uses domains that resemble the file names of Google updates, so users can easily be tricked into believing they are actually updating their browser; it also keeps changing URLs, which lets it go undetected by URL filters.

Here is a list of URLs detected by Zscaler:

– http[:]//ldatjgf[.]
– http[:]//iaohzcd[.]
– http[:]//uwiaoqx[.]
– http[:]//google-market2016[.]com/
– http[:]//ysknauo[.]android-update17[.]pw/
– http[:]//ysknauo[.]android-update16[.]pw/
– http[:]//android-update15[.]pw/
– http[:]//zknmvga[.]android-update15[.]pw/
– http[:]//ixzgoue[.]android-update15[.]pw/
– http[:]//zknmvga[.]android-update15[.]pw/
– http[:]//
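Because the article notes that the malware rotates URLs to evade URL filters, a defender would match proxy or DNS logs on the registered domains and on the naming scheme behind them rather than on exact URLs. The following Python is an added example and not part of the original article or Zscaler's tooling: it refangs the complete indicators from the list above (the truncated entries are left out), extracts their registered domains, adds a pattern that generalizes the observed `android-update<NN>.pw` scheme (that generalization is an assumption), and runs the check over constructed log lines.

```python
import re
from urllib.parse import urlparse

# Complete defanged indicators from the article (truncated ones are omitted).
DEFANGED_IOCS = [
    "http[:]//google-market2016[.]com/",
    "http[:]//ysknauo[.]android-update17[.]pw/",
    "http[:]//ysknauo[.]android-update16[.]pw/",
    "http[:]//android-update15[.]pw/",
    "http[:]//zknmvga[.]android-update15[.]pw/",
    "http[:]//ixzgoue[.]android-update15[.]pw/",
]

# Assumption: the campaign keeps numbering android-update<NN>.pw domains,
# so we match the scheme, not only the instances seen so far.
UPDATE_PATTERN = re.compile(r"(^|\.)android-update\d+\.pw$")

# File name of the fake update, as named in the article.
DROPPER_NAME = "Update_chrome.apk"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a parseable URL."""
    return ioc.replace("[:]", ":").replace("[.]", ".")


def registered_domain(host: str) -> str:
    """Last two labels of a host name (good enough for .com/.pw here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


KNOWN_DOMAINS = {
    registered_domain(urlparse(refang(ioc)).hostname) for ioc in DEFANGED_IOCS
}


def classify_host(host: str) -> str:
    """'known-ioc', 'pattern-match' or 'clean' for one host name."""
    host = host.lower().rstrip(".")
    if registered_domain(host) in KNOWN_DOMAINS:
        return "known-ioc"
    if UPDATE_PATTERN.search(host):
        return "pattern-match"
    return "clean"


# Constructed proxy log lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
2016-05-02T10:01:12Z client=10.0.0.12 host=update.google.com path=/release/chrome.apk
2016-05-02T10:03:44Z client=10.0.0.12 host=ysknauo.android-update16.pw path=/Update_chrome.apk
2016-05-02T10:04:01Z client=10.0.0.7 host=qwertyu.android-update19.pw path=/go
2016-05-02T10:05:30Z client=10.0.0.9 host=google-market2016.com path=/pay
2016-05-02T10:06:02Z client=10.0.0.3 host=cdn.example.net path=/Update_chrome.apk
"""

LINE_RE = re.compile(r"client=(\S+) host=(\S+) path=(\S+)")


def scan_log(text: str) -> list:
    """Return (client, host, reasons) for every line worth an alert."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, host, path = m.groups()
        reasons = []
        verdict = classify_host(host)
        if verdict != "clean":
            reasons.append(verdict)
        # A download of the dropper's file name is suspicious from any host.
        if path.rsplit("/", 1)[-1] == DROPPER_NAME:
            reasons.append("dropper-filename")
        if reasons:
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

The domain match catches hosts that reuse a known registered domain under a new subdomain, the pattern catches the next number in the series, and the file-name check flags the dropper even when it is served from a host not yet on any list.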

Deepen Desai, Director of Security Research at Zscaler, was interviewed by ZDNet and said that “The malware may arrive from compromised or malicious websites using scareware tactics or social engineering.” Users are advised to stay away from dubious websites and not to click OK, no matter how tempting it is. Desai added that “One common theme we have seen in recent malicious android application packages involves scareware tactics where the user will see a popup indicating that their device is infected with a virus and asks them to update to clean up infection.”

The fake update is called “Update_chrome.apk” and, once downloaded to the device, it asks for admin access. If the user agrees, the malware stops the anti-virus program from functioning as it should, then tracks all texts and calls and sends the information to a command-and-control server. It affects the Google Play Store as well: it displays a fake credit card payment form that imitates the real one and sends the card details to a Russian telephone number. Unfortunately, users cannot revoke the admin access, so their only option for getting rid of the malware is a factory reset of the device. This is like formatting the C drive and installing Windows again.