Pradeo, a mobile security company, encountered an advanced phishing attack that steals victims' credit card information using malware that mimics the Google Chrome browser for Android. The company claims that the fake Chrome has been installed on hundreds of thousands of Android devices over the past few weeks.
Security experts refer to the technique as so-called smishing: the victim receives an SMS message informing them that a customs fee must be paid to have a parcel delivered. If the user clicks on the link, they are first prompted to update the Chrome app, and then they are redirected to a phishing page where they must pay (usually $1-2). As soon as the user has made the payment, the attacker gains access to the bank card data.
Once installed, the fake Chrome app sends over 2,000 SMS messages a week from the victim's device to random numbers (every day for 2-3 hours). These numbers are not taken from the phone book but generated automatically. This mechanism ensures the successful spread of the Trojan. To remain unnoticed, the malware hides on mobile devices behind the Chrome icon and name. However, its installation package, signature, and version have nothing to do with the official Google browser.
The attackers use several methods to go undetected and bypass mobile security solutions. Firstly, they check that phone numbers are not on the spam list and are not blocked. Secondly, the Trojan uses obfuscation to hide its behavior. Thirdly, if it is detected, it is rebuilt with a new signature. As part of this campaign, Pradeo found two fake Chrome apps that were 99% identical.
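The two points above (the app borrows Chrome's name while its package and signature differ, and it is rebuilt with a new signature once detected) favor an allowlist over a blocklist of known-bad signatures. The following is an added example, not code from Pradeo or from the original article. The inventory format and all sample values are constructed, and the trusted signer digest is a placeholder.

```python
# Added example: allowlist check for apps that present themselves as Chrome.
# Package name is the stable-channel Chrome identifier; the signer digest is a
# placeholder to be replaced with the value read from a known-good install.
OFFICIAL_PACKAGE = "com.android.chrome"
TRUSTED_SIGNERS = {"PLACEHOLDER_KNOWN_GOOD_SIGNER_SHA256"}

# Constructed inventory (label, package, signing-certificate digest), e.g. as
# exported by a device-management agent. None of these values come from the campaign.
SAMPLE_INVENTORY = [
    {"label": "Chrome", "package": "com.android.chrome",
     "signer_sha256": "PLACEHOLDER_KNOWN_GOOD_SIGNER_SHA256"},
    {"label": "Chrome", "package": "com.example.variant_a",
     "signer_sha256": "CONSTRUCTED_SIGNER_A"},
    {"label": " chrome ", "package": "com.example.variant_b",
     "signer_sha256": "CONSTRUCTED_SIGNER_B"},
    {"label": "Messages", "package": "com.example.sms",
     "signer_sha256": "CONSTRUCTED_SIGNER_C"},
]

def presents_as_chrome(label):
    """True when the launcher label reads as 'Chrome', ignoring case and padding."""
    return label.strip().casefold() == "chrome"

def audit(inventory):
    """Return (package, reasons) for every Chrome-labelled app that fails the allowlist."""
    findings = []
    for app in inventory:
        if not presents_as_chrome(app["label"]):
            continue
        reasons = []
        if app["package"] != OFFICIAL_PACKAGE:
            reasons.append("package name is not the official one")
        if app["signer_sha256"] not in TRUSTED_SIGNERS:
            reasons.append("signing certificate is not trusted")
        if reasons:
            findings.append((app["package"], reasons))
    return findings

if __name__ == "__main__":
    for package, reasons in audit(SAMPLE_INVENTORY):
        print(f"{package}: {'; '.join(reasons)}")
```

Because the check compares against the known-good identity, both constructed variants are flagged even though their signer digests differ from each other.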
To avoid theft of bank card data, users should not enter it on unknown or suspicious sites, and applications should always be updated from Google Play or other official and trusted sources.