A new Android Trojan that uses web push notifications to redirect users to scam and fraudulent sites has been discovered by security researchers on Google’s Play Store.
Multiple fake apps of well-known brands that distributed the malware dubbed Android.FakeApp.174 got removed in early June after researchers from Doctor Web reported them to Google.
While the apps were only installed by a little over 1000 users, the malware operators could publish other similar apps at any time on the Play Store and might also be switching to more aggressive attack methods such as redirecting victims to malicious payloads, launching phishing attacks targeting bank customers, or spreading fake news.
For instance, “Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information,” Doctor Web explains.
When the malicious fake apps are first launched, the Android.FakeApp.174 Trojan loads a site hardcoded in its settings using the Google Chrome web browser, a website which asks the targets to allow notifications under the guise of verifying that the user is not a bot.
Upon agreeing to enable web push notifications for “verification purposes,” the compromised device’s owner is subscribed to the site’s notifications and will be spammed with dozens of notifications sent by Chrome using Web Push technology.
This tech makes it possible to send alerts when the web browser is closed, when the website is not open in the browser, and even after the Trojan is completely removed from the system as explained by Doctor Web.
“These messages are displayed on the device notification panel and may be mistaken for system messages. They may look like notifications from social media, dating websites, news agencies, and other well-known online services,” says Doctor Web.
These push notifications can pose as a wide range of alerts ranging from new social media messages and news to new social media events and notifications seemingly being pushed by applications installed on the device.
The crooks use these camouflaged push notifications to redirect the victims to various types of scam sites such as “advertising of casinos, betting shops, various Google Play applications, discounts and coupons,” as well as more treacherous “fake online polls and prize drawings, aggregators of partner links, and other online resources that vary depending on the country of residence of the user.”
The Doctor Web researchers think that the Android.FakeApp.174 Trojan creators “will make more active use of this method to promote questionable services, so mobile users should be careful while visiting websites and not subscribe to notifications if the website is unfamiliar or suspicious.”
Android users who already have been tricked into subscribing to this type of spam web push notifications are advised to go through the following steps to get rid of them:
- Go to the Google Chrome settings, select “Site Settings” and then “Notifications”;
- On the list of websites with notifications, find the website address, tap it, and select “Clear & reset”.
To read the original article: