1. Discovered malware on the Google Play Store, like Facestealer and auto-launching HiddAd
Annual Threat Report 2023 | 29
In 2022, Quick Heal Security Labs saw many Facebook credential stealer (aka Facestealer) applications on the Google Play Store. Social media credentials are always lucrative for threat actors, who use various techniques to obtain them: overlays with fake user interfaces, keylogging, or simple social engineering. Of late, threat actors have been injecting JavaScript code into a WebView to steal Facebook credentials. The app loads the real Facebook login page in a WebView, and the injected script captures the credentials as the user enters them into the login form and hands them to the malicious app.
Quick Heal Security Labs detects these apps with variants of Android.Facestealer.
Quick Heal found 14 auto-launching HiddAd applications on the Google Play Store this year, with a combined download count of more than 6 million. HiddenAd, or HiddAd, is icon-hiding adware that runs without any user interaction. The prime motive of HiddAd is to generate revenue through aggressive advertisements. The malware authors hide the app's icon from the application drawer and employ other deceptive techniques to make uninstallation harder for users. Quick Heal names these detections "Autolauncher HiddAds".
2. Rise of Banking Malware in a New Avatar
Quick Heal security researchers examined the most recent banking Trojan variants this year, including Drinik, SOVA, Escobar, Godfather and Zanubis, each of which has gained new features in its latest avatar. These Trojans can steal sensitive data such as contacts, SMS, call logs and device location, steal credentials, capture keystrokes and take screenshots. On command from the C&C server they can also record video and audio calls, delete files, send SMS messages, make calls and take pictures with the camera. By reading incoming SMS messages they can intercept OTPs and submit them on the victim's behalf, alongside stolen credit/debit card details and net banking passwords. All collected data is encrypted before being sent to the C2 server.
Drinik targets Indian banks and masquerades as the official income tax management app, while SOVA mimics the Amazon and Google Chrome icons. Drinik obtains all the permissions it requests and then opens the genuine Indian income tax website in a WebView rather than loading a phishing page; it uses screen recording together with keylogging to capture the user's login credentials. Finally, it tells the user they are eligible for a refund and redirects to a phishing page that asks for the account number, credit card number, CVV and card PIN.
This year, several banks issued advisories warning Android users about these banking Trojans and recommending that customers download banking apps only from the official Play Store. Quick Heal detects this banking malware as variants of Android.Banker, Android.Hqwar and Android.Agent.
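As an added example (not Quick Heal's detection logic, signatures or any code from this report), the following Python script sketches how an analyst might triage the decompiled output of an APK (jadx sources plus the decoded AndroidManifest.xml) for the three behaviour patterns described in sections 1 and 2: WebView JavaScript injection against the Facebook login page, icon hiding combined with boot-time auto-launch, and the accessibility, screen-capture and SMS-interception combination used by the banking Trojans. The indicator regexes, the per-group thresholds and the sample "decompiled" snippets are all constructed for this illustration.

```python
"""Static triage of decompiled Android app output (e.g. jadx sources plus the
decoded AndroidManifest.xml) for the behaviour patterns described above.

Added illustration only: the indicator regexes, thresholds and the sample
"decompiled" snippets below are constructed for this example and are not
Quick Heal's detection logic or signatures.
"""
import re

# Indicators grouped by behaviour pattern: (indicator name, regex over the text).
INDICATORS = {
    # Facestealer-style: WebView loads the real Facebook login page and injected
    # JavaScript reads the form fields and hands them to a Java bridge object.
    "webview_js_injection": [
        ("js_enabled", r"setJavaScriptEnabled\(\s*true\s*\)"),
        ("js_bridge", r"addJavascriptInterface\("),
        ("js_eval", r"evaluateJavascript\(|loadUrl\(\s*\"javascript:"),
        ("facebook_login_url", r"https?://(m|www)\.facebook\.com/login"),
        ("reads_login_fields", r"getElementById\(\s*['\"](email|pass)['\"]\s*\)\.value"),
    ],
    # HiddAd-style: launcher icon disabled after install, app restarts itself at
    # boot and keeps a service alive to serve ads.
    "icon_hiding_autolaunch": [
        ("hide_launcher_icon", r"setComponentEnabledSetting\([^;]*COMPONENT_ENABLED_STATE_DISABLED"),
        ("boot_receiver", r"android\.intent\.action\.BOOT_COMPLETED"),
        ("foreground_service", r"startForegroundService\("),
        ("interstitial_ads", r"Interstitial(Ad)?\b"),
    ],
    # Banking-Trojan style: accessibility keylogging, screen capture, SMS/OTP
    # interception and overlay windows.
    "banking_trojan": [
        ("accessibility_service", r"BIND_ACCESSIBILITY_SERVICE"),
        ("screen_capture", r"MediaProjection|createScreenCaptureIntent"),
        ("sms_interception", r"Telephony\.SMS_RECEIVED|RECEIVE_SMS"),
        ("overlay", r"SYSTEM_ALERT_WINDOW|TYPE_APPLICATION_OVERLAY"),
        ("device_admin", r"BIND_DEVICE_ADMIN"),
    ],
}

# Minimum number of distinct indicators before a group is reported. A single
# indicator (RECEIVE_SMS in an OTP-autofill app, JavaScript enabled for a help
# page WebView) is normal; the combination is what is suspicious.
THRESHOLD = {"webview_js_injection": 3, "icon_hiding_autolaunch": 2, "banking_trojan": 3}


def scan(text):
    """Return {group: sorted indicator names} for each group meeting its threshold."""
    hits = {}
    for group, patterns in INDICATORS.items():
        found = sorted(name for name, rx in patterns if re.search(rx, text))
        if len(found) >= THRESHOLD[group]:
            hits[group] = found
    return hits


def triage(samples):
    """Scan several apps: {app name: decompiled text} -> {app name: hits}."""
    return {name: scan(text) for name, text in samples.items()}


# Constructed sample snippets standing in for real decompiled output.
SAMPLES = {
    "facestealer_like": """
        web.getSettings().setJavaScriptEnabled(true);
        web.addJavascriptInterface(new Bridge(), "android");
        web.loadUrl("https://m.facebook.com/login.php");
        web.evaluateJavascript("document.forms[0].onsubmit=function(){android.send("
            + "document.getElementById('email').value,document.getElementById('pass').value)}", null);
    """,
    "hiddad_like": """
        <receiver android:name=".BootReceiver"><intent-filter>
          <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
        getPackageManager().setComponentEnabledSetting(new ComponentName(this, LauncherAlias.class),
            PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
        startForegroundService(new Intent(this, AdService.class));
        InterstitialAd.load(this, adUnitId, new AdRequest.Builder().build(), callback);
    """,
    "banker_like": """
        <uses-permission android:name="android.permission.RECEIVE_SMS"/>
        <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
        <service android:name=".KeyLogger" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
        web.getSettings().setJavaScriptEnabled(true);
        web.loadUrl("https://www.incometax.gov.in/");  // genuine site, recorded rather than cloned
        startActivityForResult(mpm.createScreenCaptureIntent(), 1);
    """,
    "benign_otp_reader": """
        <uses-permission android:name="android.permission.RECEIVE_SMS"/>
        web.getSettings().setJavaScriptEnabled(true);
        web.loadUrl("https://example.com/help");
    """,
}

if __name__ == "__main__":
    for app, hits in triage(SAMPLES).items():
        print(f"{app}: {hits or 'no suspicious combination'}")
```

Run it against the directory produced by jadx or apktool by concatenating the sources and manifest into one string. The thresholds matter: the benign OTP-reader sample carries RECEIVE_SMS and an enabled-JavaScript WebView, and the Drinik-like sample also enables JavaScript in its WebView, yet neither trips the Facestealer group, because it is the combination of a JavaScript bridge, script evaluation and the Facebook login URL that characterises the technique. String matching over decompiled code is only a first-pass filter; obfuscated or reflective samples need dynamic analysis to confirm the behaviour.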
3. Spyloan: Users are Harassed by Instant Loan Applications
These applications offer small loans with little paperwork but charge exorbitant interest rates. They ask for contacts, SMS, storage and camera permissions, and the threat actors then use the harvested data to harass users. In view of this, the RBI issued new guidelines for such applications in September 2022, under which loan apps must not be allowed to access data irrelevant to the loan. The RBI is also set to prepare a whitelist of legal loan applications. The Google Play Store has also