U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Oscorp, a new Android malware targets Italian users

Researchers at the Italian CERT warns of new Android malware dubbed Oscorp that abuses accessibility services for malicious purposes. Researchers from security firm AddressIntel spotted a new Android malware dubbed Oscorp, its name comes from the title of the login page of its command-and-control server. Like other Android malware, the Oscorp malware trick users into granting […]

oscorp android malware

Researchers at the Italian CERT warns of new Android malware dubbed Oscorp that abuses accessibility services for malicious purposes.

Researchers from security firm AddressIntel spotted a new Android malware dubbed Oscorp, its name comes from the title of the login page of its command-and-control server.

Like other Android malware, the Oscorp malware trick users into granting them access to the Android Accessibility Service, this means they will be able to read the text on the phone screen, determine an app installation prompt, scroll through the permission list and press the install button on the behalf of the user.

“not being able to access the private files of other applications, the actions of these malicious apps are “limited” to the theft of credentials through phishing pages (called, in the jargon of malware, injections), to blocking the device (intended as screen lock) and possibly to the capture of audio and video.” read the advisory published by Italy’s CERT-AGID (Italian language).

A few days ago, AddressIntel experts identified a domain called “supportoapp [.] Com” that was serving the file “Client assistance.apk”.

Once the app is installed, which is presented with the name “Customer Protection”, it asks users to enable the accessibility service.

oscorp android malware

The malware uses the Geny2 service to induce the user to enable the accessibility service and, once activated, automatically enable some permissions.

The malicious code reopens the Settings screen every eight seconds to force the user into granting the requested permissions for accessibility and device usage statistics.

Enabling accessibility service makes it possible to:

  • Enable keylogger functionality.
  • Automatically obtain the permissions and capabilities required by the malware.
  • Uninstall app.
  • Make calls.
  • Send SMS.
  • Stealing cryptocurrency.
  • Stealing the PIN for Google’s 2FA

At the time of the analysis, the wallet used by the malware had $584.

The CERT’s report provides technical details about the malware, such as the description of the services such as the PJService used to collect info on the device. The malware communicates with the C2 via HTTP POST requests.

When the user opens one of the apps targeted by Oscorp, the malicious code will display a phishing page that asks him to provide a username and password.

The style of this screen is different for each app and it’s designed to trick the victim into providing the information.

“Android protections prevent malware from doing any kind of damage until the user enables accessibility service,” concludes the CERT-AGID’s advisory. “Once enabled, however, a ‘dam’ opens up. In fact, Android has always had a very permissive policy towards app developers, leaving the ultimate decision to trust an app or not to the end user.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Intel)

[adrotate banner=”5″]

[adrotate banner=”13″]