New and dangerous Android malware affects users from 196 countries


Cybersecurity researchers have discovered spyware, detected as ANDROIDOS_MOBSTSPY (MobSTSPY), hidden inside several Android applications that posed as legitimate apps.

All of the applications were distributed through Google Play, and one of them had already reached more than 100,000 installs worldwide.
The applications that carried the malware were Flappy Birr Dog, FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher and Flappy Bird.

The good news is that Google has since removed all of these applications from Google Play.
Remember that everything can be hacked. To stay away from threats in the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS the device is running. If you are a company, we also recommend hiring a specialized cybersecurity firm every year to run annual tests on your company's network; these tests include penetration testing and ethical hacking.

ANDROIDOS_MOBSTSPY modus operandi:
Information stealing
MobSTSPY is capable of stealing information such as the user's location, SMS conversations, call logs and clipboard contents.
When the malicious application is launched, the malware first checks whether the device has network connectivity. It then retrieves, reads and parses an XML configuration file from its command-and-control (C&C) server.

The malware then collects device information such as the device language, the registered country, the package name of the app it is running in, and the device manufacturer.

All of the gathered information is sent to the C&C server.
Researchers warn that, depending on the command the malware receives, it can steal SMS conversations, contact lists, files and call logs.
Analysis also showed that, in addition to these info-stealing capabilities, the malware can harvest credentials through phishing. It displays fake Facebook and Google login pop-ups to phish for the user's account details; after the victim enters them, the pop-up simply states that the log-in was unsuccessful.

Among the affected countries are Mozambique, Poland, Iran, Vietnam, Algeria, Thailand, Romania, Italy, Morocco, Mexico, Malaysia, Germany, Iraq, South Africa, Sri Lanka, Saudi Arabia, the Philippines, Argentina, Cambodia, Belarus, Kazakhstan, Tanzania, Hungary and many others.

This case illustrates that, despite the security measures Google applies to Google Play, users must remain cautious about which applications they download to their devices.

Keep in mind that modern society depends on computers, mobile devices and the internet, so always keep them safe and secured.
We will continue to monitor this threat. Meanwhile, users should keep a keen eye out for suspicious applications and cyber attacks; the protective measures recommended above still apply.

Indicators of Compromise

SHA256                                                            Package Name                           Label               Download Count
12fe6df56969070fd286b3a8e23418749b94ef47ea63ec420bdff29253a950a3  ma[.]coderoute[.]hzpermispro           HZPermis Pro Arabe  50 to 100
72252bd4ecfbd9d701a92a71ff663776f685332a488b41be75b3329b19de66ba  com[.]tassaly[.]flappybird             Flappy Bird         0
4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838  com[.]mobistartapp[.]windows7launcher  Win7Launcher        1,000 to 5,000
38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24  com[.]mobistartapp[.]win7imulator      Win7imulator        100,000 to 500,000
0c477d3013ea8301145b38acd1c59969de50b7e2e7fc7c4d37fe0abc3d32d617  com[.]mobistartapp[.]flashlight        FlashLight          50 to 100
a645a3f886708e00d48aca7ca6747778c98f81765324322f858fc26271026945  com[.]tassaly[.]flappybirrdog          Flappy Birr Dog     10

C&C Servers
hxxp://www[.]mobistartapp[.]com
hxxp://www[.]coderoute[.]ma
hxxp://www[.]hizaxytv[.]com
hxxp://www[.]seepano[.]com
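The indicators above are only useful once they are checked against something. The following is an added example, not code from the original article or from the researchers who published the indicators: a small offline triage script that matches three kinds of evidence a responder would typically already have in hand (the output of `sha256sum` over APKs pulled from a device, the output of `adb shell pm list packages`, and DNS query log lines) against the published hashes, package names and C&C hosts. The DNS log line format is an assumption of the example, and the matcher deliberately widens the C&C indicator from the listed `www.` host to the registered domain and any of its subdomains; all sample inputs are constructed for the example.

```python
"""Added example: match the published MobSTSPY IoCs against local evidence.
Not the article's or the researchers' code; sample inputs are constructed."""
import re

# Indicators as published above, with the defanging brackets removed.
SHA256_TO_LABEL = {
    "12fe6df56969070fd286b3a8e23418749b94ef47ea63ec420bdff29253a950a3": "HZPermis Pro Arabe",
    "72252bd4ecfbd9d701a92a71ff663776f685332a488b41be75b3329b19de66ba": "Flappy Bird",
    "4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838": "Win7Launcher",
    "38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24": "Win7imulator",
    "0c477d3013ea8301145b38acd1c59969de50b7e2e7fc7c4d37fe0abc3d32d617": "FlashLight",
    "a645a3f886708e00d48aca7ca6747778c98f81765324322f858fc26271026945": "Flappy Birr Dog",
}
PACKAGE_TO_LABEL = {
    "ma.coderoute.hzpermispro": "HZPermis Pro Arabe",
    "com.tassaly.flappybird": "Flappy Bird",
    "com.mobistartapp.windows7launcher": "Win7Launcher",
    "com.mobistartapp.win7imulator": "Win7imulator",
    "com.mobistartapp.flashlight": "FlashLight",
    "com.tassaly.flappybirrdog": "Flappy Birr Dog",
}
# Published C&C hosts. Widening the match to the registered domain and all of
# its subdomains (not only the www host) is an assumption of this example.
C2_HOSTS = ["www.mobistartapp.com", "www.coderoute.ma", "www.hizaxytv.com", "www.seepano.com"]
C2_DOMAINS = [h[4:] if h.startswith("www.") else h for h in C2_HOSTS]


def refang(indicator):
    """Turn the page's defanged form (hxxp://www[.]x[.]com) back into a real URL/host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def match_hashes(sha256sum_output):
    """Parse `sha256sum` lines ("<hex>  <path>") and return (path, label) for hits."""
    hits = []
    for line in sha256sum_output.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(.+)$", line.strip())
        if not m:
            continue
        digest = m.group(1).lower()
        if digest in SHA256_TO_LABEL:
            hits.append((m.group(2), SHA256_TO_LABEL[digest]))
    return hits


def match_packages(pm_list_output):
    """Parse `adb shell pm list packages` lines ("package:<name>") and return hits."""
    hits = []
    for line in pm_list_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg = line[len("package:"):]
        if pkg in PACKAGE_TO_LABEL:
            hits.append((pkg, PACKAGE_TO_LABEL[pkg]))
    return hits


def is_c2_host(host):
    """True if host is a published C&C host, its registered domain, or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def match_dns_log(log_text):
    """Return (line_no, host) for each query whose host matches a C&C domain.
    Assumed (constructed) log format: "<timestamp> <client> query <type> <host>"."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "query" and is_c2_host(parts[4]):
            hits.append((n, parts[4]))
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not real device output or real logs.
    sha_out = (
        "38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24  pulled/win7imulator.apk\n"
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  pulled/benign.apk\n"
    )
    pm_out = "package:com.android.chrome\npackage:com.tassaly.flappybird\n"
    dns_log = (
        "2019-01-03T10:22:14Z 10.0.0.5 query A www.google.com\n"
        "2019-01-03T10:22:15Z 10.0.0.5 query A www.mobistartapp.com\n"
        "2019-01-03T10:22:16Z 10.0.0.7 query A api.seepano.com\n"
    )
    print("APK hashes:", match_hashes(sha_out))
    print("Packages:  ", match_packages(pm_out))
    print("DNS:       ", match_dns_log(dns_log))
```

A hash hit is the strongest evidence, but only for the exact samples listed; a package-name hit on a device should be followed by pulling the APK (`adb shell pm path <package>`, then `adb pull`) and hashing it, since a later build of the same app would not match the published hashes. The DNS check is the one that scales across a fleet, which is why it is widened to the registered domain.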