Kaspersky Researcher: Smartphone Users Should Beware Of Covert Trojans In Apps

Users in Indonesia are also targets for hidden trojans in applications (photo: Kaspersky)

JAKARTA - With the number of smartphone users continuing to increase today, mobile application development has become a rapidly growing industry. Today there are millions of apps to help users with almost every aspect of their daily lives, from entertainment to billing and banking.

With this in mind, cybercriminals are working hard to develop their own apps and take advantage of users who are not vigilant enough.

Kaspersky researchers have observed scammers actively deploying Trojans, and secretly subscribing to paid services, masquerading as various mobile apps, including popular games, healthcare apps, and photo editors. Most of these Trojans request access to user messages and notifications, so that scammers can then prevent messages containing confirmation codes.

Users do not consciously subscribe to this service, but instead become victims of cybercriminals. For example, users fail to read the fine print and, before they know it, they have paid for a horoscope app. Victims often don't realize these subscriptions exist until their cell phone accounts show something wrong.

According to Kaspersky researchers, the most widely spread Trojans that register users to unwanted subscriptions are:

joker

Trojans from the Trojan.AndroidOS.Jocker family can intercept code sent in text messages and bypass anti-fraud solutions. They are usually spread on Google Play, where scammers download legitimate apps from stores, add malicious code to them, then re-upload them under a different name.

In most cases, these trojan-infected applications fulfill their purpose and users never suspect that they are the source of the threat. So far in 2022, Jocker has attacked users the most in Saudi Arabia (21.20 percent), Poland, (8.98 percent) and Germany (6.01 percent).

MobOk

MobOk is considered to be the most active subscription Trojan with more than 70 percent of mobile users having encountered this threat. The MobOk Trojan is well known for its additional capabilities, apart from reading the code from messages, allowing it to bypass CAPTCHAs. MobOK does this by automatically sending images to a service designed to parse the displayed code.

Since the beginning of the year, MobOk Trojan most frequently attacks users in Russia (31.01 percent), India (11.17 percent) and Indonesia (11.02 percent).

Vesub

The Vesub Trojan is distributed through unofficial sources and imitates games to popular applications, such as GameBeyond, Tubemate, Minecraft, GTA5, and Vidmate. This malware opens an invisible window, asks for a subscription, and then enters a code that is intercepted from text messages that victims receive. After that the user subscribes to the service without their knowledge or consent.

Most of these apps have no legitimate functionality. They instantly make users subscribe as soon as they are launched, while victims only see a loading window. However, there are instances, such as the fake GameBeyond app, where the detected malware is actually accompanied by a random set of functional games.

Two out of five users who encountered the Vesub trojan were in Egypt (40.27%). This Trojan family has also been active in Thailand (25.88%) and Malaysia (15.85%).

GriftHorse.l

Unlike what was mentioned above, this one Trojan does not enter the victim into a third-party subscription service, but uses its own. Users end up subscribing to one of these services simply by not reading the user agreement carefully.

For example, there is an application that has recently spread intensively on Google Play, offering to customize a personal weight loss plan for a token fee. The application contains small print stating the subscription fee with automatic billing. This means the money will be deducted from the user's bank account automatically without the need for further confirmation from the user.

“Apps can help us stay connected, fit, entertained and in general make our lives easier. There are several mobile apps popping up every day, for every taste and purpose. Unfortunately, cybercriminals are using this to their advantage,” comments Igor Golovin, security expert at Kaspersky.

Igor also sees some apps designed to steal money by getting users to subscribe to unwanted services. According to Igor, this threat can be prevented, and that is why it is important to know the signs that indicate a Trojan application.

“Even if you trust the app, you should avoid giving it too many permissions and access. Only allow access to notifications for apps that need them and to perform their intended purpose, for example, to transfer notifications to a wearable device. Apps like themed wallpapers or photo editing don't need access to your notifications."