Android malware poses as top apps to steal data — Google, Instagram, WhatsApp all spoofed

Android Logo
(Image credit: Google)

Multiple malicious Android applications have been spotted masquerading as some of the platform’s most popular tools, but anyone installing the imposters might get their login credentials or other, very sensitive information stolen from their device.

A report from cybersecurity researchers SonicWall Capture Labs described observing multiple apps pretending to be Google, Instagram, Snapchat, WhatsApp, Twitter, and others, mostly by using icons that look almost identical to the ones used by legitimate apps. 

"This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices," the researchers said. They did not discuss who the cybercriminals behind the campaign are, or how they go about distributing these apps. An educated guess would be through fake websites, instant messaging platforms, phishing, and more.

Increasing sophistication

The most popular targets are the Indonesian community, as well as the wider APAC region, we were told. The identity of the attackers is unknown at this time, but the researchers said the campaign has some similarities to the AIRAVAT Android RAT. 

Once the malware is installed on the Android device, it will first ask for Accessibility Service and Device Admin Permission permissions (the latter is present in older models), which should be enough of a red flag for anyone. 

Still, if the victim grants these permissions, the app can then connect to its command-and-control (C2) server to receive further commands for execution, access the device’s contact lists, SMS messages, call logs, and the list of installed apps. It can also send SMS messages; open phishing pages on the web browser, and toggle the camera flashlight.

The best way to protect against malicious Android apps is to only download them from legitimate sources, always double-check the ratings and user reviews, and be mindful of the permissions the app is requesting upon installation.

May 15 edit - added additional information from SonicWall regarding the most common victims and possible identity of the attackers.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.