Google Chrome is the world’s most popular browser. So when a “very dangerous,” fraudulent update is caught stealing private data, messages and photos, it’s a cause for serious concern.
2/11 update below, article originally published 2/9.
An alarming new report from McAfee this week warns Android users to refrain from clicking any message links that install Chrome updates on their devices. MoqHao malware is hiding within those downloads with a nasty twist—one which the security researchers describe as a new, “very dangerous technique.”
“While the app is installed,” the researchers warn, “their malicious activity starts automatically. We have reported this technique to Google and they are already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version.”
This malicious campaign distributes the MoqHao malware through SMS messages—with another twist. The threat actors have started using short URLs from legitimate services, given that “it is difficult to block the short domain because it could affect all the URLs used by that service. [But] when a user clicks on the link in the message, it will be redirected to the actual malicious site by the URL shortener service.”
Once installed, the fraudulent Chrome update then asks for expansive user permissions, including access to SMS, photos, contacts and even the phone itself. The malware is designed to run in the background, connecting to its command and control server and moving data to and from the device, so the damage mounts the longer it stays installed.
McAfee attributes this MoqHao (XLoader) campaign to the Roaming Mantis group—a threat actor that usually operates in Asia. However, McAfee notes that this specific campaign also appears to target users in Europe. One of the languages programmed into the campaign is English, which means U.S. users are also in range.
If you look carefully, you can see that the messaging uses Unicode characters to trick users into thinking it’s a legitimate Chrome update. “This technique makes some characters appear bold, but users visually recognize it as ‘Chrome’,” McAfee says, also warning that “this may affect app name-based detection techniques that compare app name (Chrome) and package name (com.android.chrome).”
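The app-name trick McAfee describes is easy to see once the label is normalized. The following is an added example (not McAfee's or Google's code) showing how a naive "does the label say Chrome?" check passes a Mathematical Bold look-alike, and how folding the label with Unicode NFKC before comparing it with the package name catches it. The sample app records and the allow-list of known label/package pairs are constructed for the example.

```python
import unicodedata

# Constructed sample app records, as an installer or an on-device scanner
# might see them. The second label is "Chrome" spelled with Mathematical Bold
# letters from the U+1D400 block: it renders as a bold "Chrome" but contains
# none of the ASCII letters a plain string comparison expects.
SAMPLE_APPS = [
    {"label": "Chrome", "package": "com.android.chrome"},
    {"label": "\U0001D402\U0001D421\U0001D42B\U0001D428\U0001D426\U0001D41E",
     "package": "com.example.fakeupdate"},          # constructed package name
    {"label": "Weather", "package": "com.example.weather"},  # constructed, benign
]

# Constructed allow-list: the label a legitimate package is expected to carry.
KNOWN_LABELS = {"com.android.chrome": "Chrome"}


def naive_is_chrome(label):
    """The brittle check: exact comparison of the displayed label."""
    return label == "Chrome"


def normalize_label(label):
    """Fold compatibility characters (math bold, fullwidth, etc.) to base letters."""
    return unicodedata.normalize("NFKC", label)


def uses_compat_chars(label):
    """True if NFKC folding changes the label, i.e. it contains look-alike glyphs."""
    return normalize_label(label) != label


def check_app(app):
    """Return a list of reasons the app looks like an impersonation (empty if clean)."""
    folded = normalize_label(app["label"]).casefold()
    reasons = []
    if uses_compat_chars(app["label"]):
        reasons.append("label contains Unicode compatibility characters")
    for package, expected in KNOWN_LABELS.items():
        if folded == expected.casefold() and app["package"] != package:
            reasons.append(
                f"label reads as '{expected}' but package is {app['package']}, not {package}"
            )
    return reasons


def scan(apps):
    """Map each flagged package name to its list of reasons."""
    return {a["package"]: r for a in apps if (r := check_app(a))}


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(repr(app["label"]), "naive:", naive_is_chrome(app["label"]),
              "folded:", normalize_label(app["label"]), "reasons:", check_app(app))
```

The point of the folding step is that detection keyed on the display name must compare the normalized label, not the raw string; the raw bold string is neither equal to "Chrome" nor matched by a substring search, so a check that only looks for the literal name misses exactly the case the report describes.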
It’s only February, and this is the third headline-generating Android malware alert of the year so far. We have seen VajraSpy, SpyLoan and Xamalicious. We have also seen a wider warning about copycat apps, which echoes what we’re seeing here. As for this one specifically, McAfee warns that “we expect this new variant to be highly impactful because it infects devices simply by being installed without execution.”
“Copycat apps are simple to produce,” warns ESET’s Jake Moore. “Downloading and installing a malicious app on your phone can lead to a number of disasters, including theft of personal data, compromise of banking information, poor device performance, intrusive adware and even spyware monitoring your conversations and messages.”
As I’ve said repeatedly this year, the timing here is potentially even more notable than the malware itself. Europe’s Digital Markets Act is effecting substantial changes to the apps and platforms we use most. And that includes app stores.
Apple is reluctantly opening up its own for the first time, but is warning of the dangers to users as it does so. “These new regulations, while they bring new options for developers, also bring new risks. There’s no getting around that,” Apple’s Phil Schiller has warned, with malware top of the list of those concerns.
In response to the McAfee report, a Google spokesperson told me that “Android has multi-layered protections that help keep users safe,” and, as noted in the McAfee report, that “Android users are currently protected against this by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
Google also confirmed that it had worked with McAfee on addressing this new malware threat, as it’s one of its App Defense Alliance partners.
Google’s focus on and promotion of its Play Store ecosystem—including Play Protect—is laudable and is certainly making a difference. The issue, though, is that it requires a better software and security update process than exists today.
Android’s fragmented ecosystem has always lagged materially behind Apple’s command-and-control structure when it comes to keeping devices updated and responding to issues in real time. Relying on device OEMs to do much of this work leaves Google without the same levers of control as Apple, and it shows.
And in a twist of timing, we are seeing this very issue play out at the moment.
As Ars Technica reported this weekend, “we’re a third of the way through February, but Android’s January 2024 Google Play System update is just now rolling out. The now-infamous update originally rolled out at the beginning of January but was pulled after it started locking users out of their phone’s local storage. Apparently, the update has been fixed and is rolling back out to devices.”
But at least now—as of this weekend—it appears to be fixed. Although Ars Technica warns that “the update was the second time in four months that an automatic Android update broke some Pixel phones… Those issues all make updating a Pixel phone a scary proposition lately.”
And while that update issue relates to Pixel phones, Samsung has its own issues, as SamMobile explains. “Usually, it’s the flagship devices that receive monthly security updates and the mid-range and budget ones that get quarterly updates, but it’s not always that clear-cut. Some devices may get monthly updates for the first year or two after they hit the market and then be moved to the quarterly schedule, while some may be relegated to quarterly updates from day one.”
All of which means that there is a real need for user common sense and good practice to stay safe. The advice remains very, very simple. Never click on links such as those seen in this latest campaign—and definitely do not install apps directly from links. This was central to ESET’s copycat app warning. You should also never agree to permission requests that aren’t core to an app’s specific functionality.
Here are the golden rules for apps and updates:
- Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load.
- Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
- Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
- Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
- Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.