Security researchers recently discovered a new malware that masquerades itself as a number of popular apps, including WhatsApp, Uber and Google Play, to try and trick unsuspecting users to provide their credit card data.
According to the researchers at security firm FireEye, the malware has been spreading via an SMS (short message service) phishing campaign in which the hackers send off text messages with a malicious link.
“After landing on the user’s device, the malware launches a process to monitor which app is running in the foreground on the compromised device,” explained FireEye researchers in a blog post.
“When the user launches a benign app into the foreground that the malware is programmed to target (such as a banking app), the malware overlays a phishing view on top of the benign app. The unwary user, assuming that they are using the benign app, will enter the required account credentials, which are then sent to remote C2 servers controlled by threat actors,” said the researchers.
The researchers warned the malware has been primarily targeting Android users in Denmark and Italy. However, developing activity has also been seen in other European countries, including Germany, Austria and the UK.
From February 2016 to June 2016, security researchers said they observed over 50 malicious campaigns in Europe – all of which were using the overlay technique in an attempt to phish users’ banking credentials.
In more recent campaigns, the malware was leveraged to spoof the interfaces of highly downloaded apps, such as the popular messaging service WhatsApp or the Android app store, Google Play.
“Threat actors usually want to gain the largest financial benefit, so they typically target these apps that have a large user base,” FireEye researcher Wu Zhou told PC World.
Researchers also warned that newer versions of the malware have become more difficult to detect. As of June, only six out of 54 anti-virus tools could identify the malware samples as malicious.