Threat hunters have discovered a new variant of MoqHao, an Android malware family, that executes on infected devices without the user ever launching the app.
According to a report released this week by McAfee Labs, "Typical MoqHao requires users to install and launch the app to achieve their desired purpose, but this new variant requires no execution." Its malicious activity begins automatically as soon as the app is installed.
Android users in France, Germany, India, Japan, and South Korea are among the campaign's targets.
MoqHao, also known as Wroba and XLoader (not to be confused with the Windows and macOS malware of the same name), is an Android mobile threat attributed to the Chinese-speaking Roaming Mantis (also called Shaoye) group.
Typical attack chains start with SMS messages using package-delivery themes and carrying malicious links. When the link is opened on an Android device, the malware is delivered; on other devices, users are instead redirected to credential-harvesting websites that mimic Apple's iCloud login page.
Sekoia described a campaign that compromised at least 70,000 Android devices in France in July 2022. As of early last year, updated MoqHao versions had also been observed infiltrating Wi-Fi routers and carrying out Domain Name System (DNS) hijacking, demonstrating the adversary's continued investment in its arsenal.
The most recent iteration of MoqHao is still distributed through smishing. What has changed is that the malicious payload now runs automatically upon installation and prompts the victim to grant it risky permissions without the app being launched, a behavior previously observed in bogus apps carrying the HiddenAds malware.
To increase the likelihood of the attack succeeding, URL shorteners are used to hide the links shared in the SMS messages. The message text itself is pulled from the bio (or description) field of fake Pinterest profiles created for this purpose.
MoqHao has a number of features that enable it to covertly gather sensitive data, including device metadata, contacts, SMS messages, and photos. It can also call specific numbers in silent mode and enable or disable Wi-Fi.
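The capabilities listed above map onto a handful of standard Android permissions, so a quick manifest triage is often the first check an analyst runs on a suspicious delivery-themed APK. The following is an added example written for this page, not McAfee's tooling or anything from the MoqHao report: it parses a decoded AndroidManifest.xml and groups requested permissions by the capability they would enable. The permission names are the real Android constants; the grouping into capability buckets, the threshold, and both sample manifests (including the package name and label) are this example's own assumptions and constructed input.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # Clark notation for android:name

# Standard Android permissions grouped by the capabilities the article attributes
# to MoqHao. The grouping is this example's assumption, not a published IOC list.
RISKY_PERMISSIONS = {
    "sms": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
    "contacts": {"android.permission.READ_CONTACTS"},
    "photos": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.READ_MEDIA_IMAGES",
    },
    "device_metadata": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.READ_PHONE_NUMBERS",
    },
    "silent_calls": {"android.permission.CALL_PHONE"},
    "wifi_control": {"android.permission.CHANGE_WIFI_STATE"},
}


def requested_permissions(manifest_xml):
    """Return the set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def flag_risky_permissions(manifest_xml):
    """Return {capability: sorted matching permissions} for each capability the manifest covers."""
    requested = requested_permissions(manifest_xml)
    hits = {}
    for capability, perms in RISKY_PERMISSIONS.items():
        matched = sorted(requested & perms)
        if matched:
            hits[capability] = matched
    return hits


def triage_verdict(manifest_xml, threshold=3):
    """Heuristic verdict: suspicious when at least `threshold` capability groups are requested.

    A delivery-tracking app has no business reading SMS, contacts and placing calls;
    the threshold is an assumed starting point, tune it for your own corpus.
    """
    hits = flag_risky_permissions(manifest_xml)
    return len(hits) >= threshold, hits


# Constructed sample: what a decoded manifest of a fake parcel-tracking app might request.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakedelivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application android:label="Delivery Tracker"/>
</manifest>
"""

# Constructed benign counterpart: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        suspicious, hits = triage_verdict(manifest)
        print(f"{label}: suspicious={suspicious}")
        for capability, perms in hits.items():
            print(f"  {capability}: {', '.join(perms)}")
```

The manifest inside an APK is binary-encoded; decode it first (for example with apktool or androguard) and feed the resulting XML to `flag_risky_permissions`. Permissions are only declared intent, so treat a hit as a reason to look at the code, not as a verdict on its own.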
McAfee said it reported the findings to Google, which is "already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version."
Separately, a previously undocumented cybercrime syndicate tracked as Bigpanzi has been linked to the compromise of Android-based smart TVs and set-top boxes (STBs), which it enlists into a botnet used for distributed denial-of-service (DDoS) attacks. The findings were published by Chinese cybersecurity company QiAnXin.
The operation, active since at least 2015, is thought to control a botnet of roughly 170,000 daily active bots, most of them in Brazil. Since August 2023 alone, Bigpanzi has been tied to 1.3 million distinct Brazilian IP addresses.
Infections occur when users are lured into downloading booby-trapped apps for streaming pirated movies and TV shows from shady websites. Doctor Web, a Russian antivirus vendor, first documented the campaign in September 2023.
According to QiAnXin researchers, "once installed, these devices become operational nodes within their illicit streaming media platform, catering to services like traffic proxying, DDoS attacks, OTT content provision, and pirate traffic."
"Social order and stability are seriously threatened by the potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content or to use increasingly convincing AI-generated videos for political propaganda."