Mobile & Gadgets

Android Malware Passes Off as Authentic App for Fraud

Android users are at risk as malware passing itself off as the user interface of popular apps launches phishing campaigns over SMS to steal credit card information. Phishing messages claiming to be from the post office were the most successful, claiming a little over 80% of clicks.

The overlay technique is difficult to detect and was the preferred hacking strategy for banking apps, as it creates an identical phishing interface.

As hackers target apps with large client pools, victims so far include users of Uber, WhatsApp, Google Play, YouTube and Chinese messaging app WeChat. Countries targeted so far are Denmark, Italy, Germany, the United Arab Emirates, Latvia and the Netherlands.

The phishing campaigns spread through SMS texts which tell the user that an order hasn’t been confirmed. When clicking on the link in the message, the mobile is infected with malware. At least 130,000 clicks have been reported for one campaign.

As of February 2106, 55 malicious programs using the same technique have been detected. These programs create an overlay that asks users to insert their credit card information. This is ultimately sent to the remote C2 servers of the hacker, who will use it for financial gain.

More recently launched programs are difficult to detect due to “obfuscation techniques adopted to evade detection,” so users are advised to take more caution when receiving text messages or when downloading applications.

To keep safe from such attacks, users are advised to avoid installing applications from suspicious sources, clicking on unusual links or performing transactions via insecure Wi-Fi networks.

About the author


From a young age, Luana knew she wanted to become a writer. After having addressed topics such as NFC, startups, and tech innovation, she has now shifted focus to internet security, with a keen interest in smart homes and IoT threats. Luana is a supporter of women in tech and has a passion for entrepreneurship, technology, and startup culture.

1 Comment

Click here to post a comment
  • I'm not sure I understand. Is it just a website that's dressed in what looks like WhatsApp's interface? Or is there actual WhatsApp malware? Not that I'd be affected,I use the secure Threema. ;-) Just wondering.