{"id":162353,"date":"2022-11-30T10:41:29","date_gmt":"2022-11-30T18:41:29","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=162353"},"modified":"2023-07-11T11:23:20","modified_gmt":"2023-07-11T18:23:20","slug":"fake-security-app-found-abuses-japanese-payment-system","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/fake-security-app-found-abuses-japanese-payment-system\/","title":{"rendered":"Fake Security App Found Abuses Japanese Payment System"},"content":{"rendered":"

Authored by <\/span>SangRyol<\/span> Ryu<\/span> and Yukihiro <\/span>Okutomi<\/span><\/span>\u00a0<\/span><\/p>\n

McAfee<\/span>\u2019s<\/span> Mobile <\/span>Research <\/span>t<\/span>eam <\/span>recently <\/span>analyzed new<\/span> malware targeting <\/span>mobile payment <\/span>users in Japan.<\/span> The malware <\/span>which<\/span> was<\/span> distributed on <\/span>the <\/span>Google Play <\/span>store <\/span>pretends <\/span>to be<\/span> a <\/span>legitimate <\/span>mobile security <\/span>app,<\/span> but<\/span> it<\/span> is<\/span> in fact<\/span> a<\/span> payment <\/span>fraud <\/span>malware<\/span> stealing <\/span>passwords <\/span>and abusing reverse proxy<\/span> targeting the mobile payment services<\/span>.<\/span> McAfee<\/span> researchers <\/span>notified Google of<\/span> the malicious apps<\/span>,<\/span> <\/span>\u30b9\u30de\u30db\u5b89\u5fc3\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3<\/span><\/span>, or \u2018Smartphone Anshin Security<\/span>\u2019<\/span>, package name<\/span> \u2018<\/span>com.z.cloud.px.app<\/span>\u2019<\/span> and <\/span>\u2018<\/span>com.z.px.ap<\/span>px<\/span>\u2019<\/span>. <\/span>The applications are no longer available <\/span>on Google Play. <\/span>Google Play Protect<\/span> has also taken steps <\/span>to protect users <\/span>by disabling the apps <\/span>and providing<\/span> a<\/span> warning. <\/span>McAfee Mobile Security products detect this threat as Android\/<\/span>ProxySpy<\/span>.<\/span>\u00a0<\/span><\/span>\u00a0<\/span><\/p>\n

How do victims install this malware?<\/span>\u00a0<\/span><\/h2>\n

The malware actor <\/span>continues to publish <\/span>malicious <\/span>apps<\/span> on <\/span>the <\/span>Google Play<\/span> Store<\/span> with various <\/span>developer<\/span> accounts<\/span>.<\/span> According to the information<\/span> <\/span>posted<\/span><\/span><\/a> on Twitter <\/span>by <\/span><\/span>Yus<\/span>u<\/span>ke Osumi<\/span><\/span><\/a>, Security Researcher at Yahoo! <\/span>Japan,<\/span> the attacker sends<\/span> SMS<\/span> messages<\/span> from overseas<\/span> with <\/span>a <\/span>Google Play link <\/span>to lure <\/span>user<\/span>s<\/span> to install the malware.<\/span> To attract more user<\/span>s<\/span>, the message <\/span>en<\/span>tices users to update security software.<\/span><\/span>\u00a0<\/span><\/p>\n

\"A<\/p>\n

A SMS message from <\/span>F<\/span>rance<\/span> (from<\/span> Twitter post by <\/span>Yusuke<\/span>)<\/span><\/p>\n

\"malware<\/p>\n

Malware on Google Play<\/span><\/span>\u00a0<\/span><\/p>\n

The Mobile Research team also found that the malware actor uses Google Drive to distribute the malware. In contrast to installing an application after downloading an APK file, Google Drive allows users to install APK files without leaving any footprint and makes the installation process simpler. Once the user clicks the link, there are only a few more touches required to run the application. Only three clicks are enough if users have previously allowed the installation of unknown apps on Google Drive.<\/span>\u00a0<\/span><\/p>\n

Following notification from McAfee researchers, Google has removed known Google Drive files associated with the malware hashes listed in this blog post.<\/span>\u00a0<\/span><\/p>\n

 <\/p>\n