OSCORP—A New Android Malware

Oscorp, a new Android malware, was recently identified by experts at Italy’s CERT-AGID. The malware ships inside an APK (Android Application Package) and targets the user’s data. Its key trick is persuading the user to grant it access to the Android Accessibility Service.

How does it work?

The experts identified a domain name, “supportoapp.com”, that distributes the file “Client assistance.apk”. Once the “Customer Protection” application is installed, it urges the device user to activate the accessibility service.

Oscorp uses the G2 (Geny2) service to make the user give it access. Once the accessibility service is activated, the malware uses it to grant itself further permissions automatically. It also reopens the Settings screen every eight seconds, with the intention of forcing the user to grant the remaining requested permissions.

List of Permissions:

The list of permissions includes:

  1. CAMERA
  2. CALL_PHONE
  3. INTERNET
  4. READ_SMS
  5. READ_PHONE_STATE
  6. DISABLE_KEYGUARD
  7. RECEIVE_SMS
  8. RECEIVE_MMS
  9. SEND_SMS
  10. RECORD_AUDIO
  11. SYSTEM_ALERT_WINDOW
  12. WRITE_EXTERNAL_STORAGE
  13. WRITE_SMS
  14. INJECT_EVENTS
  15. PACKAGE_USAGE_STATS
  16. READ_PRIVILEGED_PHONE_STATE
  17. ACCESS_NETWORK_STATE
  18. ACCESS_SUPERUSER
  19. MODIFY_AUDIO_SETTINGS
  20. READ_EXTERNAL_STORAGE
  21. RECEIVE_BOOT_COMPLETED
  22. REQUEST_DELETE_PACKAGES
  23. REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  24. REQUEST_INSTALL_PACKAGES
  25. WAKE_LOCK
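
A permission bundle like this one, combined with a declared accessibility service, is a useful triage signal for defenders. The following is an added example, not code from the post or from CERT-AGID: it scans a decoded AndroidManifest.xml for the high-risk permissions listed above and for a service guarded by BIND_ACCESSIBILITY_SERVICE. The package name, service name and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions from the post that hand an app control over SMS, calls, overlays,
# package installation and input injection; several together is a red flag.
HIGH_RISK = {
    "SEND_SMS", "READ_SMS", "RECEIVE_SMS", "WRITE_SMS", "CALL_PHONE",
    "SYSTEM_ALERT_WINDOW", "REQUEST_INSTALL_PACKAGES", "REQUEST_DELETE_PACKAGES",
    "INJECT_EVENTS", "DISABLE_KEYGUARD", "RECORD_AUDIO", "ACCESS_SUPERUSER",
    "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "READ_PRIVILEGED_PHONE_STATE",
}

def triage_manifest(xml_text: str) -> dict:
    """Return the high-risk permissions requested and whether an accessibility service is declared."""
    root = ET.fromstring(xml_text)
    # Keep only the short permission name, e.g. android.permission.SEND_SMS -> SEND_SMS
    requested = {
        el.get(NAME_ATTR, "").rsplit(".", 1)[-1]
        for el in root.iter("uses-permission")
    }
    # A real accessibility service must be protected by BIND_ACCESSIBILITY_SERVICE
    accessibility = any(
        svc.get(PERM_ATTR, "").endswith("BIND_ACCESSIBILITY_SERVICE")
        for svc in root.iter("service")
    )
    risky = sorted(requested & HIGH_RISK)
    return {
        "high_risk": risky,
        "accessibility_service": accessibility,
        "suspicious": accessibility and len(risky) >= 3,  # threshold is an assumption
    }

# Constructed sample manifest (not the real Oscorp APK) showing the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.customerprotection">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest decoded with apktool or a similar tool; a hit is a reason to inspect the APK further, not proof of malice on its own.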


Threats:

The malware can perform the following functions once the user enables the accessibility service:

  1. Keylogging, which lets the attacker steal sensitive information typed by the user.
  2. Automatically obtaining the permissions and capabilities the malware requires.
  3. Uninstalling applications on the victim’s device.
  4. Stealing system information such as the model number and operator.
  5. Making calls automatically.
  6. Sending text messages without the user’s consent.
  7. Stealing sensitive information, including credentials and cryptocurrency wallet addresses.
  8. Stealing the PIN for Google’s 2FA (two-factor authentication).

To go unnoticed, the malware blocks well-known antivirus apps such as Avast, Avira, and ESET.

How to Defend?

The best defense is to turn off accessibility services when they are not needed. Installing applications only from the Google Play Store also helps. Sideloading APK files can be dangerous if the source is untrustworthy.
