
OSCORP—A New Android Malware
Oscorp, a new Android malware, was recently identified by experts at Italy’s CERT-AGID. The malware hides inside an APK (Android Application Package) and targets the user’s data, tricking the user into granting it access to the Android Accessibility Service.
How does it work?
The experts identified the domain name “supportoapp.com”, which served the file “Client assistance.apk”. Once the “Customer Protection” application is installed, it urges the user of the device to enable the accessibility service.
Oscorp uses the G2 (Geny2) service to make the user grant that access. Once the accessibility service is enabled, the malware automatically enables some permissions for itself, and it keeps reopening the Settings screen every eight seconds to pressure the user into granting the remaining permissions it requests.
List of Permissions:
The list of permissions includes:
- CAMERA
- CALL_PHONE
- INTERNET
- READ_SMS
- READ_PHONE_STATE
- DISABLE_KEYGUARD
- RECEIVE_SMS
- RECEIVE_MMS
- SEND_SMS
- RECORD_AUDIO
- SYSTEM_ALERT_WINDOW
- WRITE_EXTERNAL_STORAGE
- WRITE_SMS
- INJECT_EVENTS
- PACKAGE_USAGE_STATS
- READ_PRIVILEGED_PHONE_STATE
- ACCESS_NETWORK_STATE
- ACCESS_SUPERUSER
- MODIFY_AUDIO_SETTINGS
- READ_EXTERNAL_STORAGE
- RECEIVE_BOOT_COMPLETED
- REQUEST_DELETE_PACKAGES
- REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
- REQUEST_INSTALL_PACKAGES
- WAKE_LOCK
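A defender-side way to use this list, as an added example that is not from the CERT-AGID report or this article: a Python triage helper that reads an APK's decoded AndroidManifest.xml (assumed already extracted, for instance with apktool) and flags the combination of a declared accessibility service with the SMS and overlay/input permissions listed above. The sample manifest and service name are constructed for illustration; common permissions such as INTERNET are deliberately not scored.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions named in the article, grouped by the capability they give the malware.
# INTERNET, ACCESS_NETWORK_STATE and storage permissions are too common in benign apps to score.
OSCORP_PERMISSIONS = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "WRITE_SMS", "RECEIVE_MMS"},
    "overlay_or_input": {"SYSTEM_ALERT_WINDOW", "INJECT_EVENTS", "DISABLE_KEYGUARD"},
    "telephony": {"CALL_PHONE", "READ_PHONE_STATE", "READ_PRIVILEGED_PHONE_STATE"},
    "package_control": {"REQUEST_INSTALL_PACKAGES", "REQUEST_DELETE_PACKAGES",
                        "PACKAGE_USAGE_STATS", "ACCESS_SUPERUSER"},
    "persistence": {"RECEIVE_BOOT_COMPLETED", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "WAKE_LOCK"},
    "surveillance": {"CAMERA", "RECORD_AUDIO"},
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(xml_text: str) -> dict:
    """Report which permission groups a decoded manifest requests and whether it
    also declares an accessibility service; escalate on the Oscorp-style combination."""
    root = ET.fromstring(xml_text)
    # Strip the 'android.permission.' prefix so names match the table above.
    requested = {p.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
                 for p in root.iter("uses-permission")}
    hits = {group: sorted(requested & perms)
            for group, perms in OSCORP_PERMISSIONS.items() if requested & perms}
    # A <service> protected by BIND_ACCESSIBILITY_SERVICE is the coercion channel described above.
    accessibility = any(s.get(ANDROID_NS + "permission") == BIND_A11Y
                        for s in root.iter("service"))
    # Accessibility plus SMS plus overlay/input covers both the forced permission grants
    # and the 2FA-code theft the article describes, so that trio is what we escalate on.
    suspicious = accessibility and {"sms", "overlay_or_input"}.issubset(hits)
    return {"accessibility_service": accessibility,
            "permission_groups": hits, "suspicious": suspicious}

# Constructed sample manifest (not a real Oscorp artefact) requesting a subset of the listed permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".ConstructedA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```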
Threats:
The malware can perform the following functions once the user enables the accessibility service:
- Keylogging, which lets the attacker steal sensitive information the user types.
- Automatically obtaining the permissions and capabilities the malware needs.
- Uninstalling applications from the victim’s device.
- Stealing system information such as the model number and operator.
- Making calls automatically.
- Sending text messages without consent.
- Stealing sensitive information, including credentials and cryptocurrency wallet addresses.
- Stealing the PIN for Google’s 2FA (two-factor authentication).
To avoid detection, the malware blocks the most widely used and well-known antivirus products, such as Avast, Avira, and ESET.
How to Defend?
The best defence is to turn off accessibility services when they are not needed. Installing applications only from the Google Play Store helps; installing from APK files can be dangerous when the source is untrustworthy.