OSCORP—A New Android Malware

Oscorp a new android malware recently got identified by Italy’s CERTAGID experts. This malware hides in the APK(Android Application Package) and then attacks the user’s data. It tricks the user to grant access to the Android Accessibility Service.

How does it work?

A domain name “supportoapp.com” was identified by the experts. This domain is responsible for integrating the file “Client assistance.apk”.Once the “Customer Protection” application is installed, it urges the device used to activate the accessibility service.

The malware Oscorp uses the G2 (Geny2) service to make the user give access. Once it gets activated, it automatically activates some permissions. The malware continuously reopens the Settings every eight seconds with an intention to force the user to grant certain requested permissions.

List of Permissions:

The list of permissions include:

1. CAMERA
2. CALL_PHONE
3. INTERNET
4.  READ_SMS
5.  READ_PHONE_STATE
6. DISABLE_KEYGUARD
7. RECEIVE_SMS
8. RECEIVE_MMS
9. SEND_SMS
10. RECORD_AUDIO
11. SYSTEM_ALERT_WINDOW
12. WRITE_EXTERNAL_STORAGE
13. WRITE_SMS
14. INJECT_EVENTS
15. PACKAGE_USAGE_STATS
16. READ_PRIVILEGED_PHONE_STATE
17. ACCESS_NETWORK_STATE
18. ACCESS_SUPERUSER
19. MODIFY_AUDIO_SETTINGS
20. READ_EXTERNAL_STORAGE
21. RECEIVE_BOOT_COMPLETED
22. REQUEST_DELETE_PACKAGES
23. REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
24. REQUEST_INSTALL_PACKAGES
25. WAKE_LOCK

Threats:

The malware can perform the following functions once the user enables the accessibility service:

1. Enabling keylogger functionality. This enables the attacker to steal sensitive information that is typed by the user.
2. Automatically obtain the permissions and capabilities required by the malware.
3. It has the ability to uninstall applications on the victim’s device.
4. It steals the system information like model number, operator, etc.
5. It can automatically make calls.
6. Send text messages without consent.
7. Theft of sensitive information including credentials and wallet addresses of cryptocurrency.
8. Stealing of PIN for Google’s 2FA(two-factor authentication).

To go unnoticed the malware blocks the most efficient and widely known antiviruses such as Avast, Avira, and ESET.

How to Defend?
The best one can do to defend is to turn off accessibility services when not needed. Downloading and installing applications from the Google Play Store helps. Downloading from APK files can be dangerous if the source is untrustworthy.