A new Android malware campaign has been uncovered by security researchers that mimics the user interfaces of popular apps like WhatsApp, Uber, Google Play, WeChat and others to trick Android users into divulging their credit card details.

Cybersecurity firm FireEye has uncovered several strains of malware spreading via SMS phishing campaigns, which have so far targeted Android users in Germany, Austria, Italy, Denmark and Russia. The firm pointed out that other European countries could also be impacted by the malware.

"Through our close monitoring of overlay malware spreading via Smishing messages, we recently observed that these types of attacks did not stop despite publicity from security researchers," FireEye highlighted. The firm also pointed out that "the malware code has been evolving over time. The malware author(s) seems to be working diligently to improve the code by adding new target apps, obfuscating the code to evade detection, and trying to bypass App Ops restrictions."

Smishing campaign targets victims via SMS

"Smishing (SMS phishing) offers a unique vector to infect mobile users. The latest Smishing campaigns spreading in Europe show that Smishing is still a popular means for threat actors to distribute their malware," FireEye researchers said.

The firm explained that hackers send victims SMS messages with an embedded link that redirects users to the malware app. Once installed, the malware has been designed to stay dormant until it detects users launching a benign app, like a banking app, after which it activates itself and presents an overlay phishing view over the benign app. "The unwary user, assuming that they are using the benign app, will enter the required account credentials, which are then sent to remote C2 servers controlled by threat actors," FireEye said.

Android malware targets victims in Europe masquerading as WhatsApp, Uber and Google Play
Between February and June 2016, FireEye uncovered 55 malicious campaigns in Europe Reuters

Growing by leaps and bounds

Between February and June 2016, FireEye uncovered 55 malicious campaigns in Europe. "All the malware samples use the same view overlay technique to phish banking credentials, and all share the same C2 communication protocol," FireEye added. The recent modifications made to the malware also indicate that "threat actors are actively improving their code".

Shortened URLs

Shortened URLs are commonly used for mobile devices and hackers have now begun capitalising on this as well. When monitoring the various Smishing campaigns, FireEye observed cybercriminals making use of shortened URLs to evade detection. FireEye said: "In total, we observed four different URL shorteners were used at least once, including bit.ly, tr.im, is.gd and jar.ma. Of the four, bit.ly has been the most commonly used URL shortener. The other three URL shorteners were not observed until June 2016, and only one was used for each service. Diversifying URL shorteners suggests that the threat actors are trying to avoid detection."

How to protect yourself

FireEye researchers caution that despite detailed reports of cybercriminals' activities, hackers have been constantly honing their skills and making improvements to malicious code to target more victims and evade detection. The firm advises users against installing apps "from outside official app stores", adding that users should exercise caution when clicking on links "where the origin is unclear".