More than 90 malicious apps on Google Play have infected 5.5 million Android devices.
Cloud security company Zscaler has issued a warning about the discovery of more than 90 malicious applications on Google Play, which have been downloaded to more than 5.5 million Android users' devices.
These apps initially contained no malicious code, but once installed they silently download the Anatsa malware (also known as TeaBot) through fake updates. Anatsa is a dangerous type of banking malware that is capable of stealing users' banking login credentials.
There have been more than 5 million downloads of malware-infected Android apps.
Anatsa's main targets are financial applications of organizations in the UK, but it has also hit victims in the US, Germany, Spain, Finland, South Korea and Singapore.
While the researchers did not share the identities of the infected Android apps on the Google Play store, Zscaler did notify Google of the malicious apps and they have been removed from Google Play. However, users should still be cautious when downloading apps, especially those with financial implications.
To protect themselves, users should carefully check information about the app developer, read other users' reviews, and only download apps from trusted sources. In addition, regularly updating the operating system and applications is also an important measure to prevent malware attacks.
Once again, hackers have shown their sophistication and danger by spreading malware that can disable antivirus programs and secretly mine cryptocurrency on users' devices. According to cybersecurity researchers from Elastic Security Labs and Antiy, a new cyberattack campaign called REF4578 has been discovered, targeting devices protected by antivirus programs.
REF4578 cyber attack campaign that poses a major threat to computer users.
Attackers use vulnerable drivers to infiltrate systems and to disable and uninstall security software. They then install XMRig, a popular cryptocurrency mining tool, to illicitly mine cryptocurrency using the victims' hardware. The identity of the criminal group behind this campaign is currently unknown, and the number of affected devices is not yet known.
It is unclear exactly how the attackers spread the malware, but the researchers believe that phishing, social media, text messages, malicious ads, and impersonation are the likely channels.
The victim receives an exe file named Tiworker disguised as a legitimate Windows file. When executed, it installs a PowerShell script named GhostEngine, which silently performs various malicious actions.
GhostEngine disables Windows Defender, enables telemetry services, clears event logs, and loads two vulnerable drivers, aswArPots.sys (from Avast) and IObitUnlockers.sys (from IObit), to uninstall antivirus software.
Once the security is disabled, GhostEngine deploys XMRig, which begins secretly mining the Monero (XMR) cryptocurrency. This cryptocurrency is popular with cybercriminals for its high security and anonymity.
To protect themselves from this threat, users need to pay attention to the following signs:
- Antivirus software behaves abnormally or stops working
- Strange files or programs appear on the computer
- Computer performance declines
- Unusually high CPU or network usage
If you suspect your device is infected with REF4578, you should use trustworthy antivirus software to scan and remove the malware. At the same time, you should regularly update your operating system and software to patch security holes.
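As an added illustration that is not part of the original article, the following Python sketch correlates the GhostEngine indicators the article names (the two abused driver files, event-log clearing, Windows Defender being disabled, the disguised Tiworker dropper and the XMRig miner) over constructed, normalized log records; the record schema, host names and the assumption that the genuine TiWorker.exe runs from WinSxS are mine, not the researchers'.

```python
"""Correlate the GhostEngine indicators named above over constructed log records."""
from collections import defaultdict

# Driver file names the article says GhostEngine loads to uninstall security software.
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}
# Process names from the article: the disguised dropper and the miner it deploys.
MINER_IMAGES = {"xmrig.exe"}
DROPPER_IMAGES = {"tiworker.exe"}
# Assumption: the genuine TiWorker.exe runs from WinSxS, so a copy elsewhere is suspect.
LEGIT_TIWORKER_PREFIX = "c:\\windows\\winsxs\\"


def classify(rec):
    """Map one normalized record to an indicator name, or None if it is benign."""
    event, image = rec["event"], rec.get("image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    if event == "driver_load" and name in VULNERABLE_DRIVERS:
        return "vulnerable_driver_load"
    if event == "process_create" and name in MINER_IMAGES:
        return "xmrig_process"
    if event == "process_create" and name in DROPPER_IMAGES \
            and not image.startswith(LEGIT_TIWORKER_PREFIX):
        return "tiworker_outside_winsxs"
    if event == "log_cleared":              # e.g. Security log cleared (Event ID 1102)
        return "event_log_cleared"
    if event == "defender_rtp_disabled":    # Defender real-time protection turned off
        return "defender_disabled"
    return None


def correlate(records, min_indicators=2):
    """Return {host: sorted indicators} for hosts showing at least min_indicators."""
    hits = defaultdict(set)
    for rec in records:
        indicator = classify(rec)
        if indicator:
            hits[rec["host"]].add(indicator)
    return {h: sorted(i) for h, i in hits.items() if len(i) >= min_indicators}


# Constructed sample records (normalized from host telemetry; not real data).
SAMPLE = [
    {"host": "WS-07", "event": "process_create", "image": "C:\\Users\\Public\\Tiworker.exe"},
    {"host": "WS-07", "event": "defender_rtp_disabled"},
    {"host": "WS-07", "event": "log_cleared"},
    {"host": "WS-07", "event": "driver_load", "image": "C:\\Windows\\Temp\\aswArPots.sys"},
    {"host": "WS-07", "event": "process_create", "image": "C:\\ProgramData\\xmrig.exe"},
    {"host": "WS-02", "event": "log_cleared"},   # one cleared log alone is not enough
    {"host": "WS-02", "event": "process_create", "image": "C:\\Windows\\WinSxS\\x\\TiWorker.exe"},
]
```

Requiring two or more distinct indicators per host keeps a single cleared log or a legitimate TiWorker.exe run from triggering an alert on its own, while the full chain on WS-07 is flagged.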