As if traveling weren’t hard enough already, travelers now have something beyond pickpockets and scammers in foreign lands to worry about: a newly identified piece of malware. A report from Lookout Inc. reveals that four apps in the Google Play store were injected with Overseer, a trojan that gathers user information.
The infected apps include Embassy, an app that helps travelers find embassies abroad, as well as Russian and European News apps.
Google was quick to take down the infected apps from the Play store when Lookout notified it, but that milk is already spilled. Now that this kind of malware has found an audience, there will likely be others.
In this case, “the legitimate functionality of the Embassy application aimed to provide a user with the ability to search for the addresses of specific embassies in any geographic location. At the time of analysis, the legitimate functionality was not working, however the command-and-control server was active,” Michael Flossman, a security analyst at Lookout, told Threatpost.
How Overseer works
Overseer collects information such as: a user’s contacts, including name, phone number, email and times contacted; all user accounts on a compromised device; base station ID, latitude, longitude, network ID and location area code; names of installed packages, their permissions, and whether they were sideloaded; free internal and external memory; device IMEI, IMSI, MCC, MNC, phone type, network operator, network operator name, device manufacturer, device ID, device model, version of Android, Android ID, SDK level and build user; and whether the device has been rooted by one of several methods.
Overseer piqued the interest of Lookout for two reasons. One, because it targets foreign travelers; two, because its command and control (CNC or C2) uses Facebook’s Parse Server, hosted on Amazon Web Services. The use of the Parse server allows the spyware to use HTTPS and a CNC that resides in the US on a popular cloud service. This makes Overseer harder to detect. Devices infected with Overseer periodically beacon to the api.parse.com domain to check whether the attacker wants to run any commands.
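Because api.parse.com is a legitimate endpoint used by many benign apps, alerting on the domain alone is noisy; what distinguishes a C2 check-in is the clockwork regularity of the contacts. The script below is an added illustration, not Lookout’s code or part of the article: it assumes a constructed proxy-log format (“timestamp device host”, with invented sample lines and an assumed 15-minute interval, since the article gives no interval) and flags devices whose contacts with the host show low jitter.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (assumption: "<ISO timestamp> <device> <host>" per line, not real data).
# dev-01 contacts api.parse.com every ~15 minutes; dev-02's contacts are irregular app traffic.
SAMPLE_LOG = """\
2016-08-30T10:00:00 dev-01 api.parse.com
2016-08-30T10:00:05 dev-02 api.parse.com
2016-08-30T10:15:01 dev-01 api.parse.com
2016-08-30T10:22:40 dev-02 api.parse.com
2016-08-30T10:30:00 dev-01 api.parse.com
2016-08-30T10:31:15 dev-02 api.parse.com
2016-08-30T10:45:02 dev-01 api.parse.com
2016-08-30T11:00:00 dev-01 api.parse.com
2016-08-30T11:09:50 dev-02 api.parse.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Group contact timestamps by (device, host); malformed lines are skipped."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, device, host = m.groups()
            hits[(device, host)].append(datetime.fromisoformat(ts))
    return hits

def beacon_score(timestamps):
    """Return (coefficient of variation, mean gap in seconds) of the inter-contact gaps;
    a CV near 0 means clockwork regularity. None with fewer than three contacts."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return (pstdev(gaps) / avg, avg) if avg > 0 else None

def find_beacons(text, host="api.parse.com", max_cv=0.05, min_contacts=4):
    """Map device -> rounded mean interval (s) for devices whose contacts with `host` look periodic."""
    flagged = {}
    for (device, h), stamps in parse_log(text).items():
        if h != host or len(stamps) < min_contacts:
            continue
        score = beacon_score(stamps)
        if score and score[0] <= max_cv:
            flagged[device] = round(score[1])
    return flagged
```

A flagged device is a lead to triage (which installed package owns the traffic, whether it was sideloaded), not proof of infection, since some legitimate apps also poll on a timer.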
This malware is one of the latest manifestations of a tried and tested cybercrime scheme, with a number of surprising twists. It illustrates the wiles and determination of sophisticated and organized cybercriminal groups, as well as the struggle enterprise IT departments face in defending their digital assets. It makes a strong case for equally sophisticated defense systems to be deployed across the workforce.
Image source: Pexels