
Is your messaging app spying on you?


Liarna La Porta

SMS seems like an old-school way to carry out a hack, but it is still a very valid attack vector today. Wandera has identified a bitly shortened link that prompts the user to download a malicious Android messaging app. It looks like Android’s default messaging app to the user, but it’s actually a type of spyware.

The Ananto spyware is designed to transmit every SMS received on the device. A copy of these messages is sent back to a command and control server (C&C).

How does it happen?

We suspect the bitly link is spread through email and social media. For example, it might be sent in an email that looks familiar or friendly, tempting the user to click through. This is an easy trap to fall into, since you can rarely tell where a bitly link leads and such links are widely trusted.

Once the link is clicked and the user opts to install the application, a screen is displayed that asks for “device admin” privileges.

Immediately after the installation, the default “MMS Messaging” icon in the Android menu disappears.

Because the application appears to replace Android’s default messaging app, it’s unlikely the user will notice anything suspicious.

What is being exposed?

Users affected by the malicious application are exposing the following information:

  • Android Version
  • Device Model
  • List of applications installed
  • Mobile Network Code
  • Country
  • SMS (Content + Sender’s phone number)

This has serious security implications when you think about the sensitive information that is sometimes sent by SMS. For example, two-factor authentication codes are often sent to users by banks and other services handling highly sensitive and private information.

We suspect this attack may be used as part of a wider hack, stealing two-factor authentication keys in tandem with other techniques to access online banking, for example.

To make matters worse, the C&C connection does not use encryption, so the stolen information is also exposed to any third party that may be intercepting the traffic.


What can you do?

Uninstalling the spyware is extremely difficult and requires extensive technical knowledge, so prevention is the best remedy.

A number of customers in our global network, including a big name in the payments industry, have already been exposed to the URL.

For end users, we recommend these precautions:

  • Do not install apps from third-party websites
  • Check your security settings to ensure the option “Allow installation of applications from both trusted and unknown sources” is turned off
  • Before clicking on a shortened URL, try to preview it first by appending a ‘+’ sign to the end, e.g. https://bitly.com/1ZfcNeV+

Our recommendation is for businesses to have an active mobile security service deployed. These technologies should have filtering and blocking functionality that operates at the data level to block traffic to suspicious URLs like the one used by Ananto.
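Because the spyware described above is sideloaded and then asks for “device admin” privileges, one triage check on a suspect handset is to list which third-party apps hold device admin and where each was installed from. The following is an added example, not Wandera's tooling: it parses the text output of `adb shell dumpsys device_policy` and `adb shell pm list packages -i -3`; the sample outputs, the package names and the trusted-installer list are constructed assumptions, and the `dumpsys` layout varies between Android releases.

```python
import re

# Constructed sample of `adb shell dumpsys device_policy` (layout is an assumption).
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10012
    com.example.mdm/.PolicyReceiver:
      uid=10088
    com.example.fakemms/.AdminReceiver:
      uid=10093
"""

# Constructed sample of `adb shell pm list packages -i -3` (third-party apps only).
SAMPLE_PACKAGES = """\
package:com.example.mdm  installer=com.android.vending
package:com.example.fakemms  installer=null
package:com.example.notes  installer=null
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only the Play Store is trusted

# A device-admin entry is an indented "package/receiver:" component line.
ADMIN_RE = re.compile(r"^[ \t]+([\w.]+)/[\w.$]+:[ \t]*$", re.M)
PKG_RE = re.compile(r"^package:(\S+)[ \t]+installer=(\S+)[ \t]*$", re.M)

def device_admins(policy_dump):
    """Packages that own an enabled device-admin receiver."""
    return set(ADMIN_RE.findall(policy_dump))

def third_party_installers(package_list):
    """Map each third-party package to the installer recorded by the package manager."""
    return dict(PKG_RE.findall(package_list))

def suspicious_admins(policy_dump, package_list, trusted=TRUSTED_INSTALLERS):
    """Third-party device admins that did not come from a trusted installer."""
    source = third_party_installers(package_list)
    return sorted(
        pkg for pkg in device_admins(policy_dump)
        if pkg in source and source[pkg] not in trusted  # absent => preinstalled
    )

if __name__ == "__main__":
    for pkg in suspicious_admins(SAMPLE_DEVICE_POLICY, SAMPLE_PACKAGES):
        print("review device admin:", pkg)
```

A sideloaded app normally shows `installer=null`, but the recorded installer is only a hint, so treat a hit as a prompt for manual review rather than a verdict.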


Liarna La Porta

Liarna La Porta leads content marketing at Wandera. As Editor of Wandera’s blog, Liarna keeps the content ticking that makes Wandera a reliable news source for mobile security professionals. Her passion for helping tech startups in all aspects of marketing and PR is reflected in the expert industry coverage she provides. An Australian adventurist at heart, Liarna has been in the Marketing and PR industry for over six years working from Melbourne, Sydney, London and San Francisco, soaking up the expertise required for her global role at Wandera.
