Bitter APT injects malware into fraudulent apps to steal logins, intercept SMS, take photos, install apps and more
Facebook-owning Meta has published its Q2 2022 Adversarial Threat Report 2022, highlighting two APT groups targeting Android users in the UK, New Zealand, Pakistan and India via involved and time-consuming social engineering attacks.
The goal of both threat groups is to infect users with malware by luring them into downloading malicious apps, which then abuses device permissions to relay harvested information back to the attackers. This results in a treasure trove of account credentials, location data, camera and microphone access, call logs, contact lists, etc, that can be used to access and take over other accounts, gain access to business networks to launch ransomware attacks, or provide data that can support more involved social engineering attacks.
Bitter APT authored a new Android spyware (which Meta calls Dracarys), that has been found in spoof versions of popular, legitimate apps such as YouTube, Signal and WhatsApp. It abuses permissions the user grants the app to access other parts of their device.
It’s worth noting that Bitter is not just targeting Android. They also created an iOS chat app delivered via Apple’s Testflight service, a testing space for app developers.
From Meta’s threat report:
“Bitter injected Dracarys into trojanized (non-official) versions of YouTube, Signal, Telegram, WhatsApp, and custom chat applications capable of accessing call logs, contacts, files, text messages, geolocation, device information, taking photos, enabling microphone, and installing apps,”
The free Trustd app detects trojanised apps that carry the Dracarys malware, and can help you to successfully remove them. Download Trustd for Android from Google Play to prevent, detect and remove malicious apps.
Security researchers at Cyble were only able to find Dracarys on trojanised versions of Signal, not the other messaging apps listed by Meta. As Signal’s code is open source, the malware’s authors compiled their own version with Signal’s expected functionality of accessing contacts, the camera, microphone, SMS, files and geolocation – but adding malicious code that enabled it to abuse Android’s Accessibility Service grant extra permissions and continue to run in the background, “even if the user closes the Signal app, raising its privileges and “clicking” on the screen without user interaction.”
How to stay safe:
- Only download apps from vetted marketplaces, such as Google Play or Apple’s App Store.
- Install the free Trustd Mobile Security app to scan links in SMS, chat apps or social media that may try to trick you into opening a spoof website. The app scanner will detect malicious and hidden apps on your device and help you remove them, and you will get alerts when spyware like Dracarys abuse permissions, take screenshots etc. Download Trustd for Android from Google Play to prevent, detect and remove malicious apps.
- Consider upgrading to Trustd Plus to enable Safe Browsing. This second form of protection will alert you to fake websites that are used to trick you into downloading malware.
- Be vigilant for social engineering attacks that can result from compromised accounts. Look out for “friends” asking you to download files or send them credentials over messenger, or DM.
- Conduct user awareness training to educate employees on the dangers of downloading apps from unvetted marketplaces and to look out for mobile phishing and complex social engineering attacks.
- Use Trustd MTD for 3-pronged protection against spyware like Dracarys –
- Safe Browsing alerts the user if they browse to a fraudulent website that may host malware;
- AI-powered phishing protection to scan links in SMS or social media messages that may try to send the user to a fraudulent website that may host malware; and
- Malware app detection, scanning the device for malicious apps and helping the user to remove them – plus alerts for permissions abuse such as camera or mic access. Discover Trustd MTD and book a demo or free trial.