Italy’s CERT Issues Warning About New Credential-Stealing Android Malware

Emerging Android Malware Exploits Accessibility Services to Commit Fraud

A new Android malware family, dubbed “Oscorp,” has been uncovered. It abuses Android accessibility services to capture user credentials and to record audio and video without the user's knowledge. The warning was published by Italy's CERT-AGID, and the sample was identified by cybersecurity firm AddressIntel. On first launch the malware prompts the user to enable an accessibility service for it; once enabled, that service lets the operators observe on-screen content and keystrokes.

The malware takes its name from the login page of its command-and-control (C2) server. It is distributed as an APK named “Assistenzaclienti.apk” (Italian for “customer service”), posing as a legitimate support app, from the suspicious domain “supportoapp[.]com.” Once installed, it requests a broad set of permissions and connects to the C2 server, from which it receives further commands.

A notable feature of Oscorp is how aggressively it coerces the user: until the accessibility permission is granted, it reopens the Settings screen every eight seconds. Once the permission is obtained, it can log keystrokes, place phone calls, send SMS messages and redirect cryptocurrency transactions; the Blockchain.com Wallet app is one known target. As of January 9, the attacker-controlled wallet was reported to hold $584.

The collected data is exfiltrated to the C2 server together with system information such as the list of installed applications, the device model and the carrier. Over the same channel the operators can instruct the malware to launch the Google Authenticator app, intercept SMS messages, uninstall applications, open specific URLs, and stream audio and video from the device over WebRTC. When the user opens one of the targeted apps, the malware can also display a phishing page modeled on that app's login screen to harvest the user's credentials.

The full list of targeted applications has not been determined, but researchers advise that any app handling sensitive data, particularly banking and messaging apps, could be affected. CERT-AGID notes that Android's security model lets the malware do its damage only after the user has enabled its accessibility service, so the trust decision rests squarely with the end user.
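Because enabling the accessibility service is the pivot point for both the coercion loop described above and for every later capability, a practical first triage step on a suspect device is to list which accessibility services are currently enabled and which packages own them, then flag any that belong to sideloaded third-party packages. The following is an added example written for this article, not code from CERT-AGID or AddressIntel. It parses the text printed by two real adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -f -3`); the sample outputs, the allowlist and the package name `com.support.assistenzaclienti` are constructed for illustration and are not indicators from the report.

```python
"""Triage helper: flag enabled Android accessibility services that are
owned by third-party (sideloaded) packages.

Added example for this article; not code from CERT-AGID or AddressIntel.
It parses the output of two adb commands that a responder would run:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -f -3

The sample outputs below are constructed. The package name
"com.support.assistenzaclienti" and its APK path are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Accessibility services a fleet admin has vetted (hypothetical allowlist).
ALLOWLIST = {
    "com.google.android.marvin.talkback",
}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    apk_path: Optional[str]  # None when the package is not a third-party install
    reason: str


def parse_enabled_services(value: str) -> List[Tuple[str, str]]:
    """Parse 'pkg/cls:pkg/cls' into (package, fully qualified class) pairs.

    The setting reads 'null' or is empty when nothing is enabled, and a
    component may be written as 'pkg/.Cls' with a relative class name.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for component in value.split(":"):
        if "/" not in component:
            continue  # malformed entry; skip rather than crash the triage
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_third_party_packages(listing: str) -> Dict[str, str]:
    """Parse 'package:<apk path>=<package name>' lines into {name: apk_path}."""
    result = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        # The APK path itself may contain '=' (Android 11+ uses '~~...==' dirs),
        # so split on the LAST '=' to separate path from package name.
        path, _, name = line[len("package:"):].rpartition("=")
        result[name] = path
    return result


def find_suspicious_services(enabled_setting: str, third_party_listing: str,
                             allowlist=ALLOWLIST) -> List[Finding]:
    """Return every enabled accessibility service that is not allowlisted,
    noting whether its owner is a sideloaded/third-party package."""
    third_party = parse_third_party_packages(third_party_listing)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_setting):
        if pkg in allowlist:
            continue
        if pkg in third_party:
            findings.append(Finding(pkg, cls, third_party[pkg],
                                    "accessibility service owned by a third-party package"))
        else:
            findings.append(Finding(pkg, cls, None,
                                    "accessibility service not on the allowlist"))
    return findings


# Constructed sample output (what the two adb commands might print).
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.support.assistenzaclienti/.AccService"
)
SAMPLE_PACKAGES = """\
package:/data/app/~~abc==/com.support.assistenzaclienti-xyz==/base.apk=com.support.assistenzaclienti
package:/data/app/~~def==/com.whatsapp-123==/base.apk=com.whatsapp
"""

if __name__ == "__main__":
    for f in find_suspicious_services(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"[!] {f.package} ({f.service}): {f.reason}; apk={f.apk_path}")
```

On a live device the two strings come from adb over USB debugging; any third-party package that owns an enabled accessibility service and has no accessibility use case is worth pulling (`adb pull` on the reported APK path) for further analysis.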

Oscorp's behaviour maps onto several MITRE ATT&CK techniques: initial access through social engineering (the fake customer-service app), followed by persistence and privilege escalation as the user unknowingly grants the accessibility service and the requested permissions. The breadth of actions available once that service is enabled is what makes careful handling of permission prompts so important for device users.

For organisations, this incident is a reminder that mobile threats keep evolving and that device hygiene matters. As malware of this kind grows more capable, employees should be trained to recognise unsolicited APK installs and to refuse accessibility-service requests from apps that have no legitimate need for them, and app permissions on company devices should be managed deliberately rather than granted on demand.
