New Android Malware Surreptitiously Records Calls and Compromises Personal Data

New Android Trojan Disguises Itself as Antivirus Threatening User Security

Security experts from Cisco Talos have identified a new variant of an Android Trojan, disguised as a fraudulent antivirus application named “Naver Defender.” This malware, known as KevDroid, is a remote administration tool (RAT) capable of compromising Android devices by stealing sensitive information and even recording phone calls.

Researchers revealed technical details on two recent KevDroid variants detected in the wild, following its initial discovery by South Korean cybersecurity firm ESTsecurity a fortnight ago. Although the source of the malware has not been explicitly linked to any hacking group, South Korean media have connected it to Group 123, a state-sponsored cyber espionage organization from North Korea, which primarily targets entities in South Korea.

The most recent KevDroid variant observed in March 2023 showcases a range of alarming capabilities. These include the ability to record calls and audio, extract web history and files, gain root access, and compile extensive logs of SMS, emails, and call activity. Additionally, it tracks device location updates every ten seconds and compiles a list of installed applications. Notably, this variant leverages an open-source library available on GitHub to facilitate call recording, amplifying its potential impact on user privacy.

While both identified malware samples possess similar functionalities, including data exfiltration and call recording, one variant exploits a known Android vulnerability (CVE-2015-3636) to escalate privileges and gain root access. This allows the attacker deeper penetration into the device’s operating system, significantly increasing the threat level.

All extracted data is transmitted to a command and control (C2) server managed by the attacker, hosted on the PubNub global Data Stream Network. This data exfiltration could lead to a variety of malicious outcomes for victims. According to Talos, successful information retrieval could result in severe ramifications, ranging from data leaks to potential threats involving extortion, identity theft, and cyber espionage, particularly for users who access corporate communications via their mobile devices.

The threat of KevDroid extends beyond personal privacy violations and poses risks to businesses. Given its capabilities, corporate networks could also be exposed if an employee unknowingly installs the malware on a device that is also used for work email or other corporate communications.

To safeguard against such threats, Android users are urged to review their installed applications regularly and remove any suspicious software. Best practices include avoiding installs from third-party app stores, enabling Google Play Protect, and keeping the device updated with the latest security patches. Furthermore, basic device security measures, such as requiring a PIN or password to unlock the device, are crucial in mitigating unauthorized access.
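As an added illustration (not code from the Talos report or this article), the following triage script supports the "review installed applications" step by parsing `adb shell dumpsys package` output and flagging packages whose requested permissions cover the capability set described above (call/audio recording, SMS access, location tracking). The dumpsys excerpt and package names are constructed, and the permission grouping is this example's own heuristic, not a published signature.

```python
import re

# Capability groups mirroring the reported behaviour; the grouping is this example's own heuristic.
WATCH = {
    "call/audio recording": {"android.permission.RECORD_AUDIO", "android.permission.READ_CALL_LOG"},
    "SMS access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION"},
}

def parse_dumpsys(text):
    """Map package name -> set of requested permissions from dumpsys output."""
    apps, current, in_req = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        header = re.match(r"Package \[([\w.]+)\]", stripped)
        perm = re.match(r"(android\.permission\.\w+)", stripped)
        if header:  # start of a new package block
            current, in_req = header.group(1), False
            apps[current] = set()
        elif stripped == "requested permissions:":
            in_req = True
        elif in_req and perm and current:
            apps[current].add(perm.group(1))
        elif in_req and stripped.endswith(":"):
            in_req = False  # next section, e.g. "install permissions:"
    return apps

def triage(text, min_groups=3):
    """Return {package: [matched groups]} for apps covering >= min_groups capability groups."""
    flagged = {}
    for pkg, perms in parse_dumpsys(text).items():
        hits = sorted(g for g, needed in WATCH.items() if perms & needed)
        if len(hits) >= min_groups:
            flagged[pkg] = hits
    return flagged

# Constructed excerpt in the shape of `adb shell dumpsys package`; package names are hypothetical.
SAMPLE = """  Package [com.example.fakeav] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.READ_CALL_LOG
      android.permission.READ_SMS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (4d5e6f):
    requested permissions:
      android.permission.READ_EXTERNAL_STORAGE
"""
```

Run `triage(open("dumpsys.txt").read())` on a real capture to list packages worth a closer look; a hit is a prompt to verify the app's origin, not proof of infection.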

In conclusion, the emergence of KevDroid underscores the need for vigilance in mobile security practices. Business owners, particularly those whose operations rely on mobile communications, should treat employee devices as part of their attack surface and prioritize the measures above to counter evolving mobile threats.
