XLoader Malware Uses Fake Sites And Apps To Drain Your Account
By: Jim Stickley and Tina Davis
September 27, 2019
As they are known to do, hackers are upping the ante with their latest hustle. This latest malware phishing scam is hitting both Android and Apple users with an elaborate ruse designed to separate them from their banking data. By the end of the scam, hackers have everything they need to access your financial accounts. Trend Micro researchers discovered the sixth version of this hack is using new techniques to spread the malware misery via a phishing text (smishing). The text has a link to a fake website designed as a Japanese mobile phone operator. Say what?
Although this latest version currently targets Japanese users, there’s every reason to believe it will at some point, likely very soon, reach the U.S. and the rest of the world. The hack includes an XLoader update designed to steal even more device information than before. The fake website that users who follow the link are taken to pushes them to download a bogus security app. The Android version of the fake security app is really an Android Application Package (APK), served from several different fake sites. The sinister APK downloads the XLoader malware onto the device, but it doesn’t end there. Once the malware is installed, it steals device data and lures users into downloading fake banking or gaming apps. It’s also present in another data-stealing malware that hides in the user’s Twitter, Instagram, and Tumblr accounts and stays undetected. All stolen data is sent to a Command and Control (C&C) server for further attacks.
iPhone users never fear, you haven’t been left out of this hack. The iPhone version of the malware directs users to a fake website instead of a fake app. The prompts require users to download a malicious XML file. The XML file creates a non-functional website that supposedly needs a user’s iOS profile to fix it. Once further caught in the hack, users are sent to a fake Apple website where they enter their Apple ID. That information goes directly to a C&C server, which stores the ID and prompts even more malicious attacks.
Researchers find the sixth version of this malware is already being replaced with yet a seventh version. For now, a user’s “Spidey-Sense” remains the first line of defense against the attack. Carefully looking for the basic phishing red flags is always recommended.
- When in doubt, throw it out. Emails and texts from unknown senders that can’t be verified should be deleted immediately. Don’t let your curiosity get the better of you–hackers count on that.
- Beware of subject lines and content that draw on human emotions. Tricksters know that scare tactics, contest winnings, incredible discount sales, and other extreme subjects are likely to get a reaction.
- Never open attachments or follow links if you don’t know the sender, are not expecting the attachment or link, or if something just tells you it’s not trustworthy. In a phishing email, the attachments are full of malware, and the links go to fake websites designed to harvest your personally identifiable information (PII), such as passwords and account numbers.
- Keep software updated on all devices. Updates often include bug fixes and security patches that keep your devices as safe as they can be.
- Any email needing you to verify PII is automatically suspect. Rather than relying on links and attachments to do so, find the true URL for who claims to be asking and type it in yourself. It’s only on the legitimate website where you can find out if you truly need to verify your PII. Alternatively, go into your account using a previously trusted and bookmarked link.
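The last tip, compare the link you were sent against the address you already trust, can be mechanized. The script below is an added example and is not code from the article or from Trend Micro; the allowlist of trusted hostnames, the sample text message and the reason labels are all constructed for illustration. It pulls every URL out of a message, resolves the hostname the way a browser would, and explains why a link should not be followed: the host is not on the allowlist, a trusted brand name has been reused as a subdomain of a stranger’s domain (the ruse in the fake Japanese carrier and fake Apple sites described above), a `user@host` prefix is used to make the real host look like something else, or the host uses non-ASCII or punycode labels that can look like a familiar name.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical): hostnames the user has already
# verified and bookmarked. Exact matches only; subdomains are NOT trusted,
# because "appleid.apple.com.example.net" is owned by example.net.
TRUSTED_HOSTS = {"www.apple.com", "appleid.apple.com"}

# Match http(s) URLs in free text; trailing sentence punctuation is stripped below.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in a message body, in order."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def hostname_of(url):
    """Hostname as a browser resolves it: lowercase, no userinfo, no port, no trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def suspicious_reasons(url, trusted=TRUSTED_HOSTS):
    """List the reasons a URL should not be followed; an empty list means the host is trusted."""
    parts = urlsplit(url)
    host = hostname_of(url)
    if host in trusted:
        return []

    reasons = ["host_not_trusted"]

    # "https://www.apple.com@evil.example/" really goes to evil.example;
    # everything before "@" is userinfo that browsers ignore for routing.
    if parts.username is not None:
        reasons.append("userinfo_before_host")

    # Non-ASCII or punycode (xn--) labels can render as a familiar brand name.
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        reasons.append("non_ascii_or_punycode_host")

    # A brand label from the allowlist (e.g. "apple") appearing inside an
    # untrusted host is the classic "brand.com.attacker.example" pattern.
    brand_labels = {label for t in trusted for label in t.split(".") if len(label) > 3}
    if any(label in labels for label in brand_labels):
        reasons.append("trusted_name_reused_as_subdomain")

    return reasons


def triage_message(text, trusted=TRUSTED_HOSTS):
    """Map each URL in a message to its list of reasons (empty list = allowlisted)."""
    return {url: suspicious_reasons(url, trusted) for url in extract_urls(text)}


# Constructed sample smishing text (not a real campaign message).
SAMPLE_SMS = (
    "Your Apple ID is locked. Verify now: "
    "https://appleid.apple.com.verify-login.example/account. "
    "Or sign in at https://www.apple.com@evil.example/login"
)

if __name__ == "__main__":
    for url, reasons in triage_message(SAMPLE_SMS).items():
        verdict = "TRUSTED" if not reasons else "DO NOT FOLLOW: " + ", ".join(reasons)
        print(f"{url}\n  -> {verdict}")
```

The design choice worth noting is exact hostname matching: a subdomain check like `host.endswith("apple.com")` would wrongly accept `notapple.com`, and a substring check would accept the lookalike hosts the script is meant to catch. Run against a message, every link that is not an exact match for a bookmarked host gets at least one reason, which is the behavior you want from a tool that stands in for "type the real address yourself."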