Czech Android Trojan Impersonates QRecorder App

A new Czech Android Trojan has been detected which has been found to impersonate the QRecorder app. A statement from the police shows that the hacker or group behind it has already stolen over 78 000 Euro from victim accounts.

Fake QRecorder App Turns out to be a Czech Android Trojan

This week the Czech Police reported that a new dangerous Android Trojan has been found to be particularly active. Five victims from the Czech Republic are known so far to have been affected by it. The current samples are spread on various repositories as a fake copy of the QRecorder app. Successful installations from the Google Play repository alone number more than 10 000 instances. The impersonating app itself is presented as a call recording solution; its description and attached screenshots showcase a typical entry with no suspicious elements.

Like other popular Android threats, upon installation and first run it will request permission to draw over other apps. Once this has been granted, the Czech Android Trojan will be able to control what is displayed to the user. This triggers its built-in behaviour patterns; one of the first actions is to report the infection to the criminal controllers. The analysis reveals that within 24 hours the infected devices will receive instructions. When no instructions are given, the Android Trojan will not initiate any action.

The attackers have been found to use Firebase messages to communicate with the Trojan-infected devices. The slave malware in the QRecorder app will check for the presence of predefined banking apps. If none are found, the device receives links to encrypted payloads. The slave client will download them and decrypt the contents. Before this step is initiated, the user will be asked additional (Read more...)
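The two paragraphs above describe a pattern a defender can look for before an app is allowed onto a device: a benign-looking utility that requests the "draw over other apps" permission, has network access, can enumerate installed packages, and registers a Firebase Cloud Messaging receiver that could serve as a remote instruction channel. The script below is an added example written for this article, not code from the original post or from the malware; it parses a constructed AndroidManifest.xml with the Python standard library and reports which of those traits are present. The package name, service name and the sample manifest itself are constructed; the permission strings and the `com.google.firebase.MESSAGING_EVENT` action are real Android identifiers.

```python
"""Triage an AndroidManifest.xml for the overlay-abuse traits described above.

Added example, not part of the original article. The manifest is constructed
to resemble a call-recorder app that also requests the overlay permission.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # attribute key for android:name

# Real Android permission and action identifiers used in the checks below.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"   # "draw over other apps"
NETWORK = "android.permission.INTERNET"
QUERY_PACKAGES = "android.permission.QUERY_ALL_PACKAGES"  # Android 11+; older
# releases let any app list installed packages without declaring this.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"  # Firebase push receiver

# Constructed sample manifest (package and class names are invented).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.callrecorder">
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="QRecorder">
        <service android:name=".fcm.PushService">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of a recorder that asks only for what it needs.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainrecorder">
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Plain Recorder"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Return the package name, declared permissions and intent actions."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    actions = {e.get(NAME_ATTR) for e in root.iter("action")}
    return {"package": root.get("package"), "permissions": perms, "actions": actions}


def triage(xml_text):
    """List the risky traits present; an empty list means none were found."""
    info = parse_manifest(xml_text)
    perms = info["permissions"]
    findings = []
    if OVERLAY in perms:
        findings.append("overlay: app can draw over other apps")
    if OVERLAY in perms and NETWORK in perms:
        findings.append("overlay + network: can fetch and show remote content on top of other apps")
    if QUERY_PACKAGES in perms:
        findings.append("package enumeration: can look for specific installed apps")
    if FCM_ACTION in info["actions"]:
        findings.append("FCM receiver: app can be driven by push messages")
    return findings


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, parse_manifest(manifest)["package"])
        for line in triage(manifest) or ["no risky traits"]:
            print("  -", line)
```

None of these traits is malicious on its own: legitimate screen-filter and chat-head apps use the overlay permission, and many apps receive Firebase pushes. The value is in the combination on an app whose stated purpose (call recording) needs none of them, which is the mismatch the review describes for the fake QRecorder entry.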

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Martin Beltov. Read the original post at: