Tag: Android malware

  • Morpheus Spyware Hijacks WhatsApp Through Fake Android Update App

    Key Takeaways

    1. Morpheus infects Android devices through a fake update app. It needs two things: the victim has to install an APK by hand, and the victim's mobile provider has to cut the data connection on cue.
    2. Once installed, the app abuses Android accessibility permissions, shows a fake system update, and then a fake WhatsApp verification screen; confirming the biometric prompt actually links a new device to the victim's WhatsApp account, handing the operator their messages and contacts.
    3. Osservatorio Nessuno links the operation to the Italian lawful-interception vendor IPS. Political activists are the likely targets, and the campaign shows how far pure social engineering goes without a single software exploit.
    4. Treat any SMS that tells you to install an app to restore connectivity or update the phone as hostile, above all when mobile data was cut off just before it arrived.

    A newly documented spyware operation uses a fake Android update app to take over a victim's WhatsApp. What sets it apart from common mobile malware is that it depends on the victim's own mobile provider: the provider cuts the target's data connection, and an SMS then tricks the target into installing the malicious app to get it back.

    Spyware Details and Infection Process

    The malware, called Morpheus, was identified by the Italian digital rights group Osservatorio Nessuno, which published its findings in a report on April 24. The spyware is considered low-cost because it relies on social engineering, persuading the target to install something dangerous, rather than on technical flaws such as the zero-click vulnerabilities used by more sophisticated tools like Pegasus. The whole attack hinges on the target installing the app by hand, but the steps that get them there are carefully planned and well documented.

    The Method of Attack

    First, the target's mobile data is deliberately cut off by their service provider, which works with the authorities deploying the spyware. The target then receives an SMS telling them to install a particular app in order to restore the network connection and update the phone. That app is the spyware, hidden in plain sight. Once installed, Morpheus abuses Android's accessibility permissions, which let an app read what is on the screen and act inside other apps. It then displays a fake system update screen and prompts for a reboot, so the user believes they are merely updating the device.

    Fake Updates and WhatsApp Spoofing

    After the reboot, Morpheus displays a fake WhatsApp interface that claims to be checking the user's account and asks for biometric verification as part of a routine check. In reality, confirming that biometric prompt authorises the spyware to link a new device to the user's WhatsApp account. That gives Morpheus full access to their messages, contacts and chats without raising suspicion. Italian-language strings and cultural references in the code suggest the tooling is tailored to Italian targets.

    Connections with Italian Surveillance Companies

    Osservatorio Nessuno linked Morpheus to IPS, an Italian company with more than three decades of experience supplying lawful-interception technology to police and intelligence agencies. IPS operates in more than 20 countries and counts several Italian police forces among its clients. No specific victims were named, but experts believe political activists and other high-profile individuals were targeted, adding to the concern about surveillance tools sold by Italian firms such as IPS, CY4GATE, eSurv, RCS Lab and SIO. Notably, in April 2026 WhatsApp warned 200 of its users about fake versions of the app that contained spyware linked to SIO.

    Precautions and Detection

    This spyware is not distributed through the Google Play Store and cannot install itself: the target has to download and install an APK from outside official sources. Any SMS that offers a system update should therefore be treated as hostile, especially when mobile data drops out just as the message arrives. Android's accessibility permissions give an app the power to read the screen and act inside other apps, and they must be switched on by the user in Settings, so they should never be granted to an app that arrived through a text-message link; this is a common way for malware to gain broad control of a device. On a device you suspect, the two things to check are which packages hold an enabled accessibility service and where each of those packages was installed from.
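    The check just described, written out as an added example (this is not code from the article or from Osservatorio Nessuno): it parses the text output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags every user-installed package that has an enabled accessibility service but was not installed by a trusted store. The two sample outputs, the package names in them and the set of trusted installers are constructed for illustration; preinstalled services such as TalkBack never appear in the `-3` (third-party) listing and are skipped, which keeps them out of the findings.

```python
import re

# Installers treated as trusted stores. Any other value, including "null"
# (no installer recorded), the Android package installer, or a browser,
# means the APK was sideloaded. Assumption: adjust for the device's store setup.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are "package/ServiceClass", separated by ':'; "null" means none enabled.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/com.example.sysupdate.UpdateAccessibilityService"
)

# Constructed sample of `adb shell pm list packages -3 -i` (third-party packages
# with their recorded installer). Package names are hypothetical.
SAMPLE_PM = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.example.weather  installer=com.google.android.packageinstaller
"""

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_enabled_accessibility(raw: str) -> dict[str, list[str]]:
    """Map package -> enabled accessibility service classes."""
    services: dict[str, list[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return services
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # malformed entry; ignore it rather than abort the triage
        pkg, cls = entry.strip().split("/", 1)
        services.setdefault(pkg, []).append(cls)
    return services


def parse_third_party_installers(raw: str) -> dict[str, str]:
    """Map user-installed package -> installer name ("null" if none was recorded)."""
    installers: dict[str, str] = {}
    for line in raw.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def find_sideloaded_accessibility_apps(accessibility_raw: str, pm_raw: str,
                                       trusted=TRUSTED_INSTALLERS) -> list[dict]:
    """Return user-installed packages that hold an enabled accessibility service
    and were not installed by a trusted store. Packages absent from the -3 listing
    are preinstalled (e.g. TalkBack) and are skipped."""
    services = parse_enabled_accessibility(accessibility_raw)
    installers = parse_third_party_installers(pm_raw)
    findings = []
    for pkg, classes in services.items():
        installer = installers.get(pkg)
        if installer is None:
            continue  # not a third-party package
        if installer in trusted:
            continue
        findings.append({"package": pkg, "installer": installer, "services": classes})
    return findings


if __name__ == "__main__":
    for f in find_sideloaded_accessibility_apps(SAMPLE_ACCESSIBILITY, SAMPLE_PM):
        print(f"SUSPECT {f['package']} (installer={f['installer']}): "
              f"{', '.join(f['services'])}")
```

    On a real device, feed the two functions the output of the adb commands named in the comments; a package that shows up here with `installer=null` or `com.google.android.packageinstaller` arrived as a sideloaded APK, which is exactly the delivery path this campaign depends on.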

    Other Recent Threats

    Separately, security researchers recently caught a different threat actor impersonating IT support staff on Microsoft Teams and tricking employees into installing custom malware that could compromise corporate networks. Such cases are a reminder that attackers keep devising new ways to steal data and take control of devices, and that unexpected messages and update prompts deserve suspicion.

    For more insights on cyber threats and spyware operations, visit osservatorionessuno.org or follow recent reports from cybersecurity analysts.

  • Pre-installed Malware on Android Can Steal Your Private Data

    Key Takeaways

    1. Keenadu Malware: A new malware named Keenadu can be pre-installed on Android devices and infiltrates OTA upgrade packages.

    2. Device Access Risks: The malware can give attackers full access to system data and personal files and can install apps without the user's consent; so far it has been used mainly for ad fraud.

    3. Limited Activation: Keenadu does not activate in Chinese time zones or if the Google Play Store is absent, hinting at its origins.

    4. Affected Devices: The malware has been detected on various devices, including the Alldocube iPlay 50 Mini Pro, with over 13,000 victims reported mainly in Japan, Russia, the Netherlands, Germany, and Brazil.

    5. Recommended Action: If affected, users should consider replacing their device with one from a reputable manufacturer, as the malware embeds deeply in the firmware, making removal difficult.


    Thanks to the work of security researchers, users regularly learn about vulnerabilities hiding in their devices. A team at Kaspersky has uncovered new malware that, in some cases, arrives pre-installed on current Android devices.

    What is Keenadu?

    Named Keenadu, the malware can infiltrate OTA update packages and thereby end up in the firmware of affected devices. It has also been seen arriving through dubious unofficial app installers and, on occasion, through the Google Play Store itself.

    The Threat it Poses

    The malware is not to be taken lightly: it can grant an attacker full device access. According to Kaspersky, that covers system data, personal files and sensitive information, as well as the ability to install applications without the user's approval. Curiously, so far the malware appears to have been used only for ad fraud.

    Kaspersky also identified a number of infected apps; the original post lists them in an image that is not reproduced here.

    Origins and Implications

    There is no solid information about the malware's origins. Researchers found that it does not activate if it detects a Chinese time zone or location, or if the Play Store is absent from the device. That proves nothing on its own, but it is worth noting that the Google Play Store does not operate in China.

    The malware was detected on various devices, including the Alldocube iPlay 50 Mini Pro. Alldocube is also a Chinese company and has previously acknowledged problems with compromised OTA update channels, as BleepingComputer reported.

    Kaspersky currently reports that Keenadu has affected more than 13,000 victims, mainly in Japan, Russia, the Netherlands, Germany and Brazil.

    What to Do if Affected

    If a device is affected, the most practical step is to replace it with one from a more reputable manufacturer, because the malware is embedded so deeply in the firmware that it is nearly impossible to remove. A factory reset does not help: it wipes user data, not the system partitions an OTA package writes to. Flashing firmware from another source is an option, but it carries its own risks, such as compatibility problems.
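    To triage a device for firmware-resident malware of the Keenadu kind, this added example (not Kaspersky's tooling or the report's own code) parses the output of two real adb commands, `adb shell getprop` and `adb shell pm list packages -s -f`, buckets system packages by the partition their active APK lives in, and diffs the firmware-resident set against an allowlist dumped from a known-clean unit of the same model and build. The sample outputs, the package names and the allowlist are constructed. One caveat the report's advice rests on: a green Verified Boot state only confirms that the booted image is the one the vendor signed; an OTA pushed through a compromised vendor channel, as the article describes, passes that check, which is why the recommendation is to replace the device rather than try to clean it.

```python
import re

# Partitions that an OTA package writes. An APK that lives here shipped with the
# firmware (or was written into it by an update) and cannot be uninstalled like a
# user app, which is the situation the article describes.
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/",
                     "/odm/", "/oem/", "/apex/")

# Constructed sample of `adb shell getprop`, trimmed to the lines this check reads.
SAMPLE_GETPROP = """\
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
[ro.build.fingerprint]: [acme/tablet/tablet:13/TP1A.000000.000/1:user/release-keys]
[ro.build.version.security_patch]: [2023-05-05]
"""

# Constructed sample of `adb shell pm list packages -s -f` (system packages with
# the APK path currently in use). Package names are illustrative.
SAMPLE_PM_SYSTEM = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Qx1A==/com.android.chrome-bC2D==/base.apk=com.android.chrome
package:/product/app/OtaHelper/OtaHelper.apk=com.example.otahelper
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
"""

# Hypothetical allowlist: the system packages seen on a known-clean device of the
# same model and build. In practice, dump it from a clean unit with the same command.
REFERENCE_SYSTEM_PACKAGES = {"com.android.settings", "com.android.chrome",
                             "com.android.systemui"}

_GETPROP_LINE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")


def parse_getprop(raw: str) -> dict[str, str]:
    """Map property name -> value from `getprop` output."""
    props: dict[str, str] = {}
    for line in raw.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def boot_state(props: dict[str, str]) -> dict:
    """Summarise Verified Boot. 'green' means the booted image is the one the
    vendor signed; it says nothing about whether that image is clean."""
    return {
        "verified_boot": props.get("ro.boot.verifiedbootstate", "unknown"),
        "bootloader_locked": props.get("ro.boot.flash.locked") == "1",
        "build": props.get("ro.build.fingerprint", "unknown"),
        "security_patch": props.get("ro.build.version.security_patch", "unknown"),
    }


def parse_system_packages(raw: str) -> dict[str, str]:
    """Map package -> APK path from `pm list packages -s -f`. Paths under /data/app
    contain '=' themselves, so split on the last '=' only."""
    paths: dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, pkg = line[len("package:"):].rsplit("=", 1)
        paths[pkg] = path
    return paths


def classify_system_packages(paths: dict[str, str]) -> dict:
    """Split system packages into firmware-resident ones (keyed to their partition)
    and ones whose active APK has been updated onto the data partition."""
    firmware: dict[str, str] = {}
    updated: list[str] = []
    for pkg, path in paths.items():
        if path.startswith(FIRMWARE_PREFIXES):
            firmware[pkg] = path.split("/")[1]
        elif path.startswith("/data/"):
            updated.append(pkg)
    return {"firmware": firmware, "updated_on_data": sorted(updated)}


def packages_not_in_reference(firmware: dict[str, str], reference: set) -> list[str]:
    """Firmware-resident packages absent from the clean reference: the candidates
    to pull (`adb pull`) and analyse, since they cannot simply be uninstalled."""
    return sorted(pkg for pkg in firmware if pkg not in reference)


if __name__ == "__main__":
    state = boot_state(parse_getprop(SAMPLE_GETPROP))
    print("Verified Boot:", state["verified_boot"],
          "| bootloader locked:", state["bootloader_locked"])
    classes = classify_system_packages(parse_system_packages(SAMPLE_PM_SYSTEM))
    for pkg in packages_not_in_reference(classes["firmware"], REFERENCE_SYSTEM_PACKAGES):
        print(f"UNEXPECTED firmware package {pkg} on /{classes['firmware'][pkg]}")
```

    The diff against a clean reference is the part that does the work; the boot-state summary is there to tell you whether reflashing is even available (locked bootloader) and to record the exact build you are comparing against, not to clear the device.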
