
"The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices," ENKI said. "The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities." "Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware."
"A noteworthy aspect of the attack is its QR code-based mobile redirection, which prompts users visiting the URLs from a desktop computer to scan a QR code displayed on the page on their Android device to install the supposed shipment tracking app and look up the status. Present within the page is a tracking PHP script that checks the User-Agent string of the browser and then displays a message urging them to install a security module under the guise of verifying their identity."
Kimsuky operators are running a campaign that uses phishing sites impersonating Seoul-based CJ Logistics to deliver a new Android malware variant via QR codes and booby-trapped URLs. The flow combines QR code-based mobile redirection with notification pop-ups to convince Android users to sideload a forged shipment-tracking app despite the unknown-sources warning. The initial APK (SecDelivery.apk) decrypts an embedded encrypted APK and, once it has obtained the permissions it needs, launches a service with DocSwap-like RAT capabilities. A tracking PHP script on the phishing pages checks the browser's User-Agent string and, for visitors it decides to target, prompts installation of a fake security module under the pretext of customs verification.
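A static triage check for the dropper pattern described above, added here as an example; it is not code from ENKI, The Hacker News, or the malware itself. It walks an APK's ZIP entries and flags opaque, high-entropy blobs that carry no recognizable file signature, which is how an embedded encrypted APK usually presents before the dropper decrypts it. The sample APK, its asset names, the package string and the entropy threshold are constructed assumptions for illustration.

```python
import io
import math
import random
import zipfile

# Assumptions: encrypted or packed data sits near 8 bits/byte; 7.2 leaves headroom
# for partially structured blobs. Entries under 1 KiB are skipped as statistically noisy.
ENTROPY_THRESHOLD = 7.2
MIN_SIZE = 1024

# File signatures that are legitimately high-entropy (already-compressed formats) or
# plainly not a hidden payload, so they are not reported as opaque blobs.
KNOWN_MAGIC = {
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"dex\n": "dex",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_magic(data: bytes):
    """Return a format name for a known signature, or None for an unrecognized blob."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def find_embedded_payloads(apk_bytes: bytes):
    """Return ZIP entries that look like an embedded payload.

    Two cases are reported: an unrecognized blob whose entropy is at or above the
    threshold (likely encrypted), and a nested plaintext ZIP/APK, which is the same
    dropper pattern without the encryption layer.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < MIN_SIZE:
                continue
            data = zf.read(info.filename)
            if data.startswith(b"PK\x03\x04"):
                findings.append({"name": info.filename, "size": info.file_size,
                                 "entropy": round(shannon_entropy(data), 2),
                                 "reason": "nested ZIP/APK"})
                continue
            if classify_magic(data) is not None:
                continue
            ent = shannon_entropy(data)
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"name": info.filename, "size": info.file_size,
                                 "entropy": round(ent, 2),
                                 "reason": "opaque high-entropy blob"})
    return findings


def build_sample_apk(seed: int = 1) -> bytes:
    """Constructed in-memory APK: a low-entropy manifest, a mostly-empty dex, a PNG
    with random pixel data (high entropy but recognized), and a random blob under
    assets/ standing in for an encrypted second-stage APK. Package name is made up."""
    rng = random.Random(seed)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml",
                    b"<manifest package='com.example.tracker'/>\n" * 40)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 4096)
        zf.writestr("res/drawable/logo.png",
                    b"\x89PNG\r\n\x1a\n" + bytes(rng.getrandbits(8) for _ in range(4096)))
        zf.writestr("assets/config.bin", bytes(rng.getrandbits(8) for _ in range(8192)))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_embedded_payloads(build_sample_apk()):
        print(finding)
```

Entropy alone only narrows the search: legitimately obfuscated or compressed assets will also score high, so a hit should be confirmed by locating the decryption routine in the dex (look for the code path that reads the flagged asset and hands it to a cipher or a DexClassLoader) or by capturing the decrypted file at runtime.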
Read at The Hacker News