Instagram, Twitter, and Netflix users targeted by a new Android malware

December 15, 2021

A newly identified Android malware known as ‘MasterFred’ uses fake login overlays to steal the credit card information of Instagram, Twitter, and Netflix users. This new Android banking malware also targets bank customers with custom fake login overlays available in different languages.

The first MasterFred sample reached a cybersecurity firm last June.

Last week, an analyst posted a second sample online, noting that MasterFred was used against Android users in Turkey and Poland. After examining the newly discovered malware, a researcher found that it uses APIs provided by the built-in Android Accessibility service to display the fake, malicious overlays.

According to the researcher, by using the Application Accessibility toolkit that is part of the Android OS by default, the criminals are able to use the application to execute the fake overlay attack and trick users into entering credit card information for account breaches on Twitter and Netflix.

 

Researchers said that MasterFred is unique, although its approach is not new.

 

Using the Accessibility service in this way is not particularly new: threat actors have long abused it to imitate taps and navigate the Android UI in order to install their downloads, malware, and payloads, and to execute several operations in the background.

However, MasterFred stands out because the malicious apps that deliver the malware to Android devices include the HTML overlays used to display the fake login forms and exfiltrate unaware victims’ financial details. MasterFred also uses the ‘Onion[.]ws’ dark web gateway to deliver the exfiltrated details to Tor network servers under its operators' control.

Additionally, it is safe to presume that the malware operators are also likely to use third-party application stores as a delivery channel for this new malware, since researchers discovered that at least one of the malicious applications tied to the MasterFred banker was available on the Google Play Store.
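A device audit that follows from the Accessibility abuse and delivery channels described above, as an added example (not from the original article or the researchers): it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, both embedded here as constructed samples, and flags apps that hold accessibility access without being on an allowlist. The package names and the allowlist are assumptions.

```python
import re

# Constructed sample: value of `adb shell settings get secure enabled_accessibility_services`
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.videoplayer/.core.HelperService"
)
# Constructed sample: output of `adb shell pm list packages -i`
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.videoplayer  installer=null
package:com.example.notes  installer=com.android.vending
"""
# Assumption: packages expected to hold accessibility access on managed devices.
ALLOWLIST = {"com.google.android.marvin.talkback"}
PLAY_STORE = "com.android.vending"

def parse_a11y(value):
    """Return package names from the colon-separated component list."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [c.split("/", 1)[0] for c in value.split(":") if c]

def parse_installers(text):
    """Map package name -> installer package (None when no installer is recorded)."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def audit(a11y_value, installers_text, allowlist=ALLOWLIST):
    """List (package, installer, severity) for unexpected accessibility services."""
    installers = parse_installers(installers_text)
    findings = []
    for pkg in parse_a11y(a11y_value):
        if pkg in allowlist:
            continue
        src = installers.get(pkg)
        # A Play Store origin does not clear the app: the article notes that a
        # malicious app was available there, so it is still queued for review.
        severity = "review" if src == PLAY_STORE else "high"
        findings.append((pkg, src, severity))
    return findings

if __name__ == "__main__":
    for pkg, src, sev in audit(SAMPLE_A11Y, SAMPLE_INSTALLERS):
        print(f"[{sev}] {pkg} holds accessibility access (installer: {src})")
```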

There is no known increase in MasterFred’s activity as of now, and researchers are currently examining the situation in order to release proper guidelines on how to avoid these kinds of attacks. Users are advised to carefully check the sites they are visiting, especially any that are unwanted.
