Oscorp is now UBEL – Info stealing Android malware

Oscorp, a mobile malware built to attack several financial targets with the purpose of stealing funds from unsuspecting victims, was revealed by Italy’s CERT-AGID in late January.


It can intercept SMS messages and phone calls, and it carries out overlay attacks against more than 150 mobile applications, using spoofed login screens to steal valuable information.



Malicious SMS messages were used to spread the malware. The attackers posed as bank operators to dupe targets over the phone while secretly gaining access to the infected device via the WebRTC protocol, which allowed them to perform unauthorized bank transfers.


As per the latest report by The Hacker News, it appears that Oscorp has returned after a short break in the form of the UBEL Android botnet.


By examining various comparable samples, cybersecurity firm Cleafy discovered many indicators linking Oscorp and UBEL to the same malicious codebase. This indicates either a fork of the same original project or just a rebranding by other affiliates, as the source code appears to be shared by multiple hackers.


UBEL, like its predecessor, is advertised on underground forums for $980 and requests invasive permissions that allow it to read and send SMS messages, record audio, install and delete applications, launch itself automatically after system boot, and abuse Android accessibility services to collect sensitive information such as login credentials and two-factor authentication codes, among other things.
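The permission set described above can be checked for during app triage. The following is an added example, not code from Cleafy, CERT-AGID or the original article: it scans a decoded AndroidManifest.xml for that combination. The mapping of each behaviour to an Android permission name, the threshold value, the function name and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: behaviours named in the article -> Android permission names.
BEHAVIOUR_PERMISSIONS = {
    "read SMS": "android.permission.READ_SMS",
    "send SMS": "android.permission.SEND_SMS",
    "record audio": "android.permission.RECORD_AUDIO",
    "install applications": "android.permission.REQUEST_INSTALL_PACKAGES",
    "delete applications": "android.permission.REQUEST_DELETE_PACKAGES",
    "start after boot": "android.permission.RECEIVE_BOOT_COMPLETED",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (decoded XML); not taken from a real sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

def triage_manifest(manifest_xml, threshold=4):
    """Flag a manifest that declares an accessibility service and requests
    at least `threshold` (a hypothetical cut-off) of the listed permissions."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    behaviours = sorted(b for b, p in BEHAVIOUR_PERMISSIONS.items() if p in requested)
    services = [s.get(ANDROID + "name") for s in root.iter("service")
                if s.get(ANDROID + "permission") == ACCESSIBILITY_BIND]
    return {
        "behaviours": behaviours,
        "accessibility_services": services,
        "suspicious": bool(services) and len(behaviours) >= threshold,
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A match is a prompt for manual review rather than a verdict, since legitimate apps can request several of these permissions individually.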


Once installed on the system, the malware tries to disguise itself as a service and hide its presence from the target, allowing for long-term persistence.


Notably, because the attackers use WebRTC to interact with the compromised Android phone in real time, they do not need to enrol a new device and take over an account in order to commit fraud.


Spain, Poland, Germany, Turkey, the United States, Italy, Japan, Australia, France, and India are among the countries where Oscorp is targeting banks and other apps.



