Firewall News

Top Menu

  • Home
  • Our Blog
  • Contact Us

Main Menu

  • Software Updates
  • Alerts & Bugs
  • Out of the Box
  • Home
  • Our Blog
  • Contact Us

Firewall News

Firewall News

  • Software Updates
    • WatchGuard logo

      TDR 6.0.0 is now integrated into WatchGuard Cloud

      04/01/2021
      0
    • Sophos Logo

      XG Firewall 17.5 MR14 Released

      30/07/2020
      0
    • Sophos Logo

      Sophos Firewall Manager SFM 17.1 MR4 Released

      27/07/2020
      0
    • Sophos Logo

      Sophos Enterprise console - Endpoint Security and Control v10.8.9 for Windows has ...

      16/07/2020
      0
    • Sophos Logo

      Sophos iView v3 MR-2 Released

      07/07/2020
      0
    • Sophos Logo

      SD-RED Firmware 3.0.002 Pattern Update

      06/07/2020
      0
    • Sophos Logo

      XG Firewall 17.5 MR13 Released

      06/07/2020
      0
    • Sophos Logo

      End-of-Life (EoL) announcement for old firmware v17 and v17.1 for XG Firewall

      03/07/2020
      0
    • WatchGuard logo

      Fireware 12.5.4 Now Available

      01/07/2020
      0
  • Alerts & Bugs
    • Sophos Logo

      Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

      29/03/2022
      0
    • Sophos Logo

      Sophos: Important Product Lifecycle Updates

      03/03/2022
      0
    • WatchGuard logo

      WatchGuard Support Alert

      23/02/2022
      0
    • Sophos Logo

      Sophos: Important Product Lifecycle Reminder

      03/02/2022
      0
    • Sophos Logo

      Sophos: Product Lifecycle Information: Extended Support for Windows 7 and Windows Server ...

      31/01/2022
      0
    • Sophos Logo

      End-of-Life (EoL) announcement for Sophos SSL VPN Client

      29/11/2021
      0
    • WatchGuard logo

      WatchGuard: macOS Monterey 12.0.1 Does Not Support the AuthPoint Logon App

      09/11/2021
      0
    • Sophos Logo

      Sophos UTM Manager (SUM) End of Distribution

      04/11/2021
      0
    • WatchGuard logo

      WatchGuard: End of Sale Notice: AP420

      01/11/2021
      0
  • Out of the Box
    • WatchGuard’s Firebox T80 Earns 5-Star Rating in SC Labs Review

      17/11/2020
      0
    • WatchGuard Wins Big in CRN 2020 Tech Innovator Awards

      16/11/2020
      0
    • Coronavirus scams: what to look for and how to stop them

      02/04/2020
      0
    • Dell SonicWALL TZ 300

      Out the Box - Dell SonicWALL TZ 300

      05/07/2016
      0
    • Dell SonicWALL TZ SOHO

      Out the Box - Dell SonicWALL TZ SOHO

      05/07/2016
      0
    • WatchGuard Firebox T50

      WatchGuard Firebox T50

      31/03/2016
      0
    • WatchGuard Firebox M200

      WatchGuard Firebox M200

      31/03/2016
      0
Alerts & BugsSonicWALL
Home›Alerts & Bugs›SonicWALL – ANDROID SCAMS RELATED TO THE NEW VIRAL TREND – FACEAPP

SonicWALL – ANDROID SCAMS RELATED TO THE NEW VIRAL TREND – FACEAPP

By admin
01/08/2019
1221
0
Share:

When an application or game becomes a viral sensation, malware writers are quick to leverage their popularity for spreading scams.We have seen this with Fortnite and Apex Legends in the past, now we are seeing it again with the new viral application – FaceApp.

SonicWall Capture Labs Threats Research team has observed a number of scams using the wildly popular FaceApp to lure innocent victims. Highlighted below are the different types of scams that we observed:

VERIFICATION AND SURVEY SCAMS – WEB

There are a number of websites which claim to provide FaceApp Pro version for free. Upon clicking them, the user is redirected to a fake survey/verification websites aiming to extract sensitive user information such as email and credit card details. Here are some examples of such websites (at the time of writing this blog):

  • h[xx]ps://appmolly.com/faceapp-pro
  • h[xx]p://tweakapps/club/index-4.html

It is interesting to note that when we changed index-4.html to index-3.html and index-5.html we could see similar pages for PUBG mobile and Spotify premium respectively. This indicates that scamsters setup multiple pages for what is trending at the moment:

VERIFICATION AND SURVEY SCAMS – MOBILE

We observed a FaceApp-Pro apk (MD5: bb99a60d9f69a18b3d115d615c0e2fbd) that is part of a malware clone scam (more about this later in the blog). This app requests the users to ‘verify their mobile device’ before they can use the app:

The app starts displaying survey links which aim at extracting credit-card and other sensitive details from the users.

Malware writers often create a malicious app and make copies of it with different application names and icons to increase their chances of infecting users based on what is trending at the moment. Given its current popularity, the name FaceApp is being leveraged in multiple scams. He have highlights of few such instances below.

MALWARE CLONES – SMS STEALER

  • Package name: com.example.asus.myapplication

As visible below there are a number of apps with the same name but different icons, FaceApp being one of them (Koodous link)

Upon inspection, this application turned out to be a SMS stealer which is dormant at the moment since the server it tries to contact to has been cleaned/shutdown:

We found a telegram link in the code as well, it is possible that this application received commands via Telegram:

We found code related to reading and sending SMS messages from the infected device:

MALWARE CLONES – VERIFICATION SCAMS

This application has already been highlighted previously when discussing the verification scam. Among other application names we saw the name FaceApp being used as part of this scam (Koodous link):

MALWARE CLONES – SPYWARE

We observed a  few malware apps with the FaceApp name and icon which are a little older but, contain dangerous functionalities. These apps do not have the same package names but, can be grouped based on similar activity names:

  • Package name: ffo.bzgbuamnsxouu.huzckzj
  • Package name: fjfw.phlrugygex.jhkheqxciezscs

Among other permissions, these malware apps asks for a few sensitive permissions that can cause a big impact on user’s data and enable the attacker to spy on the victim:

  • read external storage
  • write external storage
  • get tasks
  • read contacts
  • read sms
  • send sms
  • receive sms
  • call phone
  • receive boot completed
  • get accounts
  • read contacts
  • read history bookmarks
  • call phone
  • write settings

This malware is equipped to execute a number of commands coming from the attacker, some of them include:

  • sendsms – Sends a SMS from the device
  • getlastsms – Extracts the last SMS received on the device
  • sendflood – Sends a large number of SMS message to a particular number
  • call – Calls a particular number
  • megalock – Lock the device with a custom password sent by the attacker

In order to execute few commands mentioned above, the malware needs device administrator privileges. The following code shows the custom message used by the malware to trick users to grant that privilege:

As FaceApp continues to gain popularity we expect to see more such scams surface in the near future. Staying vigilant and being careful about what applications are downloaded and installed on the device is one of the most potent ways to be safe among such scams.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AndroidOS.FakeFaceApp.BT
  • GAV: AndroidOS.FakeFaceApp.SM
  • GAV: AndroidOS.FakeFaceApp.MV

Indicators of compromise:

  • a86d054bae218db30523690add463355 – ffo.bzgbuamnsxouu.huzckzj
  • a86d054bae218db30523690add463355 – ffo.bzgbuamnsxouu.huzckzj
  • b888e34899e2572961e9a757066c0492 – com.example.asus.myapplication
  • bb99a60d9f69a18b3d115d615c0e2fbd – com.comunidadapk.fkapps
Previous Article

The Top 25 Enterprise IT Innovators Of ...

Next Article

WatchGuard Named Gold Winner Three Times Over ...

0
Shares
  • 0
  • +
  • 0
  • 0
  • 0
  • 0

Related articles More from author

  • Fortinet logo
    Alerts & BugsFortinet

    FortiGuard Labs Discovers Vulnerability in Asus Router

    06/02/2018
    By admin
  • Sophos Logo
    Alerts & BugsSophos

    Sophos – XG Firewall: When users are getting logged out randomly with script based SSO

    30/09/2019
    By admin
  • Alerts & BugsTrendMicro

    Trend Micro Worry-Free Business Security Services Systems Update

    27/11/2020
    By admin
  • Sophos Logo
    Alerts & BugsSophos

    Sophos Central Admin-Unable to change login email address in “Account Details” section of Sophos Central Admin dashboard

    05/09/2019
    By admin
  • Sophos Logo
    Alerts & BugsSophos

    Advisory: Sophos Central Maintenance scheduled for Saturday, July 10th, 2021

    07/07/2021
    By admin
  • Sophos Logo
    Alerts & BugsSophos

    Sophos XG Firewall: Packet capture may show violation for DHCP and DHCP relay traffic

    11/09/2019
    By admin

  • SonicWall Logo
    Alerts & BugsSonicWALL

    SonicWall Product Notice: Spectre & Meltdown Vulnerability Update

  • Sophos Logo
    Alerts & BugsSophos

    Advisory: Sophos XG Firewall: Asnarok Vulnerability – Actions required for CFM managed devices

  • Fortinet Certified ICSA Labs
    News

    Fortinet Certified by ICSA for Advanced Threat Defense

Timeline

  • 29/03/2022

    Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

  • 03/03/2022

    Sophos: Important Product Lifecycle Updates

  • 01/03/2022

    Shoring up your cybersecurity posture in light of ongoing crisis

  • 23/02/2022

    WatchGuard Support Alert

  • 03/02/2022

    Sophos: Important Product Lifecycle Reminder

Sponsored Links

Latest Comments

  • Paul Sillars
    on
    21/06/2016
    I received this in an email this morning, it was the first I heard about it ...

    Dell Software Group sold to help fund looming EMC deal

  • Paul Sillars
    on
    20/06/2016
    This is going to be an interesting one to watch. Especially after today's announcement that ...

    Ingram Micro gets distribution access to Dell’s security range in Australia

Find us on Facebook

Firewall.News Logo

This site serves more as a reference point for some of the major security vendor's updates and product/press releases

It will never be a definitive list, but it helps our customers keep up to date and also allows us to express our comment and observations as well.

About us

  • PO Box 451, North Lakes, Queensland, 4509, Australia
  • [email protected]
  • Recent

  • Popular

  • Comments

  • Sophos Logo

    Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

    By admin
    29/03/2022
  • Sophos Logo

    Sophos: Important Product Lifecycle Updates

    By admin
    03/03/2022
  • Shoring up your cybersecurity posture in light of ongoing crisis

    By admin
    01/03/2022
  • WatchGuard logo

    WatchGuard Support Alert

    By admin
    23/02/2022
  • Dell SonicWALL Supermassive

    Ingram Micro gets distribution access to Dell’s security range in Australia

    By admin
    14/06/2016
  • Francisco Partners and Elliott Management to Acquire the Dell Software Group

    Dell Software Group sold to help fund looming EMC deal

    By admin
    21/06/2016
  • WatchGuard Firebox M500 – The Cure for HTTPS Performance Headaches

    By admin
    05/03/2015
  • Sophos Logo

    Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

    By admin
    29/03/2022
  • Paul Sillars
    on
    21/06/2016

    Dell Software Group sold to help fund looming EMC deal

    I received this in ...
  • Paul Sillars
    on
    20/06/2016

    Ingram Micro gets distribution access to Dell’s security range in Australia

    This is going to ...

Follow Me

  • Contact
  • About Us
  • Home