Researchers have disclosed a new family of Android malware that abuses accessibility services on the device to hijack user credentials and record audio and video.
Dubbed “Oscorp” by Italy’s CERT-AGID, the malware “induce(s) the user to install an accessibility service with which [the attackers] can read what is present and what is typed on the screen.”
So named because of the title of the login page of its command-and-control (C2) server, the malicious APK (called “Assistenzaclienti.apk” or “Customer Protection”) is distributed via a domain named “supportoapp[.]com.” Upon installation, it requests intrusive permissions to enable the accessibility service and establishes communications with a C2 server to retrieve additional commands.
Furthermore, the malware reopens the Settings screen every eight seconds until the user turns on permissions for accessibility and device usage statistics, thus pressuring the user into granting the extra privileges.
Once the access is provisioned, the malware exploits the permissions to log keystrokes, uninstall apps on the device, make calls, send SMS messages, steal cryptocurrency by redirecting payments made via Blockchain.com…
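A device-triage check for the behaviour described above, as an added example that is not from CERT-AGID or the original article: it cross-references the enabled accessibility services with each package's installer to surface sideloaded apps that hold an accessibility service. The adb output formats, the trusted-installer list and every package name in the sample are assumptions constructed for illustration.

```python
import re

# Installer packages treated as trusted stores (assumption; adjust per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(settings_out):
    """Packages owning an enabled accessibility service."""
    # Input: `adb shell settings get secure enabled_accessibility_services`,
    # a colon-separated list of package/ServiceClass entries, or "null".
    text = settings_out.strip()
    if not text or text == "null":
        return set()
    return {c.split("/", 1)[0] for c in text.split(":") if "/" in c}

def parse_packages(pm_out):
    """Map package -> installer (None if absent) from `pm list packages [-i|-s]`."""
    result = {}
    for line in pm_out.splitlines():
        m = re.match(r"package:(\S+)(?:\s+installer=(\S+))?", line.strip())
        if m:
            installer = m.group(2)
            result[m.group(1)] = None if installer in (None, "null") else installer
    return result

def flag_sideloaded_accessibility(settings_out, pm_all_out, pm_system_out):
    """Accessibility-enabled packages that are neither system nor store-installed."""
    enabled = parse_enabled_services(settings_out)
    installers = parse_packages(pm_all_out)       # from `pm list packages -i`
    system = set(parse_packages(pm_system_out))   # from `pm list packages -s`
    return sorted(p for p in enabled
                  if p not in system and installers.get(p) not in TRUSTED_INSTALLERS)

# Constructed sample outputs; all package names are made up.
SAMPLE_SETTINGS = ("com.example.screenreader/.ReaderService:"
                   "com.example.assistenza/com.example.assistenza.Svc\n")
SAMPLE_PM_ALL = (
    "package:com.example.screenreader  installer=null\n"
    "package:com.example.assistenza  installer=null\n"
    "package:com.example.notes  installer=com.android.vending\n"
)
SAMPLE_PM_SYSTEM = "package:com.example.screenreader\n"

if __name__ == "__main__":
    for pkg in flag_sideloaded_accessibility(SAMPLE_SETTINGS, SAMPLE_PM_ALL, SAMPLE_PM_SYSTEM):
        print("review:", pkg)
```

A flagged package is a candidate for manual review, not a verdict: legitimately sideloaded accessibility tools will appear in the same list.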