Cyber Web Spider Blog – News
Threat Actors Combine Android Malware With Click Fraud Apps to Steal Login Credentials

Posted on July 22, 2025 by CWS

A new wave of malicious Android package (APK) files weaves together two of cybercrime's most reliable revenue streams, click-fraud advertising and credential theft, into a single, adaptable threat that has begun circulating across Southeast Asia, Latin America, and parts of Europe.

Disguised as casual games, task-reward utilities, and even clones of legitimate Chrome or Facebook apps, the malware lures users away from Google Play to sideload rogue installers, a tactic that neatly sidesteps Google's built-in vetting controls and capitalizes on social-engineering hooks such as "Get Free $5" or "Create Your Ad Campaign".

Once the APK lands on a victim's handset, the app immediately requests an excessive set of permissions (camera, contacts, account management, and the ability to run foreground services), well beyond what any lightweight game or coupon app should need.

Trustwave SpiderLabs analysts identified the campaign while tracing a Facebook-ads themed lure that automatically dropped a payload named fb20-11-en.apk from a spoofed domain.

Their telemetry shows that the same infrastructure fans out dozens of variant apps, each region-tuned to impersonate banks, telecoms, or betting platforms but compiled from a common code base.

Victims are hit twice. In the foreground, the app silently loads parked domains and affiliate funnels, simulating taps and scrolls to inflate ad-impression counts, a maneuver clearly visible in the redirection chain.

Redirection chain (Source: Trustwave)

In the background, convincing login forms siphon usernames, passwords, and occasionally one-time PINs, forwarding them to an encrypted command-and-control (C2) back end.

This dual-purpose architecture, analysts warn, lets operators monetize each infected device immediately while quietly harvesting data for resale or later account takeover.

Under the hood, the cluster relies on a modular configuration system that ships its C2 map as a Base64 string encrypted with AES in Electronic Codebook (ECB) mode.

A hard-coded key, 123456789mangofb, is embedded directly in the APK, enabling the malware to decode fresh API routes on the fly and rotate infrastructure when domains are blocked.

The relevant routine, decompiled by Trustwave, is reproduced below for clarity:

import android.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Cipher.getInstance("AES") resolves to AES/ECB/PKCS5Padding, so no IV is involved.
Cipher cipher = Cipher.getInstance("AES");
byte[] keyBytes = new byte[16];
System.arraycopy("123456789mangofb".getBytes(), 0, keyBytes, 0, 16); // 16-byte key: AES-128
SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
cipher.init(Cipher.DECRYPT_MODE, keySpec);
// encryptedData holds the Base64 config string fetched from the C2; flag 0 is Base64.DEFAULT.
byte[] decrypted = cipher.doFinal(Base64.decode(encryptedData, 0));
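An analyst-side re-implementation of that routine in Go, added here as an example and not code from Trustwave or from the sample: it reproduces what Cipher.getInstance("AES") does (AES/ECB with PKCS#5 padding), validates the padding so a rotated key surfaces as an error instead of garbage, and round-trips a constructed config blob. The key is the one reported above; the config contents and the C2 URL are placeholders, and encryptConfig exists only to build the test input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"fmt"
)

// Hard-coded key recovered in the Trustwave analysis: 16 bytes, so AES-128.
const hardcodedKey = "123456789mangofb"

// decryptConfig mirrors the decompiled routine: Base64-decode, then AES/ECB with
// PKCS#5 padding, which is what Cipher.getInstance("AES") defaults to on Android.
func decryptConfig(b64, key string) ([]byte, error) {
	block, kerr := aes.NewCipher([]byte(key))
	ct, derr := base64.StdEncoding.DecodeString(b64)
	if kerr != nil || derr != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or blob (key: %v, base64: %v)", kerr, derr)
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize { // ECB: no IV, every block stands alone
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	// Check the padding; garbage here usually means the operators rotated the key.
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding: wrong key or corrupt blob")
	}
	return pt[:len(pt)-n], nil
}

// encryptConfig only builds the constructed sample used in main; it is the
// inverse of the routine above, not code recovered from the malware.
func encryptConfig(plain []byte, key string) string {
	block, _ := aes.NewCipher([]byte(key))
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(ct)
}

func main() { // constructed stand-in config; the report does not show the real format
	blob := encryptConfig([]byte(`{"entry":"http://c2.example.invalid/#/entry"}`), hardcodedKey)
	cfg, err := decryptConfig(blob, hardcodedKey)
	fmt.Printf("%s %v\n", cfg, err)
}
```

Pointing decryptConfig at a blob pulled from a live sample's config endpoint gives the plaintext C2 map; a padding error on a new variant is the first sign that the key has changed.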

Infection Mechanism: From Sideload to Silent Control

Installation begins with a social-media message or QR-code poster that pushes users to a look-alike landing page.

Tapping the "Start Now" button launches an immediate APK download and, crucially, suppresses Android's normal install-source warning by blending the file path with legitimate-looking sub-domains such as apk.kodownapp.top.

Once executed, the app leverages the open-source ApkSignatureKillerEx framework to graft a secondary payload (origin.apk) into its own directory without invalidating the original signature, ensuring the OS treats it as a legitimate upgrade.

AES-wrapped config (Source: Trustwave)

On first run, it issues a beacon to 38.54.1.79:9086/#/entry, retrieves the AES-wrapped config, and only then activates the ad-click automation or credential-harvesting modules, significantly reducing the behavioral noise most sandboxes rely on for detection.

By the time the user notices anomalous battery drain or data spikes, both ad revenue and fresh credential sets have long since been exfiltrated through a fallback "crash-log" channel masquerading behind a seemingly innocuous sub-domain.
