The MoqHao Android malware, attributed to the Roaming Mantis threat actor group, has a new variant that starts its malicious activity automatically on installation, without waiting for the user to launch the app. This is a significant change in tactics for a long-running malware family.
MoqHao has been active since 2015 and has primarily targeted Asian countries, including Korea and Japan. The new variant has also been observed targeting France, Germany and India.
Researchers at McAfee analysed the new variant and published their findings. They found that MoqHao is still distributed through smishing, that is, phishing delivered by SMS.
When the victim taps the link in the message, the malicious application is downloaded. The researchers also found that this variant delivers its links through URL-shortening services, so the visible domain is the shortener's rather than the attacker's, which makes domain-based blocking considerably harder.
The variant also begins its malicious activity automatically as soon as it is installed. This is the second major departure from earlier MoqHao behaviour and shows the threat actors continuing to evolve. The researchers reported the behaviour to Google, which is working on mitigation features.
The authors have also introduced a new detection-evasion trick: the app name uses Unicode characters that render in bold, so it visually resembles a legitimate application such as ‘Chrome’ while the underlying string is different. This can defeat detection rules that match on the app name.
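A quick way to check app labels for this kind of spoofing is to fold font variants and diacritics back to plain letters before comparing against a list of legitimate names. The following is an added example written for this article, not McAfee's tooling or the malware's code; the sample labels, including one built from Mathematical Bold letters (U+1D400 block), are constructed, and the legitimate-name list is an assumption for illustration.

```python
import unicodedata

# Constructed sample labels, not taken from any real sample:
#   - a genuine "Chrome"
#   - "Chrome" spelled with Mathematical Bold letters, which render bold
#     (U+1D402 U+1D421 U+1D42B U+1D428 U+1D426 U+1D41E)
#   - "Chrome" with a diacritic on the o
#   - a digit-zero lookalike that normalization alone will not resolve
SAMPLE_LABELS = [
    "Chrome",
    "\U0001D402\U0001D421\U0001D42B\U0001D428\U0001D426\U0001D41E",
    "Chr\u00f6me",
    "Chr0me",
]

# Assumed allow-list of legitimate app labels; a real deployment would use
# the label/package pairs it actually expects to see on the device.
LEGIT_NAMES = ["Chrome", "Settings", "Messages"]


def fold_label(label: str) -> str:
    """Collapse presentation variants of a label to a comparable ASCII-ish form.

    NFKC maps compatibility characters such as the Mathematical Bold letters
    to their base letters; NFKD then splits accented letters so the combining
    marks (category Mn) can be dropped; casefold makes the comparison
    case-insensitive.
    """
    compat = unicodedata.normalize("NFKC", label)
    decomposed = unicodedata.normalize("NFKD", compat)
    stripped = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return stripped.casefold()


def classify_label(label: str, legit_names=LEGIT_NAMES) -> str:
    """Return 'exact', 'lookalike' or 'unknown' for a given app label.

    'lookalike' means the folded label matches a legitimate name but the raw
    string does not, which is exactly the bold-Unicode trick described above.
    """
    folded = fold_label(label)
    for name in legit_names:
        if fold_label(name) == folded:
            return "exact" if label == name else "lookalike"
    return "unknown"


def non_ascii_chars(label: str):
    """List every non-ASCII code point in a label with its Unicode name,
    which is what an analyst wants to see in an alert."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in label
        if ord(ch) > 0x7F
    ]


if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        print(f"{label!r:40} -> {classify_label(label):9} folded={fold_label(label)!r}")
        for ch, cp, name in non_ascii_chars(label):
            print(f"    {ch} {cp} {name}")
```

Normalization catches font variants and accents but not visually similar characters from other scripts or digit-for-letter swaps (the `Chr0me` case stays `unknown`), so for a production check pair it with a confusables table such as the one Unicode publishes in TR39, and alert on any label that contains non-ASCII code points yet folds to a known name.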
MoqHao also uses social engineering to get the victim to set the malicious app as the default SMS handler: a fake message shown just before the system settings dialog tells the user to enable the app to block spam. Once it holds that role the app can read and send the victim's text messages.
After initialisation the malware creates a notification channel and tailors its phishing messages to the device's mobile carrier. Notably, MoqHao fetches the phishing text and URLs from Pinterest profiles and uses them to lure victims into clicking malicious links.
Researchers found that this latest variant established a connection to the command and control (C2) server via WebSocket, introducing several new commands in addition to those observed in previous iterations. This expanded repertoire of C2 commands underscores the malware’s adaptive nature and ongoing efforts to stay ahead of security measures.
The researchers advise users to stay vigilant, avoid tapping links in unsolicited messages, keep Google Play and its protection features up to date, keep the Android OS patched, and follow standard precautions against smishing.