State-sponsored attackers infiltrate Play Store with fake VPN app
APT35 hid spyware in a fake VPN app to steal sensitive information
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Spyware can come in many forms and in May of last year,Google’sThreat Analysis Groupdiscovered that state-sponsored hackers had disguised their malicious software as aVPNapp and uploaded it to theGoogle Play Store.
The search giant’s Threat Analysis Group tracks a wide variety of threats and state-sponsored hackers in order to warn its users when they have been targeted online. One of the more notable campaigns it recently tracked was led by state-sponsored hackers from Iran that go by the nameAPT35.
Back in May of 2020, Google’s threat analysts discovered that APT35 had attempted to uploadspywareto theGoogle Play Storeby disguising their malicious payload as a VPN app designed to mimic the look and feel ofExpressVPN. If installed on a user’s devices, this fake VPN app could steal sensitive information including call logs, text messages, contacts and location data from devices.
Thankfully though, Google detected the app quickly and removed it from the Play Store before any users had a chance to download and install it. Still though, the search giant recently detected APT35 attempting to distribute this fake VPN app on other platforms in July of 2021.
Credential phishing
According to a newblog postfrom Google’s Threat Analysis Group, earlier this year APT35 compromised a website affiliated with a university in the UK in order to host a phishing kit.
After gaining control of the site, the hackers sent email messages with links to it in an attempt to harvest credentials from a number of popularemail servicesincluding Gmail, Hotmail and Yahoo. Not only were potential victims tricked into activating an invitation to join a fakewebinarby logging in but APT35’s phishing kit was also capable of asking for two-factor authentication (2FA) codes sent to their devices.
While this technique is also popular with cybercriminals, APT35 has relied on its since 2017 in order to target high-value accounts across a wide variety of industries such as government, academia, journalism, NGOs, foreign policy and even national security.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
When Google suspects a government-backed hacking group like APT35 is targeting its users, its Threat Analysis Groupsends out warningsto let them know that they have been identified as a target. At the same time, the company also blocks malicious domains using Google Safe Browsing which is built into Chrome.
As cyber threats have increased over the past few years, Google is now encouraging ‘high risk’ users to sign up for itsAdvanced Protection Programand the company even plans to distribute 10,000security keysto them throughout 2021.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
Is it still worth using Proton VPN Free?
Mozambique VPN usage soars as internet restrictions continue
I’ve used Genmoji and now I’m convinced Apple Intelligence will be a huge success
