

Ethical Hacking News

Cybercriminals Are Using Fake Apps to Steal Personal Data Across Asia's Mobile Networks


Cybercriminals are using fake apps to steal personal data across Asia's mobile networks, targeting Android and iOS platforms with malicious dating, social networking, cloud storage, and car service apps. The SarangTrap campaign involves over 250 malicious Android applications and more than 80 malicious domains, disguised as legitimate dating and social media applications to trick users into installing the apps.

  • Researchers discovered a new mobile malware campaign targeting Android and iOS platforms with fake dating, social networking, cloud storage, and car service apps.
  • The campaign, codenamed SarangTrap, involves over 250 malicious Android applications and more than 80 malicious domains disguised as legitimate apps.
  • The malware exfiltrates contact lists and images, and requests sensitive permissions to access SMS messages, contact lists, and files.
  • The iOS version of the campaign entices users into installing a deceptive mobile configuration profile to capture contacts and photos.
  • The threat uses psychological manipulation and social engineering tactics to take advantage of emotional vulnerability.
  • The creation of fake apps can be achieved with relative ease using malware-as-a-service (MaaS) kits like PhantomOS or Nebula for a monthly subscription.
  • Underground forums offer crypters, exploit kits, and malicious services that allow malware to spread infections at scale using social engineering techniques.
  • Cybercriminals can buy access to already compromised Android devices in bulk, enabling a network of existing bots to carry out activities.



    Cybersecurity researchers have discovered a new, large-scale mobile malware campaign that is targeting Android and iOS platforms with fake dating, social networking, cloud storage, and car service apps. The cross-platform threat has been codenamed SarangTrap by Zimperium zLabs, indicating the extent of its reach. Users in South Korea appear to be the primary focus, although other regions may also be at risk.

    This extensive campaign involved over 250 malicious Android applications and more than 80 malicious domains, all disguised as legitimate dating and social media applications. The bogus domains, which impersonate legitimate app store listing pages, are used as a lure to trick users into installing these apps, resulting in the exfiltration of contact lists and images, while keeping up an illusion of legitimacy.

    Once installed, the Android apps also prompt the victim to enter an invitation code, which is then validated against a command-and-control (C2) server. The apps then request sensitive permissions that give them access to SMS messages, contact lists, and files under the pretext of offering the advertised functionality. This clever approach allows the malware to evade dynamic analyses and antivirus scans and silently hoover up data.

    The iOS version of the campaign has been found to entice users into installing a deceptive mobile configuration profile on their device, which facilitates the app installation to capture contacts, photos, and the photo library. The psychological manipulation and social engineering tactics employed by these campaigns to take advantage of emotional vulnerability are a concerning aspect of this threat.

    The disclosure comes in the wake of another campaign that has set up 607 Chinese-language domains to distribute malicious application files (APKs) posing as the Telegram messaging app via a QR code embedded on the site, which executes remote commands in real-time to enable data theft, surveillance, and control over the device using the MediaPlayer API.

    To understand the extent of this threat, it is essential to delve into the mechanisms behind these campaigns. The creation of fake apps that mimic popular dating and social media applications can be achieved with relative ease, thanks to the availability of malware-as-a-service (MaaS) kits like PhantomOS or Nebula for a monthly subscription. These kits often come with features such as 2FA interception, bypassing antivirus software, silent app installs, GPS tracking, and phishing overlays that are specific to a brand.

    Furthermore, underground forums offer crypters and exploit kits that allow malware to remain under the radar and spread infections at scale using social engineering techniques. One tool in question is Android ADB Scanner, which looks for open Android Debug Bridge (ADB) ports and pushes a malicious APK file without the victim's knowledge. This service can be obtained for around $600-$750.

    An interesting development in this ecosystem is the commoditization of infected devices themselves. So-called "install" markets let cybercriminals buy access to already compromised Android devices in bulk, obviating the need for attackers to distribute malware or infect devices on their own. This approach enables a network of existing bots to carry out activities of their choice.

    To mitigate these risks, it is advised to remain cautious of apps requiring unusual permissions or invitation codes, avoid downloading apps from untrusted sources or unofficial app stores, and periodically review device permissions and installed profiles. The threat landscape surrounding mobile malware continues to evolve, with cybercriminals adopting new tactics and leveraging existing vulnerabilities to their advantage.
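The permission review advised above can be partly automated when APK files are collected for inspection. The following is an added example, not code from the article or from Zimperium: it parses `aapt dump badging` output and marks for manual review any app that requests all three permission groups named in the article (SMS, contacts, files). The sample outputs and package names are constructed, and the exact permission lists per group are an assumption.

```python
import re

# Permission groups the article says the fake apps ask for: SMS, contacts, files.
# The exact permissions per group are an assumption made for this example.
GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.WRITE_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE",
              "android.permission.READ_MEDIA_IMAGES"},
}
PKG_RE = re.compile(r"^package: name='([^']+)'")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?: name='([^']+)'")

# Constructed samples in the shape of `aapt dump badging <apk>` output.
SAMPLE_DATING = """\
package: name='com.example.datingapp' versionCode='3' versionName='1.2'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
"""
SAMPLE_GALLERY = """\
package: name='com.example.gallery' versionCode='10' versionName='2.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_MEDIA_IMAGES'
"""

def parse_badging(text):
    """Return (package_name, set_of_permissions) from badging output."""
    package, perms = None, set()
    for line in text.splitlines():
        line = line.strip()
        if (m := PKG_RE.match(line)):
            package = m.group(1)
        elif (m := PERM_RE.match(line)):
            perms.add(m.group(1))
    return package, perms

def triage(text):
    """Flag an app for manual review when it requests every group in GROUPS."""
    package, perms = parse_badging(text)
    hits = {g: sorted(perms & names) for g, names in GROUPS.items() if perms & names}
    return {"package": package, "groups": hits, "flag": len(hits) == len(GROUPS)}

if __name__ == "__main__":
    for sample in (SAMPLE_DATING, SAMPLE_GALLERY):
        print(triage(sample))
```

A flag here is a prompt for review rather than a verdict, since legitimate messaging apps request the same combination; it is most useful for apps whose advertised function does not need these permissions.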

    The SarangTrap campaign highlights the need for vigilance among users and the importance of staying informed about emerging threats in the mobile security space. As technology advances, so too do the methods used by malicious actors to exploit vulnerabilities. Staying proactive and taking steps to protect personal data is essential in today's digital landscape.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cybercriminals-Are-Using-Fake-Apps-to-Steal-Personal-Data-Across-Asias-Mobile-Networks-ehn.shtml

  • https://thehackernews.com/2025/07/cybercriminals-use-fake-apps-to-steal.html


  • Published: Tue Jul 29 11:15:39 2025 by llama3.2 3B Q4_K_M












