Cyber intelligence firm Cyble has published new details about “Dracarys”, a strain of “spyware” that infects Android devices by posing as legitimate apps on its victims’ “smartphones”. Meta, the parent company of Facebook, first described this “malware” a few months ago when it named it in its report on threats from the second quarter of this year. The technology company linked its use to a cybercriminal group known as Bitter APT, which operates in Southeast Asia and focuses its attacks on countries such as New Zealand, India, Pakistan and the United Kingdom.
The company explained in its report that Bitter embedded this “spyware” into unofficial, illegitimate versions of applications such as YouTube, Signal, Telegram and WhatsApp, among other customised chat platforms. As Meta noted, once installed, this “malware” can access the call log, contact list, files, text messages, geolocation and device information, as well as change Android permissions, activate the microphone, install other “apps” and take pictures with the camera.
Cyble has now released a white paper that focuses on how Dracarys abuses one of these trojanised applications, in this case Signal, to steal information and send it to an external Firebase server. First of all, the cybercriminal group Bitter, also known as T-APT-17, runs a web portal on the “signalpremium.com” domain that impersonates the platform’s official download page. It also takes advantage of the fact that Signal is open-source “software” to rebuild a fully functional version of the program with all of its known features, pass it off as legitimate and embed the “Dracarys” code in it.
Once installed, the trojanised Signal “app” requests access to the contact list, SMS, camera, microphone, device storage and location, as well as the ability to make calls. The “spyware” also abuses accessibility services to grant itself additional permissions, so that it keeps running in the background even after the user has closed the application.
How to avoid one of these infections
The cybersecurity company offered users a number of recommendations to avoid falling victim to this “malware”, including installing applications only from official stores such as the Play Store or App Store. The firm also advises using a reputable antivirus product on all connected devices, including desktops, tablets, laptops and mobile phones.
The use of strong passwords is also recommended, as is enabling multi-factor authentication “whenever possible” and biometric security features such as fingerprint or face recognition. Links from suspicious emails or automated SMS messages should be avoided, and care should be taken when granting permissions to an “app”. Finally, the cybersecurity firm recommends keeping all devices up to date and, on Android, making sure the Google Play Protect tool is active.
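Two of the points above, the sideloaded impostor app and its abuse of accessibility services, can be checked on a device with two standard adb commands. The following triage script is an added illustration, not code from Cyble, Meta or the Signal project: it parses the output format of `adb shell pm list packages -i` (one `package:<name>  installer=<installer>` line per app) and of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/service` pairs), flags packages not installed by a trusted store and highlights any of those that also have an accessibility service enabled. The two input strings are constructed samples; the `com.example.*` package names are invented placeholders and are not identifiers from the report.

```python
"""Triage helper: flag sideloaded Android apps and the accessibility services
they have enabled. Added illustration; the inputs below are constructed
samples in the format of `pm list packages -i` and of the
`enabled_accessibility_services` secure setting."""

import re
from dataclasses import dataclass, field

# Assumption: Google Play's installer package is the only trusted source.
# Extend this set for a vendor store you consider official.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i` output.
# com.example.* entries are invented placeholders.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.fakesignal  installer=null
package:com.example.videoplus  installer=com.example.oeminstaller
"""

# Constructed sample of the enabled_accessibility_services setting value.
SAMPLE_A11Y_SETTING = (
    "com.example.fakesignal/com.example.fakesignal.AccService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


@dataclass
class Finding:
    package: str
    installer: str
    accessibility_services: list = field(default_factory=list)


def parse_pm_list(text: str) -> dict:
    """Return {package: installer} from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_accessibility_services(setting: str) -> dict:
    """Return {package: [service, ...]} from the setting value.
    An empty or 'null' value means no service is enabled."""
    services = {}
    if not setting or setting.strip() == "null":
        return services
    for entry in setting.split(":"):
        pkg, _, svc = entry.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(svc)
    return services


def find_sideloaded(pm_text: str, a11y_setting: str) -> list:
    """Packages not installed by a trusted store, each annotated with the
    accessibility services it has enabled (the mechanism the spyware uses
    to grant itself permissions and stay resident)."""
    installers = parse_pm_list(pm_text)
    a11y = parse_accessibility_services(a11y_setting)
    return [
        Finding(pkg, installer, a11y.get(pkg, []))
        for pkg, installer in installers.items()
        if installer not in TRUSTED_INSTALLERS
    ]


def high_risk(findings: list) -> list:
    """Sideloaded packages that also run an accessibility service."""
    return [f for f in findings if f.accessibility_services]


if __name__ == "__main__":
    for f in find_sideloaded(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_SETTING):
        tag = "HIGH" if f.accessibility_services else "review"
        print(f"[{tag}] {f.package} installer={f.installer} "
              f"a11y={f.accessibility_services}")
```

To use it on a real device, capture the two adb outputs to files and pass their contents to `find_sideloaded`; a "HIGH" entry is an app that was not installed from the store and has an accessibility service switched on, which is exactly the combination worth reviewing before deciding whether to uninstall it.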
*This article has been translated from the original published at www.lainformacion.com.