
Cybersecurity researchers have discovered a new, large-scale mobile malware campaign that's targeting Android and iOS platforms with fake dating, social networking, cloud storage, and car service apps to steal sensitive personal data. The cross-platform threat has been codenamed SarangTrap by Zimperium zLabs. Users in South Korea appear to be the primary focus.

"This extensive campaign involved over 250 malicious Android applications and more than 80 malicious domains, all disguised as legitimate dating and social media applications," security researcher Rajat Goyal said.

The bogus domains, which impersonate legitimate app store listing pages, are used as a lure to trick users into installing these apps, resulting in the exfiltration of contact lists and images, all while keeping up an illusion of legitimacy.

Once installed, the Android apps also prompt the victim to enter an invitation code, after which it's validated against a command-and-control (C2) server. The app then proceeds to request sensitive permissions that allow it access to SMS messages, contact lists, and files under the pretext of offering the advertised functionality.

Coupling the activation of the malicious behavior to an invitation code is, by turns, clever and sneaky as it allows the malware to evade dynamic analyses and antivirus scans and silently hoover data.

The iOS version of the campaign has been found to entice users into installing a deceptive mobile configuration profile on their device, and…