Do Not Install Apps On Your Phone If You See This Warning

Just days after the FBI warned Windows users that installing or updating Google Chrome may carry a ransomware threat, there’s a similar warning for phone users.
In its latest #StopRansomware advisory, the bureau says that unofficial Chrome updates can provide the initial entry for an attack. “The fake Google Chrome browser executable functions as a remote access trojan (RAT),” which hides on a user’s PC.
Now Cleafy warns that PlayPraetor — an Android RAT — is also surging, fueled by the same kind of fake downloads the FBI flagged. Developed by Chinese-speaking threat actors, this malware attacks banking apps and crypto wallets. But there’s an obvious warning — the crafted web domains on the app install or update pages.
“The botnet’s rapid growth,” Cleafy says, “now exceeds 2,000 new infections per week.” It is underpinned “by a Chinese-language Command and Control (C2) panel, which leverages a multi-tenant architecture to support a scalable affiliate model and includes automated tools for creating custom malware delivery pages.”
Put more simply, that means “impersonating legitimate Google Play Store pages to trick victims into downloading malicious applications.” Again, this malware exploits Android’s Accessibility Services, which enables it to overlay targeted apps to steal login credentials as the user interacts with the overlay.
“An investigation of the overlay attack payloads,” Cleafy says, “revealed an extensive list of global targets, including nearly 200 banking apps and cryptocurrency wallets.”
While using fake Play Store pages “is a well-established tactic among cybercrime groups,” the researchers say “the truly significant aspect of these campaigns lies in their scale.” This includes “using more than 16,000 URLs and employing various techniques to profit from victims. This evolution marks a clear transition from a regional to a global threat.”
Staying safe is easy — don’t install or update apps from outside the Play Store. While Google’s official app marketplace is not without its issues, these attacks rely on duplicating real download pages for well-known apps to trick users.
Don’t install apps in this way. Ensure Play Protect is enabled on your phone. And if you ever do find yourself tempted to hit download or install on a website, check the URL. If it’s anything other than play.google.com, then you’re about to fall victim to an attack.
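The URL check above only works if the whole hostname is compared, not just whether "play.google.com" appears somewhere in the link. The following is an added example, not code from this article or from Cleafy; the function name and the sample links (on reserved .example hosts) are constructed for illustration.

```javascript
// Added example: strict test that a link really points at the official Play Store.
// Uses the standard WHATWG URL parser, i.e. the same parsing rules a browser applies.
const OFFICIAL_HOST = "play.google.com";

function isOfficialPlayStoreUrl(raw) {
  if (typeof raw !== "string") return false;
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return false; // not an absolute URL (e.g. missing scheme)
  }
  // Only HTTPS counts; http:, data:, intent: and similar are rejected.
  if (url.protocol !== "https:") return false;
  // "https://play.google.com@other.host/" puts the trusted name in the
  // userinfo part; the real host is whatever follows the '@'.
  if (url.username !== "" || url.password !== "") return false;
  // A non-default port is never needed for the real store.
  if (url.port !== "") return false;
  // The parser lowercases the host and converts non-ASCII labels to punycode
  // (xn--...), so an exact comparison also rejects look-alike characters and
  // "play.google.com.<something else>" prefixes.
  return url.hostname === OFFICIAL_HOST;
}

// Constructed sample links: one genuine, the rest imitate the genuine one.
const SAMPLES = [
  "https://play.google.com/store/apps/details?id=com.android.chrome",
  "https://PLAY.GOOGLE.COM/store/apps",
  "https://play.google.com.store-update.example/store/apps/details?id=com.android.chrome",
  "https://play.google.com@downloads.example/chrome.apk",
  "https://play-google.com.example/store/apps",
  "https://pl\u0430y.google.com/store/apps", // Cyrillic "а" in place of Latin "a"
  "http://play.google.com/store/apps",
  "play.google.com/store/apps",
];

for (const link of SAMPLES) {
  console.log(isOfficialPlayStoreUrl(link) ? "OFFICIAL " : "REJECTED ", link);
}
```

Only the first two sample links pass; each of the others contains the text "play.google.com" yet resolves to a different host, scheme or form.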
Cleafy warns that “PlayPraetor represents another significant entry from Chinese-speaking threat actors into the global financial fraud landscape.” This malware, the team says, is “a dynamic and highly relevant threat to the global financial ecosystem.”