Spyware can take many forms, and in May of last year Google’s Threat Analysis Group discovered that state-sponsored hackers had disguised their malware as a VPN app and uploaded it to the Google Play Store.
The search giant’s Threat Analysis Group (TAG) tracks a wide variety of threats and state-sponsored hackers so that it can alert its users when they are targeted online. One of the most notable campaigns it has recently followed was carried out by the Iranian state-sponsored group known as APT35.
In May 2020, Google threat analysts discovered that APT35 had attempted to upload spyware to the Google Play Store by disguising its malicious payload as a VPN app designed to mimic the appearance of ExpressVPN. If installed on a user’s device, the bogus VPN app could steal sensitive information including call logs, text messages, contacts, and device location data.
Fortunately, Google detected the app quickly and removed it from the Play Store before any users had a chance to download and install it. Nonetheless, the search giant reports that APT35 has tried to distribute the same bogus VPN app on other platforms as recently as July 2021, so the Play Store takedown did not end the campaign.
According to a new blog post from Google’s Threat Analysis Group, earlier this year APT35 compromised a website affiliated with a UK university in order to host a phishing kit.
After gaining control of the site, the hackers sent emails with links to it in an attempt to harvest credentials for a number of popular email services, including Gmail, Hotmail, and Yahoo. Potential victims were tricked into “activating” an invitation to a fake webinar by logging in, and APT35’s phishing kit was also able to request the two-factor authentication (2FA) codes sent to their devices, so that a phished code could be relayed to the real service before it expired.
While this technique is also popular with ordinary cybercriminals, APT35 has been using it since 2017 to target high-value accounts across a wide variety of sectors, including government, academia, journalism, NGOs, foreign policy, and even national security.
When Google suspects a government-backed hacking group like APT35 of targeting its users, TAG sends those users a warning to let them know they have been identified as a target. At the same time, the company blocks the malicious domains using Google Safe Browsing, which is built into Chrome.
As cyber threats have increased in recent years, Google is now encouraging “high-risk” users to enroll in its Advanced Protection Program, and the company plans to distribute 10,000 security keys to such users throughout 2021. Unlike a one-time code typed into a web page, a security key’s response is bound to the origin of the site that requested it, which is what makes it resistant to the kind of credential-and-2FA phishing described above.
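The following is an added illustration, not code from Google’s post or from the APT35 kit, of why the 2FA-code relay described above works against one-time codes but not against security keys. It simulates two logins at a made-up relying party (origins `https://mail.example.test` and the lookalike `https://webinar-invite.example.test` are constructed): in the first the victim types a TOTP code into the phishing page and the kit forwards it; in the second the kit forwards a security-key challenge instead. The TOTP code is real RFC 6238 (HMAC-SHA1, 30 s step), but the security-key signature is a stand-in: an HMAC over WebAuthn-style client data rather than a public-key signature, chosen only so the example runs with the Python standard library.

```python
"""Why a phishing kit can relay a 6-digit 2FA code but not a security-key response.

Constructed, stdlib-only simulation; added example, not Google TAG's or APT35's code.
"""
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://mail.example.test"               # legitimate login page (constructed)
PHISH_ORIGIN = "https://webinar-invite.example.test"  # attacker's lookalike (constructed)


# ---------- path 1: one-time code (TOTP, RFC 6238: HMAC-SHA1, 6 digits, 30 s step) ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code depends only on the shared secret and the time; nothing ties it to a site."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def otp_login(rp_secret: bytes, password_ok: bool, code: str, unix_time: int) -> bool:
    """Relying party (RP) check for password + current OTP."""
    return password_ok and hmac.compare_digest(totp(rp_secret, unix_time), code)


def simulate_otp_relay(unix_time: int = 1_700_000_000) -> bool:
    """Victim types password and current code into the phishing page; the kit relays both
    to the real RP inside the 30 s validity window. Returns True if the RP accepts."""
    shared_secret = b"12345678901234567890"        # enrolled in RP and victim's app (constructed)
    victim_typed = {"password": "hunter2", "code": totp(shared_secret, unix_time)}
    return otp_login(shared_secret, victim_typed["password"] == "hunter2",
                     victim_typed["code"], unix_time)


# ---------- path 2: origin-bound challenge/response (FIDO2/WebAuthn shape) ----------
def authenticator_sign(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """Stand-in for a security key. The browser, not the page, fills in the origin it is
    actually on, and the key signs over challenge + origin. Real WebAuthn signs
    authenticatorData || SHA-256(clientDataJSON) with a private key; an HMAC over the
    same client data is used here only to stay stdlib-only (assumption, not the real format)."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin,
                              "type": "webauthn.get"}, sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "signature": sig}


def rp_verify(cred_key: bytes, expected_challenge: bytes, response: dict) -> bool:
    """RP checks type, origin and challenge before the signature, as WebAuthn requires."""
    cd = json.loads(response["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False
    if cd.get("challenge") != expected_challenge.hex():
        return False
    expected = hmac.new(cred_key, hashlib.sha256(response["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response["signature"])


def simulate_webauthn_relay() -> bool:
    """Same relay trick: the kit fetches a fresh challenge from the RP, hands it to the
    victim's browser on the phishing origin, and forwards the response. Returns True only
    if the RP accepts it."""
    cred_key = b"\x01" * 32                               # registered with RP (constructed)
    challenge = hashlib.sha256(b"rp-nonce-42").digest()   # fresh per login (constructed)
    response = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)  # browser is on PHISH_ORIGIN
    return rp_verify(cred_key, challenge, response)


def simulate_webauthn_legit() -> bool:
    """Control case: the same key used on the real origin is accepted."""
    cred_key = b"\x01" * 32
    challenge = hashlib.sha256(b"rp-nonce-43").digest()
    return rp_verify(cred_key, challenge, authenticator_sign(cred_key, challenge, RP_ORIGIN))


if __name__ == "__main__":
    print("OTP relay accepted by RP:         ", simulate_otp_relay())       # True
    print("Security-key relay accepted by RP:", simulate_webauthn_relay())  # False
    print("Security key on real origin:      ", simulate_webauthn_legit())  # True
```

The relayed OTP is accepted because the code carries no information about where it was typed; the relayed security-key response is rejected because the browser wrote the phishing origin into the signed client data and the relying party compares that origin before it even looks at the signature. This is the property behind the security keys in the Advanced Protection Program; it does not depend on the user noticing the lookalike domain.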