and relay a victim's location to an attacker in real time, has been downloaded between one and five million times since 2014 from the US Google Play store. Zscaler ThreatLabz found that the app claimed to give users access to the latest Android software updates, but in fact was being used to spy on a user's exact geolocation, which could have been used for any number of malicious reasons. Despite clear red flags, millions downloaded it.

"The app portrays itself as a 'System Update,'" the firm's researchers explained in a blog. "After reading the app reviews, it became clear that several users were misled by the app, thinking that it would provide them with the latest Android release. Many users were unhappy with the app and conveyed their concerns."

In addition to the negative reviews, there were other indicators that raised suspicions: the Google Play Store page for this particular app showed blank screenshots, which is not common, and there was no proper description for the app. It also didn't mention that it would track the victim, nor that it would send location information to a third party. It said only, "This application updates and enables special location features."

"There are many spyware variations present on the Google Play store, such as Cell Tracker, but the legitimate apps are explicit in their intentions, and have specific purposes for tracking a user's device," Zscaler researchers noted.

As soon as the user tries to start up the app, it abruptly quits and hides itself from the main screen. From there, it sets up an Android service and broadcast receiver to fetch the user's last known location and store it in Shared Preferences. An attacker could also set a location alert for when the victim's battery is running low. Interestingly, the code is a carbon copy of the location-stealing code in DroidJack, the remote access trojan.
"There are many apps on the Google Play Store that act as spyware; for example, those that spy on the SMS messages of one's spouse or fetch the location of children for concerned parents," researchers said. "But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report. It portrayed itself as a system update, misleading users into thinking they were downloading an Android System Update." Google has removed the app from the store since Zscaler reported it to the Google security team.
Researchers said good social engineering and users' trust in the convenience afforded by the OAuth mechanism guaranteed Wednesday's Google Docs phishing attacks would spread quickly. Google said that up to 1 million Gmail users were victimized by yesterday's Google Docs phishing scam, which spread quickly for a short period of time. In a statement, Google said that fewer than 0.1 percent of Gmail users were affected; as of last February, Google said it had one billion active Gmail users.

Google took measures to protect its users by disabling offending accounts and removing phony pages and malicious applications involved in the attacks. Other security measures were pushed out in updates to Gmail, Safe Browsing and other in-house systems. "We were able to stop the campaign within approximately one hour," a Google spokesperson said in a statement. "While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There's no further action users need to take regarding this event."

The messages were a convincing mix of social engineering and abuse of users' trust in the convenience of mechanisms that share account access with third parties. Many of the phishing messages came from contacts known to the victims, since part of the attack includes gaining access to contact lists. The messages claimed that someone wanted to share a Google Doc with the victim, and once the "Open in Docs" button in the email is clicked, the victim is redirected to a legitimate Google OAuth consent screen where the attacker's application, called "Google Docs", asks for access to the victim's Gmail and contacts through Google's OAuth2 service implementation.
While the ruse was convincing in its simplicity, there were a number of red flags, including the fact that a Google service was asking for access to Gmail, and that the "To" address field was an odd Mailinator account. Google also quickly updated Safe Browsing and Gmail with warnings about the phishing emails and attempts to steal personal information. The phishing emails spread quickly on Wednesday and likely started with journalists and public relations professionals, each of whom is likely to have lengthy contact lists, ensuring the messages would continue to spread in an old-school worm-like fashion.

OAuth's open nature allows anyone to develop similar apps. The nature of the standard and the interaction involved makes it difficult to safely ask for permission without giving users a lot of information to validate whether an app is malicious, said Duo's Sokley. "There are many pitfalls in implementing OAuth 2.0, for example cross-site request forgery (XSRF) protection. Imagine if the user doesn't have to click on the approve button, but the exploit would have done this for you," said SANS' Ullrich. "OAuth 2.0 also inherits all the security issues that come with running anything in a web browser. A user may have multiple windows open at a time, the URL bar isn't always very visible and browsers give applications a lot of leeway in styling the user interface to confuse the user."
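The XSRF pitfall Ullrich refers to is the client side of the OAuth 2.0 authorization-code flow accepting a callback it never initiated. The standard's defence is the `state` parameter: an unguessable value minted when the flow starts, bound to the user's session, and required to match on the callback. The following is an added example written for this page, not code from Google, Duo, SANS or any project named here; the endpoint URL, client id, redirect URI and the in-memory `Session` class are constructed placeholders. It shows a legitimate round trip succeeding, and a callback with no state, a callback with a mismatched state, and a replay of an already-consumed state all being refused.

```python
"""OAuth 2.0 authorization-code client with CSRF ('state') protection.

Added example, not code from the page or any vendor mentioned there.
Endpoint, client id, redirect URI and the Session class are placeholders
constructed for illustration.
"""
from __future__ import annotations

import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://authz.example/oauth2/authorize"  # placeholder
CLIENT_ID = "example-client-id"                             # placeholder
REDIRECT_URI = "https://client.example/callback"            # placeholder


class Session(dict):
    """Stand-in for a server-side, cookie-bound session store."""


def build_authorization_url(session: Session, scopes: list[str]) -> str:
    """Start the flow: mint an unguessable state, bind it to the session,
    and send the user to the consent screen carrying it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: Session, callback_url: str) -> str:
    """Finish the flow. Returns the authorization code, or raises
    PermissionError if the callback is not bound to this session.
    Refusing here is what stops a forged or replayed callback from
    completing an authorization the user never started."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: always consumed
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise PermissionError("no pending authorization or state missing")
    # Constant-time comparison so timing does not leak the expected value.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: possible CSRF")
    if "error" in query:
        raise PermissionError(f"authorization server error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise PermissionError("no authorization code in callback")
    return code


def demo() -> tuple[str, list[str]]:
    """Run one legitimate round trip and three bad callbacks; return the
    code obtained legitimately plus the reasons the bad ones were refused."""
    session = Session()
    url = build_authorization_url(session, ["email"])
    state = parse_qs(urlparse(url).query)["state"][0]

    rejected = []
    # 1. Callback with no state at all (a link the user never initiated).
    try:
        handle_callback(Session(), f"{REDIRECT_URI}?code=forged")
    except PermissionError as e:
        rejected.append(str(e))
    # 2. Callback whose state does not match the one bound to the session.
    try:
        handle_callback(Session({"oauth_state": "other"}),
                        f"{REDIRECT_URI}?code=forged&state=wrong")
    except PermissionError as e:
        rejected.append(str(e))
    # 3. The legitimate callback succeeds ...
    code = handle_callback(session, f"{REDIRECT_URI}?code=good-code&state={state}")
    # 4. ... and replaying it is refused because the state was consumed.
    try:
        handle_callback(session, f"{REDIRECT_URI}?code=good-code&state={state}")
    except PermissionError as e:
        rejected.append(str(e))
    return code, rejected


if __name__ == "__main__":
    print(demo())
```

The state is popped from the session before it is compared, so it can be used exactly once whatever the outcome; that single-use property is what turns a correctly guessed or leaked state into a one-shot rather than a standing hole.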
Social media phishing attacks jumped by a massive 500% in Q4, driven by a huge increase in fraudulent accounts, including many posing as customer support for big-name brands, according to Proofpoint. The security vendor revealed the findings in its Q4 2016 Threat Summary and Year in Review report. It claimed fraudulent accounts across sites like Twitter and Facebook increased 100% from the third to the fourth quarter. Such accounts are used for phishing, malware distribution, spam and other ends. In fact, Proofpoint observed a 20% increase in Facebook and Twitter spam from Q3 to Q4, with the quarter recording the second-highest spam volume in the year.

Yet it was a particular variety of phishing that caught the eye. So-called "angler phishing" is a relatively new tactic in which the black hats register fake Twitter accounts that masquerade as customer support accounts. They monitor the real support accounts for irate customer messages and then quickly jump in to send messages back to those users loaded with malicious links. The tactic was particularly common among financial services and entertainment accounts, according to the report.

Elsewhere, the number of new ransomware variants grew 30-fold over Q4, and malicious email campaigns grew significantly, with Q4's largest campaign 6.7 times the size of Q3's. Some of the biggest campaigns apparently involved hundreds of millions of messages dropping Locky ransomware. However, there was some good news, with scams involving the spoofing of CEO emails sent to CFOs falling 28% in the final quarter. This is partly because CFOs are more cautious about the veracity of such messages, but can also be linked to a 33% surge in DMARC implementation, which helped to block attempts to spoof the CEO's email address.
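DMARC blocks CEO spoofing because it ties the visible From: domain to an authenticated identity: the message passes only if SPF or DKIM passes for a domain that is aligned with the From: domain, and otherwise the domain owner's published policy (`p=none`, `quarantine` or `reject`) decides what the receiver does. The following added example, which is not Proofpoint's code or from any project named on this page, evaluates that rule for a receiver that has already computed SPF and DKIM results. The record text and message results are constructed, and the organizational-domain lookup is simplified to "last two labels" rather than the Public Suffix List lookup a real receiver must use; the `pct` sampling tag is ignored.

```python
"""Minimal DMARC policy evaluation for an inbound message (added example).

Not vendor code. Assumes SPF and DKIM have already been evaluated; uses a
simplified organizational-domain rule (last two labels) and ignores pct=.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (not PSL-aware)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str | None, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str           # domain of the RFC5322.From header the user sees
    spf_result: str            # "pass", "fail", "none", ...
    spf_domain: str | None     # MAIL FROM domain SPF was checked against
    dkim_result: str
    dkim_domain: str | None    # d= of the signature that verified


def evaluate_dmarc(record_txt: str, r: AuthResults) -> tuple[bool, str]:
    """Return (dmarc_pass, disposition). Disposition is 'none' on pass and
    the owner's p= policy on failure."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")


# Constructed scenarios: a company that publishes p=reject for example.com.
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"

# Spoofed "CEO" mail: From: ceo@example.com, but the sending server's MAIL FROM
# is the attacker's domain, so SPF passes for an unaligned domain; no DKIM.
SPOOFED = AuthResults("example.com", "pass", "attacker.example", "none", None)

# Legitimate mail relayed via mail.example.com with a DKIM signature d=example.com.
LEGIT = AuthResults("example.com", "pass", "mail.example.com", "pass", "example.com")


def demo() -> dict[str, tuple[bool, str]]:
    """Evaluate both constructed messages against the published record."""
    return {"spoofed": evaluate_dmarc(RECORD, SPOOFED), "legit": evaluate_dmarc(RECORD, LEGIT)}


if __name__ == "__main__":
    print(demo())
```

The spoofed message "passes" SPF, which is why SPF alone never stopped this kind of fraud: the pass is for the attacker's own bounce domain, not for the CEO's. DMARC's alignment check is what connects the authenticated domain back to the From: header the CFO actually reads, and the reject policy is what makes the receiver act on the mismatch.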
In addition, exploit kits remained at low levels of activity after some high-profile Angler EK arrests in Q2, although large-scale malvertising campaigns persisted, Proofpoint claimed.