
Fake Google reCAPTCHA used to hide Android banking malware


A new phishing campaign targeting online banking users has been found that impersonates Google in order to steal credentials.

Researchers at Sucuri reported that the attack, aimed at a Polish bank and its customers, imitates Google's reCAPTCHA and uses panic-inducing wording to make victims click malicious links embedded in scam emails.

The scam emails contain a fake confirmation for a recent transaction, together with a link to a malicious .PHP file. The messages sent to the targeted victims ask them to verify the non-existent transactions by clicking on the link.

If a victim does not realise that the message is fake and clicks the link, they are not sent to the usual fake replica of the bank's site; instead, the PHP file first serves a fake 404 error page.

The page checks the request against a list of specifically defined user-agents limited to Google crawlers. If the request does not come from a Google crawler, or comes from another search engine, the PHP script instead loads a fake Google reCAPTCHA built from JavaScript and static HTML.

The replica closely resembles the real reCAPTCHA, but because it is built from static elements the challenge images are always the same unless the malicious PHP file's code is changed. It also does not support audio playback, unlike the genuine Google CAPTCHA.

The user-agent is then checked again to determine what kind of device the victim used to reach the page. A .zip dropper is served, alongside a malicious .APK reserved for Android users who complete the CAPTCHA and download the payload.
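The two behaviours described above, a PHP page that answers Google crawlers differently from real browsers and then hands Android visitors an archive or APK, leave a recognisable trace in ordinary web-server logs. The following is an added example written for this article (not Sucuri's analysis code or anything from the campaign) showing how a defender could flag that pattern; the log lines, IP addresses, hostname and paths are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; only path, status, referer and user-agent are used.
LOG_RE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CRAWLER_UA = re.compile(r"Googlebot", re.I)
ANDROID_UA = re.compile(r"\bAndroid\b")
PAYLOAD_EXT = (".apk", ".zip")

# Constructed sample log lines: IPs, host and paths are placeholders, not real indicators.
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
ANDROID = "Mozilla/5.0 (Linux; Android 8.0; SM-G950F) AppleWebKit/537.36 Mobile Safari/537.36"
DESKTOP = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0"
SAMPLE_LOGS = [
    f'198.51.100.7 - - [10/Feb/2019:10:01:02 +0000] "GET /confirm.php HTTP/1.1" 404 512 "-" "{GOOGLEBOT}"',
    f'203.0.113.5 - - [10/Feb/2019:10:02:10 +0000] "GET /confirm.php HTTP/1.1" 200 4096 "-" "{ANDROID}"',
    f'203.0.113.5 - - [10/Feb/2019:10:02:45 +0000] "GET /files/update.apk HTTP/1.1" 200 2097152 '
    f'"http://bank-example.test/confirm.php" "{ANDROID}"',
    f'203.0.113.9 - - [10/Feb/2019:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "{GOOGLEBOT}"',
    f'203.0.113.9 - - [10/Feb/2019:10:03:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "{DESKTOP}"',
]

def records(lines):
    """Yield parsed log records, skipping lines that do not match the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_cloaked_paths(lines):
    """Paths whose status codes for crawler and non-crawler clients never overlap
    (e.g. 404 for Googlebot, 200 for everyone else) are cloaking candidates."""
    by_path = defaultdict(lambda: {"crawler": set(), "other": set()})
    for r in records(lines):
        kind = "crawler" if CRAWLER_UA.search(r["ua"]) else "other"
        by_path[r["path"].split("?")[0]][kind].add(r["status"])
    return sorted(p for p, s in by_path.items()
                  if s["crawler"] and s["other"] and s["crawler"].isdisjoint(s["other"]))

def find_payload_downloads(lines, cloaked):
    """(path, client class) for .apk/.zip downloads whose referer is a cloaked page."""
    return [(r["path"], "android" if ANDROID_UA.search(r["ua"]) else "other")
            for r in records(lines)
            if r["path"].lower().endswith(PAYLOAD_EXT)
            and urlsplit(r["referer"]).path in cloaked]
```

Running `find_payload_downloads(SAMPLE_LOGS, find_cloaked_paths(SAMPLE_LOGS))` on the sample lines returns the single APK download referred from `/confirm.php` by an Android client, while the ordinary `/index.html` page, served identically to Googlebot and Firefox, is not flagged.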

The malware is commonly seen in the wild in its Android form; it can read a mobile device's state, location and contacts, scan and send SMS messages, make phone calls, record audio, and steal other sensitive information.

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
