
Grinch-like app sneaks onto users’ phones disguised as Santa to steal data

An advanced persistent threat (APT) group posing as a Santa Claus app and other Christmas apps has been discovered stealing user information.


An APT group dubbed ‘Santa-APT’ has been hiding information-stealing malware inside Christmas-themed mobile apps such as ‘Play with Santa’, security researchers have found.

Researchers at security firm CloudSek said they have been monitoring the same group’s desktop malware campaigns for several months but recently spotted a festive campaign surfacing.

The desktop malware used by the group is specifically designed to jump air gaps, meaning that it can operate on systems without internet access.

It is capable of snatching both files and screenshots from systems and sending them back to command and control (C&C) servers based in Germany, but the type of documents it was gathering led CloudSek to believe that it was “collecting classified data from software companies and government organisations”.

CloudSek traced the group responsible to South Asia and found that the company claims on its website to offer “software development consultation” as well as spyware to track employee activity.

Researchers believe that the Santa-APT group is recruiting for mobile app developers, with many of the developers in the group thought to have mobile application backgrounds.

The Santa-APT mobile malware frequently masqueraded as games and utilities in the past, but more recently the attackers have begun pushing malware that poses as Santa-themed games.

The Trojan smuggled in with the game apps is capable of stealing contacts, SMS messages, call records, location information, calendars, photos and browser history from users’ phones and sending it back to the C&C servers.

Despite needing user permissions to access the information in the first place, CloudSek says that Santa-APT has already infected almost 8,000 devices.

Because of the discovery of unused folders for keylogs and voice recordings, CloudSek CTO Rahul Sasi believes that “it is possible the Trojan is still under development”.

However, he warned users to be wary about the apps they choose to install.

“This Christmas make sure you think about security before installing an app,” wrote Sasi on the CloudSek blog.

“Verify the permissions you are granting an application before accepting them. Ensure that an application has enough legitimate reviews.

“And last but not the least, do not let someone else install any application on your official/personal devices.”
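The permission check Sasi recommends can be applied to an app's manifest before installation. The example below is added here and is not CloudSek's code; it maps the data categories the article says the Trojan steals to the Android permissions that guard them (the mapping is standard Android, browser history is omitted because no current runtime permission covers it) and flags a constructed manifest for a game that asks for all of them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Data the article says the Trojan exfiltrates, mapped to the Android
# permission(s) an app must request in its manifest to read that data.
SENSITIVE = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "SMS messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call records": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "calendar": {"android.permission.READ_CALENDAR"},
    "photos": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Collect every <uses-permission android:name=...> declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict[str, list[str]]:
    """Return the sensitive data categories the manifest unlocks, with the permissions
    responsible, so a reviewer can ask why a game needs each one."""
    perms = requested_permissions(manifest_xml)
    return {cat: sorted(perms & needed) for cat, needed in SENSITIVE.items() if perms & needed}


# Constructed sample manifest (not a real app): a Christmas game requesting
# far more than a game plausibly needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.playwithsanta">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Play with Santa"/>
</manifest>"""

if __name__ == "__main__":
    for category, perms in triage(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(perms)}")
```

An empty result means none of the article's data categories are reachable; a game whose triage lists every category is the profile described above and warrants a closer look before installing.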


Photo © Kevin Dooley (CC BY 2.0). Cropped.

