Ramnit banking Trojan spreads as alternative to Facebook Messenger

Google pays close attention to cyber security in order to provide customers with safe and reliable apps. Unfortunately, one of the latest issues involves a highly dangerous Trojan horse that spread as a fake Android application. Delivery of the malware began when users downloaded an alternative to the original Facebook Messenger named Messenger Super Lite Free. The counterfeit Facebook application advertised a clean design, a small app size, and good performance on 2G networks; apart from being free of charge, no other significant features were listed in the program's description. Soon after detecting the Ramnit Trojan, Google removed the app from the platform, but it is worth digging a bit deeper, as this Trojan can still harm Android and Windows PC users alike.

The Ramnit Trojan is a threat whose goal is to record user input and send it to a command and control (C&C) server, which is likely to result in identity theft. The Trojan first emerged in 2010 and was later built for Android devices as well. Since its debut in 2010, its developers have relaunched it several times, releasing the latest PC version in 2016. At that time, the Ramnit Trojan targeted six major banks in the United Kingdom using two new live attack servers and one C&C server. The new version was driven by the Hooker module, also known as the Spy Module, which monitors URL access, enables data theft in real time, and displays web injections to the victim. Another module, DriveScan, remained unchanged; it lets the Trojan search the drive for files whose names contain keywords such as "wallet" and "passwords." Analysis showed that the Trojan had been prepared for real-time fraud attacks. It is worth mentioning, though, that not all online banking fraud happens in real time: banking Trojans gather information first, and the attackers can later take over the account from a different device.

The Ramnit Trojan is a dangerous threat because its presence on a PC means that a person's sensitive information is at risk; the Ramnit malware is, above all, a data-stealing threat. Monitoring browsing activity may not sound serious, but in the case of the Ramnit Trojan it means that the remote attackers can learn which websites are visited frequently, capture login details, and collect other personal information such as bank account and credit card numbers, usernames and, most important, passwords. Such Trojans are usually programmed to hook all popular browsers, including Chrome, Firefox, and Internet Explorer, and Microsoft's newer browser, Edge, has also been targeted by the attackers so that they can extract more value from their malicious product.

Once the Windows component reaches a PC (the report describes this happening when an infected Android device is connected to a computer), the Trojan copies its files to several common locations, including "Program Files," "AppData," "WinDir," "Temp," and "CommonProgramFiles." Like other highly dangerous infections, the Ramnit Trojan creates a persistence entry under the HKEY_LOCAL_MACHINE registry hive and runs its code inside the svchost.exe system process. Moreover, it inserts its malicious code into existing .exe and .dll files, so a cleanup that only deletes the dropped components is not enough: the infected host files have to be disinfected or replaced as well, or they will reintroduce the malware.

Removing the Ramnit Trojan promptly is crucial because of the potential consequences: all the gathered data can be used to steal money or open credit card accounts, and the stolen credentials can be sold on to third parties. Malware researchers always emphasize that Internet users should be aware of the danger. It is important to avoid questionable websites, ignore emails from unknown senders, download software only from reliable sources, and keep the operating system protected by a high-quality malware prevention program.

As for downloads from reliable sources, Google's experience shows that even the most popular ones can come under pressure. The fake alternative to Facebook Messenger is not the only case that has slipped through Google's security. In March 2017, security researchers found 132 Android applications on the Google Play Store that carried malware designed for Windows. It is believed that the developers who uploaded the applications were unaware that their apps had been infected. One of the compromised programs attempted to drop a Base64-encoded Windows executable onto the user's phone; it is worth noting that Android cannot run EXE files, so the payload was inert on the device itself. The file was designed to alter the network hosts file and change firewall settings. No widespread harm was done, as the infected programs are known to have been installed on approximately 10,000 devices, and all of them have since been removed from the Google Play Store.
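Two details above invite a concrete check: a Base64-encoded Windows executable hidden in an Android app's resources, and a PC-side component that writes itself into existing .exe and .dll files. The script below is an added example, not code from the original page or from any of the researchers it cites. It carves Base64 runs that decode to a PE image out of a text blob (a stand-in for strings dumped from an APK's assets) and then applies a generic file-infector heuristic to each image: an entry point redirected into a final section that is both writable and executable. The sample asset text, the section names and the minimal PE builder are constructed here for illustration; the heuristic is a general infector indicator, not a Ramnit-specific signature.

```python
"""Carve Base64-encoded PE files out of text and flag a file-infector layout.

Added example, not code from the original page. The sample "asset" text,
the section names and the header-only PE images are constructed here.
"""
import base64
import re
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Base64 of the "MZ" stub is always "TV" followed by one of "o"-"r" (the third
# character also carries the top two bits of the byte after "MZ").
B64_PE_RE = re.compile(r"TV[o-r][A-Za-z0-9+/]{60,}={0,2}")


def parse_pe(blob):
    """Return machine, entry point RVA and section table, or raise ValueError."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", blob, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):  # section headers are 40 bytes each
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return {"machine": machine, "entry": entry, "sections": sections}


def infector_heuristic(pe):
    """Return (reason or None, name of the section owning the entry point)."""
    sections, entry, owner = pe["sections"], pe["entry"], None
    for idx, (_, va, vsize, _) in enumerate(sections):
        if va <= entry < va + vsize:
            owner = idx
    if owner is None:
        return "entry point outside all sections", None
    name, _, _, chars = sections[owner]
    rwx = (chars & IMAGE_SCN_MEM_WRITE) and (chars & IMAGE_SCN_MEM_EXECUTE)
    if owner == len(sections) - 1 and len(sections) > 1 and rwx:
        return "entry point in last section, which is writable and executable", name
    return None, name


def carve_base64_pe(text):
    """Yield (offset, decoded bytes, parsed header) for each embedded PE."""
    for m in B64_PE_RE.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
            pe = parse_pe(blob)
        except (ValueError, struct.error):
            continue  # Base64-looking run that is not a PE image
        yield m.start(), blob, pe


def scan_text(text):
    reports = []
    for offset, blob, pe in carve_base64_pe(text):
        reason, entry_section = infector_heuristic(pe)
        reports.append({"offset": offset, "size": len(blob), "machine": pe["machine"],
                        "entry_section": entry_section,
                        "suspicious": reason is not None, "reason": reason})
    return reports


def build_pe(sections, entry_rva):
    """Build a header-only PE32 image for testing (constructed, not a real binary).
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
CLEAN = build_pe([(b".text", 0x1000, 0x2000, CODE),
                  (b".data", 0x3000, 0x1000, IMAGE_SCN_MEM_WRITE)], entry_rva=0x1200)
INFECTED = build_pe([(b".text", 0x1000, 0x2000, CODE),
                     (b".data", 0x3000, 0x1000, IMAGE_SCN_MEM_WRITE),
                     (b".extra", 0x4000, 0x800, CODE | IMAGE_SCN_MEM_WRITE)], entry_rva=0x4010)
DECOY = b"MZ" + b"A" * 100  # MZ stub but no PE header: must be rejected

# Constructed stand-in for strings pulled out of an APK's assets.
SAMPLE_ASSET_TEXT = "\n".join([
    "config_version=3",
    "payload_a=" + base64.b64encode(CLEAN).decode(),
    "junk=" + base64.b64encode(DECOY).decode(),
    "payload_b=" + base64.b64encode(INFECTED).decode(),
])

if __name__ == "__main__":
    for r in scan_text(SAMPLE_ASSET_TEXT):
        print(r)
```

On a real APK you would feed the script the output of `unzip -p app.apk assets/*` or the decoded string resources; anything it reports, suspicious or not, is already a finding, since a legitimate Android app has no reason to ship a Windows executable.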

Overall, ratings do not show whether a program is genuinely trustworthy, as attackers can rig them. It is worth reading in-depth reviews, checking the developer account behind the listing, and looking at the permissions an application requests before installing it, to gauge its worth and prevent undesirable consequences.