A new malware sample was detected outside of the Play Store, on sites that people land on after receiving smishing (SMS phishing) messages. Researchers at IBM Trusteer found that the HTTPS sites involved notify potential victims that their Android version is out of date and offer an APK that supposedly upgrades them to the latest version.
As explained in detail by BleepingComputer, the trojan is installed on the device if the user allows ‘downloads from unknown sources’, and it then requests access to the ‘Accessibility Service’.
This single permission is abused to capture screenshots and keystrokes without requesting any other permission that might raise suspicion.
BrazKing relies on the accessibility service for most of its malicious functionality: keylogging, RAT capabilities, and access to SMS messages and the contact list.
BrazKing no longer calls the ‘getInstalledPackages’ API to learn which applications are installed on the infected device; instead, it uses its screen dissection capability to read what is shown on screen.
BrazKing now performs its overlay attacks without the ‘System Alert Window’ permission, so it cannot draw a fake screen on top of the legitimate app the way other trojans do.
Instead, it loads the bogus screen in a WebView window opened from within the accessibility service.
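A defensive check that an Android banking app can run against the accessibility abuse described above, written as an added example and not code from the BrazKing analysis or any product: it lists enabled accessibility services that can read window contents but are not on an allowlist, and sets FLAG_SECURE so the app's screens cannot be captured. The class name and the allowlisted TalkBack package are assumptions for illustration.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class AccessibilityAudit {

    // Hypothetical allowlist of known assistive-technology packages; a real app would
    // maintain this centrally. TalkBack's package name is given here as an example.
    private static final Set<String> TRUSTED_SERVICES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"));

    /** Returns ids (package/class) of enabled services that can read window content
     *  and are not allowlisted. Requires API 18+ for getCapabilities(). */
    public static List<String> untrustedContentReaders(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> flagged = new ArrayList<>();
        if (am == null) return flagged;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            // A service with this capability sees the same view hierarchy a keylogger would.
            boolean readsContent = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (readsContent && !TRUSTED_SERVICES.contains(pkg)) {
                flagged.add(info.getId());
            }
        }
        return flagged;
    }

    /** Blocks screenshots and screen recording of this activity's window.
     *  Note: FLAG_SECURE does not stop an accessibility service from reading view text. */
    public static void hardenWindow(Activity activity) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }
}
```

Because legitimate screen readers also hold the window-content capability, a non-empty result is a risk signal to surface to the user (for example by pointing them to the Accessibility settings before credential entry) rather than grounds for blocking the app outright.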