MasterFred Malware Description
Infosec researchers have detected a new Android malware threat named MasterFred. Like a typical banking Trojan, it uses fake login overlays to harvest the victims' credit card and banking details. To trick targets into entering the information themselves, MasterFred's overlays mimic the login screens of popular banking, streaming and social applications such as Netflix, Twitter and Instagram. The campaign spans multiple regions, with victims identified in Turkey and Poland.
At least one of the weaponized applications carrying MasterFred was temporarily available for download on the official Google Play Store. The rest are most likely spread through third-party app platforms.
The applications delivering MasterFred come bundled with the HTML overlay screens they need, including the fake login forms presented to the victim, which capture everything entered into them. The core of MasterFred's behavior, however, is the abuse of the built-in Android Accessibility Service. In the fashion typical of this malware family, MasterFred misuses this otherwise legitimate feature to display its overlays on top of the targeted apps. Other nefarious uses of the Accessibility Service include simulating screen taps to navigate the Android UI and, in the background, open malicious links, deliver additional payloads or perform other actions. MasterFred transmits all collected information to the attackers' Command-and-Control (C2, C&C) servers, which are hosted on the Tor network.
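The traits described above (an Accessibility Service binding, overlay capability, bundled brand-themed HTML login pages, and .onion C2 hosts) are exactly what an analyst looks for when triaging a suspect APK. The following Python script is an added example written for this page; it is not MasterFred's code or any vendor's detection signature. It assumes the APK has already been decoded with apktool, so that AndroidManifest.xml is plain XML, and that strings and asset paths have been extracted from the DEX and assets/ directory. The manifest, strings and asset paths embedded below are constructed for the demonstration, and the .onion address is a made-up, correctly shaped hostname, not a real C2.

```python
import re
import xml.etree.ElementTree as ET

# Attribute namespace used for android:* attributes in AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (NOT the real MasterFred manifest): requests the
# overlay permission and declares a service bound to the Accessibility API.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Fake App">
        <service android:name=".OverlayAccessibilityService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed strings (as from `strings classes.dex`) and decoded asset paths.
# The .onion host is a made-up, correctly shaped v3 address, not a real C2.
SAMPLE_STRINGS = [
    "http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion/gate.php",
    "file:///android_asset/overlays/netflix_login.html",
    "Loading...",
]
SAMPLE_ASSETS = [
    "assets/overlays/netflix_login.html",
    "assets/overlays/instagram_login.html",
    "assets/fonts/roboto.ttf",
]


def _android_attr(elem, name):
    """Read an android:<name> attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_accessibility_services(manifest_xml):
    """Names of services bound to the Accessibility Service API.

    A banking trojan needs this binding to read the screen, draw overlays and
    inject taps; legitimate accessibility apps declare it too, so treat it as
    a triage signal rather than proof of malice.
    """
    root = ET.fromstring(manifest_xml)
    names = []
    for service in root.iter("service"):
        binds = _android_attr(service, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        has_filter = any(
            _android_attr(a, "name") == "android.accessibilityservice.AccessibilityService"
            for a in service.iter("action")
        )
        if binds or has_filter:
            names.append(_android_attr(service, "name"))
    return names


def requested_permissions(manifest_xml):
    """Set of permissions declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {_android_attr(p, "name") for p in root.iter("uses-permission")}


# Tor hidden-service hostnames: v3 (56 chars) or v2 (16 chars), base32 alphabet
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b")


def find_onion_hosts(strings):
    """Extract .onion hostnames, i.e. C2 endpoints hosted on the Tor network."""
    hosts = set()
    for s in strings:
        hosts.update(ONION_RE.findall(s.lower()))
    return sorted(hosts)


# Hypothetical brand/keyword hints for bundled overlay pages (extend as needed)
BRAND_HINTS = ("netflix", "twitter", "instagram", "bank", "login")


def find_html_overlays(asset_paths):
    """Bundled HTML files whose names suggest brand-themed login pages."""
    hits = [p for p in asset_paths
            if p.lower().endswith((".html", ".htm"))
            and any(h in p.lower() for h in BRAND_HINTS)]
    return sorted(hits)


def triage(manifest_xml, strings, asset_paths):
    """Combine the signals into a verdict plus the evidence behind it."""
    findings = {
        "accessibility_services": find_accessibility_services(manifest_xml),
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in requested_permissions(manifest_xml),
        "html_overlays": find_html_overlays(asset_paths),
        "onion_hosts": find_onion_hosts(strings),
    }
    # An Accessibility Service can draw TYPE_ACCESSIBILITY_OVERLAY windows without
    # SYSTEM_ALERT_WINDOW, so bundled login HTML alone also counts as overlay capability.
    overlay_capable = findings["overlay_permission"] or bool(findings["html_overlays"])
    findings["suspicious"] = bool(findings["accessibility_services"]) and overlay_capable
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS, SAMPLE_ASSETS), indent=2))
```

Run it against a decoded APK by replacing the constructed inputs with the real manifest text, the output of `strings` on the DEX files, and a listing of assets/. The verdict requires both the Accessibility binding and an overlay capability, because either alone is common in legitimate apps; a .onion host is reported as supporting evidence rather than a hard requirement, since the C2 address may be obfuscated or fetched at runtime.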