Oscorp Malware

Oscorp Malware Description

A new Android malware named the Oscop was detected by the Italian security firm AddressIntel. The threat relies on users granting it access to the Android Accessibility Service under the pretense of it being for 'Personal protection.' If, at first, the user declines the prompt, the Oscop will continue to reopen the Settings menu every 8 seconds until it receives the requested permissions. If it is fully deployed, the threat can carry out a wide range of threatening functions, including establishing a keylogging routine, uninstalling other applications, making calls and sending SMS, collecting cryptocurrency, and harvesting PINs for Google's 2FA (2-factor authentication). The Oscop also attempts to obtain user credentials for various applications by deploying a specially crafted phishing page for each different application that asks for usernames and passwords.

The threat is being distributed as a file named 'Client assistance.apk.' The researchers also managed to locate the domain responsible for hosting the threat. It is called 'supportoapp.com.' Communication with the Command-and-Control (C2, C&C) infrastructure for the Oscop campaign is achieved through HTTP POST requests.

Users should remember always to exercise caution when installing new applications, especially if the source is a dubious third-party platform and not one of the official application stores. Even for legitimate applications, it is worth paying attention to the different permissions they demand to receive, as many exhibits a significant overreach, asking for access to features not related to their core functionality directly.