Hackers Mimic Google Chrome Install Page on Google Play to Deploy Android Malware

Security researchers have uncovered a sophisticated malware campaign targeting Android users through fake Google Chrome installation pages. Cybercriminals have created deceptive websites hosted on newly registered domains that closely mimic the Google Chrome install page on the Google Play Store. These fraudulent sites serve as delivery mechanisms for SpyNote, a powerful Android remote access trojan […] The post Hackers Mimic Google Chrome Install Page on Google Play to Deploy Android Malware appeared first on Cyber Security News.

Apr 14, 2025 - 08:20

Hackers Mimic Google Chrome Install Page on Google Play to Deploy Android Malware

Security researchers have uncovered a sophisticated malware campaign targeting Android users through fake Google Chrome installation pages.

Cybercriminals have created deceptive websites hosted on newly registered domains that closely mimic the Google Chrome install page on the Google Play Store.

These fraudulent sites serve as delivery mechanisms for SpyNote, a powerful Android remote access trojan (RAT) capable of comprehensive surveillance, data theft, and complete remote control of infected devices.

The visual similarity to legitimate Google Play pages creates a convincing illusion that tricks unsuspecting users into installing malicious applications, believing they are downloading authentic software from Google’s official app store.

The malware in question, known as SpyNote, represents a significant threat to mobile security due to its extensive capabilities.

Once installed, SpyNote gains access to sensitive information including SMS messages, contacts, call logs, location data, and stored files.

More alarmingly, the malware can activate device cameras and microphones, manipulate calls, execute arbitrary commands, and implement robust keylogging functionality targeting application credentials.

SpyNote has been linked to sophisticated APT groups including OilRig (APT34), APT-C-37 (Pat-Bear), and OilAlpha, demonstrating its versatility for both targeted espionage and broader cybercriminal activities.

DomainTools researchers identified common patterns in the attack infrastructure, noting that many of the malicious domains were registered through NameSilo, LLC or XinNet Technology Corporation.

Their analysis revealed consistent hosting patterns with IP addresses primarily associated with Lightnode Limited and Vultr Holdings LLC.

The websites themselves share remarkably similar structures, with minimal variations in malware configurations and command and control infrastructure.

Interestingly, the threat actors utilize a mix of English and Chinese language in delivery sites and include Chinese-language comments within both the website code and the malware itself, potentially suggesting a China nexus.

The campaign poses a particular threat to organizations with bring-your-own-device policies or those with employees who might inadvertently install the malware on personal devices that later connect to corporate networks.

Given SpyNote’s persistence mechanisms, which often require a factory reset for complete removal, infected devices represent a significant security liability.

The malware’s ability to capture authentication credentials and intercept two-factor authentication codes through Accessibility Services makes it an effective tool for account takeovers and further network penetration.

Inside the Infection Mechanism

The deceptive websites employ several sophisticated techniques to create a convincing facade.

They include image carousels displaying screenshots of mimicked Google Play app pages, loaded from suspicious domains like “bafanglaicai888[.]top” that are likely controlled by the same threat actors.

Fake App Installation on Google Play Store (Source – Domain Tools)

These visual elements are designed to enhance the illusion of legitimacy and reduce victim suspicion.

When users interact with the fake Play Store interface, they unwittingly trigger a JavaScript function named “download()” that initiates the retrieval of a malicious .apk file from a hardcoded URL.

The JavaScript code, while simple, effectively executes the download through an invisible iframe:-

function download(url){
    var src = url;
    var iframe = document.createElement('iframe');
    iframe.style.display = 'none';
    iframe.src = "javascript: 'location.href=\"" + src + "\"'";
    document.getElementsByTagName('body')[0].appendChild(iframe);
}

The downloaded file initiates a two-stage installation process. The initial .apk serves as a dropper that installs a second embedded .apk containing the core SpyNote malware functionality.

The malware implements its command and control infrastructure through a base.dex file within the assets folder, which contains connection parameters for remote communications.

The C2 domains consistently use port 8282 for communication, with some variants hardcoding the IP address “66.42.63.74” directly in the code.

The infection chain culminates with the malware aggressively requesting numerous intrusive permissions, gaining extensive control over the compromised device and establishing persistent communication with attacker-controlled servers.

The sophistication of this campaign highlights the evolving threat landscape for mobile devices and emphasizes the need for caution when downloading applications, even when websites appear to represent legitimate sources.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!

Also Read:

Microsoft Issues Urgent Patch to Resolve Office Update Crashes

The post Hackers Mimic Google Chrome Install Page on Google Play to Deploy Android Malware appeared first on Cyber Security News.