Oscorp is a new family of Android malware, so dubbed by CERT-AGID Italy, that abuses the device's accessibility services to hijack user credentials and record audio and video.
Named after the title of the login page of its command-and-control (C2) server, the malicious APK is distributed via a domain named “supportoapp[.]com”. Upon installation, it requests intrusive permissions to enable the accessibility service and establishes communications with the C2 server to retrieve additional commands.
The malware repeatedly reopens the Settings screen every eight seconds until the user turns on the accessibility and device usage statistics permissions, thus pressuring the user into granting the extra privileges.
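As an added defensive check (example code written for this article, not from CERT-AGID or the original report), the POSIX shell script below reads a device's enabled accessibility services over adb and flags any whose package is not on an allowlist; the allowlist packages and the sample device value are constructed assumptions.

```shell
#!/bin/sh
# Audit which apps hold accessibility access on an Android device and flag
# any not on an allowlist. Added example, not from the Oscorp report.
# Assumes `adb` is on PATH and a device is attached when run with --live;
# otherwise a constructed sample value is used so the script runs offline.

# Hypothetical allowlist: packages whose accessibility services are expected
# (e.g. the stock screen reader). Replace with what your fleet permits.
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.talkback"

# Android stores the enabled services in the secure settings table as a
# colon-separated list of "package/ServiceClass" entries, or "null" if none.
get_enabled_services() {
    adb shell settings get secure enabled_accessibility_services | tr -d '\r'
}

# Print each enabled service whose package is not allowlisted, one per line.
# $1 = raw colon-separated setting value, $2 = space-separated allowlist.
flag_unexpected_services() {
    raw=$1
    allowed=$2
    if [ "$raw" = "null" ] || [ -z "$raw" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        pkg=${entry%%/*}          # package name is everything before the slash
        ok=0
        for a in $allowed; do
            [ "$pkg" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Constructed sample: the legitimate screen reader plus a sideloaded app
# that has been granted accessibility access.
SAMPLE='com.google.android.marvin.talkback/.TalkBackService:com.example.sideloaded/.AccService'

if [ "${1:-}" = "--live" ]; then
    flag_unexpected_services "$(get_enabled_services)" "$ALLOWED_PKGS"
else
    flag_unexpected_services "$SAMPLE" "$ALLOWED_PKGS"
fi
```

Any line printed is an app that can read screen content and inject input on that device and deserves a closer look.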
The malware exploits the permissions to log keystrokes, uninstall apps on the device, make calls, send SMS messages, steal cryptocurrency by redirecting payments made via Blockchain.com Wallet app, and access two-factor authentication codes from the Google Authenticator app.
The malware finally exfiltrates the captured data, along with system information, to the C2 server. It also fetches commands from the server that allow it to launch the Google Authenticator app, steal SMS messages, uninstall apps, launch specific URLs, and record audio and video of the screen through WebRTC. In addition, it displays phishing pages that ask for the username and password of sensitive installed apps, such as banking apps.
Android has always had a very permissive policy towards app developers, leaving the ultimate decision of whether to trust an app to the end user. The user is protected only until the app is run; once it is opened, the malware is out of their control and free to cause havoc.