Oscorp – New Android Credential-Stealing Malware Actively Attacking in the Wild

Security researchers have recently found an Android malware, dubbed Vulture, that is a Remote Access Trojan (RAT). According to the report, the malware abuses accessibility services on targeted devices so that the attackers can hijack user credentials for European banking.

The malware is quite dangerous because it uses Virtual Network Computing (VNC) remote screen access technology to continuously monitor users.


After the attack was discovered, it also emerged that the malware was distributed through the official Google Play Store, where it posed as an application named Protection Guard that had nearly 5,000 installations.

This is not the first encounter with such malware: Italy's CERT-AGID disclosed some details about Oscorp in January. Its features include the ability to block SMS messages and make phone calls.

It also carries out overlay attacks against more than 150 mobile applications, using lookalike login screens to capture valuable data.

Oscorp Evolves Into UBEL

The new Oscorp malware comes with some new but minor changes. At the same time, experts noted that a new Android botnet named UBEL was being promoted on several hacking forums.

The experts also noted that several UBEL customers have started accusing the malware of being a scam, saying that it does not work on specific Android devices.

There is also evidence that Oscorp evolved into UBEL: the “bot id” string format, which consists of an initial “RZ-” substring followed by random alphanumeric characters.

Static Analysis

In the static analysis, the experts highlighted the most interesting permissions that Oscorp requests to gain access to restricted parts of the Android system (such as READ_SMS and SEND_SMS) and to other legitimate applications (such as BIND_ACCESSIBILITY_SERVICE).

  • SYSTEM_ALERT_WINDOW: This allows an app to create windows that are displayed on top of all other apps.
  • RECORD_AUDIO: This allows an app to record audio
  • READ_SMS: This allows an app to read SMS messages
  • SEND_SMS: This allows an app to send SMS messages
  • RECEIVE_SMS: This allows an app to receive SMS messages
  • REQUEST_INSTALL_PACKAGES: It allows an application to request installing packages
  • REQUEST_DELETE_PACKAGES: It allows an application to request deleting packages
  • RECEIVE_BOOT_COMPLETED: This allows an app to launch itself automatically after system boot.
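
As an added example (not code from the report or from this article), the following Python triages a decoded AndroidManifest.xml for the permissions listed above together with a service bound to BIND_ACCESSIBILITY_SERVICE. The manifest is a constructed sample with a hypothetical package name, and the review rule is an assumption for triage, not a signature from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions the article lists for Oscorp.
WATCHLIST = {"SYSTEM_ALERT_WINDOW", "RECORD_AUDIO", "READ_SMS", "SEND_SMS",
             "RECEIVE_SMS", "REQUEST_INSTALL_PACKAGES",
             "REQUEST_DELETE_PACKAGES", "RECEIVE_BOOT_COMPLETED"}

# Constructed sample manifest (hypothetical package), not from a real sample.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def short(name):
    """Strip the 'android.permission.' prefix; tolerate a missing attribute."""
    return (name or "").rsplit(".", 1)[-1]


def triage(manifest_xml):
    """Return watchlisted permissions, accessibility services and a review flag."""
    root = ET.fromstring(manifest_xml)
    requested = {short(e.get(ANDROID_NS + "name"))
                 for e in root.iter("uses-permission")}
    hits = sorted(requested & WATCHLIST)
    # Services that only the system may bind as accessibility services.
    a11y = [s.get(ANDROID_NS + "name") for s in root.iter("service")
            if short(s.get(ANDROID_NS + "permission")) == "BIND_ACCESSIBILITY_SERVICE"]
    sms = any(p.endswith("_SMS") for p in hits)
    overlay = "SYSTEM_ALERT_WINDOW" in hits
    # An accessibility service combined with SMS access or overlays matches the
    # article's description; treat it as "needs manual review", not a verdict.
    return {"permissions": hits, "accessibility_services": a11y,
            "review": bool(a11y) and (sms or overlay)}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

The input is expected to be the text form of the manifest, since the binary XML inside an APK has to be decoded first.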

Dynamic Analysis

According to the report, once the malicious application is downloaded to the device, it attempts to install itself as an “Android Service”, an application component that can perform long-running operations in the background.

Once the “Android Service” is installed, Oscorp requests the following mandatory permissions:

  • Inspect your actions
  • Recover window content
  • Execute arbitrary gestures

The report also states that this new malware uses the cross-platform ngrok service, which connects local servers sitting behind Network Address Translation (NAT) and firewalls to the Internet.

These secure tunnels provide remote access to a VNC server running locally on the phone.

The most interesting part is the use of WebRTC to communicate with the compromised Android phone; according to the article, this is done because of the need to enroll a new device.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.