February 4, 2020 By David Bisson 2 min read

Security researchers discovered a new form of Android malware that is attempting to steal money from diabetic patients.

In September 2019, FortiGuard Labs came across a sample of the Android malware, detected as Android/FakePlayer.X!tr, operating within a program called “Treatment for Diabetes.” The security firm’s researchers analyzed the app and found that it provides users with information pertaining to diabetes. For instance, they observed that the app contains facts and myths about diabetes as well as information regarding diagnosis methods, treatment options and insulin.

Upon closer examination, however, researchers noticed the app doing something unexpected. It was leveraging a successful installation to request permission to view and send SMS messages, an unusual request for a medical application. In the event that a user approved, the malware then used a Trojan dialer to send SMS messages to the phone number 5554, presumably in an attempt to steal money from its victims.

Stay Alert for Malicious Health-Related Apps

This isn’t the first time that FortiGuard Labs came across a health-related app containing Android malware. As reported by ZDNet, the research team presented on three other malicious programs at the Virus Bulletin 2019 conference in London. One of those apps claimed that it could tell users their life expectancy if they filled out a form, but the program behaved suspiciously, covertly sending the information entered by the user to a remote server. Another program claimed to help users manage their diabetes, but the app failed to work unless they installed other apps full of adware. The last app did provide advice on diabetes but also tracked a user’s GPS location, IP address and the other apps installed on their device.

Through these programs, attackers might have directly stolen money from their victims. They might have also compromised the privacy of their users by stealing their device information, as well as personal and even medical information. Attackers can monetize such details on the dark web, thereby opening the door for secondary attacks against victims.

How to Defend Against Android Malware

Consumers should always be wary of mobile apps that request strange permissions upon installation and ensure they are downloading apps from a legitimate marketplace. Attackers have shown they won’t hesitate to employ social engineering methods to deceive individuals, making security awareness crucial for mobile device users.

Security professionals can help defend their organizations against Android malware by investing in a mobile device management (MDM) platform that helps manage and secure mobile and internet of things (IoT) devices. Companies should also consider implementing a zero-trust model by tightly integrating their identity and access management (IAM), unified endpoint management (UEM) and mobile threat defense (MTD) capabilities.

More from

How governance, risk and compliance (GRC) addresses growing data liability concerns

4 min read - In an era where businesses increasingly rely on artificial intelligence (AI) and advanced data capabilities, the effectiveness of IT services is more critical than ever. Yet despite the advancements in technology, business leaders are increasingly dissatisfied with their IT departments.According to a study by IBM's Institute for Business Value, confidence in the effectiveness of basic IT services among top executives has significantly declined. While AI promises transformational capabilities, particularly generative artificial intelligence (gen AI), the road to realizing these benefits…

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today