Critical flaw leaves thousands of Cisco Switches vulnerable to remote hacking
8.4.2018 thehackernews Vulnerability

Security researchers at Embedi have disclosed a critical vulnerability in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to execute arbitrary code, take full control over the vulnerable network equipment and intercept traffic.
The stack-based buffer overflow vulnerability (CVE-2018-0171) stems from improper validation of packet data in Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators deploy (client) network switches easily.


Embedi has published technical details and Proof-of-Concept (PoC) code after Cisco today released patch updates to address this remote code execution vulnerability, which has been given a base Common Vulnerability Scoring System (CVSS) score of 9.8 (critical).
Researchers found a total of 8.5 million devices with the vulnerable port open on the Internet, leaving approximately 250,000 unpatched devices open to hackers.
To exploit this vulnerability, an attacker needs to send a crafted Smart Install message to an affected device on TCP port 4786, which is open by default.
"To be more precise, the buffer overflow takes place in the function smi_ibc_handle_ibd_init_discovery_msg" and "because the size of the data copied to a fixed-size buffer is not checked, the size and data are taken directly from the network packet and are controlled by an attacker," Cisco explains in its advisory.
The vulnerability can also result in a denial-of-service condition (watchdog crash) by triggering an indefinite loop on the affected devices.
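The unchecked copy described above, as an added example that is not Cisco's or Embedi's code: the message layout, buffer size and function names are hypothetical, chosen only to show the flawed pattern beside a parser that validates the packet-supplied length before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire layout (an assumption, NOT the real Smart Install format):
 *   bytes 0-3  message type, big-endian
 *   bytes 4-7  payload length, big-endian (attacker-controlled)
 *   bytes 8..  payload */
#define HDR_LEN   8u
#define FIELD_CAP 64u            /* fixed-size destination buffer */

enum parse_status {
    PARSE_OK        =  0,
    PARSE_SHORT_HDR = -1,        /* missing argument or fewer bytes than a header */
    PARSE_TRUNCATED = -2,        /* declared length > bytes actually received */
    PARSE_TOO_LARGE = -3         /* declared length > destination capacity */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* FLAWED pattern described in the article: size and data both come from the
 * packet and nothing compares the size with the destination buffer.
 * Shown for comparison only; nothing in this example calls it. */
void copy_payload_unchecked(const uint8_t *pkt, uint8_t *dst)
{
    uint32_t len = read_be32(pkt + 4);
    memcpy(dst, pkt + HDR_LEN, len);   /* writes past dst when len > FIELD_CAP */
}

/* Hardened form: the declared length is checked against what was received
 * and against the destination capacity before any byte is copied. */
int copy_payload_checked(const uint8_t *pkt, size_t pkt_len,
                         uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    uint32_t len;

    if (pkt == NULL || dst == NULL || out_len == NULL || pkt_len < HDR_LEN)
        return PARSE_SHORT_HDR;
    len = read_be32(pkt + 4);
    if (len > pkt_len - HDR_LEN)       /* subtract, so the check cannot wrap */
        return PARSE_TRUNCATED;
    if (len > dst_cap)
        return PARSE_TOO_LARGE;
    memcpy(dst, pkt + HDR_LEN, len);
    *out_len = len;
    return PARSE_OK;
}

/* Builds a constructed test packet and runs the hardened parser on it. */
int check_case(uint32_t declared_len, size_t actual_payload)
{
    uint8_t pkt[HDR_LEN + 512] = {0};
    uint8_t field[FIELD_CAP];
    size_t copied = 0;

    if (actual_payload > 512)
        actual_payload = 512;
    pkt[3] = 1;                                   /* constructed type value */
    pkt[4] = (uint8_t)(declared_len >> 24);
    pkt[5] = (uint8_t)(declared_len >> 16);
    pkt[6] = (uint8_t)(declared_len >> 8);
    pkt[7] = (uint8_t)declared_len;
    memset(pkt + HDR_LEN, 'A', actual_payload);
    return copy_payload_checked(pkt, HDR_LEN + actual_payload,
                                field, sizeof field, &copied);
}

int main(void)
{
    printf("len 16 of 16 bytes:   %d\n", check_case(16, 16));
    printf("len 200 of 200 bytes: %d\n", check_case(200, 200));
    printf("len 4096 of 16 bytes: %d\n", check_case(4096, 16));
    return 0;
}
```

The two rejections are distinct on purpose: a length larger than the bytes received points to a malformed or truncated packet, while a length that fits the packet but not the buffer is the case the unchecked copy would have overflowed on.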


Researchers demonstrated the vulnerability at a conference in Hong Kong after reporting it to Cisco in May 2017.
Video Demonstrations of the Attack:
In their first demonstration, researchers targeted a Cisco Catalyst 2960 switch to reset/change the password and enter privileged EXEC mode.

 

In their second demo, researchers exploited the flaw to successfully intercept the traffic between other devices connected to the vulnerable switch and the Internet.

Affected Hardware and Software:
The vulnerability was tested on Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches; in addition, all devices that fall into the Smart Install Client type are potentially vulnerable, including:
Catalyst 4500 Supervisor Engines
Catalyst 3850 Series
Catalyst 3750 Series
Catalyst 3650 Series
Catalyst 3560 Series
Catalyst 2960 Series
Catalyst 2975 Series
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUs
SM-ES3 SKUs
NME-16ES-1G-P
SM-X-ES3 SKUs
Cisco fixed the vulnerability in all of its affected products on 28th March 2018, and Embedi published a blog post detailing the vulnerability on 29th March. Administrators are therefore strongly advised to install the free software updates to address the issue as soon as possible.


How to Make Your Internet Faster with Privacy-Focused 1.1.1.1 DNS Service

8.4.2018 thehackernews Safety

Cloudflare, a well-known Internet performance and security company, announced the launch of 1.1.1.1—the world's fastest and privacy-focused secure DNS service that not only speeds up your internet connection but also makes it harder for ISPs to track your web history.
A Domain Name System (DNS) resolver, or recursive DNS server, is an essential part of the internet that matches up human-readable web addresses with their actual location on the internet, called IP addresses.
For example, when you try to open a website, say thehackernews.com, your DNS resolver looks up the IP address linked to this domain name and loads the site.


Since the default DNS services provided by ISPs are often slow and insecure, most people rely on alternative DNS providers—such as OpenDNS (208.67.222.222), Comodo DNS (8.26.56.26) and Google (8.8.8.8), to speed up their Internet.
But if you use Cloudflare's new 1.1.1.1 DNS service, your computer/smartphone/tablet will start resolving domain names at a blazing-fast speed of 14.8 milliseconds—that's over 28% faster than others, like OpenDNS (20.6ms) and Google (34.7ms).
Even if you are visiting websites over HTTPS, DNS resolvers log every site you visit, letting your ISP or 3rd-party DNS services know about everything you do on the Internet.
"That means, by default, your ISP, every wifi network you’ve connected to, and your mobile network provider have a list of every site you’ve visited while using them," the company says.
However, Cloudflare has changed this game with its new free DNS service, which it claims will be "the Internet's fastest, privacy-first consumer DNS service," promising to prevent ISPs from easily tracking your web browsing history.
Cloudflare's public DNS resolvers, 1.1.1.1 and 1.0.0.1 (as an alternate DNS server for redundancy), support both DNS-over-TLS and DNS-over-HTTPS to ensure maximum privacy.
The company has also promised not to sell users’ data, and instead to wipe all logs of DNS queries within 24 hours. It's also working with auditors at KPMG to examine its systems and guarantee it's not actually collecting your data.
How to Change DNS Settings to Boost Internet Speed
For Mac PCs:
Open System Preferences.
Search for DNS Servers and tap it.
Click the + button to add a DNS Server and enter 1.1.1.1 and 1.0.0.1 (for redundancy).
Click Ok and then Apply.
For Windows Computers:
Tap Start and then click on Control Panel.
Click on Network and Internet, and then tap Change Adapter Settings.
Right-click on the Wi-Fi network you are connected to, then click Properties.
Select Internet Protocol Version 4 and click Properties, and then write down any existing DNS server entries for future reference.
Now tap Use The Following DNS Server Addresses, and replace those addresses with the 1.1.1.1 DNS addresses: For IPv4: 1.1.1.1 and 1.0.0.1; and For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001
Click OK, then Close, and Restart your browser.
For Android Devices:
Connect to your preferred WiFi network.
Enter your router’s gateway IP address in your browser. Fill in your username and password, if asked.
In your router’s configuration page, locate the DNS server settings, and write down any existing DNS server entries for future reference.
Replace those addresses with the 1.1.1.1 DNS addresses: For IPv4: 1.1.1.1 and 1.0.0.1, and For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001
Save your settings, then restart your browser.
Note: Android requires a static IP to use custom DNS servers. This approach requires additional setup on your router, affecting your network’s strategy for adding new devices to the network. Cloudflare recommends configuring your router’s DNS instead, which gives all devices on your network the full speed and privacy benefits of 1.1.1.1 DNS.
For iOS Devices (iPhone/iPad):
From your iPhone's home screen, open Settings.
Open Wi-Fi and then your preferred network in the list.
Tap Configure DNS, and then click on Manual.
If there are any existing entries, tap the - button, and Delete next to each one.
Now, add 1.1.1.1 and 1.0.0.1 (as alternate DNS server for redundancy) to the DNS address.
Now, tap the Save button on the top right.
You’re all set to go! Your device now has faster, more private DNS servers.
Well, I have already switched to Cloudflare DNS service. If you have too, please tell me about your experience in the comments below.


Google Bans Cryptocurrency Mining Extensions From Chrome Web Store
8.4.2018 thehackernews Cryptocurrency

In an effort to prevent cryptojacking by extensions that maliciously mine digital currencies without users' awareness, Google has implemented a new Web Store policy that bans any Chrome extension submitted to the Web Store that mines cryptocurrency.
Over the past few months, we have seen a sudden rise in malicious extensions that appear to offer useful functionality, while embedding hidden cryptocurrency mining scripts that run in the background without the user's knowledge.
Last month, cryptocurrency miners were even found in a Russian nuclear weapons lab and on thousands of government websites. In January, cryptocurrency mining malware also infected more than half a million PCs.


Until now, the Chrome Web Store allowed only those cryptocurrency mining extensions that were solely intended for mining and that explicitly informed users about their workings and revenue model.
If the company finds that a mining extension submitted by developers is not in compliance and secretly mines cryptocurrency using a victim device's computing power, it simply blocks the extension.

Since about 90 percent of the mining extensions developers submitted to the Chrome Web Store failed to comply with the rules, the tech giant decided to ban all browser extensions that mine cryptocurrency (even if it's used for legitimate purposes) from its Web Store.
"Starting today, Chrome Web Store will no longer accept extensions that mine cryptocurrency," Google says in its Chromium Blog. "Existing extensions that mine cryptocurrency will be delisted from the Chrome Web Store in late June."
However, the ban on cryptocurrency mining extensions will not impact other digital currency and blockchain-related extensions, such as Bitcoin price checkers, blockchain browsers, and cryptocurrency wallet managers.


Google noted that its new move is "another step forward in ensuring that Chrome users can enjoy the benefits of extensions without exposing themselves to hidden risks."
Though banning cryptocurrency mining extensions is definitely a great move, the ban may not eliminate the problem as a whole, since attackers have increasingly been developing ways to hide their mining functionality in an extension until after it gets Chrome Web Store approval.
The ban comes less than a month after Google announced its plans to ban advertisements related to cryptocurrency.
Google is not the first one to impose a ban on cryptocurrency-related abuses. Late last month, Twitter announced its plan to block cryptocurrency-related ads on its platform, and in January, Facebook banned all ads promoting cryptocurrencies, including Bitcoin and ICOs.


Apple Plans to Replace Intel Chips in Macs with its Custom Designed CPUs
8.4.2018 thehackernews IT

In a major blow to Intel, Apple is reportedly planning to use its custom-designed ARM chips in Mac computers starting as early as 2020, ultimately replacing the Intel processors running on its desktop and laptop hardware.
The company makes its own A-series custom chips for iPhones, iPads and other iThings, while the Mac devices use Intel x64 silicon. Now according to a report from Bloomberg, Apple plans to replace Intel's Mac chips with its own homegrown CPUs.


The report says Apple executives have a project, codenamed "Kalamata," that designs desktop-grade Arm-compatible processors, along with a macOS port, allowing the company to craft a uniform architecture across all of its product lines.
The report also says this changeover would be part of a "multi-step transition" to make iOS devices and Macs "work more similarly and seamlessly together," helping Apple's plan (project codename 'Marzipan') to bring iOS apps to Mac for software cross-compatibility.
The changeover is likely to be in the wake of recent high-profile security issues around Intel chip architecture and chips from other manufacturers. It is similar to the approach Apple has taken in the past by switching to PowerPC architecture in 1991 and to Intel in 2006.
With the changeover, Apple would not have to share 5% of its annual revenue with Intel and pay for exclusive deals to offer high-end processors first to its customers, and competitors would not be able to copy innovations so easily.
Switching to its own chips would also allow the company to control its own hardware roadmap better, and offer better performance to its users.


Bloomberg also notes that the revised Mac Pro laptops arriving next year will include an Apple-developed chip, and other Mac laptops will also receive Apple-developed chips this year.
Soon after the Bloomberg report was published, Intel’s stock price took a hit and dropped by 9.2 percent, the biggest intraday drop in over two years. Its shares are down 6.07 percent at $48.92 at the time of writing.
Rumors of Apple ditching Intel and switching to its own custom silicon have been circulating for a decade. Last September, a report also claimed Apple was looking to cut back on its reliance on Intel, but nothing of that sort happened.
Neither Apple nor Intel has yet responded to the report.


New Android Malware Secretly Records Phone Calls and Steals Private Data
8.4.2018 thehackernews Android

Security researchers at Cisco Talos have uncovered variants of a new Android Trojan that are being distributed in the wild disguised as a fake anti-virus application dubbed "Naver Defender."
Dubbed KevDroid, the malware is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices, and it is also capable of recording phone calls.
Talos researchers published Monday technical details about two recent variants of KevDroid detected in the wild, following the initial discovery of the Trojan by South Korean cybersecurity firm ESTsecurity two weeks ago.
Though researchers haven't attributed the malware to any hacking or state-sponsored group, South Korean media have linked KevDroid with the North Korean state-sponsored cyber espionage hacking group "Group 123," primarily known for targeting South Korean targets.
The most recent variant of KevDroid malware, detected in March this year, has the following capabilities:
record phone calls & audio
steal web history and files
gain root access
steal call logs, SMS, emails
collect the device's location every 10 seconds
collect a list of installed applications
The malware uses an open source library, available on GitHub, to gain the ability to record incoming and outgoing calls from the compromised Android device.

Although both malware samples have the same capabilities of stealing information on the compromised device and recording the victim's phone calls, one of the variants even exploits a known Android flaw (CVE-2015-3636) to get root access on the compromised device.
All stolen data is then sent to an attacker-controlled command and control (C2) server, hosted on PubNub global Data Stream Network, using an HTTP POST request.
"If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim," resulting in "the leakage of data, which could lead to a number of things, such as the kidnapping of a loved one, blackmail by using images or information deemed secret, credential harvesting, multi-factor token access (SMS MFA), banking/financial implications and access to privileged information, perhaps via emails/texts," Talos says.
"Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid."
Researchers also discovered another RAT, designed to target Windows users, that shares the same C&C server and also uses the PubNub API to send commands to the compromised devices.
How to Keep Your Smartphone Secure
Android users are advised to regularly review the apps installed on their devices and to remove any malicious, unknown or unnecessary app that is in the list without their knowledge or consent.
Such Android malware can be used to target your devices as well, so if you own an Android device, you are strongly recommended to follow these simple steps to help avoid this happening to you:
Never install applications from 3rd-party stores.
Ensure that you have already opted for Google Play Protect.
Enable 'verify apps' feature from settings.
Keep "unknown sources" disabled while not using it.
Install anti-virus and security software from a well-known cybersecurity vendor.
Regularly back up your phone.
Always use an encryption application for protecting any sensitive information on your phone.
Never open documents that you are not expecting, even if it looks like it's from someone you know.
Protect your devices with a PIN or password lock so that nobody can gain unauthorized access to your device when it is left unattended.
Keep your device always up-to-date with the latest security patches.


Intel Admits It Won't Be Possible to Fix Spectre (V2) Flaw in Some Processors

8.4.2018 thehackernews Vulnerability

As speculated by the researcher who disclosed Meltdown and Spectre flaws in Intel processors, some of the Intel processors will not receive patches for the Spectre (variant 2) side-channel analysis attack.
In a recent microcode revision guidance (PDF), Intel admits that it would not be possible to address the Spectre design flaw in certain older CPUs, because it requires changes to the processor architecture to mitigate the issue fully.
The chip-maker has marked the production status of a total of 9 product families as "Stopped": Bloomfield, Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale, and Yorkfield.
These vulnerable chip families, mostly older ones that went on sale between 2007 and 2011, will no longer receive microcode updates, leaving more than 230 Intel processor models, which power millions of computers and mobile devices, vulnerable to hackers.
According to the revised guidance, "after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons."
Intel mentions three reasons in its documentation for not addressing the flaw in some of the impacted products:
Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
Limited Commercially Available System Software support
Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
The Spectre variant 2 vulnerability (CVE-2017-5715) affects systems wherein microprocessors utilize speculative execution and indirect branch prediction, allowing a malicious program to read sensitive information, such as passwords and encryption keys, including that of the kernel, using a side-channel analysis attack.
However, these processors can install pre-mitigation production microcode updates to mitigate Variant 1 (Spectre) and Variant 3 (Meltdown) flaws.
"We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback," says an Intel spokesperson via email.
Besides Intel, AMD Ryzen and EPYC processors were also found vulnerable to 13 critical vulnerabilities that could allow an unauthorized attacker to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.
AMD has acknowledged reported vulnerabilities and promised to roll out firmware patches for millions of affected devices in the coming weeks.
However, CTS Labs, the security firm that discovered and disclosed the vulnerabilities, claimed that AMD could take several months to release patches for most of the security issues, and that some of them cannot be fixed.


New Agent Tesla Spyware Variant Discovered
8.4.2018 securityweek Virus

A new variant of the Agent Tesla spyware has been spreading via malicious Microsoft Word documents, Fortinet reports.

The malware was initially detailed last June, when security researchers discovered it was spreading via a Microsoft Word document containing an auto-executable malicious VBA Macro. When opening the document, users were asked to “enable content,” which resulted in the spyware being covertly installed if they did so.

The malicious documents observed in the recent campaign instead ask the victim to double click a blue icon to enable a “clear view.” This action, however, results in a POM.exe file being extracted from the embedded object, which is saved to the system’s temporary folder and executed.

The POM.exe executable is written in Visual Basic and acts as an installer, Fortinet’s Xiaopeng Zhang reveals.

The Agent Tesla spyware was designed to collect keystrokes, system clipboard, screenshots, and credentials from a variety of installed software. To perform its nefarious activities, the malware creates different threads and timer functions in the main function.

The new malware variant has the same capabilities as the previously observed version, but uses SMTPS to send the collected data to the attacker’s email box, instead of HTTP POST requests.

“Based on my analysis, the commands used in the SMTP method include ‘Passwords Recovered’, ‘Screen Capture’, and ‘Keystrokes’, etc. The commands are identified within the email’s ‘Subject’ field,” the security researcher explains.

To receive the stolen information, the attacker registered a free Zoho email account for this campaign. The email service provider has been informed of the abuse, Fortinet says.


After Cambridge Analytica Facebook COO Sandberg admits other possible misuses
8.4.2018 securityaffairs Social

After the Cambridge Analytica privacy scandal, Facebook chief operating officer Sheryl Sandberg admitted that the company cannot rule out other cases of misuse.
In the wake of recent revelations about the Cambridge Analytica scandal, Facebook Chief operating officer Sheryl Sandberg doesn’t exclude other data misuse.

Sandberg gave two interviews last week, to National Public Radio and NBC’s “Today Show,” during which she acknowledged the company's serious responsibility. She pointed out that Facebook was not able to prevent third parties from abusing its platform, and said that the company should have taken further steps to protect the privacy of its users.

“We know that we did not do enough to protect people’s data,” Sandberg told NPR. “I’m really sorry for that. Mark is really sorry for that, and what we’re doing now is taking really firm action.”

“Safety and security is never done, it’s an arms race,” she said. “You build something, someone tries to abuse it.”

“But the bigger is, ‘Should we have taken these steps years ago anyway?'” Sandberg said. “And the answer to that is yes.”

“We really believed in social experiences, we really believed in protecting privacy, but we were way too idealistic,” she added.

“We did not think enough about the abuse cases and now we’re taking really firm steps across the board.”

One of the most debated aspects of the Cambridge Analytica scandal is that Facebook was aware of the misuses years before. Unfortunately, this is true and Sandberg confirmed it. She said that Facebook was first aware two and a half years ago that Cambridge Analytica had obtained user data in an illegal way.

“When we received word that this researcher gave the data to Cambridge Analytica, they assured us it was deleted,” she said. “We did not follow up and confirm, and that’s on us — and particularly once they were active in the election, we should have done that.”

Asked by the “Today Show” whether other cases of misuse of user data could be expected, Sandberg said it is possible, and for this reason the social media giant is conducting an investigation.

“We’re doing an investigation, we’re going to do audits and yes, we think it’s possible, that’s why we’re doing the audit,” she told NPR.

“That’s why this week we shut down a number of use cases in other areas — in groups, in pages, in events — because those are other places where we haven’t necessarily found problems, but we think that we should be more protective of people’s data.”

Sandberg announced that from next week, the news feed will be integrated with a feature that will allow users to see all the apps they’ve shared their data with.

“a place where you can see all the apps you’ve shared your data with and a really easy way to delete them.”

Sandberg admitted that Facebook should have detected the Russian interference in the 2016 presidential election, but said this was a lesson for the company, which will not permit it again in the future.

“That was something we should have caught, we should have known about,” she told NPR. “We didn’t. Now we’ve learned.”

“We’re going after fake accounts,” “A lot of it is politically motivated but even more is economically motivated.”

Zuckerberg will appear before a US congressional panel next week to address privacy issues.


Pocket cryptofarms

7.4.2018 Kaspersky Android Cryptocurrency
Investigating mobile apps for hidden mining
In recent months, the topic of cryptocurrency has been a permanent news fixture — the value of digital money has been see-sawing spectacularly. Such pyrotechnics could hardly have escaped the attention of scammers, which is why cryptocurrency fluctuations have gone hand in hand with all kinds of stories. These include hacked exchanges, Bitcoin and Monero ransoms, and, of course, hidden mining. We’ve noticed that attackers no longer limit themselves to servers, desktops, and laptops. They are increasingly drawn to mobile devices, mainly Android. We decided to take a closer look to see which mobile apps stealthily mine digital coins on user devices and how widespread they are.

Primitive counterfeit apps
We found several types of malware posing as popular programs and games, but actually just showing ads and secretly mining cryptocurrencies using the CoinHive SDK. In particular, we unearthed counterfeit versions of Instagram, Netflix, Bitmoji, and others. The scammers had added the word “hack” to the original app names. These “hacked” apps were distributed through forums and third-party stores. Kaspersky Lab products detect such programs as RiskTool.AndroidOS.Miner.

Fragment of RiskTool.AndroidOS.Miner.a code that runs a hidden miner and displays an advertising page

Advertising page that RiskTool.AndroidOS.Miner.a shows to the user

Primitive miners based on web frameworks
There are a number of web frameworks that make it easy to create mobile apps, including miners. At the heart of such apps there lies a web page containing a JS script for mining cryptocurrency (for example, the CoinHive script). Most of the miners we found of this type were based on the Thunkable and Cordova frameworks. These apps are most commonly distributed through third-party sites, although one of them was found in the official Google Play store, where it was removed after we reported it.

Screenshot of a game in the Google Play store that mined cryptocurrency

We also found one app built on a different framework, Andromo. It looks like a discount aggregator at first glance, but instead of linking to sites with discounted products, it loads a page that mines cryptocurrency and doesn’t even try to hide it.

One more app caught our eye — Crypto Mining for Children. Based on the B4A framework, it was found in the official Google store (at the time of writing this article it had been deleted). Its stated goal was to mine cryptocurrency for charity. But the description contained no word about where or how the coins would be spent — something that any bona fide fundraising organization would publish. What’s more, the name of the developer bore a striking resemblance to that of a well-known mobile app (a cryptocurrency wallet), but with one letter missing. That’s a common trick used by phishers.

Useful apps infected with miners
This category is made of programs that Kaspersky Lab products detect as Trojan.AndroidOS.Coinge; they are popular apps in which cybercriminals have added malicious code for mining cryptocurrency.

Infected version of the TSF Launcher app

Interestingly, the cybercriminals added the malicious code to the code of other SDKs used by the app. That way, the app runs a library that does the mining. Not only that, we managed to detect a modification of this Trojan that does away with the need for a library: the malware adds its code to all web pages it opens. It’s worth noting that both methods of infection are similar to those used by Trojan-PSW.AndroidOS.MyVk to steal passwords.

A modification of Trojan.AndroidOS.Coinge adds mining code to all opened web pages

We managed to detect 23 different apps infected by Trojan.AndroidOS.Coinge.

Miners in apps for watching soccer
According to Kaspersky Security Network, the most common mining apps among those we found were connected to the topic of soccer. The name PlacarTV (placar means “account” in Portuguese) or something similar cropped up frequently. The main function of such apps was to show soccer videos while secretly mining cryptocurrency.

The PlacarTV app uses CoinHive for mining

The PlacarTV app interface

Our data shows that some of these apps were distributed through Google Play, with the most popular having been installed more than 100,000 times.

A modification of the PlacarTV app that was distributed through Google Play

The apps access the placartv.com server. This same domain is used in the developer’s email address specified in the Google Play store. Unbeknown to visitors, the site placartv.com runs a script that mines cryptocurrency.

Code of the placartv.com page used to mine cryptocurrency

Mobile clickers
Members of the Trojan.Clicker malware family typically open web pages and click them without the user noticing. Such pages can contain both adverts and subscriptions to WAP services. But having started to make easy money from unsuspecting users, the creators seemingly got greedy. And it wasn’t long before cryptocurrency mining was added to the feature set of some clickers. We already analyzed a similar case when a miner was caught lurking in the modules of the Loapi Trojan.

Another Trojan-turned-miner is Ubsob. This malware poses as a suite of useful apps. When started, it downloads and installs an app that it uses to mask itself. Its creators broadened their horizons by adding code borrowed from the app NeoNeonMiner for cryptomining.

Installation of the original app initialized by the Ubsob Trojan

Furthermore, the Trojan requests device administrator rights to establish a foothold in the system. This means that to delete it, it must first be removed from the list of device administrators. During the process, the malware displays a scary message – “These action can lead to data lost. Are you really wont to erase all your data?”

Message displayed by the Ubsob Trojan when attempting to deprive it of administrator rights

The Trojan mainly “resides” in CIS countries, above all Russia.

Other interesting finds
Fire-prevention miner
Probably the most interesting Trojan we analyzed is Trojan.AndroidOS.Coinge.j. It has no legitimate app functions at all and installs itself either as a porn app or as an Android system app. As soon as it starts, the malware requests device administrator rights to prevent its removal.

Trojan.AndroidOS.Coinge.j requests device administrator rights

The Trojan uses several layers of encryption and obfuscation to protect its code from analysis, but that’s not the only string to its bow. The malware monitors the device battery and temperature to mine cryptocurrency without posing a fire hazard. It seems the cybercriminals have no desire to repeat the “success” of Loapi, which incinerated our test phone.

Almost a third (29%) of the Trojan’s victims were in India. It is also active in the United States (8%), Britain (6%), Iran (5%), and Ukraine (5%). Like Ubsob, it uses the code of a legitimate app to mine cryptocurrencies.

VPN with undocumented features
We found another battery and temperature-monitoring miner in Google Play under the guise of the Vilny.net VPN app for establishing a VPN connection. By the time of detection, it had been installed more than 50,000 times. We reported it to Google.

Code of the Vilny.net VPN app

Information about the Vilny.net VPN app on Google Play

Conclusion
Keep in mind that mobile mining has a number of limitations:

First, mobile devices trail a long way behind desktop systems performance-wise, let alone dedicated mining farms, which eats into the profitability of cryptocurrency mining on mobile devices.
Second, heavy use of mobile devices causes them to heat up noticeably, alerting the user.
Lastly, smartphones’ relatively small battery power means they discharge quickly if used intensively, making mining more visible to the user and time-limited.
However, our study showed that cybercriminals are not put off by these limitations. We uncovered numerous mobile miners built on various frameworks and distributed in various ways, including through the official Google Play store. Perhaps cybercriminals are banking on compensating for smartphones’ poor performance and mobile miners’ easy detection through the sheer number of handheld devices out there and their high infectibility.
