- Android -
Last update 04.10.2017 16:16:35
Yet Another Android Malware Infects Over 4.2 Million Google Play Store Users
15.9.2017 thehackernews Android
Even after so many efforts by Google, malicious apps somehow managed to fool its Play Store's anti-malware protections and infect people with malicious software.
The same happened once again when at least 50 apps managed to make their way onto the Google Play Store and were downloaded as many as 4.2 million times—one of the biggest malware outbreaks to date.
Security firm Check Point on Thursday published a blog post revealing at least 50 Android apps that were free to download on official Play Store and were downloaded between 1 million and 4.2 million times before Google removed them.
These Android apps come with hidden malware payload that secretly registers victims for paid online services, sends fraudulent premium text messages from victims' smartphones and leaves them to pay the bill—all without the knowledge or permission of users.
Dubbed ExpensiveWall by Check Point researchers because it was found in the Lovely Wallpaper app, the malware comes hidden in free wallpaper, video or photo editing apps. It's a new variant of malware that McAfee spotted earlier this year on the Play Store.
But what makes ExpensiveWall malware different from its other variants is that it makes use of an advanced obfuscation technique called "packed," which compresses malicious code and encrypts it to evade Google Play Store's built-in anti-malware protections.
The researchers notified Google of the malicious apps on August 7, and the software giant quickly removed all of them, but within a few days the malware re-emerged on the Play Store and infected over 5,000 devices before it was removed four days later, Check Point said.
Here's How ExpensiveWall Malware Works:
Once an app with ExpensiveWall—which researchers think came from a software development kit called GTK—is downloaded on a victim's device, the malicious app asks for the user's permission to access the Internet and to send and receive SMS messages.
The internet access is used by the malware to connect the victim's device to the attacker's command and control server, where it sends information on the infected handset, including its location alongside unique hardware identifiers, such as MAC and IP addresses, IMSI and IMEI numbers.
The C&C server then sends the malware a URL, which it opens in an embedded WebView window to download JavaScript code that begins to clock up bills for the victim by sending fraudulent premium SMS messages without their knowledge, and uses the victim's phone number to register for paid services.
However, according to the Check Point researchers, it is still unclear how much revenue was generated via ExpensiveWall's premium SMS scam.
Google's Play Store—Home for Malware
Android malware continues to evolve with more sophisticated and never-seen-before capabilities with every passing day, and spotting them on Google Play Store has become quite a common thing.
Last month, over 500 Android apps with spyware capabilities were found on Play Store, which had been downloaded more than 100 million times.
In July, Lipizzan spyware apps were spotted on Play Store that can steal a whole lot of information on users, including text messages, emails, voice calls, photos, location data, and other files, and spy on them.
In June, more than 800 Xavier-laden apps were discovered on Google Play that had been downloaded millions of times, and the same month researchers found first code injecting rooting malware making rounds on Google Play Store.
A month prior to it, researchers spotted 41 apps on Play Store hidden with the Judy Malware that infected 36.5 million Android devices with malicious ad-click software.
In April, over 40 apps with hidden FalseGuide malware were spotted on Play Store that made 2 Million Android users victims.
Earlier this year, researchers also discovered a new variant of the HummingBad malware, dubbed HummingWhale, hidden in more than 20 apps on Google Play Store, which were downloaded by over 12 Million users.
How to Protect Your Android From Such Malware Apps
Even after Google removed all the malware-tainted apps from its official Play Store marketplace, your smartphones will remain infected with the ExpensiveWall malware until you explicitly uninstall the malicious apps, if you have downloaded any.
Google has recently provided a security feature known as Play Protect that uses machine learning and app usage analysis to automatically remove malicious apps from the affected smartphones to prevent further harm.
However, according to the Check Point researchers, many phones run an older version of Android that does not support the feature, leaving a wide audience open to malware attacks.
You are strongly advised to always keep a good antivirus app on your device that can detect and block any malicious app before it can infect your device, and always keep your device and all apps up-to-date.
Premium SMS malware EXPENSIVEWALL infected millions of Android handsets
15.9.2017 securityaffairs Android
Google removed 50 malicious apps from the official Play Store after experts discovered a new malware, dubbed ExpensiveWall, eluded Google Bouncer checks.
Google has removed 50 malicious apps from the official Play Store after experts with security firm Check Point discovered a new malware, dubbed ExpensiveWall, that eluded the checks of Google’s Bouncer.
The ExpensiveWall malware was found in the Lovely Wallpaper app; it includes a payload that registers victims for paid online services and sends premium SMS messages from their devices. The malicious code was discovered in 50 apps on the Play Store that were downloaded by between 1 million and 4.2 million users.
“Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge.” states the analysis shared by Check Point researchers.
“The new strain of malware is dubbed “ExpensiveWall,” after one of the apps it uses to infect devices, “Lovely Wallpaper.””
The malware is not totally new to security experts: malware researchers with McAfee first spotted it in the Play Store in January, but they highlighted that the payloads have significant differences.
The ExpensiveWall authors encrypted and compressed the malicious code in order to bypass Google’s automated checking processes, and they succeeded!
Once the application is installed by the victims, it requests the permission to access the internet and send and receive SMS messages. Then ExpensiveWall sends back to the C&C server handset information, including its location, MAC and IP addresses, IMSI, and IMEI numbers.
The C&C server, in turn, sends the malware a URL that it opens in an embedded WebView window and downloads the JavaScript code used to send the premium SMS messages.
According to Check Point researchers, the malicious code is spread to different applications as a software development kit called GTK.
“After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called “gtk,” which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is being discussed here, and the third contains the code but does not actively use it.” continues the analysis.
Check Point reported the discovery to Google on August 7, 2017, and the company promptly removed the malicious apps from the Google Play Store. Unfortunately, even after the affected apps were removed from the store, within days another sample was spotted in Google Play; this time it likely infected more than 5,000 devices before it was removed four days later.
Experts said Google missed warnings about the malware infection that were published in the comments section by users who had downloaded the apps. One of the infected apps received a large amount of negative feedback from outraged users who noticed the malicious behavior.
Unfortunately, such incidents are becoming frequent: in June, Google twice in one month removed malicious apps infected with the Ztorg Trojans, which allowed attackers to root targeted devices.
In April, millions of users looking to get software updates downloaded an app hiding a spyware called SMSVova through the official Google Play store.
It has been estimated that the fake application hiding the SMSVova spyware was uploaded in the Google Play in 2014, and has been downloaded between 1,000,000 and 5,000,000 times.
Clearly, Google must improve its checks to avoid further incidents.
Google Patches 81 Android Vulnerabilities With September 2017 Updates
7.9.2017 securityweek Android
A total of 81 security vulnerabilities have been addressed in this month’s set of security patches for the Android platform. 13 of the flaws were rated Critical severity.
The security bulletin has two security patch levels, each focused on addressing vulnerabilities in specific components.
The 2017-09-01 security patch level fixes a total of 30 vulnerabilities, 10 of which are rated Critical severity, 15 High risk, and 5 Medium severity. Affected Android iterations range from version 4.4.4 to 8.0, but only some vulnerabilities impact all platform releases.
The most affected component was media framework, with 24 vulnerabilities addressed in it, including 10 rated Critical severity, all remote code execution flaws. 10 other bugs were rated High risk, including one remote code execution, 4 elevation of privilege, and 5 denial of service issues.
The remaining 4 bugs are considered Moderate risk. Three of them, however, have a Medium risk rating only when affecting Android versions 7.0, 7.1.1, 7.1.2, or 8.0. When impacting platform releases older than 7.0, they are considered High severity, Google’s advisory reads.
As part of the 2017-09-01 security patch level, Google also addressed a High risk elevation of privilege flaw in Framework, three High risk (2 remote code execution and one elevation of privilege) issues in Libraries, one High severity denial of service bug in Runtime, and one Moderate elevation of privilege bug in System.
Tracked as CVE-2017-0780, the denial of service vulnerability in Runtime affects Nexus and Pixel devices and allows an attacker to remotely crash a victim’s Android Messages app by sending a malformed multimedia message (MMS), Trend Micro reveals. If the bug is triggered, the app can’t recover even if the device is rebooted.
The bug resides in unhandled, Java-level Null Pointer Exceptions (NPEs) in the process of parsing Graphics Interchange Format (GIF) files in the messaging app. An attacker looking to exploit the bug needs to know the phone number of the victim they want to send the malicious GIF to.
A total of 51 vulnerabilities were resolved as part of the 2017-09-05 security patch level, but only three of them were rated Critical.
Qualcomm components emerge as the most impacted, with 21 vulnerabilities resolved in them, including 1 Critical remote code execution bug, 4 High risk flaws (1 information disclosure and 3 elevation of privilege), and 16 Moderate severity bugs (11 elevation of privilege and 5 information disclosure).
A total of 8 vulnerabilities were addressed in Broadcom components, including a Critical remote code execution bug, a High severity elevation of privilege issue, and five Moderate flaws (4 elevation of privilege and 1 information disclosure). Only one High severity information disclosure bug was addressed in Imgtk components.
The 2017-09-05 security patch level also resolves 11 flaws in Kernel components, including 1 Critical remote code execution, 7 High risk issues (3 elevation of privilege, 3 information disclosure and 1 denial of service), and 3 Moderate bugs (2 elevation of privilege and 1 information disclosure).
As part of this month’s set of patches, 10 vulnerabilities were resolved in MediaTek components, including 7 High risk bugs and 3 Medium severity. All of these flaws were elevation of privilege issues.
All Google devices will receive the 2017-09-05 security patch level, which addresses all vulnerabilities included in that patch string level and the previous patch string levels. However, the patches will be delivered to these devices as part of the upgrade to Android 8.0 Oreo, Google said.
Variant of Android WireX Bot Delivers Powerful UDP Flood Attacks
6.9.2017 securityweek Android Attack
Variant of WireX Android Botnet is Able to Deliver High-volume UDP Flood DDoS Attacks
When several tech companies combined to analyze and hopefully control a new Android-based botnet they called WireX, they described it as focused on low bandwidth HTTP(S) attacks using POST and GET. They missed one variant subsequently analyzed by Qihoo Technology's 360 Flame Labs. This variant of WireX is able to deliver high-volume UDP flood attacks.
Both F5 Networks and Akamai have subsequently analyzed this 'new' variant. Akamai admits that it was 'essentially overlooked' by the original researchers until found and analyzed by Qihoo's Labs. F5 appears to have found it independently. Worryingly, a single bot is capable of generating over 250GB of attack traffic per attack directive.
The analyses show that the INSMainActivity component "runs the show and is responsible for both preliminary bootstrapping and spinning up the command and control (C2) polling services." It polls the p.axclick.store for commands. If it receives a response where the <title> tag is not empty, it spins up the AsyncTask/Vpxbjlowiwzg service. This in turn generates the C2 polling threads, one of which is responsible for the UDP attack logic, including sending out the UDP traffic.
If the initial C2 response contains both a <title> tag and the string 'snewxwri' (WireX is so-named from an anagram of the final 5 characters), then the attack directive string is split() into an Array on this delimiter value. The delimiter separates the target IP address and the port to attack (which is 1337 in Akamai's analysis).
"The UDP attack traffic exiting the infected device uses fairly generic attack characteristics and offers no customization capabilities for the attacker." In this variant/version, the attacker has no options over the packet size, or padding content for the UDP attack -- the bot receives its instructions and runs its attack cycle. Each packet is null (0x00) padded to a length of 512 bytes.
The bot spins up 50 threads. Each thread runs until 10,000,000 packets have been directed at the target, and is replaced by the next thread. "It is possible," writes Akamai, "a victim could receive many more than 500,000,000 packets per a given attacking source. At these rates, a single host is capable of generating over 250GB of attack traffic per attack directive received."
The attack rate is dependent on the speed of the delivering device and its network connections. "The code does not throttle the attack, and as a result will use all resources available on the device. We noticed our Android phone got surprisingly hot to the touch as a result."
WireX is more complex and dangerous than originally thought. "Discovering, and ultimately confirming, that WireX can also launch UDP-based volumetric attacks is important, as they are more likely to impact additional applications and OSI layers. This further expands the botnet's capabilities, raising additional concerns for defenders." No definite WireX UDP DDoS attack has yet been seen.
"Initial samples of WireX were flagged as click fraud malware," comments Akamai.
F5 offers a possible explanation: one command that is triggered only when the application launches is served by the p.axclick.store URL. "It results in the malware opening the default Android browser 10 times and browsing the target URL, which just seems like some basic clickfraud functionality," comment the F5 researchers.
"While it's easy to see how a click fraud bot could be easily repurposed to carry out HTTP(S) attacks," adds Akamai, "this discovery and our research all but confirms that WireX wasn't a click fraud botnet being repurposed to perform DDoS attacks. WireX was purpose built to engage in DDoS attacks from the start. To what end (ransom, ddos-for-hire, etc.), has yet to be fully realized."
F5 also points out that despite the basic nature of the UDP attack itself, "it has good market differentiation in its HTTP functionality. Being based on Android’s WebView class, the thingbot [the term used for IoT-based botnets, such as Mirai] is better equipped with browser-like functionality, making it more resistant to various bot challenges, such as cookie support, redirects, and JavaScript, which are still an obstacle for many DDoS malwares."
What does seem clear is that WireX is at the early stages of its evolution -- but already shows indications that it could develop into a serious threat.
Google removed almost 300 Android apps involved in DDoS attack
3.9.2017 Securityaffairs Android
Google removed almost 300 Android apps from the official Play Store after expert at ESET reported they were abused for a DDoS attack.
This week Google has removed at least 300 apps from the Official Play Store after learning that apps were being hijacked to power DDoS attacks.
“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices”, said a Google spokesperson. “The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere”.
In August, experts from ESET warned of a possible attack: crooks were building a botnet dubbed WireX that has been estimated to be composed of at least 70,000 devices before Google removed the apps.
ESET detection engineer Lukas Stefanko was the first to identify the threat, 20 days before the apps were removed from the Play Store.
“We detected this infiltration as Android/HiddenApp and Android/Clicker, plus we were one of the first to disclose this threat and how to get rid of it”, said Stefanko.
The expert reported his findings to the Google Security team that promptly managed to identify and remove the apps, then the ESET researchers informed the users via Facebook.
ESET suggests that users install up-to-date security software and be aware when applications they have installed change their name or app icon.
“For people that only recently removed one of these infiltrators, or for people that could stumble upon them in the Play store, my advice would be to read comments and app reviews. You should mainly focus on the negative ones, make sure you have installed up-to-date security software and be aware when applications that you’ve installed change name or app icon”, said Lukas.
Android Banking Trojan MoqHao targets South Korea users
30.8.2017 securityaffairs Android
Security researchers from McAfee have spotted a new Android banking Trojan dubbed MoqHao, targeting South Korean users via SMS phishing messages.
Attackers send phishing messages containing a malicious link that tricks victims into believing it points to a lost private picture or a Chrome update.
When victims click on the shortened links in the SMS messages the MoqHao Android banking Trojan is installed, then the malicious code attempts to spread by sending phishing SMS messages to the victims’ contacts.
“Last month, a number of users started posting on South Korean sites screenshots of suspicious SMS messages phishing texts (also known as smishing) to lure them into clicking on shortened URLs.” reads the analysis published by McAfee.
“When the victim clicks on the shortened URL using an Android device, a JavaScript script on the web server checks the user agent of the browser and shows an alert message asking to update Chrome to a new version, which is in fact a malicious fake Chrome Android app.” “If the URL is accessed by any other device (such as an iPad), the web server redirects the user to a security page of Naver, a popular search engine and portal site in South Korea.”
The MoqHao banking Trojan can execute commands sent by the C&C server and collect sensitive information via a local Google phishing website.
Unlike other Android banking Trojans, MoqHao includes java-httpserver to host a phishing page that opens in the default browser once the user clicks on a fake alert message.
Once the victim has downloaded the APK and installed it, the malicious code requests various suspicious permissions, such as “directly call phone numbers,” “read your contacts,” or “read your text messages.” In order to achieve persistence, the malware asks every second for device administrator privileges, even if the victim dismisses the request.
MoqHao monitors user activity by registering a broadcast receiver for system events (i.e. new package install, screen state, SMS messages).
Then the malware also connects to the first-stage remote server and dynamically receives the IP for the second-stage server from the user profile page of Chinese search engine Baidu.
“When connected to the second-stage server, Android/MoqHao sends a “hello” message containing the following device information:
UUID
Device ID (IMEI)
Android version
Device product name, build ID string
Whether the device is rooted
SIM status
Phone number
Registered accounts”
MoqHao checks whether major Korean bank apps are installed and downloads the related Trojanized versions from the C&C server, then alerts the victim that an update is available for the targeted app. Once the victim agrees to install the update, the malicious app replaces the legitimate one.
Experts believe the malware is not complete, or that some features are not yet active.
“During our analysis of this threat, when Android/MoqHao requests the download of a specific fake or Trojanized banking app, the control server responds with an error. Affected users in South Korea have not reported downloads or attempted installation of additional APK files. This suggests that the fake update functionality is probably not implemented or is at least not currently used by the malware authors.” continues the analysis.
The MoqHao banking Trojan was first spotted in January; that was likely just a test version, which was continuously updated in February and March before arriving at a stable release in May.
Experts linked the malware to a hacking campaign that in May 2015 targeted users in South Korea via a phishing message in the default web browser.
Although the two malware families have very similar behaviors, they have completely different code bases.
“The similarities between the 2015 and 2017 phishing campaigns suggests the same cybercriminals, who have shifted from DNS redirection attacks to a smishing campaign. The attackers are still targeting Chrome and getting the control server from a dynamic webpage while changing the code base of the initial dropper component as well as the dynamically loaded payload,” concluded McAfee.
MoqHao Banking Trojan Targets South Korean Android Users
29.8.2017 securityweek Android
A recently spotted Android banking Trojan targeting South Korean users via SMS phishing messages (smishing) was linked to an infection campaign from two years ago, McAfee security researchers reveal.
The mobile phishing messages attempt to lure users into executing malware by claiming to link to a leaked private picture, or by posing as a Chrome update. Once the user clicks on the shortened link in the message, however, the banking Trojan dubbed MoqHao is installed.
Once a device has been compromised, the malware can send phishing SMS messages to the user’s contacts; can leak sensitive information, including received SMS messages; can install Android apps provided by the command and control (C&C) server; can execute remote commands and return results, and can gather sensitive information via a local Google phishing website, McAfee discovered.
During installation, the malware requests various permissions that allow it to perform its nefarious operations, such as call phone numbers, access contacts, and read text messages. Next, the threat requests admin privileges to achieve persistence, and displays the request window continuously, even if the user dismisses it.
MoqHao then dynamically registers a broadcast receiver for system events such as new package install, screen state, SMS messages, and more, which allows it to spy on the user activities and send device status information to the C&C. The malware also connects to the first-stage remote server and dynamically receives the IP for the second-stage server from the user profile page of Chinese search engine Baidu.
After connecting to this server, the malware sends a message containing device information such as: UUID, IMEI, Android version, device product name, build ID string, root status, SIM status, phone number, and registered accounts. Other details are periodically sent to the server, including: network operator and type (LTE, GPRS), MAC address, battery level, Wi-Fi signal level, device admin rights, screen on/off, ringer mode, and whether current package is ignoring battery optimization or not.
The Trojan checks infected devices for major Korean bank apps and downloads relevant fake or Trojanized versions of these programs if it finds them. Next, it alerts the victim that an update is available for the targeted app. Once the victim approves the update, the malicious app replaces the legitimate one.
During analysis, however, the malware’s requests to download the malicious apps resulted in an error. According to McAfee, the functionality might not be implemented or not in use, given that infected users haven’t reported attempted installation of additional APK files.
The security researchers first observed Android/MoqHao in January, but that seemed more like a test version. Updated variants of the malware were observed in February and March, but the first non-test iteration emerged only in May.
The banking Trojan, the researchers say, appears connected to a May 2015 attack targeting users in South Korea via a phishing message in the default web browser. Although that message was very similar to those spreading Android/MoqHao and the two malware variants share some behavior and functionality, the threats have completely different code bases.
“The similarities between the 2015 and 2017 phishing campaigns suggests the same cybercriminals, who have shifted from DNS redirection attacks to a smishing campaign. The attackers are still targeting Chrome and getting the control server from a dynamic webpage while changing the code base of the initial dropper component as well as the dynamically loaded payload,” McAfee says.
Tech Firms Unite to Neutralize WireX Android Botnet
29.8.2017 securityweek Android
Major New WireX Android Botnet Neutralized by Cross-Vendor Collaborative Research
Black clouds on the internet do sometimes have a silver lining. Global attacks such as those from Mirai last year and WannaCry/NotPetya this year have fomented informal collaborative global responses -- one of which happened this month when multiple competitive vendors collaborated in the research and neutralization of a major new botnet called WireX.
The collaboration was informal. Security experts often move around the industry, but usually retain good relationships and continue those relationships. This happened with WireX. It first appeared on August 2nd, but was small enough to be ignored. Two weeks later it ramped up into something altogether different.
In a joint and coordinated announcement and series of blogs, Flashpoint, Akamai, Cloudflare, and RiskIQ have today explained how their researchers, together with researchers from other organizations, detected, collaborated, and ultimately neutralized the botnet.
The initial August 2nd attacks were minimal, suggesting the malware was in development or in the early stages of deployment. "More prolonged attacks have been identified starting on August 15th, with some events sourced from a minimum of 70,000 concurrent IP addresses," say the reports. The targets of the attacks are not specified, but some reports suggest that several large websites in the hospitality sector were taken down.
The attacks were volumetric, attacking the application layer with HTTP GET requests disguised to look like legitimate web traffic. At this level, the attacks were soon detected by multiple cyber security firms, and the collaboration began.
When it did, "the investigation began to unfold rapidly starting with the investigation of historic log information, which revealed a connection between the attacking IPs and something malicious, possibly running on top of the Android operating system."
Analyses of logs from August 17 attacks implicated a particular Android app. Searches using variations of the application name and parameters in the application bundle revealed multiple additional applications from the same, or similarly named authors, with comparable descriptions. Around 300 apps were located. The attacks themselves seem to have come from more than 100 different countries, indicating a wide and successful distribution of the malicious apps.
"We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we're in the process of removing them from all affected devices," says Google. "The researchers' findings, combined with our own analysis, have enabled us to better protect Android users, everywhere."
Many of the apps appear to be legitimate with benign functions, such as media/video players, ringtones or tools such as storage managers -- but "with additional hidden features that were not readily apparent to the end users that were infected." This malware stayed alive and active in background even when the app itself was not in use.
Existing anti-malware tools already detect the malware as 'Android Clicker', leading the researchers to believe it started life as click fraud malware that was later repurposed as a DDoS tool.
This was not a botnet 'takedown' (such as Kelihos earlier this year) in the usual sense, where industry and law enforcement combine to locate and 'seize' or sinkhole the C2 server or servers (although the researchers do proffer their thanks to "the FBI for their assistance in this matter"). This is more a neutralization than a takedown. The collaborative research by the vendors has resulted in isolating the rules that can stop the malformed GET (and potentially also POST) traffic, while Google's efforts to locate and remove the apps from the Play Store (and cleanse infected devices) stops them being originated.
Almost more important than the botnet neutralization, however, is this new example of collaboration between the different companies concerned. "This research is exciting because it's a case study in just how effective collaboration across the industry is," said Allison Nixon, director of security research at Flashpoint. "This was more than just a malware analysis report. The working group was able to connect the dots from the victim to the attacker. The group also used the information to better mitigate the attack and dismantle the botnet -- and this was completed very quickly."
Akamai's senior network architect and security researcher, Jared Mauch, added, "In the case of the WireX botnet, a direct result of our information sharing and other research collaboration was our ability to fully uncover what made this malicious software tick in a much more timely manner."
"I'm proud of our research team and the researchers who worked together to rapidly investigate and mitigate this dangerous new discovery," said Matthew Prince, co-founder & CEO of Cloudflare.
"The WireX botnet operation shows the value of a collaborative response from security firms, service providers, and law enforcement," said Darren Spruell, threat researcher at RiskIQ.
The hope is that this success becomes a repeated example of how the global industry can collaborate to defeat global threats. "This report is an example of how informal sharing can have a dramatically positive impact for the victims and the Internet as a whole," conclude the researchers. "Cross-organizational cooperation is essential to combat threats to the Internet and, without it, criminal schemes can operate without examination."
WAP Billing Trojans Threaten Android Users
25.8.2017 securityweek Android
Several of the pieces of malware targeting Android devices in the second quarter of 2017 abused WAP billing to help cybercriminals make money, Kaspersky reported on Thursday.
Wireless Application Protocol (WAP) billing provides a mechanism for users to acquire content online and have it charged directly to their mobile phone bill so that they don’t have to provide any payment card information. The method is similar to premium SMS services, but it does not involve sending SMS messages and instead users have to click on a button displayed on a website to approve charges.
Android malware abusing WAP billing was spotted in past years, including on Google Play, and it now appears to be making a comeback.
Several of the top 20 most common trojans detected by Kaspersky products in the second quarter abused WAP billing. While a majority of the infections were in Russia and India, victims were also seen in many other countries.
“We haven’t seen these types of Trojans for a while. The fact that they have become so popular lately might indicate that cybercriminals have started to use other verified techniques, such as WAP-billing, to exploit users,” said Roman Unuchek, security expert at Kaspersky Lab. “Moreover, a premium rate SMS Trojan is more difficult to create. It is also interesting that malware has targeted mainly Russia and India, which could be connected to the state of their internal, local telecoms markets.”
The list of trojans that abuse WAP billing includes Trojan-Clicker.AndroidOS.Ubsod, which infected nearly 8,000 devices in Russia and 81 other countries; Xafekopy, which infected more than 5,000 users in India and 47 other countries; Autosus, which infected roughly 1,400 devices in India, South Africa and Egypt; and Podec, which had last been seen in the second quarter of 2016.
These pieces of malware have been used by several cybercrime groups, and while in some cases their development started in late 2016 or early 2017, their use increased significantly at the beginning of summer.
The samples analyzed by Kaspersky disable the infected device's Wi-Fi and enable the mobile data connection, because WAP billing only works over the mobile Internet: the carrier has to be able to identify the subscriber making the online purchase.
The trojans then use JavaScript code to automate certain actions, such as opening web pages and clicking on the buttons associated with WAP billing. By automating these tasks, no user interaction is required for the attack to work.
The malware also deletes incoming SMS messages to avoid raising suspicion. Some samples also abuse Device Administrator rights on the infected Android device to make their removal more difficult.
“We weren’t able to find a reason why so many cybercriminals decided to switch or to start attacking WAP-billing services at the same time,” Unuchek said. “WAP-billing services are not a new thing – in some countries they’ve existed for several years.”
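The behaviours described in the paragraphs above (forcing the device onto mobile data, automating WAP-billing pages with JavaScript, deleting incoming SMS and taking Device Administrator rights) are visible in an unpacked APK as a combination of permissions, manifest components and framework calls. The script below is an added example, not Kaspersky's detection logic: it scores a constructed manifest and a constructed list of referenced API methods (the kind of output apktool, apkanalyzer or androguard produce) against those traits. The rules, weights and alert threshold are the editor's assumptions.

```python
"""Static triage of an unpacked APK for the WAP-billing trojan traits described
above: SMS interception and deletion, Wi-Fi/mobile-data toggling, WebView
JavaScript automation and Device Administrator abuse. Added example; the
manifest and API reference list are constructed, not from a real sample."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest of a hypothetical trojanized wallpaper app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed list of framework methods referenced from the app's DEX code,
# in the form tools such as apkanalyzer or androguard report them.
SAMPLE_API_REFS = [
    "Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z",
    "Landroid/net/ConnectivityManager;->setMobileDataEnabled(Z)V",
    "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V",
    "Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V",
    "Landroid/content/ContentResolver;->delete(Landroid/net/Uri;Ljava/lang/String;[Ljava/lang/String;)I",
    "Landroid/content/BroadcastReceiver;->abortBroadcast()V",
]

# (indicator name, permissions required, API substrings required, weight).
# Weights and the alert threshold are arbitrary choices for this example.
RULES = [
    ("sms_intercept_and_delete", {"android.permission.RECEIVE_SMS"},
     {"BroadcastReceiver;->abortBroadcast", "ContentResolver;->delete"}, 3),
    ("force_mobile_data", {"android.permission.CHANGE_WIFI_STATE"},
     {"WifiManager;->setWifiEnabled", "setMobileDataEnabled"}, 3),
    ("webview_js_automation", set(),
     {"WebView;->loadUrl", "WebView;->addJavascriptInterface"}, 2),
]
ALERT_THRESHOLD = 5


def parse_manifest(xml_text):
    """Return (permissions, has_device_admin_receiver, max SMS_RECEIVED priority)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    device_admin = any(
        r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver"))
    sms_priority = 0
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            sms_priority = max(sms_priority, int(flt.get(ANDROID + "priority", "0")))
    return perms, device_admin, sms_priority


def triage(manifest_xml, api_refs):
    """Score the APK against RULES and return the matched indicators."""
    perms, device_admin, sms_priority = parse_manifest(manifest_xml)
    hits, score = [], 0
    for name, need_perms, need_apis, weight in RULES:
        if need_perms <= perms and all(any(api in ref for ref in api_refs)
                                       for api in need_apis):
            hits.append(name)
            score += weight
    if device_admin:  # resists uninstallation once the user grants admin rights
        hits.append("device_admin_receiver")
        score += 2
    if sms_priority >= 999:  # sees incoming SMS before the default messaging app
        hits.append("high_priority_sms_receiver")
        score += 1
    return {"score": score, "indicators": hits, "suspicious": score >= ALERT_THRESHOLD}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_API_REFS))
```

To run it on a real sample, replace the two constants with the decoded AndroidManifest.xml and the method-reference list from your decompiler. A high-priority SMS_RECEIVED receiver or a BIND_DEVICE_ADMIN receiver on its own is common in legitimate apps (SMS clients, MDM agents), which is why the score only alerts on a combination of traits.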
Over 500 Android Apps On Google Play Store Found Spying On 100 Million Users
24.8.2017 thehackernews Android
Over 500 different Android apps, downloaded more than 100 million times in total from the official Google Play Store, have been found to carry a malicious advertising library that secretly delivers spyware to users and can perform dangerous operations.
Since about 90 per cent of Android apps are free to download from Google Play, advertising is a key revenue source for app developers. To monetize, they integrate a third-party advertising SDK into their apps, which usually does not affect an app's core functionality.
But security researchers at mobile security firm Lookout have discovered that one such SDK, dubbed Igexin, has been delivering spyware to Android devices.
Developed by a Chinese company to offer targeted advertising services to app developers, the rogue Igexin SDK was spotted in more than 500 apps on Google's official marketplace, including:
Games targeted at teens with as many as 100 million downloads
Weather apps with as many as 5 million downloads
Photo editor apps with 5 Million downloads
Internet radio app with 1 million downloads
Other apps targeted at education, health and fitness, travel, and emoji
Chinese Advertising Firm Spying On Android Users
The Igexin SDK was designed for app developers to serve targeted advertisements to its users and generate revenue. To do so, the SDK also collects user data to help target interest-based ads.
But besides collecting user data, the Lookout researchers said they found the SDK behaved maliciously after they spotted several Igexin-integrated apps communicating with malicious IP addresses that deliver malware to devices unbeknownst to the creators of apps utilizing it.
"We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint used by the Igexin ad SDK," the researchers explain in a blog post.
"This sort of traffic is often the result of malware that downloads and executes code after an initially "clean" app is installed, in order to evade detection."
Once the malware is delivered to an infected device, the SDK can gather logs of user information from the device and can also remotely install other plugins, which could record call logs or reveal information about the user's activities.
How to Protect Your Android From This Malware
Google has since removed all the Android apps using the rogue SDK from its Play Store, but if you have already installed one of them on your handset, make sure Google Play Protect is enabled on your device.
Play Protect is Google's newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users' Android smartphones to prevent further harm.
In addition, you are strongly advised to always keep a good antivirus application on your device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up-to-date.
Android malware continues to evolve with more sophisticated and never-seen-before capabilities with every passing day. Last month, we saw the first Android malware with code-injecting capabilities making the rounds on Google Play Store.
A few days after that, researchers discovered another malicious Android SDK ads library, dubbed "Xavier," found installed on more than 800 different apps that had been downloaded millions of times from Google Play Store.
Android Malware Found on Google Play Abuses Accessibility Service
24.8.2017 securityweek Android
A dropper discovered by researchers on Google Play abuses accessibility services in a unique way to deliver Android malware.
The threat was analyzed by experts at Zscaler and Securify after finding an app on Google Play named “Earn Real Money Gift Cards.” The application hides a variant of the Android banking trojan BankBot, whose source code was leaked online in late 2016.
The developer of the app hiding BankBot also created another application present on Google Play, a game named “Bubble Shooter Wild Life.” This game actually works, but it also includes functionality that turns it into a malware downloader.
The dropper appears to be under development, but an analysis of its code, which has been protected by its creator using the Allatori Obfuscator, shows that it first requests permission to draw over other apps. It then waits 20 minutes before initiating its malicious routines, which is likely how it managed to bypass Google’s Bouncer security system.
The dropper then tricks the user into giving it accessibility permissions by displaying a fake Google Service alert. While victims believe they are enabling a “Google Service,” they are actually enabling accessibility features.
Once this step has been completed, a fake Google service update window is displayed and an APK from the device’s memory card is installed in the background. The process that takes place in the background also involves enabling the Android option that allows installation of apps from unknown sources. The user does not need to perform any other actions after accessibility permissions are granted as everything else takes place automatically in the background.
Researchers from both Zscaler and Securify believe this particular type of accessibility services abuse is unique to this piece of malware.
Securify told SecurityWeek that this dropper is sold on dark web marketplaces to cybercriminals looking to deliver Android trojans such as Exo, Mazar and BankBot.
Google has known about the malicious applications, which have a total of less than 5,000 downloads, for at least two days, but they have yet to be removed from Google Play.
Malware that abuses Android accessibility services is not uncommon, but cybercriminals keep finding new ways to exploit the feature. A study conducted last year by enterprise mobile security firm Skycure revealed that a majority of Android devices are vulnerable to attacks that trick users into enabling accessibility features via clickjacking.
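The dropper's privilege chain described above (the draw-over-apps permission, an accessibility service enabled through a fake "Google Service" dialog, "Unknown sources" switched on, and Device Administrator rights, which the WAP-billing trojans earlier on the page also take) leaves traces in device settings that an incident responder can pull over adb. The script below is an added example, not code from Zscaler or Securify: it parses constructed outputs of `settings get secure enabled_accessibility_services`, `settings get secure install_non_market_apps`, `dumpsys device_policy` and `appops get <pkg> SYSTEM_ALERT_WINDOW`. The exact layout of the dumpsys output, the allowlist of known services and the package names are assumptions; on some Android releases the install_non_market_apps key lives in the global rather than the secure namespace.

```python
"""Incident-response check of an Android device for the privileges the dropper
above acquires: an enabled accessibility service, a Device Administrator,
"Unknown sources" switched on, and the draw-over-apps (SYSTEM_ALERT_WINDOW)
permission. Added example, not Zscaler's or Securify's code. The command
outputs below are constructed to resemble the real commands' output; the
dumpsys device_policy layout in particular is an assumption."""
import re

# Constructed output of:  adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                         "com.example.giftcards/com.example.giftcards.GoogleService")

# Constructed output of:  adb shell settings get secure install_non_market_apps
UNKNOWN_SOURCES_SETTING = "1"

# Constructed (assumed layout) excerpt of:  adb shell dumpsys device_policy
DEVICE_POLICY_DUMP = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.giftcards/.AdminReceiver:
      uid=10123
"""

# Constructed output of:  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
APPOPS_OUTPUT = {
    "com.example.giftcards": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m56s ago",
    "com.google.android.marvin.talkback": "No operations.",
}

# Services and admins the device owner knowingly enabled (assumed allowlist).
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback/.TalkBackService"}
KNOWN_ADMINS = set()


def unknown_accessibility_services(setting, known=KNOWN_ACCESSIBILITY):
    """Entries are colon-separated package/service components; an empty setting reads 'null'."""
    if not setting or setting.strip() == "null":
        return []
    return [s for s in setting.split(":") if s and s not in known]


def device_admins(dump_text, known=KNOWN_ADMINS):
    """Pull package/receiver components listed under 'Enabled Device Admins'."""
    admins, in_section = [], False
    for line in dump_text.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section:
            m = re.match(r"\s+([\w.]+/[\w.$]+):?\s*$", line)
            if m and m.group(1) not in known:
                admins.append(m.group(1))
    return admins


def unknown_sources_enabled(setting):
    return setting.strip() == "1"


def overlay_holders(appops_by_pkg):
    """Packages whose SYSTEM_ALERT_WINDOW app-op is 'allow'."""
    return [pkg for pkg, out in appops_by_pkg.items()
            if re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", out)]


def assess(acc_setting, unknown_src, policy_dump, appops):
    """Combine the four checks; a package holding all three privileges is flagged."""
    findings = {
        "accessibility": unknown_accessibility_services(acc_setting),
        "device_admins": device_admins(policy_dump),
        "unknown_sources": unknown_sources_enabled(unknown_src),
        "overlay": overlay_holders(appops),
    }
    pkgs = {c.split("/")[0] for c in findings["accessibility"]}
    pkgs &= {c.split("/")[0] for c in findings["device_admins"]}
    pkgs &= set(findings["overlay"])
    findings["high_confidence_packages"] = sorted(pkgs)
    return findings


if __name__ == "__main__":
    for key, value in assess(ACCESSIBILITY_SETTING, UNKNOWN_SOURCES_SETTING,
                             DEVICE_POLICY_DUMP, APPOPS_OUTPUT).items():
        print(f"{key}: {value}")
```

In practice the four constants are filled from `adb shell` output for the device under investigation (the appops query is run once per installed third-party package). An unknown accessibility service alone is the strongest single indicator, since nothing else on the page grants a third-party app the ability to click through installation prompts on the user's behalf.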
Faketoken evolves and targets taxi booking apps to steal banking info
19.8.2017 securityaffairs Android
Kaspersky discovered a new strain of the mobile banking Trojan Faketoken that displays overlays on top of taxi booking apps to steal banking information.
Security experts from Kaspersky have discovered a new strain of the infamous mobile banking trojan Faketoken that implements capabilities to detect and record an infected device's calls and display overlays on top of taxi booking apps to steal banking information.
“The authors of its newer modifications continue to upgrade the malware, while its geographical spread is growing. Some of these modifications contain overlay mechanisms for about 2,000 financial apps. In one of the newest versions, we also detected a mechanism for attacking apps for booking taxis and paying traffic tickets issued by the Main Directorate for Road Traffic Safety.” states the analysis published by Kaspersky.
In December, Kaspersky observed that the Faketoken banking trojan had been enhanced with file-encrypting (ransomware) abilities.
Now the new variant of the malware dubbed Faketoken.q was improved again to steal credentials from Uber and other booking apps as well.
Faketoken.q is being distributed using bulk SMS messages to trick users into downloading an image file that actually downloads the malware.
The mobile Trojan is composed of two parts: the first is an obfuscated dropper (verdict: Trojan-Banker.AndroidOS.Fyec.az); the second is a file with a .DAT extension that contains the malware's main features.
Once victims have downloaded the Android malware, it installs the necessary modules and the main payload, which hides its shortcut icon and starts monitoring the user's activities, including calls and launched apps.
“After the Trojan initiates, it hides its shortcut icon and starts to monitor all of the calls and whichever apps the user launches. Upon receiving a call from (or making a call to) a certain phone number, the malware begins to record the conversation and sends it to evildoers shortly after the conversation ends.” continues the analysis.
When calls are made to or received from certain phone numbers, Faketoken.q records the conversations and sends the recordings to the attacker's server. The malicious code also checks which apps the victim is using and, when it detects the launch of an app whose interface it can clone, it overlays the app with a fake user interface.
The fake user interface presented by Faketoken.q prompts victims to enter their payment card data, including the bank’s verification code.
Researchers observed that the malware is able to display fake interfaces for many mobile banking apps and other applications, such as:
Android Pay
Google Play Store
Apps for paying traffic tickets
Apps for booking flights and hotel rooms
Apps for booking taxis
The Trojan is able to intercept the incoming SMS messages to obtain the SMS code sent by the bank to authorize transactions, then it forwards the code to C&C server.
It seems that Faketoken.q has been developed to target Russian-speaking users because it only uses the Russian language on the user interface.
To avoid being infected by Faketoken and similar malware, do not install applications from third-party stores and pay attention to unsolicited SMS and email messages you receive on your mobile device.
Android Trojan Now Targets Non-Banking Apps that Require Card Payments
18.8.2017 thehackernews Android
The infamous mobile banking trojan that recently added ransomware features to steal sensitive data and lock user files at the same time has now been modified to steal credentials from Uber and other booking apps as well.
Security researchers at Kaspersky Lab have discovered a new variant of the Android banking Trojan called Faketoken that now has capabilities to detect and record an infected device's calls and display overlays on top of taxi booking apps to steal banking information.
Dubbed Faketoken.q, the new variant of mobile banking trojan is being distributed using bulk SMS messages as their attack vector, prompting users to download an image file that actually downloads the malware.
Malware Spy On Telephonic Conversations
Once downloaded, the malware installs the necessary modules and the main payload, which hides its shortcut icon and begins monitoring everything that happens on the infected Android device, from every call to every launched app.
When calls are made to or received from certain phone numbers on the victim's device, the malware begins to record those conversations and sends the recordings to the attacker's server.
Moreover, Faketoken.q also checks which apps the smartphone owner is using and, when it detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with a fake user interface.
Malware Exploits Overlay Feature to Steal Credit Card Details
In order to achieve this, the Trojan uses the same standard Android feature that many legitimate apps, such as Facebook Messenger and window managers, use to show screen overlays on top of all other apps.
The fake user interface prompts victims to enter their payment card data, including the bank's verification code, which can later be used by attackers to initiate fraudulent transactions.
Faketoken.q is capable of overlaying a large number of mobile banking apps as well as miscellaneous applications, such as:
Android Pay
Google Play Store
Apps for paying traffic tickets
Apps for booking flights and hotel rooms
Apps for booking taxis
Since fraudsters need the SMS code sent by the bank to authorise a transaction, the malware steals incoming SMS message codes and forwards them to the attackers' command-and-control (C&C) server to complete the attack.
According to the researchers, Faketoken.q has been designed to target Russian-speaking users, as it uses the Russian language on the user interface.
Ways to Protect Against Such Android Banking Trojans
The easiest way to prevent yourself being a victim of such mobile banking Trojans is to avoid downloading apps via links provided in messages or emails, or any third-party app store.
You can also go to Settings → Security and make sure "Unknown sources" option is turned off in order to block installation of apps from unknown sources.
Most importantly, verify app permissions before installing apps, even when downloading from the official Google Play store. If an app asks for more permissions than its purpose requires, do not install it.
It's always a good idea to install an antivirus app from a reputed vendor that can detect and block such malware before it can infect your device, and always keep your system and apps up-to-date.
Booking a Taxi for Faketoken
17.8.2017 Kaspersky Android
The Trojan-Banker.AndroidOS.Faketoken malware has been known for more than a year. Over its lifetime it has worked its way up from a primitive Trojan intercepting mTAN codes to an encrypter. The authors of its newer modifications continue to upgrade the malware, while its geographical spread is growing. Some of these modifications contain overlay mechanisms for about 2,000 financial apps. In one of the newest versions, we also detected a mechanism for attacking apps for booking taxis and paying traffic tickets issued by the Main Directorate for Road Traffic Safety.
Not so long ago, thanks to our colleagues from a large Russian bank, we detected a new Trojan sample, Faketoken.q, which contained a number of curious features.
Infection
We have not yet managed to reconstruct the entire chain of events leading to infection, but the application icon suggests that the malware sneaks onto smartphones through bulk SMS messages with a prompt to download some pictures.
The malware icon
The structure of the malware
The mobile Trojan that we examined consists of two parts. The first part is an obfuscated dropper (verdict: Trojan-Banker.AndroidOS.Fyec.az): files like this are usually obfuscated on the server side in order to resist detection. At first glance, it may seem that its code is gibberish:
However, this code works quite well: it decrypts and launches the second part of the malware. This is standard practice these days; unpacked Trojans are very rare.
The second part of the malware, a file with a .DAT extension, contains the malware's main features. The data is encrypted:
By decrypting the data, it is possible to obtain a rather legible code:
After the Trojan initiates, it hides its shortcut icon and starts to monitor all of the calls and whichever apps the user launches. Upon receiving a call from (or making a call to) a certain phone number, the malware begins to record the conversation and sends it to evildoers shortly after the conversation ends.
The code for recording a conversation
The authors of Faketoken.q kept the overlay features and simplified them considerably. So, the Trojan is capable of overlaying several banking and miscellaneous applications, such as Android Pay, Google Play Store, and apps for paying traffic tickets and booking flights, hotel rooms, and taxis.
Faketoken.q monitors active apps and, as soon as the user launches a specific one, it substitutes its UI with a fake one, prompting the victim to enter his or her bank card data. The substitution happens instantaneously, and the colors of the fake UI correspond to those of the original launched app.
It should be noted that all of the apps attacked by this malware sample support linking a bank card in order to make payments, and the terms of some of them make linking a card mandatory in order to use the service at all. As millions of Android users have these applications installed, the damage caused by Faketoken can be significant.
However, the following question may arise: what do fraudsters do in order to process a payment if they have to enter an SMS code sent by the bank? Evildoers successfully accomplish this by stealing incoming SMS messages and forwarding them to command-and-control servers.
We are inclined to believe that the version that we got our hands on is still unfinished, as screen overlays contain formatting artifacts, which make it easy for a victim to identify it as fake:
The screen overlays for the UI of a taxi-booking app
As screen overlays are a documented feature widely used in a large number of apps (window managers, messengers, etc.), protecting yourself against such fake overlays is quite complicated, a fact that is exploited by evildoers.
To this day we still have not registered a large number of attacks with the Faketoken sample, and we are inclined to believe that this is one of its test versions. According to the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries.
Precautions
In order to avoid falling victim to Faketoken and apps similar to it, we strongly discourage the installation of third-party software on your Android device. A mobile security solution like Kaspersky Mobile Antivirus: Web Security & AppLock would be quite helpful too.
MD5
CF401E5D21DE36FF583B416FA06231D5
More than 1,000 Spyware Apps Found On Android App Stores
12.8.2017 thehackernews Android
If you think you are downloading apps from Google Play Store and you are secure, then watch out!
Someone has managed to flood third-party app stores and the Google Play Store with more than a thousand malicious apps, which can monitor almost anything a user does on their mobile device, from silently recording calls to making outbound calls without the user's interaction.
Dubbed SonicSpy, the spyware has been spreading aggressively across Android app stores since at least February and is distributed disguised as a messaging app; it does in fact offer a working messaging service.
SonicSpy Can Perform a Whole Lot of Malicious Tasks
At the same time, the SonicSpy spyware apps perform various malicious tasks, including silently recording calls and audio from the microphone, hijacking the device's camera to snap photos, making outbound calls without the user's permission, and sending text messages to numbers chosen by the attacker.
Besides this, the SonicSpy spyware also steals user information including call logs, contacts and information about the Wi-Fi access points the infected device has connected to, which could easily be used to track the user's location.
The spyware was discovered by security researchers at mobile security firm Lookout. The researchers also uncovered three versions of the SonicSpy-infected messaging app in the official Google Play Store, which had been downloaded thousands of times.
Although the apps in question—Soniac, Hulk Messenger and Troy Chat—have since been removed by Google from the Play Store, they are still widely available in third-party app stores along with other SonicSpy-infected apps.
Iraq Connection to the SonicSpy Spyware
The researchers believe the malware is related to a developer based in Iraq and say the overall SonicSpy malware family supports 73 different remote instructions that its attacker could execute on an infected Android device.
The connection of Iraq to the spyware stems from similarities between SonicSpy and SpyNote, another Android malware that was discovered in July 2016, which was masquerading as a Netflix app and was believed to have been written by an Iraqi hacker.
"There are many indicators that suggest the same actor is behind the development of both. For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port," says Lookout Security Research Services Technology Lead Michael Flossman.
Another important indicator is that the developer account behind Soniac, as listed on the Google Play store, was named "iraqiwebservice."
Here's How the SonicSpy Spyware Works
One of the SonicSpy-infected messaging apps that made it through Google's Play Store masqueraded as a communications tool called Soniac.
Once installed, Soniac removes its launcher icon from the smartphone menu to hide itself from the victim and connects to a command and control (C&C) server in an attempt to install a modified version of the Telegram app.
However, the app also includes many malicious features which allow the attackers to gain almost full control of the infected device and turn it into a spy in your pocket that can silently record audio, make calls, take photos, and pilfer personal data, including call logs, contacts and details about Wi-Fi access points.
Before being removed by Google, the app had already been downloaded between 1,000 and 5,000 times, but since it was part of a family of 1,000 variants, the malware could have infected many thousands more.
SonicSpy Could Get Into Play Store Again
Although SonicSpy-infected apps have now been removed from the Play Store, the researchers warned that the malware could potentially get into the Play Store again with another developer account and different app interface.
"The actors behind this family have shown that they're capable of getting their spyware into the official app store and as it's actively being developed, and its build process is automated, it's likely that SonicSpy will surface again in the future," the researchers warned.
While Google has taken many security measures to prevent malicious apps from making it through its security checks, malicious apps still make their way into the Play Store.
Just last month, we warned you about a clever malware, called Xavier, that was discovered in over 800 different Android apps that had been downloaded millions of times from Google Play Store and silently collected sensitive user data and can perform dangerous tasks.
In April, we reported about the BankBot banking trojan making its way to Google Play Store with the ability to get administrator privileges on infected devices and perform a broad range of malicious tasks, including stealing victim's bank logins.
In the same month, about 2 Million Android users fell victim to the FalseGuide malware hidden in more than 40 apps for popular mobile games, such as Pokémon Go and FIFA Mobile, on the official Google Play Store.
How to Protect yourself against such Malware
The easiest way to avoid being targeted by such clever malware is to be wary of fishy apps, even when downloading them from the official Google Play Store, and to stick to trusted brands.
Moreover, always look at the reviews left by users who have downloaded the app, verify app permissions before installing any app even from the official app stores, and grant only those permissions that are relevant to the app's purpose.
Also, do not download apps from third-party sources. Although in this case the app was also distributed through the official Play Store, victims most often become infected with such malware via untrusted third-party app stores.
Last but not least, you are strongly advised to always keep good antivirus software on your device that can detect and block such malware before it infects your device, and keep your device and apps up-to-date.
SonicSpy Spyware Found in Over One Thousand Android Apps
11.8.2017 securityweek Android
Security researchers have found more than one thousand applications rigged with spyware over the past six months, including some distributed via Google Play.
The applications are part of the SonicSpy malware family and have been aggressively deployed since February 2017 by a threat actor likely based in Iraq, Lookout security researchers say. Google was informed of the malicious activity and has removed at least one of the offending apps from Google Play.
One sample found in Google Play was called Soniac and was posing as a messaging application. Although it does provide the advertised functionality by leveraging a customized version of the Telegram messaging app, the software also includes malicious components, Lookout says.
Once the malicious program has been installed on a device, its author is provided with “significant control” over that device. The overall SonicSpy family of malware includes support for 73 different remote instructions, yet only some are found in Soniac.
Among these, the security researchers mention the ability to silently record audio, an option to take photos with the camera, and the ability to make outbound calls. Additionally, the malware can send text messages to attacker-specified numbers and can retrieve information such as call logs, contacts, and information about Wi-Fi access points.
When executed, SonicSpy removes its launcher icon to hide itself from the victim, then attempts to establish a connection to the command and control (C&C) infrastructure (at arshad93.ddns[.]net). The malware also attempts to install its own custom version of Telegram, which it has stored in the res/raw directory under the name su.apk.
While analyzing the discovered samples, the security researchers found similarities with SpyNote, a malware family first detailed in mid-2016. Based on numerous indicators, the researchers suggest that the same actor is behind the development of both malware families.
According to Lookout, both SonicSpy and SpyNote share code similarities and both make use of dynamic DNS services, in addition to running on the non-standard 2222 port.
The SpyNote attacker, the researchers say, used custom-built desktop software to inject malicious code into the Trojanized apps, allowing the victim to keep using their legitimate functionality. The stream of observed SonicSpy apps suggests the actors behind it use a similar automated build process, but the researchers have not yet recovered that desktop tooling.
Lookout also notes that the account behind Soniac, iraqwebservice, had previously posted two other SonicSpy samples to the Play Store, which are no longer live. Called Hulk Messenger and Troy Chat, the applications contained the same functionality as other SonicSpy samples, but it is unclear whether Google removed them or the actor behind them took them down to evade detection.
“Anyone accessing sensitive information on their mobile device should be concerned about SonicSpy. The actors behind this family have shown that they're capable of getting their spyware into the official app store and as it's actively being developed, and its build process is automated, it's likely that SonicSpy will surface again in the future,” the security researchers conclude.
A new era in mobile banking Trojans
1.8.2017 Kaspersky Android
Svpeng turns keylogger and steals everything through accessibility services
In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.
Accessibility services generally provide user interface (UI) enhancements for users with disabilities or those temporarily unable to interact fully with a device, perhaps because they are driving. Abusing this system feature allows the Trojan not only to steal entered text from other apps installed on the device, but also to grant itself more permissions and rights, and to counteract attempts to uninstall the Trojan.
Attack data suggests this Trojan is not yet widely deployed. In the space of a week, we observed only a small number of users attacked, but these targets spanned 23 countries. Most attacked users were in Russia (29%), Germany (27%), Turkey (15%), Poland (6%) and France (3%). It is worth noting that, even though most attacked users are from Russia, this Trojan won’t work on devices running the Russian language. This is a standard tactic for Russian cybercriminals looking to evade detection and arrest.
The Svpeng malware family is known for being innovative. Starting from 2013, it was among the first to begin attacking SMS banking, to use phishing pages to overlay other apps to steal credentials, and to block devices and demand money. In 2016, cybercriminals were actively distributing Svpeng through AdSense using a vulnerability in the Chrome browser. This makes Svpeng one of the most dangerous mobile malware families, and it is why we monitor the functionality of new versions.
The attack process
After starting, Trojan-Banker.AndroidOS.Svpeng.ae checks the device language and, if it is not Russian, asks the user for permission to use accessibility services. By abusing this one privilege it can do many harmful things: it grants itself device administrator rights, draws itself over other apps, installs itself as the default SMS app, and grants itself dynamic permissions that include the ability to send and receive SMS, make calls, and read contacts. Furthermore, using its newly gained abilities the Trojan can block any attempt to remove its device administrator rights, thereby preventing its uninstallation. Interestingly, in doing so it also blocks any attempt to add or remove device administrator rights for any other app.
Svpeng was able to become a device administrator without any interaction with the user just by using accessibility services.
Using accessibility services allows the Trojan to get access to the UI of other apps and to steal data from them, such as the names of the interface elements and their content, if it is available. This includes entered text. Furthermore, it takes screenshots every time the user presses a button on the keyboard, and uploads them to the malicious server. It supports not only the standard Android keyboard but also a few third-party keyboards.
Some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan has another option to steal data – it draws its phishing window over the attacked app. It is interesting that, in order to find out which app is on top, it uses accessibility services too.
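The accessibility primitives the Trojan abuses, and the check a banking app can run against them, as an added illustration written for this page (not Svpeng's code and not Kaspersky's). The service class shows the three things any accessibility service can do once the user enables it under Settings > Accessibility: learn which package is in the foreground, read text as it is typed into other apps, and press buttons on the user's behalf. The device-admin confirmation screen is assumed to live in the com.android.settings package and to carry an "Activate" button in an English locale; both are assumptions. The AccessibilityGuard class is the defensive side; its allowlist is an assumption the app owner has to fill in.

```java
import android.accessibilityservice.AccessibilityService;
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.util.Log;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityManager;
import android.view.accessibility.AccessibilityNodeInfo;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/*
 * Illustrative accessibility service. To receive window content it must be
 * declared with android:canRetrieveWindowContent="true" and
 * android:accessibilityEventTypes="typeAllMask" in its XML configuration.
 */
public class UiObserverService extends AccessibilityService {
    // Assumed: the device-admin confirmation dialog belongs to the Settings app
    // and, in an English locale, its confirm button reads "Activate".
    private static final String SETTINGS_PKG = "com.android.settings";
    private static final String ACTIVATE_LABEL = "Activate";

    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        CharSequence pkg = event.getPackageName();
        switch (event.getEventType()) {
            case AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED:
                // Foreground-app tracking: this is how an overlay knows when to
                // appear, and how the admin confirmation dialog is recognised.
                if (pkg != null && SETTINGS_PKG.contentEquals(pkg)) {
                    clickButtonLabelled(ACTIVATE_LABEL);
                }
                break;
            case AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED:
                // Text as it is typed into any app: the keylogger primitive.
                List<CharSequence> typed = event.getText();
                Log.d("UiObserver", pkg + ": " + typed);   // a real Trojan would exfiltrate this
                break;
            default:
                break;
        }
    }

    /** Find a clickable node by its visible label in the active window and press it. */
    private boolean clickButtonLabelled(String label) {
        AccessibilityNodeInfo root = getRootInActiveWindow();
        if (root == null) return false;
        for (AccessibilityNodeInfo node : root.findAccessibilityNodeInfosByText(label)) {
            if (node.isClickable() && node.performAction(AccessibilityNodeInfo.ACTION_CLICK)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void onInterrupt() { }
}

/** Defensive side: what a banking app can check before showing sensitive UI. */
class AccessibilityGuard {
    /** Ids ("package/class") of enabled accessibility services whose package is not allowlisted. */
    static List<String> unexpectedServices(Context ctx, Set<String> allowedPackages) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> suspicious = new ArrayList<>();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String id = info.getId();                  // flattened component name, e.g. "com.x/.Svc"
            int slash = id.indexOf('/');
            String pkg = slash > 0 ? id.substring(0, slash) : id;
            if (!allowedPackages.contains(pkg)) suspicious.add(id);
        }
        return suspicious;
    }

    /** Refuse screenshots and screen capture of this window (defeats the per-keystroke screenshots). */
    static void markSecure(Activity activity) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                                      WindowManager.LayoutParams.FLAG_SECURE);
    }
}
```

Two caveats for anyone using the guard: an unexpected service is a reason to warn the user and refuse high-risk actions, not proof of malware, since legitimate screen readers and automation tools use the same API; and FLAG_SECURE stops the screenshot path only, it does not stop a service from reading the accessibility tree or the overlay phishing window the article describes next.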
From the information Svpeng receives from its command and control server (CnC), I was able to intercept an encrypted configuration file and decrypt it to find out the attacked apps, and to obtain a URL with phishing pages.
I uncovered a few antivirus apps that the Trojan attempted to block, and some apps with phishing URLs to overlay them. Like most mobile bankers, Svpeng overlays some Google apps to steal credit card details.
Also, the config file contained a phishing URL for the PayPal and eBay mobile apps to steal credentials and URLs for banking apps from different countries:
UK – 14 attacked banking apps
Germany – 10 attacked banking apps
Turkey – 9 attacked banking apps
Australia – 9 attacked banking apps
France – 8 attacked banking apps
Poland – 7 attacked banking apps
Singapore – 6 attacked banking apps
There was one more app in this configuration file – Speedway app, which is a rewards app, not a financial app. Svpeng will overlay it with a phishing window to steal credentials.
It can also receive commands from the CnC:
To send SMS
To collect info (Contacts, installed apps and call logs)
To collect all SMS from the device
To open URL
To start stealing incoming SMS
Distribution and protection
Trojan-Banker.AndroidOS.Svpeng.ae is distributed from malicious websites as a fake Flash Player. Its malicious techniques work even on fully updated devices with the latest Android version and all security updates installed. By gaining access to only one system feature, this Trojan can acquire all the additional rights it needs and steal a great deal of data.
Triada Trojan Preinstalled on Low-Cost Android Devices
31.7.2017 securityweek Android
Several low-cost Android device models were recently found to feature the Triada Trojan built into their firmware, Dr. Web security researchers say.
Designed as a financial threat, Triada was said last year to be the most advanced mobile malware because it could inject itself into the Zygote parent process, thus running code in the context of all applications. Earlier this year, it adopted sandbox technology (specifically, the open source sandbox DroidPlugin) to improve its detection evasion capabilities.
According to Dr. Web, the malware was recently found embedded in the libandroid_runtime.so system library, which lets it penetrate the processes of all running apps without requiring root privileges. The modified library, the security firm reveals, was found on several mobile devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
“[Triada] is embedded into the source code of the library. It can be assumed that insiders or unscrupulous partners, who participated in creating firmware for infected mobile devices, are to be blamed for the dissemination of the Trojan,” Dr. Web researchers reveal.
The malware was implemented in the library in a way that allows it to get control “each time when an application on the device makes a record to the system log.” The initial launch of the Trojan, the researchers say, is performed by Zygote, which is launched before other applications.
After initialization, the malware sets up parameters, creates a working directory, then checks the environment. If running in the Dalvik environment (the discontinued process virtual machine in Android), it intercepts a system method to keep track of when applications start and injects its malicious code into them immediately after they start.
The Trojan can secretly run additional malicious modules to download other Trojan components. This approach, the security researchers say, can be used to run malicious plugins to steal confidential information and bank credentials, to run cyber-espionage modules, or intercept messages from social media clients and messengers.
Another malicious module Triada can extract and decrypt from libandroid_runtime.so was designed to download additional malicious components from the Internet and to ensure they can interact with each other.
“Since [Triada] is embedded into one of the libraries of the operating system and located in the system section, it cannot be deleted using standard methods. The only safe and secure method to get rid of this Trojan is to install clean Android firmware,” the security researchers warn.
Dr. Web says it has informed the manufacturers of compromised smartphones of the issue. Affected users are advised to install all updates that might be released for their devices.
Experts spotted Triada Trojan in firmware of low-cost Android smartphones
30.7.2017 securityaffairs Android
Malware researchers at the Russian anti-virus firm Dr.Web have spotted the Triada Trojan in the firmware of several low-cost Android smartphones.
Another case of pre-installed malware makes the headlines: malware researchers at the Russian anti-virus firm Dr.Web have spotted the Triada Trojan in the firmware of several low-cost Android smartphones, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
Experts speculate that threat actors compromised the supply chain infecting a small number of smartphones of the above models.
“Virus analytics from Dr.Web detected a malicious program built into the firmware of several mobile devices running Android. The Trojan called Android.Triada.231 is embedded into one of the system libraries. It penetrates processes of all running applications and can secretly download and run additional modules.” reads the analysis published by Dr Web.
The Triada Trojan was found inside the Android OS Zygote core process, the component used to launch programs on mobile devices.
“By infecting Zygote, Trojans embed into processes of all running applications get their privileges and function as part of applications. Then, they secretly download and launch malicious modules.” continues the analysis.
The Triada Trojan was first discovered in March 2016 by researchers at Kaspersky Lab, who at the time described it as the most advanced mobile threat ever seen: the range of techniques it used to compromise mobile devices had not been implemented in any other known mobile malware.
Triada was designed specifically to carry out financial fraud, typically by hijacking SMS-based financial transactions. Its most interesting characteristic is its modular architecture, which in theory gives it a wide range of abilities.
Once initialized, the malware sets up some parameters, creates a working directory, and checks the environment in which it is running. If it is running in the Dalvik environment, it hooks one of the system methods to track the start of all applications and performs its malicious activity immediately after they start.
“The main function of Android.Triada.231 is to secretly run additional malicious modules that can download other Trojan components. To run additional modules, Android.Triada.231 checks if there is a special subdirectory in the working directory previously created by the Trojan. The subdirectory name should include the MD5 value of the software package name of the application, into the process of which the Trojan is infiltrated.” states the analysis.
Experts at Dr.Web explained that the Triada Trojan cannot be deleted using standard methods because it is hidden in one of the operating system's libraries, located in the system partition. To eradicate the threat it is necessary to install clean Android firmware. Dr.Web has notified the manufacturers of the compromised smartphones.
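Two checks an incident responder can run for the indicators described in these two articles, as an added example written for this page (it is not Dr.Web's tooling): hash the system library the Trojan is embedded in and compare it with a reference hash taken from clean firmware of the same model and build, and match directory names against the MD5 of installed package names, which is how Android.Triada.231 names its per-application working subdirectories. The code is plain host-side Java that works on a library pulled with `adb pull /system/lib/libandroid_runtime.so` and on the output of `adb shell pm list packages`; the reference hash, the package list and the directory listing in main are placeholders and constructed sample input.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Host-side triage for the Triada indicators. Everything runs on the analyst's
 * machine against pulled artifacts, so the check never executes inside a
 * process the Trojan may already have injected.
 */
public class TriadaTriage {

    /** Hex SHA-256 of a file, streamed so large libraries are not loaded at once. */
    static String sha256Hex(Path file) throws IOException {
        try (InputStream in = Files.newInputStream(file)) {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[1 << 16];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
            return toHex(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Compare a pulled system library against the hash of a clean copy from the same build. */
    static boolean matchesReference(Path pulledLib, String referenceSha256Hex) throws IOException {
        return sha256Hex(pulledLib).equalsIgnoreCase(referenceSha256Hex);
    }

    /** Lower-case hex MD5 of a package name, the token the Trojan embeds in its subdirectory names. */
    static String md5Hex(String packageName) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            return toHex(md.digest(packageName.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Map each directory name that contains the MD5 of an installed package name back to
     * that package. A hit means the Trojan has run inside that package's process at least once.
     */
    static Map<String, String> matchWorkingDirs(List<String> packages, List<String> dirNames) {
        Map<String, String> byMd5 = new HashMap<>();
        for (String pkg : packages) byMd5.put(md5Hex(pkg), pkg);
        Map<String, String> hits = new HashMap<>();
        for (String dir : dirNames) {
            String lower = dir.toLowerCase();
            for (Map.Entry<String, String> e : byMd5.entrySet()) {
                if (lower.contains(e.getKey())) hits.put(dir, e.getValue());
            }
        }
        return hits;
    }

    /** Parse "package:com.foo.bar" lines as printed by "adb shell pm list packages". */
    static List<String> parsePmList(String output) {
        List<String> pkgs = new ArrayList<>();
        for (String line : output.split("\\R")) {
            line = line.trim();
            if (line.startsWith("package:")) pkgs.add(line.substring("package:".length()));
        }
        return pkgs;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        if (args.length >= 2) {
            // args[0]: pulled libandroid_runtime.so; args[1]: SHA-256 of the clean copy (placeholder input)
            System.out.println("library matches clean reference: "
                    + matchesReference(Paths.get(args[0]), args[1]));
        }
        // Constructed sample input standing in for "pm list packages" output and a directory listing.
        List<String> pkgs = parsePmList("package:com.android.chrome\npackage:com.example.bank\n");
        List<String> dirs = Arrays.asList("cache", "lib", md5Hex("com.example.bank") + "_1");
        System.out.println("packages with a Triada working directory: " + matchWorkingDirs(pkgs, dirs));
    }
}
```

The hash comparison is only meaningful against a clean copy of exactly the same firmware build: Dr.Web's point is that the library was modified in the build itself, so a different legitimate build has a different legitimate hash, and the absence of a clean reference is itself a finding worth escalating to the vendor.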
Google Detects Dangerous Spyware Apps On Android Play Store
27.7.2017 thehackernews Android
Security researchers at Google have discovered a new family of deceptive Android spyware that can steal a whole lot of information on users, including text messages, emails, voice calls, photos, location data, and other files, and spy on them.
Dubbed Lipizzan, the Android spyware appears to be developed by Equus Technologies, an Israeli startup that Google referred to as a 'cyber arms' seller in a blog post published Wednesday.
With the help of Google Play Protect, the Android security team has found Lipizzan spyware on at least 20 apps in Play Store, which infected fewer than 100 Android smartphones in total.
Google has quickly blocked and removed all of those Lipizzan apps and the developers from its Android ecosystem, and Google Play Protect has notified all affected victims.
For those unaware, Google Play Protect is part of the Google Play Store app and uses machine learning and app usage analysis to weed out the dangerous and malicious apps.
Lipizzan: Sophisticated Multi-Stage Spyware
According to Google, Lipizzan is a sophisticated multi-stage spyware tool that gains full access to a target Android device in two steps.
In the first stage, attackers distribute Lipizzan by typically impersonating it as an innocuous-looking legitimate app such as "Backup" or "Cleaner" through various Android app stores, including the official Play store.
Once installed, Lipizzan automatically downloads the second stage, disguised as a "license verification", which surveys the infected device and checks a set of abort criteria, so that the second stage proceeds only on devices where it is unlikely to be detected.
After completing the verification, the second stage malware would root the infected device with known Android exploits. Once rooted, the spyware starts exfiltrating device data and sending it back to a remote Command and Control server controlled by the attackers.
Lipizzan Also Gathers Data from Other Popular Apps
The spyware has the ability to monitor and steal victim's email, SMS messages, screenshots, photos, voice calls, contacts, application-specific data, location and device information.
Lipizzan can also gather data from specific apps, undermining their encryption, which includes WhatsApp, Snapchat, Viber, Telegram, Facebook Messenger, LinkedIn, Gmail, Skype, Hangouts, and KakaoTalk.
There is very little information about Equus Technologies (believed to be behind Lipizzan) available on the Internet. The description on the company's LinkedIn page reads:
"Equus Technologies is a privately held company specialising in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organisations."
Earlier this year, Google found and blocked a dangerous Android spyware, called Chrysaor, allegedly developed by NSO Group, which was being used in targeted attacks against activists and journalists in Israel, Georgia, Turkey, Mexico, the UAE and other countries.
NSO Group Technologies is the same Israeli surveillance firm that built the Pegasus iOS spyware initially detected in targeted attacks against human rights activists in the United Arab Emirates (UAE) last year.
How to Protect your Android device from Hackers?
Android users are strongly recommended to follow these simple steps in order to protect themselves:
Ensure that you have already opted into Google Play Protect.
Download and install apps only from the official Play Store.
Enable 'verify apps' feature from settings.
Protect your device with a PIN or password lock.
Keep "unknown sources" disabled when it is not needed.
Keep your device always up-to-date with the latest security patches.
Google Rolls-Out Play Protect Services for Android
24.7.2017 securityweek Android
After introducing the product at the Google I/O conference in May, Google has now made its Play Protect security services available to all Android users.
Play Protect was designed to combine various Android security services, including Verify Apps and Bouncer, in a single suite integrated into all devices with Google Play. This, Google says, will let users benefit from comprehensive protection capabilities without having to search for and download multiple applications on their devices.
The Internet giant already performs tens of billions of application scans every day in an effort to protect the 2 billion active Android devices around the world. According to Google, it can identify risks, discover potentially harmful applications, prevent them from compromising devices, and even remove them from already infected devices when necessary.
Play Protect was designed to scan all applications in Google Play before they are downloaded, but also periodically all apps installed on connected devices. Thus, it can detect harmful behavior even in applications that haven’t been installed via Google Play.
In fact, Play Protect scans and monitors apps from third-party sources continuously, meaning it could detect malicious activities even if they are performed long after the app was installed (some programs hide their behavior by acting normally in the beginning). Potentially harmful apps are disabled and the user is alerted.
“Google Play Protect continuously works to keep your device, data and apps safe. It actively scans your device and is constantly improving to make sure you have the latest in mobile security. Your device is automatically scanned around the clock, so you can rest easy,” Google claims.
A Find My Device service (previously known as Android Device Manager) is also part of Play Protect, allowing users to easily locate, lock, or wipe phones, tablets, and other types of devices that have been lost or stolen. Safe Browsing, the feature that keeps users protected when surfing the web via Chrome on Android, is also included in the suite.
Users looking to customize the Play Protect options on their devices should head to Settings > Google > Security > Play Protect (previously Verify Apps). Play Protect should be available on all devices running Google Play services 11 or above.
Despite Google’s continuous focus on improving Android safety, malicious apps still manage to slip into Google Play and infect millions. To circumvent the company’s protections, cybercriminals hide their malware in fake system updates, mobile games, utility programs, and fake versions of popular streaming apps.
IntelliAV: Toward the Feasibility of Building Intelligent Anti-Malware on Android Devices
19.7.2017 securityaffairs Android
IntelliAV is a practical intelligent anti-malware solution for Android devices based on the open-source and multi-platform TensorFlow library.
Android is targeted the most by malware coders as the number of Android users is increasing. Although there are many Android anti-malware solutions available in the market, almost all of them are based on malware signatures, and more advanced solutions based on machine learning techniques are not deemed to be practical for the limited computational resources of mobile devices.
There are many reasons for a user to have an intelligent security tool capable of identifying potential malware on the device.
1. The Google Play Store is not totally free of malware. Many zero-day mobile malware samples have been found in Google Play in the past.
2. Third-party app stores are popular among mobile users. Nevertheless, security checks on the third-party stores are not as effective as those available on the Google Play Store.
3. Users are frequently lured by tempting titles, such as free games, while browsing the web, and end up downloading and installing applications directly onto their devices from untrusted websites.
4. Another source of infection is phishing SMS messages that contain links to malicious applications. Recent reports by Lookout and Google show how a targeted-attack malware, namely Pegasus (Chrysaor), which is suspected of infecting devices via a phishing attack, could remain undetected for a few years.
5. One of the main concerns for any computing device in the industry is to make sure that the device a user buys is free of malware. Mobile devices are no exception, and securing the supply chain is extremely difficult given the number of people and companies involved in the supply chain of the components.
There is a recent report that shows how some malware was added to Android devices somewhere along the supply chain before the user received the phone.
6. Almost all Android anti-malware products are signature-based, which lets both variants of known malware families and zero-day threats through to devices. A few Android anti-malware vendors claim to use machine learning approaches, but no details are available on the mechanisms that are actually implemented on the device.
7. Offline (off-device) machine learning analysis would fail against wrapper/downloader malware, as the wrapper/downloader app usually does not reveal enough malicious activity on its own.
IntelliAV (http://www.intelliav.com) is a practical intelligent anti-malware solution for Android devices based on the open-source and multi-platform TensorFlow library.
Details of the system can be found in a paper that the authors will present at the CD-MAKE 2017 conference in September in Reggio Calabria, Italy.
IntelliAV does not aim to propose yet another learning-based system for Android malware detection. Rather, building on the existing literature, the authors tested the feasibility of an on-device intelligent anti-malware tool that tackles the deficiencies of existing Android anti-malware products, which are mainly based on pattern matching techniques.
The architecture of the proposed IntelliAV system consists of two main phases: training the model offline, and then operating it on the device to detect potential malware samples.
In the first phase, a classification model is built offline in a conventional computing environment. There is no need to perform training on the device, because it has to be carried out on a substantial set of samples and repeated whenever needed to take into account the evolution of malware. The model should need updating only rarely: reports by AV-TEST show that just 4% of the total number of Android malware samples are actually new malware.
As the second phase, the model is embedded in the IntelliAV Android application that will provide a risk score for each application on the device.
IntelliAV can scan all of the installed applications on the device, and verify their risk scores (Quick Scan). In addition, when a user downloads an apk, it can be analyzed by IntelliAV before installation to check the related risk score, and take the appropriate decision (Custom Scan).
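How the two phases fit together in code, as an added example written for this page; it is not the IntelliAV implementation (the authors use TensorFlow, and their feature set is not described on this page). The idea it demonstrates is that only feature extraction and inference run on the phone: the model is trained elsewhere and shipped as a set of weights inside the app, which then scores every installed package (Quick Scan) or a downloaded APK before installation (Custom Scan). The feature vocabulary (requested manifest permissions) and the logistic-regression weights below are placeholders standing in for an exported trained model, and permission sets alone are a weak signal.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * On-device scoring with a model trained offline. WEIGHTS and BIAS are
 * placeholders for a logistic-regression model exported after training on a
 * labelled corpus; on the phone we only extract features and evaluate the model.
 */
public class RiskScorer {
    // Feature vocabulary: one binary feature per requested permission (placeholder weights).
    private static final Map<String, Double> WEIGHTS = new LinkedHashMap<>();
    private static final double BIAS = -3.0;
    static {
        WEIGHTS.put("android.permission.SEND_SMS", 1.8);
        WEIGHTS.put("android.permission.RECEIVE_SMS", 1.2);
        WEIGHTS.put("android.permission.READ_SMS", 1.0);
        WEIGHTS.put("android.permission.SYSTEM_ALERT_WINDOW", 1.4);
        WEIGHTS.put("android.permission.RECORD_AUDIO", 0.9);
        WEIGHTS.put("android.permission.READ_CONTACTS", 0.5);
        WEIGHTS.put("android.permission.CALL_PHONE", 0.6);
        WEIGHTS.put("android.permission.CAMERA", 0.3);
        WEIGHTS.put("android.permission.INTERNET", 0.2);
    }

    /** Feature extraction: the set of permissions the manifest requests. */
    static Set<String> featuresOf(PackageInfo info) {
        Set<String> f = new HashSet<>();
        if (info != null && info.requestedPermissions != null) {
            f.addAll(Arrays.asList(info.requestedPermissions));
        }
        return f;
    }

    /** Inference: sigmoid of the weighted feature sum, i.e. a risk score in [0, 1]. */
    static double score(Set<String> features) {
        double z = BIAS;
        for (Map.Entry<String, Double> w : WEIGHTS.entrySet()) {
            if (features.contains(w.getKey())) z += w.getValue();
        }
        return 1.0 / (1.0 + Math.exp(-z));
    }

    /** Quick Scan: a risk score for every installed package. */
    static Map<String, Double> quickScan(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        Map<String, Double> out = new LinkedHashMap<>();
        List<PackageInfo> installed = pm.getInstalledPackages(PackageManager.GET_PERMISSIONS);
        for (PackageInfo info : installed) {
            out.put(info.packageName, score(featuresOf(info)));
        }
        return out;
    }

    /** Custom Scan: score an APK file on disk before the user installs it. */
    static double customScan(Context ctx, String apkPath) {
        PackageInfo info = ctx.getPackageManager()
                .getPackageArchiveInfo(apkPath, PackageManager.GET_PERMISSIONS);
        if (info == null) return Double.NaN;   // not a parseable APK
        return score(featuresOf(info));
    }
}
```

The split matters for the point the article makes about wrapper/downloader malware: because the scorer runs on the device, it can be re-run on every package after installation, not only on the wrapper that was first downloaded, while the model itself is refreshed only when the offline training corpus changes.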
Challenging Modern AV vendors
Based on recent reports by VirusTotal, a growing number of anti-malware developers resort to machine learning approaches for malware detection. However, the main focus of these products appears to be on desktop malware, especially Windows PE malware. Based on the available public information, there is evidence of just two anti-malware developers that use machine learning approaches for Android malware detection, namely Symantec and TrustLook. Their products are installed by more than 10 million users. While it is not clear how these products use machine learning, the authors considered them as two candidates for comparison with IntelliAV. To provide a sound comparison, in addition to the Symantec and TrustLook products, the authors selected three other Android anti-malware products, i.e., AVG, Avast, and Qihoo 360, which are the most popular among Android users, having been installed more than 100 million times. The authors compared the performance of IntelliAV against these products on 2311 recent Android malware samples (from January to March 2017).
As an independent test, IntelliAV was tested by AV-TEST on 500 recent and common Android malware samples in July 2017.
Interestingly, IntelliAV achieved a 96% detection rate even though its last model update was in December 2016, which shows its power in detecting unknown malware.
About the Author Mansour Ahmadi
IntelliAV has been developed at the University of Cagliari, Italy, by Mansour Ahmadi, Angelo Sotgiu, and Giorgio Giacinto. Mansour Ahmadi is a post-doctoral researcher at the PRA lab at the University of Cagliari, Italy. Angelo Sotgiu has a bachelor degree from the University of Cagliari. Prof. Giorgio Giacinto is an Associate Professor of Computer Engineering at the University of Cagliari.
Android Backdoor GhostCtrl can spy on victims and take over Windows Systems
18.7.2017 securityaffairs Android
The GhostCtrl backdoor is an OmniRAT-based Android malware that can spy on victims and steal data, and it was delivered alongside the RETADUP information stealer that targets Windows systems.
Today's smartphones are as powerful as the computers of only a few years ago. Unfortunately, that also means Android phones attract malware much as desktop and laptop computers do: in 2016, Kaspersky Lab registered nearly 40 million attacks by malicious mobile software. Since smartphones are essentially full computers in your pocket, the bad guys are able to use many of the same techniques and sometimes even the same tools. In late 2015 researchers at Avast discovered bad guys using the OmniRat remote administration tool (RAT) to compromise Android phones. On its own OmniRat is not malicious: it is a capable tool for IT staff to provide remote support for Android users, and it even allows remote access to Windows, Linux and Mac systems. That also made it a very good tool for the bad guys to access your systems.
After several quiet months, OmniRat variants have been spotted in the wild and the software has benefitted from some significant updates since we last saw it. Dubbed GhostCtrl by Trend Micro researchers, it can do some “traditional” mobile malware things like:
Upload and download files to or from the bad guys’ servers
Send SMS messages to specified numbers (usually premium-rate numbers)
Provide real time sensor data
As well as some very cool, and scary new things like:
Control the system infrared transmitter
Surreptitiously record voice, audio or video
Use the text-to-speech feature (i.e. translate text to voice/audio)
Clear/reset the password of an account specified by the attacker
Make the phone play different sound effects
Terminate an ongoing phone call
Use the Bluetooth to search for and connect to another device.
“The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device.” states the analysis from Trend Micro.
“Detected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, we’ve named this Android backdoor GhostCtrl as it can stealthily control many of the infected device’s functionalities.”
That is scary enough, especially considering that many bad guys are only now starting to think of creative ways to exploit these new capabilities, but GhostCtrl does not limit itself to Android devices. Compromising a smartphone gives you access to a powerful computer, but most bad guys are after information. GhostCtrl comes with the RETADUP worm, which was recently discovered stealing information from Windows systems in Israeli hospitals.
“GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares.” continues Trend Micro.
How Do You Get Infected?
GhostCtrl comes as an Android Application Package (APK) masquerading as a legitimate Android app such as WhatsApp, Pokemon Go or MMS, anything that will appeal to users. When the wrapper APK is launched, it decodes text from a resource file, writes this string out as another APK and then launches this malicious APK, prompting the user to install it. It is easy to see how a user could be fooled or confused as to what file is asking to be installed and proceed anyway. Once the malicious software is installed, the wrapper APK runs it as a service with no visible icon, allowing the malware to run silently in the background.
Once the malicious application is running in the background, it contacts command and control (C&C) servers on the Internet to determine its next actions, as described above. Depending on the infected target and the motivations of the bad guys, GhostCtrl could be used for any number of malicious activities. If the infected phone is only used by an individual at home, ransomware at the lock screen or pay-for-use SMS messaging is a good bet. However, since GhostCtrl has also been linked with RETADUP, bad guys could find themselves with an Android-based back channel into a Windows environment inside an enterprise, which offers many more opportunities for making money.
There have already been three versions of the GhostCtrl RAT identified in the wild, each adding features and capabilities to the previous version. You should expect that it will continue to be enhanced as it continues to be successful in making money for the authors. And while the Google Play store has hosted malware for brief periods of time, it is unlikely that an APK downloaded from the official Play Store will be GhostCtrl. If you are getting your APKs from anywhere else, you should brace for the worst.
OmniRAT-Based Android Backdoor Emerges
17.7.2017 securityweek Android
A newly discovered Android backdoor appears to be based on the OmniRAT remote administration tool (RAT) that targets Android, Windows, Linux and MacOS devices, Trend Micro security researchers warn.
Dubbed GhostCtrl, the threat masquerades as a legitimate or popular application and uses the names App, MMS, whatsapp, and even Pokemon GO. When launched, however, the malicious Android Application Package (APK) is decoded and saved on the Android device.
The wrapper then dynamically triggers the installation of this APK and the user is prompted to install it. The prompt, Trend Micro explains, will not go away even if the user attempts to dismiss it, eventually annoying the user into accepting the installation.
Once the installation has been completed, a service that helps the malicious code run in the background is launched. The backdoor function is usually named com.android.engine, in an attempt to mislead users into believing it is a legitimate system process.
The malware then connects to the command and control (C&C) server to retrieve commands, which the server sends encrypted, but the malicious APK decrypts them upon receipt.
Trend Micro's researchers also noticed that the backdoor connects to a domain rather than directly to the C&C server's IP address, most probably in an attempt to obscure its traffic. Several dynamic DNS hostnames the researchers discovered at some point led to the same C&C IP address: hef–klife[.]ddns[.]net, f–klife[.]ddns[.]net, php[.]no-ip[.]biz, and ayalove[.]no-ip[.]biz.
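A static triage pass for the two dropper indicators shared by the families on this page, as an added example written for this page (not Trend Micro's or Lookout's tooling): a second APK carried inside the package, as in SonicSpy's res/raw/su.apk, and hard-coded dynamic-DNS hostnames or host:port pairs, as in SonicSpy's C&C on port 2222 and GhostCtrl's *.ddns.net and *.no-ip.biz names. It is plain Java using java.util.zip and runs on the analyst's host against a pulled APK. The dynamic-DNS suffix list is an assumption to extend, and the port check simply treats any explicit port other than 80 and 443 as worth a look.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/** Host-side APK triage: embedded archives plus dynamic-DNS / odd-port hosts in the dex strings. */
public class ApkTriage {
    // Dynamic-DNS providers to flag (assumed starting list; extend for your cases).
    static final List<String> DDNS_SUFFIXES = Arrays.asList(".ddns.net", ".no-ip.biz", ".no-ip.org");
    // hostname with optional ":port"; group(2) is the port. Crude, but fine for ASCII dex strings.
    static final Pattern HOST = Pattern.compile("([a-z0-9-]+\\.)+[a-z]{2,}(:\\d{2,5})?");

    /** Entries under res/raw/ or assets/ whose content starts with the ZIP magic "PK\3\4". */
    static List<String> embeddedArchives(ZipFile apk) throws IOException {
        List<String> hits = new ArrayList<>();
        Enumeration<? extends ZipEntry> entries = apk.entries();
        while (entries.hasMoreElements()) {
            ZipEntry e = entries.nextElement();
            String name = e.getName();
            if (e.isDirectory() || !(name.startsWith("res/raw/") || name.startsWith("assets/"))) continue;
            try (InputStream in = apk.getInputStream(e)) {
                byte[] magic = new byte[4];
                int n = in.read(magic);
                if (n == 4 && magic[0] == 'P' && magic[1] == 'K' && magic[2] == 3 && magic[3] == 4) {
                    hits.add(name);
                }
            }
        }
        return hits;
    }

    /** Printable ASCII runs of at least minLen bytes, like strings(1). */
    static List<String> asciiStrings(byte[] data, int minLen) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (byte b : data) {
            if (b >= 0x20 && b < 0x7f) {
                cur.append((char) b);
            } else {
                if (cur.length() >= minLen) out.add(cur.toString());
                cur.setLength(0);
            }
        }
        if (cur.length() >= minLen) out.add(cur.toString());
        return out;
    }

    /** Strings from every classes*.dex in the package (multidex-aware). */
    static List<String> dexStrings(ZipFile apk, int minLen) throws IOException {
        List<String> out = new ArrayList<>();
        Enumeration<? extends ZipEntry> entries = apk.entries();
        while (entries.hasMoreElements()) {
            ZipEntry e = entries.nextElement();
            if (e.getName().matches("classes\\d*\\.dex")) out.addAll(asciiStrings(readAll(apk, e), minLen));
        }
        return out;
    }

    /** Hosts on a dynamic-DNS suffix, or any host carrying an explicit port other than 80/443. */
    static List<String> suspiciousHosts(List<String> strings) {
        List<String> out = new ArrayList<>();
        for (String s : strings) {
            Matcher m = HOST.matcher(s.toLowerCase());
            while (m.find()) {
                String host = m.group();
                String bare = host.contains(":") ? host.substring(0, host.indexOf(':')) : host;
                boolean ddns = DDNS_SUFFIXES.stream().anyMatch(bare::endsWith);
                String port = m.group(2);
                boolean oddPort = port != null && !port.equals(":80") && !port.equals(":443");
                if (ddns || oddPort) out.add(host);
            }
        }
        return out;
    }

    static byte[] readAll(ZipFile apk, ZipEntry e) throws IOException {
        try (InputStream in = apk.getInputStream(e); ByteArrayOutputStream bos = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) bos.write(buf, 0, n);
            return bos.toByteArray();
        }
    }

    public static void main(String[] args) throws IOException {
        try (ZipFile apk = new ZipFile(args[0])) {          // args[0]: path to the pulled APK
            System.out.println("embedded archives: " + embeddedArchives(apk));
            System.out.println("suspicious hosts:  " + suspiciousHosts(dexStrings(apk, 8)));
        }
    }
}
```

The archive check finds payloads stored as-is; GhostCtrl decodes its inner APK from an encoded resource string, so for that family the resource has to be decoded first (and the third variant obfuscates its strings), which is why a hit on either indicator is a reason to decompile, not a verdict on its own.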
“A notable command contains action code and Object DATA, which enables attackers to specify the target and content, making this a very flexible malware for cybercriminals. This is the command that allows attackers to manipulate the device’s functionalities without the owner’s consent or knowledge,” Trend Micro says.
The malware can control the Wi-Fi state; monitor the phone sensors’ data in real time; set phone’s UiMode, like night mode/car mode; control the vibrate function; download pictures as wallpaper; list the file information in the current directory and upload it to the C&C; delete/rename a file in the indicated directory; upload a desired file to the C&C; create an indicated directory; use the text to speech feature (translate text to voice/audio); send SMS/MMS to a number; delete browser history or SMS; download a file; call a phone number; open activity view-related apps; control the system infrared transmitter; and run a shell command and upload the output result.
“Another unique C&C command is an integer-type command, which is responsible for stealing the device’s data. Different kinds of sensitive—and to cybercriminals, valuable—information will be collected and uploaded, including call logs, SMS records, contacts, phone numbers, SIM serial number, location, and browser bookmarks,” the researchers explain.
Compared to other Android info-stealers, GhostCtrl can pilfer a great deal of data in addition to the above: Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper.
Furthermore, the malware can intercept text messages from phone numbers specified by the attacker and can record voice or audio and upload the recording to the C&C. All the stolen data is sent to the server encrypted.
The malware also includes a series of commands that aren’t usually seen in Android RATs, such as the option to clear/reset the password of an account, set the phone to play different sound effects, specify the content in the Clipboard, customize the notification and shortcut link, control the Bluetooth to search and connect to another device, or set the accessibility to TRUE and terminate an ongoing phone call.
The first GhostCtrl packed a framework to gain admin-level privilege, but had no function codes. These, however, were included in the subsequent variants, which also exposed an increasing number of device features to hijacking. The second version could also work as ransomware by locking the device’s screen and resetting the password, and could root the device. The third version, the security researchers say, includes obfuscation techniques to hide its malicious routines.
“GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares,” Trend Micro said.
Google Silently Adds 'Panic Detection Mode' to Android 7.1 – How It's Useful
11.7.2017 thehackernews Android
How often do you click the 'back' or the ‘Home’ button on your mobile device to exit an application immediately?
I believe several times in a single day, because a large number of apps have no exit button to force-close them directly; instead you go back and back and back until they exit.
Sometimes Android users expect the back button to take them to the previous page, but sometimes they really want to exit the app immediately.
This has real usability implications: many users of low-performance mobile devices believe that pressing the back button repeatedly kills the app and frees memory, but it doesn't.
Google has now addressed this issue and silently included a feature in Android 7.1 Nougat that allows users to exit apps by pressing the 'back' key successively, more than four times within 0.3 seconds.
Dubbed "Panic Detection Mode," the feature runs in the background of the Android operating system, detects the 'panic' of a user repeatedly pressing the back button to exit an app, and lets the operating system override the application and send the user safely back to the home screen.
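To make the mechanism concrete, here is a small model of the back-key counting the article describes. This is an added example, not Android's own code: it assumes that a press more than 0.3 seconds after the previous one starts a new sequence, and that the gesture fires once more than four presses have been chained together, which is how the article's "more than four times within 0.3 seconds" is read here. The timestamps fed in are constructed.

```python
"""Model of the back-key 'panic' gesture described in the article.

Added example, not code from AOSP. Assumptions taken from the article:
more than PANIC_PRESS_COUNT presses in a row, with no more than
PANIC_PRESS_INTERVAL_S between consecutive presses, count as a panic.
"""

PANIC_PRESS_COUNT = 4         # presses beyond this number trigger the gesture
PANIC_PRESS_INTERVAL_S = 0.3  # maximum gap between two successive presses


class PanicDetector:
    def __init__(self, count=PANIC_PRESS_COUNT, interval=PANIC_PRESS_INTERVAL_S):
        self.count = count
        self.interval = interval
        self._presses = 0
        self._last_ts = None

    def back_pressed(self, ts):
        """Record a back-key press at time ts (seconds).

        Returns True when this press completes a panic gesture; the counter
        is then reset so the gesture fires once per burst.
        """
        if self._last_ts is None or ts - self._last_ts > self.interval:
            self._presses = 1          # gap too long: start a new sequence
        else:
            self._presses += 1
        self._last_ts = ts
        if self._presses > self.count:
            self._presses = 0
            self._last_ts = None
            return True
        return False


def detect_panic(timestamps, **kwargs):
    """Feed a list of press times to a detector; return the times at which
    a panic gesture was recognised."""
    detector = PanicDetector(**kwargs)
    return [ts for ts in timestamps if detector.back_pressed(ts)]


if __name__ == "__main__":
    # Constructed press times: normal navigation, then a frantic burst.
    print(detect_panic([0.0, 1.0, 2.5]))                     # no panic
    print(detect_panic([5.0, 5.1, 5.2, 5.3, 5.4]))           # fires at 5.4
```

Normal navigation never chains enough presses, while a burst of five presses 0.1 seconds apart is recognised on the fifth press; a slower burst of four followed by a pause starts the count over.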
While Google did not publicly make any announcement about the panic detection mode feature, XDA Developers yesterday unearthed the feature within the source code of Android 7.1 Nougat.
Since then, a number of media outlets have described the Android 7.1 Nougat Panic Detection Mode as a security feature that protects Android devices from malicious applications.
It has been reported as a new security feature that counts the number of times a user presses the back button within a certain amount of time and lets users exit apps that go rogue and try to take control of the device.
But the feature seems to have been developed by Google engineers with usability, not security, as the priority.
Activating panic detection mode neither automatically detects a malicious app and reports it back to Google, nor does it behave any differently for a legitimate app.
However, it can help Android users kill a rogue app instantly in some cases; but again, it is up to users to identify malicious apps themselves and remove them manually.
So the feature is also useful if a malicious application takes control of the display and prevents you from backing out of it.
The 'panic detection mode' feature is currently limited to the devices running Android 7.1 Nougat, and not available for all the Android users, XDA Developers pointed out. The feature also needs to be manually enabled by the user.
Google works hard to keep its Android operating system safe and secure, but malware still makes its way onto the platform, especially through malicious apps, even on Google's own Play Store.
It appears that Google also plans a wider implementation of the 'panic detection mode' feature in the upcoming version of its Android OS and will most likely enable it by default in future releases.
BroadPwn potentially exposes millions of Android devices using Broadcom Wi-Fi chips to remote hacking
7.7.2017 securityaffairs Android
Google warned of a serious flaw dubbed BroadPwn in some Broadcom Wi-Fi chipsets that potentially impacts millions of Android devices.
In its monthly security update for Android devices, Google warned of a serious flaw, dubbed BroadPWN, in some Broadcom Wi-Fi chipsets that potentially impacts millions of Android devices, as well as some iPhone models.
BroadPwn is a critical remote code execution vulnerability, tracked as CVE-2017-3544, that affects the Broadcom BCM43xx family of WiFi chipsets. Remote attackers can trigger the flaw without user interaction to execute malicious code on vulnerable devices with kernel privileges.
“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process,” reads the Google July 2017 Android Security Bulletin.
The BroadPwn issue was reported by Exodus Intelligence expert Nitay Artenstein, who will present his analysis at the upcoming Black Hat 2017 conference.
“Meet Broadpwn, a vulnerability in Broadcom’s Wi-Fi chipsets which affects millions of Android and iOS devices, and can be triggered remotely, without user interaction. The Broadcom BCM43xx family of Wi-Fi chips is found in an extraordinarily wide range of mobile devices – from various iPhone models, to HTC, LG, Nexus and practically the full range of Samsung flagship devices.
“In this talk, we’ll take a deep dive into the internals of the BCM4354, 4358 and 4359 Wi-Fi chipsets, and explore the workings of the mysterious, closed-source HNDRTE operating system. Then, we’ll plunge into the confusing universe of 802.11 standards in a quest to find promising attack surfaces.” states the abstract of the talk.
Google also patched 10 critical RCEs and more than 100 high and moderate issues. The company also fixed several critical flaws affecting the Android Mediaserver process, some of which could be exploited by a remote attacker to achieve code execution. An input validation flaw in the libhevc library, tracked as CVE-2017-0540, can be exploited using a specifically crafted file.
“A remote code execution vulnerability in libhevc in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33966031.” reads the vulnerability description.
As usual, Google has already issued security updates for Pixel and Nexus devices, but other Android devices will remain vulnerable until OEMs fix the issues too.
Millions of Android Devices Using Broadcom Wi-Fi Chip Can Be Hacked Remotely
7.7.2017 thehackernews Android
Google has released its latest monthly security update for Android devices, including a serious bug in some Broadcom Wi-Fi chipsets that affects millions of Android devices, as well as some iPhone models.
Dubbed BroadPwn, the critical remote code execution vulnerability resides in Broadcom's BCM43xx family of WiFi chipsets; it can be triggered remotely without user interaction and allows a remote attacker to execute malicious code on targeted Android devices with kernel privileges.
"The most severe vulnerability in this [runtime] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," Google describes in the July 2017 Android Security Bulletin.
The BroadPwn vulnerability (CVE-2017-3544) has been discovered by Exodus Intelligence researcher Nitay Artenstein, who says the flawed Wi-Fi chipset also impacts Apple iOS devices.
Since Artenstein will be presenting his findings at the Black Hat 2017 event, details about the BroadPwn bug are scarce at this moment.
"The Broadcom BCM43xx family of Wi-Fi chips is found in an extraordinarily wide range of mobile devices – from various iPhone models to HTC, LG, Nexus and practically the full range of Samsung flagship devices," the abstract for Artenstein's talk says.
Besides the fix for the BroadPwn vulnerability, July's Android Security Bulletin includes patches for 10 critical vulnerabilities, all of them remote code execution bugs, as well as 94 high- and 32 moderate-rated issues.
Two months ago, an over-the-air hijacking vulnerability was discovered in Broadcom WiFi SoC (system-on-chip) chips, allowing attackers on the same WiFi network to remotely hack iPhones, iPads, iPods and Android handsets without any user interaction.
At that time, Apple rushed out an emergency iOS patch update to address the serious bug, and Google addressed the flaw in its Android April 2017 security updates.
Android Security Bulletin: July 2017 Updates
Among the other critical flaws is a long list of vulnerabilities in the Mediaserver process in the Android operating system, which also allows attackers to perform remote code execution on the affected devices.
One of the vulnerabilities is an issue with the way the framework handles some specific files. The libhevc library has an input validation vulnerability (CVE-2017-0540), which can be exploited using a crafted file.
"A remote code execution vulnerability in libhevc in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing," the vulnerability description says.
"This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process."
The over-the-air updates and firmware for Google devices have already been issued by the company for its Pixel and Nexus devices, though the rest of the Android ecosystem still needs to wait for an update from OEMs, leaving millions of Android devices vulnerable for the next few months.
CopyCat Android malware infected 14 Million devices and rooted 8 Million
7.7.2017 securityaffairs Android
Researchers at Check Point spotted a new family of Android malware dubbed CopyCat that infected 14 million devices and rooted 8 million of them.
Researchers at Check Point’s Mobile Research Team have spotted a new family of Android malware that infected 14 million devices and rooted 8 million of them.
According to the experts, the new strain of Android malware, dubbed CopyCat, allowed its authors to earn $1.5 million from April to May 2016 through an ad fraud scheme.
“Check Point researchers identified a mobile malware that infected 14 million Android devices, rooting approximately 8 million of them, and earning the hackers behind the campaign approximately $1.5 million in fake ad revenues in two months.” states the analysis published by the researchers. “CopyCat is an extensive campaign that infected 14 million devices globally, rooting 8 million of them, in what researchers describe as an unprecedented success rate. Check Point researchers estimate that the malware generated $1.5 million for the group behind the campaign.”
Researchers with Check Point’s Mobile Research Team spotted CopyCat in March. The largest number of infections is in Southeast Asia (55%) and Africa (18%), but infections in the US are increasing.
Attackers spread the malware by trojanizing popular apps that were made available for download on third-party app stores.
Once installed on the target mobile device, the malware waits for the device to reboot, then downloads a series of exploits from an Amazon S3 bucket in order to root the device.
“Once the device has restarted, CopyCat downloads an “upgrade” pack from an S3 bucket, a web storage service provided by Amazon. This pack contains six common exploits with which the malware attempts to root the device.” continues the analysis.
“If successful, CopyCat installs another component to the device’s system directory, an activity which requires root permissions, and establishes persistency, making it difficult to remove”
The malware injects code into Zygote, the Android core process that launches apps; with this technique the attackers gain admin privileges.
CopyCat isn’t the first malware to target Zygote: in 2016, experts at Kaspersky and at Check Point found the Triada Android Trojan using the same technique.
According to the experts at Check Point, the CopyCat authors inject code into the Zygote process to get credit for fraudulently installed apps on the device, swapping out the referrer IDs of legitimate apps with their own.
The crooks also earn money by displaying fake ads and installing fake apps.
The analysis of the C&C servers revealed that between April and May the attackers served fake ads to 3.8 million devices, while stealing credit for installing apps from Google Play on 4.4 million other devices.
It’s interesting to note that the CopyCat malware used a set of old exploits to root millions of devices, such as Towelroot; other exploits date from 2014 and 2013. This means the success of the CopyCat attack was possible due to the large number of unpatched devices.
Malware experts believe that the Chinese MobiSummer ad network could be behind the CopyCat malware.
“It is unclear who is behind the CopyCat attack, however, there are several connections to MobiSummer, an ad network located in China. It is important to note that while these connections exist, it does not necessarily mean the malware was created by the company, and it is possible the perpetrators behind it used MobiSummer’s code and infrastructure without the firm’s knowledge.” states the analysis.
“The first connection between the company and the malware is the server, which operates both the malware and some of MobiSummer’s activity. In addition, some of the malware’s code is signed by MobiSummer itself, and some of the remote services used by the malware were created by the company. The malware also refrains from targeting Chinese devices, suggesting the malware developers are Chinese and want to avoid any investigation by local law enforcement, a common tactic in the malware world.”
Check Point reported findings of its investigation to Google.
Mozilla Brings Privacy-Focused Browser to Android
21.6.2017 securityweek Android
After making it available for iOS devices in November 2016, Mozilla this week brought its privacy-focused mobile browser to Android.
Called Firefox Focus, the application is designed to address the various threats to user privacy that loom on the web, while also providing users with a fast, free, and easy-to-use browsing experience.
On iOS, the browser currently enjoys a 4.6 average rating on the App Store, making it “the highest rated browser from a trusted brand for the iPhone and iPad,” Mozilla says.
The browser’s main feature is that it blocks ad, analytics, social, and various other trackers without requiring users to change their settings. Because of that, it gives users more control over how their online activities are tracked on their devices, whether they browse from a smartphone or a tablet.
The Android version packs the very same features, and is “free of tabs and other visual clutter,” Mozilla’s Barbara Bermes reveals. Like its iOS counterpart, the application allows users to browse the web without being followed by tracking ads, which also makes for a faster experience.
Additionally, the browser features an easily accessible “Erase” button that allows users to clear the browsing session data with a single tap. All of the privacy enhancements in Firefox Focus, Mozilla says, are available without requiring users to modify their settings.
“Browse like no one’s watching. The new Firefox Focus automatically blocks a wide range of online trackers — from the moment you launch it to the second you leave it. Easily erase your history, passwords and cookies, so you won’t get followed by things like unwanted ads,” Mozilla notes in the browser’s description in Google Play.
According to Bermes, Firefox Focus for Android comes with some additional features, such as an ad tracker counter (to see how many ads are blocked per site), the option to disable tracker blocker (for sites that are not loading correctly), and a notification reminder (it reminds users they can easily tap to erase the browsing history while the browser runs in the background).
“For Android users we also made Focus a great default browser experience. Since we support both custom tabs and the ability to disable the ad blocking as needed, it works great with apps like Facebook when you just want to read an article without being tracked,” Bermes continues.
The browser, she notes, was meant to empower users on the mobile web, and is expected to receive new features that will improve the experience it provides.
Chrome is currently the uncontested leader in the browser market, but Mozilla’s privacy-focused application could impact its dominance, Chris Olson, CEO of The Media Trust, told SecurityWeek in an emailed statement.
“It will be interesting to see how this latest Firefox browser will impact Chrome's dominance of the browser market. In attempts to differentiate itself with default ad blocking, Firefox is potentially alienating partners in the hopes of driving user adoption. It remains to be seen how many users disable the ad block feature as many of the world's most heavily-trafficked websites won't load properly on mobile devices when an ad blocker is active,” Olson said.
Firefox Focus for Android is available via Google Play, while the iOS version can be downloaded through the App Store.
Two Ztorg Trojans Removed from Google Play Store Are Definitely Better
21.6.2017 securityaffairs Android
For the second time in a month, Google removed malicious apps infected with the Ztorg Trojans that could allow attackers to root targeted devices.
Most software developers update their apps to patch vulnerabilities and add new features. But when the software is malware, an update could be the worst thing to do. The Google Play Store is always working to prevent malware from being downloaded by unsuspecting users, and recently two apps built with the Ztorg malware were removed. The two apps, “Magic Browser” and “Noise Detector,” are believed to have been benign when they were originally uploaded to the Play Store, but the bad guys updated the software using the malware toolkit over time.
The Ztorg Malware toolkit was identified by Kaspersky Labs in September, 2016 with “Guide for Pokémon Go.” At the time it was identified the Guide had been downloaded over 500,000 times and researchers estimate at least 6,000 successful infections. Since that time, dozens of apps associated with Ztorg have been distributed and eventually removed from the Google Play Store. And like all good developers, the bad guys using Ztorg are adding features and capabilities over time.
Once the initial app is installed, it utilizes a wide range of advanced techniques to evade detection, get updates from the Command and Control infrastructure and ultimately try to get Root on the phone. From Fortinet researchers:
It implements many emulator detection features. It detects the Android SDK emulator, but also emulators from Genymotion, Bluestacks and BuilDroid. It also detects tainted environments. Several of its checks will be difficult to bypass.
It uses string obfuscation, based on XOR.
It communicates with a remote server using DES-CBC encryption.
It downloads, installs and launches an Android application from that remote server.
What happens when your smartphone is infected with a Ztorg trojan? Like most malware, the bad guys’ ultimate objective is to make money. Initial Ztorg trojans leveraged AdWare to generate money for the bad guys through legitimate advertising networks. Some of the techniques included redirecting webpages, messing with search results and collecting information about what sites you visit. These are legitimate, if unwanted, business activities, but in the case of the bad guys distributing trojan apps, the users participate unknowingly. The bad guys get all the profits, and the users get a poorly performing phone, that may even become unstable or unusable.
The two apps recently removed from the Google Play Store, “Magic Browser” and “Noise Detector” show an evolution of Ztorg Trojan capabilities and include some nifty new techniques for making illegitimate money. Premium Rate SMS is a business model where an individual sends a specific text message and the fees are automatically charged to the user’s mobile phone bill. For example, you could donate money for disaster relief simply by texting an amount with your phone. The latest Ztorg trojan leverages this Premium Rate SMS system, with the proceeds going to the bad guys. And like the rest of the Ztorg system, they use some sophisticated techniques to maximize their profits and minimize their chances of being caught.
Once infected, the trojan lies dormant for 10 minutes. In this way, if the user notices something odd, they are less likely to associate it with the app they just installed. After the delay, the trojan sends the first five digits of the phone’s International Mobile Subscriber Identity (IMSI) to the C&C servers. This part of the IMSI identifies which network the phone is connected to, and in which country. With this information the C&C can determine which Premium Rate SMS services are available, and the trojan starts racking up the bills. And since most of these SMS services reply with a text message receipt or notice, the Ztorg Trojans delete incoming SMS messages. It seems obvious that a user would notice missing legitimate messages, but in the meantime the bad guys are counting their profits.
Mobile phones are convenient because they are compact, powerful and use a lot of simple shortcuts to make up for the lack of a keyboard and a large screen. App stores make it easy to install new apps, but it isn’t always obvious what the apps themselves are doing.
“The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible. Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days’ time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection,” says Roman Unuchek, researcher at Kaspersky Labs.
Ztorg: from rooting to SMS
20.6.2017 Kaspersky Android
I’ve been monitoring Google Play Store for new Ztorg Trojans since September 2016, and have so far found several dozen new malicious apps. All of them were rooting malware that used exploits to gain root rights on the infected device.
Then, in the second half of May 2017, I found one that wasn’t. Distributed on Google Play through two malicious apps, it is related to the Ztorg Trojans, but it is not rooting malware: it is a Trojan-SMS that can send Premium rate SMS and delete incoming SMS. The apps had been installed from Google Play more than 50,000 and 10,000 times respectively.
Kaspersky Lab products detect the two Trojan apps as Trojan-SMS.AndroidOS.Ztorg.a. We reported the malware to Google, and both apps have been deleted from the Google Play Store.
The first malicious app, called “Magic browser” was uploaded to Google Play on May 15, 2017 and was installed more than 50,000 times.
Trojan-SMS.AndroidOS.Ztorg.a on Google Play Store
The second app, called “Noise Detector”, with the same malicious functionality, was installed more than 10,000 times.
Trojan-SMS.AndroidOS.Ztorg.a on Google Play Store
What can they do?
After starting, the Trojan will wait for 10 minutes before connecting to its command and control (C&C) server. It uses an interesting technique to get commands from the C&C: it makes two GET requests to the C&C, and in both includes part of the International Mobile Subscriber Identity (IMSI). The first request will look like this:
GET c.phaishey.com/ft/x250_c.txt, where 250 is the first three digits of the IMSI.
If the Trojan receives some data in return, it will make the second request. The second request will look like this:
GET c.phaishey.com/ft/x25001_0.txt, where 25001 is the first five digits of the IMSI.
Why does the Trojan need these digits from the IMSI?
The interesting thing about the IMSI is that the first three digits are the MCC (mobile country code) and the digits that follow are the MNC (mobile network code). Using these digits, the cybercriminals can identify the country and mobile operator of the infected user. They need this to choose which premium rate SMS should be sent.
In answer to these requests, the Trojan may receive an encrypted JSON file with some data. This data should include a list of offers, and every offer carries a string field called ‘url’, which may or may not contain an actual url. The Trojan will try to open/view the field using its own class. If this value is indeed a url, the Trojan will show its content to the user. But if it is something else and carries an “SMS” substring, the Trojan will send an SMS containing the text supplied to the number provided.
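The two-stage request pattern above (and the same five-digit IMSI prefix described in the securityaffairs write-up of the same Trojan earlier on this page) is easy to spot in web-proxy logs. The following added example, which is not Kaspersky's code, shows how the Trojan derives the two paths from an IMSI and how a defender can match those paths in proxy log lines. The IMSI, the log lines and the log line layout (timestamp, client, method, URL, status) are constructed; the hostname and path shapes are the ones quoted above.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: a made-up IMSI whose first five digits
# (MCC 250, MNC 01) match the prefix shown in the requests quoted above.
# It is not a real subscriber identity.
SAMPLE_IMSI = "250011234567890"

# Hostname quoted in the article, kept intact so request URLs can be matched.
C2_HOST = "c.phaishey.com"


def split_imsi(imsi):
    """Return (mcc, mnc) for an IMSI string.

    The MCC is always the first three digits. The MNC follows it and is two
    digits in most of the world (three in North America); the Trojan sends
    only the first five digits, so two MNC digits are taken here.
    """
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    return imsi[:3], imsi[3:5]


def ztorg_request_paths(imsi):
    """Paths of the two GET requests described in the article, in order."""
    mcc, mnc = split_imsi(imsi)
    return [f"/ft/x{mcc}_c.txt", f"/ft/x{mcc}{mnc}_0.txt"]


# Stage 1: /ft/x<MCC>_c.txt      Stage 2: /ft/x<MCC><MNC>_0.txt
_BEACON_RE = re.compile(r"^/ft/x(?P<mcc>\d{3})(?P<mnc>\d{2})?_(?P<stage>[c0])\.txt$")


def classify_path(path):
    """Return {'stage', 'mcc', 'mnc'} if path matches a beacon, else None."""
    m = _BEACON_RE.match(path)
    if not m:
        return None
    stage, mnc = m.group("stage"), m.group("mnc")
    if (stage == "c") != (mnc is None):   # stage 'c' has 3 digits, '0' has 5
        return None
    return {"stage": 1 if stage == "c" else 2, "mcc": m.group("mcc"), "mnc": mnc}


def find_beacons(log_text):
    """Scan 'timestamp client method url status' proxy lines for beacons."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "GET":
            continue
        url = urlparse(fields[3])
        info = classify_path(url.path)
        if info is not None:
            hits.append({"time": fields[0], "client": fields[1],
                         "host": url.hostname, **info})
    return hits


# Constructed proxy log lines: one infected client, one unrelated lookalike.
SAMPLE_PROXY_LOG = """\
2017-05-20T10:01:03Z 10.0.0.12 GET http://c.phaishey.com/ft/x250_c.txt 200
2017-05-20T10:01:04Z 10.0.0.12 GET http://c.phaishey.com/ft/x25001_0.txt 200
2017-05-20T10:01:09Z 10.0.0.17 GET http://example.com/ft/x1_c.txt 404
2017-05-20T10:02:11Z 10.0.0.12 GET http://example.org/index.html 200
"""

if __name__ == "__main__":
    print(ztorg_request_paths(SAMPLE_IMSI))
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit)
```

The matcher keys on the path shape rather than only on the hostname, so it still fires if the operators move the same script to another domain; the stage check rejects paths where the digit count and the `_c`/`_0` suffix disagree, which keeps lookalike paths from unrelated sites out of the results.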
Malicious code where the Trojan decides if it should send an SMS.
This is an unusual way to send SMS. Just after it receives urls to visit or SMS to send, the Trojan will turn off the device sound and start deleting all incoming SMS.
I wasn’t able to get any commands for the Trojans distributed through Google Play. But for other Trojans located elsewhere that have the same functionality, I got the command:
{"icon":"http://down.rbksbtmk.com/pic/four-dault-06.jpg","id":"-1","name":"Brower","result":1,"status":1,"url":"http://global.621.co/trace?offer_id=111049&aff_id=100414&type=1"}
It was a regular advertising offer.
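For an analyst looking at decrypted C&C replies, the branch the article describes (real url: display it; non-url containing "SMS": send a premium SMS) can be turned into a quick triage step. The example below is added here and is not Kaspersky's code. It starts from the decrypted JSON quoted above, accepts either a single offer object or a list of offers, and classifies each offer's 'url' field the way the article says the Trojan does. The "SMS" offer is a constructed placeholder because the page does not document that directive's real layout; only the substring test from the article is applied to it.

```python
import json
from urllib.parse import urlparse, parse_qs

# C&C reply quoted in the article (an advertising offer). The Trojan receives
# such replies encrypted; this example starts from the decrypted JSON text.
SAMPLE_REPLY = (
    '{"icon":"http://down.rbksbtmk.com/pic/four-dault-06.jpg","id":"-1",'
    '"name":"Brower","result":1,"status":1,'
    '"url":"http://global.621.co/trace?offer_id=111049&aff_id=100414&type=1"}'
)

# Constructed placeholder for the other branch the article describes: a
# 'url' value that is not a URL but contains the substring "SMS". The page
# does not document that directive's real layout, so only the substring
# test from the article is applied to it.
CONSTRUCTED_SMS_OFFER = (
    '{"id":"7","name":"placeholder","url":"SMS <constructed, not a real command>"}'
)


def offers_from_reply(text):
    """Normalise a decrypted reply into a list of offer dicts.

    The article says the reply holds a list of offers while the quoted sample
    is a single object, so both shapes are accepted.
    """
    data = json.loads(text)
    if isinstance(data, dict):
        return [data]
    if isinstance(data, list):
        return [o for o in data if isinstance(o, dict)]
    raise ValueError("unexpected reply shape")


def classify_offer(offer):
    """Decide what the Trojan would do with one offer's 'url' field."""
    value = str(offer.get("url", ""))
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        # A real URL: the Trojan shows its content (advertising offer).
        return {"id": offer.get("id"), "action": "view_url", "host": parsed.hostname,
                "params": {k: v[0] for k, v in parse_qs(parsed.query).items()}}
    if "SMS" in value:
        # Not a URL but carries "SMS": the Trojan would send a premium SMS.
        return {"id": offer.get("id"), "action": "send_sms", "raw": value}
    return {"id": offer.get("id"), "action": "unknown", "raw": value}


def triage_reply(text):
    """Classify every offer in a decrypted C&C reply."""
    return [classify_offer(o) for o in offers_from_reply(text)]


if __name__ == "__main__":
    for result in triage_reply("[" + SAMPLE_REPLY + "," + CONSTRUCTED_SMS_OFFER + "]"):
        print(result)
```

Run on the quoted reply, the triage reports a view_url action for global.621.co with the offer_id and aff_id parameters extracted, which is the "regular advertising offer" the author describes; a send_sms result is the one worth escalating, since it means the device would be charged.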
WAP billing subscriptions
I was able to find several more malicious apps with the same functionality distributed outside the Google Play Store. The interesting thing is that they don’t look like standalone Trojans, more like an additional module for some Trojan.
Further investigation revealed that these Trojans were installed by a regular Ztorg Trojan along with other Ztorg modules.
In a few of these Trojans, I found that they download a JS file from the malicious url using the MCC.
Malicious code where the Trojan downloads a JS file.
I downloaded several JS files, using different MCCs, to find out what the cybercriminals are going to do with users from different countries. I wasn’t able to get a file for a US MCC, but for the other countries I tried I received files with some functions. All the files contain a function called “getAocPage”, which most likely references AoC – Advice of Charge. After analyzing these files, I found out that their main purpose is to perform clickjacking attacks on web pages with WAP billing. In doing so, the Trojan can steal money from the user’s mobile account. WAP billing works in a similar way to Premium rate SMS, but usually in the form of subscriptions rather than the one-time payments of most Premium rate SMS.
JS file from a CnC for Russian users (MCC = 250)
This means that the urls the Trojan receives from the CnC may not only be advertising urls, but also urls with WAP billing subscriptions. Furthermore, some Trojans with this functionality use CnC urls that contain “/subscribe/api/”, which may reference subscriptions too.
All of these Trojans, including the Trojans from Google Play, try to send SMS from any device. To do so they use a lot of different methods to send SMS:
Part of the “Magic browser” app’s code
In total, the “Magic browser” app tries to send SMS from 11 different places in its code. Cybercriminals are doing this in order to be able to send SMS from different Android versions and devices. Furthermore, I was able to find another modification of the Trojan-SMS.AndroidOS.Ztorg that is trying to send an SMS via the “am” command, although this approach should not work.
Connection with the Ztorg malware family
The “Magic browser” app was promoted in a similar way to other Ztorg Trojans. Both the “Magic browser” and “Noise detector” apps shared code similarities with other Ztorg Trojans. Furthermore, the latest version of the “Noise detector” app contains the encrypted file “girl.png” in the assets folder of the installation package. After decryption, this file becomes a Ztorg Trojan.
I found several more Trojans with the same functionality that were installed by a regular Ztorg Trojan along with the other Ztorg modules. And it isn’t the first case where additional Ztorg modules were distributed from Google Play as a standalone Trojan. In April 2017, I found that a malicious app called “Money Converter” had been installed more than 10,000 times from Google Play. It uses Accessibility Services to install apps from Google Play. Therefore, the Trojan can silently install and run promoted apps without any interaction with the user, even on updated devices where it cannot gain root rights.
Trojan-SMS vs. rooting
There were two malicious apps on Google Play with the same functionality – “Noise Detector” and “Magic browser” – but I think that they each had a different purpose. “Magic browser” was uploaded first, and I assume that the cybercriminals were checking whether they were able to upload this kind of functionality. After they uploaded the malicious app they didn’t update it with newer versions.
But it is a different story with “Noise Detector” – here it looks like the cybercriminals were trying to upload an app infected with a regular version of the Ztorg Trojan. But in the process of uploading they decided to add some malicious functionality to make money while they were working on publishing the rooting malware. The history of “Noise Detector” updates proves it.
On May 20 they uploaded a clean app called “Noise Detector”. A few days later they updated it with another clean version.
Then, a few days after that, they uploaded a version to Google Play that contained an encrypted Ztorg Trojan, but without the possibility of decrypting and executing it. On the following day they finally updated their app with the Trojan-SMS functionality, but still didn’t add the possibility to execute the encrypted Ztorg module. It is likely that, if the app hadn’t been removed from Google Play, they would have added this functionality at the next stage. There is also the possibility that attempting to add this functionality is what alerted Google to the Trojan’s presence and resulted in its deletion.
Conclusions
We found a very unusual Trojan-SMS being distributed through Google Play. It not only uses around a dozen methods to send SMS, but also initializes these methods in an unusual way: by processing web-page loading errors using a command from the CnC. And it can open advertising URLs. Furthermore, it is related to Ztorg malware with the same functionality, which is often installed by Ztorg as an additional module.
By analyzing these apps I found that cybercriminals are working on clickjacking WAP billing. It means that these Trojans may not only open ad URLs or send Premium rate SMS, but also open web pages with WAP billing and steal money from a user’s account. To hide these activities the Trojans turn off the device sound and delete all incoming SMS.
This isn’t the first time that the cybercriminals have distributed Ztorg modules through Google Play. For example, in April 2017 they uploaded a module that can click on Google Play Store app buttons to install or even buy promoted apps.
Most likely, the attackers are publishing Ztorg modules to make some additional money while they are trying to upload the regular rooting Ztorg Trojan. I suggest this because one of the malicious apps had an encrypted Ztorg module but wasn’t able to decrypt it.
MD5
A new malware dubbed Dvmap for Android was found and removed from the Play Store
16.6.2017 securityaffairs Android
Kaspersky Lab has discovered a new Android malware, dubbed Dvmap, which was found in and removed from the official Google Play store.
Kaspersky Lab discovered the new malware, which is capable of obtaining root access on Android devices and of taking over a system library by means of a code injection attack.
The malware, named Dvmap, was seen being distributed as a game called Colourblock and introduces a capability not previously seen in mobile malware.
“In April 2017 we started observing new rooting malware being distributed through the Google Play Store. Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries. Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a.” states Kaspersky Lab.
The ability to perform code injection is a new capability, unseen until now, and represents a dangerous evolution in Android threats.
After the application is installed, the malware tries to gain root access and launches a file that checks the Android version and decides which library it will inject code into. Once successful, the malware tries to connect to a C&C server that keeps every process of the malware updated. Dvmap can also disable the user’s security settings in its attempt to gain root access over the device.
The creators of the malware were able to bypass Play Store security mechanisms by embedding it in a game, using a two-phase infection method. First, a game free of malware was uploaded to the Play Store, and then the application was substituted with the malware itself, thereby bypassing Google’s security mechanisms. Before its removal, the malware was able to infect at least 50,000 devices that downloaded the game application.
“This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime, and it has been downloaded from the Google Play Store more than 50,000 times. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store.” continues Kaspersky.
Dvmap tampers with runtime libraries depending on which version of Android is in use, so that it can install other payloads linked to third parties that could compromise sensitive data such as banking accounts. One of these payloads is “com.qualcmm.timeservices”. The malware also works on both 32-bit and 64-bit Android.
There is currently no fix for the malware, but users can rely on simple security best practices to avoid or contain the infection. It is highly recommended that users download only from the developer’s official site, maintain an up-to-date backup of their data and always check which privileges will be granted to an application before installing it. A full factory reset is also highly recommended for users who have been infected, as is keeping antivirus definitions up to date.
Hundreds of Fake Android Antivirus Apps Deliver Malware
15.6.2017 securityweek Android
There are thousands of Android applications containing the label “antivirus,” but a big chunk of them are dangerous programs designed to infect devices of unsuspecting users with malware, RiskIQ warns.
After the WannaCry ransomware outbreak last month, numerous fake programs claiming to keep Android users safe from the threat began to emerge, despite the fact that Android wasn’t targeted by the malware. RiskIQ decided to have a closer look at the many antivirus apps for Android and discovered that these fake apps aren’t limited to the WannaCry theme.
What’s more, the security company discovered that while some of the programs are worthless, others are outright malicious, designed to spread adware, Trojans, and other types of malware instead of protecting users from such threats.
According to RiskIQ, there are 6,295 total Android apps, past and present, claiming to either be an antivirus solution, review antivirus solutions or be associated with antivirus software in some way. RiskIQ discovered that 707 of the apps triggered blacklist detections in VirusTotal. 655 of these “antivirus” apps are in Google Play, and 131 of them triggered blacklist detections.
Furthermore, 4,292 of these apps are active today, including 525 of those that triggered blacklist detections in VirusTotal. 508 of the apps are in Google Play, yet only 55 of them triggered blacklist detections.
Overall, while 11% of total antivirus apps lived in the Google Play store, only 12.2% of active antivirus apps are available through the portal. However, 20% of total blacklisted antivirus apps live in the store, although only 10.8% of the active blacklisted antivirus apps are present there, RiskIQ found.
RiskIQ also points out that, while not all of the blacklist hits from VirusTotal point to malicious applications, there are many malicious antivirus apps that are not blacklisted at all. However, as soon as one application is flagged by a well-known vendor, or by several of them, it may be worth further review.
“When it comes to the safety of your mobile devices, it is always best to be diligent. Be careful about inviting the bad guys in and giving them access to everything when choosing an antivirus app,” RiskIQ’s Forrest Gueterman notes.
To stay protected, users should pay close attention when choosing a mobile antivirus solution, and should download such apps only from official stores, as they tend to remove malicious apps faster than unofficial portals.
Reviewing the permissions requested by these apps is also very important, and users are also advised to have a close look at the developer email address (to avoid those using a free email service like Gmail or Hotmail) and at the app description (it could point to a fake app if riddled with grammatical errors). Checking the app against known blacklists can also keep devices protected.
Beware! Over 800 Android Apps on Google Play Store Contain 'Xavier' Malware
13.6.2017 thehackernews Android
Over 800 different Android apps that have been downloaded millions of times from the Google Play Store have been found to be infected with a malicious ad library that silently collects sensitive user data and can perform dangerous operations.
Dubbed "Xavier," the malicious ad library, which initially emerged in September 2016, is a member of the AdDown malware family and potentially poses a severe threat to millions of Android users.
Since 90 percent of Android apps are free for anyone to download, advertising on them is a key revenue source for their developers. For this, they integrate an Android SDK ads library into their apps, which usually doesn't affect an app's core functionality.
According to security researchers at Trend Micro, the malicious ad library is bundled with a wide range of Android applications, including photo editors, wallpapers and ringtone changers, phone tracking, volume booster, RAM optimizer and music-video player apps.
Features of Xavier Info-Stealing Malware
The previous variant of Xavier Ad library was a simple adware with an ability to install other APKs silently on the targeted devices, but in the latest release, the malware author has replaced those features with more sophisticated ones, including:
Evade Detection: Xavier is smart enough to escape both static and dynamic malware analysis, by checking whether it is running in a controlled environment (an emulator) and by encrypting its data and communications.
Remote Code Execution: The malware has been designed to download code from a remote Command & Control (C&C) server, allowing hackers to remotely execute any malicious code on the targeted device.
Info-Stealing Module: Xavier is configured to steal device- and user-related information, including the user's email address, device ID, model, OS version, country, manufacturer, SIM card operator, screen resolution and installed apps.
According to the researchers, the highest number of infected users are from Southeast Asian countries such as Vietnam, the Philippines, and Indonesia, with fewer downloads from the United States and Europe.
Here is a list of 75 infected Android apps that Google has already removed from its Play Store, and if you have installed any of these apps on your device, you are advised to remove it immediately.
Android malware continues to evolve with more sophisticated and never-seen-before capabilities with every passing day. Just last week, we saw the first Android malware with code-injection capabilities making the rounds on the Google Play Store.
How to Protect Yourself
The easiest way to avoid being targeted by clever malware like Xavier is to always beware of fishy applications, even when downloading them from the official Play Store, and to stick to trusted brands only.
Moreover, always look at the reviews left by other users who have downloaded the app, and verify app permissions before installing any app, granting only those permissions that are relevant to the app's purpose.
Last but not least, you are strongly advised to always keep a good antivirus application on your device that can detect and block such malware before it can infect your device, and to keep your device and apps up to date.
First Android-Rooting Trojan With Code Injection Ability Found On Google Play Store
9.6.2017 thehackernews Android
A new Android-rooting malware with the ability to disable a device's security settings in order to perform malicious tasks in the background has been detected on the official Play Store.
What's interesting? The app was smart enough to fool Google's security mechanism by first posing as a clean app and then being temporarily replaced with a malicious version.
Security researchers at Kaspersky Lab discovered a new piece of Android rooting malware that was being distributed as gaming apps on the Google Play Store, hiding behind puzzle game "colourblock," which was being downloaded at least 50,000 times prior to its removal.
Dubbed Dvmap, the Android rooting malware disables device's security settings to install another malicious app from a third-party source and also injects malicious code into the device system runtime libraries to gain root access and stay persistent.
"To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for short period of time," the researchers said.
"Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May."
Here's How Dvmap Malware Works
Dvmap Trojan works on both 32-bit and 64-bit versions of Android, which once installed, attempts to gain root access on the device and tries to install several modules on the system including a few written in Chinese, along with a malicious app called "com.qualcmm.timeservices."
To make sure the malicious module gets executed with system rights, the malware overwrites system's runtime libraries depending on which Android version the device is running.
To complete the installation of the above-mentioned malicious app, the Trojan, now running with system rights, turns off the "Verify Apps" feature and modifies a system setting to allow app installation from third-party app stores.
"Furthermore, it can grant the "com.qualcmm.timeservices" app Device Administrator rights without any interaction with the user, just by running commands. It is a very unusual way to get Device Administrator rights," the researchers said.
This malicious 3rd party app is responsible for connecting the infected device to the attacker's command-and-control server, giving out full control of the device into the hands of attackers.
However, the researchers said, they haven't noticed any commands received by the infected Android devices so far, so it's unclear "what kind of files will be executed, but they could be malicious or advertising files."
How to Protect Yourself Against Dvmap Malware
Researchers are still testing the Dvmap malware, but meanwhile, advise users who installed the puzzle game in question to back up their device's data and perform a full factory data reset in an effort to mitigate the malware.
To prevent yourself from being targeted by such apps, always beware of fishy apps, even when downloading from Google Play Store, and try to stick to the trusted brands only. Moreover, always look at the comments left by other users.
Always verify app permissions before installing any app and grant only those permissions which have relevant context for the app's purpose.
Last but not least, always keep a good antivirus app on your device that can detect and block such malware before it can infect your device, and keep it up to date.
Dvmap: the first Android malware with code injection
8.6.2017 Kaspersky Android
In April 2017 we started observing new rooting malware being distributed through the Google Play Store. Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries. Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a.
The distribution of rooting malware through Google Play is not a new thing. For example, the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016. But Dvmap is very special rooting malware. It uses a variety of new techniques, but the most interesting thing is that it injects malicious code into the system libraries – libdmv.so or libandroid_runtime.so.
This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime, and it has been downloaded from the Google Play Store more than 50,000 times. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store.
Trojan.AndroidOS.Dvmap.a on Google Play
To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for short period of time. Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May.
All the malicious Dvmap apps had the same functionality. They decrypt several archive files from the assets folder of the installation package, and launch an executable file from them with the name “start.”
Encrypted archives in the assets folder
The interesting thing is that the Trojan supports even the 64-bit version of Android, which is very rare.
Part of code where the Trojan chooses between 32-bit and 64-bit compatible files
All encrypted archives can be divided into two groups: the first comprises Game321.res, Game322.res, Game323.res and Game642.res – and these are used in the initial phase of infection, while the second group: Game324.res and Game644.res, are used in the main phase.
Initial phase
During this phase, the Trojan tries to gain root rights on the device and to install some modules. All archives from this phase contain the same files except for one called “common”. This is a local root exploit pack, and the Trojan uses 4 different exploit pack files, 3 for 32-bit systems and 1 for 64-bit-systems. If these files successfully gain root rights, the Trojan will install several tools into the system. It will also install the malicious app “com.qualcmm.timeservices.”
These archives contain the file “.root.sh” which has some comments in Chinese:
Part of .root.sh file
Main phase
In this phase, the Trojan launches the “start” file from Game324.res or Game644.res. It will check the version of Android installed and decide which library should be patched. For Android 4.4.4 and older, the Trojan will patch method _Z30dvmHeapSourceStartupBeforeForkv from libdvm.so, and for Android 5 and newer it will patch method nativeForkAndSpecialize from libandroid_runtime.so. Both of these libraries are runtime libraries related to Dalvik and ART runtime environments. Before patching, the Trojan will backup the original library with a name bak_{original name}.
Patched libdvm.so
During patching, the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip. This could be very dangerous and cause some devices to crash following the overwrite. Then the Trojan will put the patched library back into the system directory. After that, the Trojan will replace the original /system/bin/ip with a malicious one from the archive (Game324.res or Game644.res). In doing so, the Trojan can be sure that its malicious module will be executed with system rights. But the malicious ip file does not contain any methods from the original ip file. This means that all apps that were using this file will lose some functionality or even start crashing.
Malicious module “ip”
This file will be executed by the patched system library. It can turn off “VerifyApps” and enable the installation of apps from 3rd party stores by changing system settings. Furthermore, it can grant the “com.qualcmm.timeservices” app Device Administrator rights without any interaction with the user, just by running commands. It is a very unusual way to get Device Administrator rights.
Malicious app com.qualcmm.timeservices
As I mentioned before, in the “initial phase”, the Trojan will install the “com.qualcmm.timeservices” app. Its main purpose is to download archives and execute the “start” binary from them. During the investigation, this app was able to successfully connect to the command and control server, but it received no commands. So I don’t know what kind of files will be executed, but they could be malicious or advertising files.
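The artefacts described above (the bak_{original name} backup left beside a patched runtime library, the dropped "com.qualcmm.timeservices" package, and the replaced /system/bin/ip) are usable as host-side indicators. The following triage helper is an added example and not part of Kaspersky's report; it walks a pulled copy of an Android filesystem (for instance obtained with "adb pull" into a directory) whose path is passed as the first argument. The function name, the directory layout it expects and the ELF-magic check are assumptions made for this example.

```shell
#!/bin/sh
# dvmap_check ROOT
# Reports Dvmap indicators found under ROOT (a pulled copy of an Android
# filesystem) and returns the number of indicators hit (0 = nothing found).
# Example code added for illustration; not Kaspersky's tooling.
dvmap_check() {
    root=$1
    hits=0

    # 1. Before patching libdvm.so / libandroid_runtime.so the Trojan saves the
    #    original as bak_{original name} next to it. A clean device has no such file.
    for lib in libdvm.so libandroid_runtime.so; do
        for dir in system/lib system/lib64; do
            if [ -f "$root/$dir/bak_$lib" ]; then
                echo "INDICATOR: backup of a patched runtime library: $dir/bak_$lib"
                hits=$((hits + 1))
            fi
        done
    done

    # 2. The dropped Device-Administrator app com.qualcmm.timeservices (note the
    #    misspelt "qualcmm"). Package data and APK directories are checked.
    for dir in data/data data/app system/app system/priv-app; do
        if [ -e "$root/$dir/com.qualcmm.timeservices" ] || \
           ls "$root/$dir" 2>/dev/null | grep -q '^com\.qualcmm\.timeservices'; then
            echo "INDICATOR: package com.qualcmm.timeservices present under $dir"
            hits=$((hits + 1))
            break
        fi
    done

    # 3. /system/bin/ip replaced by the malicious module. The legitimate ip is a
    #    native ELF binary (or a symlink to one); a regular file that does not
    #    start with the ELF magic 7f 45 4c 46 has been swapped out. Comparing the
    #    file hash against the vendor image is the definitive check (assumption:
    #    the analyst has that reference available separately).
    ip="$root/system/bin/ip"
    if [ -f "$ip" ] && [ ! -L "$ip" ]; then
        magic=$(head -c 4 "$ip" | od -An -tx1 | tr -d ' \n')
        if [ "$magic" != "7f454c46" ]; then
            echo "INDICATOR: /system/bin/ip is not an ELF binary (magic=$magic)"
            hits=$((hits + 1))
        fi
    fi

    echo "dvmap_check: $hits indicator(s) found under $root"
    return "$hits"
}

# Stand-alone use: dvmap_check.sh /path/to/pulled/filesystem
if [ $# -gt 0 ]; then
    dvmap_check "$1"
fi
```

Exit status 0 means none of the three indicators was found; each indicator adds one to the status, so the script composes with `||` in a larger triage pipeline.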
Conclusions
This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques, including patching system libraries. It installs malicious modules with different functionality into the system. It looks like its main purpose is to get into the system and execute downloaded files with root rights. But I never received such files from their command and control server.
These malicious modules report to the attackers about every step they are going to make. So I think that the authors are still testing this malware, because they use some techniques which can break the infected devices. But they already have a lot of infected users on whom to test their methods.
I hope that by uncovering this malware at such an early stage, we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods.
MD5
43680D1914F28E14C90436E1D42984E2
20D4B9EB9377C499917C4D69BF4CCEBE
Android Malware 'Dvmap' Delivered via Google Play
8.6.2017 securityweek Android
Researchers at Kaspersky Lab recently came across a new Trojan designed to target Android smartphones. The malware, delivered via the Google Play store, is capable of rooting devices and it leverages some new techniques to achieve its goal.
The Trojan, dubbed “Dvmap” by Kaspersky, was uploaded to Google Play disguised as various apps, such as a simple puzzle game. The security firm said the malicious apps were downloaded from the official Android app store more than 50,000 times before being removed by Google.
It’s not uncommon for malware to make its way into Google Play. In the case of Dvmap, cybercriminals uploaded a clean application at the end of March and then, on five separate occasions between April 18 and May 15, they pushed malicious updates that were available for only a short period of time.
By keeping the malicious version on Google Play only for a short amount of time – the clean version would typically be re-uploaded on the same day – the attackers managed to evade detection by Google’s security systems.
Once it infects a device, the malware, which works on both 32-bit and 64-bit versions of Android, uses a local root exploit pack to obtain root privileges. If the smartphone has been successfully rooted, several modules are installed on the system.
It’s not uncommon for rooting malware to install modules on the targeted device, but Dvmap has another trick up its sleeve. The Trojan, whose code includes comments written in Chinese, also injects malicious code into system runtime libraries, and experts believe it’s the first piece of Android malware to do this.
The code injection takes place in the main phase of the attack, when the malware patches one of two runtime libraries – either libdvm.so or libandroid_runtime.so, depending on the version of Android present.
Dvmap replaces legitimate code with malicious code in order to execute its modules. However, this can also cause some legitimate apps to crash or stop functioning properly.
The malicious code executes a file that turns off the Verify Apps feature in Android to allow the installation of apps from third-party stores. It can also provide Device Administrator rights to an installed app whose purpose is to download other files.
The command and control (C&C) server did not send any files during Kaspersky’s tests so it’s unclear what types of files have been delivered, but researchers believe it’s either other malware or adware.
Judging by the fact that some of the techniques used by Dvmap can break infected devices, experts believe the cybercriminals are still testing the malware. However, given the large number of users who have already downloaded it from Google Play, they have plenty of devices to perform tests on.
Judy Doesn’t Love You – Judy Malware has a sweet name but may have infected 36 million users
1.6.2017 securityaffairs Android
Experts found a new malware, dubbed Judy, in the Play Store. It is designed to infect Android devices and generate false clicks on advertisements.
Google is suffering once again from malicious software applications found inside popular apps available on Play store. The new malware – code named “Judy” – is designed to infect Android devices and generate false clicks on advertisements. According to Checkpoint Software, which discovered Judy, the payoff for the malware developers is to generate revenue on the false advertising clicks.
The new malicious app bypassed Google checks and may have been inside 41 popular games on the Play store for years, infecting as many as 36 million users.
“Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean company,” states the analysis published by CheckPoint. “The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads. We also found several apps containing the malware, which were developed by other developers on Google Play. These apps also had a large amount of downloads between 4 and 18 million, meaning the total spread of the malware may have reached between 8.5 and 36.5 million users.”
The tainted software packages containing the malware were developed by a Korean company and have all been pulled from the Google Play Store. Several other vendor packages have also been pulled that reportedly contained the same malware code. However, it is not clear if these apps were intentionally designed with the Judy malware or simply suffered the same fate because of shared code.
The disclosure comes on the heels of two similar malware programs, “Falseguide” and “Skinner” which bypassed Google’s safety and check system. All the malware designs appear to be similar in that they used communications links with a Command and Control server for operation. Once the link was established, the Command Server would then download the malicious software on the unsuspecting user.
The malware developers first would design and upload a bait program to the Google Play Store. Most of the bait apps used by Judy appear to be games or simulated doll dress designs aimed at children. The bait programs would appear to be innocent to the user and pass the Google checking system since they contained no malicious code. The apps apparently look valid because they are designed to communicate with a specific URL for additional user game data such as updated dress designs for children’s dolls. Both the user and Google were unaware that the URL was actually a link to the malicious Command server.
Once a user downloaded and started the app, the command server would infect the unknowing user with a silent and invisible web browser using JavaScript. The malware used the JavaScript code to locate and click on banners from Google ads once a targeted series of websites was launched inside the silent web browser. The silent browser would then simulate a computer by clicking on the paying advertisements and banners. Each infected user would then unknowingly be clicking thousands of times a day on advertisements. The fake clicks against the websites generated revenue for the malware developer, cheating the paying advertisers.
One feature of Judy, however, was that some of the spammed ads also required the user to click on them in order to get the home screen functional again. While many of the apps were apparently popular, with some receiving 4- and 5-star reviews, users often complained about the large number of ads that they were seeing. This tell-tale clue should have been a warning sign that the apps were doing more than simply dressing simulated dolls.
According to Checkpoint, the malware apps were all developed by a single Korean company named Kiniwini, registered on Google Play as ENISTUDIO corp.
“The company develops mobile apps for both Android and iOS platform,” states the Checkpoint bulletin.
“It is quite unusual to find an actual organization behind mobile malware, as most of them are developed by purely malicious actors. It is important to note that the activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users’ mobile devices for generating fraudulent clicks, benefiting the attackers.”
Google has recently attempted to beef-up its Play Store, releasing new privacy and security guidelines to developers and increasing checks against potentially malevolent software apps. However, the use of a secondary communications system seems to bypass security checks since Google cannot see the hidden malware stored on a separate Command server during the upload and activation process for developers.
It is not unusual for app developers to utilize a communications link to specific URLs. Many games and user applications require a link in order to update common data, generate game revenue and add additional features. The design of using a malicious Command server to install functioning malware is something that previously had been reserved for intelligence agencies and criminal hacker organizations.
While the abuse of millions of users to generate illegal income via hidden clicks on paying ads is not entirely new, there are darker possible designs that can target individual users with more than just advertisements: stealing financial information, violating privacy, stalking and tracking. Both Google and Apple should take note of this new design that can bypass the traditional upload and install security features of their store fronts.
Judy Android Malware Infects Over 36.5 Million Google Play Store Users
30.5.2017 securityaffairs Android
Security researchers have claimed to have discovered possibly the largest malware campaign on Google Play Store that has already infected around 36.5 million Android devices with malicious ad-click software.
The security firm Checkpoint on Thursday published a blog post revealing more than 41 Android applications from a Korean company on Google Play Store that make money for its creators by creating fake advertisement clicks from the infected devices.
All the malicious apps, developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp, contained an adware program, dubbed Judy, that is being used to generate fraudulent clicks to generate revenue from advertisements.
Moreover, the researchers also uncovered a few more apps, published by other developers on Play Store, inexplicably containing the same malware.
The connection between the two campaigns remains unclear, though researchers believe it is possible that one developer borrowed code from the other, "knowingly or unknowingly."
"It is quite unusual to find an actual organization behind the mobile malware, as most of them are developed by purely malicious actors," CheckPoint researchers say.
The apps available on the Play Store do not directly contain any malicious code, which is what helped them bypass Google Bouncer protections.
Once downloaded, the app silently registers the user's device with a remote command and control server, and in reply it receives the actual malicious payload, containing JavaScript code that starts the actual malicious process.
"The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website," the researchers say. "Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure."
The malicious apps are actual legitimate games, but in the background, they act as a bridge to connect the victim’s device to the adware server.
Once the connection is established, the malicious apps spoof the user agent to pose as a desktop browser, open a page and generate clicks.
Here’s a list of the malicious apps developed by Kiniwini; if you have any of these installed on your device, remove it immediately:
• Fashion Judy: Snow Queen style
• Animal Judy: Persian cat care
• Fashion Judy: Pretty rapper
• Fashion Judy: Teacher style
• Animal Judy: Dragon care
• Chef Judy: Halloween Cookies
• Fashion Judy: Wedding Party
• Animal Judy: Teddy Bear care
• Fashion Judy: Bunny Girl Style
• Fashion Judy: Frozen Princess
• Chef Judy: Triangular Kimbap
• Chef Judy: Udong Maker – Cook
• Fashion Judy: Uniform style
• Animal Judy: Rabbit care
• Fashion Judy: Vampire style
• Animal Judy: Nine-Tailed Fox
• Chef Judy: Jelly Maker – Cook
• Chef Judy: Chicken Maker
• Animal Judy: Sea otter care
• Animal Judy: Elephant care
• Judy’s Happy House
• Chef Judy: Hotdog Maker – Cook
• Chef Judy: Birthday Food Maker
• Fashion Judy: Wedding day
• Fashion Judy: Waitress style
• Chef Judy: Character Lunch
• Chef Judy: Picnic Lunch Maker
• Animal Judy: Rudolph care
• Judy’s Hospital: Pediatrics
• Fashion Judy: Country style
• Animal Judy: Feral Cat care
• Fashion Judy: Twice Style
• Fashion Judy: Myth Style
• Animal Judy: Fennec Fox care
• Animal Judy: Dog care
• Fashion Judy: Couple Style
• Animal Judy: Cat care
• Fashion Judy: Halloween style
• Fashion Judy: EXO Style
• Chef Judy: Dalgona Maker
• Chef Judy: ServiceStation Food
• Judy’s Spa Salon
At least one of these apps was last updated on the Play Store in April last year, which means the malicious apps were propagating for more than a year.
Google has now removed all above-mentioned malicious apps from Play Store, but since Google Bouncer is not sufficient to keep bad apps out of the official store, you have to be very careful about downloading apps.
All Android Phones Vulnerable to Extremely Dangerous Full Device Takeover Attack
26.5.2017 thehackernews Android
Researchers have discovered a new attack, dubbed 'Cloak and Dagger', that works against all versions of Android, up to version 7.1.2.
The Cloak and Dagger attack allows hackers to silently take full control of your device and steal private data, including keystrokes, chats, device PIN, online account passwords, OTP passcodes, and contacts.
What's interesting about Cloak and Dagger attack?
The attack doesn't exploit any vulnerability in the Android ecosystem; instead, it abuses a pair of legitimate app permissions that are widely used in popular applications to access certain features on an Android device.
Researchers at the Georgia Institute of Technology, who discovered this attack, successfully performed it on 20 people, none of whom were able to detect any malicious activity.
Cloak and Dagger attacks utilise two basic Android permissions:
SYSTEM_ALERT_WINDOW ("draw on top")
BIND_ACCESSIBILITY_SERVICE ("a11y")
The first permission, known as "draw on top," is a legitimate overlay feature that allows apps to draw over a device's screen on top of other apps.
The second permission, known as "a11y," is designed to help disabled, blind and visually impaired users, allowing them to enter input using voice commands or listen to content using the screen reader feature.
Scary Things Hackers Can Do to Your Android (Demo)
Since the attack does not require any malicious code to perform the trojanized tasks, it becomes easier for hackers to develop and submit a malicious app to Google Play Store without detection.
Unfortunately, it’s a known fact that the security mechanisms used by Google are not enough to keep all malware out of its app market.
If you follow the regular security updates from The Hacker News, you are probably aware of frequent headlines like "hundreds of apps infected with adware targeting Play Store users" and "ransomware apps found on Play Store."
Just last month, researchers uncovered several Android apps masquerading as an innocent "Funny Videos" app on Play Store with over 5,000 downloads, which distributed the 'BankBot banking Trojan' that steals victims' banking passwords.
Here's how the researchers explained getting onto the Google Play Store to perform Cloak & Dagger attacks:
"In particular, we submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store)." researchers say.
Once installed, the researchers say the attacker can perform various malicious activities including:
Advanced clickjacking attack
Unconstrained keystroke recording
Stealthy phishing attack
Silent installation of a God-mode app (with all permissions enabled)
Silent phone unlocking and arbitrary actions (while keeping the screen off)
In short, the attackers can secretly take over your Android device and spy on everything you do on your phone.
Researchers have also provided the video demonstrations of a series of Cloak and Dagger attacks, which will blow your mind, trust me.
Google Can’t Fix It, At Least Not So Fast
University researchers have already disclosed this new attack vector to Google but noted that since the issue resides in the way Android OS has been designed, involving two of its standard features that behave as intended, the problem could be difficult to resolve.
"Changing a feature is not like fixing a bug," said Yanick Fratantonio, the paper's first author. "System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device."
As we reported earlier, Google gives "SYSTEM_ALERT_WINDOW" ("draw on top") permission to all applications directly installed from the official Google Play Store since Android Marshmallow (version 6), launched in October 2015.
This feature that lets malicious apps hijack a device's screen is one of the most widely exploited methods used by cyber criminals and hackers to trick unwitting Android users into falling victims for malware and phishing scams.
However, Google has planned to change its policy in 'Android O,' which is scheduled for release in the 3rd quarter this year.
So, users need to wait for a long, long time, as millions of users are still waiting for Android Nougat (N) from their device manufacturers (OEMs).
In other words, the majority of smartphone users will continue to be victimised by ransomware, adware and banking Trojans for at least the next year.
Temporary Mitigation
The easiest way to disable the Cloak and Dagger attacks in Android 7.1.2 is to turn off the "draw on top" permission by heading to:
Settings → Apps → Gear symbol → Special access → Draw over other apps.
The universal and easiest way to avoid being hacked is always to download apps from Google Play Store, but only from trusted and verified developers.
You are also advised to check app permissions before installing apps. If any app is asking more than what it is meant for, just do not install it.
Google Patches Nexus 6 Secure Boot Bypass
26.5.2017 securityweek Android
One of the vulnerabilities addressed by Google in its May 2017 security patches allowed the bypass of Nexus 6’s Secure Boot through kernel command-line injection, HCL Technologies researchers reveal.
By exploiting the flaw, an attacker with physical access to the device or one with authorized-ADB/fastboot USB access to the (bootloader-locked) device could gain unrestricted root privileges and “completely own the user space.” For that, the attacker would have to load a tampered or malicious initramfs image.
Security researcher Roee Hay also explains that, because the exploitation doesn’t lead to a factory reset, user data remains intact and still encrypted. The vulnerability is tracked as CVE-2016-10277.
The issue, Hay says, is a continuation of CVE-2016-8467, a High risk vulnerability affecting the Nexus 6/6P bootloader, and which was addressed in Google’s January 2017 security patches. The exploit abused fastboot commands to change the androidboot.mode argument in the kernel command line and was addressed by hardening the bootloader.
“Just before Google released the patch, we had discovered a way to bypass it on Nexus 6,” the researcher notes.
Because the fsg-id, carrier and console arguments in Nexus 6’s bootloader can be controlled through the fastboot interface (even if the bootloader is locked), one could pass arbitrary kernel command line arguments if the bootloader didn’t sanitize said three arguments. The researchers also found a series of parameters that can contain arbitrary values and which propagate to the kernel command line.
After previously discovering they could tamper with the bootmode, the researchers focused on finding ways to compromise a device further by inserting arbitrary arguments into the command line. Eventually, they discovered that they could defeat Secure Boot by being able to control a single argument.
The exploit relies on initramfs, a cpio (gzipped) archive that gets loaded into rootfs (a RAM filesystem) during the Linux kernel initialization. The bootloader prepares the kernel command line and initramfs parameters for the Linux kernel in the Device Tree Blob, and then transfers execution to the Linux kernel.
A kernel_init function executes the first userspace process called /init, and a kernel command line argument rdinit can override this default value, but exploitation wasn’t effective, mainly because the Nexus 6 initramfs doesn’t contain a large enough set of binaries, the researcher notes.
“Interestingly, we’ve realized that in arm, it is also possible to control, through a kernel command line argument initrd, the physical address where the initramfs is loaded from by the kernel,” Hay says.
By overriding the default values provided by the bootloader in the Device Tree Blob, the researchers caused the kernel to crash. Next, they focused on loading their own initramfs archive into the device’s memory through fastboot.
“Note that the Linux Kernel does not re-verify the authenticity of initramfs, it relies on the bootloader to do that, so if we manage to put a tampered initramfs at the controlled phys_initrd_start physical address, the kernel will indeed populate it into rootfs,” the researcher explains.
Fastboot offers a download mechanism via USB and, because the operation is available even on locked bootloaders, an attacker can abuse it to load a tampered initramfs on the device. The exploit is then successful if the bootloader and Kernel don’t overwrite the data before initramfs is populated into rootfs.
The security researchers created a Proof-of-Concept initramfs and made it publicly available on GitHub. Upon gaining full control of rootfs, an attacker can create a malicious /vendor folder, where firmware images of various SoCs available on the board would normally be saved.
“Kernel drivers usually consume these images upon initialization, and update their SoC counterparts if needed. Hence, the attacker could flash unsigned firmware images. We haven’t checked if there are such, but from our experience with other devices, there are. As for signed ones, downgrade attacks might be possible as well,” Hay says.
Google addressed the issue in the May 2017 set of monthly patches by setting the bootloader to sanitize the fsg-id, carrier and console config arguments.
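The unsanitized versus sanitized assembly of the kernel command line described above, as an added Python model that is not the Nexus 6 bootloader's code; BASE_CMDLINE, the allowlist and the hostile value are constructed placeholders, not the real Nexus 6 values:

```python
"""Kernel command-line assembly with and without argument sanitization.

Added example, not code from the Nexus 6 bootloader or from the HCL
research.  It models the pattern described above: the bootloader builds
the kernel command line from a fixed base plus three values (fsg-id,
carrier, console) that fastboot can set even on a locked device.  Without
sanitization, a value containing whitespace smuggles extra tokens such as
`initrd=` into the command line.  All values below are constructed
placeholders, not the real Nexus 6 command line or addresses.
"""
import re

# Constructed base command line (placeholder).
BASE_CMDLINE = "console=ttyHSL0,115200,n8 androidboot.hardware=shamu"

# The three arguments the article says fastboot can set on a locked bootloader.
FASTBOOT_ARGS = ("fsg-id", "carrier", "console")

# Allowlist for one value: a short token with no whitespace, quotes or other
# characters that could end the current argument and start a new one.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9._,:/+-]{0,64}$")


def is_safe_value(value):
    """True when a bootloader-supplied value cannot add extra tokens."""
    return bool(_SAFE_VALUE.match(value))


def parse_cmdline(cmdline):
    """Split a kernel command line into {key: value} for key=value tokens,
    with bare flags mapped to None.  The kernel also honours double-quoted
    values; the allowlist rejects quotes, so plain whitespace splitting is
    enough for this model."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def build_cmdline_unsanitized(base, args):
    """Pre-patch behaviour: the bootloader appends each value verbatim."""
    extra = " ".join(f"{key}={value}" for key, value in args.items())
    return f"{base} {extra}".strip()


def build_cmdline_sanitized(base, args):
    """Patched behaviour: only the expected argument names, only safe values."""
    for key, value in args.items():
        if key not in FASTBOOT_ARGS:
            raise ValueError(f"unexpected bootloader argument: {key}")
        if not is_safe_value(value):
            raise ValueError(f"rejected unsafe value for {key}: {value!r}")
    return build_cmdline_unsanitized(base, args)


def injected_keys(base, args):
    """Keys present in the unsanitized command line although neither the
    base nor the argument names contain them: what untrusted values gain."""
    intended = set(parse_cmdline(base)) | set(args)
    built = parse_cmdline(build_cmdline_unsanitized(base, args))
    return set(built) - intended


if __name__ == "__main__":
    benign = {"fsg-id": "0", "carrier": "none", "console": "ttyHSL0,115200,n8"}
    # Constructed hostile value: the address is a placeholder, not a real one.
    hostile = dict(benign, console="ttyHSL0 initrd=0x10000000")
    print("benign injects:", injected_keys(BASE_CMDLINE, benign))    # set()
    print("hostile injects:", injected_keys(BASE_CMDLINE, hostile))  # {'initrd'}
    print(build_cmdline_sanitized(BASE_CMDLINE, benign))
    try:
        build_cmdline_sanitized(BASE_CMDLINE, hostile)
    except ValueError as err:
        print("sanitizer:", err)
```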
Police dismantled the Cron gang that targeted Bank Accounts via Android Malware
24.5.2017 securityaffairs Android
Russian authorities with the support of the security firm Group-IB dismantled the operations of the Cron gang that infected more than 1 million smartphones.
Russian authorities dismantled a major criminal ring that was targeting bank accounts by using an Android malware, dubbed ‘Cron,’ that compromised more than one million Android smartphones.
According to the Russian Interior Ministry, the criminal organization had stolen nearly $900,000 from bank accounts.
Law enforcement, assisted by the cyber security firm Group-IB, has identified 25 members of the organization, led by a 30-year-old living in the city of Ivanovo.
Sixteen members of the gang were detained in November 2016, while the last active member was arrested in April.
The Cron Trojan was first spotted in March 2015, when the crime gang had been distributing the malware disguised as Viber and Google Play apps.
In early 2016, investigators discovered that an Android banking Trojan dubbed ‘Cron Bot’ was offered for rent in the criminal underground. According to the experts from IBM X-Force, the Cron Bot had been leased for between $4,000 and $7,000, depending on the configuration chosen by the buyer.
The Cron gang used spam SMS messages to spread the malware to individuals in Russia, relying on a very effective social engineering technique. The SMS messages informed recipients that their ads or photos had been shared on a website, and included links to a site that tricked victims into downloading and executing the malicious code.
“Spam SMS messages with a link to a website infected with the banking Trojan. The message was of the following form: “Your ad is posted on the website ….”, or “your photos are posted here.” After the user visits the compromised website, the malware will be downloaded on the device, tricking the victim to install it.” reads the report published by Group-IB.
“The victim could install the malicious program on the phone by downloading fake applications masked as legitimate ones. The Trojan is distributed under the guise of such applications as Navitel; Framaroot; Pornhub; Avito.“
Once the Cron Trojan infected a device, the malware could send SMS messages to any phone number, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank. Using these features, the malware can intercept the 2FA messages sent to users to authorize the fraudulent transactions conducted by the crooks.
The Cron gang earned approximately $900 000 USD (50 million rubles) with its activity.
“Every day Cron malware attempted to steal money from 50-60 clients of different banks. An average theft was about 8,000 rubles ($100). According to crime investigators, the total damage from Cron’s activity amounted to approximately $800 000 USD (50 million rubles). ” continues the report.
The investigators discovered that the Cron gang had decided to extend its activity to other countries; it rented the Tiny.z banking Trojan for $2,000 per month.
Experts speculate the hackers had been planning to target French banking users, because the Cron gang developed web injections for several French banks, including Credit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d’Epargne, Societe Generale and LCL.
Google Adds New Behavior-Based Malware Scanner To Every Android Device
20.5.2017 thehackernews Android
In order to keep its billions of users safe, Google has introduced another security defense for its Android devices, called Google Play Protect.
Google Play Protect, which is part of the Google Play Store app, uses machine learning and app usage analysis to weed out the dangerous and malicious apps, which have always been an albatross around the tech giant's neck.
Since Google Play Protect actually comes with the Google Play Store, users do not need to install or activate this security feature separately.
Google Play Protect for Android devices consists of:
App scanning
Anti-Theft Measures
Browser Protection
Play Protect's App Scanning Feature
Google Play Protect is an always-on service on devices which is said to scan 50 billion apps each day across a billion Android devices to ensure they are safe.
Google already has a number of security measures in place to help keep your smartphones safe, including Verify Apps and its Bouncer service, but once apps are uploaded to the Play Store and installed on your device, Google does not have anything in place to monitor the behavior of those apps – something that most malware apps were abusing.
Running automatically in the background, Google Play Protect is built into devices and will not only analyse apps before they appear on the Play Store, but also monitor them once installed on the device, including apps that have been installed from third-party stores.
For this, Google makes use of machine learning algorithms that automatically compare app behavior and single out apps acting abnormally; if it encounters any malicious app, it warns you or even disables the app to prevent further harm.
Google says it works around the clock to keep up with the latest threats
Google says the new machine learning system regularly updates to help Android ecosystem stay one step ahead of any potential threats by always looking out for "new risks, identifying potentially harmful apps and keeping them off your device or removing them."
Play Protect's Anti-Theft Measures
With the introduction of Google Play Protect, Android Device Manager has been replaced with Find My Device, used to locate lost and misplaced devices.
You can use the browser or any other device to remotely call, locate and lock your Android device, or even erase the data to protect sensitive information remotely.
Find My Device is the same old solution, but Google included it into the Google Play Protect program.
Play Protect's Browser Protection
With Safe Browsing feature in Chrome, Play Protect lets users stay safe while browsing the Internet.
Usually, viruses, malware and worms land on your smartphones and computers via the web browser. So, if you visit any website that is acting suspiciously, the Safe Browsing feature will warn you and block websites that seem sketchy or unsafe.
Google Play Protect service will be rolling out to Android devices over the coming weeks.
Google Launches Security Services for Android
20.5.2017 securityweek Android
Google this week launched a set of security services designed to bring improved protection and visibility for Android users.
Dubbed Google Play Protect, the new product is built into all devices with Google Play and should provide “comprehensive security services for Android,” the Internet giant says.
“Whether you’re checking email for work, playing Pokémon Go with your kids or watching your favorite movie, confidence in the security of your device and data is important,” Edward Cunningham, Product Manager, Android Security, notes.
“We know you want to be confident that your Android devices are safe and secure, which is why we are doubling down on our commitment to security,” he continues.
There are 2 billion active Android devices globally and Google performs more than 50 billion application scans every day to keep them safe.
With the help of machine learning, Google says it can discover new risks, identify potentially harmful apps, and either protect devices from them or remove them where they have been already installed.
Google also rigorously analyzes all apps before publishing them on the Play Store, though it isn’t unheard of for malicious programs to slip into the marketplace and infect users by the millions.
According to Cunningham, Play Protect can warn about bad apps downloaded from other sources as well. It is meant to keep an eye on all applications that perform nefarious operations on a device, in an attempt to keep users’ data safe.
One of the features included in Google Play Protect is Find My Device, which is meant to help users even when they lose their devices.
“With Find My Device you can locate, ring, lock and erase your Android devices—phones, tablets, and even watches. This feature is built in and enabled on all devices,” Cunningham notes.
Users interested in learning more on this application should head to android.com/find or simply check the Find My Device app.
The new features will be rolling out to Android devices over the coming weeks.
Numerous infected applications were found in Google Play this year, ranging from fake system updates to mobile games, utility programs, and fake versions of popular streaming apps. In June last year, malicious versions of Pokémon GO landed in the storefront.
Google Won't Patch A Critical Android Flaw Before ‘Android O’ Release
12.5.2017 thehackernews Android
Millions of Android smartphones are at serious risk from a "screen hijack" vulnerability that allows hackers to steal your passwords and bank details, and helps ransomware apps extort money from victims.
The worse thing is that Google says it won't be patched until the release of the 'Android O' version, which is scheduled for release in the 3rd quarter this year.
And the worse, worse, worse thing is that millions of users are still waiting for the Android N update from their device manufacturers (OEMs), which apparently means that the majority of smartphone users will continue to be victimized by ransomware, adware and banking Trojans for at least the next year.
According to CheckPoint security researchers, who discovered this critical flaw, the problem originates from a new permission called "SYSTEM_ALERT_WINDOW," which allows apps to draw over a device's screen on top of other apps.
This is the same feature that lets Facebook Messenger float on your screen and pop up when someone wants to chat.
Starting with Android Marshmallow (version 6), launched in October 2015, Google updated its policy that by default grants this extremely sensitive permission to all applications directly installed from the official Google Play Store.
This feature that lets malicious apps hijack a device's screen is one of the most widely exploited methods used by cyber criminals and hackers to trick unwitting Android users into falling victims for malware and phishing scams.
"According to our findings, 74 percent of ransomware, 57 percent of adware, and 14 percent of banker malware abuse this permission as part of their operation. This is clearly not a minor threat, but an actual tactic used in the wild," CheckPoint researchers note.
Google has been using an automated malware scanner called Bouncer to find malicious apps and prevent them from entering the Google Play Store.
Unfortunately, it’s a known fact that Google Bouncer is not enough to keep all malware out of the market, and our readers who follow regular security updates are probably aware of frequent headlines like "ransomware apps found on Play Store" and "hundreds of apps infected with adware targeting Play Store users."
Recently, researchers uncovered several Android apps available on Play Store carrying the 'BankBot banking trojan,' which abused the SYSTEM_ALERT_WINDOW permission to display overlays identical to each targeted bank app's login pages and steal victims' banking passwords.
This means that an unknown number of malicious apps equipped with this dangerous permission are still out there on Google Play Store, which could threaten the security of millions of Android users.
“After Check Point reported this flaw, Google responded it has already set plans to protect users against this threat in the upcoming version “Android O.”
“This will be done by creating a new restrictive permission called TYPE_APPLICATION_OVERLAY, which blocks windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows.”
Meanwhile, users are recommended to beware of fishy apps, even when downloading from Google Play Store.
Moreover, try to stick to the trusted brands only and always look at the comments left by other users.
Always verify app permissions before installing apps and grant only those permissions which have relevant context for the app's purpose if you want to be safe.
Google Play Apps Expose Tens of Millions to Adware: Sophos
11.5.2017 securityweek Android
More than 50 applications distributed via Google Play have exposed tens of millions of Android users to a piece of adware packed inside the apps, Sophos researchers warn.
Dubbed Android XavirAd, the adware library displays annoying ads to affected users, and also collects personal information and sends it to a remote server. Detected as Andr/Infostl-BK, the information-stealing component is believed to have compromised up to 55 million users.
To explain how the malicious code works, the security researchers analyzed an application called Add Text on A Photo. The app displays full screen advertisements at regular intervals, even when it isn't being used.
When launched, the XavirAd library contacts a remote server to get configuration code. The server sends it the advertisement settings, including full screen ad intervals, and the library saves the information in shared preferences. The domain used for this is api-restlet.com, which appears to have been registered a year and a half ago and which has its origins in Vietnam, the security researchers reveal.
The program then downloads another .dex file from cloud.api-restlet.com, meant to collect various information from the user’s phone: the email address for the Google account, list of installed apps, IMEI identifier and android_id, screen resolution, SIM operator, app installation source, and device manufacturer, model, brand, and OS version. The collected data is encrypted and sent to a web address.
To add insult to injury, the application states in its privacy policy that it does not collect any personal information from the user’s device.
Sophos’ researchers also discovered that the XavirAd library tries to hide itself from security inspection. It uses encrypted strings, the class constructor contains a different decryption routine for each class, and keys are different in each class, although the algorithm remains the same.
Additionally, the malicious code includes anti-sandbox technology to hide itself from dynamic analysis. The adware first checks for an emulator, then for a series of emulator-related strings, and stops its malicious behavior if it detects that it is running in a testing environment. It also checks the user’s email address for specific strings, as an additional layer of protection.
The list of Google Play apps found to contain the XavirAd library is available on Sophos’ blog. Users are advised to avoid them.
Android’s Vampire Bat Apps are listening to your life through ultrasonic beacons
8.5.2017 securityaffairs Android
Researchers at Technische Universitat Braunschweig published a study on 200+ Android mobile apps that are listening to your life through ultrasonic beacons.
Researchers at Technische Universitat Braunschweig in Germany recently published a finding that over 200 Android mobile applications are listening to your life through ultrasonic beacons.
Like digital electronic vampire bats, these apps are checking for ultrasonic beacons and the data is then used to track users and then serve them with targeted advertising.
Basically, software developers have teamed up with advertisers to have your phone pick up broadcast sounds inside stores, on TV and via the Internet. The ultrasonic beacon sounds vibrate at 18,000 to 20,000 times a second, which is well above the hearing range of most people. These beacon sounds are monitored covertly by the Android phone applications, which then transmit the results to the developer, who in turn sells the information that you were in a specific store, or watching the tagged ad on TV or the Internet.
The process is relatively simple by programming standards. The covert surveillance software is embedded into popular programs such as coupon offers, games or text message systems offered for free by various organizations. The first time you run the program – it embeds an endless loop called a “service” so the surveillance portion is always running even when you are not using the app or have restarted your phone. The surveillance software is also keyed to listen for specific frequencies of sound and will transmit that information when it detects that sound via a hidden internet link.
The technology and design employed by the app developers is similar in format to that used by the US Central Intelligence Agency (CIA) for surveillance, as revealed by Wikileaks in its VAULT7 publications. Companies caught using these apps so far include the Philippine versions of the McDonald’s and Krispy Kreme apps. The German researchers also found that four local retail stores had ultrasonic beacons installed, designed to trigger any listening cell phone.
“It was really interesting to find beacons at the entrance of some stores in two German cities,” says Erwin Quiring, a privacy researcher who worked on the study. “It affects all of us if there’s some kind of privacy invasive technique we don’t know about and which runs silently on phones.”
The applications, most of which are available on the Google Play Store, have not informed customers that they are being monitored and may continue to monitor them even after the app is uninstalled. The app developers, companies and advertisers involved are clearly in violation of the privacy agreement to post on Google Play which requires developers to “comprehensively disclose how an app collects, uses and shares user data, including the types of parties with whom it’s shared.”
Google has not commented publicly on whether it intends to pursue the developers for their privacy violations. Under Google policy, the developers and the advertising corporations may be prohibited from using the Play store, but a similar privacy violation by Uber against Apple only resulted in a quiet scolding and an apology. It is unlikely that Google will banish large corporations such as McDonald’s for breaking privacy requirements with surveillance apps distributed by the Play Store.
The researchers were able to focus their attention on one particular provider named Silverpush, which now claims that it has disabled the tracking features in its applications. However, the data shows that tracking apps developed with the Silverpush implanted covert surveillance technology have been downloaded more than 2 million times from Google Play.
Phone owners have few options when it comes to defending against this surveillance. The most effective is to closely inspect your applications using the SETTINGS menu. Each application has a permissions list which will show if they are allowed to record audio.
A hint to newbie users here: if you download a free flashlight app and it has audio recording permissions, it is doing more than turning your cellphone light on or off.
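One way to run the permission check above from a workstation instead of tapping through each app, as an added example that is not the article's own code: it parses the text that `adb shell dumpsys package <pkg>` prints (format assumed from Android 6 and later; the sample input below is constructed) and flags apps that can record audio, and whether they can also reach the network and restart at boot, which are the capabilities the article lists as separating a demo from an operational listener.

```python
"""Triage installed Android apps for covert-audio risk from `dumpsys package` output.

Assumptions (added example, not the article's code): `adb shell dumpsys package`
prints a "Package [name]" header, an "install permissions:" block and a per-user
"runtime permissions:" block with "<perm>: granted=true|false" lines.
"""
import re
import subprocess
import sys

RECORD_AUDIO = "android.permission.RECORD_AUDIO"
INTERNET = "android.permission.INTERNET"
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_dumpsys(text):
    """Return {package: {permission: granted_bool}} from dumpsys package text."""
    grants = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            grants.setdefault(current, {})
            continue
        m = GRANT_RE.match(line)
        if m and current is not None:
            perm, granted = m.group(1), m.group(2) == "true"
            # runtime grants are per user; a grant for any user counts
            grants[current][perm] = grants[current].get(perm, False) or granted
    return grants


def triage(grants):
    """Tag each audio-capable package: 'listener' if it may record audio,
    'exfil-capable' if it can also use the network, 'persistent' if it can
    also be started at boot (the pieces a background listener needs)."""
    findings = {}
    for pkg, perms in grants.items():
        if not perms.get(RECORD_AUDIO):
            continue
        tags = ["listener"]
        if perms.get(INTERNET):
            tags.append("exfil-capable")
        if perms.get(BOOT):
            tags.append("persistent")
        findings[pkg] = tags
    return findings


# Constructed sample (not captured from a device): a flashlight app holding
# audio + network + boot, a voice memo app with audio only, and a card game
# that requested but was denied audio.
SAMPLE_DUMPSYS = """\
Package [com.example.freeflashlight] (1a2b3c):
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.RECEIVE_BOOT_COMPLETED: granted=true
  User 0: ceDataInode=0 installed=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
Package [com.example.voicememo] (4d5e6f):
  install permissions:
    android.permission.WAKE_LOCK: granted=true
  User 0: ceDataInode=0 installed=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
Package [com.example.cardgame] (7a8b9c):
  install permissions:
    android.permission.INTERNET: granted=true
  User 0: ceDataInode=0 installed=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
"""


def main(argv):
    if len(argv) > 1 and argv[1] == "--device":
        # live mode: dump every third-party package over adb
        pkgs = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3"],
                              capture_output=True, text=True, check=True).stdout
        names = [l.split(":", 1)[1].strip() for l in pkgs.splitlines() if ":" in l]
        text = "".join(subprocess.run(["adb", "shell", "dumpsys", "package", n],
                                      capture_output=True, text=True).stdout
                       for n in names)
    else:
        text = SAMPLE_DUMPSYS
    for pkg, tags in sorted(triage(parse_dumpsys(text)).items()):
        print(f"{pkg}: {', '.join(tags)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with `--device` against a connected phone to triage real packages; a "listener, exfil-capable, persistent" flashlight or wallpaper app deserves a closer look.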
To demonstrate how easy it is to develop and use such a surveillance system, we put together a card game program that has a secret listener hidden inside it. The demonstration Black Jack program does not perform the “service” installation and records only once after the game is started, stopping when a player selects the “HIT” option. The output is written to a file in MP4 format and stored openly on the external SD card under the name “BJ(date/time).mp4”. The source code and signed Android APK run file are included in a zip file with a SHA256 checksum at:
https://www.softwar.net/blackjack.html
The differences between the demonstration program and the operational ultrasonic surveillance app systems are:
1 – Game demo does not install as a “SERVICE” so only runs when app is in use.
2 – Game demo does not have a special listener to detect ultrasonic beacon sounds.
3 – Game demo does not have a transmit feature to send data back to a controller.
4 – Game demo stores the recorded sound locally in a mp4 file so you can examine it.
However, as the demonstration quickly shows, a surveillance application designed to pick up sound does not limit itself to just ultrasonic beacons but can pick up all sounds. The ultrasonic beacon detection has to be programmed into the system to filter out other sounds. While companies that employ this kind of targeting state they do not listen to conversations, the potential is there to re-transmit your conversations to a controller just as the CIA versions do.
All that is required is to remove the code filtering out the ultrasonic beacon sound, and insert a routine to transmit all the sounds that are picked up. The end program would resemble a hidden one-way ISP phone service with everything within detection being relayed in real-time, or stored for later downloading if the phone is outside the range of an internet connection.
In addition, other information such as your phone number, GPS location and even proximity to the nearest beacons can be pinpointed by advertisers, who then market to you as if they were a salesman in your pocket, or by others who can abuse this technology. When combined with GPS location and even video surveillance, your cell phone becomes a major threat not only to your privacy but to your personal security as well.
The question for phone makers, owners, and government officials is exactly what are we all going to do about this? Phone makers can do a better job showing what powers each application is using and how the consumer can limit them. Owners can actually take the time to be more cautious; observing that Caveat emptor – “Let the buyer beware” – applies to free downloaded applications. Finally, government officials may want to consider new regulations on the use of such surveillance technology for marketing purposes.
Google Patches More Critical Flaws in Android Mediaserver
3.5.2017 securityweek Android
Google this week announced the contents of the May 2017 Android security patches, revealing that six Critical Remote Code Execution (RCE) flaws were addressed in the Mediaserver component.
Over the past couple of years, Mediaserver emerged as one of the most vulnerable Android components, after a Critical RCE bug dubbed Stagefright was said to affect 950 million devices. Detailed in July 2015, the vulnerability encouraged Google to issue monthly security updates for Android.
A second Stagefright flaw was resolved only months later, and Google addressed numerous other vulnerabilities in Mediaserver over the nearly two years of regular patches. The company even decided to re-architect Mediaserver with the release of Android 7.0 Nougat in August last year, but security researchers continue to find vulnerabilities in the component.
Published on Monday, Google’s Android Security Bulletin for May 2017 was divided into two patch levels: the 2017-05-01 partial security patch level string, which addresses 20 flaws, and the 2017-05-05 complete security patch level string, which addresses 98 issues. None of the vulnerabilities has been exploited or abused in live attacks, Google’s advisory reveals.
The six Critical issues in Mediaserver, resolved in the 2017-05-01 patch level string, could enable remote code execution on affected devices through multiple methods, including email, web browsing, and MMS when processing media files. The bugs impact numerous platform versions, including Android 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, and 7.1.2.
The patch level also addresses three High-risk Elevation of privilege (EoP) and four Denial of service (DoS) (two High, one Moderate, and one Low severity) vulnerabilities in the Mediaserver component.
The remaining 7 issues include two High risk bugs in Framework APIs (one EoP and one Information disclosure), a High severity EoP in Audioserver, a Medium risk EoP in Bluetooth, and three Moderate severity Information disclosure vulnerabilities (in File-Based Encryption, Bluetooth, and OpenSSL & BoringSSL).
The 2017-05-05 security patch string resolves 23 Critical bugs, 59 High severity issues, and 16 Moderate risk flaws. All of the vulnerabilities addressed in the previous strings are also resolved in this patch level, Google notes.
The 23 Critical bugs included an RCE in GIFLIB, 8 EoPs in MediaTek touchscreen driver, Qualcomm bootloader, kernel sound subsystem, Motorola bootloader, NVIDIA video driver, Qualcomm power driver, kernel trace subsystem, and 14 various vulnerabilities in Qualcomm components.
Of the 59 High severity issues, 14 were various bugs in Qualcomm components; one RCE in libxml2; 40 EoPs in MediaTek drivers, Qualcomm drivers, kernel subsystems (performance and networking), Goodix touchscreen driver, and HTC bootloader; 3 Information disclosure flaws in MediaTek command queue driver and Qualcomm Wi-Fi and crypto engine drivers; and one DoS in Qualcomm Wi-Fi driver.
All of the 16 Moderate severity vulnerabilities were Information disclosure bugs, affecting kernel UVC driver and kernel trace subsystem, Qualcomm drivers (video, power, LED, shared memory, sound codec, camera, sound, SPCom), Broadcom Wi-Fi driver, and Synaptics touchscreen driver.
“The most interesting piece of the May Android patches is that Google fixed six issues affecting Mediaserver, all with critical severity indicating the potential for remote code execution. What is not clearly stated is whether the mitigations added into the Android 7.0 release might actually prevent an attacker from exploiting the bugs,” Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team (VERT), told SecurityWeek in an emailed comment.
“With Android 7.0, Google has revamped the Mediaserver component by moving risky parsing code into unprivileged sandboxes and by enabling Undefined Behavior Sanitizer (UBSAN) to prevent exploitation of the most common bug classes found in this component. It would be nice to see Google release more detailed bulletins indicating the impact of various vulnerabilities specifically to the different Android versions.
“It is also good to see that Google’s telemetry through SafetyNet did not reveal any active customer exploitation of any flaws fixed in the May update,” Young concluded.
Fake app hiding the SMSVova spyware went undetected for years in the Google Play Store
23.4.2017 securityaffairs Android
Millions of users looking to get software updates have downloaded an app hiding a spyware called SMSVova through the official Google Play store.
Bad news for millions of Android users looking to get software updates, they have been tricked into downloading a spyware called SMSVova through the official Google Play store.
Experts at Zscaler discovered that the bogus app was posing as a legitimate application called “System Update” and claiming to provide users with access to the latest Android software release.
It has been estimated that the fake application hiding the SMSVova spyware was uploaded in the Google Play in 2014, and has been downloaded between 1,000,000 and 5,000,000 times.
Experts reported the discovery to Google that promptly removed it from the store.
The SMSVova spyware was developed to track the physical location of users and was controlled by attackers via SMS messages.
“In our ongoing effort to hunt malware, the Zscaler ThreatLabz team came across a highly suspicious app on the U.S. Google Play Store that has been downloaded between one and five million times since 2014.” reads the analysis published by Zscaler. “Upon analysis, we found it to be an SMS-based Spyware, which can steal and relay a victim’s location to an attacker in real time.”
According to Zscaler, once the app was installed and users tried to open it, they were shown the message:
‘Unfortunately, Update Service has stopped.’
then the app hides itself from the main screen and launches the phone’s MyLocationService, which collects location data and stores it in the Shared Preferences directory of the mobile device.
Despite the error message, the spyware sets up an Android service and broadcast receiver:
MyLocationService: Fetches last known location
IncomingSMS (Receiver): Scans for incoming SMS message
SMSVova monitors incoming SMS messages with specific characteristics: messages more than 23 characters in length that contain the text string “vova-”, as well as messages containing “get faq.”
“Once the spyware has been installed on the victim’s device, an attacker can send an SMS message ‘get faq’ and this spyware will respond with a set of commands,” according to Zscaler.
The SMSVova spyware implements other commands, including “changing current password” and “setting low battery notification.” According to Desai, those behind the spyware use the SMS commands in order to instruct SMSVova to retrieve and text back location data. The “setting low battery notification” message is used to instruct the phone to text location data when the battery runs low.
It’s still a mystery why the threat actor behind the spyware is collecting location data.
It is interesting to note that the SMS-based behavior and exception generation at the initial stage of the startup weren’t detected by the antivirus engines on VirusTotal.
Authors of the SMSVova spyware designed the threat to evade detection by antivirus solutions and Google Play’s malware detector. The app was last updated in December 2014; at that time the controls implemented by Google weren’t so stringent, but the malicious code still eluded Google’s detector for years.
It is curious to note that according to the recent Google Android Security 2016 Year In Review report, in 2016 devices that installed applications only from Google Play had fewer than 0.05 percent of potentially harmful applications installed.
“There are many apps on the Google Play store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report,” concluded the analysis.
Millions Download "System Update" Android Spyware via Google Play
20.4.2017 securityweek Android
Millions of users looking to get Android software updates have been tricked into downloading spyware on their devices through the Google Play marketplace, Zscaler reveals.
Posing as a legitimate application called “System Update” and claiming to provide users with access to the latest Android software updates, the spyware made it to Google Play in 2014, and has registered between 1,000,000 and 5,000,000 downloads by the time Google was alerted and removed it from the store.
Instead of delivering on its promise, however, the malware spies on users’ exact geolocation and can send it to the attacker in real time. It receives commands from its operator via SMS messages, the security researchers explain.
The application’s Google Play page should have been a warning to users that it wasn’t what it appeared to be, given that it displayed blank screenshots and users were complaining about its lack of functionality, yet many still downloaded and installed it. The page also stated that the “application updates and enables special location features.”
When the user attempts to run the installed app, however, an error message is displayed: “Unfortunately, Update Service has stopped.” In the background, the application sets up an Android service and broadcast receiver to fetch the last known location and scan for incoming SMS messages.
The spyware is looking for incoming messages that feature a specific syntax, Zscaler explains: “the message should be more than 23 characters and should contain ‘vova-’ in the SMS body. It also scans for a message containing ‘get faq’.”
The attacker can set a location alert when the device’s battery is running low, and can also set their own password for the spyware (the application comes with the default password “Vova”). After a phone number and password are set, the spyware starts a process to send the device’s location to the attacker.
“The SMS-based behavior and exception generation at the initial stage of startup can be the main reason why none of the antivirus engines on VirusTotal detected this app at the time of analysis,” Zscaler explains.
The application was last updated in December 2014 and managed to evade detection for a long time, but its functionality remained active. What’s more, the security researchers discovered the same code for stealing a victim’s location as the DroidJack Trojan that was discovered several years ago, and which was recently posing as fake Pokemon GO and Super Mario Run games for Android.
“There are many apps on the Google Play Store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app [in] this report. It portrayed itself as a system update, misleading users into thinking they were downloading an Android System Update,” Zscaler concludes.
Android Trojan Targeting Over 420 Banking Apps Worldwide Found On Google Play Store
14.4.2017 thehackernews Android
Do you like watching funny videos online?
I am not much of a funny person, but I love watching funny video clips online, and this is one of the best things that people can do in their spare time.
But, beware if you have installed a funny video app from Google Play Store.
A security researcher has discovered a new variant of the infamous Android banking Trojan hiding in apps under different names, such as Funny Videos 2017, on Google Play Store.
Niels Croese, the security researcher at Securify B.V firm, analyzed the Funny Videos app that has 1,000 to 5,000 installs and found that the app acts like any of the regular video applications on Play Store, but in the background, it targets victims from banks around the world.
This newly discovered banking Trojan works like any other banking malware, but two things that make it different from others are — its capability to target victims and its use of the DexProtector tool to obfuscate the app's code.
Dubbed BankBot, the banking trojan targets customers of more than 420 banks around the world, including Citibank, ING, and some new Dutch banks, like ABN, Rabobank, ASN, Regiobank, and Binck, among many others.
How Android Banking Trojan Works
In a nutshell, BankBot is mobile banking malware that looks like a simple app and once installed, allows users to watch funny videos, but in the background, the app can intercept SMS and display overlays to steal banking information.
Mobile banking trojans often disguise themselves as a plugin app, like Flash, or as an adult content app, but this app made its way onto Google Play Store by disguising itself as any other regular Android app.
Google has removed this malicious app from its Play Store after receiving the report from the researcher, but this does not mean that more such apps do not exist there with different names.
"Another problem is that Google [Play Store] mainly relies on automated scanning without a full understanding of the current obfuscation vectors resulting in banking malware on the Google Play Store." researcher told The Hacker News.
Once downloaded, the app persistently requests administrative rights, and if granted, the banking malware can control everything that's happening on an infected smartphone.
The BankBot springs into action when the victim opens any of the mobile apps from a pre-configured list of 425 banking apps. A complete list of banks a BankBot variant is currently imitating can be found on the blog post published by the researcher.
Once one of the listed apps is opened, BankBot immediately displays an overlay, which is a page on top of the legitimate mobile banking app, and tricks Android users into entering their banking credentials into the overlay, just like a phishing attack.
This not only sends your banking credentials to your bank’s servers but also sends your financial credentials to the server controlled by fraudsters.
This social engineering technique is often used by financially motivated criminals to deceive users into giving up their personal details and sensitive banking information to fraudsters.
How to protect yourself?
There are standard protection measures you need to follow to remain unaffected:
Install a good antivirus app that can detect and block such malware before it can infect your device. Always keep the app up-to-date.
Always stick to trusted sources, like Google Play Store and the Apple App Store, and verify app permissions before installing apps. If any app is asking for more than what it is meant for, just do not install it.
Do not download apps from third-party sources. Although in this case the app was distributed through the official Play Store, most often such malware is distributed via untrusted third-party app stores.
Avoid unknown and unsecured Wi-Fi hotspots and keep your Wi-Fi turned OFF when not in use.
Be careful which apps you give administrative rights to. Admin rights are powerful and can give an app full control of your device.
Never click on links in SMS or MMS sent to your mobile phone. Even if the email looks legit, go directly to the website of origin and verify any possible updates.
Android Trojan Uses Sandbox to Evade Detection
8.4.2017 securityweek Android
The Triada malware, said last year to be the most advanced mobile threat, recently boosted its detection evasion capabilities with the adoption of sandbox technology, Avast security researchers reveal.
Detailed for the first time in March last year, the malware was observed leveraging the Zygote process to hook all applications on a device. Featuring a modular architecture, the Trojan was mainly designed to redirect financial SMS transactions to buy additional content or steal money from the user.
Recently, Triada started using the open source sandbox DroidPlugin, which is designed to dynamically load and run an app without actually installing it. With the help of this sandbox, Triada loads malicious APK plugins, thus running them without having to install them on the device. Because of this practice, anti-virus solutions have a hard time detecting the malware, because its malicious components are not stored in the host app.
The malware is being distributed with the help of social engineering tactics, by deceiving victims into downloading the malware. Once installed, the threat hides its icon from the phone’s desktop and starts stealing personal information in the background, without ever alerting the victim.
While the earliest variant of the malware didn’t use DroidPlugin, a new variant that emerged in November started integrating it, Avast researchers explain. Around the same time the new Triada variant emerged, the malware author reportedly submitted an issue to DroidPlugin to report an out-of-memory bug.
According to Avast, the malware disguises itself as Wandoujia, a famous Android app store in China. Furthermore, it was observed hiding all of its malicious APK plugins in the asset directory, for DroidPlugin to run.
“Each of these plugins has its own dedicated malicious action to spy on the victim, including file stealing, radio monitoring, and more. One of the plugins communicates with a remote command and control (C&C) server, which instructs which activities should be carried out. These are then carried out by the other APKs,” the researchers say.
Avast also explains that the malware developer didn’t integrate the malicious plugins into the application, but instead opted to use the DroidPlugin sandbox to dynamically load and run them, specifically to bypass antivirus detection. The host application doesn’t include malicious actions, so antivirus solutions won’t detect and block it.
Only a couple of cases of malware using sandboxes for their nefarious purposes have been observed so far, but more instances might emerge. “While it can be convenient to use a sandbox to run an app without installing it, sandboxes can also be used maliciously by malware,” Avast concludes.
Cyberspies Target Middle East With Windows, Android Malware
5.4.2017 securityweek Android
A cyberespionage group apparently not linked to any previously known threat actor has been using several Windows and Android malware families in attacks aimed at organizations in the Middle East.
The first report on this group’s activities was published last month by Chinese security firm Qihoo 360, which tracks the actor as APT-C-23 and Two-Tailed Scorpion. Researchers at Palo Alto Networks and ClearSky have also conducted a joint investigation into the gang’s operations.
According to the security firms, the group uses Windows and Android malware to spy on victims. Qihoo 360 said it observed nearly 85 percent of infections in Palestine, followed by Israel, but Palo Alto also reported seeing victims in Egypt and the United States.
As for the types of organizations targeted, Qihoo reported that educational institutions appeared to be the main target, followed by military organizations, while Palo Alto mentioned media companies.
Palo Alto Networks and ClearSky have dubbed the Windows malware families used by these cyberspies KASPERAGENT and MICROPSIA. The Android threats are being tracked as SECUREUPDATE and VAMP.
The attackers delivered their malware using fake news websites and spear-phishing emails containing Bit.ly shortened links. Two of the Bit.ly links analyzed by researchers had been clicked hundreds of times.
KASPERAGENT, named so based on a “Kasper” string found in several of the analyzed samples, is used as a reconnaissance tool and downloader for other payloads. However, some of the samples include additional capabilities that allow the hackers to steal passwords from Chrome and Firefox, take screenshots, log keystrokes, execute arbitrary commands, exfiltrate files, and update the malware.
The second Windows malware family used by Two-Tailed Scorpion is MICROPSIA, which allows attackers to log keystrokes, capture screenshots, and steal Office documents.
Researchers initially found no connection between the two malware families, but they eventually uncovered a link: an email address used to register the command and control (C&C) domains.
Some of the domains registered with that email address were also found to host Android malware disguised as harmless applications. One of them is SECUREUPDATE, a backdoor that acts as a downloader for other malware.
The second Android malware is VAMP, which can record calls, harvest contact information, access messages, and steal documents from the infected device.
Both the Android and Windows malware attacks also involve phishing websites that attempt to trick users into handing over their credentials.
Palo Alto has discovered roughly 200 samples of the Windows malware and 17 Android malware samples. The security firm has been monitoring the threat since March 2016, but the KASPERAGENT malware had been used since at least July 2015.
“Through this campaign there is little doubt that the attackers have been able to gain a great deal of information from their targets,” explained Palo Alto Networks researchers. “The scale of the campaign in terms of sheer numbers of samples and the maintenance of several different malware families involved suggests a reasonably sized team and that the campaign is not being perpetrated by a lone wolf, but rather a small team of attackers.”
Android Chrysaor spyware went undetected for years
5.4.2017 securityaffairs Android
Chrysaor spyware is an Android surveillance malware that remained undetected for at least three years, NSO Group Technology is suspected to be the author.
Security experts at Google and Lookout spotted an Android version of one of the most sophisticated mobile spyware families, known as Chrysaor, that remained undetected for at least three years. The experts, in fact, were not able to analyse the threat earlier due to its smart self-destruction capabilities. The Chrysaor spyware has been found installed on fewer than three dozen Android devices.
Chrysaor was used in targeted attacks against journalists and activists, mostly located in Israel; other victims were in Georgia, Turkey, Mexico, the UAE and other countries.
Experts believe the Chrysaor espionage Android malware was developed by the Israeli surveillance firm NSO Group Technologies; we met this company when researchers spotted its Pegasus iOS spyware in the wild.
The Chrysaor Android spyware implements several features including:
Exfiltrating data from popular apps including Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao.
Controlling device remotely from SMS-based commands.
Recording Live audio and video.
Keylogging and Screenshot capture.
Disabling of system updates to prevent vulnerability patching.
Spying on contacts, text messages, emails and browser history.
Self-destruct to evade detection
The surveillance firm NSO Group Technologies produces the best surveillance technology for governments and law enforcement agencies worldwide, but privacy advocates and activists accuse the firm of also selling its malware to dictatorial regimes.
“Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps,” reads a blog post published by Google.
“We’ve contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users.”
The threat was hard to analyse because it has the ability to delete itself when it detects any suspicious activity that could be related to its detection.
“Pegasus for Android will remove itself from the phone if:
The SIM MCC ID is invalid
An “antidote” file exists
It has not been able to check in with the servers after 60 days
It receives a command from the server to remove itself” reads the analysis published by Lookout.
Researchers believe that the Chrysaor APK has also been distributed via SMS-based phishing messages, just like the Pegasus infection on iOS devices.
Chrysaor exploits a well-known Android-rooting exploit called Framaroot to root the device and gain full control over the mobile device.
The experts noticed that the Chrysaor spyware dates back to 2014; this means it is possible that the NSO Group discovered zero-day vulnerabilities in the Android OS and implemented exploit code in the latest version of the Chrysaor spyware.
Lookout published a detailed analysis of the Chrysaor spyware titled “Pegasus for Android: Technical Analysis and Findings of Chrysaor.”
Google just discovered a dangerous Android Spyware that went undetected for 3 Years
4.4.2017 thehackernews Android
An Android version of one of the most sophisticated pieces of mobile spyware has been discovered, which remained undetected for at least three years due to its smart self-destruction capabilities.
Dubbed Chrysaor, the Android spyware has been used in targeted attacks against activists and journalists mostly in Israel, but also in Georgia, Turkey, Mexico, the UAE and other countries.
Chrysaor espionage malware, uncovered by researchers at Lookout and Google, is believed to be created by the same Israeli surveillance firm NSO Group Technologies, who was behind the Pegasus iOS spyware initially detected in targeted attacks against human rights activists in the United Arab Emirates last year.
NSO Group Technologies is believed to produce the most advanced mobile spyware on the planet and to sell it to governments and law enforcement agencies worldwide, as well as to dictatorial regimes.
The newly discovered Chrysaor spyware has been found installed on fewer than three-dozen Android devices, although researchers believe that there were more victims before its detection, who most likely have either formatted or upgraded their phones.
"Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps," Google said in its own blog post published Monday.
"We've contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users."
Just like Pegasus for iOS, the newly discovered Chrysaor for Android also offers a wide array of spying functions, including:
Exfiltrating data from popular apps including Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao.
Controlling device remotely from SMS-based commands.
Recording Live audio and video.
Keylogging and Screenshot capture.
Disabling of system updates to prevent vulnerability patching.
Spying on contacts, text messages, emails and browser history.
Self-destruct to evade detection
"If it feels like it's going to be found, it removes itself," said Lookout Security researcher Michael Flossman. "That's why it took so long to find these samples."
Researchers believe that Chrysaor APK has also been distributed via SMS-based phishing messages, just like Pegasus infection on iOS devices.
While Pegasus leveraged three then-zero day vulnerabilities in Apple's iOS operating system to jailbreak the targeted iOS devices, Chrysaor uses a well-known Android-rooting exploit called Framaroot to root the device and gain full control over the operating system.
Since Chrysaor dates back to 2014, there are possibilities that NSO group might have discovered zero-day vulnerabilities in Android and deployed them on the latest version of Chrysaor for Android, Lookout warned.
Lookout has also provided full, technical details on Chrysaor in its report [PDF] titled "Pegasus for Android: Technical Analysis and Findings of Chrysaor." So, you can head on to the link for a more detailed explanation on the malware.
How to Protect your Android device from Hackers? Google recommends that users install apps only from reputable sources, protect their device with a PIN or password lock, enable the ‘verify apps’ feature from settings, and, obviously, keep their device up-to-date with the latest security patches.
No Prizes Awarded in Google's Android Hacking Contest
3.4.2017 thehackernews Android
Google reported last week that its Project Zero Prize contest was not as successful as the company hoped it would be – no valid Android exploits were submitted and no prizes were awarded.
In September, Google announced the start of a six-month Android hacking contest that invited researchers to submit serious vulnerabilities and exploit chains. The first winning entry was offered $200,000, and the second would have received $100,000. Other entries were promised at least $50,000.
While some research teams and individuals informed the company of their intention to take part in the contest, ultimately, no one submitted any valid bugs, said Google Project Zero’s Natalie Silvanovich. Some vulnerability reports were submitted, but they were not eligible for a reward under the rules of the Project Zero Prize.
Google believes three main factors led to the lack of entries. One of them was the level of difficulty – hackers were required to find a full exploit chain that allowed remote code execution on up-to-date Nexus 6P and Nexus 5X devices by knowing only their email address and phone number. The targeted user could only open an email in Gmail or an SMS in Messenger.
Project Zero Prize participants were encouraged to submit partial exploits during the contest as the rules only allowed the first submitter to use a certain vulnerability during the contest.
“We expected these rules to encourage participants to file any bugs they found immediately, as only the first finder could use a specific bug, and multiple reports of the same Android bug are fairly common,” Silvanovich explained. “Instead, some participants chose to save their bugs for other contests that had lower prize amounts but allowed user interaction, and accept the risk that someone else might report them in the meantime.”
The tech giant also believes the prizes offered in the contest may have been too small for the types of vulnerabilities that were required. For example, zero-day acquisition firm Zerodium also offers up to $200,000 for Android rooting exploits and they can fetch much more on the black market.
While this contest was not a success, researchers do find plenty of vulnerabilities in Android. Google revealed recently that it paid out roughly $1 million for Android flaws reported last year through its vulnerability reward program.
Verizon to pre-install a 'Spyware' app on its Android phones to collect user data
31.3.2017 thehackernews Android
If the death of online privacy rules wasn't enough for Internet Service Providers and advertisers to celebrate, Verizon has planned to pre-install spyware on customers' Android devices in order to collect their personal data.
The telecom giant has partnered with Evie Launcher to bring a new application called 'AppFlash' — a universal search bar that will come pre-installed on the home screens of all Verizon Android handsets for quickly finding apps and web content.
AppFlash is simply a Google search bar replacement, but instead of collecting and sending telemetry data including what you search, handset, apps and other online activities to Google, it sends them to Verizon.
What's worse? Just like other pre-installed bloatware apps, Android users can't uninstall AppFlash unless they have rooted their phone.
AppFlash allows you to search inside apps or browse through listings of nearby restaurants and entertainment. The built-in Google Search can already do all of this, so there's nothing this app does that a Google search can't.
Then what's the need for this app? Of course, selling your data to advertisers or other big data companies and making money — thanks to the US Senate, which allowed ISPs to collect and sell your data without permission and banned the FCC from ever passing any rule that would limit these powers.
Here's what the privacy policy of AppFlash reads:
We collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them.
We also access information about the list of apps you have on your device. With your permission, AppFlash also collects information about your device’s precise location from your device operating system as well as contact information you store on your device.
AppFlash information may be shared within the Verizon family of companies, including companies like AOL who may use it to help provide more relevant advertising within the AppFlash experiences and in other places, including non-Verizon sites, services, and devices.
What's more? There is a 'Suggested Apps' section on the AppFlash main screen, which means that those apps have paid Verizon a good price to list on the main screen.
How to Get Rid of ‘AppFlash’ on Your Verizon Android Phone
Users can get rid of this bloatware in two ways: you can either root your device and remove the app in question, or only disable the app.
1. Root to remove AppFlash from Android: Since the company has made AppFlash a default app on the home screen of its Android handsets to help users search content and browse the internet, the app cannot be uninstalled.
So, in order to uninstall AppFlash, you are required to root your Android device and then delete the app from your storage memory.
2. Disable AppFlash without Root: Since rooting is a risky process that voids your device's warranty, you can simply disable AppFlash instead.
Disabling bloatware apps on newer phones is easy, as Android has a built-in way to do this, which doesn't require any root access.
Just head to Settings → Apps (or 'Applications' on some phones) → AppFlash. Open it and tap 'Disable,' then 'Force Stop' and 'Clear Data' as well.
Android Forums Suffers Data Breach
24.3.2017 securityweek Android
Android Forums, one of the most popular online Android communities, informed members this week that the server hosting its website has been breached, allowing attackers to access some user information.
According to representatives of Neverstill Media, which maintains Android Forums, hackers only managed to access information on 2.5 percent of active users. The compromised data includes email addresses, hashed passwords and salts.
Neverstill said usernames and financial data were not accessed. The company also noted that the breach only affected one staff member and only 40 users who registered accounts in 2016 and 2017. More than half of the compromised accounts had never posted anything on Android Forums, leading developers to believe they may have been bots.
Affected users have been notified via email and instructed to change their passwords. The passwords of impacted accounts that had not been active were automatically randomized.
The accessed information can be leveraged for spam and phishing campaigns, and users have been advised to be cautious.
“This could be someone who is upset with us who hopes to use the information against staff. They could blackmail us and threaten to publish the information publicly,” Android Forums told users.
The vulnerability exploited by the attackers has been patched and various security improvements are being made to prevent incidents in the future.
This is not the first time Android Forums has suffered a data breach. A similar incident took place in 2012, when more than one million users, including staff, had their details exposed. At the time, attackers accessed usernames, email addresses, hashed and salted passwords, IPs, and other data.
It’s unclear why usernames have not been stolen in the latest breach, but Android Forums has some theories.
“Perhaps just in case a null entry was to be found/flagged. Perhaps they were bound by the limitations of the vector they used. Perhaps they were practicing on us,” users were told. “Or, they could be comparing hashes against the previous set to see what has or has not changed.”
Data breach – Are you an Android Forums user? Reset your passwords now.
24.3.2017 securityaffairs Android
Android Forums has disclosed a data breach; according to the moderators at the site, roughly 2.5 percent of users have been affected.
Android Forums is the latest victim of a data breach, with roughly 2.5 percent of users affected.
The moderators at Android Forums confirmed they have been able to identify the compromised accounts and, in response to the incident, have reset the passwords for those accounts.
The moderators added that many of the affected accounts were older and half of them had never posted to Android Forums.
“Unfortunately, we were recently informed by our server engineers that the server hosting Android Forums was compromised and the website’s database was accessed.” reads the data breach notification published by Android Forums. “While this breach was relatively small, affecting less than 2.5% of our active users and limited data accessed, we want to provide as much helpful information as possible so you can take some steps to protect yourself.”
The hackers who breached the database of the forum accessed email addresses, hashed passwords, and salt. The moderators warn users of possible spear phishing attacks leveraging on stolen data.
“This could simply be an e-mail harvesting attempt. A spammer could run the acquired email addresses through a validation tool, then bulk e-mail all valid emails in a spam or phishing campaign. Luckily, Gmail and similar e-mail services offer strong spam prevention that automatically filters potential spam and phishing attempts or provides warning.” reads the notification. “At any rate, with emails phishing attempts could be made. They could pretend to be us, with emails sent out. Be cautious with what is asked of you in an email. We will never ask for your password in email.”
Of course, every user of Android Forums is strongly advised to change their password as a precautionary measure.
The administrators of the forum have identified and resolved the flaw exploited by the attackers, and they have also implemented further measures to harden the site.
Below is the information shared by the administrators in the advisory:
The exploit used has been identified and resolved. The server is being further hardened and extra “just in case” actions are being taken.
No other sites in our network appear to have been accessed.
We were able to replay the attack and log the output – identifying all accounts compromised. We have targeted an email, and this notice, to those accounts.
Only 1 staff member was affected. Only about 40 people who have registered in 2016 and 2017. The rest are older accounts.
Over 50% of accounts compromised never posted on the site, leading us to believe many of those were bots.
Information taken: Email address, hashed password, and salt. Usernames were NOT taken.
The Neverstill Team that runs the forum apologized for the incident.
The improvements announced by site administrators include site-wide HTTPS support and a new 2-step authentication requirement for internal staff.
Security Improvements Make Android More Attractive to Business
24.3.2017 securityweek Android
Google Outlines State of Android Security With 2016 Year In Review Report
Accepting Android as a staff BYOD (Bring Your Own Device) option has always been tempered by security officers' understanding that it is less secure than iOS. In the last year, Google has made serious efforts to reduce that perception. The Android Security 2016 Year in Review report (PDF), published this week by Google, describes two areas in which the company has particularly improved Android security: updates, and the elimination of malicious apps.
Security updates, or patches, have always been a problem in the Android ecosystem. The difficulty is the sheer number of different Android manufacturers involved, some of which rarely distribute the monthly updates provided by Google. Over the last year, Google has worked on improving this. It has concentrated on two areas: improving the discovery and responsible disclosure of vulnerabilities in its partners' products; and improving the speed and regularity of device patching.
It has achieved what can be described as partial success. "As of December 2016," says the report, "735 million Android devices report a 2016 security patch level." The downside is that this still leaves a similar number that did not. Nevertheless, "Over the course of the year, Android device manufacturers became more efficient at delivering monthly security updates, including expanding their security programs to accept and address security vulnerabilities specific to their devices."
New models of Google's own products, Pixel and Nexus, and several of the major manufacturers such as Samsung and LG, have introduced automatic updating. At the end of 2016, Android 7.1.1 introduced new features to improve updating generally with automatic updates. "To do this," says Google, "devices have two system images: one for the currently active system and one to receive an updated image. When an update is available, the device downloads the new system image in the background. The device seamlessly switches to the new software update the next time it reboots... As more new phones are sold with Android 7.1.1, this feature will become available on a wider variety of devices."
Google also improved its ability to detect and remove potentially harmful apps (PHAs), such as trojans, spyware and phishing apps, both on the device and from within the Google Play Store. "The goal," says Google, "is to provide the right protection at the moment it is needed by the user." During 2016, Google's security services performed over 790 million device security scans daily, covering phones, tablets, watches and TVs. This is up from around 450 million in the previous year.
Similar attention is given to the apps in Google Play, and PHA installations from Play have fallen dramatically: trojan installs fell by 51.5%, hostile downloaders by 54.6%, backdoors by 30.5%, and phishing apps by 73.4%. "By the end of 2016," claims Google, "only 0.05 percent of devices that downloaded apps exclusively from Play contained a PHA; down from 0.15 percent in 2015."
Google accepts that there is still work to do, especially to protect those devices that install apps from outside of Play -- and it expects to do this in the present year. "We believe that advances in machine learning and automation can help reduce PHA rates significantly in 2017, both inside and outside of Google Play."
As it stands, according to Google's figures, users of mainstream Google devices that limit app installations to Google Play are increasingly secure; and already significantly more secure than last year. This has to be good news for all organizations with -- or considering -- an Android-based BYOD policy for staff.
Rogue Cellphone towers used to spread the Android Swearing Trojan
23.3.2017 securityaffairs Android
Chinese scammers are deploying rogue cellphone towers to spread the Android Swearing Trojan via malicious URL in SMS messages.
Chinese scammers are deploying fake mobile base stations to spread the Android Swearing Trojan in text messages.
The attackers have improved on the well-known smishing attack by using rogue cell phone towers as the attack vector, distributing the Android banking malware via spoofed SMS messages.
The rogue cellphone towers send SMS messages that include a malicious URL and purport to come from China Telecom or China Unicom. According to the experts from Check Point, China's Tencent has also observed a more conventional malware dropper in infected applications.
With this technique, the scammers avoid the controls implemented by carriers.
The Swearing Trojan is quite similar to other banking trojans: it steals user data and can bypass two-factor authentication (2FA).
It is able to intercept the one-time code sent to the user via SMS during the authentication phase. By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless.
“By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless.” reads the analysis published by CheckPoint
Since the Google Play Store is blocked in China, it is easy for scammers to trick users into installing an APK from an untrusted source just by sending an SMS.
“Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware,” continues CheckPoint Security.
Swearing Trojan also spreads through other phishing lures:
Work related documents: A fake SMS message coming from a manager asks the user to download and open an important document right away, and to reply to comments inside.
Photos or videos: A fake SMS message claims to include a picture of a memorable event, or to be of a cheating spouse.
Trending events: A recent example posed as a MMS message including a video of a cheating celebrity wife caught in action.
App update notifications: An SMS message claims to be from a bank or telecom provider, and asks the user to install critical updates.
This version of the Swearing Trojan doesn't use command and control servers; instead, the malicious code sends information back to the crooks via SMS or email.
Although Tencent reported the arrest of the cybercriminal gang associated with the Swearing Trojan, the new wave of attacks leveraging the malware demonstrates that another gang is using the code.
Hackers Using Fake Cellphone Towers to Spread Android Banking Trojan
22.3.2017 thehackernews Android
Chinese Hackers have taken Smishing attack to the next level, using rogue cell phone towers to distribute Android banking malware via spoofed SMS messages.
SMiShing — phishing attacks sent via SMS — is a type of attack in which fraudsters use number spoofing to send convincing bogus messages that trick mobile users into downloading a malware app onto their smartphones or lure victims into giving up sensitive information.
Security researchers at Check Point Software Technologies have uncovered that Chinese hackers are using fake base transceiver stations (BTS towers) to distribute "Swearing Trojan," an Android banking malware that once appeared neutralized after its authors were arrested in a police raid.
This is the first reported real-world case in which criminals used a BTS — a piece of equipment usually installed on cellular telephone towers — to spread malware.
The phishing SMS, which masquerades as a message from Chinese telecom service providers China Mobile and China Unicom, contains very convincing text with a link to download a malicious Android APK.
Since Google Play Store is blocked in China, the SMS easily tricks users into installing the APK from an untrusted source.
"Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware," the researchers said in the blog post.
Once installed, the Swearing malware distributes itself by sending automated phishing SMSes to a victim's contacts.
Although the maximum range of a BTS antenna may be as low as 10-22 miles, the technique is very effective and sophisticated in targeted attacks.
Discovered last year by Tencent Security researchers, the Swearing Trojan has the capability to steal bank credentials and other sensitive information from victim Android devices and to bypass two-factor authentication by replacing a user's legit SMS app with a malicious version that intercepts incoming SMS messages.
What's more interesting? To avoid detection of any malicious activity, the Swearing trojan doesn't connect to any remote command-and-control (C&C) server. Instead, it uses SMS or emails to send stolen data back to the hackers.
"This provides the malware with good cover for its communications and hinders attempts to trace any malicious activity."
While this particular malware campaign has usually targeted Chinese users, Check Point researchers warned in a blog post that the threat could quickly spread worldwide when adopted by Western malware.
The malware scheme seems to be larger than previously thought, as according to researchers, only 21cn.com email addresses were used in the initial malware campaign, while new attacks used other popular Chinese email service providers, such as 163.com, sina.cn, and qq.com, and Alibaba Cloud and other cloud service hosted email accounts as well.
Check Point also points to the nasty HummingBad trojan, which was likewise first discovered in the Chinese mobile market; such campaigns "turned out to be early birds which continued to spread worldwide" once adopted by Western malware.
Google Kicks Out Largest Android Adware Family From The Play Store
14.3.2017 thehackernews Android
With the rise in the mobile market, Adware has become one of the most prevalent mobile threats in the world. Adware has traditionally been used to aggressively push ads like banners or pop-ups on mobile screens to make money.
The troublesome part is that Adware is now becoming trojanized and more sophisticated, as it aggressively collects personal data from the mobile device it's installed on, including name, birth date, location, serial number, contacts, and browser data without users' consent.
However, the risk is a bit higher on Android than other platforms because of the extra permissions that apps enjoy.
Although Google has stepped up its efforts to remove potentially harmful apps from its Play Store in the past years and added more stringent malware checks for new apps, adware apps eventually find their way into its mobile app marketplace to target millions of Android users.
In its recent efforts to make its Play Store ecosystem safe, Google discovered a massive new ad-fraud botnet family that was infecting Android users through apps hosted on its official Play Store.
Dubbed Chamois, the family of PHAs (potentially harmful applications) was capable of bombarding users with pop-up ads, boosting app promotion by automatically installing other applications in the background, subscribing users to premium services by sending text messages and downloading additional plugins without their knowledge.
Google engineers said they caught Chamois after they discovered suspicious ad traffic while performing a routine ad traffic quality evaluation.
Despite the fact that the app uses obfuscation and anti-analysis techniques to evade detection, Google engineers eventually uncovered a massive network of developers that had tricked users into installing malicious apps on their phones.
The goal behind the malware-laced apps appears to have been ad fraud, making money by employing different techniques to bypass Google's detection and prevention systems.
"We analyzed malicious apps based on Chamois, and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics," security software engineers at Google said in a blog post.
"This sometimes resulted in downloading of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad systems."
The Chamois apps had a multi-stage payload structure, including a custom encrypted storage area for configuration files and additional code, which required deeper analysis to understand the malicious part.
According to the Google engineers, their security teams had to look through more than 100,000 lines of sophisticated code written by seemingly professional developers in an effort to figure out exactly what the Chamois-related apps were up to.
After the discovery of Chamois, Google blocked the Chamois app family using its Verify Apps and also banned some people who were trying to take advantage of its ad system to make money on the adware apps.
Google also updated its app testing system that is now capable of detecting this new Chamois-related threat.
Enterprises Infected By Pre-installed Android Malware
14.3.2017 securityweek Android
Pre-installed malware was recently discovered on 38 mobile devices belonging to two large companies, according to security firm Check Point.
A new report from Check Point reveals a variety of malware, mostly info-stealers and sketchy ad networks, though a mobile ransomware family was also discovered among them. What's also interesting is that the malware was present on the infected devices before the users received them, although it wasn't part of the official ROM the vendors supplied.
The security company says that the malicious applications were “added somewhere along the supply chain.” Six of the malware instances, Check Point discovered, were added by a malicious actor using system privileges, meaning that the users had no means to remove the malware unless they re-flashed the ROM.
One of the malicious APKs, com.google.googlesearch, was an adnet present on 6 devices. Another one was the Slocker mobile ransomware, which uses AES encryption to encrypt all files on the device. The malware uses Tor for its command and control (C&C) communications.
The most notable of the threats, however, was the Loki info-stealer and rogue adnet, found on devices as the com.androidhelper.sdk APK. The malware, Check Point says, uses several different components, each with its own functionality and role. Loki's malicious goal, in addition to displaying illegitimate advertisements to generate revenue, is to steal data about the device, while installing itself to the system partition to achieve persistence and take full control of the device.
The infected devices include: Galaxy Note 2, Galaxy Note 3, Galaxy Note 4, Galaxy Note 5, Galaxy Note Edge, Galaxy Note 8.0, Galaxy S7, Galaxy S4, Galaxy A5, Galaxy Tab S2, Galaxy Tab 2, LG G4, ZTE x500, vivo X6 plus, Asus Zenfone 2, Oppo N3, Oppo R7 plus, Xiaomi Mi 4i, Xiaomi Redmi, Lenovo S90, Lenovo A850, Nexus 5, and Nexus 5X.
What the security researchers didn’t reveal was whether the infection was part of a targeted attack against the two affected companies, a large telecommunications company and a multinational technology company.
“Pre-installed malware compromise the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity which often occur once a malware is installed,” Oren Koriat, Check Point Mobile Research Team, says.
Pre-installed malware on mobile devices isn't new, though in previous incidents it was clear who was to blame. In November last year, researchers discovered that the Firmware Over The Air (FOTA) update software system managed by China-based ADUPS performed backdoor activities by collecting information about the devices it was present on. The company said the backdoor was used to improve user experience.
Also in November 2016, the OTA update mechanism provided by another Chinese company, Ragentek Group, was revealed to expose nearly 3 million devices to Man-in-the-Middle (MitM) attacks and to allow adversaries to execute arbitrary commands with root privileges.
Check Point experts spotted pre-Installed Android Malware on 38 Android devices
12.3.2017 securityaffairs Android
Experts discovered pre-installed malware on 38 high-end smartphone models belonging to popular manufacturing companies such as Samsung, LG, Xiaomi and Asus.
In the past, security experts have already reported cases of pre-installed malware on mobile devices.
In September 2015, security experts at G-Data security firm discovered new cases of Chinese Android mobile devices infected by pre-installed malware.
In December 2016, experts from Doctor Web spotted new Trojans into the firmware of several dozens of low-cost Android smartphones and tablets.
The malicious code allows attackers to control the infected devices, from downloading, installing and executing malicious Android apps and accessing data to dialing premium phone numbers.
The news of the day is that experts at security firm CheckPoint discovered pre-installed malware on at least 38 high-end smartphone models belonging to popular manufacturers such as Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, all distributed by two unidentified companies.
The researchers discovered two distinct families of malware, Loki and SLocker, on the mobile devices distributed by the companies.
According to the experts at CheckPoint, the malicious apps were not included in the official ROM firmware that was supplied by the vendors, but evidently, the supply chain is compromised and the devices are commercialized with pre-installed malware.
“According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain.” reads the blog post published by Check Point researchers.
The experts noticed that in some cases the malicious code was added using system privileges, making the apps hard to remove.
“Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.” continues the analysis.
The Loki malware implements spyware capabilities, it allows attackers to gain full control on the victims’ devices.
SLocker is a mobile ransomware that locks victims' mobile devices and demands payment of a ransom to unlock them.
Below is the list of infected mobile devices:
Galaxy Note 2
LG G4
Galaxy S7
Galaxy S4
Galaxy Note 4
Galaxy Note 5
Galaxy Note 8
Xiaomi Mi 4i
Galaxy A5
ZTE x500
Galaxy Note 3
Galaxy Note Edge
Galaxy Tab S2
Galaxy Tab 2
Oppo N3
Vivo X6 plus
Nexus 5
Nexus 5X
Asus Zenfone 2
Lenovo S90
Oppo R7 plus
Xiaomi Redmi
Lenovo A850
The malware is very difficult to uninstall because it is part of the device's ROM, installed using system privileges.
To remove the malware, users have two options:
Root your device and uninstall the malicious apps.
Flash the firmware/ROM.
Beware! Pre-Installed Android Malware Found On 36 High-end Smartphones
11.3.2017 thehackernews Android
Bought a brand new Android Smartphone? Do not expect it to be a clean slate.
At least 36 high-end smartphone models belonging to popular manufacturers such as Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, distributed by two unidentified companies, have been found pre-loaded with malware programs.
These malware-infected devices were identified after a Check Point malware scan was performed on the Android devices. Two malware families were detected on the infected devices: Loki and SLocker.
According to a blog post published Friday by Check Point researchers, these malicious apps were not part of the official ROM firmware supplied by the smartphone manufacturers but were installed later somewhere along the supply chain, before the handsets arrived at the two companies from the manufacturer's factory.
First seen in February 2016, the Loki Trojan injects itself into core Android operating system processes to gain powerful root privileges. The trojan also includes spyware-like features, such as grabbing the list of current applications, browser history, contact list, call history, and location data.
On the other hand, SLocker is a mobile ransomware that locks victims' devices for ransom and communicates through Tor in order to hide the identity of its operators.
List of Popular Smartphones Infected with Malware
Here's the list of infected smartphones:
Galaxy Note 2
LG G4
Galaxy S7
Galaxy S4
Galaxy Note 4
Galaxy Note 5
Galaxy Note 8
Xiaomi Mi 4i
Galaxy A5
ZTE x500
Galaxy Note 3
Galaxy Note Edge
Galaxy Tab S2
Galaxy Tab 2
Oppo N3
Vivo X6 plus
Nexus 5
Nexus 5X
Asus Zenfone 2
Lenovo S90
Oppo R7 plus
Xiaomi Redmi
Lenovo A850
The malware backdoor gives its operator unrestricted access to the infected devices: downloading, installing and activating malicious Android apps, deleting user data, uninstalling security software and disabling system apps, and dialing premium phone numbers.
This incident underscores the dangers of untrusted supply chains. Experts are concerned about supply-chain security, with reports of over 20 incidents in which rogue retailers managed to pre-install malware on new Android handsets.
Here's How to Remove the Malware Infections:
Since the malware programs were installed to the device's ROM using system privileges, it's hard to get rid of the infections.
To remove the malware from an infected device, you can either root the device and uninstall the malicious apps, or completely reinstall the phone firmware/ROM via a process called "flashing."
Flashing is a complex process, and it is recommended that users power off their device and approach a certified technician/mobile service provider.
It's not the first time that high-end smartphones have shipped with pre-installed malicious apps that can covertly siphon sensitive user data.
In December last year, certain low-cost Android smartphones and tablets were found to ship with malicious firmware that covertly gathered data about the infected devices, displayed ads on top of running apps and downloaded unwanted APKs onto victims' devices.
In November, researchers discovered a hidden backdoor in the AdUps firmware of over 700 Million Android smartphones, which also covertly gathered data on phone owners and sent it to a Chinese server without the user's knowledge.
Meanwhile, a flaw in the Ragentek firmware used by certain low-cost Android devices was also discovered that allowed attackers to remotely execute malicious code with root privileges, handing full control of the devices to hackers.
Apps Containing Malicious IFrames Found on Google Play
2.3.2017 securityweek Android
Recent analysis has found 132 Android applications in the official Google Play app store that have been infected with tiny hidden IFrames linking to malicious domains, Palo Alto Networks researchers warn.
The IFrames were found in the applications’ local HTML pages, which is most probably the result of the app developers’ development platforms being infected. According to Palo Alto’s security researchers, the malware infecting these platforms might have been designed to search for HTML pages and inject malicious content at the end of the found pages.
This also means that the mobile malware originated from infected development platforms without developers’ awareness. Previous examples of similar issues include the XcodeGhost compiler malware designed to target iOS and OS X, and the Vpon ad SDK for iOS.
The most popular of the newly discovered infected Android apps had more than 10,000 installs, the researchers note. The Google Security Team was already informed on the matter and all infected apps have been removed from Google Play.
What the infected apps had in common was the use of Android WebView to display static HTML pages, with each page seemingly doing nothing more than loading locally stored pictures and showing hard-coded text. However, the researchers discovered that the actual HTML code included a tiny hidden IFrame linking to well-known malicious domains.
The linked domains were down at the time of investigation, but the security researchers say that one of the infected pages also attempted to download and install a malicious Microsoft Windows executable file (which didn’t execute, since the device wasn’t running Windows). This behavior, however, is classified as Non-Android Threat, a category that includes apps that, although unable to cause harm to the user or Android device, contain components potentially harmful to other platforms.
The infected Android apps were also found to only require Internet permission and to be able to load interstitial advertisements, in addition to the main app. The latter ability, researchers say, instantiates an Android WebView component and displays a local HTML page (the WebView component was also found to have JavaScriptInterface enabled).
The IFrame was hidden in the infected HTML pages either by being tiny (width and height of 1 pixel) or by having its display property set to none. To evade detection based on simple string matching, the source URLs were obfuscated using HTML numeric character references, the researchers discovered. Eventually, the linked domains were revealed to be www[.]Brenz[.]pl/rc/ and jL[.]chura[.]pl/rc/, both of which were taken down in 2013 by the Polish CERT (cert.pl), meaning that they are not hosting malware.
The security researchers also discovered a sample that contained an entire VBScript injected into the HTML instead. The script contained a Base64-encoded Windows executable, meaning that it didn't execute on Android. The code was appended outside the <HTML> tag, making the page malformed HTML, but browsers are lenient and attempt to render such pages anyway.
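The indicators described above (a 1x1 or display:none IFrame, a src obscured with numeric character references, and content appended after the closing HTML tag) can be checked mechanically on the HTML pages an app bundles. The following scanner is an added example, not code from Palo Alto Networks or the apps in question; it uses only the two domains named in the report as a known-bad list, and the sample pages embedded in it are constructed for illustration.

```python
"""Scan locally bundled HTML pages (e.g. an APK's assets/) for hidden IFrames."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the report (both sinkholed by CERT Polska in 2013).
KNOWN_BAD_HOSTS = {"www.brenz.pl", "jl.chura.pl"}


class IFrameCollector(HTMLParser):
    """Collects every <iframe> start tag together with its raw, undecoded text."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser has already decoded &#...; references in attrs; keep the
            # raw tag text too, so we can tell whether the src was obfuscated.
            self.iframes.append({
                "attrs": {k: (v or "") for k, v in attrs},
                "raw": self.get_starttag_text() or "",
            })


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or ' 0 ' into an int."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True for a frame the user cannot see: <=1 px wide or high, or hidden via CSS."""
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def trailing_content(page):
    """Return any non-whitespace content appended after the closing </html> tag."""
    idx = page.lower().rfind("</html>")
    if idx < 0:
        return ""
    return page[idx + len("</html>"):].strip()


def scan_page(page):
    """Return a list of finding strings for one HTML page (empty list means clean)."""
    findings = []
    parser = IFrameCollector()
    parser.feed(page)
    parser.close()
    for frame in parser.iframes:
        src = frame["attrs"].get("src", "")
        host = (urlparse(src).hostname or "").lower()
        hidden = is_hidden(frame["attrs"])
        obfuscated = "&#" in frame["raw"]  # numeric character references in the tag
        known_bad = host in KNOWN_BAD_HOSTS
        if hidden or obfuscated or known_bad:
            findings.append(f"iframe src={src!r} hidden={hidden} "
                            f"obfuscated_src={obfuscated} known_bad_host={known_bad}")
    tail = trailing_content(page)
    if tail:
        findings.append(f"content after </html>: {tail[:40]!r}")
    return findings


def as_char_refs(text):
    """Encode text as HTML decimal character references (used to build the sample)."""
    return "".join(f"&#{ord(c)};" for c in text)


# Constructed sample pages modelled on the report's description (not real app content).
CLEAN_PAGE = "<html><body><img src='logo.png'><p>Welcome</p></body></html>\n"
INFECTED_PAGE = (
    "<html><body><img src='logo.png'><p>Welcome</p></body></html>"
    "<iframe src=\"" + as_char_refs("http://www.brenz.pl/rc/") + "\" "
    "width=\"1\" height=\"1\"></iframe>\n"
)
STYLE_HIDDEN_PAGE = (
    "<html><body><p>Welcome</p>"
    "<iframe style='display: none' src='http://jl.chura.pl/rc/'></iframe>"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE),
                       ("style_hidden", STYLE_HIDDEN_PAGE)):
        print(name, scan_page(page) or "no findings")
```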
The 132 infected apps were found to belong to seven unrelated developers, though all of them have connections to Indonesia, with a significant number of discovered samples having the word “Indonesia” in their names. The security researchers also note that the HTML files have been infected with malicious IFrames either through file infecting viruses like Ramnit (threats that append IFrames to each HTML file found on compromised hosts) or through an infected IDE.
Palo Alto suggests that the developers are not malicious but victims in this attack, as all samples share similarities in their coding structure, which suggests they may be generated from the same platform, and because the malicious domains used to resolve to sinkholes. The fact that one sample attempts to download a Windows executable is also important, as it shows the attacker does not know about the target platform, which the app developers do.
The researchers warn that an attacker could use this attack method to point to active malicious domains, or could place malicious scripts on the remote server and utilize the JavaScriptInterface to access the infected apps’ native functionality. Thus, the attacker would be able to access all resources within the infected app and could replace them with their own, or could modify the app’s internal logic to add malicious capabilities.
Mobile malware evolution 2016
2.3.2017 Kaspersky Mobil Android Virus
The year in figures
In 2016, Kaspersky Lab detected the following:
8,526,221 malicious installation packages
128,886 mobile banking Trojans
261,214 mobile ransomware Trojans
Trends of the year
Growth in the popularity of malicious programs using super-user rights, primarily advertising Trojans.
Distribution of malware via Google Play and advertising services.
Emergence of new ways to bypass Android protection mechanisms.
Growth in the volume of mobile ransomware.
Active development of mobile banking Trojans.
Malicious programs using super-user rights
The year’s most prevalent trend was Trojans gaining super-user privileges. To get these privileges, they use a variety of vulnerabilities that are usually patched in the newer versions of Android. Unfortunately, most user devices do not receive the latest system updates, making them vulnerable.
Root privileges provide these Trojans with almost unlimited possibilities, allowing them to secretly install other advertising applications, as well as display ads on the infected device, often making it impossible to use the smartphone. In addition to aggressive advertising and the installation of third-party software, these Trojans can even buy apps on Google Play.
This malware simultaneously installs its modules in the system directory, which makes the treatment of the infected device very difficult. Some advertising Trojans are even able to infect the recovery image, making it impossible to solve the problem by restoring to factory settings.
In addition to the secret installation of advertising apps, these Trojans can also install malware. We have registered installations of the modular Trojan Backdoor.AndroidOS.Triada, which modified the Zygote processes. This allowed it to remain in the system and alter text messages sent by other apps, making it possible to steal money from the owner of the infected device. With super-user rights the Trojan can do almost anything, including substituting the URL in the browser.
Representatives of this class of malicious software have been repeatedly found in the official Google Play app store, for example, masquerading as a guide for Pokemon GO. This particular app was downloaded over half a million times and was detected as Trojan.AndroidOS.Ztorg.ad.
Trojan.AndroidOS.Ztorg.ad imitating a guide for Pokemon GO
Cybercriminals continue their use of Google Play
In Google Play in October and November, we detected about 50 new applications infected by Trojan.AndroidOS.Ztorg.am, the new modification of Trojan.AndroidOS.Ztorg.ad. According to installation statistics, many of them were installed more than 100,000 times.
Trojan.AndroidOS.Ztorg.ad imitating a video player
Google Play was used to spread Trojans capable of stealing login credentials. One of them was Trojan-Spy.AndroidOS.Instealy.a which stole logins and passwords for Instagram accounts. Another was Trojan-PSW.AndroidOS.MyVk.a: it was repeatedly published in Google Play and targeted user data from the social networking site VKontakte.
Yet another example is Trojan-Ransom.AndroidOS.Pletor.d, distributed by cybercriminals under the guise of an app for cleaning operating systems. Usually, representatives of the Trojan-Ransom.AndroidOS.Pletor family encrypt files on the victim device, but the detected modification only blocked the gadget and demanded a ransom to unblock it.
Trojan-Ransom.AndroidOS.Pletor.d imitating a system cleaner
Bypassing Android’s protection mechanisms
Cybercriminals are constantly looking for ways to bypass Android’s new protection mechanisms. For instance, in early 2016, we found that some modifications of the Tiny SMS Trojan were able to use their own window to overlay a system message warning users about sending a text message to a premium rate number. As the owner of the smartphone cannot see the original text, they are unaware of what they are agreeing to, and send the message to the number specified by the attacker.
A similar method was used by Trojan-Banker.AndroidOS.Asacub to get administrator rights on the device. The Trojan hides the system request from the user, cheating the latter into granting it extra privileges. In addition, Asacub asks for the right to be the default SMS application, which allows it to steal messages even in newer versions of Android.
The authors of Trojan-Banker.AndroidOS.Gugi went even further. This malicious program is able to bypass two new Android 6 security mechanisms using only social engineering techniques. Without exploiting system vulnerabilities, Gugi bypasses the request for Android’s permission to display its window on top of other applications as well as the dynamic permission requirement for potentially dangerous actions.
Mobile ransomware
While the very first mobile encryptor Trojan really did encrypt user data on a device and demand money to decrypt them, current ransomware simply displays the ransom demand on top of other windows (including system windows), thus making it impossible to use the device.
The same principle was used by the most popular mobile ransom program in 2016 – Trojan-Ransom.AndroidOS.Fusob. Interestingly, this Trojan attacks users in Germany, the US and the UK, but avoids users from the CIS and some neighboring countries (once executed, it runs a check of the device language, after which it may stop working). The cybercriminals behind the Trojan usually demand between $100 and $200 to unblock a device. The ransom has to be paid using codes from pre-paid iTunes cards.
Yet another way to block devices is to use the Trojan-Ransom.AndroidOS.Congur family, which is popular in China. These Trojans change the PIN code for the gadget, or enable this safety function by setting their own PIN. To do this, the ransom program has to get administrator rights. The victim is told to contact the attackers via the QQ messenger to unblock the device.
Mobile banking Trojans continued to evolve through the year. Many of them gained tools to bypass the new Android security mechanisms and were able to continue stealing user information from the most recent versions of the OS. Also, the developers of mobile banking Trojans added more and more new features to their creations. For example, the Marcher family redirected users from financial to phishing sites over a period of several months.
In addition, many mobile banking Trojans include functionality for extorting money: upon receiving a command from a server, they can block the operation of a device with a ransom-demand window. We discovered that one modification of Trojan-Banker.AndroidOS.Faketoken could not only overlay the system interface but also encrypt user data.
It is also worth noting that the cybercriminals behind malicious programs for Android did not forget about one of the hottest topics of 2016 – IoT devices. In particular, we discovered the ‘attack-the-router’ Trojan Switcher which targets the Wi-Fi network an infected device is connected to. If the Trojan manages to guess the password to the router, it changes the DNS settings, implementing a DNS-hijacking attack.
A glance into the Dark Web. Contribution from INTERPOL’s Global Complex for Innovation.
The Dark Web provides a means for criminal actors to communicate and engage in commercial transactions, like buying and selling various products and services, including mobile malware kits. Vendors and buyers increasingly take advantage of the multiple security and business-oriented mechanisms put in place on Tor (The Onion Router) cryptomarkets, such as the use of cryptocurrencies, third-party administration services (escrow), multisignature transactions, encryption, reputation/feedback tracking and others. INTERPOL has looked into major Dark Web platforms and found that mobile malware is offered for sale as software packages (e.g. remote access trojans – RATs); individual solutions; sophisticated tools, like those developed by professional firms; or, on a smaller scale, as part of a ‘Bot as a Service’ model. Mobile malware is also a ‘subject of interest’ on vendor shops, forums and social media.
Marketplaces
A number of mobile malware products and services are offered for sale on Dark Web marketplaces. Mobile malware is often advertised as part of a package, which can include, for instance, remote access trojans (RATs), phishing pages, or ‘hacking’ software bundles which consist of forensic and password-breaking tools. Individual/one piece tools are also offered for sale. For example, DroidJack was offered by different vendors on four major marketplaces. This popular Android RAT is sold openly on the Clearnet for a high price, but on the Dark Web the price is much lower.
Both variants (package and individual) sometimes come with ‘how-to’ guides which explain the methods for hacking popular operating systems, such as Android and iOS. More sophisticated tools are also advertised on the Dark Web, such as Galileo, a remote control system developed by the Italian IT company Hacking Team in order to access remotely and then exploit devices that run Android, iOS, BlackBerry, Windows or OS X. Another example is the source code for Acecard. This malware is known for adding overlay screens on top of mobile banking applications and then forwarding the user’s login credentials to a remote attacker. It can also access SMS, from which potentially useful two-factor authentication codes can be obtained by fraudsters.
The Android bot rent service (BaaS, or Bot as a Service) is also available for purchase. The bot can be used to gather financial information from Android phones and comes with many features and documentation, available in both Russian and English. More features and specifications can be developed on request. This service can cost up to USD 2,500 per month or USD 650 per week.
Mobile phishing products for obtaining financial information, tools that can control phones through Bluetooth or change their IMEI (International Mobile Equipment Identity), and various Android RATs that focus on intercepting text messages, call logs and locations, and accessing the device’s camera, are also displayed on Dark Web marketplaces.
Vendor shops, forums and social media
Vendor shops are standalone platforms created by a single or group of vendors who have built up a customer base on a marketplace and then decided to start their own business. Generally, these shops do not have forums and merely advertise one specific type of illicit item, such as drugs or stolen personal information, but they also sell mobile malware (DroidJack). Tutorials are sometimes attached to mobile malware products, and information on which tools are fit for purpose and how to install and utilize them can also be found in forum threads and on social media. Furthermore, a Tor hidden service focused on hacking news was found to contain information on how to set up Dendroid mobile malware. This RAT, which is capable of intercepting SMS messages, downloading pictures and opening a dialogue box to phish passwords, dates from 2014 but was still offered in 2016 as part of several advertisements (packages) on different marketplaces.
Due to its robust anonymity, OPSEC techniques, low prices and client-oriented strategy, the Dark Web remains an attractive medium for conducting illicit businesses and activities, and one where specific crime areas may arise or grow in the future. The development of innovative technical solutions (in close cooperation with academia, research institutes and private industry), international cooperation and capacity building are fundamental pillars in the fight against the use of Dark Web by criminals.
Statistics
In 2016, the number of malicious installation packages grew considerably, amounting to 8,526,221 – three times more than the previous year. As a comparison, from 2004 to 2013 we detected over 10,000,000 malicious installation packages; in 2014 the figure was nearly 2.5 million.
From the beginning of January till the end of December 2016, Kaspersky Lab registered nearly 40 million attacks by malicious mobile software and protected 4,018,234 unique users of Android-based devices (vs 2.6 million in 2015).
The number of attacks blocked by Kaspersky Lab solutions, 2016
The number of users protected by Kaspersky Lab solutions, 2016
Geography of mobile threats
Attacks by malicious mobile software were recorded in more than 230 countries and territories.
The geography of mobile threats by number of attacked users, 2016
TOP 10 countries by the percentage of users attacked by mobile malware
Country* %**
1 Bangladesh 50.09%
2 Iran 46.87%
3 Nepal 43.21%
4 China 41.85%
5 Indonesia 40.36%
6 Algeria 36.62%
7 Nigeria 35.61%
8 Philippines 34.97%
9 India 34.18%
10 Uzbekistan 31.96%
* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** The percentage of attacked unique users as a percentage of all users of Kaspersky Lab’s mobile security products in the country.
China, which topped this rating in 2015, continued to lead the way in the first half of 2016 but dropped to fourth overall for the year, being replaced by Bangladesh, which led similar ratings throughout 2016. More than half of all users of Kaspersky Lab mobile security products in Bangladesh encountered mobile malware.
The most widespread mobile malware targeting users in Bangladesh in 2016 were representatives of advertising Trojans belonging to the Ztorg and Iop families, as well as advertising programs of the Sprovider family. This malware, as well as representatives of the AdWare.AndroidOS.Ewind and AdWare.AndroidOS.Sprovider families were most frequently found on user devices in all the countries in the Top 10, except China and Uzbekistan.
In China, a significant proportion of the attacks involved the Backdoor.AndroidOS.Fakengry.h and Backdoor.AndroidOS.GinMaster.a families as well as representatives of RiskTool.AndroidOS.
Most of the attacks on users in Uzbekistan were carried out by Trojan-SMS.AndroidOS.Podec.a and Trojan-FakeAV.AndroidOS.Mazig.b. Representatives of the advertising Trojans Iop and Ztorg, as well as the advertising programs of the Sprovider family were also quite popular in the country.
Types of mobile malware
Starting this year, we calculate the distribution of mobile software by type, based on the number of detected installation packages, rather than modifications.
Distribution of new mobile malware by type in 2015 and 2016
Over the reporting period, the number of new RiskTool files detected grew significantly – from 29% in 2015 to 43% in 2016. At the same time, the share of new AdWare files fell – 13% vs 21% in the previous year.
For the second year running, the percentage of detected SMS Trojan installation packages continued to decline – from 24% to 11%, which was the most notable fall. Despite this, we cannot say that the SMS Trojan threat is no longer relevant; in 2016, we detected nearly 700,000 new installation packages.
The most considerable growth was shown by Trojan-Ransom: the share of this type of malware among all installation packages detected in 2016 increased almost 6.5 times to 4%. This growth was caused by the active distribution of two families of mobile ransomware – Trojan-Ransom.AndroidOS.Fusob and Trojan-Ransom.AndroidOS.Congur.
Top 20 malicious mobile programs
Please note that the ranking of malicious programs below does not include potentially unwanted programs such as RiskTool or AdWare (advertising programs).
Detection %*
1 DangerousObject.Multi.Generic 67.93%
2 Backdoor.AndroidOS.Ztorg.c 6.58%
3 Trojan-Banker.AndroidOS.Svpeng.q 5.42%
4 Trojan.AndroidOS.Iop.c 5.25%
5 Backdoor.AndroidOS.Ztorg.a 4.83%
6 Trojan.AndroidOS.Agent.gm 3.44%
7 Trojan.AndroidOS.Ztorg.t 3.21%
8 Trojan.AndroidOS.Hiddad.v 3.13%
9 Trojan.AndroidOS.Ztorg.a 3.11%
10 Trojan.AndroidOS.Boogr.gsh 2.51%
11 Trojan.AndroidOS.Muetan.b 2.40%
12 Trojan-Ransom.AndroidOS.Fusob.pac 2.38%
13 Trojan-Ransom.AndroidOS.Fusob.h 2.35%
14 Trojan.AndroidOS.Sivu.c 2.26%
15 Trojan.AndroidOS.Ztorg.ag 2.23%
16 Trojan.AndroidOS.Ztorg.aa 2.16%
17 Trojan.AndroidOS.Hiddad.an 2.12%
18 Trojan.AndroidOS.Ztorg.i 1.95%
19 Trojan-Dropper.AndroidOS.Agent.cv 1.85%
20 Trojan-Dropper.AndroidOS.Triada.d 1.78%
* Percentage of users attacked by the malware in question, relative to all users attacked.
First place in the Top 20 is occupied by DangerousObject.Multi.Generic (67.93%), the verdict assigned to malicious programs detected by cloud technologies. Cloud technologies come into play when the antivirus databases contain neither the signatures nor the heuristics to detect a malicious program; this is basically how the very latest malware is detected.
In second place was Backdoor.AndroidOS.Ztorg.c, the advertising Trojan using super-user rights to secretly install various applications. Noticeably, the 2016 rating included 16 advertising Trojans (highlighted in blue in the table), which is four more than in 2015.
The most popular mobile banking Trojan in 2016 was Trojan-Banker.AndroidOS.Svpeng.q, in third place. The Trojan became so widespread after being distributed via the AdSense advertising network. Due to a vulnerability in the Chrome browser, the user was not required to take any action for the Trojan to be downloaded onto the device. It should be noted that more than half of the users attacked by mobile banking Trojans in 2016 encountered representatives of the Svpeng family. They use phishing windows to steal credit card data and also attack SMS banking systems.
Representatives of the Fusob family – Trojan-Ransom.AndroidOS.Fusob.pac and Trojan-Ransom.AndroidOS.Fusob.h – claimed 12th and 13th places respectively. These Trojans block a device by displaying their own window and demanding a ransom to remove it.
Mobile banking Trojans
In 2016, we detected 128,886 installation packages of mobile banking Trojans, which is 1.6 times more than in 2015.
Number of installation packages of mobile banking Trojans detected by Kaspersky Lab solutions in 2016
In 2016, 305,543 users in 164 countries were attacked by mobile banking Trojans vs 56,194 users in 137 countries the previous year.
Geography of mobile banking threats in 2016 (number of users attacked)
Top 10 countries by the percentage of users attacked by mobile banking Trojans relative to all attacked users
Country* %**
1 Russia 4.01
2 Australia 2.26
3 Ukraine 1.05
4 Uzbekistan 0.70
5 Tajikistan 0.65
6 The Republic of Korea 0.59
7 Kazakhstan 0.57
8 China 0.54
9 Belarus 0.47
10 Moldova 0.39
* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** Percentage of unique users attacked by mobile banking Trojans, relative to all users of Kaspersky Lab’s mobile security products in the country.
In Russia – ranked first in the Top 10 – mobile banking Trojans were encountered by 4% of mobile users. This is almost twice as high as in second-placed Australia. The difference is easily explained by the fact that the most popular mobile banking Trojan, Svpeng, was mostly spread in Russia. Representatives of the Asacub and Faketoken families were also popular there.
In Australia, the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were responsible for most infection attempts. In South Korea (7th place) the most popular banking Trojans belonged to the Trojan-Banker.AndroidOS.Wroba family.
In the other countries of the Top 10, the most actively distributed mobile banking Trojan families were Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Svpeng. The representatives of the latter were especially widespread in 2016, with more than half of mobile users encountering them. As we have already mentioned, this was the result of them being distributed via the AdSense advertising network and being loaded stealthily via a mobile browser vulnerability.
The Trojan-Banker.AndroidOS.Faketoken family was in second place in this rating. Some of its modifications were capable of attacking more than 2,000 financial organizations.
Third place was occupied by the Trojan-Banker.AndroidOS.Asacub family, which attacked more than 16% of all users affected by mobile bankers. These Trojans are mainly distributed in Russia, often via SMS spam.
Mobile Trojan-Ransom
In 2016, the volume of mobile ransomware increased considerably both in the number of installation packages detected and in the number of users attacked. Over the reporting period, we detected 261,214 installation packages, which is almost 8.5 times more than in 2015.
Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q1 2016 – Q4 2016)
In 2016, 153,258 unique users from 167 countries were attacked by Trojan-Ransom programs; this is 1.6 times more than in 2015.
Interestingly, a large number of installation packages in the first two quarters of 2016 belonged to the Trojan-Ransom.AndroidOS.Fusob family, though there was a fall in activity in the third quarter. The subsequent growth in the fourth quarter was fueled by an increase in activity by the Trojan-Ransom.AndroidOS.Congur family: it includes relatively simple Trojans that either block a device using their own window, or change the device’s password.
Geography of mobile ransomware threats in 2016 (number of users attacked)
TOP 10 countries attacked by Trojan-Ransom malware – share of users relative to all attacked users in the country.
Country* %**
1 Germany 2.54
2 USA 2.42
3 Canada 2.34
4 Switzerland 1.88
5 Kazakhstan 1.81
6 United Kingdom 1.75
7 Italy 1.63
8 Denmark 1.29
9 Mexico 1.18
10 Australia 1.13
* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** Percentage of unique users attacked by mobile Trojan ransomware, relative to all users of Kaspersky Lab’s mobile security products in the country.
The largest percentage of mobile users attacked by ransomware was in Germany – over 2.5%. In almost all the countries in this ranking, representatives of the Trojan-Ransom.AndroidOS.Fusob and Trojan-Ransom.AndroidOS.Svpeng families were particularly popular. Kazakhstan (5th place) was the only exception – the most frequently used ransom programs there were various modifications of the Trojan-Ransom.AndroidOS.Small family.
More information about these three families of mobile Trojan ransomware can be found in a dedicated study.
Conclusion
In 2016, the growth in the number of advertising Trojans capable of exploiting super-user rights continued. Throughout the year it was the No. 1 threat, and we see no sign of this trend changing. Cybercriminals are taking advantage of the fact that most devices do not receive OS updates (or receive them late), and are thus vulnerable to old, well-known and readily available exploits.
This year, we will continue to closely monitor the development of mobile banking Trojans: the developers of this class of malware are the first to use new technologies and are always looking for ways to bypass security mechanisms implemented in the latest versions of mobile operating systems.
In 2016, one of the most controversial issues was the safety of IoT devices. Various Internet-connected ‘smart’ devices are becoming increasingly popular, though their level of security is fairly low. Also in 2016, we discovered an ‘attack-the-router’ Trojan. We see that the mobile landscape is getting a little crowded for cybercriminals, and they are beginning to interact more with the world beyond smartphones. Perhaps in 2017 we will see major attacks on IoT components launched from mobile devices.
Android Ransomware Demands Victims Speak Unlock Code
23.2.2017 securityweek Android
A newly discovered Android ransomware variant that packs speech recognition capabilities demands that victims speak a code provided by the attackers to unlock their devices, Symantec warns.
Dubbed Android.Lockdroid.E, the malware has been targeting Android users for over a year, but still appears to be under development, as its author is testing out various capabilities. In addition to locking devices, the new variant leverages speech recognition APIs to determine whether the user has provided the passcode needed to unlock the device.
Most ransomware asks users to type a passcode to regain access to their smartphone, but Android.Lockdroid.E's author is experimenting with additional capabilities, Symantec's Dinesh Venkatesan reveals. Currently targeting Chinese speakers, the malware locks the user out using a SYSTEM-type window, after which it displays a ransom note.
Written in Chinese, the note provides users with instructions on how to unlock the device, and also includes a QQ instant messaging ID that users should contact to receive further instructions on how to pay the ransom. However, since the device is already locked, users need a second device to contact the cybercriminals behind the threat and receive an unlock code.
Additionally, the ransom note instructs the victim to press a button to launch the speech recognition functionality. The malware abuses third-party speech recognition APIs for this function, and compares the spoken words heuristically with the expected passcode. The lockscreen is removed if the input matches.
“For some cases, the recognized words are normalized to accommodate any small degree of inaccuracies that an automated speech recognizer is bound to,” Symantec’s researcher explains.
The image used for the lockscreen, as well as the passcode information, is stored in the malware's asset files in encoded form with additional padding. The researcher managed to extract the passcode using an automated script and says that the threat uses different types of passcodes; in fact, a different passcode is used for each infection.
A previously discovered Android.Lockdroid.E variant was using an inefficient 2D barcode ransom demand, which also required users to have a second device for scanning purposes, thus making it difficult for users to pay the ransom. The new variant doesn’t get any better, as it too requires a second device to contact the cybercriminals.
“While analyzing these latest Android.Lockdroid.E variants, I observed several implementation bugs such as improper speech recognition intent firing and copy/paste errors. It’s clear that the malware authors are continually experimenting with new methods to achieve their goal of extorting money from their victims. We can be certain this isn’t the last trick we’ll see from this threat family,” Venkatesan notes.
As always, users are advised to keep their software up to date and refrain from downloading applications from unfamiliar websites, but use only trusted sources for these operations. Further, users should pay attention to the permissions requested by apps, should keep their data backed up, and should install a suitable mobile security app for additional protection.
Android RAT Targeting Israeli Soldiers Part of Larger Campaign
20.2.2017 securityweek Android
An Android Remote Access Trojan (RAT) recently revealed to be targeting Israeli servicemen is part of a larger campaign that might not be associated with Hamas, as initially believed, security researchers have determined.
The attacks, which appear to have started around July 2016 and already hit more than 100 Israeli soldiers, were initiated through social networks and leveraged sophisticated lures to trick victims into installing malware on their Android devices. Focused on exfiltrating data from the compromised phones, the campaign is ongoing, with the most recent attacks observed in February.
Last month, an Israeli military official revealed that the attackers used ‘honey traps’ in the form of fake Facebook profiles featuring alluring photos of attractive young women, and that dozens of predominantly lower-ranked soldiers were duped into downloading fake apps on their phones. The official claimed that Hamas, the Islamist movement that runs the Gaza Strip, was behind the attacks, but didn’t say how the army came to the conclusion.
Now, Kaspersky security researchers, who worked with the Israeli army on investigating the incidents, reveal that the sophisticated attacks were initiated by a “cunning threat actor” and that Israeli Defense Force (IDF) servicemen of different ranks, most of them serving around the Gaza strip, were targeted. Lookout, which also analyzed the attacks, notes that Hamas doesn’t have a “sophisticated mobile capability,” suggesting that another faction is behind the campaign.
The attacks abused social networks such as Facebook to lure targeted servicemen (only IDF soldiers were targeted) into sharing confidential information and installing malicious apps, researchers say. The actors used avatars of young women pretending to be from different countries, including Canada, Germany, Switzerland and more, and attempted to lure victims using sexual innuendo.
Victims were tricked into manually downloading and installing a malicious application, which was designed to function as a dropper. After compromise, the dropper would fetch a list of installed applications and pretend to serve an update for one of them, depending on the findings: either a WhatsApp or Viber update, if one was found on the device, or a generic System Update, if nothing was discovered.
According to Lookout, which calls this Trojan ViperRAT, the actors used Trojanized versions of apps such as SR Chat and YeeCall Pro, as well as a billiards game, an Israeli Love Songs player, and a Move To iOS app, to disguise the dropper. Kaspersky, on the other hand, discovered the malware hidden in apps such as a YouTube player (LoveSongs) or messaging software (WowoMessanger, YeeCall).
“Naming additional payload applications as system updates is a clever technique used by malware authors to trick victims into believing a threat isn’t present on their device. ViperRAT takes this one step further by using its dropper app to identify an appropriate second stage ‘update’ that may go unnoticed,” Lookout points out.
The most important part of the attack, however, is the second-stage payload, which includes the surveillanceware capabilities. The malware can collect data from the compromised devices either by executing manual commands from the operator or by performing scheduled tasks (using various Android APIs, the malware collects specific information every 30 seconds).
The exfiltrated data included: contact information, compressed recorded audio, images captured from the device camera, images stored on the device, geolocation information, SMS content, call logs, cell tower information, browser search history and bookmarks, and general information such as network and device metadata (IMEI, operator, device model, SIM information, hardware details, SDK, and the like).
“The actors behind ViperRAT seem to be particularly interested in image data. We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these, 97 percent, were highly likely encrypted images taken using the device camera. We also observed automatically generated files on the C2, indicating the actor behind this campaign also issues commands to search for and exfiltrate PDF and Office documents,” Lookout notes.
According to Kaspersky, because the RAT doesn’t yet have root permissions implemented, it can’t access the WhatsApp database along with the encryption key. The security researchers also note that the malware can update itself and that all of the malicious logic associated with the Trojan was implemented without any native or third-party sources. For example, the call recording is implemented using Android’s API exclusively.
Although media reports have attributed these attacks to Hamas, Lookout believes that another actor is behind them, mainly because Hamas “is not widely known for having a sophisticated mobile capability.” Furthermore, the security firm notes that ViperRAT, which first surfaced in late 2015, features many default strings in Arabic, either because it was targeting Arabic speakers or because its developer is fluent in Arabic.
At the same time, Kaspersky suggests that the attacks observed so far are only the tip of the iceberg, and that the campaign is likely to continue. “The IDF, which led the research along with Kaspersky Lab researchers, has concluded that this is only the opening shot of this operation. Further, that it is by definition a targeted attack against the Israeli Defense Force, aiming to exfiltrate data on how ground forces are spread, which tactics and equipment the IDF is using and real-time intelligence gathering,” Kaspersky concludes.
Trojan Downloader Masquerades as Defunct Flash Player for Android
20.2.2017 securityweek Android
A recently observed malware downloader targeting Android users is masquerading as an update for Adobe Flash Player, ESET researchers warn.
Although the Flash Player for Android was discontinued nearly half a decade ago, cybercriminals are still abusing it to trick unsuspecting users into downloading and installing their malicious programs. As always, the attackers rely on the user’s willingness to download and install a fake update when prompted to do so via a well-designed, legitimate-looking update screen.
Dubbed Android/TrojanDownloader.Agent.JI, the newly discovered threat uses this technique to infect the devices of users navigating social media or adult sites. Following installation, the malware presents more deceptive screens to its victims, to trick them into granting it special permissions in the Android accessibility menu, which then allow it to download and execute additional malware.
For that, the Trojan displays a fake screen informing the victim of “too much consumption of energy” and urging that a “Saving Battery” mode be enabled. Like most malware, this downloader won’t take no for an answer and continues to display the message until the user agrees to enable the service.
At this point, the malware takes the victim to the Android Accessibility menu, which displays a list of services with accessibility functions, including a new service that the malware has created during the installation process, called “Saving battery.” When the user enables it, it requests permissions to monitor actions, retrieve window content, and turn on explore by touch.
As soon as the service has been enabled, the fake Flash Player icon is hidden from the user, although the malware runs in the background. It contacts the command and control (C&C) server to deliver information about the infected device and receive a link to a malicious app to download (which could be banking malware, ransomware, adware, or spyware).
After receiving the link, the malware displays a bogus lockscreen that the user can’t dismiss, in an attempt to mask the nefarious activities it is engaged in. Because it has the permission to mimic the user’s clicks, the Trojan can now “download, install, execute and activate device administrator rights for additional malware without the user’s consent, all while remaining unseen under the fake lock screen,” ESET explains.
To remove the malicious program, users should head to Settings -> Application Manager and try to manually uninstall it. However, should the malware have Device admin rights enabled (it requests those as well in some cases), users should head to Settings -> Security -> Flash-Player and deactivate those first.
Uninstalling the downloader, however, might prove only a partial solution, as the malware fetched and installed by the threat would remain on the infected device. Victims should install a mobile security application to perform a full cleanup.
To stay protected, users are advised to avoid installing applications from third-party, untrusted websites, but use only legitimate app stores, such as Google Play, instead. Users should also pay close attention to the permissions newly installed programs request, as those that don’t seem appropriate for the software’s functions might be a giveaway of malicious intent.
App-in-the-Middle Attacks Bypass Android Sandbox: Skycure
17.2.2017 securityweek Android
The Android sandbox environment previously known as Android for Work is susceptible to "app-in-the-middle attacks" that put enterprise data at risk, Skycure security researchers say.
The secure framework, currently referred to as “work features in Android,” is meant to address the BYOD (Bring Your Own Device) approach that brings millions of personal devices into business environments. Introduced in Android 5.0 Lollipop, the feature aims to separate business and personal data on the same device through the use of a second, business profile managed by IT administrators.
Having all of the business applications, email and documents managed and secured within the business profile while leaving the personal profile unrestricted would give users a sense of increased privacy, because admins would not be able to manage or monitor their personal apps. The feature leverages the mechanism of user separation.
According to Skycure, while Android for Work was designed as an additional sandbox to prevent apps from outside the container from accessing data inside it, two ‘app-in-the-middle’ attacks allow malicious apps in the personal profile to break this wall. Thus, Android for Work is only a seemingly secure framework, and sensitive enterprise information can be accessed and stolen from the personal profile, they say.
The two attacks, however, prey on the weakest link in the security chain, namely the human factor. User interaction is required for both attacks to be successful, the researchers have discovered.
The first such attack, the security firm explains, relies on a malicious application in the personal profile acquiring permissions to view and take action on all notifications, including those from the sandboxed environment. Because Notifications access is a device-level permission, a malicious app would immediately have access to sensitive information such as calendar meetings, email messages and other information in these notifications.
“This capability circumvents the secure separation logic between personal and work profiles, which is offered by Android for Work. An app-in-the-middle attack may manipulate a user to enable the Notification Access permission (even for a legitimate function in the personal persona) in order to gain access to information in the work profile. If the malicious app is designed to transmit the information viewed in notifications to a command and control server, then the information contained in notifications is no longer secure,” Yair Amit, CTO & Co-Founder at Skycure, explains in a blog post.
The security company notes that an attacker could initiate a “forgot password” process on some enterprise systems and hijack the subsequent on-device notification, thus receiving full enterprise access, without necessarily being restrained to the mobile device. By immediately dismissing the notification and archiving the recovery email through the Android Notifications API, the malicious app could prevent the user from noticing the attack.
“This presents a serious threat to the use of Android for Work as a secure sandbox for mobile work productivity, as EMM [Enterprise Mobility Management] solutions have no mechanism to recognize or defend against it. The attacker may even capture 2-factor authentication and administrators will not have any visibility of the theft,” Amit says. The company also published a video to demonstrate this attack.
The second app-in-the-middle attack leverages Android’s Accessibility Service, which was designed to offer user interface enhancements when users interact with their device. Because this service has access to “virtually all content and controls, both reading and writing, on the device,” an application in the personal profile with Accessibility permissions could access applications executed in the sandbox, researchers say.
As detailed in this video demonstration, because the attack resides in the personal profile, which isn’t monitored or controlled from the work profile, IT administrators can’t detect the exposure of sensitive information if the malicious application uses the Accessibility Service, researchers say. However, for such an attack to be possible, an application would have to register as an Accessibility Service and manipulate the user to grant the access.
According to the security company, Android engineers have implemented an API for the whitelisting of Accessibility Services, which EMM vendors can implement in their Android for Work administration interfaces. This API, the company notes, can be circumvented either by a malicious app that has the same package name as a whitelisted legitimate app, or by an existing malicious app-in-the-middle Accessibility service that tricks the user into whitelisting it (because non-system Accessibility services already enabled on the device have to be whitelisted).
“The interesting thing about both of these app-in-the-middle methods of defeating the Android for Work profile separation is that the device and the Android operating system remain operating exactly as designed and intended. It is the user that must be tricked into placing the software on the device and activating the appropriate services that allow the malware access to sensitive information,” the security firm says.
Skycure notes that the Android team has been contacted on this matter but that their investigation determined that the aforementioned application behavior is intended, and not considered a security vulnerability. However, they agreed that the findings should be made public, “to raise awareness to the exposure.” The danger related to these issues, the company says, is the illusion of security that the sandbox offers.
“The attack flows that we uncovered exploit valuable capabilities of Android in a way that transforms these features into a major security risk to organizations that utilize Android for Work and expect it to stay secure. This is a user-experience vs. security tradeoff dilemma. We appreciate Google's commitment to security, but strongly believe that more work needs to be done in order to better protect organizations against App-in-the-Middle attacks,” Amit told SecurityWeek in an email.
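The fake Flash Player downloader above and both app-in-the-middle attacks depend on two device-level settings: enabled accessibility services and enabled notification listeners. As an added example that is not part of either article, here is a Python audit of the raw values of those two secure settings; the package names, class names and signer digests are constructed, and the allowlist keys on the signing certificate digest as well as the package name, which is what a same-package-name impostor against a name-only whitelist would not pass.

```python
"""Audit of the two secure settings abused by the malware discussed above:
enabled accessibility services (the fake Flash Player's "Saving battery" service,
the second app-in-the-middle attack) and enabled notification listeners (the first
app-in-the-middle attack). Input is the raw value printed by
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
Both are colon-separated flattened ComponentNames; "null" means none enabled.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed allowlist (hypothetical package name and signer digest). Keying on the
# signing certificate digest, not only the package name, is what stops an impostor that
# reuses an allowlisted package name, the bypass described for the EMM whitelist API.
ALLOWLIST = {
    "com.example.reader": "1111aaaa",   # hypothetical screen reader, constructed digest
}


@dataclass(frozen=True)
class Finding:
    setting: str     # which secure setting the component came from
    component: str   # package/class as stored in the setting
    reason: str


def parse_components(raw: str) -> list[tuple[str, str]]:
    """Split a settings value into (package, fully-qualified class) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    out = []
    for item in raw.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):           # shorthand ".Service" is relative to the package
            cls = pkg + cls
        out.append((pkg, cls))
    return out


def audit(setting: str, raw: str, signers: dict[str, str],
          allowlist: dict[str, str] = ALLOWLIST) -> list[Finding]:
    """Flag every enabled component whose package is not allowlisted, or whose installed
    signer digest (signers: package -> digest) differs from the allowlisted one."""
    findings = []
    for pkg, cls in parse_components(raw):
        comp = f"{pkg}/{cls}"
        if pkg not in allowlist:
            findings.append(Finding(setting, comp, "package not on allowlist"))
        elif signers.get(pkg) != allowlist[pkg]:
            findings.append(Finding(setting, comp,
                                    "allowlisted package name but different signer"))
    return findings


def run_demo() -> list[Finding]:
    """Constructed device state: a legitimate reader, a fake 'Flash Player' accessibility
    service, and a notification listener that reuses the allowlisted package name."""
    signers = {
        "com.example.reader": "1111aaaa",
        "com.example.flashupdate": "ffff0000",
    }
    acc = ("com.example.reader/.ReaderService:"
           "com.example.flashupdate/com.example.flashupdate.SavingBattery")
    notif = "com.example.reader/.NotifListener"
    findings = audit("enabled_accessibility_services", acc, signers)
    # Same package name as the allowlisted reader, but signed with a different certificate.
    findings += audit("enabled_notification_listeners", notif,
                      {"com.example.reader": "deadbeef"})
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.setting}] {f.component}: {f.reason}")
```

On a real device the signer digest per package would be taken from the installed APK's signing certificate, which this example leaves as a supplied map.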
Hackers Are Using Android Malware To Spy On Israeli Military Personnel
17.2.2017 thehackernews Android
A group of highly sophisticated state-sponsored hackers is spying on the Israeli military by hacking into the personal Android phones of individual soldiers to monitor their activities and steal data.
A newly released research by Lookout and Kaspersky suggests that more than 100 Israeli servicemen from the Israeli Defense Force (IDF) are believed to have been targeted with spyware.
Dubbed ViperRAT, the malware has specifically been designed to hijack Israeli soldiers’ Android-based smartphones and remotely exfiltrate data of high value, including photos and audio recordings, directly from the compromised devices.
Modus Operandi Identified
According to the security firms, IDF personnel had been compromised by social engineering techniques — where the soldiers were lured via Facebook Messenger and other social networks into entering communications with hackers who posed as attractive women from various countries like Canada, Germany, and Switzerland.
The soldiers were then tricked into installing a trojanized version of two different, typically legitimate Android chat apps, SR Chat and YeeCall Pro, for easier communication.
The malware has also been distributed using a dropper hidden in other Android smartphone applications including a billiards game, an Israeli Love Songs player, and a Move To iOS app, which are common to Israeli citizens and available in the Google Play store.
The app then scanned soldiers' smartphones and downloaded another malicious application that masqueraded as an update for one of the already installed apps, such as WhatsApp, and tricked victims into allowing various permissions in order to carry out surveillance.
This, in turn, allowed the attackers to execute on-demand commands, enabling them to control the phone's microphone and camera, eavesdrop on soldiers' conversations, and peer into live camera footage.
Besides this, the ViperRAT malware gathers a broad range of data from compromised devices including geolocation, call log, personal photos, SMS messages, cell phone tower information, network and device metadata, internet browsing, and app download history.
According to researchers, the hackers were able to successfully establish a widespread cyber espionage campaign by compromising dozens of mobile devices from Samsung, HTC, LG and Huawei belonging to over 100 Israeli soldiers.
Besides, of the almost 9,000 files exfiltrated from compromised devices, roughly 97 percent were identified by Lookout researchers as highly encrypted images taken using the device camera.
However, it's likely the IDF is not the only target.
The ViperRAT attack campaign started in July and continued to date, according to Kaspersky researchers.
Is Hamas Behind the Cyber-Spying Operation?
The IDF closely worked with Kaspersky Labs and Lookout to investigate this incident and theorized that Hamas was behind these attacks. However, Lookout researchers have come to doubt that theory.
According to Lookout researchers, "Based on tradecraft, the modular structure of code and use of cryptographic protocols [AES and RSA encryption] the actor appears to be quite sophisticated."
Researchers say Hamas is not known for sophisticated mobile capabilities, which makes it unlikely they are directly responsible for ViperRAT.
The IDF is currently working together with both Lookout and Kaspersky to identify infected targets and protect against further attacks, but there is one simple way to protect against ViperRAT: don't download apps from untrusted third-party sources.
Thousands of Android Devices Infected by Marcher Trojan
13.2.2017 securityweek Android
Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards.
Marcher has been around since late 2013, but it initially attempted to trick users into handing over their payment card details using Google Play phishing pages. In March 2014, the malware started targeting banks in Germany and, by the summer of 2016, there had already been more than 60 targeted organizations in the U.S., U.K., Australia, France, Poland, Turkey, Spain and other countries.
The malware has been disguised as various popular apps, including Netflix, WhatsApp and Super Mario Run.
Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojan’s creators.
One of these botnets, which mainly targets the customers of banks in Germany, Austria and France, has infected more than 11,000 devices, including 5,700 in Germany and 2,200 in France. The attackers’ C&C server stored 1,300 payment card numbers and other banking information.
Based on the analysis of the command and control (C&C) server used by the cybercriminals, researchers determined that a majority of the infected devices had been running Android 6.0.1, but the list of victims also included more than 100 Android 7.0 devices.
Marcher monitors the applications launched by the victim, and when one of the targeted apps is detected, an overlay screen is displayed in an effort to trick the user into handing over sensitive information.
“Marcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground. This library is used because it uses the only (publicly known) way to retrieve this information on Android 6 (using the process OOM score read from the /proc directory),” Securify researchers explained.
In order to avoid being removed by security products, Marcher blocks popular mobile antivirus applications. Seven months ago, researchers said the Trojan had been blocking eight antiviruses, but Securify’s report shows that the malware currently targets nearly two dozen products.
“Based on the statistics we found on this one C2 panel we researched and the amount of different C2 panels out there, we believe that the potential financial losses due to Android banking Trojans are, or will soon be, bigger than the current losses from desktop malware like Gozi and Dridex, especially since hardly any of the banking apps seem to detect the attack,” experts said.