Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users' sensitive information, login credentials and the secret code for two-factor authentication.
In order to trick victims into installing the Android malware, dubbed Roaming Mantis, hackers have been hijacking DNS settings on vulnerable and poorly secured routers.
DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more.
Hijacking routers' DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher—both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers.
Discovered by security researchers at Kaspersky Lab, the new malware campaign has primarily been targeting users in Asian countries, including South Korea, China Bangladesh, and Japan, since February this year.
Once modified, the rogue DNS settings configured by hackers redirect victims to fake versions of legitimate websites they try to visit and displays a pop-up warning message, which says—"To better experience the browsing, update to the latest chrome version."
It then downloads the Roaming Mantis malware app masquerading as Chrome browser app for Android, which takes permission to collect device’ account information, manage SMS/MMS and making calls, record audio, control external storage, check packages, work with file systems, draw overlay windows and so on.
"The redirection led to the installation of Trojanized applications named facebook.apk and chrome.apk that contained Android Trojan-Banker."
If installed, the malicious app overlays all other windows immediately to show a fake warning message (in broken English), which reads, "Account No.exists risks, use after certification."
Roaming Mantis then starts a local web server on the device and launches the web browser to open a fake version of Google website, asking users to fill up their names and date of births.
To convince users into believing that they are handing over this information to Google itself, the fake page displays users' Gmail email ID configured on their infected Android device, as shown in the screenshots.
"After the user enters their name and date of birth, the browser is redirected to a blank page at http://127.0.0.1:${random_port}/submit," researchers said. "Just like the distribution page, the malware supports four locales: Korean, Traditional Chinese, Japanese and English."
Since Roaming Mantis malware app has already gained permission to read and write SMS on the device, it allows attackers to steal the secret verification code for the two-factor authentication for victims' accounts.
While analysing the malware code, Researchers found reference to popular South Korean mobile banking and gaming applications, as well as a function that tries to detect if the infected device is rooted.
"For attackers, this may indicate that a device is owned by an advanced Android user (a signal to stop messing with the device) or, alternatively, a chance to leverage root access to gain access to the whole system," the researchers said.
What's interesting about this malware is that it uses one of the leading Chinese social media websites (my.tv.sohu.com) as its command-and-control server and sends commands to infected devices just via updating the attacker-controlled user profiles.
According to Kaspersky's Telemetry data, the Roaming Mantis malware was detected more than 6,000 times, though the reports came from just 150 unique users.
You are advised to ensure your router is running the latest version of the firmware and protected with a strong password.
You should also disable router's remote administration feature and hardcode a trusted DNS server into the operating system network settings.
2018-04-05T03:17:00-11:00Thursday, April 05, 2018Mohit Kumar
One of the biggest and most popular multi-antivirus scanning engine service has today launched a new Android sandbox service, dubbed VirusTotal Droidy, to help security researchers detect malicious apps based on behavioral analysis.
VirusTotal, owned by Google, is a free online service that allows anyone to upload files to check them for viruses against dozens of antivirus engines simultaneously.
Android Sandbox performs both static and dynamic analysis to automatically detect suspicious applications by executing and monitoring applications in a simulated Android OS environment.
Behavioral reports for Android applications (APKs) is not new to VirusTotal, as the website already had service since 2013 that worked based on Cuckoo Sandbox, an open source automated malware analysis system.
Replacing this existing system, VirusTotal Droidy has been integrated in the context of the multi-sandbox project and can extract "juicy" details, such as:
Network communications and SMS-related activity
Java reflection calls
Filesystem interactions
SQLite database usage
Services started, stopped
Permissions checked
Registered receivers
Crypto-related activity
Here below you can check behavioral analysis reports of some malicious Android apps, showcasing new functionalities of VirusTotal Droidy:
How "VirusTotal Droidy" Is Better Than Older "VirusTotal Sandbox"
VirusTotal also shared another sample report generated using the older version of VirusTotal Sandbox. You can simply click select "VirusTotal Droidy" to see new report for the same sample and compare both technologies at the same time.
For many samples, VirusTotal also offers reports from multiple sandboxes, including Tencent HABO, a service independently developed by Chinese Antivirus firm Tencent.
"The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal," the company said. "This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations."
Report generated using new VirusTotal Droidy Android sandbox technology also includes interactive data from other services such as VirusTotal Intelligence and VirusTotal Graph.
2017-11-27T02:45:00-11:00Monday, January 01, 2018 Exclusive Deals
Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!
Security researchers at Cisco Talos have uncovered variants of a new Android Trojan that are being distributed in the wild disguising as a fake anti-virus application, dubbed "Naver Defender."
Dubbed KevDroid, the malware is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices, as well as capable of recording phone calls.
Talos researchers published Monday technical details about two recent variants of KevDroid detected in the wild, following the initial discovery of the Trojan by South Korean cybersecurity firm ESTsecurity two weeks ago.
Though researchers haven't attributed the malware to any hacking or state-sponsored group, South Korean media have linked KevDroid with North Korea state-sponsored cyber espionage hacking group "Group 123," primarily known for targeting South Korean targets.
The most recent variant of KevDroid malware, detected in March this year, has the following capabilities:
record phone calls & audio
steal web history and files
gain root access
steal call logs, SMS, emails
collect device' location at every 10 seconds
collect a list of installed applications
Malware uses an open source library, available on GitHub, to gain the ability to record incoming and outgoing calls from the compromised Android device.
Although both malware samples have the same capabilities of stealing information on the compromised device and recording the victim's phone calls, one of the variants even exploits a known Android flaw (CVE-2015-3636) to get root access on the compromised device.
All stolen data is then sent to an attacker-controlled command and control (C2) server, hosted on PubNub global Data Stream Network, using an HTTP POST request.
"If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim," resulting in "the leakage of data, which could lead to a number of things, such as the kidnapping of a loved one, blackmail by using images or information deemed secret, credential harvesting, multi-factor token access (SMS MFA), banking/financial implications and access to privileged information, perhaps via emails/texts," Talos says.
"Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid."
Researchers also discovered another RAT, designed to target Windows users, sharing the same C&C server and also uses PubNub API to send commands to the compromised devices.
How to Keep Your Smartphone Secure
Android users are advised to regularly cross-check apps installed on their devices to find and remove if any malicious/unknown/unnecessary app is there in the list without your knowledge or consent.
Such Android malware can be used to target your devices as well, so you if own an Android device, you are strongly recommended to follow these simple steps to help avoid this happening to you:
Security researchers have discovered a massive continuously growing malware campaign that has already infected nearly 5 million mobile devices worldwide.
Dubbed RottenSys, the malware that disguised as a 'System Wi-Fi service' app came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE—added somewhere along the supply chain.
All these affected devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but researchers are not sure if the company has direct involvement in this campaign.
According to Check Point Mobile Security Team, who uncovered this campaign, RottenSys is an advanced piece of malware that doesn't provide any secure Wi-Fi related service but takes almost all sensitive Android permissions to enable its malicious activities.
"According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys," researchers said.
To evade detection, the fake System Wi-Fi service app comes initially with no malicious component and doesn’t immediately start any malicious activity.
Instead, RottenSys has been designed to communicate with its command-and-control servers to get the list of required components, which contain the actual malicious code.
RottenSys then downloads and installs each of them accordingly, using the "DOWNLOAD_WITHOUT_NOTIFICATION" permission that does not require any user interaction.
Hackers Earned $115,000 in Just Last 10 Days
At this moment, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.
"RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks," researchers said.
According to the CheckPoint researchers, the malware has made its authors more than $115,000 in the last 10 days alone, but the attackers are up to "something far more damaging than simply displaying uninvited advertisements."
Since RottenSys has been designed to download and install any new components from its C&C server, attackers can easily weaponize or take full control over millions of infected devices.
The investigation also disclosed some evidence that the RottenSys attackers have already started turning millions of those infected devices into a massive botnet network.
Some infected devices have been found installing a new RottenSys component that gives attackers more extensive abilities, including silently installing additional apps and UI automation.
"Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices," researchers noted.
This is not the first time when CheckPoint researchers found top-notch brands affected with the supply chain attack.
Last year, the firm found smartphone belonging to Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, infected with two pieces of pre-installed malware (Loki Trojan and SLocker mobile ransomware) designed to spy on users.
How to Detect and Remove Android Malware?
To check if your device is being infected with this malware, go to Android system settings→ App Manager, and then look for the following possible malware package names:
com.android.yellowcalendarz (每日黄历)
com.changmi.launcher (畅米桌面)
com.android.services.securewifi (系统WIFI服务)
com.system.service.zdsgt
If any of above is in the list of your installed apps, simply uninstall it.
2018-02-06T01:32:00-11:00Tuesday, February 06, 2018Mohit Kumar
Due to the recent surge in cryptocurrency prices, threat actors are increasingly targeting every platform, including IoT, Android, and Windows, with malware that leverages the CPU power of victims' devices to mine cryptocurrency.
Just last month, Kaspersky researchers spotted fake antivirus and porn Android apps infected with malware that mines Monero cryptocurrency, launches DDoS attacks, and performs several other malicious tasks, causing the phone's battery to bulge out of its cover.
Now, security researchers at Chinese IT security firm Qihoo 360 Netlab discovered a new piece of wormable Android malware, dubbed ADB.Miner, that scans wide-range of IP addresses to find vulnerable devices and infect them to mine digital cryptocurrency.
According to the researchers, ADB.Miner is the first Android worm to reuse the scanning code programmed in Mirai—the infamous IoT botnet malware that knocked major Internet companies offline last year by launching massive DDoS attacks against Dyndns.
ADB.Miner scans for Android devices—including smartphones, smart TVs, and TV set-top boxes—with publicly accessible ADB debug interface running over port 5555 and then infects them with a malware that mines Monero cryptocurrency for its operators.
Android Debug Bridge (ADB) is a command-line tool that helps developers debug Android code on the emulator and grants access to some of the operating system’s most sensitive features.
It should be noted that almost all Android devices by default come with the ADB port disabled, so botnet would target only those devices that have manually been configured to enable port 5555.
Besides mining Monero cryptocurrency, ADB.Miner installed on an infected device also attempts to propagate itself by scanning for more targets on the Internet.
Researchers did not reveal exactly how or by exploiting which ADB flaw hackers are installing malware onto Android devices.
However, the researchers believed hackers are not exploiting any vulnerability that targets any specific device vendor since they found devices from a wide range of manufacturers impacted.
According to the researchers, the infection started on January 21, and the number of attacks has increased recently. As of Sunday, the researchers detected 7,400 unique IP addresses using the Monero mining code—that's more than 5,000 impacted devices in just 24 hours.
Based on the scanning IP addresses, the highest number of infection has been noticed in China (40%) and South Korea (31%), the researchers estimated.
In order to fight against such malware Android users are advised not to install unnecessary and untrusted applications from the app store, even from Google Play Store, and keep your devices behind a firewall or a VPN.
A global mobile espionage campaign collecting a trove of sensitive personal information from victims since at least 2012 has accidentally revealed itself—thanks to an exposed server on the open internet.
It's one of the first known examples of a successful large-scale hacking operation of mobile phones rather than computers.
The advanced persistent threat (APT) group, dubbed Dark Caracal, has claimed to have stolen hundreds of gigabytes of data, including personally identifiable information and intellectual property, from thousands of victims in more than 21 different countries, according to a new report from the Electronic Frontier Foundation (EFF) and security firm Lookout.
After mistakenly leaking some of its files to the internet, the shadowy hacking group is traced back to a building owned by the Lebanese General Directorate of General Security (GDGS), one of the country's intelligence agencies, in Beirut.
"Based on the available evidence, it's likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal," the report reads.
According to the 51-page-long report [PDF], the APT group targeted "entities that a nation-state might attack," including governments, military personnel, utilities, financial institutions, manufacturing companies, defence contractors, medical practitioners, education professionals, academics, and civilians from numerous other fields.
Researchers also identified at least four different personas associated with Dark Caracal's infrastructure — i.e. Nancy Razzouk, Hassan Ward, Hadi Mazeh, and Rami Jabbour — with the help of email address op13@mail[.]com.
"The contact details for Nancy present in WHOIS information matched the public listing for a Beirut-based individual by that name. When we looked at the phone number associated with Nancy in the WHOIS information, we discovered the same number listed in exfiltrated content and being used by an individual with the name Hassan Ward."
"During July 2017, Dark Caracal’s internet service provider took the adobeair[.]net command and control server offline. Within a matter of days, we observed it being re-registered to the email address op13@mail[.]com with the name Nancy Razzouk. This allowed us to identify several other domains listed under the same WHOIS email address information, running similar server components. "
Multi-Platform Cyber Espionage Campaign
Dark Caracal has been conducting multi-platform cyber-espionage campaigns and linked to 90 indicators of compromise (IOCs), including 11 Android malware IOCs, 26 desktop malware IOCs across Windows, Mac, and Linux, and 60 domain/IP based IOCs.
However, since at least 2012, the group has run more than ten hacking campaigns aimed mainly at Android users in at least 21 countries, including North America, Europe, the Middle East and Asia.
The data stolen by Dark Caracal on its targets include documents, call records, text messages, audio recordings, secure messaging client content, browsing history, contact information, photos, and location data—basically every information that allows the APT group to identify the person and have an intimate look at his/her life.
To get its job done, Dark Caracal did not rely on any "zero-day exploits," nor did it has to get the malware to the Google Play Store. Instead, the group used basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit a website controlled by the hackers and application permissions.
"One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware," said EFF Staff Technologist Cooper Quintin.
"This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world."
Here's How Dark Caracal Group Infects Android Users
Once tricked into landing on the malicious websites, the victims were served fake updates to secure messenger apps, including WhatsApp, Signal, Threema Telegram, and Orbot (an open source Tor client for Android), which eventually downloaded the Dark Caracal malware, dubbed Pallas, on targets' mobile devices.
Pallas is a piece of surveillance malware that's capable of taking photographs, stealing data, spying on communications apps, recording video and audio, acquiring location data, and stealing text messages, including two-factor authentication codes, from victims' devices.
"Pallas samples primarily rely on the permissions granted at the installation in order to access sensitive user data. However, there is functionality that allows an attacker to instruct an infected device to download and install additional applications or updates." report says.
"Theoretically, this means it’s possible for the operators behind Pallas to push specific exploit modules to compromised devices in order to gain complete access."
Besides its own custom malware, Dark Caracal also used FinFisher—a highly secret surveillance tool that is often marketed to law enforcement and government agencies—and a newly discovered desktop spyware tool, dubbed CrossRAT, which can infect Windows, Linux, and OS X operating systems.
"Citizen Lab previously flagged the General Directorate of General Security in a 2015 report as one of two Lebanese government organizations using the FinFisher spyware5." report says.
According to the researchers, though Dark Caracal targeted macOS and Windows devices in various campaigns, at least six distinct Android campaigns were found linked to one of its servers that were left open for analysis, revealing 48GB was stolen from around 500 Android phones.
Overall, Dark Caracal successfully managed to steal more than 252,000 contacts, 485,000 text messages and 150,000 call records from infected Android devices. Sensitive data such as personal photos, bank passwords and PIN numbers were also stolen.
The best way to protect yourself from such Android-based malware attacks is to always download applications from the official Google Play Store market rather than from any third-party website.
Even after many efforts made by Google last year, malicious apps always somehow manage to make their ways into Google app store.
Security researchers have now discovered a new piece of malware, dubbed GhostTeam, in at least 56 applications on Google Play Store that is designed to steal Facebook login credentials and aggressively display pop-up advertisements to users.
Discovered independently by two cybersecurity firms, Trend Micro and Avast, the malicious apps disguise as various utility (such as the flashlight, QR code scanner, and compass), performance-boosting (like file-transfer and cleaner), entertainment, lifestyle and video downloader apps.
Like most malware apps, these Android apps themselves don’t contain any malicious code, which is why they managed to end up on Google's official Play Store.
Once installed, it first confirms if the device is not an emulator or a virtual environment and then accordingly downloads the malware payload, which prompts the victim to approve device administrator permissions to gain persistence on the device.
"The downloader app collects information about the device, such as unique device ID, location, language and display parameters," Avast said. "The device’s location is obtained from the IP address that is used when contacting online services that offer geolocation information for IPs."
How Android Malware Steals Your Facebook Account Password
As soon as users open their Facebook app, the malware immediately prompts them to re-verify their account by logging into Facebook. Instead of exploiting any system or application vulnerabilities, the malware uses a classic phishing scheme in order to get the job done.
These fake apps simply launch a WebView component with Facebook look-alike login page and ask users to log-in. Apparently, WebView code steals the victim's Facebook username and password and sends them to a remote hacker-controlled server.
"This is most likely due to developers using embedded web browsers (WebView, WebChromeClient) in their apps, instead of opening the webpage in a browser," Avast said.
Trend Micro researchers warn that these stolen Facebook credentials can later be repurposed to deliver "far more damaging malware" or "amass a zombie social media army" to spread fake news or generate cryptocurrency-mining malware.
Stolen Facebook accounts can also expose "a wealth of other financial and personally identifiable information," which can then be sold in the underground markets.
Security firms believe that GhostTeam has been developed and uploaded to the Play Store by a Vietnamese developer due to considerable use of Vietnamese language in the code.
According to the researchers, the most users affected by the GhostTeam malware reportedly resides in India, Indonesia, Brazil, Vietnam, and the Philippines.
Besides stealing Facebook credentials, the GhostTeam malware also displays pop up adverts aggressively by always keeping the infected device awake by showing unwanted ads in the background.
All the apps have since been removed by Google from the Play Store after researchers reported them to the company. However, users who have already installed one such app on their devices should make sure they have Google Play Protect enabled.
Play Protect security feature uses machine learning and app usage analysis to remove (i.e. uninstall) malicious apps from users Android smartphones in an effort to prevent any further harm.
Although malicious apps floating on the official app store is a never-ending concern, the best way to protect yourself is always to be vigilant when downloading apps, and always verify app permissions and reviews before you download one.
Moreover, you are strongly advised to keep a good antivirus app on your mobile device that can detect and block such threat before they infect your device, and most importantly, always keep your device and apps up-to-date.
2018-01-16T05:42:00-11:00Tuesday, January 16, 2018Mohit Kumar
Security researchers have unveiled one of the most powerful and highly advanced Android spyware tools that give hackers full control of infected devices remotely.
Dubbed Skygofree, the Android spyware has been designed for targeted surveillance, and it is believed to have been targeting a large number of users for the past four years.
Since 2014, the Skygofree implant has gained several novel features previously unseen in the wild, according to a new report published by Russian cybersecurity firm Kaspersky Labs.
The 'remarkable new features' include location-based audio recording using device's microphone, the use of Android Accessibility Services to steal WhatsApp messages, and the ability to connect infected devices to malicious Wi-Fi networks controlled by attackers.
Skygofree is being distributed through fake web pages mimicking leading mobile network operators, most of which have been registered by the attackers since 2015—the year when the distribution campaign was most active, according to Kaspersky's telemetry data.
Italian IT Firm Behind Skygofree Spyware?
Researchers at Kaspersky Lab believe the hacker or hacking group behind this mobile surveillance tool has been active since 2014 and are based in Italy—the home for the infamous 'Hacking Team'—one of the world's bigger players in spyware trading.
"Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam," said the report.
Kaspersky found several Italian devices infected with Skygofree, which the firm described as one of the most powerful, advanced mobile implants it has ever seen.
Although the security firm has not confirmed the name of the Italian company behind this spyware, it found multiple references to Rome-based technology company "Negg" in the spyware's code. Negg is also specialised in developing and trading legal hacking tools.
Skygofree: Powerful Android Spyware Tool
Once installed, Skygofree hides its icon and starts background services to conceal further actions from the user. It also includes a self-protection feature, preventing services from being killed.
As of October last year, Skygofree became a sophisticated multi-stage spyware tool that gives attackers full remote control of the infected device using a reverse shell payload and a command and control (C&C) server architecture.
According to the technical details published by researchers, Skygofree includes multiple exploits to escalate privileges for root access, granting it ability to execute most sophisticated payloads on the infected Android devices.
One such payload allows the implant to execute shellcode and steal data belonging to other applications installed on the targeted devices, including Facebook, WhatsApp, Line, and Viber.
"There are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, [and] never-before-seen surveillance features," the researchers said.
Skygofree’s control (C&C) server also allows attackers to capture pictures and videos remotely, seize call records and SMS, as well as monitor the users' geolocation, calendar events and any information stored in the device's memory.
Besides this, Skygofree also can record audio via the microphone when the infected device was in a specified location and the ability to force the infected device to connect to compromised Wi-Fi networks controlled by the attacker, enabling man-in-the-middle attacks.
The spyware uses "the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages," Kaspersky said.
Kaspersky researchers also found a variant of Skygofree targeting Windows users, suggesting the authors' next area of interest is the Windows platform.
The best way to prevent yourself from being a victim is to avoid downloading apps via third-party websites, app stores or links provided in SMS messages or emails.
2017-12-18T23:22:00-11:00Monday, December 18, 2017Mohit Kumar
Due to the recent surge in cryptocurrency prices, not only hackers but also legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize by levying the CPU power of your PC to mine Bitcoin or other cryptocurrencies.
Just last week, researchers from AdGuard discovered that some popular video streaming and ripper sites including openload, Streamango, Rapidvideo, and OnlineVideoConverter hijacks CPU cycles from their over hundreds of millions of visitors for mining Monero cryptocurrency.
Now, researchers from Moscow-based cyber security firm Kaspersky Lab have uncovered a new strain of Android malware lurking in fake anti-virus and porn applications, which is capable of performing a plethora of nefarious activities—from mining cryptocurrencies to launching Distributed Denial of Service (DDoS) attacks.
Dubbed Loapi, the new Android Trojan can perform so many more malicious activities at a time that can exploit a handset to the extent that within just two days of infection it can cause the phone's battery to bulge out of its cover.
Described as a "jack-of-all-trades" by the researchers, Loapi has a modular architecture that lets it conduct a variety of malicious activities, including mining the Monero cryptocurrency, launching DDoS attacks, bombarding infected users with constant ads, redirecting web traffic, sending text messages, and downloading and installing other apps.
Loapi Destroyed An Android Phone In Just 2 Days
When analyzed a Loapi sample, Kaspersky's researchers discovered that the malware mines the Monero cryptocurrency so intensely that it destroyed an Android phone after two days of testing, causing the battery to bulge and deforming the phone cover.
According to researchers, the cybercriminals behind Loapi are the same responsible for the 2015 Android malware Podec. They are distributing the malware through third-party app stores and online advertisements that pose as apps for "popular antivirus solutions and even a famous porn site."
A screenshot in the Kaspersky blog suggests that Loapi impersonates as at least 20 variations of adult-content apps and legitimate antivirus software from AVG, Psafe DFNDR, Kaspersky Lab, Norton, Avira, Dr. Web and CM Security, among others.
Upon installation, Loapi forces the user to grant it 'device administrator' permissions by looping a pop-up until a victim clicks yes, which gives the malicious app the same power over your smartphone that you have.
This highest level privilege on a device would also make the Loapi malware ideal for user espionage, though this capability is not yet present in the malware, the Kaspersky researchers think this can be included in the future.
Loapi Malware Aggressively Fights to Protect Itself
Researchers also said the malware "aggressively fights any attempts to revoke device manager permissions" by locking the screen and closing phone windows by itself.
Loapi communicates with the module-specific command and control (C&C) servers, including advertisement module, SMS module and mining module, web crawler, and proxy module, for different functions to be performed on the infected device.
By connecting with one of the above-mentioned C&C servers, Loapi sends a list of legitimate antivirus apps that pose it danger and claims the real app as malware and urges the user to delete it by showing the pop-up in a loop until the user finally deletes the app.
"Loapi is an interesting representative from the world of malicious Android apps. It’s creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device," the researchers concluded.
Fortunately, Loapi failed to make its ways to Google Play Store, so users who stick to downloads from the official app store are not affected by the malware. But you are advised to remain vigilant even when downloading apps from Play Store as malware often makes its ways to infect Android users.
2017-11-20T06:13:00-11:00Monday, November 20, 2017Mohit Kumar
Even after so many efforts by Google for making its Play Store away from malware, shady apps somehow managed to fool its anti-malware protections and infect people with malicious software.
A team of researchers from several security firms has uncovered two new malware campaigns targeting Google Play Store users, of which one spreads a new version of BankBot, a persistent family of banking Trojan that imitates real banking applications in efforts to steal users' login details.
BankBot has been designed to display fake overlays on legitimate bank apps from major banks around the world, including Citibank, WellsFargo, Chase, and DiBa, to steal sensitive information, including logins and credit card details.
With its primary purpose of displaying fake overlays, BankBot has the ability to perform a broad range of tasks, such as sending and intercepting SMS messages, making calls, tracking infected devices, and stealing contacts.
Google removed at least four previous versions of this banking trojan from its official Android app store platform earlier this year, but BankBot apps always made their ways to Play Store, targeting victims from major banks around the world.
The second campaign spotted by researchers not only spreads the same BankBot trojan as the first campaign but also Mazar and Red Alert. This campaign has been described in detail on ESET blog.
According to an analysis performed by the mobile threat intelligence team at Avast in collaboration with ESET and SfyLabs, the latest variant of BankBot has been hiding in Android apps that pose as supposedly trustworthy, innocent-looking flashlight apps.
First spotted by the researchers on 13 October, the malicious BankBot apps uses special techniques to circumvent Google's automated detection checks, such as starting malicious activities 2 hours after the user gave device admin rights to the app and publishing the apps under different developer names.
After tricking victims into downloading them, the malicious apps check for the applications that are installed on the infected device against a hard-coded, list of 160 mobile apps.
According to the researchers, this list includes apps from Wells Fargo and Chase in the U.S., Credit Agricole in France, Santander in Spain, Commerzbank in Germany and many other financial institutions from around the world.
If it finds one or more apps on the infected smartphone, the malware downloads and installs the BankBot APK from its command-and-control server on the device, and tries to trick the victim into giving it administrator rights by pretending to be a Play Store or system update using a similar icon and package name.
Once it gets the admin privileges, the BankBot app displays overlay on the top of legitimate apps whenever victims launch one of the apps from the malware's list and steal whatever banking info the victim's types on it.
The Avast Threat Labs has also provided a video demonstration while testing this mechanism with the app of the local Czech Airbank. You can see how the app creates an overlay within milliseconds and tricks the user into giving out their bank details to criminals.
Since many banks use two-factor-authentication methods for secure transactions, BankBot includes functionality that allows it to intercept text messages, allowing criminals behind BankBot to steal mobile transaction number (mTAN) sent to the customer's phone and transfer money to their accounts.
Here's one important thing to note is that Android mechanism blocks apps installation from outside the Play Store. Even if you have already permitted installation from unknown sources, Google still requires you to press a button to continue such installations.
"Unlike this newer version of BankBot, droppers from previous campaigns were far more sophisticated," the researchers note. "They applied techniques such as performing clicks in the background via an Accessibility Service to enable the installation from unknown sources."
The latest BankBot version does not utilize this Accessibility Service feature due to Google's recent move of blocking this feature for all applications, except those designed to provide services for the blind.
Google has already removed all recently-discovered BankBot apps after being notified by the researchers.
Although it is a never-ending concern, the best way to protect yourself is always to be vigilant when downloading apps even from Google's official Play store. So, always verify app permissions and reviews before downloading an app from Google Play Store.
Even though the BankBot apps made it way into the Play Store, its payload was downloaded from an external source. So, don't allow any unknown third-party APK to be installed on your smartphone.
To do so, Go to Settings → Security and then Turn OFF "Allow installation of apps from sources other than the Play Store."
Most importantly, be careful which apps you give administrative rights to, as it is powerful and can provide a full app control of your device.
CompTIA, a global provider of vendor-neutral IT certifications, offers a wide range of popular certifications such as A+, Network+, Cloud+, Linux+, and Security+ certifications [...]
Cybercriminals are known to take advantage of everything that's popular among people in order to spread malware, and Google's official Play Store has always proved no less than an excellent place for hackers to get their job done.
Yesterday some users spotted a fake version of the most popular WhatsApp messaging app for Android on the official Google Play Store that has already tricked more than one million users into downloading it.
Dubbed Update WhatsApp Messenger, came from an app developer who pretended to be the actual WhatsApp service with the developer title "WhatsApp Inc."—the same title the actual WhatsApp messenger uses on Google Play.
You might be wondering how the sneaky app developer was able to use the same title as the legitimate Facebook-owned maker of the messaging client—thanks to a Unicode character space.
The app maker added a Unicode character space after the actual WhatsApp Inc. name, which in computer code reads WhatsApp+Inc%C2%A0.
However, this hidden character space at the end of the WhatsApp Inc. would be easily invisible to an average Android user browsing Google Play Store, allowing this dodgy version of the app to masquerade as a product of WhatsApp Inc.
In other words, the titles used by the fake app maker and real WhatsApp service are different but appeared same to a user.
According to Redditors, who first spotted this fake app on Friday, the app was not a chat app; instead, it served Android users with advertisements to download other apps.
"I've also installed the app and decompiled it," one Redditor said. "The app itself has minimal permissions (internet access) but it's basically an ad-loaded wrapper which has some code to download a second apk, also called 'whatsapp.apk.' The app also tries to hide by not having a title and having a blank icon."
Google has now removed the fake WhatsApp Android app from its official Play Store, but this incident once again marked the tech giant's failure to spot the scam on its app platform—even for the program that had more than a million downloads.
It is an unfortunate truth that even after so many efforts by Google (even recently launched Bug Bounty Program), malicious apps continuously somehow managed to fool its Play Store's security mechanism and infect millions of Android users.
Google Play Store is still surrounded by hundreds of other fake and malicious apps that trick users into downloading and installing them and potentially infect their smartphones to carry out malicious things without their knowledge.
So, users are advised to be more vigilant while downloading apps not only from the third-party app store but also from official Play Store in order to protect themselves.
THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]
2017-09-26T02:52:00-11:00Tuesday, September 26, 2017Swati Khandelwal
Nearly a year after the disclosure of the Dirty COW vulnerability that affected the Linux kernel, cybercriminals have started exploiting the vulnerability against Android users, researchers have warned.
Publicly disclosed last year in October, Dirty COW was present in a section of the Linux kernel—a part of virtually every Linux distribution, including Red Hat, Debian, and Ubuntu—for years and was actively exploited in the wild.
The vulnerability allows an unprivileged local attacker to gain root access through a race condition issue, gain access to read-only root-owned executable files, and permit remote attacks.
However, security researchers from Trend Micro published a blog post on Monday disclosing that the privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, has now been actively exploited by a malware sample of ZNIU, detected as AndroidOS_ZNIU.
This is the first time we have seen a malware sample to contain an exploit for the vulnerability designed to compromise devices running on the mobile platform.
This Dirty Cow Exploit found in Over 1,200 Android Apps
The malware uses the Dirty COW exploit to root Android devices via the copy-on-write (COW) mechanism in Android's Linux kernel and install a backdoor which can then be used by attackers to collect data and generate profit through a premium rate phone number.
Trend Micro researchers detected the ZNIU malware in more than 1,200 malicious Android apps—some of which disguised themselves as pornography and gaming apps—alongside host websites containing malware rootkits that exploit Dirty Cow.
While the Dirty Cow flaw impacts all versions of the Android operating system, the ZNIU's Dirty Cow exploit only affects Android devices with ARM/X86 64-bit architecture. However, the recent exploit can be used to bypass SELinux and plant backdoors.
"We monitored six ZNIU rootkits, four of which were Dirty COW exploits. The other two were KingoRoot, a rooting app, and the Iovyroot exploit (CVE-2015-1805)," the researchers said.
"ZNIU used KingoRoot and Iovyroot because they can root ARM 32-bit CPU devices, which the rootkit for Dirty COW cannot."
Here's How the ZNIU's Dirty Cow exploit Works
Once downloaded and installed, the ZNIU malware-carrying app communicates with its command-and-control (C&C) server to check for code updates, while simultaneously the Dirty Cow exploit provides local privilege escalation to gain root access on the device, bypass system restrictions and "plant a backdoor for potential remote control attacks in the future."
The malware also harvests the carrier information of the user and attempts to send payments via premium SMS messages that were directed to a dummy company in China.
Once the SMS transaction is over, the malware also deletes the messages from the device in order to erase evidence of any compromise.
The researchers found the malware has already infected more than 5,000 Android users across 40 countries in recent weeks, with the majority of victims found in China and India, while other resides in the United States, Japan, Canada, Germany and Indonesia.
Google has released an update for Android that, among other fixes, officially fixes the Dirty COW vulnerability. The tech giant also confirmed that its Play Protect now protects Android users against this malware.
The easiest way to prevent yourself from being targeted by such clever malware is to avoid downloading apps from third-party sources and always stick to the official Google Play Store.
2017-09-14T23:04:00-11:00Thursday, September 14, 2017Swati Khandelwal
Even after so many efforts by Google, malicious apps somehow managed to fool its Play Store's anti-malware protections and infect people with malicious software.
The same happened once again when at least 50 apps managed to make its way onto Google Play Store and were successfully downloaded as many as 4.2 million times—one of the biggest malware outbreaks.
Security firm Check Point on Thursday published a blog post revealing at least 50 Android apps that were free to download on official Play Store and were downloaded between 1 million and 4.2 million times before Google removed them.
These Android apps come with hidden malware payload that secretly registers victims for paid online services, sends fraudulent premium text messages from victims' smartphones and leaves them to pay the bill—all without the knowledge or permission of users.
Dubbed ExpensiveWall by Check Point researchers because it was found in the Lovely Wallpaper app, the malware comes hidden in free wallpaper, video or photo editing apps. It's a new variant of malware that Mcafee spotted earlier this year on the Play Store.
But what makes ExpensiveWall malware different from its other variants is that it makes use of an advanced obfuscation technique called "packed," which compresses malicious code and encrypts it to evade Google Play Store's built-in anti-malware protections.
The researchers notified Google of the malicious apps on August 7, and the software giant quickly removed all of them, but within few days, the malware re-emerged on the Play Store and infected over 5,000 devices before it was removed four days later, Check Point said.
Here's How ExpensiveWall Malware Works:
Once an app with ExpensiveWall—which researchers think came from a software development kit called GTK—is downloaded on a victim's device, the malicious app asks for user's permission to access the Internet, and send and receive SMS messages.
The internet access is used by the malware to connect the victim's device to the attacker's command and control server, where it sends information on the infected handset, including its location alongside unique hardware identifiers, such as MAC and IP addresses, IMSI and IMEI numbers.
The C&C server then sends the malware a URL, which it opens in an embedded WebView window to download JavaScript code that begins to clock up bills for the victim by sending fraudulent premium SMS messages without their knowledge, and uses the victim's phone number to register for paid services.
However, according to the Check Point researchers, it is still unclear how much revenue was generated via ExpensiveWall's premium SMS scam.
Google's Play Store—Home for Malware
Android malware continues to evolve with more sophisticated and never-seen-before capabilities with every passing day, and spotting them on Google Play Store has become quite a common thing.
In July, Lipizzan spyware apps were spotted on Play Store that can steal a whole lot of information on users, including text messages, emails, voice calls, photos, location data, and other files, and spy on them.
In June, more than 800 Xavier-laden apps were discovered on Google Play that had been downloaded millions of times, and the same month researchers found first code injecting rooting malware making rounds on Google Play Store.
A month prior to it, researchers spotted 41 apps on Play Store hidden with the Judy Malware that infected 36.5 million Android devices with malicious ad-click software.
In April, over 40 apps with hidden FalseGuide malware were spotted on Play Store that made 2 Million Android users victims.
Earlier this year, researchers also discovered a new variant of the HummingBad malware, dubbed HummingWhale, hidden in more than 20 apps on Google Play Store, which were downloaded by over 12 Million users.
How to Protect Your Android From Such Malware Apps
Even after Google removed all the malware-tainted apps from its official Play Store marketplace, your smartphones will remain infected with the ExpensiveWall malware until you explicitly uninstall the malicious apps, if you have downloaded any.
Google has recently provided a security feature known as Play Protect that uses machine learning and app usage analysis to automatically remove malicious apps from the affected smartphones to prevent further harm.
However, according to the Check Point researchers, many phones run an older version of Android that does not support the feature, leaving a wide audience open to malware attacks.
You are strongly advised to always keep a good antivirus app on your device that can detect and block any malicious app before it can infect your device, and always keep your device and all apps up-to-date.
2017-08-28T06:32:00-11:00Monday, August 28, 2017Mohit Kumar
Do you believe that just because you have downloaded an app from the official app store, you're safe from malware?
Think twice before believing it.
A team of security researchers from several security firms have uncovered a new, widespread botnet that consists of tens of thousands of hacked Android smartphones.
Dubbed WireX, detected as "Android Clicker," the botnet network primarily includes infected Android devices running one of the hundreds of malicious apps installed from Google Play Store and is designed to conduct massive application layer DDoS attacks.
Researchers from different Internet technology and security companies—which includes Akamai, CloudFlare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru—spotted a series of cyber attacks earlier this month, and they collaborated to combat it.
Although Android malware campaigns are quite common these days and this newly discovered campaign is also not that much sophisticated, I am quite impressed with the way multiple security firms—where half of them are competitors—came together and shared information to take down a botnet.
WireX botnet was used to launch minor DDoS attacks earlier this month, but after mid-August, the attacks began to escalate.
The "WireX" botnet had already infected over 120,000 Android smartphones at its peak earlier this month, and on 17th August, researchers noticed a massive DDoS attack (primarily HTTP GET requests) originated from more than 70,000 infected mobile devices from over 100 countries.
If your website has been DDoSed, look for the following pattern of User-Agent strings to check if it was WireX botnet:
After further investigation, security researchers identified more than 300 malicious apps on Google’s official Play Store, many of which purported to be media, video players, ringtones, or tools for storage managers and app stores, which include the malicious WireX code.
Just like many malicious apps, WireX apps do not act maliciously immediately after the installation in order to evade detection and make their ways to Google Play Store.
Instead, WireX apps wait patiently for commands from its command and control servers located at multiple subdomains of "axclick.store."
Google has identified and already blocked most of 300 WireX apps, which were mostly downloaded by users in Russia, China, and other Asian countries, although the WireX botnet is still active on a small scale.
If your device is running a newer version of the Android operating system that includes Google's Play Protect feature, the company will automatically remove WireX apps from your device, if you have one installed.
Play Protect is Google's newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users Android smartphones to prevent further harm.
Also, it is highly recommended to install apps from reputed and verified developers, even when downloading from Google official Play Store and avoid installing unnecessary apps.
Additionally, you are strongly advised to always keep a good antivirus app on your mobile device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up-to-date.
Android malware continues to evolve with more sophisticated and never-seen-before attack vectors and capabilities with every passing day.
Just at the beginning of this week, Google removed over 500 Android apps utilising the rogue SDK—that secretly distribute spyware to users—from its Play Store marketplace.
Last month, we also saw first Android malware with code injecting capabilities making rounds on Google Play Store.
A few days after that, researchers discovered another malicious Android SDK ads library, dubbed "Xavier," found installed on more than 800 different apps that had been downloaded millions of times from Google Play Store.
Over 500 different Android apps that have been downloaded more than 100 million times from the official Google Play Store found to be infected with a malicious ad library that secretly distributes spyware to users and can perform dangerous operations.
Since 90 per cent of Android apps is free to download from Google Play Store, advertising is a key revenue source for app developers. For this, they integrate Android SDK Ads library in their apps, which usually does not affect an app's core functionality.
But security researchers at mobile security firm Lookout have discovered a software development kit (SDK), dubbed Igexin, that has been found delivering spyware on Android devices.
Developed by a Chinese company to offer targeted advertising services to app developers, the rogue 'Igexin' advertising software was spotted in more than 500 apps on Google's official marketplace, most of which included:
Games targeted at teens with as many as 100 million downloads
Weather apps with as many as 5 million downloads
Photo editor apps with 5 Million downloads
Internet radio app with 1 million downloads
Other apps targeted at education, health and fitness, travel, and emoji
Chinese Advertising Firm Spying On Android Users
The Igexin SDK was designed for app developers to serve targeted advertisements to its users and generate revenue. To do so, the SDK also collects user data to help target interest-based ads.
But besides collecting user data, the Lookout researchers said they found the SDK behaved maliciously after they spotted several Igexin-integrated apps communicating with malicious IP addresses that deliver malware to devices unbeknownst to the creators of apps utilizing it.
"We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint used by the Igexin ad SDK," the researchers explain in a blog post.
"This sort of traffic is often the result of malware that downloads and executes code after an initially "clean" app is installed, in order to evade detection."
Once the malware is delivered to infected devices, the SDK can gather logs of users information from their device, and could also remotely install other plugins to the devices, which could record call logs or reveal information about users activities.
How to Protect Your Android From This Malware
Google has since removed all the Android apps utilizing the rogue SDK from its Play Store marketplace, but those who have already installed one such app on their mobile handsets, make sure your device has Google Play Protect.
Play Protect is Google's newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users Android smartphones to prevent further harm.
In addition, you are strongly advised to always keep a good antivirus application on your device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up-to-date.
Android malware continues to evolve with more sophisticated and never-seen-before capabilities with every passing day. Last month, we saw first Android malware with code injecting capabilities making rounds on Google Play Store.
A few days after that, researchers discovered another malicious Android SDK ads library, dubbed "Xavier," found installed on more than 800 different apps that had been downloaded millions of times from Google Play Store.
2017-08-17T20:56:00-11:00Thursday, August 17, 2017Mohit Kumar
The infamous mobile banking trojan that recently added ransomware features to steal sensitive data and lock user files at the same time has now been modified to steal credentials from Uber and other booking apps as well.
Security researchers at Kaspersky Lab have discovered a new variant of the Android banking Trojan called Faketoken that now has capabilities to detect and record an infected device's calls and display overlays on top of taxi booking apps to steal banking information.
Dubbed Faketoken.q, the new variant of mobile banking trojan is being distributed using bulk SMS messages as their attack vector, prompting users to download an image file that actually downloads the malware.
Malware Spy On Telephonic Conversations
Once downloaded, the malware installs the necessary modules and the main payload, which hides its shortcut icon and begins monitoring everything—from every calls to launched apps—that happens on the infected Android device.
When calls are made to or received from certain phone numbers on the victim's device, the malware begins to record those conversations and sends the recordings to the attacker's server.
Moreover, Faketoken.q also checks which apps the smartphone owner is using and when detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with a fake user interface.
Malware Exploits Overlay Feature to Steal Credit Card Details
In order to achieve this, the Trojan uses the same standard Android feature that is being employed by a whole bunch of legitimate apps, such as Facebook Messenger, window managers, and other apps, to show screen overlays on top of all other apps.
The fake user interface prompts victims to enter his or her payment card data, including the bank’s verification code, which can later be used by attackers to initiate fraudulent transactions.
Faketoken.q is capable of overlaying a large number of mobile banking apps as well as miscellaneous applications, such as:
Android Pay
Google Play Store
Apps for paying traffic tickets
Apps for booking flights and hotel rooms
Apps for booking taxis
Since fraudsters require an SMS code sent by the bank to authorise a transaction, the malware steals incoming SMS message codes and forward them to the attackers command-and-control (C&C) server for a successful attack.
According to the researchers, Faketoken.q has been designed to target Russian-speaking users, as it uses the Russian language on the user interface.
Ways to Protect Against Such Android Banking Trojans
The easiest way to prevent yourself being a victim of such mobile banking Trojans is to avoid downloading apps via links provided in messages or emails, or any third-party app store.
You can also go to Settings → Security and make sure "Unknown sources" option is turned off in order to block installation of apps from unknown sources.
Most importantly, verify app permissions before installing apps, even if it is downloaded from official Google Play. If you find any app asking more than what it is meant for, just do not install it.
It's always a good idea to install an antivirus app from a reputed vendor that can detect and block such malware before it can infect your device, and always keep your system and apps up-to-date.
Cyber criminals are becoming more adept, innovative, and stealthy with each passing day. They have now shifted from traditional to more clandestine techniques that come with limitless attack vectors and are harder to detect.
Security researchers have discovered that one of the most dangerous Android banking Trojan families has now been modified to add a keylogger to its recent strain, giving attackers yet another way to steal victims sensitive data.
Kaspersky Lab's Senior malware analyst Roman Unuchek spotted a new variant of the well-known Android banking Trojan, dubbed Svpeng, in the mid of last month with a new keylogger feature, which takes advantage of Android's Accessibility Services.
Trojan Exploits 'Accessibility Services' to Add Keylogger
Yes, the keylogger added in the new version of Svpeng takes advantage of Accessibility Services — an Android feature that provides users alternative ways to interact with their smartphone devices.
This change makes the Svpeng Trojan able not only to steal entered text from other apps installed on the device and log all keystrokes, but also to grant itself more permissions and rights to prevent victims from uninstalling the Trojan.
In November last year, the Svpeng banking trojan infected over 318,000 Android devices across the world over the span of only two months with the help of Google AdSense advertisements that was abused to spread the malicious banking Trojan.
Over a month ago, researchers also discovered another attack taking advantage of Android's Accessibility Services, called Cloak and Dagger attack, which allows hackers to silently take full control of the infected devices and steal private data.
If You Are Russian, You Are Safe!
Although the new variant of the Svpeng malware is not yet widely deployed, the malware has already hit users in 23 countries over the course of a week, which include Russia, Germany, Turkey, Poland, and France.
But what's worth noticing is that, even though most infected users are from Russia, the new variant of Svpeng Trojan doesn't perform malicious actions on those devices.
According to Unuchek, after infecting the device, the Trojan first checks the device's language. If the language is Russian, the malware prevents further malicious tasks—this suggests the criminal group behind this malware is Russian, who are avoiding to violate Russian laws by hacking locals.
How 'Svpeng' Trojan Steals Your Money
Unuchek says the latest version of Svpeng he spotted in July was being distributed through malicious websites that disguised as a fake Flash Player.
Once installed, as I have mentioned above, the malware first checks for the device language and, if the language is not Russian, asks the device to use Accessibility Services, which opens the infected device to a number of dangerous attacks.
With having access to Accessibility Services, the Trojan grants itself device administrator rights, displays an overlay on the top of legitimate apps, installs itself as a default SMS app, and grants itself some dynamic permissions, such as the ability to make calls, send and receive SMS, and read contacts.
Additionally, using its newly-gained administrative capabilities, the Trojan can block every attempt of victims to remove device administrator rights—thereby preventing the uninstallation of the malware.
Using accessibility services, Svpeng gains access to the inner working of other apps on the device, allowing the Trojan to steal text entered on other apps and take screenshots every time the victim presses a button on the keyboard, and other available data.
"Some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan has another option to steal data – it draws its phishing window over the attacked app," Unuchek says.
"It is interesting that, in order to find out which app is on top, it uses accessibility services too."
All the stolen information is then uploaded to the attackers' command and control (C&C) server. As part of his research, Unuchek said he managed to intercept an encrypted configuration file from the malware's C&C server.
Decrypting the file helped him find out some of the websites and apps that Svpeng targets, as well as help him obtain a URL with phishing pages for both the PayPal and eBay mobile apps, along with links for banking apps from the United Kingdom, Germany, Turkey, Australia, France, Poland, and Singapore.
Besides URLs, the file also allows the malware to receive various commands from the C&C server, which includes sending SMS, collecting information such as contacts, installed apps and call logs, opening the malicious link, gathering all SMS from the device, and stealing incoming SMS.
Lukas Stefanko, malware researcher at ESET, has shared a video (given below) with The Hacker News, demonstrating the working of this malware.
The Evolution of 'Svpeng' Android Banking Malware
Researchers at Kaspersky Lab initially discovered the Svpeng Android banking malware trojan back in 2013, with primary capability—Phishing.
Back in 2014, the malware was then modified to add a ransomware component that locked victim's device (by FBI because they visited sites containing pornography) and demanded $500 from users.
The malware was among the first to begin attacking SMS banking, use phishing web pages to overlay other apps in an effort to steal banking credentials and to block devices and demand money.
In 2016, cyber criminals were actively distributing Svpeng via Google AdSense using a vulnerability in the Chrome web browser, and now abusing Accessibility Services, which possibly makes Svpeng the most dangerous mobile banking malware family to date that can steal almost anything—from your Facebook credentials to your credit cards and bank accounts.
How to Protect Your Smartphone From Hackers
With just Accessibility Services, this banking Trojan gains all necessary permissions and rights to steal lots of data from the infected devices.
The malicious techniques of the Svpeng malware even work on fully-updated Android devices with the latest Android version and all security updates installed, so it is little users can do in order to protect themselves.
There are standard protection measures you need to follow to remain unaffected:
Always stick to trusted sources, like Google Play Store and the Apple App Store, but only from trusted and verified developers.
Most importantly, verify app permissions before installing apps. If any app is asking more than what it is meant for, just do not install it.
Do not download apps from third party sources, as most often such malware spreads via untrusted third-parties.
Avoid unknown and unsecured Wi-Fi hotspots and Keep your Wi-Fi turned OFF when not in use.
Never click on links provided in an SMS, MMS or email. Even if the email looks legit, go directly to the website of origin and verify any possible updates.
Install a good antivirus app that can detect and block such malware before it can infect your device, and always keep the app up-to-date.
