The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: spyware

Researchers Uncover Years-Long Mobile Spyware Campaign Targeting Uyghurs

Researchers Uncover Years-Long Mobile Spyware Campaign Targeting Uyghurs
September 22, 2022Ravie Lakshmanan
A new wave of a mobile surveillance campaign has been observed targeting the Uyghur community as part of a long-standing spyware operation active since at least 2015, cybersecurity researchers disclosed Thursday. The intrusions, originally attributed to a threat actor named  Scarlet Mimic  back in January 2016, is said to have encompassed 20 different variants of the Android malware, which were disguised as books, pictures, and an audio version of the Quran. The malware, while relatively unsophisticated from a technical standpoint, comes with extensive capabilities to steal sensitive data from an infected device, send SMS messages on the victim's behalf, make phone calls, and track their locations. Additionally, it allows the recording of incoming and outgoing phone calls as well as surrounding audio. "All this makes it a powerful and dangerous surveillance tool," Israeli cybersecurity firm Check Point  said  in a technical deepdive, calling the spyware  MobileOrder

Researchers Find New Android Spyware Campaign Targeting Uyghur Community

Researchers Find New Android Spyware Campaign Targeting Uyghur Community
September 06, 2022Ravie Lakshmanan
A previously undocumented strain of Android spyware with extensive information gathering capabilities has been found disguised as a book likely designed to target the  Uyghur community  in China. The malware comes under the guise of a book titled " The China Freedom Trap ," a biography written by the exiled Uyghur leader Dolkun Isa. "In light of the ongoing conflict between the Government of the People's Republic of China and the Uyghur community, the malware disguised as the book is a lucrative bait employed by threat actors (TAs) to spread malicious infection in the targeted community," cybersecurity firm Cyble  said  in a report published Monday. The existence of the malware samples, which come with the package name " com.emc.pdf ," was first disclosed by researchers from the  MalwareHunterTeam  late last month. Distributed outside of the official Google Play Store, the app, once installed and opened, displays a few pages of the book, includi

Candiru Spyware Caught Exploiting Google Chrome Zero-Day to Target Journalists

Candiru Spyware Caught Exploiting Google Chrome Zero-Day to Target Journalists
July 22, 2022Ravie Lakshmanan
The actively exploited but now-fixed Google Chrome zero-day flaw that came to light at the start of this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East. Czech cybersecurity firm Avast linked the exploitation to  Candiru  (aka Saito Tech), which has a history of  leveraging previously unknown flaws  to deploy a Windows malware dubbed DevilsTongue , a modular implant with  Pegasus -like capabilities. Candiru, along with NSO Group, Computer Security Initiative Consultancy PTE. LTD., and Positive Technologies, were  added to the entity list  by the U.S. Commerce Department in November 2021 for engaging in "malicious cyber activities." "Specifically, a large portion of the attacks took place in Lebanon, where journalists were among the targeted parties," security researcher Jan Vojtěšek, who reported the discovery of the flaw,  said  in a write-up. "We believe the attacks were highly targeted."

Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users

Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users
July 19, 2022Ravie Lakshmanan
Cybersecurity researchers have taken the wraps off a previously undocumented spyware targeting the Apple macOS operating system. The malware, codenamed  CloudMensis  by Slovak cybersecurity firm ESET, is said to exclusively use public cloud storage services such as pCloud, Yandex Disk, and Dropbox for receiving attacker commands and exfiltrating files. "Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé  said  in a report published today. CloudMensis, written in Objective-C, was first discovered in April 2022 and is designed to strike both Intel and Apple silicon architectures. The initial infection vector for the attacks and the targets remain unknown as yet. But its very limited distribution is an indication that the malware is being used as part of a highly targeted operation directed against entities of i

Pegasus Spyware Used to Hack Devices of Pro-Democracy Activists in Thailand

Pegasus Spyware Used to Hack Devices of Pro-Democracy Activists in Thailand
July 18, 2022Ravie Lakshmanan
Thai activists involved in the country's pro-democracy protests have had their smartphones infected with NSO Group's infamous Pegasus government-sponsored spyware. At least 30 individuals, spanning activists, academics, lawyers, and NGO workers, are believed to have been targeted between October 2020 and November 2021, many of whom have been previously detained, arrested and imprisoned for their political activities or criticism of the government. "The timing of the infections is highly relevant to specific political events in Thailand, as well as specific actions by the Thai justice system," the Citizen Lab  said  in a Sunday report. "In many cases, for example, infections occurred slightly before protests and other political activities by the victims." The findings are the result of  threat notifications  sent by Apple last November to alert users it believes have been targeted by state-sponsored attackers. The attacks entailed the use of two zero-cl

Apple's New "Lockdown Mode" Protects iPhone, iPad, and Mac Against Spyware

Apple's New "Lockdown Mode" Protects iPhone, iPad, and Mac Against Spyware
July 07, 2022Ravie Lakshmanan
Apple on Wednesday announced it plans to introduce an enhanced security setting called  Lockdown Mode  in iOS 16, iPadOS 16, and macOS Ventura to safeguard high-risk users against "highly targeted cyberattacks." The "extreme, optional protection" feature, now available for preview in beta versions of its upcoming software, is designed to counter a surge in threats posed by private companies developing state-sponsored surveillanceware such as  Pegasus ,  DevilsTongue ,  Predator , and  Hermit . Lockdown Mode, when enabled, "hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware," Apple  said  in a statement. This includes blocking most message attachment types other than images and disabling link previews in Messages; rendering inoperative just-in-time ( JIT ) JavaScript compilation; removing support for shared albums in Photos; a

Google Blocks Dozens of Malicious Domains Operated by Hack-for-Hire Groups

Google Blocks Dozens of Malicious Domains Operated by Hack-for-Hire Groups
June 30, 2022Ravie Lakshmanan
Google's Threat Analysis Group (TAG) on Thursday disclosed it had acted to block as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E. In a manner analogous to the  surveillanceware ecosystem , hack-for-hire firms equip their clients with capabilities to enable targeted attacks aimed at corporates as well as activists, journalists, politicians, and other high-risk users. Where the two stand apart is that while customers purchase the spyware from commercial vendors and then deploy it themselves, the operators behind hack-for-hire attacks are known to conduct the intrusions on their clients' behalf in order to obscure their role. "The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients," Shane Huntley, director of Google TAG,  said  in a report. "Some hack-for-hire attackers openly adver

Overview of Top Mobile Security Threats in 2022

Overview of Top Mobile Security Threats in 2022
June 28, 2022The Hacker News
Your smartphone is your daily companion. The chances are that most of our activities rely on them, from ordering food to booking medical appointments. However, the threat landscape always reminds us how vulnerable smartphones can be.  Consider the recent  discovery by Oversecured , a security startup. These experts observed the dynamic code loading and its potential dangers. Why is this a problem? Well, the Google app uses code that does not come integrated with the app itself. Okay, this might sound confusing, but it all works in favor of optimizing certain processes. Thus, Google exploits code libraries pre-installed on Android phones to reduce their download size. In fact, many Android apps use this trick to optimize the storage space needed to run.  As revealed by Oversecured, perpetrators could compromise this retrieval of code from libraries. Instead of Google obtaining code from a reliable source, it could be tricked into taking code from malicious apps operating on the devic

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware
June 24, 2022Ravie Lakshmanan
A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in  Google Play Protect  — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG)  said  in a Thursday report. Hermit, the work of an Italian vendor named RCS Lab, was  documented  by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages. Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, besides abusing its permissions to accessibility services on Android to keep tabs on various foreground apps used by the victims. Its modularity also enab

Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy

Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy
June 17, 2022Ravie Lakshmanan
An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed. Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front company. The San Francisco-based cybersecurity firm said it detected the campaign aimed at Kazakhstan in April 2022. Hermit is modular and comes with myriad capabilities that allow it to "exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages," Lookout researchers Justin Albrecht and Paul Shunk  said  in a new write-up. The spyware is believed to be distributed via SMS messages that trick users into installing what are seemingly innocuous apps from Samsung, Vivo, and Oppo, w

Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits

Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits
May 20, 2022Ravie Lakshmanan
Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users. "The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem," TAG researchers Clement Lecigne and Christian Resell  said . Cytrox is alleged to have packaged the exploits and sold them to different government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia, who, in turn, weaponized the bugs in at least three different campaigns. The commercial surveillance company is the maker of  Predator , an implant  analogous  to that of NSO Group's  Pegasus , and is known to hav

Over 200 Apps on Play Store Caught Spying on Android Users Using Facestealer

Over 200 Apps on Play Store Caught Spying on Android Users Using Facestealer
May 17, 2022Ravie Lakshmanan
More than 200 Android apps masquerading as fitness, photo editing, and puzzle apps have been observed distributing spyware called Facestealer to siphon user credentials and other valuable information.  "Similar to  Joker , another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants," Trend Micro analysts Cifer Fang, Ford Quin, and Zhengyu Dong  said  in a new report. "Since its discovery, the spyware has continuously beleaguered Google Play." Facestealer, first  documented  by Doctor Web in July 2021, refers to a group of fraudulent apps that invade the official app marketplace for Android with the goal of plundering sensitive data such as Facebook login credentials. Of the 200 apps, 42 are VPN services, followed by a camera (20) and photo editing applications (13). In addition to harvesting credentials, the apps are also designed to collect Facebook cookies and personally identifiable information associated with a vic

Critical Chipset Bugs Open Millions of Android Devices to Remote Spying

Critical Chipset Bugs Open Millions of Android Devices to Remote Spying
April 21, 2022Ravie Lakshmanan
Three security vulnerabilities have been disclosed in the audio decoders of Qualcomm and MediaTek chips that, if left unresolved, could allow an adversary to remotely gain access to media and audio conversations from affected mobile devices. According to Israeli cybersecurity company Check Point , the issues could be used as a launchpad to carry out remote code execution (RCE) attacks simply by sending a specially crafted audio file. "The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera," the researchers said in a report shared with The Hacker News. "In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations." The vulnerabilities, dubbed ALHACK, are rooted in an audio coding format originally developed and open-sourced by Apple i

E.U. Officials Reportedly Targeted with Israeli Pegasus Spyware

E.U. Officials Reportedly Targeted with Israeli Pegasus Spyware
April 12, 2022Ravie Lakshmanan
Senior officials in the European Union were allegedly targeted with NSO Group's infamous Pegasus surveillance tool, according to a  new report  from Reuters. At least five individuals, including European Justice Commissioner Didier Reynders, are said to have been singled out in total, the news agency said, citing documents and two unnamed E.U. officials. However, it's not clear who used the commercial spyware against them or what information was obtained following the attacks. NSO Group said in a statement shared with Reuters that it was not responsible for the hacking attempts, adding that the targeting "could not have happened with NSO's tools." The intrusions are said to have come to light after Apple notified the victims of state-sponsored attacks last November as part of its efforts to stop the Israeli surveillance firm from targeting its customers. That same month, the iPhone maker  filed a lawsuit  against NSO Group, seeking a court-issued injunction

Researchers Uncover New Android Spyware With C2 Server Linked to Turla Hackers

Researchers Uncover New Android Spyware With C2 Server Linked to Turla Hackers
April 04, 2022Ravie Lakshmanan
An Android spyware application has been spotted masquerading as a "Process Manager" service to stealthily siphon sensitive information stored in the infected devices. Interestingly, the app — that has the package name " com.remote.app " — establishes contact with a remote command-and-control server, 82.146.35[.]240, which has been previously identified as infrastructure belonging to the Russia-based hacking group known as  Turla . "When the application is run, a warning appears about the permissions granted to the application," Lab52 researchers  said . "These include screen unlock attempts, lock the screen, set the device global proxy, set screen lock password expiration, set storage encryption and disable cameras." Once the app is "activated," the malware removes its gear-shaped icon from the home screen and runs in the background, abusing its wide permissions to access the device's contacts and call logs, track its location,

EU Data Protection Watchdog Calls for Ban on Pegasus-like Commercial Spyware

EU Data Protection Watchdog Calls for Ban on Pegasus-like Commercial Spyware
February 16, 2022Ravie Lakshmanan
The European Union's data protection authority on Tuesday called for a ban on the development and the use of Pegasus-like commercial spyware in the region, stating that the technology's "unprecedented level of intrusiveness" could endanger users' right to privacy. "Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy," the European Data Protection Supervisor (EDPS)  said  in its preliminary remarks. "This fact makes its use incompatible with our democratic values." Pegasus  is a piece of highly advanced military-grade intrusion software developed by Israeli company NSO Group that's capable of breaking into smartphones running Android and iOS, turning the devices into a remote monitoring tool capable of extracting sensitive information, recording conversations, and tracking users' movements.

Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks

Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks
January 25, 2022Ravie Lakshmanan
A previously undocumented cyber-espionage malware aimed at Apple's macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET  attributed  the intrusion to an actor with "strong technical capabilities," calling out the campaign's overlaps to that of a similar digital offensive  disclosed  by Google Threat Analysis Group (TAG) in November 2021. The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka  iframes ) between September 30 and November 4, 2021. Separately, a fraudulent website called "fightforhk[.]com" was also registered for the purpose of luring liberation activists. In the next phase, the tampered code acted as a conduit to load a  Mach-O  file by leveraging a remote code execution bug in
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.