Category Archives: android malware

Clipper Malware Found Masquerading as Legitimate Service on Google Play Store

Security researchers discovered a sample of clipper malware that targeted Android users by lurking in the Google Play store.

ESET first came across Android/Clipper.C masquerading as MetaMask, a service that allows users to access Ethereum-enabled distributed applications, in February 2019. This new threat is capable of stealing users’ credentials and private keys to gain access to their Ethereum funds. But Android/Clipper.C is a bit more sophisticated: It’s also a form of clipper malware in that it can replace a bitcoin or Ethereum wallet address copied from the clipboard with one under the attacker’s control.

ESET researchers discovered the malicious app on the Google Play store shortly after it became available for download on Feb. 1. They reported their findings to Google’s security team, which subsequently removed the app from the app marketplace.

Android/Clipper.C is not the only malware sample that’s impersonated MetaMask. Other programs used the MetaMask disguise to phish for sensitive data and steal access to users’ cryptocurrency funds.

The Growing Problem of Clipper Malware

Android/Clipper.C is just the latest instance of clipper malware to prey on users. In March 2018, ESET learned about one sample of this threat category targeting Monero users by masquerading as a Win32 Disk Imager application on download.com.

A few months later, Bleeping Computer discovered another cryptocurrency clipboard hijacker that was monitoring 2.3 million cryptocurrency addresses at the time of discovery. Dr.Web also uncovered an Android clipper in summer 2018, though this threat was not available for download on the Google Play store at that time.

How to Defend Against Disguised Malware Threats

Security professionals can help defend against threats like Android/Clipper.C by investing in a unified endpoint management (UEM) solution that can alert users when malware is detected and automatically uninstall infected apps. They should also leverage artificial intelligence (AI) to spot malicious behaviors and stop malware like Android/Clipper.C in its tracks.

The post Clipper Malware Found Masquerading as Legitimate Service on Google Play Store appeared first on Security Intelligence.

First Android Clipboard Hijacking Crypto Malware Found On Google Play Store

A security researcher has discovered yet another cryptocurrency-stealing malware on the official Google Play Store that was designed to secretly steal bitcoin and cryptocurrency from unwitting users. The malware, described as a "Clipper," masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging

E Hacking News – Latest Hacker News and IT Security News: Popular Android App being Tampered by Hackers to Disseminate Malware


In an attempt to disseminate Triout Android malware, attackers corrupted the widely used Android app in Google Play.
The new (corrupted) version of the app which delivers the malware was discovered by security researchers at Bitdefender. Reportedly, “com.psiphon3”, the app package which is known for giving uncensored access to the content on the internet was exploited by cybercriminals as they reconfigured it with spyware framework.
The threat actors decided to distribute the corrupted version of the app via third-party app stores instead of going conventional by delivering it via the Google Play store and to generate revenue, they tied up the app with Google Ads, Mopub Ads, InMobi Ads, and various other adware components.
 While hiding its presence into the device, Triout Android Malware is programmed to collect phone calls, record videos, take pictures, access text messages, and GPS. It transfers the gathered information to the hackers’ command and control server.
As per the researchers at Bitdefender, the original and the tainted app shares the same UI which means the criminals only inserted the Triout spyware component while tampering the app and they tampered v91 of the app which currently is running on v241.
Referencing from the findings of researchers, “The original legitimate application is advertised as a privacy tool that enables access to the open internet when bundled with the Triout spyware framework it serves the exact opposite purpose.”
 “While the Triout Android spyware framework itself does not seem to have undergone changes in terms of code or capabilities, the fact that new samples are emerging and that threat actors are using extremely popular apps to bundled the malware,” 




E Hacking News - Latest Hacker News and IT Security News

Popular Android App being Tampered by Hackers to Disseminate Malware


In an attempt to disseminate Triout Android malware, attackers corrupted the widely used Android app in Google Play.
The new (corrupted) version of the app which delivers the malware was discovered by security researchers at Bitdefender. Reportedly, “com.psiphon3”, the app package which is known for giving uncensored access to the content on the internet was exploited by cybercriminals as they reconfigured it with spyware framework.
The threat actors decided to distribute the corrupted version of the app via third-party app stores instead of going conventional by delivering it via the Google Play store and to generate revenue, they tied up the app with Google Ads, Mopub Ads, InMobi Ads, and various other adware components.
 While hiding its presence into the device, Triout Android Malware is programmed to collect phone calls, record videos, take pictures, access text messages, and GPS. It transfers the gathered information to the hackers’ command and control server.
As per the researchers at Bitdefender, the original and the tainted app shares the same UI which means the criminals only inserted the Triout spyware component while tampering the app and they tampered v91 of the app which currently is running on v241.
Referencing from the findings of researchers, “The original legitimate application is advertised as a privacy tool that enables access to the open internet when bundled with the Triout spyware framework it serves the exact opposite purpose.”
 “While the Triout Android spyware framework itself does not seem to have undergone changes in terms of code or capabilities, the fact that new samples are emerging and that threat actors are using extremely popular apps to bundled the malware,” 


Several Popular Beauty Camera Apps Caught Stealing Users’ Photos

Just because an app is available on Google Play Store doesn't mean that it is a legitimate app. Despite so many efforts by Google, some fake and malicious apps do sneak in and land millions of unaware users on the hunting ground of scammers and hackers. Cybersecurity firm Trend Micro uncovered at least 29 devious photo apps that managed to make its way onto Google Play Store and have been

A week in security (January 21 – 27)

Last week on the Malwarebytes Labs blog, we took a look at Modlishka, the latest hurdle in two-factor authentication (2FA), the potential for abuse of push notifications, a malware-phishing combo by the name of CryTekk ransomware, and why we detect PUPs, but enforce the power of users’ choice.

We also pushed out the 2019 State of Malware report, which you can readily download here.

Other cybersecurity news

  • Fortnight, the hugely popular video game, uses in-game currency. And this, The Independent has found, is fueling money laundering schemes. (Source: PYMNTS.com)
  • Thanks to the new European General Data Protection Regulation (GDPR) privacy law, a French regulator fined Google to the tune of €50 million ($56.8 million) for not getting enough user consent to data collection and targeted advertising. (Source: The Wall Street Journal)
  • A clever mobile malware affected Android devices is able to elude emulators, tools which are used by security researchers to study potentially malicious apps, by running only when it detects the that device it’s installed in moves. (Source: Ars Technica)
  • A recently released list of top out-of-date (aka vulnerable) applications installed on computer systems include a number of Adobe products, Skype, Firefox, and VLC. If you have any of these installed, now is a good time to update them. (Source: Help Net Security)
  • Automatic license plate recognition (ALPR)—or automatic number plate recognition (ANPR) in the UK—are cameras that track license plates. And some of them are connected to the Internet, leaking sensitive data and vulnerable to attacks. (Source: TechCrunch)
  • Because of authentication weaknesses in GoDaddy, the world’s largest domain name registrar, disruptive spam, malware, and phishing campaigns taking advantage of dormant web sites owned by trusted brands are possible. (Source: KrebsOnSecurity)
  • Japanese car manufacturer, Mitsubishi, has created its own cybersecurity technology for cars, which is inspired by defenses designed for systems in critical infrastructures. (Source: Security Week)
  • Researchers from the Cyprus University of Technology, the University of Alabama at Birmingham, Telefonica Research, and Boston University, authored a paper and created a deep learning classifier algorithm that protects children from videos in YouTube by detecting disturbing content. (Source: Bleeping Computer)
  • A new voicemail phishing campaign that uses recorded messages attached to emails are fooling recipients into verifying their passwords twice to confirm the legitimacy of credentials. (Source: Bleeping Computer)
  • A convincing new attack abusing the App Engine Google Cloud Platform (GCP) comes to light, which is found to be targeting mostly organizations in the financial sector. The Cobalt Strike group is behind this campaign. (Source: Dark Reading)

Stay safe, everyone!

The post A week in security (January 21 – 27) appeared first on Malwarebytes Labs.

New Android Malware Apps Use Motion Sensor to Evade Detection

Even after so many efforts by Google for preventing its Play Store from malware, shady apps somehow managed to fool its anti-malware protections and get into its service to infect Android users with malware. Two such Android apps have recently been spotted on the Google Play Store by security researchers with the Trend Micro malware research team, infecting thousands of Android users who have

Android Malware Intercepts SMS 2FA: We have the Logs!

A couple years ago I was doing some phishing investigations training at the Police School in Santiago, Chile.  One module in my training was called "Logs Don't Lie" which pointed out that in most cases we have everything we need to prioritize a phishing response just by looking at the log files, either on the compromised phishing server, or in the Financial Institutions own logs.

Malware C2 servers are another great place to apply the rule "Logs Don't Lie."  Most security researchers realize that there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations.  @LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware.  And the Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do!    (Sidenote:  @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while @LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware.  You should follow both on Twitter if you care about such things.  Thanks to them both for the pointer that leads to what follows.)

In this case, the malware is believed to be called "Anubis II" and likely uses the "Builder" that is depicted in this YouTube video, titled "Builder Android Bot Anubis 2"

Launcher the APK Builder "Android Botnet Anubis II" 

Malware actor chooses from his list of banking targets
In the comments section of the video, someone has shared a screen shot of the botmaster's control panel.  In this case it is demonstrating that 619 Android phones can be controlled from the botnet:

Phones that can be controlled from Anubis II control panel
In the particular instance referred to by Lukas and NullCookies, the malware seems to have been active primarily in June of 2018.   The server hosting the Anubis II panel has a list of banks that it can present.

The targets which have custom web inject (or phone inject) content include:
  • 7 Austrian banks
  • 18 Australian banks
  • 5 Canadian banks
  • 6 Czech banks
  • 11 German banks
  • 11 Spanish banks
  • 11 French banks
  • 8 Hong Kong banks
  • 11 Indian banks
  • 6 Japanese banks
  • 1 Kenyan bank
  • 4 New Zealand banks
  • 32 Polish banks
  • 4 Romanian banks
  • 9 Turkish banks
  • 10 UK banks (Bank of Scotland, Barclays, CSGCSDNMB, Halifax, HSBC, Natwest, Royal Bank of Scotland, Santander, TSB, Ulster)
  • 10 US banks (Bank of America, Capital One, Chase, Fifth Third, NetTeller, Skrill, SunTrust, USAA, US Bank, Wells Fargo Mobile)

Fake Android Login Pages for Banks 

While each of the 190 sites has a fake login page available, we thought we would show a sampling from banks around the world . . . 

There are also several Crypto Currency organizations listed:
  • blockchaine
  • coinbase
  • localbitcoin
  • unocoin
As well as some Online Payment, Email, and Social Media sites:
  • eBay
  • Facebook
  • Gmail
  • PayPal
  • ZebPay

Each bank on the list has the equivalent of a phishing page that can be presented if the owner of the android phone attempts to log in to the given bank.

 Some of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content, inviting the phone owner to "Sing In" to the bank.  Perhaps there is a Wells Fargo Choir?  Hopefully that will cause victims to NOT fall for this particular malware!

The Wells Fargo Choir?  Sing On!


The SMS Intercepts

One of the main benefits of having access to the server was to see so many examples of successful SMS message intercepts!  At the time of the server dump, this one contained 32,900+ unique "keylog" entries and 52,000+ logged SMS messages from at least 47 unique devices.

Here's an example showing a Bank Two Factor Authentication request being forward to the criminals:

Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. If you didn't request the code, call 1.800.xxx.xxxx for assistance.

Keylogging was also enabled, allowing the criminal to see when a bank app was being used:

06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:, May 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]

In this example, an online payment company is sharing a message:

06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a friendly reminder that you have a payment due today by 6pm If you have any questions or need to make a payment  via phone call 804-999-9999 or we have a new payment processing system that allows , for your convenience, to simply text in the last 4 digits of a card you've previously used and the security code and we're able to process your payment.  Feel free to call  REDACTED with any questions at 804-xxx-xxxx]

Hundreds of Gmail verification codes were found in the logs:

06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]

Quite a few Uber codes were also found in the logs:

Text: [#] 9299 is your Uber code. qlRnn4A1sbt

Paypal, Quickbooks, LinkedIn, Facebook, Stash, and Stripe all had 2FA codes make appearances in the logs:

Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes. Please don't reply.

Text: [Your QuickBooks Self-Employed Code is 952708, 1 min ago]

Text: 383626 is your Facebook password reset code or reset your password here: https://fb.com/l/9wBUVuGxxxx5zC

Text: Your LinkedIn verification code is 967308.

Text: 103-667 is your Stripe verification code to use your payment info with Theresa.

Text: Your Stash verification code is 912037. Happy Stashing!

Text: Cash App: 157-578 is the sign in code you requested.

Text: Your verification code for GotHookup is: 7074

In a directory called "/numers/" there were also examples of address book dumps from phone contacts.  The small number of these seem to indicate this would be a "triggered" request, where the botnet operator would have to request the address book.  In the example we found, with seven area code (404) numbers, four (770) numbers and four (678) numbers, it is likely an Atlanta, Georgia based victim.

The Keylogging feature also seems to be something that is turned on or off by request of the botnet operators.  There were far fewer devices for which keylogs were found.   Example keylog entries looked like this:

A telephone prompt looked like this:


  • 06/15/2018, 14:38:55 EDT|(CLICKED)|[Call management, •, 10m, 4 missed calls, Ashley Brown (3), Mom]
  • 06/15/2018, 14:38:59 EDT|(CLICKED)|[Call Ashley Big Cousin, Quick contact for Ashley Brown]
  • 06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]


Responding to a message looked like this:


  • 06/15/2018, 16:02:34 EDT|(CLICKED)|[Messaging, •, now, Expand button, (804) 999-9999 , Hey Terry can you send the address, REPLY]
  • 06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]
  • 06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]
  • 06/15/2018, 16:02:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:02:54 EDT|(CLICKED)|[Messaging]
  • 06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]
  • 06/15/2018, 16:05:11 EDT|(CLICKED)|[Answer]
  • 06/15/2018, 16:05:29 EDT|(CLICKED)|[]
  • 06/15/2018, 16:10:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:10:52 EDT|(CLICKED)|[Enter]
  • 06/15/2018, 16:11:01 EDT|(FOCUSED)|[2007 Their Address Ct  North CityTheyTyped OK 11111]
  • 06/15/2018, 16:11:03 EDT|(FOCUSED)|[]
A YouTube session looked like this:


  • 06/27/2018, 15:23:36 EDT|(CLICKED)|[YouTube]
  • 06/27/2018, 15:23:46 EDT|(CLICKED)|[Pause video]
  • 06/27/2018, 15:41:19 EDT|(FOCUSED)|[14:46, Go to channel, FINDING OUT THE GENDER!!!, Menu, The Rush Fam · 26K views4 hours ago, 6:12, Go to channel, TRY NOT TO CRY CHALLENGE REACTION WITH KID (SHE ACTUALLY CRIED), Menu, CJ SO COOL · 2.5M views · 1 year ago, SUBSCRIBED]
  • 06/27/2018, 15:46:38 EDT|(FOCUSED)|[]
  • 06/27/2018, 15:46:41 EDT|(CLICKED)|[Enter]
  • 06/27/2018, 15:46:53 EDT|(CLICKED)|[Play video]
  • 06/27/2018, 15:48:06 EDT|(CLICKED)|[ · 0:11]
  • 06/27/2018, 15:48:09 EDT|(CLICKED)|[ · 0:09]
  • 06/27/2018, 15:48:10 EDT|(CLICKED)|[ · 0:08]
  • 06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]

Distribution 

From looking for this malware in various collections, such as Virus Total Intelligence, it seems that the malware is fairly common.  Many new versions of the malware show up in their collection every day.   The most common point of distribution seems to be from the Google Play Store.

A popularly reported stream of such apps was reported on by, well, just about everyone in July 2018.  Some of the headlines included:

Anubis Strikes Again: Mobile Malware continues to plague users in Official App Stores  - from IBM X-Force Research's Security Intelligence blog

Best graphic goes to Secure Computing Magazine:

https://www.scmagazine.com/


A more recent post, from AlienVault, (20 days ago):  "Anubis Android Malware in the Play Store

A search in VirusTotal Intelligence reveals 62 new filehashes ONLY FROM TODAY (September 10, 2018) that match a definition name of "Anubis".  Some of the more popular names for the trojan on VirusTotal include:

DrWeb:  Android.BankBot.1679
Ikarus: Trojan-Banker.AndroidOS.Anubis
Kaspersky: HEUR:Trojan-Dropper.AndroidOS.Hqwar.bbSophos: Andr/BankSpy-AH 




Kaspersky authored a special article on this banking trojan, which they call "HQWar" back in April under the headline "Phantom menace: mobile banking trojan modifications reach all-time high: Mobile banking Trojans hit the list of cyber-headaches in Q2 2018"   In that article they said they have documented 61,000 versions! 

Kaspersky: Phantom Menace
As I mentioned Lukas at the beginning of this blog, ESET has produced an amazing number of articles on Android banking trojans lurking in the Google Play store.  Here are a few of them:

Multisandbox project welcomes Cyber adAPT ApkRecon


Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT.  Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.

These are some example reports displaying the data contributed by Cyber adAPT:


It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context it can be very rich contextual information that allows analysts to have an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above we notice that the file performs an HTTP POST to:

hxxp://85.206.166.7/index.php?action=command

This is a URL that we can look up in VirusTotal Graph and jump to the host referenced in the URL, i.e. 85.206.166.7. When exploring this host we notice that only the file under consideration has communicated with it, however, we do notice that expansions are available according to the referrer files relationship. This relationship pinpoints files that contain the given host within its body, even if they have not been seen communicating with it. Let’s follow this notion, something shady seems to be going on:


Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:

hxxp://zzwx.ru/apkfff?keyword=BBM

From there we can jump to the domain entity, i.e. zzwx.ru, and expand URLs observed under such domain, as well as files communicating with it. Just two hops and we already have a preliminary idea about the initial APK that reached out to the aforementioned URL being malicious:


These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (inability to reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.

This kind of approach to block badness is something that we have shaped into a particular paper hosted in our www.virustotal.com/learn space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers, however, organizations can also blacklist these locations in their network security controls.

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity. 
  • Java reflection calls. 
  • Filesystem interactions. 
  • SQLite database usage. 
  • Services started, stopped, etc. 
  • Permissions checked. 
  • Registered receivers. 
  • Crypto-related activity. 
  • Etc. 

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:


This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:


The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:
As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:


At a glance you can understand that something shady is going on with wonderf00l.gq and you are able to discover other malicious domains such as flashinglight.tk, checkingupd.tk, flashupdservice.cf, etc. Some of these, for instance checkolimpupd.tk, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at https://www.virustotal.com/learn/watch/.

Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.