Security researcher Lukas Stefanko from ESET discovered the first Android cryptocurrency clipboard hijacker impersonating MetaMask on the official Google Play store.
“This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018. In February 2019, we discovered a malicious clipper on Google Play, the official Android app store.” reads the post published by ESET.
The clipboard hijacker poses as a mobile version of the legitimate service MetaMask.io, which is designed to run Ethereum decentralized apps in a browser without having to run a full Ethereum node.
However, the legitimate service currently does not offer a mobile app.
Lukas Stefanko discovered that the app was able to steal cryptocurrency using two different attack methods.
The first attack scenario sees the attackers using the app to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. Once the attackers obtain this data, they send it to a Telegram account.
The second attack scenario sees the app monitoring the clipboard for Ethereum and Bitcoin addresses; when one is detected, it replaces it with the attackers’ address.
In June 2017, security researchers from Qihoo 360 Total Security spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that infected over 300,000 computers. Most of the victims are located in Asia, mainly China.
In July 2017, a cryptocurrency clipboard hijacker that was monitoring more than 2.3 million addresses was discovered by BleepingComputer.
In March 2018, security researchers at Palo Alto Networks spotted a strain of malware dubbed
The post MetaMask app on Google Play was a Clipboard Hijacker appeared first on Security Affairs.
Security researchers discovered a sample of clipper malware that targeted Android users by lurking in the Google Play store.
ESET first came across Android/Clipper.C masquerading as MetaMask, a service that allows users to access Ethereum-enabled distributed applications, in February 2019. This new threat is capable of stealing users’ credentials and private keys to gain access to their Ethereum funds. But Android/Clipper.C is a bit more sophisticated: It’s also a form of clipper malware in that it can replace a bitcoin or Ethereum wallet address copied from the clipboard with one under the attacker’s control.
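The substitution described above (a wallet address copied to the clipboard comes back as a different address at paste time) is easy to catch on the receiving side if the app remembers what the user actually copied. The following is an added example written for this page, not code from ESET or from MetaMask: it classifies clipboard strings by address shape (Ethereum, legacy Bitcoin, bech32 Bitcoin), compares the copied value with the pasted one, and records an alert when a wallet address has been replaced. The `ClipboardJournal` hooks are hypothetical; a real app would call them from its own copy and paste handlers. The sample addresses are constructed and are not real wallets.

```python
import re

# Shape patterns for the address families the clipper targets (Ethereum and
# Bitcoin). These are format checks only, no checksum or network validation;
# the length bounds are deliberately loose.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
}


def classify_address(text):
    """Return which address family a clipboard string looks like, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


def detect_swap(copied, pasted):
    """Compare the value the user copied with the value present at paste time.

    Returns None when nothing looks wrong, otherwise a short reason string
    that an app could surface before a transaction is signed.
    """
    if copied == pasted:
        return None
    copied_family = classify_address(copied)
    if copied_family is None:
        return None  # the user did not copy a wallet address; ignore
    pasted_family = classify_address(pasted)
    if pasted_family == copied_family:
        return f"{copied_family} address was replaced by a different {copied_family} address"
    if pasted_family is not None:
        return f"{copied_family} address was replaced by a {pasted_family} address"
    return f"{copied_family} address was replaced by non-address content"


class ClipboardJournal:
    """Records what the user copied and checks it again when it is pasted.

    on_copy/on_paste are hypothetical hooks an app would call from its own
    copy and paste handlers; the paste side receives whatever the system
    clipboard returns at that moment.
    """

    def __init__(self):
        self.last_copied = None
        self.alerts = []

    def on_copy(self, text):
        self.last_copied = text

    def on_paste(self, text):
        if self.last_copied is None:
            return None
        reason = detect_swap(self.last_copied, text)
        if reason is not None:
            self.alerts.append({"copied": self.last_copied, "pasted": text, "reason": reason})
        return reason


# Constructed sample values (not real wallets): the user copies one Ethereum
# address and the clipboard later hands back a different one.
USER_ADDRESS = "0x" + "ab" * 20
SWAPPED_ADDRESS = "0x" + "cd" * 20

if __name__ == "__main__":
    journal = ClipboardJournal()
    journal.on_copy(USER_ADDRESS)
    print(journal.on_paste(SWAPPED_ADDRESS))  # reports the swap
    print(journal.on_paste(USER_ADDRESS))     # None: clipboard matches what was copied
```

The check is deliberately shape-based: the clipper does not need to produce a checksum-valid address to succeed, it only needs the victim to paste whatever is in the clipboard, so the useful signal is "the address changed between copy and paste", not "the address is malformed".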
ESET researchers discovered the malicious app on the Google Play store shortly after it became available for download on Feb. 1. They reported their findings to Google’s security team, which subsequently removed the app from the app marketplace.
Android/Clipper.C is not the only malware sample that’s impersonated MetaMask. Other programs used the MetaMask disguise to phish for sensitive data and steal access to users’ cryptocurrency funds.
The Growing Problem of Clipper Malware
Android/Clipper.C is just the latest instance of clipper malware to prey on users. In March 2018, ESET learned about one sample of this threat category targeting Monero users by masquerading as a Win32 Disk Imager application on download.com.
A few months later, Bleeping Computer discovered another cryptocurrency clipboard hijacker that was monitoring 2.3 million cryptocurrency addresses at the time of discovery. Dr.Web also uncovered an Android clipper in summer 2018, though this threat was not available for download on the Google Play store at that time.
How to Defend Against Disguised Malware Threats
Security professionals can help defend against threats like Android/Clipper.C by investing in a unified endpoint management (UEM) solution that can alert users when malware is detected and automatically uninstall infected apps. They should also leverage artificial intelligence (AI) to spot malicious behaviors and stop malware like Android/Clipper.C in its tracks.
The post Clipper Malware Found Masquerading as Legitimate Service on Google Play Store appeared first on Security Intelligence.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how hackers are improving their breach strategies. Also, learn about new spyware attacks via URLs, websites, and mobile apps.
Maintaining protection over an enterprise’s critical data, systems and assets is a continual uphill battle. Hackers are bolstering their capabilities to silently breach platforms and staying under the radar.
In a global survey of 1,125 IT executives, Trend Micro discovered that enterprise cybersecurity staff feels unsupported by their enterprises, with 33 percent feeling isolated in their positions.
As hackers continually shift and improve upon their attack and breach strategies, IT and security stakeholders must do their best to keep up and remain informed of these trends.
Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity.
Cybercriminals use websites created using the PHP framework to breach web servers via dictionary attacks on default credentials and gain control of these routers for distributed denial of service attacks.
A bug has been discovered that lets you call anyone with FaceTime and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call.
Trend Micro discovered several beauty camera apps on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes.
Microsoft Exchange 2013 and newer versions are vulnerable to a privilege escalation attack that gives anyone with a mailbox a way to gain domain administrator rights at potentially 90% of organizations running Active Directory and Exchange.
Owners and administrators of WordPress websites that use the “Total Donations” plugin are advised to remove the plugin after a zero-day vulnerability and design flaws were seen actively exploited.
A U.S. judge rejected Yahoo’s proposed settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history, faulting the Internet services provider for a lack of transparency.
On January 20, a security researcher going by FewAtoms spotted a malicious URL in the wild. The URL is an open directory that leads would-be victims to a malicious self-extracting archive.
Which spyware attack were you most surprised to hear about? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Hacker Strategies and Spyware Attacks appeared first on .
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a spyware that disguised itself as an Android application to gather information from users. Also, find out the biggest global data breaches of 2018 and how millions of personal records were compromised last year.
The combination of new application technology with existing legacy architectures and deployment models leads to greater IT complexity and difficulties.
Several U.S. newspapers came under attack from apparent hackers, preventing some from printing and distributing their daily editions.
Trend Micro discovered a spyware (detected as ANDROIDOS_MOBSTSPY) which disguised itself as legitimate Android applications to gather information from users.
A pair of hackers have found a way to broadcast propaganda for YouTube celebrity PewDiePie because thousands of people left their Google Chromecasts and smart televisions wide open.
Data breaches continued to be a major issue in 2018 with a series of serious cases ranging from retailers to social networks, resulting in millions of personal records being compromised.
Hundreds of cities have adopted or begun planning smart cities projects, but they frequently lack the expertise to understand privacy, security and financial implications of such arrangements.
What are your thoughts on smart cities and privacy? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Spyware and Data Breaches appeared first on .
Malware C2 servers are another great place to apply the rule "Logs Don't Lie." Most security researchers realize that there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations. @LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware. And the Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do! (Sidenote: @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while @LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware. You should follow both on Twitter if you care about such things. Thanks to them both for the pointer that leads to what follows.)
In this case, the malware is believed to be called "Anubis II" and likely uses the "Builder" that is depicted in this YouTube video, titled "Builder Android Bot Anubis 2".
|Launcher the APK Builder "Android Botnet Anubis II"|
|Malware actor chooses from his list of banking targets|
|Phones that can be controlled from Anubis II control panel|
The targets which have custom web inject (or phone inject) content include:
- 7 Austrian banks
- 18 Australian banks
- 5 Canadian banks
- 6 Czech banks
- 11 German banks
- 11 Spanish banks
- 11 French banks
- 8 Hong Kong banks
- 11 Indian banks
- 6 Japanese banks
- 1 Kenyan bank
- 4 New Zealand banks
- 32 Polish banks
- 4 Romanian banks
- 9 Turkish banks
- 10 UK banks (Bank of Scotland, Barclays, CSGCSDNMB, Halifax, HSBC, Natwest, Royal Bank of Scotland, Santander, TSB, Ulster)
- 10 US banks (Bank of America, Capital One, Chase, Fifth Third, NetTeller, Skrill, SunTrust, USAA, US Bank, Wells Fargo Mobile)
Fake Android Login Pages for Banks
As well as some Online Payment, Email, and Social Media sites:
Each bank on the list has the equivalent of a phishing page that can be presented if the owner of the android phone attempts to log in to the given bank.
Some of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content, inviting the phone owner to "Sing In" to the bank. Perhaps there is a Wells Fargo Choir? Hopefully that will cause victims to NOT fall for this particular malware!
|The Wells Fargo Choir? Sing On!|
One of the main benefits of having access to the server was to see so many examples of successful SMS message intercepts! At the time of the server dump, this one contained 32,900+ unique "keylog" entries and 52,000+ logged SMS messages from at least 47 unique devices.
The SMS Intercepts
Here's an example showing a bank two-factor authentication request being forwarded to the criminals:
Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. If you didn't request the code, call 1.800.xxx.xxxx for assistance.
Keylogging was also enabled, allowing the criminal to see when a bank app was being used:
06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:, May 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]
In this example, an online payment company is sharing a message:
06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a friendly reminder that you have a payment due today by 6pm If you have any questions or need to make a payment via phone call 804-999-9999 or we have a new payment processing system that allows , for your convenience, to simply text in the last 4 digits of a card you've previously used and the security code and we're able to process your payment. Feel free to call REDACTED with any questions at 804-xxx-xxxx]
Hundreds of Gmail verification codes were found in the logs:
06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]
Quite a few Uber codes were also found in the logs:
Text: [#] 9299 is your Uber code. qlRnn4A1sbt
Paypal, Quickbooks, LinkedIn, Facebook, Stash, and Stripe all had 2FA codes make appearances in the logs:
Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes. Please don't reply.
Text: [Your QuickBooks Self-Employed Code is 952708, 1 min ago]
Text: 383626 is your Facebook password reset code or reset your password here: https://fb.com/l/9wBUVuGxxxx5zC
Text: Your LinkedIn verification code is 967308.
Text: 103-667 is your Stripe verification code to use your payment info with Theresa.
Text: Your Stash verification code is 912037. Happy Stashing!
Text: Cash App: 157-578 is the sign in code you requested.
Text: Your verification code for GotHookup is: 7074
In a directory called "/numers/" there were also examples of address book dumps from phone contacts. The small number of these seems to indicate this would be a "triggered" request, where the botnet operator would have to request the address book. In the example we found, with seven area code (404) numbers, four (770) numbers and four (678) numbers, it is likely an Atlanta, Georgia based victim.
The Keylogging feature also seems to be something that is turned on or off by request of the botnet operators. There were far fewer devices for which keylogs were found. Example keylog entries looked like this:
A telephone prompt looked like this:
- 06/15/2018, 14:38:55 EDT|(CLICKED)|[Call management, •, 10m, 4 missed calls, Ashley Brown (3), Mom]
- 06/15/2018, 14:38:59 EDT|(CLICKED)|[Call Ashley Big Cousin, Quick contact for Ashley Brown]
- 06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]
Responding to a message looked like this:
- 06/15/2018, 16:02:34 EDT|(CLICKED)|[Messaging, •, now, Expand button, (804) 999-9999 , Hey Terry can you send the address, REPLY]
- 06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]
- 06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]
- 06/15/2018, 16:02:50 EDT|(FOCUSED)|
- 06/15/2018, 16:02:54 EDT|(CLICKED)|[Messaging]
- 06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]
- 06/15/2018, 16:05:11 EDT|(CLICKED)|[Answer]
- 06/15/2018, 16:05:29 EDT|(CLICKED)|
- 06/15/2018, 16:10:50 EDT|(FOCUSED)|
- 06/15/2018, 16:10:52 EDT|(CLICKED)|[Enter]
- 06/15/2018, 16:11:01 EDT|(FOCUSED)|[2007 Their Address Ct North CityTheyTyped OK 11111]
- 06/15/2018, 16:11:03 EDT|(FOCUSED)|
- 06/27/2018, 15:23:36 EDT|(CLICKED)|[YouTube]
- 06/27/2018, 15:23:46 EDT|(CLICKED)|[Pause video]
- 06/27/2018, 15:41:19 EDT|(FOCUSED)|[14:46, Go to channel, FINDING OUT THE GENDER!!!, Menu, The Rush Fam · 26K views4 hours ago, 6:12, Go to channel, TRY NOT TO CRY CHALLENGE REACTION WITH KID (SHE ACTUALLY CRIED), Menu, CJ SO COOL · 2.5M views · 1 year ago, SUBSCRIBED]
- 06/27/2018, 15:46:38 EDT|(FOCUSED)|
- 06/27/2018, 15:46:41 EDT|(CLICKED)|[Enter]
- 06/27/2018, 15:46:53 EDT|(CLICKED)|[Play video]
- 06/27/2018, 15:48:06 EDT|(CLICKED)|[ · 0:11]
- 06/27/2018, 15:48:09 EDT|(CLICKED)|[ · 0:09]
- 06/27/2018, 15:48:10 EDT|(CLICKED)|[ · 0:08]
- 06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]
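When a responder gets hold of a dump like the one described above, the first job is usually to turn the flat log into something that can be counted: how many devices and days of activity, which events are keystroke captures versus SMS intercepts, and which entries carry a one-time code that should trigger victim notification. The following is an added example written for this page, not a tool from the investigation or from ESET: it parses the two record shapes shown above (the `MM/DD/YYYY, HH:MM:SS TZ|(EVENT)|[...]` keylog lines and the `Text: ...` SMS lines) and produces a small triage summary. The sample lines are constructed, modelled on the redacted entries on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Record shapes as they appear in the dump:
#   MM/DD/YYYY, HH:MM:SS TZ|(EVENT)|[field, field, ...]   keylog; the [...] part may be absent
#   Text: <intercepted SMS body>                           SMS intercept
KEYLOG_RE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{4}, \d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]{3,4})"
    r"\|\((?P<event>[A-Z]+)\)\|(?:\[(?P<body>.*)\])?\s*$"
)
SMS_RE = re.compile(r"^Text:\s*(?P<body>.+)$")
# A 4-6 digit token, optionally split as "123-456" or prefixed "G-" as in the Google entries.
CODE_RE = re.compile(r"\b(?:G-)?(?:\d{3}-\d{3}|\d{4,6})\b")


@dataclass
class KeylogEvent:
    when: datetime   # local time as logged; the zone label is kept separately
    tz: str
    event: str       # FOCUSED, CLICKED, ...
    fields: list     # the comma-separated accessibility text, split naively


def parse_keylog_line(line):
    """Parse one keylog record, tolerating the '- ' bullet the page adds. Returns None otherwise."""
    m = KEYLOG_RE.match(line.strip().lstrip("- "))
    if not m:
        return None
    when = datetime.strptime(m.group("stamp"), "%m/%d/%Y, %H:%M:%S")
    body = m.group("body")
    fields = [f.strip() for f in body.split(",")] if body else []
    return KeylogEvent(when, m.group("tz"), m.group("event"), fields)


def parse_sms_line(line):
    """Return the SMS body of a 'Text: ...' record, or None."""
    m = SMS_RE.match(line.strip())
    return m.group("body") if m else None


def contains_verification_code(text):
    """True when the text talks about a code AND carries a 4-6 digit token.

    Requiring the word 'code' keeps account fragments such as '******6680'
    or a year in a date from being flagged on their own.
    """
    return "code" in text.lower() and CODE_RE.search(text) is not None


def triage(lines):
    """Summarise a dump: counts per record type, active days, and code exposures."""
    events, sms = [], []
    for line in lines:
        ev = parse_keylog_line(line)
        if ev is not None:
            events.append(ev)
            continue
        body = parse_sms_line(line)
        if body is not None:
            sms.append(body)
    exposures = [b for b in sms if contains_verification_code(b)]
    exposures += [", ".join(e.fields) for e in events if contains_verification_code(", ".join(e.fields))]
    return {
        "keylog_events": len(events),
        "sms_messages": len(sms),
        "events_by_type": Counter(e.event for e in events),
        "active_days": sorted({e.when.date().isoformat() for e in events}),
        "code_exposures": exposures,
    }


# Constructed sample lines modelled on the entries above (numbers and names are placeholders).
SAMPLE_DUMP = [
    "06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Status:, Canceled, Amount:, $100.00]",
    "06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]",
    "06/15/2018, 16:02:50 EDT|(FOCUSED)|",
    "- 06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]",
    "Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes.",
    "Text: [#] 9299 is your Uber code. qlRnn4A1sbt",
    "Text: Reminder: your appointment is on 06/20 at 3pm.",
    "this line is not a record at all",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The `code_exposures` list is the part worth acting on: every entry there is a second-factor or reset code that reached the operators, so the matching account owner should be told to rotate credentials and re-enrol their second factor.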
Kaspersky: HEUR:Trojan-Dropper.AndroidOS.Hqwar.bb
Sophos: Andr/BankSpy-AH
|Kaspersky: Phantom Menace|