Now Grab $2 PUBG Mobile Play Store Credit
PlayerUnknown’s Battlegrounds (PUBG), the most popular online multiplayer battle royale game, is offering free in-game credits up to $2.
PUBG, which just won the Best Game Award of 2018 in Google Play, has decided to thank its players for the honor by giving away free credits up to $2. However, the free credits are available only to Android players in the U.S.
We just won the Google Play Best of 2018 BEST GAME AWARD! As a token of appreciation for all of your support, all US Google Play Android players can claim up to $2 of in-game credit for FREE! Head to the Best Games of 2018 section of the Google Play Store to redeem your credit. pic.twitter.com/4xyuJOAwpV
— PUBG MOBILE (@PUBGMOBILE) December 5, 2018
All those PUBG fans who wish to redeem free $2 credits can go to Google Play Store and claim their free reward. Just follow the steps below to redeem the credit.
- Open Google Play Store.
- Then, head to the ‘Best Games of 2018’ section.
- Scroll down and click on “Get up to $2 off PUBG.”
Once you redeem your $2 credit, you can use it to purchase an item in PUBG Mobile by paying directly with Google Play credits. Be sure to redeem the free credit before the expiry date. The credit is valid for a single transaction only.
The post PUBG Mobile is offering free $2 worth of in-game credits appeared first on TechWorm.
Fake voice apps have been spotted on Google Play, and researchers suggested that more could be on the way.
As reported by Trend Micro, multiple malicious voice communication and messaging apps have been spotted on Google Play in the last month. While they appear legitimate at first glance, these messaging platforms leverage modular downloaders to contact command-and-control (C&C) servers, obtain payloads and serve up fake surveys designed to steal user data. They’re lightweight and minimally invasive, reducing the chance of detection by users or device security systems.
Once installed, the app contacts a C&C server for its payload. This contains an “Icon” module that hides the application’s actual icon to subvert uninstall attempts, and a “Wpp” module that opens arbitrary browser URLs and allows the malware to generate fake surveys intended to capture personal information such as names, phone numbers and home addresses. In addition, these apps contain a dynamic library module called “Socks” that integrates with Ares-C. While the researchers didn’t see Socks in action, they believe it may be a developing feature for use in new malware iterations.
Based on code similarities, Trend Micro believes these fake apps have the same authors and suggested that, despite Google’s removal of these apps from the Play Store, more are likely on the way as malware makers discover better ways to obscure malicious code.
What Is the Impact to Users?
For users, the immediate impact of these fake voice apps is having to deal with random URLs and persistent fake surveys. Uninstallation is also frustrating, since the applications take steps to prevent easy removal.
Trend Micro speculated that the malware operators’ current campaign may be a test run for a larger-scale botnet. Here, the ongoing impact is more worrisome: If whisper-quiet voice apps make their way onto user devices, compromise them without notice and leverage them for botnet-based attacks, the sheer numbers could be daunting at best and devastating at worst — especially if these applications make their way into popular download platforms.
Be Vigilant to Spot Fake Voice Apps
Google has taken steps to remove these applications from the Play Store. But with the specter of new versions on the way, users and organizations must take steps to protect mobile devices from these trash-talking apps.
From an end-user standpoint, IBM X-Force recommends regular software updates for both operating systems and antivirus solutions to help reduce the success rate of fake application infections. Meanwhile, IBM security experts advise enterprises to invest in unified endpoint management (UEM) tools that enable IT teams to view, manage and protect all corporate-connected devices before they become fake voice app victims.
Source: Trend Micro
Last week on Malwarebytes Labs, we took a look at a devastating business email compromise attack, web skimming antics, and the fresh perils of Deepfakes. We also checked out some Chrome bug issues, and took the deepest of deep dives into DNA testing.
Other cybersecurity news
- Adobe Flash bug—get patching! (Source: Adobe)
- Accidental Tesla forum access granted (Source: Dan’s Deals)
- LastPass suffered power outage, other frustrations (Source: The Register)
- US Justice Department investigates whether last year’s Bitcoin rally was a result of manipulation (Source: Bloomberg)
- Tumblr combats exploitation content (Source: Tumblr)
- Plane crash used as phishing bait (Source: Gizmodo)
- Was hacker tessa88’s true identity revealed? (Source: Insikt Group)
- More bogus apps on Google Play discovered (Source: ESET)
- Huge losses from online payment fraud to reach $48 billion annually (Source: Help Net Security)
Stay safe, everyone!
Malware C2 servers are another great place to apply the rule "Logs Don't Lie." Most security researchers realize that there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations. @LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware. And the Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do! (Sidenote: @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while @LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware. You should follow both on Twitter if you care about such things. Thanks to them both for the pointer that leads to what follows.)
In this case, the malware is believed to be called "Anubis II" and likely uses the "Builder" that is depicted in this YouTube video, titled "Builder Android Bot Anubis 2".
|Launcher the APK Builder "Android Botnet Anubis II"|
|Malware actor chooses from his list of banking targets|
|Phones that can be controlled from Anubis II control panel|
The targets which have custom web inject (or phone inject) content include:
- 7 Austrian banks
- 18 Australian banks
- 5 Canadian banks
- 6 Czech banks
- 11 German banks
- 11 Spanish banks
- 11 French banks
- 8 Hong Kong banks
- 11 Indian banks
- 6 Japanese banks
- 1 Kenyan bank
- 4 New Zealand banks
- 32 Polish banks
- 4 Romanian banks
- 9 Turkish banks
- 10 UK banks (Bank of Scotland, Barclays, CSGCSDNMB, Halifax, HSBC, Natwest, Royal Bank of Scotland, Santander, TSB, Ulster)
- 10 US banks (Bank of America, Capital One, Chase, Fifth Third, NetTeller, Skrill, SunTrust, USAA, US Bank, Wells Fargo Mobile)
Fake Android Login Pages for Banks
As well as some Online Payment, Email, and Social Media sites:
Each bank on the list has the equivalent of a phishing page that can be presented if the owner of the android phone attempts to log in to the given bank.
Some of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content, inviting the phone owner to "Sing In" to the bank. Perhaps there is a Wells Fargo Choir? Hopefully that will cause victims to NOT fall for this particular malware!
|The Wells Fargo Choir? Sing On!|
One of the main benefits of having access to the server was to see so many examples of successful SMS message intercepts! At the time of the server dump, this one contained 32,900+ unique "keylog" entries and 52,000+ logged SMS messages from at least 47 unique devices.
The SMS Intercepts
Here's an example showing a Bank Two Factor Authentication request being forwarded to the criminals:
Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. If you didn't request the code, call 1.800.xxx.xxxx for assistance.
Keylogging was also enabled, allowing the criminal to see when a bank app was being used:
06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:, May 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]
In this example, an online payment company is sharing a message:
06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a friendly reminder that you have a payment due today by 6pm If you have any questions or need to make a payment via phone call 804-999-9999 or we have a new payment processing system that allows , for your convenience, to simply text in the last 4 digits of a card you've previously used and the security code and we're able to process your payment. Feel free to call REDACTED with any questions at 804-xxx-xxxx]
Hundreds of Gmail verification codes were found in the logs:
06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]
Quite a few Uber codes were also found in the logs:
Text: [#] 9299 is your Uber code. qlRnn4A1sbt
Paypal, Quickbooks, LinkedIn, Facebook, Stash, and Stripe all had 2FA codes make appearances in the logs:
Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes. Please don't reply.
Text: [Your QuickBooks Self-Employed Code is 952708, 1 min ago]
Text: 383626 is your Facebook password reset code or reset your password here: https://fb.com/l/9wBUVuGxxxx5zC
Text: Your LinkedIn verification code is 967308.
Text: 103-667 is your Stripe verification code to use your payment info with Theresa.
Text: Your Stash verification code is 912037. Happy Stashing!
Text: Cash App: 157-578 is the sign in code you requested.
Text: Your verification code for GotHookup is: 7074
In a directory called "/numers/" there were also examples of address book dumps from phone contacts. The small number of these seems to indicate this would be a "triggered" request, where the botnet operator would have to request the address book. In the example we found, with seven area code (404) numbers, four (770) numbers and four (678) numbers, it is likely an Atlanta, Georgia based victim.
The Keylogging feature also seems to be something that is turned on or off by request of the botnet operators. There were far fewer devices for which keylogs were found. Example keylog entries looked like this:
A telephone prompt looked like this:
- 06/15/2018, 14:38:55 EDT|(CLICKED)|[Call management, •, 10m, 4 missed calls, Ashley Brown (3), Mom]
- 06/15/2018, 14:38:59 EDT|(CLICKED)|[Call Ashley Big Cousin, Quick contact for Ashley Brown]
- 06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]
Responding to a message looked like this:
- 06/15/2018, 16:02:34 EDT|(CLICKED)|[Messaging, •, now, Expand button, (804) 999-9999 , Hey Terry can you send the address, REPLY]
- 06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]
- 06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]
- 06/15/2018, 16:02:50 EDT|(FOCUSED)|
- 06/15/2018, 16:02:54 EDT|(CLICKED)|[Messaging]
- 06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]
- 06/15/2018, 16:05:11 EDT|(CLICKED)|[Answer]
- 06/15/2018, 16:05:29 EDT|(CLICKED)|
- 06/15/2018, 16:10:50 EDT|(FOCUSED)|
- 06/15/2018, 16:10:52 EDT|(CLICKED)|[Enter]
- 06/15/2018, 16:11:01 EDT|(FOCUSED)|[2007 Their Address Ct North CityTheyTyped OK 11111]
- 06/15/2018, 16:11:03 EDT|(FOCUSED)|
- 06/27/2018, 15:23:36 EDT|(CLICKED)|[YouTube]
- 06/27/2018, 15:23:46 EDT|(CLICKED)|[Pause video]
- 06/27/2018, 15:41:19 EDT|(FOCUSED)|[14:46, Go to channel, FINDING OUT THE GENDER!!!, Menu, The Rush Fam · 26K views4 hours ago, 6:12, Go to channel, TRY NOT TO CRY CHALLENGE REACTION WITH KID (SHE ACTUALLY CRIED), Menu, CJ SO COOL · 2.5M views · 1 year ago, SUBSCRIBED]
- 06/27/2018, 15:46:38 EDT|(FOCUSED)|
- 06/27/2018, 15:46:41 EDT|(CLICKED)|[Enter]
- 06/27/2018, 15:46:53 EDT|(CLICKED)|[Play video]
- 06/27/2018, 15:48:06 EDT|(CLICKED)|[ · 0:11]
- 06/27/2018, 15:48:09 EDT|(CLICKED)|[ · 0:09]
- 06/27/2018, 15:48:10 EDT|(CLICKED)|[ · 0:08]
- 06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]
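For triage of a recovered log set like the one quoted above, this added example (not code from the original post or from the malware) parses the two record shapes shown, keylog lines and `Text:` SMS lines, and counts which services had one-time codes captured. The regular expressions, the `SERVICES` list and all function names are assumptions built from the redacted samples on this page.

```python
import re
from collections import Counter
# Record shape quoted in the post: "<date>, <time> <TZ>|(<EVENT>)|[<captured text>]"
KEYLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}, \d{2}:\d{2}:\d{2} [A-Z]{2,4})"
    r"\|\((?P<event>[A-Z]+)\)\|(?:\[(?P<text>.*)\])?$")
# A code is 4-8 digits or NNN-NNN, optionally prefixed "G-", not part of a longer token.
OTP_RE = re.compile(r"(?<![\w$.*-])(?:G-)?(\d{3}-\d{3}|\d{4,8})(?![\w-])")
# Digits alone are not enough (account numbers, years); require 2FA wording as well.
OTP_HINT = re.compile(r"\b(code|verification|authorization)\b", re.I)
SERVICES = ["Google", "Uber", "PayPal", "QuickBooks", "Facebook",
            "LinkedIn", "Stripe", "Stash", "Cash App"]  # names taken from the post

def parse_record(line):
    """Return (timestamp or None, event, text) for a keylog or 'Text:' line, else None."""
    line = line.strip().lstrip("- ")
    if line.startswith("Text: "):
        return None, "SMS", line[6:].strip("[]")
    m = KEYLOG_RE.match(line)
    if not m:
        return None
    return m["ts"], m["event"], m["text"] or ""  # the bracketed payload may be absent

def exposed_codes(lines):
    """Yield (service, code, event) for each record that carries a one-time code."""
    for line in lines:
        rec = parse_record(line)
        if rec is None or not OTP_HINT.search(rec[2]):
            continue
        m = OTP_RE.search(rec[2])
        if m:
            service = next((s for s in SERVICES if s.lower() in rec[2].lower()), "other")
            yield service, m.group(1), rec[1]

def summarize(lines):
    """Count captured codes per service, to prioritise resets and notifications."""
    return Counter(service for service, _, _ in exposed_codes(lines))

# Redacted entries reused from the post; the bank keylog line is abbreviated.
SAMPLE = [
    "06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]",
    "06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Amount:, $100.00]",
    "Text: 103-667 is your Stripe verification code to use your payment info with Theresa.",
    "Text: [#] 9299 is your Uber code. qlRnn4A1sbt",
    "Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes.",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

The bank keylog entry contains digit runs but no 2FA wording, so it is not counted; records with an empty payload parse cleanly and are skipped.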
Kaspersky: HEUR:Trojan-Dropper.AndroidOS.Hqwar.bb
Sophos: Andr/BankSpy-AH
|Kaspersky: Phantom Menace|