Category Archives: Mobile Security

Securelist – Kaspersky Lab’s cyberthreat research and reports: I know where your pet is

Kaspersky Lab’s many years of cyberthreat research would suggest that any device with access to the Internet will inevitably be hacked. In recent years, we have seen hacked toys, kettles, cameras, and irons. It would seem that no gadget has escaped the attention of hackers, yet there is one last bastion: “smart” devices for animals. For example, trackers to monitor their location. Such gadgets can have access to the owner’s home network and phone, and their pet’s location.

This report highlights the potential risks for users and manufacturers. In it, we examine several trackers for potential vulnerabilities. For the study, we chose some popular models that have received positive reviews:

Technologies used: Bluetooth LE

The four trackers in the study use Bluetooth Low Energy (BLE), which in many cases is the weak spot in the device’s protective armor. Let’s take a closer look at this technology. BLE is an energy-saving Bluetooth specification widely used in IoT devices. What we’re interested in is the lack of authentication and the availability of services and characteristics.

Unlike “classic” Bluetooth, where peer devices are connected using a PIN code, BLE is aimed at non-peer devices, one of which may not have a screen or keyboard. Thus, PIN code protection is not implemented in BLE — authentication depends entirely on the developers of the device, and experience shows that it is often neglected.

The second feature of interest to us is the availability of services, characteristics, and descriptors. They form the basis for data transfer between devices in the BLE specification. As we already noted, BLE works with non-peer devices, one of which (the one that does the connecting) is usually a smartphone. The other device, in our case, is a tracker. After connecting to it, several BLE services are available to the smartphone. Each of them contains characteristics which in turn may have descriptors. Both characteristics and descriptors can be used for data transfer.

Hence, the correct approach to device security in the case of BLE involves pre-authentication before characteristics and descriptors are made available for reading and writing. Moreover, it is good practice to break the link shortly after connecting if the pre-authentication stage is not passed. In this case, authentication should be based on something secret that is not accessible to the attacker—for example, the first part of the data can be encrypted with a specific key on the server (rather than the app) side. Or transmitted data and the MAC address of the connected device can be confirmed via additional communication channels, for example, a built-in SIM card.

Kippy Vita

This tracker transfers GPS coordinates to the server via its built-in SIM card, and the pet’s location is displayed in the mobile app. The tracker does not interface “directly” with the smartphone. We could not detect any problems in the device itself, so we turned our focus to the mobile apps.

Here, too, everything looked pretty good: SSL Pinning was implemented, unlike in any other app we tested. Moreover, the Android app encrypts important data before saving it to its own folder.

The only problem we did detect was that the app for Android logs data that is transmitted to the server. This data can include the user’s password and login, as well as an authentication token.

Output of the Kippy Vita app with user login and password

Despite the fact that not all apps can read logs (only system apps or ones with superuser rights), it is still a major security issue.

Registered CVE:

This tracker monitors the pet’s location via GPS and transfers coordinates via the built-in SIM card. What’s more, it can interface with the owner’s phone directly — via Bluetooth LE. And this means that it is always ready to connect devices, which makes a good starting point for the study.

We were pleasantly surprised by Link AKC: the developers did everything right in terms of securing the connection to the smartphone. We couldn’t find any major problems, which is rare for devices with BLE support.

After the smartphone connects to the device and discovers services, it should enable notifications (that is, inform the tracker of expected changes) in two characteristics and a descriptor (otherwise the tracker breaks the link). After that Link AKC is ready to receive commands. They should contain the user ID; if the user does not have rights to use the tracker, the command is not executed. This maintains control over access rights. Even using the ID obtained from the tested device, we could not make the gadget execute a command from another smartphone—it appears that the tracker checks the smartphone’s MAC address.

However, the device cannot be described as completely secure. In the app for Android, we found that the developers had forgotten to disable logging. As a result, the app transfers lots of data to logcat, including:

  • the app’s authorization token, which if intercepted can be used to sign into the service and discover the pet’s location:

  • User registration data, including name and email address:

  • Device coordinates:

Starting with Android 4.1, only some system apps or apps with superuser rights can read the logs of other programs. It is also possible to gain access when connecting the smartphone to a computer, but this requires Android developer mode to be activated.

Despite these restrictions, it is still a problem: attackers can get hold of data to access the victim’s account, even if the likelihood of this happening is small.

On top of that, the Android app does not verify the server’s HTTPS certificate, exposing it to man-in-the-middle (MITM) attacks. For a successful attack, attackers need only install their own certificate on the smartphone (which is quite simple to do), allowing them to intercept all transmitted data, including passwords and tokens used for account access:

The Link AKC app for Android is vulnerable to MITM attacks

The authorization token is also stored in unencrypted form in the app folder. Although superuser rights are needed to access it, it is still not the best place to store important data.

The authorization token is stored in unencrypted form

Registered CVE:


In terms of functionality, Nuzzle is like the previous tracker: It too uses a SIM card to transmit the pet’s GPS coordinates and can directly connect to a smartphone via BLE. But on the latter point, Nuzzle performed less well than Link AKC: the lack of authorization and access control means that the device is ready to interface with any smartphone. This lets an attacker take control of the device, just like the owner. For example, it can quickly discharge the battery by turning on the light bulb (for which the value of just one attribute needs changing).

An attacker can receive data from the device as soon as a connection is made. Data is available in two characteristics: one contains telemetry information, including device location, while the other provides device status information (in particular, temperature and battery charge).

What is worse, the continuous reading of data from the telemetry characteristic results in the device being “lost”: to save battery power, the gadget does not transmit coordinates via the mobile network if they have already been sent via BLE. Thus, it is possible to conceal the location of the pet simply by connecting to the tracker using a smartphone.

We detected another security hole in the process of updating the device firmware. The integrity control was found to be easy to bypass. Basically, the firmware consists of two files with the extensions DAT and BIN. The first contains information about the firmware, including the checksum (CRC16) used in the integrity control, and the second contains the firmware itself. All it takes to install modified software on the tracker is to change the checksum in the DAT file.

AT commands in Nuzzle firmware

To cripple the device, we didn’t even need to analyze the firmware: it is not encrypted or packed, so just by opening it in a hex editor we were able to find the AT commands and the host used to send data by means of the SIM card. After we changed several bytes in the host, updated the firmware checksum, and uploaded it to the device, the tracker stopped working.

As in the case of Link AKC, the Nuzzle app for Android does not check the server certificate, and the authentication token and user email address are stored in the app folder in unencrypted form.

Unencrypted authorization token and user email address

Registered CVE:


Two TrackR devices featured in our study: Bravo and Pixel. These “trinkets” differ from previous devices in that their tracking range (if indeed they are intended to track pets) is limited to 100 meters: unlike other models, they have no GPS module or SIM card, and the only link to them is via Bluetooth LE. Their main purpose is to locate keys, remote controls, etc. around the apartment. However, the developers have equipped the devices with an option that lets them partially track the movements of something: the trackers location can be  transmitted “via” the smartphones of other TrackR app users. If the app is running on the smartphone, it will transfer data to the service about all “trinkets” detected nearby, together with the smartphone coordinates. Therein lies the first defect: anyone can sign into the mobile app and send fake coordinates.

We managed to identify a few more problems, but as it turned out, most of them had already been discovered by our colleagues at Rapid7. Although their research was published more than a year ago, some vulnerabilities had yet to be fixed at the time of penning this article.

For instance, the devices have no authentication when connecting via Bluetooth LE, which means they are open to intruders. An attacker could easily connect and turn on the audio signal, for example, simply by changing the value of one characteristics. This could let an attacker find the animal before its owner does or run down the tracker battery.

Structure of TrackR services and attributes

Besides, the app for Android does not verify server certificates, meaning that an MITM attack could lead to the interception of the password, authentication token, user email address, and device coordinates.

TrackR Android app requests contain an authentication token

On the bright side, the app does not store the authentication token or password in their own folder, which is the proper way to guard against Trojans that use superuser rights to steal data.

Registered CVE:


Unlike most devices we studied, this tracker does not communicate directly with the smartphone—only through its own servers. This approach is secure enough, but we detected some minor issues in the Android app. First, as in other cases, it does not verify the server certificate, which facilitates MITM attacks. What’s more, the app stores the authentication token in unencrypted form:

As well as pet movement data:

It should be noted that this data is not so easy to steal, since other apps cannot read it. But there are Trojans that can steal data from other apps by exploiting superuser rights.

Weenect WE301

This is another tracker that doesn’t interface with the owner’s smartphone directly, but transfers pet coordinates to the server via a built-in SIM card. We didn’t encounter any security issues with this tracker, but problems similar to those in Tractive were detected in the Android version of the app.

First, it does not prevent MITM attacks, allowing attackers to access the user’s account or intercept geoinformation. Second, authentication data is stored in the app folder in unencrypted form, exposing it to Trojans with superuser rights on the device.

Whistle 3

This is one of the most technically interesting trackers in the study. It can transfer GPS coordinates via its built-in SIM card, via Wi-Fi to its server (if the owner provides a Wi-Fi network password), or directly to the owner’s smartphone via BLE.

We looked at Wi-Fi first of all and found that the developers had taken care to secure the connection: The device transmits small portions of data over HTTPS (that is, in encrypted form).

Wi-Fi data transfer is secured using HTTPS

Next, we checked the BLE connection and found many security issues. The first is the lack of proper authentication. After connecting, the device waits for a certain sequence of actions to be performed, which could be described as pre-authentication. The sequence is so simple that a third party can easily reproduce it. All it takes is to connect to the device, transfer two characteristics to WRITE_TYPE_NO_RESPONSE mode, request a change in the size of transmitted data (MTU), turn on notifications for one characteristics, and transfer a certain number to another characteristics.

Now the tracker is ready to receive and execute commands that do not contain a user ID, which means that anyone can send them. For example, it is possible to send an initiateSession command, and in response the device will send an unencrypted set of data, including the device coordinates. What’s more, if this command is continuously transmitted, the gadget will not send location data via the SIM card, since it will assume that such data has already been received “directly.” Thus, it is possible to “hide” the tracker from its owner.

There is one more problem: the tracker transmits data to the server without any authentication. This means that anyone can substitute it, altering the coordinates in the process.

The app transmits data received from the tracker via BLE

The Android app uses the HTTPS protocol (which is good), but does not verify the server certificate.

MITM attacks can intercept user data

Not only that, the smartphone app stores user data in unencrypted form in its own folder, exposing it to theft by a Trojan with superuser rights. However, authentication data is stored correctly.

Tracker coordinates from the app database

Note that the Android app writes data to logcat. As mentioned above, despite the fact that other app logs can read only some system utilities or apps with superuser rights, there is no need to write important data to the log.

The Android app can log user and pet data (activity, email address, name, owner’s phone number), as well as one of the used tokens

Registered CVE:


GPS trackers have long been applied successfully in many areas, but using them to track the location of pets is a step beyond their traditional scope of application for this, they need to be upgraded with new “user communication interfaces” and “trained” to work with cloud services, etc. If security is not properly addressed, user data becomes accessible to intruders, endangering both users and pets.

Research results: four trackers use Bluetooth LE technology to communicate with the owner’s smartphone, but only one does so correctly. The rest can receive and execute commands from anyone. Moreover, they can be disabled or hidden from the owner—all that’s required is proximity to the tracker.

Just one of the tested Android apps verifies the certificate of its server, without relying solely on the system. As a result, they are vulnerable to MITM attacks—intruders can intercept transmitted data by “persuading” victims to install their certificate.


Securelist - Kaspersky Lab’s cyberthreat research and reports

Will Two-Factor Authentication Ever Get Its Time in the Sun?

Decades into the campaign, the effort to wean users off simple password protection hasn’t gone very well. Fingerprints, iris scans, tokens… these methods have all been tried and met with only limited success. The security industry’s best chance yet? It’s a sort of half-measure that lets users keep their passwords but adds a second element (or “factor”) to logins.

However, data about the uptake of two-factor authentication (2FA) means this once-promising strategy also hasn’t succeeded. A combination of usability, fallibility and just-plain stubbornness has preserved the role of plain-old passwords at many places.

What’s so fallible about 2FA? It often relies on consumers’ smartphones. A bit like Social Security numbers in the U.S., it’s a role smartphones weren’t designed to play. So, many implementations haven’t proven to be robust.

Help might be on the way, however, as mobile carriers are working together on a solution. If they pull it off, perhaps two-factor might finally catch on with the masses — but that seems a distant possibility at the moment.

2FA or not 2FA?

Dismal data points for two-factor uptake are easy to find. The latest: 90 percent of Gmail users still haven’t turned it on, according to The Register, even though Google introduced two-factor tools seven years ago. Grzegorz Milka, a Google engineer, revealed this depressing reality at the Usenix conference in January 2018. When asked why Google didn’t require two-factor, Milka gave the answer almost all security professionals would.

“The answer is usability,” Milka told The Register. “It’s about how many people would we drive out if we force them to use additional security.”

Only 28 percent of people use 2FA anywhere, CyberScoop reported — and more than half of Americans don’t even recognize the term. That’s not much to show for a nearly 10-year campaign.

Why So Much Hate for 2FA?

At sites like Amazon, Facebook and Instagram, it’s really not that hard to turn on two-factor. Users can do it within a few clicks. The real reason for user indifference might not be usability so much as the irregularity. It seems each implementation of 2FA is slightly different.

One site requires users to enter an SMS text message that will be sent to their phone — woe to that user with a nearly dead cellphone battery. Another will ask for a token code generated by an authenticator app. Facebook generates its own token from within its app. Perhaps the state of affairs is not as bad as the 150 passwords that the average consumer must remember to navigate their digital lives, according to Dashlane, but the inconsistency itself can be maddening.

Is 2FA Really That Great?

Making matters worse, the most popular implementation — the something-you-know and something-you-have kind, which requires SMS text messages — isn’t all it’s cracked up to be. In fact, it’s been cracked, and it’s quite possible consumers have caught on.

Cybercriminals have used a variety of techniques to intercept authentication codes sent over mobile networks — rendering SMS nearly useless as a second factor. However, these attacks don’t seem to be in widespread use yet, so it can be said that two-factor SMS is still better a single password.

Yet, as with all such techniques, criminals will continue to share it and slowly make SMS only about as safe as the passwords themselves. Security professionals already concede this point. As The Verge reported, the National Institute of Standards and Technology withdrew its support for SMS-based 2FA in summer of 2016, citing interception and spoofing risks.

A Glimmer of Hope for 2FA

A consortium of mobile carriers led by AT&T, Sprint, T-Mobile and Verizon announced recently the creation of a “next-generation mobile authentication platform.” Calling themselves the Mobile Authentication Taskforce, the group promised in 2017 to be working hard on the spoofing and interception problem. In March 2018, the Mobile Authentication Taskforce revealed a few details about its plans in a statement.

“The [group] has been working with operators around the world to bring a consistent and interoperable, secure identity service and this task force will strengthen that effort by enabling a simple user experience quickly and conveniently in the US market,” said Alex Sinclair, chief technology officer at trade group GSMA.

The Mobile Authentication Taskforce also said in the statement that it had developed a technique that would utilize the “collective network intelligence” of the carriers. The strategy includes a “cryptographically verified phone number,” inspection of characteristics like phone number tenure, account type and IP address, as well as other advanced analytics that will be used to assess risk.

Further details are still elusive. However, the group promised it would begin testing soon, launch a website later this year and make the solution available by the end of the year. Meanwhile, the carriers’ chance to seize a privileged spot in the authentication game might already be slipping away. Token apps like Google’s Authenticator, which doesn’t require network access to generate a code, seem to bypass the carriers.

But IT professionals don’t need to wait around to see who wins that battle. Users can be forced to add another factor to their logins, of course, but perhaps there’s a better way. Some organizations lure users to turn on 2FA by giving them a discount when they do. And sometimes, an incentive is better than a threat.

Read the interactive white paper: Upgrade your security with mobile multi-factor authentication

“Attackers take advantage of security missteps and shortcuts to gain access to secure systems and sensitive files

The post Will Two-Factor Authentication Ever Get Its Time in the Sun? appeared first on Security Intelligence.

It’s a Zoo Out There! Data Analysis of Alleged ZooPark Dump

In early May, researchers disclosed a Mobile malware campaign by a group focused on Middle Eastern targets. This actor was found to be an evolving and sophisticated group using fake Android apps, namely Telegram, to trick users into installing malicious software. They have been active since 2015 and evolved over several campaigns into 2018. On May 14, a Reddit post linked to LamePT, claiming to have leaked their infrastructure including a database containing victim information.

Figure 1 – Screenshot of the site hosting the leaked data

The current leaked assets include:

  • MYSQL database
  • Audio recordings
  • The old C2 server and assets
  • AppData folder (presumably of the C2 server)
  • Current C2 server and control panel

Further leaked documents are behind a paywall payable to a fresh bitcoin address. The first payment was made on May 13th, 2018 leaving a balance of $1,110.87. It’s difficult to verify if someone paid to have the first dataset released or the actor paid themselves to appear more authentic. With that said, the authenticity of the data is still in question as we have some significant doubts on at least a portion of the data. For example, the following SMS caught our attention:

“ she knew the time of murder exactly”.

This text can be found in an SMS spam dataset used for training spam engines. Many other English based SMS messages can also be found here. “will be office around 4 pm. Now I am going hospital” is another example. Universities tend to use these datasets to teach computer science concepts. In this case, the concept is likely related to machine learning techniques for categorizing messages into spam. One university came up often when searching for these messages based on its Computer Science I: Fundamentals homework postings. Other messages could be found in cached websites.

“Credit shuma ka mast jahat ezdiad credit ba hesab tan shumarai 222 ra dair namoda w aba taqeeb aan code 14 raqami ra dakhel nomaed .”

This translates to “Credit card is not available for sale at 222 days or less than 142 days.” and found cached in a language translation site. This particular phrase was being translated from Turkish to Urdu. Not all of the messages were found publicly online. Most of the messages were in Middle Eastern languages presenting its own challenges. Other sources were found such as Facebook posts; however, sources for the vast majority of the SMS message have not yet been located. For these reasons, we remain skeptical of the authenticity of the data.

Figure 2 – Facebook post with the same text as an SMS message

Other data such as the recordings do not appear to be publicly available. After sampling 100 of these files we’ve found them to sound like authentic recordings. The majority are in 7 minute 59 second .3gpp files. Most appear to be ambient conversations and daily activities and not phone calls as was expected. Searching for public audio is difficult but we can verify that the hashes of the 100 are not publicly indexed by major search engines nor are the file names themselves.

Until we know for certain whether the data is authentic we cannot grantee that this data dump represents ZooPark and its capabilities but we can look at what they could be up to. After reviewing the leaked MySQL database we’ve learned much about the ZooPark’s potential operations.

Tables Included:

  • Appinfotracking
  • Audiotracking
  • Calltracking
  • Emailtracking
  • geolog
  • gpslocation
  • phonebookaccess
  • phototracking
  • recordcall
  • registration
  • sales_user_info
  • settings
  • smstracking
  • urltracking

From the table names alone, we can infer a lot of the access ZooPark had to user devices and the data they were after. Call tracing, phonebook access, and SMS tracking are unfortunately very common to collect amongst malicious app developers. However, audio tracking caught our attention. While we are still analyzing the dataset, the database records indicate over 102,571 recordings have been uploaded to their C2 server between 2015 and 2018. The dump contains approximately 3,887 of these, jeopardizing private and potentially highly sensitive conversations. Our sampling of these files indicate that the audio was recorded in roughly 8-minute blocks. Most, but not all audio files took place with time gaps between them. There was at least one group conversation that continued on for at least 3 recorded blocks. A surprisingly low number of phone numbers generated these recordings. Only eight phone numbers are part of the recording available through this data dump.

Other conversations were also captured such as SMS texts although portions of these have been found publicly in open datasets. Conceivably, these could have been generated by researchers investigating the malicious Android apps but it’s more likely they were generated by the data leaker to sell the dump. The SMS texts contain much of what you expect such as general chat, and advertisements. However, it’s also riddled with embarrassing or explicit texts which could be used against the users should they prove legitimate. Additionally, we’ve found cleartext two-factor authentication messages from major services such as Google and LinkedIn, and popular chat apps such as Telegram. ZooPark could have used these to gain access to additional services unbeknownst to the victims. After attempting and failing to rebuild several English based conversations we have little confidence that the entire data set came from ZooPark. However, It does exemplify the real danger of sensitive conversations being collected by Zoopark and available for their operations.

Another surprising find is in the Appinfotracking table, where there are 1541 unique apps listed, indicating a very large campaign. Here are a few notable ones:

  • Youtube
  • Wikipedia
  • WhatsApp
  • WinZip
  • Weather
  • VLC
  • Twitter
  • Telegram
  • TrueCaller
  • Tango
  • Pinterest
  • ICQ
  • Flashlight
  • Facebook
  • DUO
  • Dropbox
  • Crunchyroll

There were relatively few games listed compared to other social and utility apps, perhaps suggesting a more utilitarian or professional target. Approximately, 92 phone numbers are listed in relation to the apps. Of the GPS coordinates we’ve checked the middle east is still the main focus, with a significant footprint in Egypt.

While the data leakers request is for Bitcoin payment, we believe they are primarily interested in acquiring Monero coin. Once payments are made the actors use a popular tool called ShapeShift to turn the Bitcoin into Monero (XMR). Shapeshift allows the actors to pay in from one cryptocoin and receive a payout in another without creating an account for the service. The added Monero features enable them to maintain greater anonymity during the transfer. It is anonymity that usually motivates cybercriminals to move to Monero.  Monero coins are of interest due to their improved anonymity and privacy-related improvements, making it difficult to for law enforcement and security researchers to trace.

Shapeshift Transaction from BitCoin (BTC) to Monero (XMR)

The actor who leaked this data is obviously motivated by money as evidenced by the requested payment for further data leaks. Fake datasets, especially those that contain credit card information, email addresses and passwords, have been known to be for sale to scam other cybercriminals. It’s a distinct possibility that this could be the case with the current data dump but it has yet to be determined. However, competition also can play a primary motivator. Many times competing bad actors will attempt to sabotage others in the space. Altruism can play a role as well. Some vigilante actors may believe that their motivations are for the greater good regardless of the laws they break and collateral damage. Whatever the motivations are, data leaks like these can be embarrassing, damaging and in some cases dangerous for the victims whose information it may contain.
Other points of interest:

  • There are a surprisingly low number of unique victim numbers in the database with only 169.
  • The latest URL record is as recent as May 12,2018
  • The latest SMS record is as recent as May 8,2018
  • 81 unique numbers had 47,784 records of GPS data stored

Bitcoin Address:

  • 1AUMs2ieZ7qN4d3M1oUPCuP3CH9WGQxpbd

The post It’s a Zoo Out There! Data Analysis of Alleged ZooPark Dump appeared first on McAfee Blogs.

Malware on Google Play Targets North Korean Defectors

Earlier this year, McAfee researchers predicted in the McAfee Mobile Threat Report that we expect the number of targeted attacks on mobile devices to increase due to their ubiquitous growth combined with the sophisticated tactics used by malware authors. Last year we posted the first public blog about the Lazarus group operating in the mobile landscape. Our recent discovery of the campaign we have named RedDawn on Google Play just a few weeks after the release of our report proves that targeted attacks on mobile devices are here to stay.

RedDawn is the second campaign we have seen this year from the “Sun Team” hacking group. In January, the McAfee Mobile Research Team wrote about Android malware targeting North Korean defectors and journalists. McAfee researchers recently found new malware developed by the same actors that was uploaded on Google Play as “unreleased” versions. We notified both Google, which has removed the malware from Google Play, and the Korea Internet & Security Agency.

Our findings indicate that the Sun Team is still actively trying to implant spyware on Korean victims’ devices. (The number of North Korean defectors who came to South Korea exceeded 30,000 in 2016, according to Radio Free Asia.) Once the malware is installed, it copies sensitive information including personal photos, contacts, and SMS messages and sends them to the threat actors. We have seen no public reports of infections. We identified these malwares at an early stage; the number of infections is quite low compared with previous campaigns, about 100 infections from Google Play.

Malware on Google Play

Malware uploaded on Google Play (now deleted).

We found three apps uploaded by the actor we named Sun Team, based on email accounts and Android devices used in the previous attack. The first app in this attack, 음식궁합 (Food Ingredients Info), offers information about food; the other two apps, Fast AppLock and AppLockFree, are security related. 음식궁합 and Fast AppLock secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components. AppLockFree is part of the reconnaissance stage we believe, setting the foundation for the next stage unlike the other two apps. The malwares were spread to friends, asking them to install the apps and offer feedback via a Facebook account with a fake profile promoted 음식궁합.

Links to Previous Operations

After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks. From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January. The logs had a similar format and used the same abbreviations for fields as in other Sun Team logs. Further, the email addresses of the new malware’s developer are identical to the earlier email addresses associated with the Sun Team. The relationship among email addresses and test devices is explained in the following diagram.

The use of identical email addresses ties the two malware campaigns to the same attacker.

About the Actors

After tracking Sun Team’s operations, we were able to uncover different versions of their malware. Following diagram shows the timeline of the versions.

Timeline of different malware versions of Sun Team.

Timeline shows us that malwares became active in 2017. Sun Team’s only purpose is to extract information from devices as all of the malwares are spywares. Malwares on Google Play stayed online for about 2 months before being deleted.

In our post of the earlier attack by this actor, we observed that some of the Korean words found on the malware’s control server are not in South Korean vocabulary and that an exposed IP address points to North Korea. Also, Dropbox accounts were names from South Korean drama or celebrities.

In the new malware on Google Play, we again see that the Korean writing in the description is awkward. As in the previous operation, the Dropbox account name follows a similar pattern of using names of celebrities, such as Jack Black, who appeared on Korean TV. These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language. These elements are suggestive though not a confirmation of the nationality of the actors behind these malware campaigns.

Sun Team’s test devices originate from various countries.

Moreover, we uncovered information about the attacker’s Android test devices and exploits they tried to use. The devices are manufactured in several countries and carry installed Korean apps, another clue that the threat actors can read Korean. The exploits codes were found uploaded on one of the cloud storages used by Sun Team which are modified versions of publicly available sandbox escape, privilege escalation, code execution exploits that added functions to drop their own Trojans on victims’ devices. The modified exploits suggest that the attackers are not skillful enough to find zero days and write their own exploits. However, it is likely just a matter of time before they start to exploit vulnerabilities.

Modified exploits installing the Sun Team’s Trojan.

The most concerning thing about this Sun Team operation is that they use photos uploaded on social network services and identities of South Koreans to create fake accounts. We have found evidence that some people have had their identities stolen; more could follow. They are using texting and calling services to generate virtual phone numbers so they can sign up for South Korean online services.


This malware campaign used Facebook to distribute links to malicious apps that were labeled as unreleased versions. From our analysis, we conclude that the actor behind both campaigns is Sun Team. Be cautious when installing unreleased or beta versions of any app. Also, check the number of downloads to see if an app is widely installed; avoid obscure apps.

McAfee Mobile Security detects this malware as Android/RedDawn.A, B. Always keep your mobile security application updated to the latest version.

The post Malware on Google Play Targets North Korean Defectors appeared first on McAfee Blogs.

How to decrease the data usage on your phone?

If you are one of the lucky ones who recently switched to a new smartphone, you might have noticed that your cell data usage has increased without any significant changes in your habits. The truth is that the more advanced cellphones get, the more data they require to operate. Newer devices come with improved cameras that capture fantastic quality content that not only take more space on your device but also drains your data when you upload it to social media. The bigger screens and higher resolutions often used in new smartphone models also negatively impact the data usage.

Using too much data could end up being costly too as mobile carriers here in the US do not make your life easier. They want you to use more data, Verizon Wireless even created an app called go90 so they can encourage users to use more data. Even though mobile carriers claim that they offer unlimited data plans, those plans are never genuinely unlimited. In most cases, there is a cutoff limit which varies depending on the wireless carrier of your choice and when you reach it – you get to experience something you wouldn’t wish on your worst enemy – the modern day nightmare of 3G internet speeds.

Whatever the reason – avoiding high bills or slow internet – our suggestions will help you decrease the data usage on your smartphone.

How to decrease the data usage on your smartphone

Perform app updates only when connected to a Wi-Fi network

One of the best ways to decrease your data usage is to make sure that you always download updates for apps when you are connected to a Wi-Fi. On average, people tend to have about 30 apps on their smartphone. App updates are issued more often than we want and quite regularly updates end up more than 100mb.

If every app receives an update once a month, and the update is about 100mb, you will end up using nearly 3GB of data to simply keep your phone running. Go to settings and switch off the app updating when not connected to a Wi-Fi, spare yourself those 3GB for something more refreshing such as watching a few episodes on The Big Bang Theory on your way to work.

Turn Off Wi-Fi Assist or Smart Network Switch

Both iOS’ Wi-Fi Assist and Android’s Smart Network Switch were put in place for people who cannot afford to have a lousy internet connection on their smartphones. However, both have proven to be controversial as sometimes those functions may overuse your cellphone data while you think you are connected to a Wi-Fi network.

Avoid disappointment by switching them off. Unless you need them all the time, the best option would be to keep the functions turned off and take advantage of them only when a stable connection is necessary.

Stop autoplay

This is starting to be one of the biggest reasons for the increase in data consumption. More and more apps are bombarding us with oddly satisfying video content. While apps such as FOX Sports and Comedy are in place to entertain us and autoplay is generally expected there, non-video apps are integrating this feature starting the videos as soon as you scroll over them.

Once the video has begun the chances of you continuing to watch are increasing hand in hand with your chances of getting a data overage on your next monthly cell phone bill. To be on the safe side, go ahead and turn off autoplay on every app.

Terminate all unneeded background processes

Those are the little pieces of software that continuously transmit data to their mothership – you need to find a way to stop them from doing so. And as we all know, sometimes it can be a bit overwhelming to have to dig in settings and terminate processes manually.

This is why there are user-friendly task killers that can do the job for you. With a task killer app, you are only a few clicks away from terminating all these background processes that drain your data usage and battery life.

Most reputable antivirus software solutions include such features in their flagship mobile internet security products.

Download Google Maps

If you’ve been looking for a reason to ditch Waze or Apple Maps, this might be a good one for you. We are getting more and more dependent on our mobile devices, especially on their GPS functions. Sadly, even though GPS usage is not one of the main reasons for generating a significant increase in data usage, it is indeed worth mentioning that Google Maps have the option to use the maps offline.

Open Google Maps, go up in the menu and then hit the offline ‘maps button’ and download the area you need. Make sure you are connected to a Wi-Fi! This is how you can save on GPS data usage, and you will have the much-needed piece of mind that you will be able always to find your way back home when you’ve used all your data, and your carrier has switched you to an unusable 3G connection.

We are confident that you now have what is needed to switch to a lower tier data plan and decrease your monthly cell phone bill, or to avoid reaching the cutoff limit wireless carriers impose on you. Whatever your goal is, make sure your precious connected device is protected with antivirus software – this is the one task you cannot afford to kill.

Download Panda Mobile Security

The post How to decrease the data usage on your phone? appeared first on Panda Security Mediacenter.

Protecting your business behind a shield of privacy

In this podcast recorded at RSA Conference 2018, Francis Knott, VP of Business Development at Silent Circle, talks about the modern privacy landscape, and introduces Silent Circle’s Silent Phone and GoSilent products. Here’s a transcript of the podcast for your convenience. We are here at the RSA Conference with Francis Knott, the VP of Business Development at Silent Circle, to discuss the recent claims by Homeland Security that the organization has observed anomalous activity in … More

The post Protecting your business behind a shield of privacy appeared first on Help Net Security.

Google Makes it Mandatory for OEMs to Roll Out Android Security Updates Regularly

Security of Android devices has been a nightmare since its inception, and the biggest reason being is that users don't receive latest security patch updates regularly. Precisely, it's your device manufacturer (Android OEMs) actually who takes time to roll out security patches for your devices and sometimes, even has been caught lying about security updates, telling customers that their

Connect the Dots: IoT Security Risks in an Increasingly Connected World

Nowadays, there is a lot of noise about the Internet of Things (IoT), as the technology has finally emerged into mainstream public view. IoT technology includes everything from wearable devices equipped with sensors that collect biometric data and smart home systems that enable users to control their lights and thermostats to connected toothbrushes designed to help improve brushing habits. These devices typically come with built-in electronics, software, sensors and actuators. They are also assigned unique IP addresses, which enable them to communicate and exchange data with other machines.

IoT devices make our lives easier. Smart home technology, for example, can help users improve energy efficiency by enabling them to turn on (and off) lights and appliances with the tap of a touchscreen. Some connected devices, such as smart medical equipment and alarm systems, can even help save lives.

However, there are also serious security risks associated with this technology. As the IoT ecosystem expands, so does the attack surface for cybercriminals to exploit. In other words, the more we rely on connected technology in our day-to-day lives, the more vulnerable we are to the cyberthreats that are increasingly tailored to exploit vulnerabilities and design flaws in IoT devices.

This presents a daunting challenge for cybersecurity professionals. They must not only protect their own devices, but they must also defend against threats targeting external machines that might connect to their networks.

Avoiding IoT Security Pitfalls

Potential consequences of an IoT data breach include loss of sensitive personal or enterprise information, which can lead to significant financial and reputational damage, massive distributed denial-of-service (DDoS) attacks designed to take down major websites and more. These incidents often stem from misconfigurations, default or easy-to-guess passwords and inherent vulnerabilities in the devices themselves.

Although many experts are calling for regulatory bodies to implement industrywide standards to hold IoT device manufacturers and developers accountable for these pervasive flaws, progress has been slow on that front. In the meantime, IT professionals and device owners must take security into their own hands by following basic IoT best practices.

The most important rule of thumb for IoT devices manufacturers is to test security during each phase of the development process. It is much easier (and less costly) to nip security issues in the bud during the prerelease stages than to waste resources fixing bugs after devices have infiltrated the market. Once developed, devices should undergo rigorous application security testing, security architecture review and network vulnerability assessment.

When devices ship to end users, they should not come with default passwords. Instead, they should require users to establish strong, unique credentials during the installation process. Since IoT devices collect so much personal data, including biometric information, credit card details and locational data, it’s important to embed encryption capabilities according to the least privilege principle.

Protecting Data Privacy

For organizations deploying IoT technology, it’s crucial to establish an incident response team to remediate vulnerabilities and disclose data breaches to the public. All devices should be capable of receiving remote updates to minimize the potential for threat actors to exploit outlying weaknesses to steal data. In addition, security leaders must invest in reliable data protection and storage solutions to protect users’ privacy and sensitive enterprise assets.

This is especially critical given the increasing need to align with data privacy laws, many of which impose steep fines for noncompliance. Because some regulations afford users the right to demand the erasure of their personal information, this capability must be built into all IoT devices that collect user data. Organizations must also establish policies to define how data is collected, consumed and retained in the IT environment.

To ensure the ongoing integrity of IoT deployments, security teams should conduct regular gap analyses to monitor the data generated by connected devices. This analysis should include both flow- and packet-based anomaly detection.

Awareness Is the Key to IoT Security

As with any technology, an organization’s IoT deployment is only as secure as the human beings who operate it. Awareness training and ongoing education throughout all levels of the enterprise, therefore, are critical. This applies to both device manufacturers and the companies that invest in their technology.

The IoT has the potential to boost efficiency and productivity in both domestic and enterprise settings. However, the exposure of IoT data — or the illegal takeover of devices themselves — can cause immeasurable damage to a business’ bottom line and reputation. The keys to unlocking the benefits and avoiding the pitfalls of this technology include embedding security into apps and devices throughout the development life cycle, investing in robust data protection solutions and prioritizing security education throughout the organization.

Listen to the podcast series: Five Indisputable Facts about IoT Security

The post Connect the Dots: IoT Security Risks in an Increasingly Connected World appeared first on Security Intelligence.

You, Your Company, and BYOD: A Love Triangle

BYOD, or bring your own device, has become the new normal in the corporate workplace. But with this convenience comes impending security concerns. Although BYOD costs companies less, mobile devices are often used without proper security measures in place. This makes it difficult for employers to determine how much access employees should receive to company networks. The more access an employee has to company networks, the more opportunities for not only their personal information becoming vulnerable, but company data as well. With BYOD becoming more prevalent in the workplace, it is vital companies and employees understand the perks and security concerns that are associated with BYOD and take necessary steps to ensure personal devices and company information is protected.

BYOD can offer some really great perks: 1) employers spend less on technology and providing devices to employees thus saving the company money and 2) you get to use your own device(s) with which you are already accustomed to. Your company may already allow BYOD in your office, but do you know the associated security risks? They are complicated. Three looming concerns of BYOD that companies and employees should be addressing are accessibility to company data, lost or stolen devices, and overall maintenance. Let’s delve into why these concerns are the most pressing.

  1. Accessibility. The overarching question of BYOD is who gets access to company data on their personal devices, when and where? For example, if you are at a meeting, outside of the office and you are on a limited-access BYOD policy with your employer, you would only be able to access work email and contact but nothing stored on the company servers. If your client asks to see a specific document hosted on your company server during the meeting, you won’t be able to access it because it is sensitive and lives on the private severs. This is where BYOD backfires for the employee.
  2. Lost or stolen devices. A personal device that contains confidential company information poses a huge security threat if it is lost or stolen, and begs the question: who is responsible for retrieving the device and/or data? What is the proper response to this sort of breach? It is your personal device, with both personal and company data, so should it be locked, tracked and retrieved, or completely wiped immediately? There is no clear or correct answer, which is why companies need a clear BYOD policy and culture of security that fits both parties’ needs.
  3. Maintenance and malware. Frequency of device maintenance, software updates and uniformed app downloads can open the door to a slew of security vulnerabilities. Organizations have a hard-enough time implementing their own software across the corporate network, let alone ensuring all employees are adhering to the required software updates from device operating systems and applications. With the breadth of different phones and tablets being used around the globe, it can be nearly impossible to keep track of employees’ security posture on their personal devices.

Without the right security measures in place, there is the possibility of malware being downloaded through sketchy apps or unpatched versions of software, which could be transferred onto corporate servers depending on the employee’s access level. McAfee Labs detected over 16 million mobile malware infestations in the third quarter of 2017 alone, nearly doubling the number one year previously. This uptick in cyberattacks on mobile devices illustrates the importance of comprehensive cybersecurity policies across the board.

So how do you protect yourself when it comes to using your smartphone or tablet for both business and pleasure? Here are a few tips:

  • Practice discretion when alternating between personal and business tasks on your mobile device. Separate the two by using different, verified apps for company and personal uses to maintain safety.
  • Avoid downloading apps from third-party vendors that could make your device prone to malware, and always check permissions of any apps before downloading, particularly those that ask for to access to your device’s data.
  • Regularly update your device to ensure they are equipped with vital patches that protect against flaws and bugs that cybercriminals can exploit.
  • Avoid accessing data-sensitive apps on your device over public Wi-Fi. Cybercriminals could use this as an opportunity to take a look at your mobile data.
  • Keep your personal and work information secure with comprehensive mobile security, such as McAfee® Mobile Security, that will not only scan your device for viruses and threats but also help you identify apps that are accessing too much of your valuable personal information.

McAfee is the device-to-cloud cybersecurity company helping to secure data at all levels, on all devices. We’re helping you stop threats and protect your data wherever it resides, from your fingertips to the skies, enabling you to protect what matters on your digital journey.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post You, Your Company, and BYOD: A Love Triangle appeared first on McAfee Blogs.

Securing Your Devices from Mobile Malware

As the world has gone mobile, so too have the cybercriminals. With users now spending an average of four hours a day on multiple mobile devices that store mountains of sensitive information, it’s no wonder that mobile malware has become one of the most effective ways to capture our money and data.

That’s probably why mobile malware increased by 46% in the last year, with new mobile threats like ransomware and ad click malware making our digital lives even more complicated.

Of course, risky apps remain the persistent threat. These days, even official app stores aren’t completely safe. For instance, McAfee noted a 30% increase in threat families found in the Google Play Store over the last year alone. These included fake versions of legitimate apps designed to steal personal information, and apps that signed users up for premium services without their consent, leaving them with hefty bills.

But one of the biggest threats we saw was the rise of cryptocurrencies miners. They can hide in the background of seemingly harmless apps, and use your device’s computing power to mine for Bitcoin and other digital currencies. This type of mobile malware can even cause your phone to overheat and stop functioning all together.

In addition to risky apps, dangers lurk when you connect your mobile devices to public Wi-Fi networks, which are often unsecured. Public networks, like those in hotels and airports, have become hunting grounds for cybercriminals who can set up fake Wi-Fi hotspots and use them to deliver malware. They can also potentially eavesdrop on your private data, including passwords and credit card numbers, as they are sent from your device to the router.

Finally, the explosion of devices known as the Internet of Things (IoT), which include IP cameras, interactive speakers, and smart appliances, offer another avenue of attack for the cybercriminals. Since these devices usually come with few security features, they can easily be hacked and used to spread malware to other more data-rich devices connected on the same network.

Given these escalating risks, it’s essential for mobile users to learn how to secure their mobile devices, and all the valuable information that they hold.

Tips for avoiding mobile malware: 

  1. Use Mobile Security—Make sure all your devices are protected from malware and other emerging mobile threats by using security software that can warn you about risky apps and dangerous links, as well as help you locate and lock down a missing device.
  2. Avoid Risky Apps—Stick to downloading highly-rated apps from official app stores. You should also check the app’s permissions to see how much of your private information the app is trying to access. Limit access to only what the app needs to function properly. For instance, a calculator app shouldn’t need your location or contact details.
  3. Choose Strong Passwords—A complicated, hard-to-guess password is your first line of defense when it comes to protecting your online accounts and information. You may want to consider using a password manager that generates strong passwords and keeps them in a secure vault so you don’t have to remember them all. Look into comprehensive security software that includes a password manager.
  4. Keep your IoT devices separate—Since many IoT devices have very low security, you may want to consider keeping them on a separate network from your smartphones, tablets, and computers since these usually contain private information. Read your router’s user manual to learn how to setup a second “guest” network. Or, you can invest in a router with built-in security that protects all the devices on the network.
  5. Stay Informed—Given our reliance on mobile devices, mobile malware is unlikely to go away anytime soon. Make sure you stay up-to-date on emerging threats and the steps you need to take to protect yourself.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post Securing Your Devices from Mobile Malware appeared first on McAfee Blogs.

Security Calling: Celebrate National Telephone Day by Securing Your Mobile Devices

April 25 – otherwise known as National Telephone Day – rolls around once a year to remind us of the sheer technologic prowess and influence of the phone. What first started as an industrial revolution invention from Alexander Graham Bell, the phone has undergone quite a remarkable evolution over its nearly 150 years of existence. When people say the word ‘phone’ today, the device they’re talking about is widely different. The phone of the past has become the gateway into our digital identities and now holds the keys to all the connected things in our homes. As dependency on our mobile devices continues to grow, potential cyberthreats and need for mobile security does as well.

Consumers have been quick to adopt mobile phones, more so than at any point in the telephone’s storied history. It’s estimated that 95% of Americans own a cell phone today. This goes to show that the phone has not only become an instrumental device in today’s society, but it also speaks to how it has evolved beyond its initial capabilities to serve as a device that contains our digital persona. A phone is no longer a convenient piece of equipment but a fundamental element of many people’s lifestyles, so much so that many can’t even unplug while on vacation—only 27% say they’re unwilling to leave their smartphones at home when on vacation. As today’s world becomes more digital and interconnected, our mobile phones are at the heart of this transformation.

Of course, with any device that contains this much power and influence, the mobile phone has also become the target of cybercriminals and hackers, making mobile security a cause for much concern. McAfee Labs detected over 16 million mobile malware infestations in the third quarter of 2017, and new threats continue to emerge around the world, most of which target a consumer’s money. However, according to a recent CES Survey, 52% of respondents are either unsure of or have no idea how to check to see if their mobile devices and apps are secure against these kinds of threats—which is worrisome considering these latest mobile trends:

  • More targeted attacks – Following the money, a global spike in banking Trojans has occurred, targeting large multinationals and small regional banks.
  • Virtual bank robberies – With the growing interest in cryptocurrencies, cybercriminals are attempting virtual bank robberies by distributing fake mobile wallets and targeting the cryptocurrency industry.
  • States using malware – North Korean dissidents and journalists using the popular South Korean chat app KakaoTalk were recently targeted in a State-instigated malware attack, with the aim of implanting spyware on the victim’s device.
  • Persistent threats – The increasing proliferation of Internet of Things (IoT) devices are significantly heightening the threat landscape, increasing the number of possible points of attack.

In order to feel safe and secure when you shout “Call me, maybe!”, take some time out of whatever festivities you may have planned for National Telephone Day to consider these tips on how to keep your mobile phones and devices secure:

  • Update regularly – Regularly updating your devices helps ensure they are armed with critical patches that protect against bugs or flaws in their operating systems that cybercriminals can leverage. Though it’s very tempting to skip out on these updates, taking a few minutes to download them means you aren’t recklessly leaving your devices open for hackers. This also applies to apps on your phone as well.
  • Use a complex password – A complex password is a secure password, so there’s no excuse to skate by with your own birthdate or a “1234” code for your mobile devices anymore. It’s good practice to have distinct passwords for every device, even though it’s a bit more burdensome on you. Still, choosing a safe and secure password is always the priority. Be sure to throw in a mix of numbers and symbols to avoid making it easy for potential hackers.
  • Turn off geolocation – When it comes to geolocation or sharing your location with apps and other services on your phone, approach with caution. It’s a good rule of thumb to only activate geolocation permissions when it’s crucial for an app’s ability to work (i.e. Uber, Google Maps, etc.). Otherwise, hackers can start to uncover your exact whereabouts and understand your movement patterns.
  • Use security software – Finally, I can’t stress enough how important it is to use comprehensive security software to protect your mobile phones and devices from the inside out.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Security Calling: Celebrate National Telephone Day by Securing Your Mobile Devices appeared first on McAfee Blogs.

Seven Android Apps Infected With Adware, Downloaded Over 500,000 Times

The amount we use our apps and the amount of apps we use has shown no signs of slowing. And as the McAfee Labs Threats Report: March 2018 tells us, mobile malware has shown no signs of slowing either. Now, a tricky Android malware dubbbed Andr/HiddnAd-AJ is adding to the plethora of mobile strains out there. The malware managed to sneak onto the Google Play Store disguised as seven different apps – which have collectively been downloaded over 500,000 times.

Slipping onto the Google Play store via six QR reader apps and one smart compass app, the malware manages to sneak past security checks through a combination of unique code and no initial malicious activity. Following installation, Andr/HiddnAd-AJ waits for six hours before it serves up adware. When it does, it floods a user’s screen with full-screen ads, opens ads on web pages, and sends various notifications containing ad-related links, all with the goal of generating click-based revenue for the attackers.

These apps have since been taken down by Google, however, it’s still crucial that Android users are on the lookout for Andr/HiddnAd-AJ malware and other adware schemes like it. Start by following these security tips:

  • Do your homework. Before you download an app, make sure you head to the reviews section of an app store first. Be sure to thoroughly sift through the reviews and read through the comments section; Andr/HiddnAd-AJ may have been avoided if a user read one of the comments and saw that the app was full of unnecessary advertisements. When in doubt, don’t download any app that is remotely questionable.
  • Limit the amount of apps. Only install apps you think you need and will use regularly. And if you no longer use an app, uninstall it. This will help you save memory and reduce your exposure to threats such as Andr/HiddnAd-AJ.
  • Don’t click. This may go without saying, but since this is a click-generated revenue scheme, do whatever you can to avoid clicking pop-ups and unwarranted advertisements. The less you click, the less cybercriminals will profit.
  • Use a mobile security solution. As malware and adware campaigns continue to infect mobile applications, make sure your mobile devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Seven Android Apps Infected With Adware, Downloaded Over 500,000 Times appeared first on McAfee Blogs.

Kick Off Your Digital Spring Cleaning Efforts During World Backup Day

As spring blossoms into full-force, millions of people will start to shed the heavy baggage and gear that kept them warm during winter by partaking in a tried and true practice: spring cleaning. While whipping yourself into a cleaning frenzy around your home, take a moment to extend your spring cleaning efforts into your digital environments as well. And there’s no better time to kick off a digital spring cleaning than during World Backup Day.

What exactly is World Backup Day? I’m glad you asked.

In today’s day and age, data is basically digital gold. It’s imperative to ensure your information is organized and backed up—not just for peace-of-mind, but to protect yourself against potential malware and ransomware threats. Still, a large number of people have never backed up their files, leaving themselves vulnerable to losing everything. In fact, this has become such a systemic problem that a whole day has been devoted to reversing this trend: World Backup Day. One of the main goals of the World Backup Day initiative is to reach people who have never backed their data up or people who aren’t even aware that data backups are a thing, let alone a crucial security measure.

For those who may not know, a backup is a second copy of all your important files and information, everything from photos and documents to emails and passwords. Storing all of that data in one place, like a personal computer or smartphone, is a woefully unsafe practice. Creating another copy of that data through a backup will ensure that it’s stored and kept safe somewhere else should catastrophe befall your personal mobile devices, or if they’re lost or stolen.

Data loss isn’t something that only happens to huge conglomerates or to unsuspecting victims in spy movies. Every individual is susceptible to data loss or theft, and backing up that data is an easy, relatively painless step to protect all of your personal information and prevent pesky hackers from truly swiping your stuff.

Think about it—if you’re targeted by a nasty piece of ransomware but have successfully performed a data backup, there’s absolutely no need for you to pay the ransom because you have a second, secure copy of all that data. It’s a simple preventative measure that can pay off big time should worse come to worst. Even the STOP. THINK. CONNECT. campaign, dedicated to increase awareness around cybersecurity and provide information to help digital citizens protect against malware, lists regular data backups as an important security action to safeguard yourself against cybercrime.

There are two main approaches to backing up your data: either in the cloud or on an external hard drive. A cloud-based backup solution is great for people who don’t want to actively back up their devices and data or worry about the space constraints that come with most external hard drives. Simply subscribing to one of these cloud solutions will do the trick—your device’s files and data will automatically be backed up and protected without you having to lift more than a finger. Cloud-based services typically come with a monthly fee, and you’ll need a good internet connection to access them. If your connection is wonky or the site is undergoing maintenance, it can be difficult to access your backed-up data.

With an external hard drive, you can manually back up all your data and files yourself onto a physical device that you have access to anytime, anywhere. These drives are extremely reliable and a great way to achieve data redundancy. An external hard drive doesn’t hinge on internet access like cloud-based services and is an easy fix when transferring data to a new device. However, using external hard drives requires a more hands-on approach when it comes to actually backing up your data. The responsibility falls upon you to regularly perform these backups yourself. Storage space can also pose a problem. Look for an external drive with at least a terabyte of space to accommodate all of your data, which tends to accumulate quickly.

Here are some other digital spring cleaning tips to consider this World Backup Day:

  • Play it extra safe and go both routes for a thorough backup by using an external drive and subscribing to a cloud-based solution. After all, it’s better safe than sorry when it comes to your personal data.
  • Back up data from your mobile devices onto a central laptop or personal computer for an added layer of security and protection. Then work on backing up these devices with one (or both) of the methods laid out above.
  • Have at least one backup of your initial backup as a fail-safe measure.
  • Test your ability to restore data from backups regularly to ensure your backups have been performed correctly and that they haven’t been compromised.
  • Back up your data with a process and system that’s simple and works best for you—there’s no need to over complicate it!

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Kick Off Your Digital Spring Cleaning Efforts During World Backup Day appeared first on McAfee Blogs.

McAfee Safe Connect, Two Gold Award Winners of 2018 Info Security PG’s Global Excellence Awards®

On February 28th, Info Security Products Guide Global Excellence Awards presented their 2018 award winners. We are humbled to have received two golds in the Product or Service Excellence of the Year — Security Information and Website & Web Application Security for McAfee Safe Connect.

Product Overview:

McAfee Safe Connect is a VPN (Virtual Private Network) that helps users create secure online connections while using the internet.  Doing so helps our customers minimize their individual security risks and helps keep their data private – especially when connecting to a public or open Wi-Fi network. Unlike home Wi-Fi, many public Wi-Fi networks (commonly offered at cafés, airports and hotels) aren’t password-protected and don’t encrypt the user data being transmitted through. Therefore, when you connect to a hotspot, your online activities from your social media activity to your online purchase history and even your bank account credentials may be wide open to hackers. With McAfee Safe Connect, you can rest assured that your information and online activities are encrypted.

McAfee has a proven record of providing security for consumers in the digital age. To address growing concerns over Wi-Fi security, we created an award-winning VPN that would keep users’ personal information secure from online threats and unsecure networks.

McAfee Safe Connect has over 1 million downloads across Google Play and the App Store with an impressive 4.3-star rating. It is available in over 20 languages to users worldwide.

Tech behemoth Samsung also chose McAfee Safe Connect VPN for their Galaxy Note 8 – Secure Wi-Fi feature and expanded collaboration with its newly announced Galaxy S9 Smartphones.

About Info Security PG’s Global Excellence Awards

Info Security Products Guide sponsors the Global Excellence Awards and plays a vital role in keeping individuals informed of the choices they can make when it comes to protecting their digital resources and assets. The guide is written expressly for those who wish to stay informed about recent security threats and the preventive measure they can take. You will discover a wealth of information in this guide including tomorrow’s technology today, best deployment scenarios, people and technologies shaping cyber security and industry predictions & directions that facilitate in making the most pertinent security decisions. Visit for the complete list of winners.

We are proud of recognition given to McAfee Safe Connect, which aims to safeguard every Internet user’s online privacy. Please check out our award-winning Wi-Fi Privacy VPN product: McAfee Safe Connect.

Interested in learning more about McAfee Safe Connect and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post McAfee Safe Connect, Two Gold Award Winners of 2018 Info Security PG’s Global Excellence Awards® appeared first on McAfee Blogs.

McAfee Safe Connect RT2Win Sweepstakes Terms and Conditions

Just a few weeks back, Info Security Products Guide awarded McAfee Safe Connect with two Gold-Level Global Excellence Awards for Product or Service Excellence of the YearSecurity Information and Website & Web Application Security!

To celebrate, we’re treating you to a #RT2Win Sweepstakes on the @McAfee_Home Twitter handle. Ten [10] lucky winners of the Sweepstakes drawing will receive a one-year free subscription of McAfee Safe Connect to provide security and privacy across your PC, iOS, and Android devices when connecting to Wi-Fi hotspots and private networks.

All you have to do is simply retweet one of our contest tweets between March 26, 2018 – April 17, 2018 for your chance to win. Sweepstake tweets will include “#McAfeeSafeConnect, #RT2Win, and #Sweepstakes”. Terms and conditions below.

#McAfeeSafeConnect #RT2Win Sweepstakes Official Rules

  • To enter, go to, and find the #RT2Win sweepstakes tweet.
  • The sweepstakes tweet will be released on Monday, March 26. This tweet will include the hashtags: #McAfeeSafeConnect, #RT2Win, and #Sweepstakes.
  • Retweet the sweepstakes tweet released on the above date, from your own handle. The #McAfeeSafeConnect AND #RT2Win hashtags must be included to be entered.
  • Winners will be notified on Wednesday, April 18, 2018 via Twitter direct message.
  • Limit one entry per person.

How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#RT2Win, #Sweepstakes, and #McAfeeSafeConnect” for a chance to win a one-year free subscription to McAfee Safe Connect. Ten [10] total winners will be selected and announced on April 18, 2018. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.

McAfee Safe Connect #RT2Win Sweepstakes Terms and Conditions

How to Enter: 

No purchase necessary. A purchase will not increase your chances of winning. McAfee Safe Connect #RT2Win Sweepstakes will be conducted from March 26, 2018 through April 17, 2018. All entries for each day of the McAfee Safe Connect #RT2Win Sweepstakes must be received during the time allotted for the McAfee Safe Connect #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee Safe Connect #RT2Win Sweepstakes. The McAfee Safe Connect #RT2Win Sweepstakes duration is as follows.

McAfee Safe Connect #RT2Win Sweepstakes Duration:

  • Begins Monday, March 26, 2018­­ at 12:00pm PST
  • Ends: Tuesday, April 17, 2018 at 12:00am PST
  • Ten [10] winners will be announced: Wednesday, April 18th

For the McAfee Safe Connect #RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the McAfee Safe Connect #RT2Win Sweepstakes:

  1. Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #RT2Win, #Sweepstakes, and #McAfeeSafeConnect.
  2. Retweet the sweepstakes tweet of the day and make sure it includes the #RT2Win, #Sweepstakes, and #McAfeeSafeConnect hashtags.
  3. Note: Tweets that do not contain the #RT2Win, #Sweepstakes, and #McAfeeSafeConnect hashtags will not be considered for entry.
  4. Limit one entry per person.

Ten [10] winners will be chosen for the McAfee Safe Connect #RT2Win Sweepstakes tweet from the viable pool of entries that retweeted and included #RT2Win, #Sweepstakes, #McAfeeSafeConnect. McAfee and the McAfee social team will choose winners from all the viable entries. The winners will be announced and privately messaged on April 18, 2018 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes.   


McAfee Safe Connect #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the dates of the McAfee Safe Connect #RT2Win Sweepstakes begins and live in a jurisdiction where this prize and McAfee Safe Connect #RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

Winner Selection:

Winners will be selected at random from all eligible retweets received during the McAfee Safe Connect #RT2Win Sweepstakes drawing entry period. Sponsor will select the names of ten [10] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official McAfee Safe Connect #RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

Winner Notification: 

Each winner will be notified via direct message (“DM”) on by April 18th. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten [10] days of written notification, or prize may be forfeited, and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within twenty-four [24] hours from the first DM notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.


The prize for the McAfee Safe Connect #RT2Win Sweepstakes is a one-year free subscription to McAfee Safe Connect. Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Safe Connect #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Safe Connect #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

General Conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the McAfee Safe Connect #RT2Win Sweepstakes, or by any technical or human error, which may occur in the processing of the McAfee Safe Connect #RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the McAfee Safe Connect #RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any McAfee Safe Connect #RT2Win Sweepstakes-related activity, or participation in the McAfee Safe Connect #RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  1. To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.
  2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list).  As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

Prize Forfeiture:

If winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with these prize McAfee Safe Connect #RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from remaining eligible entry forms for each McAfee Safe Connect #RT2Win Sweepstakes.

Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Safe Connect #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Safe Connect #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with these sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of Delaware.

Privacy Policy: 

Personal information obtained in connection with this prize McAfee Safe Connect #RT2Win Sweepstakes will be handled in accordance policy set forth at

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after March 26th 2018 and before April 17th 2018 to the address listed below, Attn: #RT2Win at CES Sweepstakes.  To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed in below, Attn: Sarah Grayson. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2018 by McAfee, LLC.  All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA

The post McAfee Safe Connect RT2Win Sweepstakes Terms and Conditions appeared first on McAfee Blogs.

RottenSys Malware Reminds Users to Think Twice Before Buying a Bargain Phone

China is a region that has been targeted with mobile malware for over a decade, as malware authors there are continually looking at different tactics to lure victims. One of the most innovative tactics that we have come across in the past several years is to get victims to buy discounted devices from sellers that have compromised a smartphone. And now, one of these campaigns, Android.MobilePay (aka dubbed RottenSys) is making headlines, though McAfee has been aware of it for over two years. The tactic used by the author(s)/distributors is straightforward; they install fake apps on a device that pretend to provide a critical function, but often don’t get used.

RottenSys is stealthy. It doesn’t provide any secure Wi-Fi related service but is rather an advanced strain of malware that swoops almost all sensitive Android permissions to enable its malicious activities. In order to avoid detection, RottenSys doesn’t come with an initial malicious component and or immediately initiate malicious activity. The strain has rather been designed to communicate with its command-and-control servers to obtain the actual malicious code in order to execute it and following which installs the malicious code onto the device.

Given it installs any new malicious components from its C&C server, RottenSys can be used to weaponize or take full control over millions of infected devices. In fact, it already seems that the hackers behind RottenSys have already started turning infected devices into a massive botnet network.

This attack acts as an indication of change, as over the past two years the mechanism of fraud has adapted. In the past, scams such as this typically have used premium SMS scams to generate revenue, which reach out to a premium number and make small charges that go unnoticed over the course of an extensive period. As described in detail in our Mobile Threat Report: March 2018, we have seen traditional attack vectors, such as premium text messages and toll fraud replaced by botnet ad fraud, pay-per-download distribution scams, and crypto mining malware that can generate millions in revenue.

Long story short – it’s important to still take precautionary steps to avoid future infection from this type of malware scheme. The good news is, you can easily check if your device is being infected with RottenSys. Go to Android system settings→ App Manager, and then look for the following possible malware package names:

  • android.yellowcalendarz
  • changmi.launcher
  • system.service.zdsgt

Beyond that, you can protect your device by following these tips:

  • Buy with security in mind. When looking to purchase your next mobile device, make sure to do a factory reset as soon as you turn it on for the first time.
  • Delete any unnecessary apps. Most mobile providers allow users to delete pre-installed apps. So, if there’s a pre-installed app you don’t use, or seems unknown to you, go ahead and remove it from your device entirely.
  • Always scan your device, even if it’s new. One of the first applications you should load onto a new device is an anti-malware scanner, like McAfee Mobile Security. It can detect and alert users to malicious behavior on their devices. In this case, if a malware variant is detected, new users can see if they can return their infected devices in exchange for a clean one.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post RottenSys Malware Reminds Users to Think Twice Before Buying a Bargain Phone appeared first on McAfee Blogs.

AV Test Android Results 2018

2017 marked not only an explosion in mobile malware but also showed dramatic changes in the mobile landscape, setting up this year to be one of the riskiest years yet. In 2018, there will be an estimated five billion mobile subscribers worldwide which could be enticing bait for malware authors, who have ramped up the number of attacks and their sophistication.

With so many offerings in the mobile security space, independent testing such as AV-Test and AV Comparatives serve a critical role in separating marketing hype from reality. Not only do consumers benefit, but ultimately so do the respective vendors participating in the testing.

McAfee Labs detected more than 16 million mobile malware infestations in the third quarter of 2017 alone, nearly doubling the number we saw a year earlier. The latest round of testing from AV-Test in January 2018, provides some key insights into where the current threat landscape stands not to mention trends about where the threat landscape is heading.

AV-Test evaluates each vendor out of a possible 13 points. Six points for protection, six for usability/performance and one point for bonus features.

Twenty-one Android antivirus solutions were put to the test against 6,000 Android malware samples. Threats targeting consumers in every major category are proportionally selected to represent the wild, a term used by the cybersecurity industry to represent real-world conditions. 3,000 non-malicious programs were also tested to ensure that the antivirus product didn’t wrongly identify them as malware – a term known as False Positives.

McAfee Mobile Security 4.9 achieved a perfect score of 13 out of 13 again and remains one of the best-in-class mobile security products available today.

Data published in the latest security report from Google, shows that the risk to the Android ecosystem is very real. 39 million threats were removed last year from Google Play. Depending on the built in security measure is no longer enough, consumers need to have an additional security product.

The post AV Test Android Results 2018 appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware

Today McAfee published the McAfee Labs Threats Report: March 2018. The report looks into the growth and trends of new malware, ransomware, and other threats in Q4 2017. McAfee Labs saw on average eight new threat samples per second, and the increasing use of fileless malware attacks leveraging Microsoft PowerShell. The Q4 spike in Bitcoin value prompted cybercriminals to focus on cryptocurrency hijacking through a variety of methods, including malicious Android apps.

Each quarter, McAfee Labs, led by the Advanced Threat Research team, assesses the state of the cyber threat landscape based on threat data gathered by the McAfee Global Threat Intelligence cloud from hundreds of millions of sensors across multiple threat vectors around the world. McAfee Advanced Threat Research complements McAfee Labs by providing in-depth investigative analysis of cyberattacks from around the globe.

Cybercriminals Take on New Strategies, Tactics

The fourth quarter of 2017 saw the rise of newly diversified cybercriminals, as a significant number of actors embraced novel criminal activities to capture new revenue streams. For instance, the spike in the value of Bitcoin prompted actors to branch out from moneymakers such as ransomware, to the practice of hijacking Bitcoin and Monero wallets. McAfee researchers discovered Android apps developed exclusively for the purpose of cryptocurrency mining and observed discussions in underground forums suggesting Litecoin as a safer model than Bitcoin, with less chance of exposure.

Cybercriminals also continued to adopt fileless malware leveraging Microsoft PowerShell, which surged 432% over the course of 2017, as the threat category became a go-to toolbox. The scripting language was used within Microsoft Office files to execute the first stage of attacks.

Health Care Targeted

Although publicly disclosed security incidents targeting health care decreased by 78% in the fourth quarter of 2017, the sector experienced a dramatic 210% overall increase in incidents in 2017. Through their investigations, McAfee Advanced Threat Research analysts conclude many incidents were caused by organizational failure to comply with security best practices or address known vulnerabilities in medical software.

McAfee Advanced Threat Research analysts looked into possible attack vectors related to health care data, finding exposed sensitive images and vulnerable software. Combining these attack vectors, analysts were able to reconstruct patient body parts, and create three-dimensional models.

Q4 2017 Threats Activity

Fileless malware. In Q4 JavaScript malware growth continued to slow with new samples decreasing by 9%, while new PowerShell malware more than tripled, growing 267%.

Security incidents. McAfee Labs counted 222 publicly disclosed security incidents in Q4, a decrease of 15% from Q3. 30% of all publicly disclosed security incidents in Q4 took place in the Americas, followed by 14% in Europe and 11% in Asia.

Vertical industry targets. Public, health care, education, and finance, respectively, led vertical sector security incidents for 2017.

  • Health Care. Disclosed incidents experienced a surge in 2017, rising 210%, while falling 78% in Q4.
  • Public sector. Disclosed incidents decreased 15% in 2017, down 37% in Q4.
  • Disclosed incidents rose 125% in 2017, remaining stagnant in Q4.
  • Disclosed incidents rose 16% in 2017, falling 29% in Q4. 

Regional targets

  • Disclosed incidents rose 46% in 2017, falling 46% in Q4.
  • Disclosed incidents fell 58% in 2017, rising 28% in Q4.
  • Disclosed incidents fell 20% in 2017, rising 18% in Q4.
  • Disclosed incidents rose 42% in 2017, falling 33% in Q4. 

Attack vectors. In Q4 and 2017 overall, malware led disclosed attack vectors, followed by account hijacking, leaks, distributed denial of service, and code injection.

Ransomware. The fourth quarter saw notable industry and law enforcement successes against criminals responsible for ransomware campaigns. New ransomware samples grew 59% over the last four quarters, while new ransomware samples growth rose 35% in Q4. The total number of ransomware samples increased 16% in the last quarter to 14.8 million samples.

Mobile malware. New mobile malware decreased by 35% from Q3. In 2017 total mobile malware experienced a 55% increase, while new samples declined by 3%.

Malware overall. New malware samples increased in Q4 by 32%. The total number of malware samples grew 10% in the past four quarters.

Mac malware. New Mac OS malware samples increased by 24% in Q4. Total Mac OS malware grew 58% in 2017.*

Macro malware. New macro malware increased by 53% in Q4, declined by 35% in 2017.

Spam campaigns. 97% of spam botnet traffic in Q4 was driven by Necurs—recent purveyor of “lonely girl” spam, pump-and-dump stock spam, and Locky ransomware downloaders—and by Gamut—sender of job offer–themed phishing and money mule recruitment emails.

*This blog post has been edited to correct the percentage increase of Mac OS malware in 2017.

For more information on these threat trends and statistics, please visit:

Twitter @Raj_Samani & @McAfee_Labs.

The post ‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware appeared first on McAfee Blogs.

McAfee CEO Chris Young Talks About the Impact of Connected Devices in MWC 2018 Keynote

MWC 2018 came and went in the blink of an eye and new mobile innovations and exciting announcements emerged from vendors across the globe. Though we had our fair share of unique insights and innovations to share, we also had the pleasure of leading the conversation around the foundations of the digital economy, as McAfee CEO Chris Young was a keynote speaker on this topic.

The keynote dives into how the digital economy has been catalyzed by the rapid growth of mobile technologies in the hands of billions of people, and how these devices will continue to transform how we do business. Chris Young adds his unique security perspective on this phenomenon and explores how mobile applications have changed the way we live and secure our personal lives. He notes that the world is now at a precipice, and asks the important question – how can we secure a large-scale connected device ecosystem without stifling the growth and innovation of this ecosystem?

Find out his proposed answer and learn more about the state of the mobile security landscape by watching Chris’ keynote (his part starts around 33 minutes) here:

To stay up-to-date all McAfee MWC news, be sure to follow us at @McAfee and @McAfee_Home, and ‘Like’ us on Facebook.

The post McAfee CEO Chris Young Talks About the Impact of Connected Devices in MWC 2018 Keynote appeared first on McAfee Blogs.

MWC 2018: Takeaways on the Key Devices and Innovations

It’s hard to believe that MWC 2018 is already over! Though the event came and went in the blink of an eye, MWC 2018 managed to deliver, showcasing some of the most exciting mobile and connected device innovation out there today. While there was a variety of new tech at the event, a few showstoppers managed to catch everyone’s eye and some key trends emerged. Here are some of my takeaways from the event:

The mobile showstoppers

The Samsung Galaxy S9 was a clear winner at this year’s event. Between the low light photography, AR emojis, and super slow motion — the new flagship device had everyone at MWC talking. But that doesn’t mean nostalgia was totally lost on MWC goers, as the Nokia 8110 ensured what’s old is new. The device was a revamped the classic slider phone, just with a few social media apps added to the mix.

There was also the Vivo Apex, which took the all-screen phone to a new level. It features a fingerprint sensor underneath the OLED screen itself and instead of a speaker the whole phone vibrates to conduct sound during a call or media playback.

5G hype becomes reality

Ultra-fast 5G (the new generation of wireless technology) has been all the hype for a while now, but the technology was just that – hype. That is, until this MWC, where 77 companies (largely from North America and Asia) announced they are officially trialing 5G across 49 countries. In fact, MWC 2018 saw a quite a large number of Chinese mobile equipment makers, including Huawei to ZTE, working to get a piece of the 5G action. The action even went beyond just a few proofs of concept and also spread across a broad creative range of connected devices.

Securing the connected lifestyle

In fact, this plethora of connected devices – at both MWC and beyond – is a trend that inspired the McAfee key MWC innovations. First, there was the award-winning new McAfee Secure Home Platform skill for Amazon Alexa, which showed how we’re adapting our security solutions to protected today’s connected home. We also extended our security capabilities through strategic partnerships. These include: an expanded partnership with Samsung to safeguard all Galaxy S9 smartphones, the Galaxy Note8, along with Samsung smart TVs, PCs and notebooks, a partnership with Telefónica that will provide always on protection for every connected device in the home, a strategic partnership with Türk Telekom to deliver cross-device security protection, and one with NTT DOCOMO that will deliver Wi-Fi protection and security to NTT DOCOMO mobile users.

Overall, this year’s MWC was not only exciting but proved that providers everywhere, including McAfee, are working hard to adapt their solutions to the modern digital lifestyle and ensure users everywhere have a seamless and secure experience when using their favorite device.

To stay on top of McAfee’s MWC news, and, of course, the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post MWC 2018: Takeaways on the Key Devices and Innovations appeared first on McAfee Blogs.

Key Mobile Threat Takeaways from the 2018 Mobile Threat Report

The term “mobile” has come to encompass a wide range of devices these days. Mobile devices have become much more than our Androids and iPhones. Wearable watches, tablets, even home devices all fall under the mobile umbrella of IoT and have the ability to impact our lives for better, or for worse.

This rich IoT landscape holds the key to your digital identity, your connected home and potentially, even your kid’s digital future. Gartner predicts that by the year 2020, 20.8 billion connected devices will populate the consumer home. (Current global population is 7.6 billion people.) As these devices continue to increase in presence in our daily lives, it’s important to understand not only the convenience they offer, but the threats they pose as well.

With the dawn of an even more connected era fast approaching, we at McAfee are examining the mobile threats that might be waiting on the horizon. This year’s Mobile Threat Report, takes a deep dive into some significant trends that demonstrate just how these mobile platforms are targeting what’s most sacred to us – our home. Let’s take a look into some of the most common trends in mobile malware, and a few tips on how to protect your home.

Mobile Malware in the IoT Home  

According to Gartner, 8.4 billion connected “things” were in use last year, and chances are one or more of these devices is living in your home today. While many of these devices bring convenience and ease to the home, it’s important to note that they also significantly increase the risk of attack. Many of these devices are developed with innovation in mind, and little to no focus on – security. With that being said, everyday users of mobile devices have grown phenomenally, hence the increased need for security as the frequency of mobile attacks continues to grow.

DDoS Causes SOS  

IoT attacks such as Mirai and Reaper showed the world just how vulnerable smart homes and connected devices can be to malicious code. These attacks targeted millions of IoT devices with the intent of creating a botnet army from trusted connected items within the household.

The Mirai malware authors, leveraged consumer devices such as IP cameras and home routers to create a botnet army, launching distributed denial of service (DDoS) attacks against popular websites. By taking advantage of the low-levels of security on most home connected devices, this malware was able to seize control of millions of devices. All it had to do was guess the factory default password.

The “Reaper” malware strain also took advantage of limited security of many connected home devices. However, these malware authors evolved their tactics by looking for devices with known vulnerabilities to exploit and by implementing a set of hacking tools that showed greater sophistication. The IoT reaper clocked in as many as 2 million infected devices, at nearly ten times the rate as Mirai.

The evolution of the malicious code targeting mobile and IoT devices represents a growing threat to consumers who wish to embrace a culture of connected living. So how can we welcome these devices into our homes without opening the door to cyberthreats? Here are a few tips to consider:

  • Protect your devices, protect your home. As we continue to embrace a culture of smart homes and connected devices, it is also important for us to embrace internet security at a network level. With the presence of targeted attacks growing globally, we must remain vigilant in protecting our connected lives by making sure each individual device is secure, especially the home network. The MTR has dubbed 2018 as “The Year of Mobile Malware,” and very tech user should consider using a home gateway with built-in security to ensure every device in their home is protected.


  • Download apps with caution and update them regularly. Malware campaigns having been targeting users on the Google Play stores almost since its inception. In fact, McAfee recently discovered Android Grabos, one of the most significant campaigns of this year, found present within 144 apps on Google Play. Stay current on which applications are supported in your application store and update them regularly. If an app is no longer supported in the play store, delete it immediately.


  • Invest in comprehensive security. I can’t stress enough how important is to use comprehensive security software to protect your personal devices. Malware is constantly evolving with technology, so ensure your all of your devices are secured with built-in protection.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Key Mobile Threat Takeaways from the 2018 Mobile Threat Report appeared first on McAfee Blogs.

MWC 2018: Digital and Mobile Security in the 5G IoT Era

Mobile World Congress 2018 is upon us and the big news includes the launch of a bunch of new devices, including the Sony Xperia XZ2 Compact, Samsung Galaxy S9, Sony Xperia XZ Premium 2 and Samsung Galaxy Tab S4.

In addition to these and dozens of other devices launching at this year’s event in Barcelona, we are seeing the acceleration of the trend for domestic and industrial smart devices, voice-controlled digital assistants and other internet of things (IoT) enabled smart devices.

Google, for example, is using MWC 2018 as a platform to publicise Google Assistant and the Google Home smart speaker, though one thing we still haven’t heard enough about are the many new security threats and issues surrounding new smart devices, digital assistants and IoT technologies.

Biometric Authentication, 5G Realities and IoT security

Another notable trend at MWC 2018 has been the focus from Samsung and some of the other major mobile players on improved forms of biometric authentication, with Samsung releasing a much-improved Iris Scanner as part of the new Galaxy S9 range.

It’s certainly a really positive move to see this focus on identity authentication at this year’s show, with a notable shift at this year’s event from the hype surrounding virtual and augmented reality and voice-controlled smart homes to far more realistic and practical concerns around security, biometrics and the real-world use cases of superfast 5G networking tech.

Much of the conversation around 5G, of course, is still dominated around how edge computing and low latency in 5G networks will actually translate into valuable and useable services for consumers and businesses alike.

These new 5G use cases dominated the IoT news at MWC 2018, with numerous exhibitors talking up their latest 5G IoT applications and concepts. And almost by default digital security has also become one of the hottest topics in Barcelona this year, as small developers and the major multinational mobile brands alike wake up to the fact that security is of paramount importance across the entire IoT supply chain

Evolving Digital Security for the 5G IoT Era

Firms are realising that their digital security strategy has to evolve at the same pace as the many new developments in the current buzzword bingo card such as 5G IoT, artificial intelligence (AI) and machine learning.

Failure to undertake the appropriate due diligence in these new emerging technologies open them up for significant penalties when the inevitable data breaches occur.

In addition to the focus on improving mobile handset security and raising awareness of digital security issues in the smart home, the onus for 5G network level security really needs to shift back to the telecommunications companies themselves.

The 5G Security Challenge for Telecoms

The bottom line is this: the security of 5G networks presents a fundamental challenge to the telecommunications industry at large. Something that the hype machine surrounding 5G at MWC 2018 generally fails to highlight, for obvious reasons!

The promise of 5G-enabled services in smart cities, connected cars and across the burgeoning e-health sector, for example, is clear. Yet the fact that network-wide security and security across the IoT value chain is fundamental to these types of applications and services operating safely is still too often overlooked.

Driverless cars, smart surgery and IoT applications across the manufacturing sector are good examples to cite, where digital security is crucial.

All of which is why we as an industry have to work better together – from digital security specialists through to 5G IoT app and hardware developers through to the multinational telecommunications companies themselves – to ensure that we are doing all we can to meet the security challenges and the many increasingly sophisticated attacks that are sure to come in the 5G era.

The post MWC 2018: Digital and Mobile Security in the 5G IoT Era appeared first on McAfee Blogs.

How McAfee is Adapting to the Mobile Landscape with New Partnerships and Innovation

Mobile World Congress (MWC) 2018 is finally upon us, and mobile and security providers from around the world are in Barcelona presenting the latest and greatest insight and innovation. At this year’s MWC, McAfee is excited to present our own unique insights and innovations, some of which are supported by our partners. These include: McAfee Secure Home Platform Skill for Amazon Alexa, the 2018 McAfee Mobile Threat Report, and our industry partnerships with Samsung, Telefónica, Türk Telekom, NTT DOCOMO.

Adapting to Alexa

As we know, the growing type and number of connected devices has changed the way security operates – which is why our team created McAfee Secure Home Platform in the first place. But now, we’re excited to announce the planned launch of the new McAfee Secure Home Platform skill for Amazon Alexa, one of the most popular connected devices out there today. Customers with a McAfee Secure Home Platform enabled router can easily manage their connected home’s network security using their voice. And it’s already gaining traction with MWC attendees, as McAfee just won “Best of MWC 2018” from PC Mag for the Alexa skill!

Insight on the changing mobile landscape

Your phone is not just a phone. It is a rich computing environment that contains the keys to your connected life. And as the 2018 McAfee Mobile Threat Report reveals, cybercriminals know that, and are tailoring their strategy to our dependency on our mobile devices. The report aims to provide insight on the explosion of mobile malware and dramatic changes to the mobile landscape. The report also tells us that there have been over 16 million infestations detected in the third quarter of 2017 alone – nearly double the number from last year.

Partnerships that strengthen our customers’ security

The ever-changing mobile landscape is precisely why we’re working with our partners to find new ways to secure our customers’ mobile devices and digital lives. McAfee is today announcing key partnerships to ensure security is built-in across devices and networks. It’s more important than ever that the entire ecosystem works together to protect consumers around the world from these attacks and deliver them peace of mind. So, how exactly are we doing this? For starters, our partnership with Samsung has expanded to safeguard all Galaxy S9 smartphones, the Galaxy Note8, along with Samsung smart TVs, PCs and notebooks. We also announced a partnership with Telefónica, which will help protect Telefónica customers, and provide always on protection for every connected device in the home. We also announced a strategic partnership with Türk Telekom to deliver cross-device security protection. What’s more – NTT DOCOMO and McAfee now have an extended partnership in order to deliver Wi-Fi protection and security to NTT DOCOMO mobile users.

We’re excited to see what’s to come for the rest of MWC, and how these announcements will help improve our customers’ lives. With these new innovations, we hope our 400 million customers can live their digital lives with confidence and comfort.

To stay on top of McAfee’s MWC news, and, of course, the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post How McAfee is Adapting to the Mobile Landscape with New Partnerships and Innovation appeared first on McAfee Blogs.

Why is the Technology Industry Shirking its Security Responsibilities?

No sooner have we had time to recover from the post-CES jet-lag in January than Mobile World Congress 2018 rolls around. These two events have cemented themselves into the mobile and consumer technology industries’ calendars as key opportunities to showcase the latest hardware and software products and services, amidst a flurry of media hype and eager expectation from early adopters worldwide. So what’s in store for the technology industry and its eager consumers in 2018?

If anything, CES this year was a little flat, with little to see in the way of real innovation. This year’s show was a year of ‘iteration’ not ‘innovation’, particularly in the IT security industry, where the conversation at the show was dominated by promises of ‘security by design’ but no real demonstration of this. I was personally very interested to find out more about the latest smart safe that was unveiled at the show, billed as “a smarter way to keep valuables safe”.

Here was a new IoT device that, if anything, surely had to have the best digital security baked into it by design, no?

Unfortunately, that particular internet-connected safe turned out to be something of a damp squib, mainly because it proved to be incredibly easy to crack open. One BBC Tech reporter reported a worrying error that failed to trigger a theft alert. We simply banged on the top of the safe and it opened. What is more remarkable is that this vulnerability is well known,  I had an issue with a smart safe of my own when the battery ran out and of course I lost my key.  One quick search on YouTube revealed banging on the top of the safe would work, and guess what… it actually did! So much for ‘digital peace of mind’…

That’s merely one example of a slightly broken product that clearly needs a little more development before it hits the market. But that single widely-publicized security snafu was, unfortunately, tellingly symptomatic of an industry-wide trend of shirking responsibility for consumers’ digital (and physical) security.

All too often, digital and mobile security is still considered to be an afterthought, by hardware manufacturers and software developers alike, which is simply no longer viable. Particularly given the context of the increasing number and sophistication of cyber-attacks on mobile devices. See, for a very good example of this, the results of McAfee’s latest Mobile Threat Report 2018 – to be released at MWC 2018 – which reveals an explosion in mobile malware and dramatic changes in the mobile landscape over the last year.

If smartphone manufacturers genuinely wish to charge consumers in excess of £1000 for handsets, and provide finance plans to fund them then simply put, we need to know they are trustworthy. Shifting the blame onto the user, rather than building adequate methods of prevention into our business models is not acceptable.

So onto Mobile World Congress 2018 in Barcelona this year, we will be making some major announcements regarding a number of strategic partnerships with some of the world’s telecoms giants, designed to keep mobile users and the data on their increasingly number of smart devices safe, both in the home and on the go.

After all, it’s not that flash £1000 phone in your pocket that the real cybercrimals are after. It’s the data that’s stored within it, that can potentially give them complete access to your bank account, your confidential business data and more. And as the number of devices we have in our homes, our bags, our cars and our offices continues to proliferate, so does the number of attack vectors that cybercriminals can use to fraudulently obtain money.

The post Why is the Technology Industry Shirking its Security Responsibilities? appeared first on McAfee Blogs.

MWC Preview: Tailoring Security to the Modern Connected Lifestyle

In 2018, we’re officially living in the “future” imagined by popular 80s movies. No, we still don’t have flying cars, but what we do have is many unique internet-connected devices. These devices can do it all – track our fitness, turn our lights on and off, allow us to live in a virtual reality – the list goes on. Even our mobile devices have become multi-purpose, giving us the ability to stay in touch with loved ones in a multitude of ways. So, as we’re about to enter the biggest collection of mobile innovation, Mobile World Congress (MWC), let’s take a look at the current state of the connected lifestyle, and the important role security plays in it.

The modern connected lifestyle

Looking back at the takeaways from last year’s MWC, it’s clear providers are tailoring mobile devices to our modern needs. Specifically, they designed new and improved features in order to meet those needs, including: high-quality photography, waterproof hardware, and improved charging capabilities and battery. The same goes for IoT devices – manufacturers are creating more personalized and advanced products in order to keep pace with how we live our lives in 2018. And the trend has seen traction amongst consumers, as users are practically glued to their devices now more than ever and live a completely connected lifestyle these days. What’s more – entire ecosystems will be connected as well with 5G just around the corner, making it clear this trend shows no signs of slowly down.

Protecting what matters

So, as we embrace our digital future, it’s important that we ensure our online activity and personal data stay secure. We’ve seen the threats coming after our devices adapt and become more advanced – some transform hundreds of apps into Trojanized versions of themselves, others infect our devices only to enslave them into a botnet army. That’s why at this year’s MWC, McAfee is excited to display how we plan on protecting the ”connected everything” world we live in.

McAfee and our partners aim to keep our 400M+ customers safe in this modern age by recognizing that security is more than just anti-virus. Whether you’re at home, work, or on the go, your personal information will be safeguarded by solutions that will help keep you safe online and allow you to enjoy your ‘digital life’ to the max. Mind you, we can’t do it alone – as our partners, such as Samsung and Telefónica, share our belief that security needs to be built in from the start​, and support us in our mission to secure the entire digital lifestyle.

To discuss how we’re achieving this even further, McAfee CEO Chris Young will be a keynote speaker at this year’s MWC. He will be exploring how the digital economy is catalyzed by the rapid proliferation of mobile technologies in the hands of billions of people, and how this growth will continue to transform how we do business.

So, whether you’re headed to MWC or just watching from afar, be sure to stay tuned to learn more about McAfee’s mission to secure the digital future. And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listening to our podcast Hackable? and ‘Like’ us on Facebook.

The post MWC Preview: Tailoring Security to the Modern Connected Lifestyle appeared first on McAfee Blogs.

Warning: Crypto-Currency Mining is Targeting Your Android

Cryptocurrency, a virtual form of currency designed to work as a secure form of exchange, has gained a lot of traction in the world of finance and technology. But for many, the concept of obtaining cryptocurrency, or “crypto-mining,” is obscure. Investopedia defines crypto-mining as, “the process by which transactions are verified and added to the public ledger, known as the blockchain, and also the means through which new currencies such as Bitcoin and Ethereum are released.”

The practice has been around since 2009, and anyone with access to the Internet, the required programs and hardware can participate in mining. In fact, by the end of this month, Forbes Magazine will have published its first “Top Richest” list dedicated to Crypto Millionaires.

With the rise in popularity of digital currency, it’s no surprise that cybercriminals across the globe are leveraging malicious code to obtain it. Hackers would rather develop or utilize mining malware instead of paying the expensive price tag associated with mining machines, which can be upwards of $5000. In China, the ADB Miner malware is spreading and targeting thousands of Android devices for the primary purpose of mining cryptocurrency. The malware is spread through the publicly accessible Android Debug Bridge (abd) on an opened port 5555. This port is typically closed but can be opened by an ADB debug tool. Once infected, a device will look for other devices with the same vulnerability to spread the malware and leverage other Android-based smartphones, tablets, and televisions for crypto-mining.

So why are cybercriminals now targeting Android mobile devices? This could be due to the fact that hackers know they can easily manipulate vulnerabilities in Google Play’s app vetting system. Last year McAfee Mobile Threat Research identified more than 4,000 apps that were removed from Google Play without notification to users. Currently, the app store does not have consistent or centralized reporting available for app purchasers. Even if an app is supported by Google Play at the time of download, it could later be identified as malicious and Android users may be unaware of the fact that they’re harboring a bad app.

Researchers have found over 600 blacklisted malicious cryptocurrency apps across 20 app stores including Apple and Google Play. Google Play was found to have the highest amount of malicious crypto apps, with 272 available for download. In the United States, researchers have found another crypto-mining malware that is so demanding of phone processors, its causing them to implode. Loapi, a newly-discovered Trojan crypto-miner, can cause phone batteries to swell up and burst open the device’s back cover, and has been found in up to 20 mobile apps.

Crypto-mining malware isn’t a new phenomenon. Before the WannaCry attacks last summer, cryptocurrency malware sprung up as another malicious software looking to take advantage of the same Windows vulnerabilities that WannaCry exploited. But, instead of locking down systems with ransomware, these cybercriminals were putting them to work, using a cryptocurrency mining malware called Adylkuzz.

Here are a few tips to ensure your Android-devices are protected from crypto-mining malware:

  • Download your apps from a legitimate source. While some malicious apps may slip through the cracks, app stores like Google Play do have security measures in place to protect users, and it’s much safer than downloading from an unknown source.
  • Delete any apps that you haven’t used over the past 6-months. An app’s security can change over time; applications that were once supported by an app store can be flagged as malicious and removed from the platform without notification. If an app is no longer supported in the app store, you should delete it immediately.
  • Keep all of your software up to date. Many of the more harmful malware attacks we’ve seen, like the Equifax data breach, take advantage of software vulnerabilities in common applications, such as operating systems and browsers. Having the latest software and application versions ensures that any known bugs or exploits are patched, and is one of the best defenses against viruses and malware.
  • Double up on your mobile security software. I can’t stress enough how important is to use comprehensive security software to protect your personal devices.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.


The post Warning: Crypto-Currency Mining is Targeting Your Android appeared first on McAfee Blogs.

Share Your Heart, Not Your Identity: Here’s How You Can Stay Safe on Valentine’s Day

I love Valentine’s day, it’s the one day of the year exclusively dedicated to sharing: we share our feelings, our affection, and special gifts with our loved ones. It’s a great time to show the people in our lives just how much they mean to us. Thanks to social media and mobile friendly retailers, giving your loved ones the world is just a few clicks away.

Tech devices have made it so much easier to share our hearts with the people we care about. But, could our emotional vulnerability ultimately leave us vulnerable to cyber-attacks? Historically, Valentine’s day has been a big day for cybercrime. Criminals have found clever ways to take advantage of retail, online dating platforms, and social media to launch attacks against romantic hopefuls. If you’re wondering how to avoid the most common V-day scams, here are a few things to remember when sharing the love online, and some useful tips to keep your precious data safe.

Dating Apps Are a Data Goldmine

Apps like Tinder or Zoosk are very attractive to hackers around this time of year. Considering the amount of intimate details shared on these platforms, dating apps are prime targets for cybercriminals looking to gain access to personal data and even payment information. In fact, online dating has seen a growing number of cyber-threats since 2015.

If you’re wondering “what’s the worst that could happen if my Tinder account is hacked?”, look no further than the hundreds of pages of data that the app keeps stored on its users. This particular dating app doesn’t just match singles looking to spark a connection, it also collects behavioral data, such as how often you connect, when and where you connect, and even your “likes” and posts from other associated accounts. Some of this data might seem trivial to unsuspecting users, but if placed in the wrong hands this information could be detrimental to the security of your identity.

Florist Are a Favorite for Phishing Scams

A bright, beautiful bouquet of roses is my favorite gift to receive when February 14th rolls around. Unsurprisingly, flowers make one of the most common gifts given around Valentine’s Day but, sending and receiving flowers may not be as harmless as it seems. In 2016, cybercriminals leveraged the popularity of flower services to attack unsuspecting vendors through a series of DDoS attacks designed to extort money from them. While these attacks did not result in leaked information, it’s important to be cautious of which vendors you allow to keep your credit card information on file. After all, you’re expecting your florist to deliver an assortment of beautiful flowers, not a bouquet of personal data to cyber criminals!

If an attack on your friendly florist isn’t enough to peak your senses, hackers have also been known to take advantage of admirers looking to send flowers. Cybercriminals prey on the likelihood that you’ve sent flowers to your loved ones to launch phishing scams, using bogus packages and “Failure to Deliver” notices to collect your data.

Social Media Isn’t Always Your “Friend” 

Valentine’s day is easily one of the most socially sharable days of the year. With so much love in the air, you can’t help but share pictures and posts about your loved ones with other friends and family online. Although most people associate cyber-attacks with some form of malware, many do not realize how vulnerable they are when sharing personal information on social media. Through social engineering, hackers use the information you share online to exploit you. The more personal information you choose to share on social media, the easier it is to exploit that information. Through social media, hackers can find out information about your job, the places you frequent, and even your mother’s maiden name. But don’t worry, we’ve got a few tips up our sleeve to help you share all of the love you want across social.

Seasonal events, like Valentine’s Day, present an opportunity for cybercriminals to leverage their schemes. But don’t be deterred from sharing the love— here’s how you can connect securely and keep your data safe from hackers:

  • Get friendly with your privacy settings on your social media apps. Social platforms like Facebook are making it easier to adjust your privacy settings through a  “privacy center” so you can stay on top of the information you share and who you share it with.
  • Be careful of which accounts you link. Being connected to your online community is great, but linking accounts across platforms only gives cybercriminals easier access to your data. While Tinder does require you to link your Facebook account to sign up, you can turn off Tinder Social so that Tinder won’t be able to post anything to Facebook. And, when possible, avoid linking your dating profiles to other personal accounts.
  • Think before you click that link. Hover over it to see if the URL address looks legitimate to avoid phishing scams. If you know you didn’t send flowers, send that scam to your spam.
  • Double up on your security software. There are plenty of apps that keep your phone safe from malicious attacks. Consider using a service for your phone that offers web protection and antivirus.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.


The post Share Your Heart, Not Your Identity: Here’s How You Can Stay Safe on Valentine’s Day appeared first on McAfee Blogs.

8 Easy Ways to Hack-Proof Your Family’s Smartphones

Smartphones have changed the face of parenting in profound ways. But for all the efficiency they’ve introduced into family life, those same devices simultaneously bring risk.

With smartphone and tablet use growing at ten times the rate of PCs, hackers know precisely where to shift their focus these days. Cyber thieves love smartphones because once inside, they can access private information, location, email, photos, social media, and bank accounts.

If you’re a parent, a smartphone breach is an even bigger deal. Shoring up the security gaps in your phone isn’t a big deal but what about the other four or more smartphones under your roof? If you were to multiply the risk, you’d soon realize the potential havoc that’s looming.

While you can’t shut out every digital risk, you can tackle the most prominent ones. Let’s get started!

8 Ways to Hack-Proof Your Family’s Smartphones

  1. Think Like a Criminal. Work a potential hack backward. Look at every possible entryway into your phone and ask yourself, “How could I get into this phone if I were determined?” Then, methodically lock up each digital door. Challenge yourself to find every security gap. Examine your password strength, social profiles, web browsing security, general and app settings.
  2. Juice Up Your Password. How do you create a password that a criminal can’t hack? With great intention and a few extra layers. 1) Avoid the common error of using easy passwords such as “12345” or “password.” Get complex and create a combination that isn’t logical. 2) Use multi-factor authentication (MFA). Having multiple factors to authenticate your phone use such as your fingerprint, face, or a trusted device, increases security. Most smartphones offer MFA so, even if it seems tedious, use it. The more factors — or digital layers — you can combine, the more protected your smartphone will be. Too many passwords crowding your brain? Consider a password manager.
  3. Trust No App. Not all apps you download to your phone are created equal. Many third-party apps do not go through rigorous security vetting of Google or Apple. Hackers can infect apps with malware or viruses that demolish your phone’s security and allow hackers access to your data. Beware. Examine all apps, read reviews, and steer clear of apps that ask for too much access. Even legitimate apps can be used for malicious purposes such as listening in via a phone’s microphones and even spying using a phone’s camera. To pull back an app’s access, just go to your settings. On Android: Go to Apps and Notifications, choose App Permissions and make changes. On iOS: Go to your settings, select Privacy, and make changes to app permissions accordingly.
  4. Passcode, Track Your Phone. Be proactive in case your phone gets stolen or lost. Make sure your device is passcode and fingerprint protected. Take a few minutes to enable phone tracking. For Android, you’ll download the app Find My Device and for Apple use Find My iPhone. Make sure those apps are always enabled on your phone. If your phone is lost or stolen it can be tracked online.
  5. Log out, Lock Online Services. If you bank, shop, or access sensitive accounts via your smartphone do it with extreme care. This means logging out and locking those accounts when not in use and avoiding using auto-login features. Instead, use a password manager app the forces you to re-enter a master password each time you want to access an account. It’s worth the extra step. An essential part of this equation is disabling keychain and auto-fill in your browser. You can do this by finding your web browser in Settings and toggling each option to OFF. Also, avoid using public Wi-Fi for accessing sensitive accounts or conducting any transactions.
  6. Turn Off Bluetooth. Bluetooth carries inherent vulnerabilities and is another open door for hackers to enter. When Bluetooth is turned on it is constantly looking for other open connections. Hackers work quickly through open Bluetooth connections, and often victims don’t even know there’s been a breach (there’s no evidence a phone has connected with a criminal source). Make sure to switch Bluetooth off if you are not using it.
  7. Take Updates Seriously. Because people design phones, phones will be flawed. And, it’s just a matter of time before a hacker discovers and exploits those flaws. Developers use updates to combat all kinds of breaches, which make them critical to your phone’s security. Along with staying on top of updates, consider the added safeguard of antivirus, identity, and privacy protection that covers all family devices.
  8. Stop! Don’t Click that Link. Unless you are 100% sure of the legitimacy of a link sent to you through text, email, or direct message, do not click it. Random links sent by hackers to access your data are getting more and more sophisticated as well as destructive.


toni page birdsong



Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post 8 Easy Ways to Hack-Proof Your Family’s Smartphones appeared first on McAfee Blogs.

How to keep our kids safe online – start by talking about it

Whether or not you’re lucky enough to be a parent or grandparent, as adults we should all be concerned about the safety of children online. That’s why, on Safer Internet Day, a day dedicated to promoting the safe and positive use of digital technology for children and young people, I wanted to share some thoughts on what we can do about it. Because we all have a responsibility to look out for the generation of tomorrow.

Firstly, let’s agree on a few basic truths. Today’s generation of children are unlike any that have come before them. The fortunate ones have grown up with technology all around them, and children are engaging and interacting with technology from an ever-younger age. What’s more, this isn’t always a case of stealing mum’s mobile phone, or dad’s iPad. No, much of it is technology aimed specifically at kids.

It’s not a surprise therefore that today’s generation of children are often seen glued to their phones, tablets and connected toys. And while most of this technology is incredible stuff, the unfortunate reality is that it often opens children up to a whole host of dangers. These might seem like trivialities to the younger generation, but how many children forget to inform their parents about who they are talking to online, the pages they are visiting and what they are sharing.

So what can be done about it, and how can we ensure that children are able to take advantage of the many benefits of technology, while also protecting them from its darker side? As with many things in this world, talking about it helps.

Below are some conversation starters you can use to help talk about these issues with children. These are from Safer Internet Day’s online resource, but there are lots of others out there should you want more inspiration.

Get the conversation started on a positive note:

  • Ask them what they like most about the internet and why?
  • What’s their favourite game/app/site?
  • Ask them to show you the most creative thing they’ve made online, e.g. a video they’ve made, or picture they’ve drawn.
  • Explain how the internet offers brilliant opportunities for making connections with others. Ask them who they like to keep in touch with online and what apps or services do they use?

Talk about safety:

  • Ask them what they would do if they saw that a friend online needed some help or support?
  • Ask them how they stay safe online? What tips do they have and where did they learn them?
  • Ask them to show you how to do something better or safer online.
  • Ask them to tell you what it’s okay to share online. What is it not okay to share online?
  • Do they know where to go for help, where to find safety advice and how to use safety tools on their favourite apps and games?

Discuss digital lives and wellbeing:

  • Ask them how the internet and technology makes their life better?
  • Ask how does the internet make them feel? Do different apps and games makes them feel differently?
  • Ask what could they do if being online was making them feel worse rather than better?
  • Ask them how might they know if they were using the internet and technology too much?

Talk about respect:

  • Ask what could they do if someone online was making them or someone they know feel worried or upset?
  • Who do they look up to or respect online? Why?
  • Ask them if people can say or do whatever they want online? Why / why not?
  • Ask what is different about talking online to someone compared to talking face to face? Is there anything that is the same?
  • Do they have any tips for how to be positive and show respect online?

In the hyper-connected world in which we live, it really is the responsibility of all adults to protect children online. And Safer Internet Day is the perfect opportunity to talk to your child about using the internet safely, responsibly and positively.

If you want to find out more there’s a whole host of resources to be found on the Safer Internet Day website, here:

And if you’re interested in joining the discussion on how to keep children safe online, we’ll be hosting a Twitter chat from 13:00 GMT today. You can get involved by including #SetUpSafe in your tweet.

The post How to keep our kids safe online – start by talking about it appeared first on McAfee Blogs.

The Future of IoT: What to Expect From Our Devices This Year

The beginning of the new year is always an exciting time for consumer technology enthusiasts. Business leaders, pioneers and forward-thinking companies gather in Las Vegas to showcase their latest devices at The International Consumer Electronics Show (CES), where next-generation innovations take center-stage and the world gets a glimpse into the future of IoT. I had the pleasure of attending CES with my colleagues this year and was blown away by the breadth of technology showcased. While the innovations stretched across many industries, I’d like to focus on the reoccurring themes in home and personal technology and how we can secure ourselves through the gadget-filled year ahead:

Smart Homes Will Become “Smarter” 

My favorite devices are the ones designed to enhance the smart home. Companies are striving to advance technology and make our lives easier in the comfort of our homes. From smart thermostats to smart assistants, there is certainly no shortage of household innovation; and companies like Google and Samsung are making strides to contribute to the smart home ecosystem. During CES, Samsung pledged to make all of its devices “smarter” by 2020, linking together all devices via its SmartThings cloud. Meanwhile, Google announced that Google Assistant will now be built in (or compatible) with a range of household products including your smart doorbell and ceiling fan.

As our homes become increasingly connected, the need to secure our internet-connected devices is critical. More IoT devices mean more points of data to attack and leverage for cybercrime. Hackers have the ability to access your personal information through connected home devices, which poses a threat to your identity. Consider using a service with built-in security to ensure every device in your home is well protected― especially the ones that often fly under the radar. Secure routers and gateways can protect all of your connected devices, even the ones without screens.

Smart Technology Will Track Your Sleep 

Technology is even changing the way we sleep, with smart sleep solutions for consumers. At CES 2018, Terraillon announced HOMNI, a device designed to help improve a user’s sleep environment. This device tracks the sleeper’s movement, sending your sleep data to a free app so that users can see how well they’ve slept. There’s nothing technology can’t solve for, including a good night’s sleep. However, when it comes to our personal data, it’s wise to be aware of how your data is being tracked or used.

As the use of connected devices in our homes and personal lives grow, so does the need for security beyond your PC or mobile phone. Many of the devices that we welcome into our daily routine aren’t equipped with proper security controls. It’s important to remember that these connected devices often run on our personal information, information such as your name, age, location –and in this case, your sleeping habits. While a sleep tracker may collect your information with the intentions of helping perfect your sleeping patterns, it has the potential to put your information in places that you might not intend. This is another example of why it’s exceedingly important to secure the connection at its source: your home.

“Ask Alexa” Will Live in Your Eyewear

Amazon Alexa has the ability to communicate with just about every connected device, so it’s no wonder that the Alexa Voice Service will have the ability to connect with your glasses soon, too. During CES, Vuzix announced that its latest pair of AR glasses, the Vuzix Blade, can communicate with Amazon Alexa. Blending augmented reality with AI assistant’s functionality, this headset acts as a fully functional computer with the ability to send email and text notifications via Bluetooth through the processing power of Android and unparalleled display.

Amazon Alexa has become a pseudo-family member in many households, offering assistance in the kitchen and even reading bedtime stories to children. To keep Cybercriminals from gaining access to your personal data , be sure you enable an extra measure of security, like setting up a PIN code for your voice command purchases.

Adding an extra layer of security to your smart devices is key to becoming an empowered consumer in today’s day and age. By taking these extra steps you’ll be able to enjoy the benefits of a secured smart home.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.


The post The Future of IoT: What to Expect From Our Devices This Year appeared first on McAfee Blogs.

How to Treat Your Family’s Personal Data Like Gold in a Hyper-Connected World

Tomorrow, January 28, is National Data Privacy Day. While that may not mean a lot to you at first glance, the day shines a light on one of the most critical issues facing families today — protecting personal information in a hyper-connected world.

The day gives us an opportunity to 1) honestly examine the many ways our lives are connected and, 2) to take responsibility (and steps) to safeguard each area of personal privacy we expose — or potentially misuse — every time we power up.

Data Channels

Every day we connect our lives to external sources that are useful, productive, and entertaining without even realizing the many ways others can exploit our digital connections. There are the obvious sources that present a risk to our data such as social networks, online shopping, web browsing, and apps. Then there are the not-so-obvious sources that gather our information such as medical offices, schools, financial institutions, retail businesses, household assistants, TVs, home security systems, appliances, toys, and wearables.

Studies show that most of us certainly are not going to give up our connected lives to prevent a data breach. So, the next practical step is to get more intentional about our family’s privacy and take specific actions to minimize our risk.

The Risks Are Real

If you’ve never suffered the consequences of another person or organization exploiting your personal information, then you may not understand the seriousness of protecting it. However, as we all become more seamlessly connected in an Internet of Things (IoT) world, chances are you will experience some data misuse or abuse in the future. Those acts might be large-scale breaches such as the ones we’ve seen with Equifax, Uber, and Verizon or the breach may be on a smaller scale but just as financially and emotionally damaging.

When personal data gets hacked, sold, or exploited several things can happen. Digital fallout includes identity theft, credit card fraud, medical fraud, home break-ins, data misuse by companies, reputation damage, location and purchasing tracking, ransomware, and much more.

So the technology-driven future we’ve imagined is here — and it’s pretty awesome — but so too are the risks. And who among us could have guessed that parenting in the 21st century would include teaching kids about cybercriminals, data mining, and privacy breaches?

Step-Up Family Privacy

Treat privacy like gold. If more of us saw our personal information the way cybercriminals see it — like gold — then we may be more inclined to lock it up. Guiding your family in this mind-shift requires real effort. Teach your kids to view their personal information — address, habits, personal routine, school name, relationships, passwords, connected devices — as gold. Gold is to be treasured, locked up, and shared with great discernment. This attitude change may take time but, hopefully, the return on investment will mean your kids pause before handing over personal info to an app, a social network, a retail store, or even to friends.

Stress responsibility and respect. Stopping to think before you share online or connect a digital device is a key to safeguarding digital privacy. By teaching your kids that living in a connected world comes with responsibility for one’s actions and respect for others, you a leap in securing our family’s online privacy.

Routinely secure the basics. There are fundamental security measures under our roofs that cybercriminals are counting on all of us to neglect (and many of us do just that). Powerful security steps include: 1) Update all software (PC, phone, tablets, etc.) routinely 2) Establish and maintain strong passwords 3) Secure privacy settings on all social networks 4) Lock down your home network 5) Don’t overshare family details (names, travel, location, address, friends) online.

Make privacy fun. Here’s something to ponder. Challenge your kids to keep a low profile online. Talk about the power of being discreet, private, and mysterious in their digital peer group. Encourage them to set themselves apart by being the one who isn’t so easily accessed. Ask: Is digital sharing an enjoyable thing or, in reality, has it become an exhausting habit? Challenge them to go undercover (dark) online for a week and journal the pros and cons of being hyper private online. Come up with an incentive that works for your family.

Enjoy the Wows

Overall, stop and consider what your digital devices, apps, games, and products are asking of you. Is that fitness tracker getting a little too personal? Does that new toy, home security system, or household assistant know more than your family than your own mother does?Then don’t fill in every blank box. Go into the privacy settings and shore up product access, freshen up your passwords, and make sure you stay on top of software updates. Stop giving retailers, government agencies, and online marketers your email address. In short — pay attention, protect, and cherish your personal data. You can enjoy the wows of your technology without opening up your family’s privacy.

toni page birdsong



Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post How to Treat Your Family’s Personal Data Like Gold in a Hyper-Connected World appeared first on McAfee Blogs.

What are you doing? – DSEncrypt Malware

Executive Summary

Have you ever downloaded and installed a large Android application that had very few actual UI elements or functionality? Recently, FireEye Labs mobile security researchers have discovered a new kind of mobile malware that encrypts an embedded Android application with an attachment in an asset folder – concealing all malicious activities within a seemingly benign application.

The malware app disguises itself as the Google Play store app, placing its similar icon close to the real Google Play store icon on the homescreen. Once installed, the hacker uses a dynamic DNS server with the Gmail SSL protocol to collect text messages, signature certificates and bank passwords from the Android devices.

The relationship between the main application, the attached application and the malicious classes are shown below.

[caption id="attachment_5675" align="alignnone" width="552"]Fig. 1. The relationship of the mask app and the embedded malware. Fig. 1. The relationship of the masked app and the embedded malware.[/caption]

The malware package name is com.sdwiurse and the app title is “google app stoy.” Android users can’t remove the app once the device is infected because the “uninstall” function is disabled and the app continues to run as services in the back-end. These services can be killed manually but will restart once the Android phone is restarted.

Owing to the unique nature of how the malware is packaged, as of June 13, 2014, the Virus Total score for this app is only 3 out of 51 anti-virus vendors. Because most vendors only use signature-based algorithms to detect malware, they fail to detect the malicious content concealed within apps that appear to be basic or run-of-the-mill.

[caption id="attachment_5700" align="alignnone" width="533"] Fig. 2. The Virus Total detection out of 51 AV vendors. The score was taken on 06/13/2014.[/caption]

The app we observed only has 711 lines of code but is over 1.7MB in size upon downloading. The single largest file, named “ds,” is embedded in the asset folder and is 597KB. After decryption and decompression however, the real dex package file expands up to 2.2MB with the full malware. The little amount of code in the superficial app is one of the evasion techniques used by the hackers to mask the malicious classes that swell the app’s size.

User Experience

After installation, a new icon of “googl app stoy” is shown on the Android homescreen. The icon is the same as “Google Play” to confuse users into clicking it. Once clicked, the app asks for administrator privileges of the device as shown in figure three.

[caption id="attachment_5681" align="alignnone" width="547"]Fig. 3. The newly installed icon on Android desktop and the activation page. Fig. 3. The newly installed icon on the Android desktop and the activation page.[/caption]

When we observe the app in action, the sole user interface for the app contains pops up saying “Program Error” and “It’s Deleted!” when translated to English from Korean. Next, the app terminates and a notification message appears reading “Unfortunately, google app stoy has stopped.” After this occurs, the app icon on the homescreen is removed, tricking the user into thinking it’s gone as shown in figure four.

[caption id="attachment_5683" align="alignnone" width="541"] Fig. 4. The misleading "uninstalling" page and Toast message.[/caption]

However, when opening “Setting->Apps,” we can still find the app in the “Downloaded” tab and “Running Apps” tab. Furthermore, in the “Downloaded” tab, the app cannot be stopped or uninstalled:

[caption id="attachment_5684" align="alignnone" width="547"] Fig. 5. The app can't be removed in the "Settings-Downloaded" page.[/caption]

In the “Running Apps” tab, there are five services running that were started by the malicious app:

1.    uploadContentService

2.    UninstallerService

3.    SoftService

4.    uploadPhone

5.    autoRunService

[caption id="attachment_5685" align="alignnone" width="548"] Fig. 6. The 5 background services started by the app. You won't discover them unless digging into the long list of "Running App" tab.[/caption]


The file is encrypted using the javax.crypto package of Java Cryptographic Extension (JCE) framework as shown below.

[caption id="attachment_5686" align="alignnone" width="422"]Fig. 7. Decipher code. Fig. 7. Decipher code.[/caption]

The cryptographic algorithm is based on the Data Encryption Standard (DES). The key string is “gjaoun” as shown in the code below. After the file is decrypted, it's loaded as the dex class:

[caption id="attachment_5688" align="alignnone" width="488"]Fig. 8. The embedded and encrypted dex file.  Fig. 8. The code of decryption and class loading for the embedded file.[/caption]

All the malicious activities and services happen in the loaded dex file.

Malicious Methods

In the source code of the malicious dex package, “class.dex” is decompressed from the decrypted file “” Analyzing this code, we found there are three ways to steal private information from the infected Android device. We will first introduce how the malware works and then analyze the network traffic as evidence of the malicious behaviors.

1. SMS Message Theft

[caption id="attachment_5689" align="alignnone" width="542"]Fig. 9. The code to steal personal SMS. Fig. 9. The code to steal personal SMS.[/caption]

In the code, ak40.txt is a file in /storage/sdcard0/temp/ folder containing a string. When the content equals to “1,” the SMS message is sent to an email address. The email address and password are stored among other files in /storage/sdcard0/temp/. The hacker is smart enough to use the Gmail SSL protocol to evade the signature detection in network traffic by most AV vendors.

2. Signature Certificate and Key Theft

[caption id="attachment_5691" align="alignnone" width="546"]Fig. 11. The code to steal signature certificate and keys. Fig. 11. The code to steal signature certificate and keys.[/caption]

The variable v1 is the phone number of the compromised Android phone, while the Url.getSDPath() is the “temp” folder in the mounted storage:

[caption id="attachment_5692" align="alignnone" width="533"]Fig. 12. The location of the temporary folder that the malware app uses to collect signature certificate and keys. Fig. 12. The location of the temporary folder that the malware app uses to collect signature certificate and keys.[/caption]

The same zip file is named as “” to upload to a server and also named as “{PHONE_NUMBER}” to send through Gmail as an attachment.

3. Bank Account Password Theft

[caption id="attachment_5693" align="alignnone" width="545"]Fig. 13. The code to steal personal bank account and password. Fig. 13. The code to steal personal bank account and password.[/caption]

Network Traffic

We have intercepted the network traffic of the malicious app in the FireEye Mobile Threat Prevention (MTP) Platform to verify the malicious activities we found in the code above.

1. SMS Message Transmission

Because the destination, including the email address and the password is stored in a cached file on the phone, we have replaced it with a testing email account and redirected a testing SMS to the newly created email address to simulate the scenario of receiving SMS in the MTP platform. Here is an example of the SMS messages that we have intercepted from the testing email account:

[caption id="attachment_5694" align="alignnone" width="541"]Fig. 14. The testing email and SMS we intercepted in the FireEye MTP platform. Fig. 14. The testing email and SMS we intercepted in the FireEye MTP platform.[/caption]

The time stamp shows the email address received the content (at 9:39 PM) of the victim’s incoming SMS (at 9:38 PM) within 1 minute.

2. Signature Certificate and Key Transmission

We captured the PCap information in the FireEye MTP platform. The PCap shows that the “” is uploaded to domain “”.

[caption id="attachment_5695" align="alignnone" width="557"]Fig. 15. The PCap of the signature certificate and keys. Fig. 15. The PCap of the signature certificate and keys.[/caption]

The same file is renamed to {PHONE_NUMBER} and sent as Gmail attachment using SSL configuration. The picture below shows the signature certificate file and signature primary key after unzipping from the attachment that the malware app leaks to the SMTP server.

[caption id="attachment_5696" align="alignnone" width="554"]Fig. 16. The content of the signature certificate and keys. Fig. 16. The content of the signature certificate and keys.[/caption]

3. Bank Account Password Transmission

We have found email evidence containing victims’ bank accounts and passwords and worked with Google’s Gmail team to take down hacker’s email accounts.

JS-Binding-Over-HTTP Vulnerability and JavaScript Sidedoor: Security Risks Affecting Billions of Android App Downloads

Third-party libraries, especially ad libraries, are widely used in Android apps. Unfortunately, many of them have security and privacy issues. In this blog, we summarize our findings related to the insecure usage of JavaScript binding in ad libraries.

First, we describe a widespread security issue with using JavaScript binding (addJavascriptInterface) and loading WebView content over HTTP, which allows a network attacker to take control of the application by hijacking the HTTP traffic. We call this the JavaScript-Binding-Over-HTTP (JS-Binding-Over-HTTP) vulnerability. Our analysis shows that, currently, at least 47 percent of the top 40 ad libraries have this vulnerability in at least one of their versions that are in active use by popular apps on Google Play.

Second, we describe a new security issue with the JavaScript binding annotation, which we call JavaScript Sidedoor. Starting with Android 4.2, Google introduced the @JavascriptInterface annotation to explicitly designate and limit which public methods in Java objects are accessible from JavaScript. If an ad library uses @JavascriptInterface annotation to expose security-sensitive interfaces, and uses HTTP to load content in the WebView, then an attacker over the network could inject malicious content into the WebView to misuse the exposed interfaces through the JS binding annotation. We call these exposed JS binding annotation interfaces JS sidedoors.

Our analysis shows that these security issues are widespread, have affected popular apps on Google Play accounting for literally billions of app downloads. The parties we notified about these issues have been actively addressing them.

Security Issues with JavaScript Binding over HTTP

Android uses the JavaScript binding method addJavascriptInterface to enable JavaScript code running inside a WebView to access the app’s Java methods. However, it is widely known that this feature, if not used carefully, presents a potential security risk when running on Android 4.1 or below. As noted by Google: “Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application.” [1]

In particular, if an app running on Android 4.1 or below uses the JavaScript binding method addJavascriptInterface and loads the content in the WebView over HTTP, then an attacker over the network could hijack the HTTP traffic, e.g., through WiFi or DNS hijacking, to inject malicious content into the WebView – and thus take control over the host application. We call this the JavaScript-Binding-Over-HTTP (JS-Binding-Over-HTTP) vulnerability. If an app containing such vulnerability has sensitive Android permissions such as access to the camera, then a remote attacker could exploit this vulnerability to perform sensitive tasks such as taking photos or record video in this case, over the Internet, without a user’s consent.

We have analyzed the top 40 third-party ad libraries (not including Google Ads) used by Android apps. Among the apps with over 100,000 downloads each on Google Play, over 42 percent of the free apps currently contain at least one of these top ad libraries. The total download count of such apps now exceeds 12.4 billion. From our analysis, at least 47 percent of these top 40 ad libraries have at least one version of their code in active use by popular apps on Google Play, and contain the JS-Binding-Over-HTTP vulnerability. As an example, InMobi versions 2.5.0 and above use the JavaScript binding method addJavascriptInterface and load content in the WebView using HTTP.

Security Issues with JavaScript Binding Annotation

Starting with Android 4.2, Google introduced the @JavascriptInterface annotation to explicitly designate and limit which public Java methods in the app are accessible from JavaScript running inside a WebView. However, note that the @JavascriptInterface annotation does not provide any protection for devices using Android 4.1 or below, which is still running on more than 80 percent of Android devices worldwide.

We discovered a new class of security issues, which we call JavaScript Sidedoor (JS sidedoor), in ad libraries. If an ad library uses the @JavascriptInterface annotation to expose security-sensitive interfaces, and uses HTTP to load content in the WebView, then it is vulnerable to attacks where an attacker over the network (e.g., via WIFI or DNS hijacking) could inject malicious content into the WebView to misuse the interfaces exposed through the JS binding annotation. We call these exposed JS binding annotation interfaces JS sidedoors.

For example, starting with version 3.6.2, InMobi added the @JavascriptInterface JS binding annotation. The list of exposed methods through the JS binding annotation in InMobi includes:

  • createCalendarEvent (version 3.7.0 and above)
  • makeCall (version 3.6.2 and above)
  • postToSocial (version 3.7.0 and above)
  • sendMail (version 3.6.2 and above)
  • sendSMS (version 3.6.2 and above)
  • takeCameraPicture (version 3.7.0 and above)
  • getGalleryImage (version 3.7.0 and above)
  • registerMicListener (version 3.7.0 and above)

InMobi also provides JavaScript wrappers to these methods in the JavaScript code served from their ad servers, as shown in Appendix A.

InMobi also loads content in the WebView using HTTP. If an app has the Android permission CALL_PHONE, and is using InMobi versions 3.6.2 to 4.0.2, an attacker over the network (for example, using Wi-Fi or DNS hijacking) could abuse the makeCall annotation in the app to make phone calls on the device without a user’s consent – including to premium numbers.

In addition, without requiring special Android permissions in the host app, attackers over the network, via HTTP or DNS hijacking, could also misuse the aforementioned exposed methods to misguide the user to post to the user’s social network from the device (postToSocial in version 3.7.0 and above), send email to any designated recipient with a pre-crafted title and email body (sendMail in version 3.6.2 and above), send SMS to premium numbers (sendSMS in version 3.6.2 and above), create calendar events on the device (createCalendarEvent in version 3.7.0 and above), and to take pictures and access the photo gallery on the device (takeCameraPicture and getGalleryImage in version 3.7.0 and above). To complete these actions, the user would need to click on certain consent buttons. However, as generally known, users are quite vulnerable to social engineering attacks through which attackers could trick users to give consent.

We have identified more than 3,000 apps on Google Play that contain versions 2.5.0 to 4.0.2 of InMobi – and which have over 100,000 downloads each as of December, 2013. Currently, the total download count for these affected apps is greater than 3.7 billion.

We have informed both Google and InMobi of our findings, and they have been actively working to address them.

New InMobi Update after FireEye Notification

After we notified the InMobi vendor about these security issues, they promptly released new SDK versions 4.0.3 and 4.0.4. The 4.0.3 SDK, marked as “Internal release”, was superseded by 4.0.4 after one day. The 4.0.4 SDK made the following changes:

  1. Changed its method exposed through annotation for making phone calls (makeCall) to require user’s consent.
  2. Added a new storePicture interface to download and save specified files from the Internet to the user’s Downloads folder. Despite the name, it can be used for any file, not just images.
  3. Compared with InMobi’s earlier versions, we consider change No. 1 as an improvement that addresses the aforementioned issue of an attacker making phone calls without a user’s consent. We are glad to see that InMobi made this change after our notification.

    InMobi recently released a new SDK version 4.1.0. Compared with SDK version 4.0.4, we haven't seen any changes to JS Binding usage from a security perspective in this new SDK version 4.1.0.

    Moving Forward: Improving Security for JS Binding in Third-party Libraries

    In summary, the insecure usage of JS Binding and JS Binding annotations in third-party libraries exposes many apps that contain these libraries to security risks.

    App developers and third-party library vendors often focus on new features and rich functionalities. However, this needs to be balanced with a consideration for security and privacy risks. We propose the following to the mobile application development and library vendor community:

    1. Third-party library vendors need to explicitly disclose security-sensitive features in their privacy policies and/or their app developer SDK guides.
    2. Third-party library vendors need to educate the app developers with information, knowledge, and best practices regarding security and privacy when leveraging their SDK.
    3. App developers need to use caution when leveraging third-party libraries, apply best practices on security and privacy, and in particular, avoid misusing vulnerable APIs or packages.
    4. When third-party libraries use JS Binding, we recommend using HTTPS for loading content.
    5. Since customers may have different requirements regarding security and privacy, apps with JS-Binding-Over-HTTP vulnerabilities and JS sidedoors can introduce risks to security-sensitive environments such as enterprise networks. FireEye Mobile Threat Prevention provides protection to our customers from these kinds of security threats.


      We thank our team members Adrian Mettler and Zheng Bu for their help in writing this blog.

      Appendix A: JavaScript Code Snippets Served from InMobi Ad Servers

      a.takeCameraPicture = function () {



      a.getGalleryImage = function () {



      a.makeCall = function (f) {

      try {


      } catch (d) {

      a.showAlert("makeCall: " + d)



      a.sendMail = function (f, d, b) {

      try {

      utilityController.sendMail(f, d, b)

      } catch (c) {

      a.showAlert("sendMail: " + c)



      a.sendSMS = function (f, d) {

      try {

      utilityController.sendSMS(f, d)

      } catch (b) {

      a.showAlert("sendSMS: " + b)



      a.postToSocial = function (a, c, b, e) {

      a = parseInt(a);

      isNaN(a) && window.mraid.broadcastEvent("error", "socialType must be an integer", "postToSocial");

      "string" != typeof c && (c = "");

      "string" != typeof b && (b = "");

      "string" != typeof e && (e = "");

      utilityController.postToSocial(a, c, b, e)


      a.createCalendarEvent = function (a) {

      "object" != typeof a && window.mraid.broadcastEvent("error",

      "createCalendarEvent method expects parameter", "createCalendarEvent");

      "string" != typeof a.start || "string" != typeof a.end ?


      "createCalendarEvent method expects string parameters for start and end dates",

      "createCalendarEvent") :

      ("string" != typeof a.location && (a.location = ""),

      "string" != typeof a.description && (a.description = ""),

      utilityController.createCalendarEvent(a.start, a.end, a.location, a.description))


      a.registerMicListener=function() {



      Monitoring Vulnaggressive Apps on Google Play

      Vulnaggressive Characteristics in Mobile Apps and Libraries

      FireEye mobile security researchers have discovered a rapidly-growing class of mobile threats represented by popular ad libraries affecting apps with billions of downloads. These ad libraries are aggressive at collecting sensitive data and able to perform dangerous operations such as downloading and running new code on demand. They are also plagued with various classes of vulnerabilities that enable attackers to turn their aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. We have published some of our findings in our two recent blogs about these threats: “Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions” and “Update: Ad Vulna Continues”.

      As we reported in our earlier blog “Update: Ad Vulna Continues”, we have observed that some vulnaggressive apps have been removed from Google Play, and some app developers have upgraded their apps to a more secure version either by removing the vulnaggressive libraries entirely or by upgrading the relevant libraries to a more secure version which address the security issues. However, many app developers are still not aware of these security issues and have not taken such needed steps. We need to make a community effort to help app developers and library vendors to be more aware of these security issues and address them in a timely fashion.

      To aid this community effort, we present the data to illustrate the changes over time as vulnaggressive apps are upgraded to a more secure version or removed from Google Play after our notification. We summarize our observations below, although we do not have specific information about the reasons that caused these changes we are reporting.

      We currently only show the chart for one such vulnaggressive library, AppLovin (previously referred to by us as Ad Vulna for anonymity). We will add the charts for other vulnaggressive libraries as we complete our notification/disclosure process and the corresponding libraries make available new versions that fix the issues.

      The Chart of Apps Affected by AppLovin

      AppLovin (Vulna)’s vulnerable versions include 3.x, 4.x and 5.0.x. AppLovin 5.1 fixed most of the reported security issues. We urge app developers to upgrade AppLovin to the latest version and ask their users to update their apps as soon as the newer versions are available.

      The figure below illustrates the change over time of the status of vulnerable apps affected by AppLovin on Google Play. In particular, we collect and depict the statistics of apps that we have observed on Google Play with at least 100k downloads and with at least one version containing the vulnerable versions of AppLovin starting September 20. Over time, a vulnerable app may be removed by Google Play (which we call “removed apps”, represented in gray), have a new version available on Google Play that addresses the security issues either by removing AppLovin entirely or by upgrading the embedded AppLovin to 5.1 or above (which we call “upgradable apps”, represented in green), or remain vulnerable (which we call “vulnerable apps”, represented in red), as shown in the legend in the chart.

      Please note that we started collecting the data of app removal from Google Play on October 20, 2013. Thus, any relevant app removal between September 20 and October 20 will be counted and shown on October 20. Also, for each app included in the chart, Google Play shows a range of its number of downloads, e.g., between 1M and 5M. We use the lower end of the range in our download count so the statistics we show are conservative estimates.


      We are glad to see that over time, many vulnerable apps have been either removed from Google Play or have more secure versions available on Google Play. However, apps with hundreds of millions of downloads in total still remain vulnerable. In addition, note that while removing vulnaggressive apps from Google Play prevents more people from being affected, the millions of devices that already downloaded them remain vulnerable since they are not automatically removed from the devices. Furthermore, because many users do not update their downloaded apps often and older versions of Android do not auto-update apps, even after the new, more secure version of a vulnerable app is available on Google Play, millions of users of these apps will remain vulnerable until they update to the new versions of these apps on their devices. FireEye recently announced FireEye Mobile Threat Prevention. It is uniquely capable of protecting its customers from such threats.