Search This Blog

Showing posts with label Android. Show all posts

This Banking Trojan is Targeting Users of Spanish Financial Services

 

A previously unreported Android banking trojan targeting users of the Spanish financial services business BBVA has been spotted in the wild. 

The malware, named 'Revive' by Italian cybersecurity firm Cleafy and believed to be in its early stages of development, was first discovered on June 15, 2022, and propagated via phishing operations. 

"The name Revive has been chosen since one of the functionality of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working," Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up. 

Downloadable from malicious phishing websites ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com"), the malware impersonates the bank's two-factor authentication (2FA) app as a bait to mislead users into installing the software and is reported to be inspired by open-source spyware dubbed Teardroid, with the authors altering the original source code to integrate new features.

In contrast to other banking malware that are known to target a wide range of financial apps, Revive is targeted for a single target, in this case, the BBVA bank. However, it is similar to its competitors in that it uses Android's accessibility services API to achieve its operational goals. 

Revive is primarily designed to gather the bank's login credentials via lookalike websites and allow account takeover attacks. It also has a keylogger module to record keystrokes and the ability to intercept SMS messages sent by the bank, particularly one-time passwords and two-factor authentication codes. 

"When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to the SMS and phone calls. After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they are sent to the [command-and-control server] of the TAs," the researchers further stated.

The findings emphasise the importance of exercising caution while installing software from unknown third-party sources.

Safeguarding Android Users From Zero-Day Attacks

 

The term "zero-day" refers to newly found security flaws that hackers can exploit to attack systems. It refers to the fact that the vendor or developer only recently discovered the fault, leaving them with "zero days" to repair it. A zero-day attack is when a zero-day exploit is used to harm or steal data from a system that has been exposed to a vulnerability.

Google's Threat Analysis Group (TAG) is always on the lookout for zero-day exploits. In 2021, it revealed nine zero-day exploits impacting Chrome, Android, Apple, and Microsoft, resulting in updates to safeguard consumers. Google believes that these attacks were bundled by a single commercial monitoring firm called Cytrox.

Cytrox is a North Macedonian firm with offices in Israel and Hungary that was exposed in late 2021 as the creator and maintainer of the spyware "Predator". 

According to new Google research, Cytrox offers new exploits to government-backed actors, who subsequently deploy them in three separate attack campaigns. Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are among the actors who purchased Cytrox services. 

The hackers take advantage of the time differential between when some significant problems were patched but not identified as security issues and when these fixes were fully propagated across the Android ecosystem, using 0-day exploits alongside n-day exploits. 

These findings highlight the extent to which commercial surveillance vendors have proliferated capabilities that were previously solely available to governments with the technical know-how to build and deploy exploits. TAG is actively tracking more than 30 vendors providing exploits or surveillance capabilities to government-backed entities, with different levels of sophistication and public exposure.

The three initiatives were all emailed to targeted Android users with one-time URLs that looked like URL shortener services. The campaign was small - researchers estimate that the number of users targeted in each case was in the tens of thousands. When the link was clicked, the target was sent to an attacker-controlled domain that provided the bugs before redirecting the browser to a legitimate website. The user was forwarded to a valid website if the link was not active. These ads are believed to be transmitted by ALIEN, a simple Android malware capable of loading PREDATOR, an Android implant first reported by CitizenLab in December 2021. 

  • Campaign 1 – Chrome redirection to SBrowser (CVE-2021-38000): In August 2021, the first campaign was discovered using Chrome on a Samsung Galaxy S21, and the webserver immediately responded with an HTTP redirect (302) pointing to the following intended URL. This URL took use of a logic issue in Chrome to force the Samsung Browser to load another URL without user intervention or warnings. 
  • Campaign 2 – Chrome sandbox escape: TAG discovered a campaign in September 2021, in which the exploit chain was sent to a fully updated Samsung Galaxy S10 running Chrome. The exploit that was utilized to get out of the Chrome Sandbox was retrieved, but not the original RCE exploit. The libchrome-embedded sandbox escape was loaded directly as an ELF binary. Libmojo bridge is also custom. The exploit was found to have two separate vulnerabilities in Chrome that are given below: 
  1. CVE-2021-37973: In the handling of Portals API and Fenced subframes, there is a use-after-free vulnerability. 
  2. CVE-2021-37976: A memory instrumentation. mojom. Coordinator information leak allows privileged programs to obtain Global Memory Dumps. These dumps contain sensitive data (addresses) that can be utilized to circumvent ASLR. After escaping the sandbox, the vulnerability downloaded another exploit to raise privileges and install the implant in /data/data/com.android.chrome/p.so. 
  • Campaign 3 – Android 0-day exploit chain in its entirety (CVE-2021-38003, CVE-2021-1048): A full chain exploits on an up-to-date Samsung phone running the newest version of Chrome in October 2021. Two zero-day exploits were included in the chain: CVE-2021-38003, a JSON renderer 0-day vulnerability. The whole value is leaked, allowing the attacker to totally exploit the renderer. The sandbox escape relied on a Linux kernel fault in the epoll() system call. The attacker can use this system call to escape the BPF sandbox and compromise the system by injecting code into privileged processes. 
Google hasn't been able to locate a copy of the exploit and will continue to keep the community informed as they learn more about these campaigns. To combat these issues, a robust, comprehensive approach will be required, involving collaboration between threat intelligence teams, network defenders, university researchers, and technology platforms.

Critical Chipset Flaws Enable Remote Spying on Millions of Android Devices

 

Three security flaws in Qualcomm and MediaTek audio decoders have been discovered, if left unpatched which might permit an adversary to remotely access media and audio chats from compromised mobile devices. According to Israeli cybersecurity firm Check Point, the flaws might be exploited to execute remote code execution (RCE) attacks by delivering a carefully prepared audio file. 

The researchers said in a report shared with The Hacker News, "The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera. In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations." 

The flaws, termed ALHACK, are based on an audio coding system that Apple created and made open-source in 2011. The Apple Lossless Audio Codec (ALAC) or Apple Lossless audio codec format is used to compress digital music in a lossless manner. Since then, other third-party suppliers have used Apple's reference audio codec implementation as the basis for their own audio decoders, including Qualcomm and MediaTek. While Apple has constantly patched and fixed security problems in their proprietary version of ALAC, the open-source version of the codec has not gotten a single update since it was first uploaded to GitHub on October 27, 2011. 

Check Point revealed three vulnerabilities in this ported ALAC code, two of which were found in MediaTek CPUs and one in Qualcomm chipsets. – 
• CVE-2021-0674 (CVSS score: 5.5, MediaTek) - A case of improper input validation in ALAC decoder leading to information disclosure without any user interaction 
• CVE-2021-0675 (CVSS score: 7.8, MediaTek) - A local privilege escalation flaw in the ALAC decoder stemming from out-of-bounds write 
• CVE-2021-30351 (CVSS score: 9.8, Qualcomm) - An out-of-bound memory access due to improper validation of a number of frames being passed during music playback 

The vulnerabilities allowed Check Point to "grab the phone's camera feed" in a proof-of-concept exploit, according to security researcher Slava Makkaveev, who discovered the issues alongside Netanel Ben Simon. All three vulnerabilities were addressed by the individual chipset manufacturers in December 2021, following responsible disclosure. 

"The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone," Makkaveev explained.

Google Strengthens Android Security With a New Set of Dev Policy Updates

 

Google has announced several important policy changes for Android app developers that will improve the security of users, Google Play, and the apps available through the service. 
These new developer requirements will be in effect from May 11th through November 1st, 2022, allowing developers plenty of time to adjust. The following are the most important policy changes related to cybersecurity and fraud that will be implemented: 
  • New API level target requirements.
  • Banning of loan apps whose Annual Percentage Rate (APR) is 36% or higher.
  • Prohibiting the abuse of the Accessibility API.
  • New policy changes for the permission to install packages from external sources.
All newly released/published apps must target an Android API level released within one year of the most recent major Android version release starting November 1, 2022. Those who do not comply with this criterion will have their apps banned from the Play Store, Android's official app store. 

Existing apps that do not target an API level within two years of the most recent major Android version will be eliminated from the Play Store and become undiscoverable. This change is intended to compel app developers to follow the tougher API regulations that underpin newer Android releases, such as better permission management and revoking, notification anti-hijacking, data privacy enhancements, phishing detection, splash screen limits, and other features. 

According to Google's blog article on the new policy: "users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer." 

App developers who require extra time to migrate to more recent API levels can request a six-month extension, albeit this is not guaranteed. Many outdated apps will be forced to adopt better secure methods as a result of this policy change. 

Accessibility API abuse

The Accessibility API for Android enables developers to design apps that are accessible to people with disabilities, enabling the creation of new ways to operate the device using its applications. However, malware frequently exploits this capability to do actions on an Android smartphone without the user's permission or knowledge. As noted below, Google's new policies further restrict how this policy can be applied: 
  • Change user settings without their permission or prevent the ability for users to disable or uninstall any app or service unless authorized by a parent or guardian through a parental control app or by authorized administrators through enterprise management software; 
  • Workaround Android built-in privacy controls and notifications; or
  • Change or leverage the user interface deceptively or otherwise violates Google Play Developer Policies.
Google has also released a policy change that tightens the "REQUEST INSTALL PACKAGES" permission. Many malicious software publishers hide package-fetching technology that downloads malicious modules after installation to have their submission accepted on the Play Store. Users interpret these activities as "request to update" or "download new content," and they either authorise the action when presented with the corresponding prompt or don't notice because it occurs in the background. 

Google aims to narrow this loophole by imposing new permission requirements, bringing light to an area that was previously unregulated. Apps that use this permission must now only fetch digitally signed packages, and self-updates, code modifications, or bundling of APKs in the asset file will still require the user's authorization. For all apps using API level 25 (Android 7.1) or higher, the new REQUEST INSTALL PACKAGES policies will enter into force on July 11th, 2022.

Top Israeli Officials Duped by Bearded Barbie Hackers

 

Cybercriminals appear to be aggressively promoting the Remcos RAT that first appeared in hacking forums in 2016 and was marketed sold, and offered cracks on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow with a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software which may be purchased online. 

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques like creating phony social media identities and maintaining a strong partnership with the targets. AridViper has previously targeted Palestinian law enforcement, military, or educational institutions, as well as the Israel Security Agency, with spear-phishing assaults (ISA). Researchers from Cisco Talos discovered AridViper assaults against activists involved in the Israel-Palestine conflict in February.

Malicious actors have built several phony Facebook pages utilizing forged credentials and pirated or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators have spent months curating these profiles to make them appear legitimate, posting in Hebrew and alike organizations and prominent pages in Israel. The creators of these profiles create a network of friends who are actually people who work in Israel's police, defense forces, emergency services, or government. The opponents recommend transferring the chat to WhatsApp, ostensibly for more privacy, after building the target's trust by talking with individuals for a while. 

The Android app is actually the virus VolatileVenom.The icon is concealed on pre-Android 10 devices; with Android 10, the virus utilizes the Google Play installation icon. When the victim tries to sign into the Wink Chat, an error message appears, stating the app will be deleted. With a wide spectrum of espionage capabilities, VolatileVenom continues to function in the background. 

The malicious actors will eventually email the target a RAR file containing supposedly explicit photographs or videos as part of the catfishing attempts. This RAR file, on the other hand, contains the Barb(ie) installer malware, which installs the BarbWire backdoor. The filename of a sample of Barb(ie) detected by Cybereason is "Windows Notifications," and when it is made to run, it performs basic anti-analysis checks. If the host is deemed appropriate, the downloader links to an integrated C2 server. 

The BarbWire Backdoor is sent by the C2 server. The downloader contains a backup technique for finding a different C2. If the attackers need to modify the C2 from the one inserted, they can simply send an SMS message with the new destination. All inbound SMS messages are intercepted by the downloader. If one is provided by the intruders, it can just extract the new C2 information and install the backdoor. BarbWire steals data from PDFs, Office files, archives, picture files, movies, and photos, among other file types. It also checks for external media, such as a CD-ROM file, implying it's hunting for highly sensitive material which is carried around physically or over the internet. The stolen information is stored in a RAR archive and then sent to the attackers' C2 server. 

APT-C-23 employs several approaches which have been used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering efforts. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past missions, indicating the group's goal of avoiding notice. Another escalation for the threat actor is the usage of two backdoors, one for Windows and one for Android, resulting in very active espionage for the compromised targets.

Google Authenticator Codes for Android is Targeted by Nefarious Escobar Banking Trojan

 


'Escobar' virus has resurfaced in the form of a novel threat, this time targeting Google Authenticator MFA codes. 

The spyware, which goes by the package name com.escobar.pablo is the latest Aberebot version which was discovered by researchers from Cyble, a security research firm, who combed through a cybercrime-related forum. Virtual view, phishing overlays, screen captures, text-message captures, and even multi-factor authentication capture are all included in the feature set. 

All of these characteristics are utilized in conjunction with a scheme to steal a user's financial data. This malware even tries to pass itself off as McAfee antivirus software, with the McAfee logo as its icon. It is not uncommon for malware to disguise itself as a security software; in fact, it was recently reported that the malware was installed straight inside of a completely functional 2-factor authentication app. 

The malicious author is leasing the beta version of the malware to a maximum of five customers for $3,000 per month, with threat actors getting three days to test the bot for free. After development, the threat actor intends to raise the malware's price to $5,000. 

Even if the overlay injections are curtailed in some way, the malware has various other capabilities to make it effective against any Android version. In the most recent version, the authors increased the number of aimed banks and financial organizations to 190 entities from 18 countries. 

The malware asks a total of 25 rights, 15 of which are employed nefariously. To name a few, accessibility, audio recording, read SMS, read/write storage, acquiring account lists, disabling keylock, making calls, and accessing precise device locations. Everything the virus captures, including SMS call records, key logs, notifications, and Google Authenticator codes, is sent to the C2 server. 

It is too soon to gauge the popularity of the new Escobar malware among cybercriminals, especially given its exorbitant price. Nonetheless, it has grown in strength to the point that it can now lure a wider audience. 

In general, avoiding the installation of APKs outside of Google Play, utilizing a mobile security application, and ensuring the Google Play Protect is enabled on your device will reduce, the chances of being infected with Android trojans.

Samsung Delivered 100 Million Phones with Faulty Encryption

 

Samsung is thought to have shipped 100 million smartphones with flawed encryption, including models ranging from the 2017 Galaxy S8 to last year's Galaxy S21. Tel Aviv University researchers discovered "serious" cryptographic design defects that might have allowed attackers to steal the devices' hardware-based cryptographic keys, keys that unlock the vast trove of security-critical data present in smartphones. 

To keep crucial security operations isolated from normal apps, Android devices, which almost all employ Arm-compatible silicon, rely on a Trusted Execution Environment (TEE) backed by Arm's TrustZone technology. TEEs use their own operating system, TrustZone Operating System (TZOS), and it is up to suppliers to integrate cryptographic features within TZOS. 

According to the researchers, the Android Keystore provides hardware-backed cryptographic key management via the Keymaster Hardware Abstraction Layer (HAL). Samsung implemented the HAL with Keymaster TA, a Trusted Application running in the TrustZone that performs cryptographic activities such as key generation, encryption, attestation, and signature creation in a safe environment. The outcomes of these TEE crypto calculations can subsequently be used in apps that run in less secure Android environments. 

The Keymaster TA saves cryptographic keys as blobs — the keys are wrapped (encrypted using AES-GCM) so that they may be saved in the Android file system. They should, in theory, only be readable within the TEE. 

Samsung, on the other hand, failed to successfully deploy Keymaster TA in its Galaxy S8, S9, S10, S20, and S21 phones. The researchers reverse engineered the Keymaster application and demonstrated that they could use an Initialization Vector (IV) reuse attack to get keys from hardware-protected key blobs. The IV is supposed to be a unique number each time, ensuring that the AES-GCM encryption operation provides a different result even when the same plain text is encrypted multiple times. 

According to the experts, the problem isn't simply with how Samsung handled encryption. According to the Tel Aviv University's study, these issues arise as a result of companies – specifically, Samsung and Qualcomm – keeping their cryptography designs close to the vest.

“Vendors including Samsung and Qualcomm maintain secrecy around their implementation and design of TZOSs and TAs,” they wrote in their paper. “As we have shown, there are dangerous pitfalls when dealing with cryptographic systems. The design and implementation details should be well audited and reviewed by independent researchers and should not rely on the difficulty of reverse engineering proprietary systems.”

Every Tenth Stalking and Espionage Attack in the World is Directed at Android Users from Russia

 

According to analysts at ESET (an international developer of antivirus software headquartered in Slovakia), commercial developers who openly offer spyware to control spouses or children are gaining popularity. 

"ESET global telemetry data for the period from September to December 2021 shows an increase in spyware activity by more than 20%. At the same time, every tenth stalking and espionage attack in the world is directed at Android users from Russia," the company's press service reported. 

ESET threat researcher Lukas Stefanko reported that unwanted stalking software, according to him, in most cases is distributed by attackers through clones of legal applications downloaded from unofficial stores. 

Alexander Dvoryansky, Director of Special Projects at Angara Security, confirms that Android spyware is very common and continues to gain popularity. According to him, it is advantageous for attackers to develop malicious software for this operating system because of its widespread use. Android smartphones accounted for 84.5% of total device sales in 2021. 

According to Lucas Stefanko, it is not uncommon for stalker software to be installed on smartphones to track them in case they are stolen or lost. Despite Google's ban on advertising stalker apps, there are apps available on Google Play that are positioned as private detective or parental control tools. In 2018, the Supreme Court allowed the acquisition and use of spy equipment to ensure their own security, so the demand for software promoted as "monitoring one's mobile devices" has increased. But many install it covertly on the phones of relatives or employees for espionage. 

If the program is installed on the phone openly and with the consent of a person, then there will be nothing illegal in tracking geolocation, as well as obtaining other information, says lawyer KA Pen & Paper by Alexander Kharin. However, secretly installing a spyware program on a phone can result in a penalty of up to two years in prison, and for a developer, the term can be up to four years. But so far, criminal cases on the fact of stalking are rarely initiated. 

Earlier, CySecurity News reported that the exact location of any Russian on the black market can be found for about 130 dollars.

Facebook Patched a Vulnerability that Exposed the Identity of Page Admins

 

Facebook gave a $4,750 bug bounty reward to a teenage researcher from Nepal for discovering a vulnerability that might have been abused to reveal the identity of a page's administrator. Businesses can use Facebook Pages to boost brand visibility on the social media network, but the Facebook account that has administrative rights over the page stays private. Sudip Shah, a 19-year-old from Pokhara, Nepal, identified an insecure direct object reference (IDOR) vulnerability in Facebook for Android that may be abused to reveal the identity of the page admin. 

Insecure direct object references (IDOR) are a form of access control vulnerability that occurs when an application directly accesses objects using user-supplied input. The term IDOR gained popularity after appearing in the OWASP Top Ten in 2007. It is, however, simply one of several access control implementation errors that can lead to access controls being evaded. IDOR vulnerabilities are most often connected with horizontal privilege escalation, although they can also occur in the context of vertical privilege escalation. 

Consider a website that accesses the customer account page via the URL https://insecure-website.com/customer account?customer number=132355 by retrieving information from the back-end database. In this case, the customer number is directly used as a record index in queries made on the back-end database. If no other restrictions are in place, an attacker can simply change the customer number value, allowing them to examine the records of other customers while avoiding access controls. This is an example of an IDOR vulnerability that results in horizontal privilege escalation. 

Shah noticed that altering the page id in a request containing a vulnerable endpoint resulted in the broadcaster id parameter in the response containing the admin ID while navigating to another page's live video section in Facebook for Android. “It leads to page admin disclosure which is a privacy issue to the page. The impact is high because the page’s admin information is meant to be kept private and not shown to the public,” the researcher says. 

The issue only affected pages with a live video function enabled, although Shah believes that most pages were affected because the feature is present on the majority of them. He further notes that an attacker would have needed a script to automatically modify the page id in the request and capture the broadcaster id in the response for mass exploitation.

The researcher also found a variation of the security flaw in which the attacker might have the admin ID disclosed in the response by including a modified live_video_id in the request. The underlying source of the issue, however, remained the same.

Android Devices being Targeted by Flubot

 

The National Cyber Security Centre of Finland (NCSC-FI) has recently released a "severe alert" over a major campaign targeting the nation's Android users with Flubot banking malware delivered through text messages sent out by hacked devices. 

This is the second greatest Flubot operation to strike Finland this year, with a previous set of cyberattacks SMS spamming thousands of Finns each day from early June to mid-August 2021. The latest spam campaign, like the previous one, has a voicemail theme, encouraging recipients to click a link that will enable them to retrieve a voicemail message or a message from the mobile operator. 

Rather than being made to open a voicemail, SMS recipients are led to malicious websites that push APK installers to install the Flubot banking virus on their Android devices. 

“According to our current estimate, approximately 70,000 messages have been sent in the last 24 hours. If the current campaign is as aggressive as the one in the summer, we expect the number of messages to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected," the Finnish National Cyber Security Centre said in the alert issued on Friday. 

"We managed to almost eliminate FluBot from Finland at the end of summer thanks to cooperation among the authorities and telecommunications operators. The currently active malware campaign is a new one because the previously implemented control measures are not effective," said NCSC-FI information security adviser Aino-Maria Väyrynen. 

Those who have been affected should do a factory reset on their Android device to remove the virus. When iOS users get FluBot messages and click on the associated link, they will be forwarded to fraud and phishing websites rather than being forced to install an app. 

FluBot, once installed on a device, may browse the contacts list, spam texts to other individuals, read messages, steal credit card information and passwords as they are typed into apps, install other apps, and engage in other nefarious activities. Android users who get Flubot spam messages or emails should avoid opening attached links or downloading files shared through the link to their cellphones. 

The virus family has also been discovered on other websites, where anybody can come into contact with the harmful code. Netcraft, a provider of internet services, announced on Monday that it had discovered nearly 10,000 websites that were disseminating FluBot malware.

Researchers: Iranian Users Beware of Widespread SMS Phishing Campaigns

 

Socially engineered SMS texts are being utilized to install malware on Android smartphones, as part of a large phishing operation that impersonates the Iranian government and social security authorities in order to steal credit card information and funds from victims' bank accounts, 

Unlike other types of banking malware that use overlay attacks to steal sensitive data without the victim's knowledge, the financially motivated operation discovered by Check Point Research is developed to trick victims into handing over their credit card information by sending them a legitimate-looking SMS message with a link that, when clicked, downloads a malware-laced app onto their devices. 

Check Point researcher Shmuel Cohen stated in a new report published Wednesday, "The malicious application not only collects the victim's credit card numbers, but also gains access to their 2FA authentication SMS, and turn[s] the victim's device into a bot capable of spreading similar phishing SMS to other potential victims." 

As per the cybersecurity firm, it discovered hundreds of distinct phishing Android apps masquerading as device tracking apps, Iranian banks, dating and shopping sites, cryptocurrency exchanges, and government-related services, with these botnets sold as a "ready-to-use mobile campaign kit" on Telegram channels for somewhere between $50 and $150. 

The infection chain of the smishing botnet begins with a bogus notification from the Iranian judiciary requesting users to evaluate a fictitious complaint made against the message's receivers. The complaint link takes victims to what appears to be a government website, where they are requested to provide personal information (e.g., name, phone number, etc.) and download an Android APK file. 

Once downloaded, the rogue app not only demands invasive rights to execute operations typically not associated with such government applications, but it also displays a false login page that resembles Sana, the country's electronic judicial notice system, and prompts the victim to pay a $1 payment to proceed. Users who choose to do so are then sent to a bogus payment page that captures the credit card information submitted, while the installed software acts as a covert backdoor to harvest one-time passcodes given by the credit card provider and assist more fraud. 

Furthermore, the malware has a plethora of functionality, including the ability to exfiltrate all SMS messages received by a device to an attacker-controlled server, conceal its icon from the home screen to circumvent attempts to remove the app, deploy extra payloads, and obtain worm-like powers to broaden its attack surface. 

Prevent data breaches 

Cohen explained, "This allows the actors to distribute phishing messages from the phone numbers of typical users instead of from a centralized place and not be limited to a small set of phone numbers that could be easily blocked. This means that technically, there are no 'malicious' numbers that can be blocked by the telecommunication companies or traced back to the attacker." 

To make matters worse, the attackers behind the operation were discovered to have inadequate operational security (OPSEC), enabling any third party to openly access the phone numbers, contacts, SMS messages, and list of any online bots stored on their servers. 

"Stealing 2FA dynamic codes allows the actors to slowly but steadily withdraw significant amounts of money from the victims' accounts, even in cases when due to the bank limitations each distinct operation might garner only tens of dollars." 

"Together with the easy adoption of the 'botnet as a service' business model, it should come as no surprise that the number of such applications for Android and the number of people selling them is growing," he added.

Android Malware BrazKing Makes a Comeback as a Stealthier Banking Trojan

 

The Android banking trojan BrazKing has returned, this time with dynamic banking overlays and a new implementation trick that allows it to operate without seeking potentially dangerous permissions. IBM Trusteer researchers analyzed a new malware sample they discovered outside of the Play Store, on sites where individuals end up after getting smishing (SMS) messages. These HTTPS sites notify potential victims that their Android version is outdated and offer an APK that would supposedly update them to the most recent version. 

BrazKing took advantage of the accessibility service in the previous version to figure out which app the user had accessed. When the malware recognized the launch of a targeted banking app, it displayed an overlay screen pulled from a hardcoded URL on top of the real app. It now makes a live call to the attacker's server, requesting those matches. The virus now detects which app is being used on the server-side, and it sends on-screen material to the C2 on a regular basis. Credential grabbing is then initiated by the C2 server rather than by a command from the malware. 

The added agility here is that the attacker can choose or avoid the following action based on the victim's IP address (Brazilian/other) or whether the malware is being run on an emulator. They have the ability to change what is returned. They can change the target list at any time without having to change the malware.  

BrazKing loads the fake screen's URL from the C2 into a webview in a window when it displays its overlay screen. Users can open links within apps using Android System webview without having to exit the app. When adding the webview from within the accessibility service, BrazKing utilizes TYPE_ACCESSIBILITY_OVERLAY as the type of window. 

Internal resources are protected in the new version of BrazKing by performing an XOR operation using a hardcoded key and then encoding them with Base64. Although analysts can rapidly reverse these procedures, they nonetheless aid the malware's ability to remain undetected when nested in the victim's device. If the user tries to remove the malware, it rapidly taps the 'Back' or 'Home' buttons to stop it. 

When a user tries to start an antivirus app in the hopes of scanning and removing malware, the same method is performed. As Android's security tightens, malware developers quickly adapt to deliver stealthier versions of their tools, as shown by BrazKing's progression.

Google Releases New Android Fixes, Warns Users of Dangerous Zero Day Vulnerabilities

 

Google recently released its monthly security patches for Android with patches for 39 flaws, which also includes a zero-day vulnerability which it said is currently being exploited in the open in targeted, limited attacks. Known as CVE-2021-1048, the zero-day vulnerability is known as a use-after-free vulnerability in the kernel that can also be exploited for local escalation privileges. These vulnerabilities can be dangerous as they can allow an attacker to get access or reference memory once it has been freed, which leads to a 'write what where' situation resulting in the implementation of arbitrary code to get access over the target's device. 

There are hints that CVE-2021-1048 may be under restricted, specific exploit, said the company in its November notification without unveiling any technical information of the flaw, the nature of the exploit, and attackers' identity that may have exploited the vulnerability. Security patches also fixed two other RCE (critical remote code execution) flaws, CVE-2021-0918 and CVE-2021-0930, in the device component, allowing remote threat actors to launch malicious codes with the assistance of privileged mechanisms via sending a specifically built transmission to attack victim targets. 

"Two more critical flaws, CVE-2021-1924 and CVE-2021-1975, affect Qualcomm closed-source components, while a fifth critical vulnerability in Android TV (CVE-2021-0889) could permit an attacker in close proximity to silently pair with a TV and execute arbitrary code with no privileges or user interaction required," reports the hacker news. As per the latest Google security patches, it identified a total of six zero-day vulnerabilities from January 2021 in the android devices. 

Google says security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung. To know in detail about Google's security patches released recently, readers can visit Google's source website. Stay updated with Cy Security to know more.

Alert: Android Users Should Delete These 151 Apps Immediately

 

A total of 151 scam applications have been identified and deleted from the Google Play Store, but Android users should double-check that none of them is installed.

Avast, a cybersecurity software company, has detected a massive premium SMS fraud running on the official Google Play Store, according to BGR. It's been termed the UltimaSMS campaign by Avast (because the first scam software uncovered during the investigation was Ultima Keyboard 3D Pro), and it's made up of 151 fraudulent applications that have been downloaded over 10.5 million times in over 80 countries. 

Custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games are just some of the applications that are disguised as legitimate tools. However, they all have the same goal in mind: to sign users up for premium SMS services. 

Every app follows the same methodology: The area code and language to use are determined by checking the phone's location, International Mobile Equipment Identity (IMEI), and phone number once it has been installed. Prompts then ask for the user's phone number and, in some instances, their email address. 

This information is then utilised to sign them up for premium SMS services without the user's knowledge. The charges are typical $40 or more each month, and users may not be aware of them for weeks or months. Once an UltimaSMS app has reached its objective, it often stops running or advertises more subscription choices instead of the promised features. The concern is that premium subscriptions will continue to deduct money from users' accounts even if they remove the app. 

Avast compiled a list of all 151 applications involved in the fraud and every Android user should examine it. If anyone has any of these applications installed (or have had them installed in the past), uninstall them immediately. 

However, if anyone notices any unexpected charges, examine the statements and contact the carrier. If users wish to avoid this sort of fraud in the future, then should ask their carrier to disable premium SMS options on the account.

Hydra Malware Targets Germany's Second Largest Bank Customers

 

The Hydra banking trojan has resurfaced to target European e-banking platform users, especially Commerzbank customers, Germany's second-largest financial institution. 

MalwareHunterTeam discovered the two-year-old virus in a fresh dissemination operation that targets German users with a malicious APK called 'Commerzbank Security' with a lookalike icon to the legitimate application. 

This grabbed the attention of Cyble researchers, who sampled the file for a more in-depth study, revealing a sophisticated phishing tool with broad rights access. 

According to Cyble experts, Hydra is still evolving; the variations used in the latest campaign include TeamViewer features, similar to the S.O.V.A. Android banking Trojan, and utilize various encryption methods to avoid detection, as well as Tor for communication. 

The latest version additionally allows to turn off the Play Protect Android security function. The virus demands two very hazardous permissions, BIND_ACCESSIBILITY_PERMISSION and BIND_DEVICE_ADMIN, according to the experts. 

The Accessibility Service is a background service that assists users with disabilities, and the BIND_ACCESSIBILITY_SERVICE permission permits the app to access it. 

The analysis published by Cyble states, “Malware authors abuse this service to intercept and monitor all activities happening on the device’s screen. For example, using Accessibility Service, malware authors can intercept the credentials entered on another app.” 

“BIND_DEVICE_ADMIN is a permission that allows fake apps to get admin privileges on the infected device. Hydra can abuse this permission to lock the device, modify or reset the screen lock PIN, etc.” 

Other rights are requested by the malware to carry out harmful activities such as accessing SMS content, sending SMSs, making calls, modifying device settings, spying on user activity, and sending bulk SMSs to the victim's contacts: 
  • CHANGE_WIFI_STATE : Modify Device’s Wi-Fi settings 
  • READ_CONTACTS: Access to phone contacts 
  • READ_EXTERNAL_STORAGE: Access device external storage 
  • WRITE_EXTERNAL_STORAGE: Modify device external storage 
  • READ_PHONE_STATE: Access phone state and information 
  • CALL_PHONE: Perform call without user intervention 
  • READ_SMS : Access user’s SMSs stored in the device 
  • REQUEST_INSTALL_PACKAGES : Install applications without user interaction 
  • SEND_SMS: This allows the app to send SMS messages 
  • SYSTEM_ALERT_WINDOW: The display of system alerts over other apps 
The code analysis shows that many classes are missing from the APK file. To avoid signature-based detection, the malicious code uses a custom packer. 

Cyble concluded, “We have also observed that the malware authors of Hydra are incorporating new technology to steal information and money from its victims. Alongside these features, the recent trojans have incorporated sophisticated features. We observed the new variants have TeamViewer or VNC functionality and TOR for communication, which shows that TAs are enhancing their TTPs.” 

“Based on this pattern that we have observed, malware authors are constantly adding new features to the banking trojans to evade detection by security software and to entice cybercriminals to buy the malware. To protect themselves from these threats, users should only install applications from the official Google Play Store.” 

18 million potential targets

Commerzbank has 13 million German clients and another 5 million in Central and Eastern Europe. This amounts to a total of 18 million potential targets, which is always an important factor for malware distributors. 

Typically, threat actors utilise SMS, social media, and forum postings to direct potential victims to malicious landing pages that install the APK on German devices. 

If anyone believes they have already fallen into Hydra's trap, it is suggested that they clean their device with a trustworthy vendor's security tool and then do a factory reset.

Thousands of University Wi-Fi Networks Dislcose Log-In Credentials

 

Multiple configuration vulnerabilities in a free Wi-Fi network used by several colleges can enable access to the usernames and passwords of students and teachers who connect to the system using Android and Windows devices, according to the findings by researchers. 

WizCase researchers lead by researcher Ata Hakçl evaluated 3,100 Eduroam setups at universities throughout Europe and discovered that more than half of them have vulnerabilities that threat actors might exploit. 

They noted that the risk of misconfiguration might spread to other companies throughout the world. Eduroam offers free Wi-Fi access at participating institutions. It provides log-in credentials to students, researchers, and faculty members, allowing them to access the internet across many universities by utilizing credentials from their own university. 

Researchers found vulnerabilities in the execution of the Extensible Authentication Protocol (EAP) used by Eduroam, which offers numerous levels of authentication when individuals connect to the network. Some of these authentication steps are not implemented properly in some colleges, causing security flaws.

Researchers wrote in a report posted Wednesday, “Any students or faculty members using Eduroam or similar EAP-based Wi-Fi networks in their faculties with the wrong configuration are at risk.” 

“If you are using an Android device and have Eduroam Wi-Fi set to auto-connect, malicious people could capture your plaintext username and password by only getting 20 or so meters in the range of you.” 

WizCase evaluated several configuration guidelines and built a test environment with multiple attack scenarios for the study. Overall, their analysis indicated that in the majority of institutions with misconfigured networks, threat actors may establish an “evil twin”, Eduroam network that a user would mistake for the actual network, especially on Android devices. 

Referring to Eduroam's catalogue application that performs certificate checks, researchers stated, “This could result in these devices automatically sending their stored credentials in order to connect to the evil twin Wi-Fi network for users not using eduroamCAT.” 

Researchers emphasized that the issue is not due to any technical flaw in Eduroam's services or technology, but rather due to improper setup instructions provided by the institutions' own network administrators to those setting up access. 

Moreover, while each institution supplies resources and personnel to assist Eduroam functioning, researchers discovered that there is no centralized management for the network – either as a whole or at each university where the system is in place. This signifies that a minor misconfiguration may make it a target for hackers. 

Researchers narrowed down the issue further by dissecting the numerous consecutive steps of EAP authentication, discovering that inadequate implementation of the last level of this authentication, known as "Inner Authentication," is at the foundation of the problem. Inner Authentication is accomplished in one of two methods in EAP. 

One method is to utilize the Plain Authentication Protocol (PAP), which sends users' credentials to the authentication server in plaintext and relies on Outer Authentication to completely encrypt the traffic with a server certificate. 

The alternative method utilizes Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2), which understands that there may be errors in the “Outer Authentication stage, and transfers the password in a hashed, non-plaintext form. 

Mismanaged Certificate Checks 
“When a network with the same Wi-Fi name appears, Android devices will not check whether this certificate is trustworthy or not, and will not even notify the user about the certificate before connecting,” they explained. 

Even an operating system that properly performs certificate checks can disclose data since many users do not understand what a certificate check implies and will permit the connection to proceed even if they get an alert concerning the certificate. 

According to the researchers, this indicates that the problem can arise on Windows as well if a system is misconfigured. iOS devices are not vulnerable to the vulnerability since they do not enable connections to EAP networks without first installing the EAP configuration file, which ensures the validity of the server-side certificate. 

As per the researchers, 2,100 of the 3,100 Eduroam participating university setups examined by WizCase are possibly impacted by the issue. 

According to the firm, it may be prevented by returning to the second technique of Inner Authentication. WizCase contacted Eduroam in December to share their results and received a response the same day. 

In accordance with WizCase, Eduroam officials stated that they are aware of “Eduroam identity providers who do not follow the requirements of the Eduroam policy and leave their own users unprotected,” agreeing with researchers that this conduct is “unacceptable.” It is unknown whether Eduroam contacted its customers to alert them about the issue.

Turkish National Charged for DDoS Attack on U.S. Company

 

Authorities in the United States charged a Turkish national for launching distributed denial-of-service (DDoS) assaults against a Chicago-based multinational hospitality company using a now-defunct malware botnet. 

Izzet Mert Ozek, 32, is accused of launching attacks against the Chicago multinational in August 2017 using WireX, a botnet developed using Android malware. 

According to authorities, Ozek's attacks caused infected Android devices to transmit massive volumes of online traffic to the company's public website and online booking service, leading servers to crash. As per the news release from the US Department of Justice, the charges were announced on September 29 in the Northern District of Illinois. 

The press release stated, “In August 2017, IZZET MERT OZEK used the WireX botnet, which consisted of compromised Google Android devices, to direct large amounts of network traffic to the hospitality company’s website, preventing legitimate users from completing hotel bookings, according to an indictment returned Tuesday in U.S. District Court in Chicago. The hospitality company, which managed luxury hotels and resorts, was headquartered in Chicago and the servers for its website were located in northern Illinois.” 

“The indictment charges Ozek, 32, with one count of intentionally causing damage to a protected computer. Ozek is believed to be residing in Turkey, and a warrant for his arrest will be issued.” 

The official statement and indictment do not specify whether Ozek developed the WireX botnet himself or bought it from a third party. The botnet, which was created just a month before in July 2017, soon grew to gigantic size of more than 120,000 bots after its creator attacked Android smartphones with fraudulent Android apps. 

Months after the disastrous Mirai malware attacks at the end of 2016, the cyber-security industry responded quickly to eliminate the emerging danger while it was still in its early phases. 

A coalition of security firms, including Akamai, Cloudflare, Flashpoint, Google, Dyn, RiskIQ, and Team Cymr, launched an investigation weeks after the attack on the Chicago multinational company to track WireX’s bots and backend infrastructure and then seize and take down its command and control systems.

Hackers Can Use the SSID Stripping Flaw to Mimic Real Wireless APs

 

A group of researchers discovered what appears to be a new way for threat actors to mislead people into connecting to their wireless access points (APs). The method, called SSID Stripping, was revealed on Monday by AirEye, a wireless security company. It was discovered in conjunction with Technion - Israel Institute of Technology researchers.

Simply put, unwary users might be duped into connecting to hacker-created Wi-Fi hotspots. This vulnerability exposes users to data theft as well as access to their personal information on their devices. Because it affects nearly all software systems, including MS Windows, macOS, Apple iOS, Ubuntu, and Android, SSID Stripping has emerged as a serious concern. 

A user can see a connection that resembles the name of one of their trusted connections in an SSID Stripping attack, according to researchers. The catch is that the user must manually join the false network. The network, on the other hand, will get through the device's security restrictions since the original SSID name will be saved in the string the attacker has added, which the user won't be able to see on the screen. As a result, people will connect to the phoney AP.

“The SSID published by any AP in the proximity of a wireless client is processed by that client – regardless of whether there is any trust between the client device and the AP. Hence an attacker may attempt to include malicious payload within the SSID in an attempt to exploit a vulnerable client implementation,” researchers noted. 

They were able to create three different sorts of "display errors," as they call them. One of these entails adding a NULL byte into the SSID, which causes Apple devices to show just the portion of the name preceding this byte. To achieve the same effect on Windows machines, the attacker may utilize "new line" characters. 

Non-printable characters are used to represent the second sort of display error, which is more prevalent. Without notifying the user, an attacker may add unusual characters to the SSID's name. For example, instead of aireye_network, the attacker can show aireye_x1cnetwork, where x1c indicates a byte having a hex value of 0x1c. 

The third display error removes a section of the network name from the viewable region of the screen. In this case, an iPhone may show an SSID named aireye_networknnnnnnnnnnnrogue as aireye_network, eliminating the word rogue. This method, along with the second type of error, can successfully disguise the suffix of a rogue network name.

Cybercriminals Tricked Britons into Downloading Flubot Malware

 

Hackers are mimicking delivery services and sending phishing text messages to Britons in an attempt to get them to download the Flubot malware. It's capable of intercepting messages and stealing financial information. Three, one of the UK's most popular mobile networks, has issued a warning about a phishing scam that has reportedly affected all network operators. “Many people in the UK have been targeted with a text message that looks like it’s from a delivery service, or it may say that you’ve received a voicemail,” the company warned in a blog post.

The message instructs you to install an app in order to monitor a package or listen to voicemail. Some messages claim to be from DHL, Amazon, Asda, and Argos. If a victim is tricked into participating in the malicious campaign, the scammer has access to their entire Android smartphone. This includes the possibility of stealing credit card data and online banking login passwords. 

To evade detection, the attacker disables the Android OS's built-in protection and prevents the installation of many third-party security software packages, which many users would employ to remove unwanted malware. 

First, the victim receives an SMS message impersonating a well-known shipping logistics company, such as FedEx, DHL, or Correos. The message's call to action is for the user to click a link to download and install an app with the same familiar branding as the SMS message, but which is actually harmful and contains the FluBot malware.

FluBot, once installed and given the necessary rights, unleashes a slew of features, including SMS spamming, credit card and banking credential theft, and spyware. The contact list is taken from the device and sent to the threat actor's servers, giving them access to more personal information and allowing them to launch new attacks on other potential victims. 

SMS and notifications from telecom carriers can be intercepted, browser sites can be visited, and overlays can be presented to capture credentials. To prevent detection by the operating system's built-in security, the malicious app also disables Google Play Protect. 

According to Three, this fraud attack has impacted all network operators. Despite the fact that the majority of messages were blocked, a tiny number of Three subscribers may have received them. As a result, the company advises staying aware and being cautious when clicking on any links sent by text message. 

“If your device has been infected with the Flubot malware, you may have been charged for text messages over your plan. If so, we’ll arrange a refund for you as soon as possible,” the company stated.

UBEL is the Android Malware Successor to Oscorp

 

As part of a fresh campaign that began in May 2021, an Android malware that was discovered misusing accessibility features in the device to steal user credentials from European banking applications has morphed into an altogether new botnet. Oscorp, a mobile malware built to attack several financial targets with the purpose of stealing funds from unsuspecting users, was revealed by Italy's CERT-AGID in late January. 

The Oscorp malware, like other Android malware, convinces users to provide them access to the Android Accessibility Service, which allows them to read text on the phone screen, determine an app installation prompt, traverse through the permission list, and install apps on the user's behalf. “Not being able to access the private files of other applications, the actions of these malicious apps are “limited” to the theft of credentials through phishing pages, to blocking the device and possibly to the capture of audio and video,” read the advisory published by Italy’s CERT-AGID. 

Malicious SMS messages were used to spread the malware, with attackers pretending as bank operators to deceive targets over the phone and secretly get access to the infected device using WebRTC protocol, allowing them to execute unlawful bank transfers. While no fresh activities have been detected since then, it appears as Oscorp has returned after a brief hiatus in the shape of the UBEL Android botnet. 

"By analysing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple [threat actors]," Italian cybersecurity company Cleafy said on Tuesday, charting the malware's evolution. 

UBEL, like its predecessor, is marketed on underground forums for $980 and asks for invasive permissions that allow it to read and send SMS messages, record audio, install and delete apps, initiate itself automatically after system boot, and exploit Android accessibility services to collect confidential data such as login credentials and two-factor authentication codes, the results of which are exfiltrated back to a remote server. 

Once installed on the system, the malware tries to disguise itself as a service and hide its presence from the target, allowing for long-term persistence. Surprisingly, using WebRTC to communicate with the hijacked Android phone in real-time eliminates the requirement to enroll a new device and take over an account in order to commit fraud. 

"The main goal for this [threat actor] by using this feature, is to avoid a 'new device enrolment', thus drastically reducing the possibility of being flagged 'as suspicious' since device's fingerprinting indicators are well-known from the bank's perspective," the researchers said.