Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Android Malware. Show all posts
User Privacy
Android Malware data security File Encryption Mobile Security Ransomware User Privacy

Beware of This Dangerous Android malware As It Can Hold Your Phone Hostage

 

A brand-new Android malware has been discovered in the wild that is capable of evading antivirus apps, stealing a tonne of private and financial information, and even encrypting all of the contents on an infected smartphone by using ransomware. 

According to a recent report from the cybersecurity company CloudSEK, this new Android malware, known as "Daam" by its experts, poses a serious threat to the greatest Android phones due to its advanced capabilities. 

As of right now, CloudSEK has discovered the Daam malware in the APK or Android app installation files for the Psiphon, Boulders, and Currency Pro apps, which appear to be sideloaded apps that the Daam malware uses to infect Android smartphones. Psiphon is a VPN programme; Boulders is a smartphone game; and Currency Pro is, as its name implies, a currency converter. 

Your Android phone may be infected with the Daam malware if you installed any of these apps via sideloading rather than through approved app stores like the Google Play Store. The malware can evade detection by antivirus software, and it may already have locked the files on your smartphone by using ransomware, so there may not be a simple remedy. 

File encryption 

The Daam malware is quite complex and has a variety of features intended to steal your data and jeopardise your privacy. For instance, the malware is capable of recording all active VoIP and phone calls, including WhatsApp calls. However, it can also steal your smartphone's files and even contacts. Surprisingly, the Daam malware can not only collect information from your existing contacts but also from newly added contacts. 

The hackers behind this malware campaign's command and control (C&C) server get all of the data that Daam has stolen before sending it back. It's important to note that after installation, dangerous apps used to spread malware request access to private device permissions in order to virtually completely control your Android smartphone. 

As if having all of this private information stolen wasn't bad enough, the Daam malware also encrypts all of the files on an infected Android smartphone using the AES encryption algorithm without getting permission from the user. The device password or PIN on a smartphone can also be changed at the same moment, locking you out totally. 

Mitigation tips

Normally, protecting yourself from mobile malware would only require installing one of the top Android antivirus programmes and turning on Google Play Protect on your phone. 

In this instance, though, the Daam malware was made to evade antivirus apps. Because of this, the best method to safeguard yourself against it is to be extra cautious while downloading new programmes. Although sideloading apps may be practical, doing so puts your Android smartphone at risk of becoming infected with malware. For this reason, you should only download apps from authorised Android app shops. Similar to this, you should still read reviews and check an app's rating before installing it because bad apps occasionally manage to get past Google's security checks.

At the same time, you should refrain from clicking any links sent to your smartphone by email or text message from unidentified senders. These links may take you to malicious websites that could trick you into installing malware or use phishing to collect your information. 

Although the Daam malware is relatively new, it is already quite capable of data theft and making life tough for Android smartphone owners. Because of this, we'll probably continue to hear about it.
Read more »
User Privacy
Android Malware Banking Trojan Crypto Apps data security Mobile Security User Privacy

Beware of this Android Banking Trojan that Steals Banking Credentials

 

A financial trojan called "Godfather" which is capable of stealing account credentials from more than 400 different banking and cryptocurrency apps is presently targeting Android users in 16 other countries. 

According to a recent report from the cybersecurity company Group-IB, the Godfather trojan, which was initially uncovered by ThreatFabric back in March of last year, has been dramatically upgraded and updated since then. 

In a second report, the dark web and cybercrime monitoring company Cyble describes how Godfather is also being disseminated in Turkey through a malicious app that has been downloaded 10 million times and pretends to be a well-known music application. 

Godfather is thought to be the replacement for Anubis, a well-known and widely-used banking Trojan before it lost the capacity to get past updated Android defenses, BleepingComputer reported. 

Banking and cryptocurrency apps on the hit list 

The banking trojan has targeted users of more than 400 apps since it first debuted last year, including 215 banking apps, 94 cryptocurrency wallets, and 110 crypto trading platforms. The malware also targeted 49 banking apps in the US, 31 in Turkey, 30 in Spain, 22 in Canada, 20 in France, 19 in Germany, and 17 in the UK, among other nations. 

Surprisingly, Group-IB discovered a section in Godfather's code that stops the malware from aiming for users from former Soviet Union nations and users in Russia, indicating that its developers speak Russian. The malware checks the system language on an Android device after installation to see if it is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. If so, Godfather shuts down and doesn't attempt to steal any stored cryptocurrency or banking accounts.

Modus operandi 

Godfather attempts to acquire persistence on an Android phone after being installed via a malicious app or file by impersonating Google Protect. Once you download an app from the Google Play Store, this genuine software begins to execute. 

The banking trojan then claims to be "scanning" when, in fact, it is hiding its icon from the list of installed apps and creating a pinned "Google Project" notice. Because of this, malware is more likely to blend into the background and is more challenging to remove. 

A targeted user goes about their normal activities because Godfather's symbol is missing. To steal user passwords and empty their accounts, the malware then applies false overlays to well-known banking and cryptocurrency apps. Additionally, Godfather employs a smart tactic to direct people to phishing websites. It accomplishes this by displaying a fake notification that impersonates one of its smartphone's loaded banking or cryptocurrency apps. 

In addition to stealing credentials, the malware is able to record a user's screen, launch keyloggers to capture their keystrokes, route calls to get around two-factor authentication (2FA), and send SMS messages from infected devices. 

Mitigation Tips 

Installing new apps from a third party other than the Google Play Store or other official app stores like the Amazon App Store or Samsung Galaxy Store puts you at risk for Godfather and other Android malware. While sideloading apps could be alluring, since they are uploaded without any security checks, they may be infected with malware and other viruses. 

Additionally, make sure Google Play Protect is turned on so that it can scan both new and old apps for malware. However, you might also want to download one of the top Android antivirus apps for additional security.
Read more »
Tactics
Android Malware Apps Banking Trojan BRATA malware phishing Tactics

This Android-wiping Malware is Evolving into a Constant Threat

 

The threat actors responsible for the BRATA banking trojan have refined their techniques and enhanced the malware with data-stealing capabilities. Cleafy, an Italian mobile security business, has been following BRATA activity and has discovered variations in the most recent campaigns that lead to extended persistence on the device. 

"The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information," explains Cleafy in a report this week.

The malware has also been modified with new phishing tactics, new classes for requesting further device permissions, and the inclusion of a second-stage payload from the command and control (C2) server. BRATA malware is also more focused, as researchers determined that it concentrates on one financial institution at a time and only switches to another when countermeasures render its attacks ineffective.

For example, instead of getting a list of installed applications and retrieving the appropriate injections from the C2, BRATA now comes pre-loaded with a single phishing overlay. This reduces harmful network traffic as well as interactions with the host device. 

In a later version, BRATA gains greater rights to transmit and receive SMS, which can aid attackers in stealing temporary codes such as one-time passwords (OTPs) and two-factor authentication (2FA) that banks send to their clients. After nesting into a device, BRATA retrieves a ZIP archive containing a JAR ("unrar.jar") package from the C2 server. 

This keylogging utility tracks app-generated events and records them locally on the device along with the text contents and a timestamp. Cleafy's analysts discovered that this tool is still in its early stages of development. The researchers believe the author's ultimate purpose is to exploit the Accessibility Service to obtain data from other apps. 

BRATA's development 

In 2019, BRATA emerged as a banking trojan capable of screen capture, app installation, and turning off the screen to make the device look powered down. BRATA initially appeared in Europe in June 2021, utilising bogus anti-spam apps as a lure and employing fake support personnel who duped victims and fooled them into handing them entire control of their devices. 

In January 2022, a new version of BRATA appeared in the wild, employing GPS tracking, several C2 communication channels, and customised versions for different locations. Cleafy has discovered a new project: an SMS stealer app that talks with the same C2 infrastructure as the current BRATA version and the shift in tactics. 

It uses the same structure and class names as BRATA but appears to be limited to syphoning brief text messages. It currently targets the United Kingdom, Italy, and Spain. To intercept incoming SMS messages, the application requests that the user designate it as the default messaging app, as well as authorization to access contacts on the device. 

For the time being, it's unclear whether this is only an experiment in the BRATA team' to produce smaller apps focused on certain roles. What is obvious is that BRATA continues to evolve at a two-month interval. It is critical to be watchful, keep your device updated, and avoid installing apps from unapproved or dubious sources.
Read more »
WhatsApp
Android Malware BRATA Data Hacking data steal malware Ransomware Security WhatsApp

This Android Malware Wipes Your Device After Stealing Data

 

The BRATA Android malware has been updated to include additional functions such as GPS tracking and the ability to execute a factory reset on the device. 

The Android RAT BRATA (the term originates from 'Brazilian RAT Android') was founded in 2019 by Kaspersky security professionals and was used to eavesdrop on Brazilian users. In January 2019, the BRATA RAT was discovered circulating over WhatsApp and SMS communications. 

The RAT was distributed both through Google's official Play Store and through alternative Android app marketplaces. The majority of the infected apps masquerade as an update to the popular instant messaging service WhatsApp, claiming to fix the CVE-2019-3568 vulnerability in the app. The malware will begin keylogging after it has infected the victim's device, adding real-time streaming features to it. 

To connect with other apps on the victim's device, the malware makes use of the Android Accessibility Service function. Many instructions are supported by BRATA, including unlocking the victims' devices, gathering device information, shutting off the device's screen to run tasks in the background, executing any specific application, uninstalling itself, and removing any infection traces. 

Researchers from security firm Cleafy discovered a new variation affecting Android banking users in Europe in December 2021, with the goal of stealing their passwords. The same researchers have now discovered a new version that has the new features mentioned above. 

The Android RAT's current version is aimed at e-banking users in the United Kingdom, Poland, Italy, Spain, China, and Latin America. It uses custom overlay pages to target specific banking applications and steal users’ PINs. All the versions employ the same obfuscation strategies, allowing the danger to remain undetected. 

The following is a list of new features in the most recent BRATA releases: 

• Capability to perform the device factory reset: it appears that TAs are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt. 
• GPS tracking capability 
• Capability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection. 
• Capability to continuously monitor the victim’s bank application through VNC and keylogging techniques. 

Researchers believe that the factory reset option enables threat actors to erase all signs of a hack once it has been completed or when the application detects that it is running in a virtual environment for analysis. 

The report stated, “this mechanism represents a kill switch for this malware. In fact, it was also observed that this function is executed in two cases: 
• A bank fraud has been completed successfully. In this way, the victim is going to lose even more time before understanding that a malicious action happened. 
• The application is installed in a virtual environment. BRATA tries to prevent dynamic analysis through the execution of this feature.” 

The BRATA RAT's recent evolution implies that threat actors are working to improve it in order to broaden its target demographic.
Read more »
User Security
Android Malware Malicious Android Apps Mobile Security User Security

Notorious ‘Joker’ Malware Infects Google Play App with 500,000 Downloads

 

An Android app with more than half a million downloads from the Google Play app store has been discovered hosting malware that secretly transmits users’ contact lists to an attacker-controlled server and signs them up for expensive subscriptions without their knowledge.

Cybersecurity researchers at Pradeo discovered the Joker malware in a messaging-focused app called Color Message which Google has now removed from its official Android app marketplace. The malicious app claimed to make user SMS texting more fun with new emojis. In addition, the researchers have observed the Joker malware replicating clicks in order to generate revenue from malicious ads and connecting to servers hosted in Russia.

“Our analysis of the Color Message application through the Pradeo Security engine shows that it accesses users’ contact list and exfiltrates it over the network,” mobile security firm Pradeo stated. 

“Simultaneously, the application automatically subscribes to unwanted paid services unbeknownst to users. To make it difficult to be removed, the application has the capability to hide its icon once installed.” 

The reviews of the malicious app on the Play Store indicated that some users have observed the unauthorized behavior, with complaints about being charged for services they didn't request access to. Google Play Store has already banned the app from the store. However, the app still poses security concerns for those users who had downloaded it in the past and are advised by researchers to uninstall the app immediately. 

Joker, since its discovery in 2017, has been a notorious fleeceware that is hard to notice because of the tiny footprint of its code and the techniques its developers use to stash it. Over the past few years, the malware has been identified lurking in hundreds of apps downloaded by millions of people and performing an array of malicious activities, including billing fraud and intercepting SMS messages, contact details, and device information of users.

"We are [sic] committed to ensuring that the app is as useful and efficient as possible. For that reason, we reserve the right to make changes to the app or to charge for its services, at any time and for any reason. We will never charge you for the app or its services without making it very clear to you exactly what you're paying for,” the developers behind Color Message state in their terms and conditions.
Read more »
Netflix
Android Malware Financial Credentials Instagram Mobile Security Netflix

Users of Netflix, Instagram, and Twitter are all Targeted by the MasterFred Malware

 

MasterFred is a new Android malware that steals credit card information from Netflix, Instagram, and Twitter users via bogus login overlays. With unique fake login overlays in several languages, this new Android banking virus also targets bank clients. In June 2021, a MasterFred sample was uploaded to VirusTotal for the first time, and it was discovered in June. One week ago, malware analyst Alberto Segura released a second sample online, claiming that it was deployed against Android users in Poland and Turkey. 

Avast Threat Labs researchers uncovered APIs given by the built-in Android Accessibility service to show the malicious overlays after examining the new malware. "By utilizing the Application Accessibility toolkit installed on Android by default, the attacker is able to use the application to implement the Overlay attack to trick the user into entering credit card information for fake account breaches on both Netflix and Twitter," Avast said. 

Malware creators have been utilizing the Accessibility service to simulate taps and traverse the Android UI to install their payloads, download and install other malware, and do various background operations for a long time. MasterFred, on the other hand, stands out in a few ways. One of them is that the malicious apps that transmit malware to Android devices also include HTML overlays that display bogus login forms and collect financial information from users. 

The malware also sends the stolen data to Tor network servers controlled by its operator via the Onion.ws dark web gateway (aka Tor2Web proxy). Because at least one of the malicious apps bundled with the MasterFred banker was recently available in Google's Play Store, it's safe to assume that MasterFred's operators are also distributing this new malware through third-party stores.

"We can say that at least one application was delivered via Google play. We believe that it has been removed already," Avast's research team said. 

Another Android malware was identified in September that managed to infect over 10 million devices in over 70 countries. GriftHorse is the name of the malware, which was found by researchers at mobile security firm Zimperium. GriftHorse's success, according to Zimperium researchers, Aazim Yaswant and Nipun Gupta, is due to the malware's "code quality, which uses a wide range of websites (194 domains), malicious apps, and developer identities to infect people and avoid detection for as long as possible."
Read more »
Mobile Virus
Android Malware Hacking Mobile Mobile Security Mobile Virus

Kaspersky Lab has reported about Android viruses designed to steal money automatically

Viktor Chebyshev, a leading researcher of mobile threats at Kaspersky Lab, spoke in an interview with Russian newspaper Izvestia about Android Trojans that automatically interact with banking applications. After infiltrating the smartphone, Trojans motivate the user to open the application of a particular credit institution and log in to it. And then the malware automatically clicks the necessary "buttons" for the money transfer. This happens so quickly that the victim does not have time to suspect anything by visual signs.

"The developers of such Trojans thoroughly study the structure of the target banking application. Attackers find out that there is a "Login" button in the application and in which area of the screen it is displayed. They know that after clicking on "Log in", fields for entering a username and password appear. And then there is a money transfer button. Based on this information, attackers create a Trojan that uses the documented capabilities of Android for malicious purposes, which allows it to automatically click buttons in the banking application,” the expert said.

At the moment, Kaspersky Lab knows only about one case of the spread of such a virus. However, the expert believes that soon there will be more such viruses since they are very convenient for cybercriminals.

In addition, mister Chebyshev was asked which platform users are more at risk of encountering banking Trojans. He responded that Android. According to the expert, 99.9% of mobile financial threats target Android.

The expert stressed that Russia remains in the top ten countries in terms of the share of users who have faced financial attacks. He added that mobile threats are still active and continue to develop since it is difficult to find both victims and attackers.

Read more »
Security Alert
Android Malware Android Users Joker malware malware Security Alert

Joker Malware Targeting Android Users Again

 

Recently Joker virus has been discovered in a few Google Play Store apps. The malware infiltrates a user's device through applications, collects data, and then subscribes these users to premium memberships without the individual's consent or agreement. 

Since three years, the Joker Trojan malware has been discovered in Google Play Store apps. In July 2020, the Joker virus infected over 40 Android apps available on Google Play Store, forcing Google to remove the compromised apps from the Play Store. Users' data is stolen, including SMS, contact lists, device information, OTPs, and other major data.

Quick Heal Security Labs recently discovered 8 Joker malware on the Google Play Store. These eight apps were reported to Google, and the company has since deleted them all from its store. 

The following are the eight apps that have recently been discovered to be infected with the Joker Trojan virus and should be deleted from any Android device: 
-Auxiliary Message 
-Fast Magic SMS 
-Free CamScanner 
-Super Message 
-Element Scanner 
-Go Messages 
-Travel Wallpapers 
-Super SMS 

Through SMS messages, contact lists, and device information, the Joker Trojan collects information from the victim's device. The Trojan then interacts discreetly with advertising websites and, without the victim's knowledge, subscribes them to premium services. 

According to the Quick Heal report, these applications request notification access at launch, which is then utilised to obtain notification data. After that, the programme takes SMS data from the notification and requests Contacts access. When permission is granted, the app makes and manages phone calls. Afterwards, it keeps working without displaying any suspicious attacks to the user. 

“Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zcaler stated in a blog post.
Read more »
Phishing Attack
Android Malware Cybersecurity phishing Phishing Attack

Android Malware, FakeSpy Spying on Users' Banking Information Acting as Postal Services


A new Android malware, FakeSpy that can potentially steal an individual's banking details, read contact lists, application, and account information along with other personal data, is seen to be spreading across the globe. Earlier, the Android malware was targeting limited regions; the new campaign propagating the malware spreads itself using SMS phishing attacks.

The Android malware was originally discovered in 2017 while it was attacking users in Japan and South Korea, however, now security researchers have identified more potent variants of the malware attacking users in various countries like United States, Germany, France, Taiwan, United Kingdom, and China to name a few.

FakeSpy, labeled as 'the information stealer', is evolving rapidly, undergoing active development that can be seen in the weekly release of new variants of malware with different levels of potential and evasion capabilities.

"The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well-equipped. These improvements render FakeSpy one of the most powerful information stealers on the market. We anticipate this malware to continue to evolve with additional new features; the only question now is when we will
see the next wave," Security researchers at Cybereason told.

The tailored attacks are being found to be linked with a financially motivated Korean-or Chinese-speaking cybercriminal group known as 'Roaming Mantis' that had been involved in other similar operations, according to the research carried out by researchers at Cybereason.

FakeSpy is operating with the agenda of making financial gains through stolen credentials and banking information of users, the campaign includes sending postal-themed messages to the targeted user's contacts.

While giving insights into the attack, Assaf Dahan, senior director and head of threat research at Cybereason told ZDNet, "We are under the impression that this attack is what we often refer to as "spray and pray." I don't believe they are aimed at a particular individual, but instead, the threat actors try their luck, casting a rather wide net, and waiting for someone to take a bite."

"We see new developments and features added to the code all the time, so my guess is that business is good for them," he further added.
Read more »
Mobile Malware
Android Android Malware Coronavirus malware Mobile Malware

Android users may face hacker attacks under the guise of applications about coronavirus


Cybercriminals attack users of Android mobile devices using malicious applications disguised as legitimate information software about the new COVID-19 coronavirus infection. After installing the malicious app, the hacker gained control of the victim's Android device through access to calls, SMS, calendar, files, contacts, microphone, and camera.

Hackers continue to exploit people's fear of spreading the virus: malicious applications were found by experts on sites with domains associated with the coronavirus. Researchers have not yet discovered such applications on the Google Play Store.

Experts report that the apps were created using the Metasploit tool used for penetration testing. This software allows anyone with basic computer knowledge to create malicious applications in just 15 minutes: it’s enough to configure Metasploit for your goal, select the exploit and payload.

Such applications can easily gain control of the device. After launching on a device running on the Android operating system, the application hides the icon from the screen so that it is more difficult to detect and remove it.

Vasily Diaghilev, head of Check Point Software Technologies representative office in Russia and the CIS, says that in the current situation, the most alarming thing is how quickly and easily malicious applications can be created and reminds us of the need to follow the rules of digital hygiene.

Check Point researchers previously reported that more than 30,103 new coronavirus-related domains were registered in the past few weeks, of which 0.4% (131) were malicious and 9% (2,777) were suspicious. In total, since January 2020, more than 51 thousand domains associated with the coronavirus have been registered.
Read more »
Mobile Malware
Android Android Malware Check Point Google Play Store malware Mobile Malware

Check Point: 56 apps from the Google Play Store hide a new dangerous malware


Check Point experts have identified a new family of malware in the Google Play Store. It was installed in 56 Google Play Store apps that have been downloaded almost a million times by users worldwide. 24 apps among the damaged 56 are children's games, as well as utilities such as calculators, translators, cooking apps and others. As it is specified, applications emulate the behavior of a real user.

Tekya malware uses the MotionEvent mechanism in Android that simulates a click on an ad banner (first discovered in 2019) to simulate user actions and generate clicks.

Imitating the actions of a real person does not allow the program or a third-party observer to understand the presence of fraud. This helps hackers to attack online stores, make fraudulent ads, promote advertising, promote sites in search engine results, and also serve to carry out banking operations and other illegal actions.

During the research, Tekya went unnoticed by the VirusTotal and Google Play Protect programs.
Hackers created copies of official popular apps to attract an audience, mostly children since most apps with Tekya malware are children's games.

However, the good news is that all infected apps have already been removed from the Google Play.
This case shows that malicious app features can still be found in Google Play. Users have access to almost 3 million apps in the Google Play Store, and hundreds of new ones are downloaded daily, making it difficult to check the security of each individual app.

Although Google is taking steps to ensure security and prevent malicious activity on the Google Play Store, hackers are finding ways to access users' devices through the app store. So, in February, the Haken family of malware was installed on more than 50 thousand Android devices through various applications that initially seemed safe.
Read more »
Russian Cyber Security
Android Malware malware Russia Russian Cyber Security

Russian banks discovered a new virus to steal money


From this year, hackers began to use new viruses that can enter the bank’s application on a mobile device and withdraw money from the victim’s account. Two Russian banks have already reported on this type of fraud.

Hackers use a new type of attack for the Android operating system. Fraudsters disguise viruses as applications or distribute them as links. After downloading and installing such a file, the virus begins to perform its functions without the user's knowledge. The programs are able to automatically transfer money from the victim's account to cybercriminals through the available mobile banking application.
Group-IB specialists first discovered such an attack in the spring of 2019. Then the new mobile Trojan Gustuff was modified, which appeared in December 2018 and created by a Russian-speaking hacker. This type of virus, experts noted, threatened only 100 foreign banks.

A new type of Trojan attacked at least two Russian banks in 2019 - Moscow Credit Bank and Post Bank. Representatives of the first noted that there are few cases of theft. The second confirmed one-time problems and talked about preventing fraud.

"From July 2018 to June 2019, hackers were able to steal 110 million rubles (1,7 million $) with the help of Trojans for Android," reported Group-IB.
However, compared to the same period last year, the indicator fell by 43%. It is reported that now hackers have mainly switched to the international market and only in rare cases continue to modify the application to attack the Russians.

According to the representative of Group-IB, the activity of Trojans in Russia decreased after the detention of the owners of the largest Android botnets, as a result of which hackers switched to the international market.

"However, some attackers modify applications and sell Trojans for subsequent attacks on users in Russia. This is a rare practice."

Earlier, the head of the Computer Security Association, Roman Romachev, said that data leaks will continue until banks become responsible for this.
Read more »
malware
Android Malware malware

Experts found a fraudulent network that infected about 800 thousand Android phones in the Russian Federation


A large-scale hacker attack was discovered, the victims of which were about 800 thousand smartphones in Russia. Criminals managed to get access to several million Euros in the Bank accounts of Russians.

It is clarified that Avast specialists determined that the Russian smartphones were attacked by a banking botnet that collects information and personal data. The infection has occurred since 2016.

It turned out that all infected devices were connected to Geost. As a result, attackers were able to remotely control the gadget. Hackers could send and receive SMS messages. The dangerous program was disguised as various banking services and social media applications, so it was easy to download it. The main targets of the Trojan were five banks located in Russia and Android devices.

Geost botnet used 13 command and control servers to launch hundreds of malicious domains. It was possible to expose it because of the mistake made by the scammers. They used a proxy network created by the malware HtBot, in which information was not encrypted. So, experts were able to find personal correspondence of criminals, which mentioned money laundering.

According to Avast employee Anna Shirokova, the company managed to gain access to the correspondence of cybercriminals and malware. "We got a really unprecedented idea of how such groups work," Shirokova shares her success. In total, experts studied eight months of correspondence, which was attended by 29 of the attackers.

The exact amount of theft is not called. Avast also did not specify who exactly was involved in the creation of the botnet.

According to researchers, the Geost botnet could control several billion rubles in the accounts of victims.

Earlier, E Hacking News reported that International company Group-IB has recorded a new Android Trojan campaign, the victims of which are customers of 70 banks, payment systems, web-wallets in the Russian Federation and the CIS. The potential damage from the Trojan, called FANTA, amounted to at least 35 million rubles ($547,000). According to the company, the Trojan is aimed, in particular, at users who place purchase and sale advertisements on a Russian classified advertisements website Avito.
Read more »
malware
Android Android Malware Group-IB Information Security News malware

Avito users were targeted by a dangerous Android Trojan


International company Group-IB, which specializes in the prevention of cyber attacks, has recorded a new Android Trojan campaign, the victims of which are customers of 70 banks, payment systems, web-wallets in the Russian Federation and the CIS. The potential damage from the Trojan, called FANTA, amounted to at least 35 million rubles ($547,000).

FANTA belongs to the Flexnet malware family, which is known to experts since 2015 and studied in detail. The Trojan and its associated infrastructure are constantly evolving: attackers are developing more effective distribution schemes, adding new functionality to more effectively steal money from infected devices and bypass security measures.

According to the company, the Trojan is aimed, in particular, at users who place purchase and sale advertisements on a Russian classified advertisements website Avito.

Attackers find contact details of sellers in a network, and after a while the victim receives personalised SMS about the transfer of full cost of goods to his account. The message contains a link where sellers can find payment details. Then the link opens a phishing page on the Avito website, which notifies the seller of the purchase and contains a description of his goods and the amount received from the sale of the goods. After clicking on the "Continue" bottom, FANTA malware disguised as the Avito application is downloaded to the phone.

The receipt of bank card data is carried out in a standard way for Android Trojans: the user opens phishing site that disguises as legitimate mobile banking application where the victim enters their bank card details", the Group-IB described the scheme of attackers.

Moreover, FANTA analyzes which apps are running on the infected device. Experts found that in addition to demonstrating pre-prepared phishing pages, FANTA also reads the notifications text about 70 banking applications, fast payment systems and e-wallets. In addition, an important feature of FANTA, which the creators paid special attention, is the bypass of anti-virus tools.

According to Group-IB, the latest attack was aimed at Russian — speaking users, most of the infected devices are located in Russia, a smaller part is in Ukraine, Kazakhstan and Belarus.
It's interesting to note that FANTA developers are able to hack the devices of users of about 30 different Internet services, such as AliExpress, Youla, Pandao, Aviasales, Booking, Trivago, as well as taxi and car sharing services.

Earlier in another Russian service of free ads Youla stated that the company plan to completely remove the display numbers, keeping all communications within the service.
Read more »
Malware in Google Play
Android Malware Apps Fake Apps Google Google Play Malware in Google Play

Google removes 16 apps infected by 'Agent Smith' malware

Every now and then, Android keeps getting visited from deadly malware attacks that put user and their data at lots of risks. This time, it's a new malware called Agent Smith and like its name, this malware is sneaky in what it's designed to do - bombard your phone with ads. Agent Smith also has properties to stick to other apps installed on the phone and ensure that the malware infection stays the same. The malware was first detected by Check Point and after working with Google, the infected apps have been removed from Google Play Store.

After it was informed of the infection, Google has identified and removed 16 apps from the Play Store that are known to be infected by Agent Smith. These apps are no longer available for download from the Play Store and there won't be further updates for these apps via the Play Store. However, Google can only remove the app from the Play Store but it can't wipe these apps from an individual's Android phone. Hence, if you have the following apps installed on your Android phone, you should uninstall them immediately.

Ludo Master - New Ludo Game 2019 For Free

Sky Warriors: General Attack

Color Phone Flash - Call Screen Theme

Bio Blast - Infinity Battle Shoot virus

Shooting Jet

Photo Projector

Gun Hero - Gunman Game for Free

Cooking Witch

Blockman Go: Free Realms & Mini Games

Crazy Juicer - Hot Knife Hit Game & Juice Blast

Clash of Virus

Angry Virus

Rabbit Temple

Star Range

Kiss Game: Touch Her Heart

Girl Cloth Xray Scan Simulator

However, Agent Smith can cling on to other popular apps and make it difficult for users to identify which app has been affected by it. Two most popular apps in India include WhatsApp - through which it has infected 1.5 crore Android phones, and Flipkart.
Read more »
Hacking
Android Malware BasBanke Business hacking. Cyber Crime Hacking

“BasBanke”: Android Malware That Hacks Financial/ Personal Data!








Introducing “BasBanke”, another malware in the already long list of Android malware, with Brazilians’ financial and personal details on the target.

Credit/debit card numbers, other financial data, and personal data of Brazilians is what the cyber-cons are hunting for, via the malware.

This malware has been effective through malicious applications since 2018 Brazilian elections. Downloads of over 10,000 from the Google store were made.

By way of social media platforms like Facebook and WhatsApp the user were tricked into downloading the malware.



Later on attacks like ‘keystroke logging’, ‘SMS interception’ and ‘screen recording’ were also observed.

The advertising campaign’s URL hinted to the legitimate Google Play Store.
A malicious app which goes by the name of “CleanDroid” is another of the malicious apps which was advertised about on Facebook along with a download link.

The aforementioned application pretends to help in protecting the victim’s device from viruses and optimizing memory space.


Google play store hosts a lot of such illegitimate android apps who pretend to be QR readers or travel guides all the way tricking the victim.

A similar malicious campaign was discovered by a leading anti-virus organization but with relatively less distribution rates.

On the distributor front, social media played a vital role in it too.



Hunting and hacking down the metadata such as IMEI, telephone numbers, device names along with other personal stuff is the main agenda.

This data after getting collected is sent to the HQ of the cyber-hackers via C2 server.

Platforms like Netflix, YouTube and Spotify immediately turned up their security measures after perceiving that the banking details were being hunted.

Read more »
Google Ads
Android Malware cyber-criminals Google Ads

Popular Android App being Tampered by Hackers to Disseminate Malware


In an attempt to disseminate Triout Android malware, attackers corrupted the widely used Android app in Google Play.
The new (corrupted) version of the app which delivers the malware was discovered by security researchers at Bitdefender. Reportedly, “com.psiphon3”, the app package which is known for giving uncensored access to the content on the internet was exploited by cybercriminals as they reconfigured it with spyware framework.
The threat actors decided to distribute the corrupted version of the app via third-party app stores instead of going conventional by delivering it via the Google Play store and to generate revenue, they tied up the app with Google Ads, Mopub Ads, InMobi Ads, and various other adware components.
 While hiding its presence into the device, Triout Android Malware is programmed to collect phone calls, record videos, take pictures, access text messages, and GPS. It transfers the gathered information to the hackers’ command and control server.
As per the researchers at Bitdefender, the original and the tainted app shares the same UI which means the criminals only inserted the Triout spyware component while tampering the app and they tampered v91 of the app which currently is running on v241.
Referencing from the findings of researchers, “The original legitimate application is advertised as a privacy tool that enables access to the open internet when bundled with the Triout spyware framework it serves the exact opposite purpose.”
 “While the Triout Android spyware framework itself does not seem to have undergone changes in terms of code or capabilities, the fact that new samples are emerging and that threat actors are using extremely popular apps to bundled the malware,” 


Read more »
Spyware
Adobe Reader Android Malware APK Files PDFs Spyware

Malware through PDF Attachments..?





A recent malicious campaign discovers the delivery of PDF documents to the users as an attachment through phishing messages in order for them to download a malicious Android executable file.

The PDFs utilize various ways such as “To open this document, update the adobe reader” or “To unlock this document press below button" to grab the user's attention. At the point when the user finally perform the requested click activity on that document, a malevolent APK (Android executable) file is downloaded from a link that was present in that PDF, which further downloads original Adobe Reader.


This malware additionally has the ability to peruse contacts, read, the browser bookmarks, and key-logging and to inhibit the background processes.

It distinguishes whether the phone is rooted or non-rooted and proceeds accordingly at the same time gathering information on the longitude and latitude  data while tracking SMS notifications and call status'  and then sending the information to the servers controlled by the attackers.


It is therefore recommended for the users to abstain from downloading applications from the third-party application stores or links and other connections given in SMSs or emails. Also to avoid opening mails and attachments from obscure sources and to dependably keep 'Unknown Sources' disabled as enabling this option permits the installation certain applications from obscure sources.

But more importantly, to keep the device OS and mobile security application always updated in order to protect their privacy.

Read more »
PayPal
Android Malware PayPal

An Android Malware's Robbing PayPal Accounts!



Security researchers have advised the Android users to keep a check on their PayPal accounts as quite recently, an Android malware has emerged which could easily dodge the security authentication of the application.

Not of late, a case got reported wherein a 1,000 pounds attempt at pilfering the victim’s PayPal account was made.

The attacking cyber-con enters the victim’s PayPal account on their own and easily penetrates the application’s Two-Factor-Authentication (2FA). There’s no role of harvesting login credentials.
 
The users, who have and haven’t activated their Two-Factor-Authentication, are susceptible to this attack alike.

The malware which is reportedly being distributed by a third party, primarily, has the Android’s PayPal app on its radar. Other malware with the same disposition have also been dug out.

By manipulating Android’s Accessibility Services is how the cyber-con behind it all, targets its aim on PayPal.

A researching organization got its hands on the malware which is distributed on third-party app stores and was concealed behind the veil of a battery optimization tool which goes by the name of “Optimization Android”.
Google Play Store has been a part of hearsay because of other malware that have been found on it which possess a similar flair for targeting banking apps.

The aforementioned malware’s key operation is to pilfer money from its target’s PayPal account by initiating a malicious service into the victim’s system.

And to activate this service a request is sent to the victim by the so called bland “Enable Statistics Service”.

If on a vulnerable device the official PayPal is downloaded, the malware would flash a notification to launch it.

The attacker need only wait for the user to log into the app. Once that happens, the “Accessibility Service” would start to impersonate the user’s click and will transfer the money from the victim’s account to the PayPal Address of the cyber-con.

According to the researchers, the attack doesn’t take more than seconds to fall through and in no practical reality can a user stop it in time.


The kind of currency that gets transferred hinges on the victim’s location. The work’s done within a short duration of 5 seconds.
 
The only loophole for the attackers and the only chance at the users’ safety is the kind of balance the victim has. That is, if there is less balance in the account than what the attacker has asked for and no payment cards attached to the account.

Every time the official PayPal application is launched onto the system, the improper “Accessibility Service” gets activated, making the device vulnerable to numerous more attacks.

PayPal has been officially contacted and informed about the erroneous makeup of the application and the risk the users entail.

Five other applications with an analogous disposition to the Optimization Android have been exposed in recent times, on the Google App store.

Rumor has it, that the users with this app already on their ‘downloaded apps’ list have potentially by now entered the trap and fallen prey to the attack.

A few users in Brazil have also come across this unfortunate attack.


Remedies And Advice From The Researchers
·         Keep on checking the application for any fishy transactions. If found, contact the PayPal Resolution Center and report the issue.
·         Keep track of the PayPal account balance.
·         It would really help to change the internet banking and connected e-mail passwords.
·         Try using “Android’s Safe Mode” and try uninstalling the app with the name, “Optimization Android”.
·         Keep your devices updated.
·         Keep a check on what permissions you grant to the application so downloaded.
·         Only use the official Google Play Store App to download other applications.


Read more »
Subscribe to: Posts (Atom)