New variant of Java RAT can use your Android device to mine Litecoin

A new variant of the old Java RAT "UNRECOM" is being distributed via spam emails, Trend Micro reports.

One such spam mail, pretending to be from American Express, informs recipients that their account has been suspended due to suspicious activity.

"Attached to this mail is your statement with the irregular activities highlighted. Please fill in the required information in the form also attached, this is required for us to continue to offer you service in a safe and risk free environment," the spam mail reads.

The attachment is none other than the Java Remote Access Trojan.

So, what is new?

We already know this Java RAT can run on multiple platforms. Now it is capable of running on Android devices as well, and it ships with a Litecoin-mining plugin. Beyond that, it can capture screenshots and display messages.

In addition, the malware also has an APK binder component, meaning it can be used to take legitimate Android apps and turn them into malware.

Android malware iBanking helps attackers to hack Facebook account

An attacker can't hack a Facebook account that has two-step authentication enabled, even if he knows the username and password. But if you think two-step authentication is enough to keep your Facebook account safe from hackers, think again!

Cyber criminals have started using the Android banking Trojan "iBanking" to bypass Facebook's two-factor verification.

iBanking is a malicious Android application capable of intercepting SMS messages, forwarding incoming voice calls to any number and recording the victim's voice using the microphone.

Recently, RSA noted the release of the source code for the iBanking Trojan. This leak helped other cyber criminals customize the Trojan to their needs.

ESET reports that a customized iBanking malware targeting Facebook users is being delivered via a new variant of the computer banking Trojan Qadars.

When a system is infected with the Qadars Trojan, it shows a message when the user logs into Facebook, telling them "Facebook introduces new extra safety protection system" and instructing them to install an Android app. This app lets the cybercriminals intercept SMS so that they can bypass Facebook's two-factor verification.

"The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud," researchers said.

Android malware steals money from QIWI Wallets

Cyber criminals are continually finding new ways to earn money from infected devices. We already know of SMS Trojans that earn money by sending premium-rated messages from infected Android devices.

Experts at Kaspersky have recently spotted a new Android Trojan that not only sends SMS messages to premium-rate numbers but also steals money from QIWI electronic wallets.

Visa QIWI Wallet is an electronic payment service that can be used to pay for goods and services around the world, receive payments, and transfer money.

Once installed on a device, the malware, dubbed 'Waller', attempts to communicate with a command and control (C&C) server located at playerhome.info and awaits further commands.

The malware can check the balance of the infected phone by sending an SMS to the mobile network operator and intercepting the reply, send SMS, open web pages, and download and install other malware. It is also capable of updating itself and sending SMS to the victim's contact list.

This Trojan also checks the balance of the QIWI Wallet by sending an SMS to 7494. The response message is intercepted by the Trojan and forwarded to the cyber criminals. If there is money in the wallet, the malware sends a message to 7494 with the attacker's wallet number and the amount to be transferred.
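As an added example (not code from the Kaspersky report or this post), the detection logic below scans a constructed SMS log for the three-step sequence just described: a balance query to 7494, the short code's reply, and an outbound transfer message carrying a wallet number and an amount. The message bodies, the transfer-message layout and the 120-second window are assumptions; the report does not give the exact command format.

```python
import re
from dataclasses import dataclass
from typing import List

QIWI_SHORTCODE = "7494"   # short code quoted in the Kaspersky write-up
WINDOW_SECONDS = 120      # assumed: how tightly the three messages must cluster

@dataclass
class Sms:
    ts: int         # seconds since epoch (constructed values below)
    direction: str  # "out" = sent by the phone, "in" = received
    peer: str       # number or short code on the other end
    body: str

# Assumed layout of the transfer message: a 10-12 digit wallet number followed by an amount.
# The report only says the message carries the attacker's wallet number and the amount.
TRANSFER_RE = re.compile(r"\b(\d{10,12})\b\D+\b(\d+(?:[.,]\d+)?)\b")

def find_wallet_drain(log: List[Sms]) -> List[dict]:
    """Return one alert per balance-query / reply / transfer sequence with the QIWI short code."""
    alerts = []
    for i, query in enumerate(log):
        if not (query.direction == "out" and query.peer == QIWI_SHORTCODE):
            continue
        reply = None
        for later in log[i + 1:]:
            if later.ts - query.ts > WINDOW_SECONDS:
                break                      # sequence did not complete inside the window
            if later.peer != QIWI_SHORTCODE:
                continue
            if reply is None and later.direction == "in":
                reply = later              # the balance response the Trojan intercepts
            elif reply is not None and later.direction == "out":
                m = TRANSFER_RE.search(later.body)
                if m:
                    alerts.append({"query_ts": query.ts, "transfer_ts": later.ts,
                                   "wallet": m.group(1), "amount": m.group(2)})
                    break
    return alerts

# Constructed sample log: one Waller-style drain followed by an ordinary user text.
SAMPLE_LOG = [
    Sms(100, "out", "7494", "BALANCE"),                       # body assumed
    Sms(105, "in", "7494", "Your QIWI balance is 1500 RUB"),  # body assumed
    Sms(110, "out", "7494", "79990001122 1500"),              # wallet + amount, layout assumed
    Sms(200, "out", "+79001112233", "see you at 6"),
]

if __name__ == "__main__":
    for alert in find_wallet_drain(SAMPLE_LOG):
        print(f"possible wallet drain: {alert}")
```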

The Trojan is being distributed via SMS spam and a cybercriminal site that disguises it as various applications.

Pileup flaw: Android updates can be exploited by malware to gain permissions

Upgrading an operating system patches the security holes in the previous versions. However, researchers found a bug in the Android upgrade process itself, which can be exploited by malicious apps.

A team of researchers from Indiana University and Microsoft have published a paper explaining new critical security bugs, referred to as "Pileup flaws". The vulnerability exists in the Package Management Service (PMS) of Android.

When a user upgrades Android to the latest version, a malicious app with few or no permissions in the old version can exploit this vulnerability to update itself with a new set of permissions.

An attacker can exploit this vulnerability to steal sensitive information from the compromised device, change security configurations and prevent the installation of critical system services.

Researchers say they have confirmed the presence of the security hole on all official Android versions as well as 3,000 customized Android versions.

The researchers have also developed a new service called 'SecUp', which is capable of detecting malicious apps designed to exploit Pileup vulnerabilities.

Dendroid, a new Android malware toolkit

The amount of malware for the Android platform is increasing day by day, and cybercriminals are trying to sell Android malware toolkits to others. The first Android remote admin tool was AndroRAT, which is believed to be the first ever malware APK binder.

Symantec researchers have learned of another Android malware toolkit called "Dendroid" being sold in underground forums.

A cybercriminal going by the online handle "soccer" in the underground forum is selling this HTTP-based RAT, which is said to have many malicious features.

The toolkit is able to create a malicious APK file capable of 'deleting call logs', 'call to any number', 'open webpages', 'record calls', 'intercept sms', 'take and upload photos&videos', 'dos attack'.

Researchers say the cybercriminal also offers 24/7 support for this RAT. Others can buy this toolkit for $300 paid in cryptocurrencies such as Bitcoin or Litecoin.

Experts have mentioned that this RAT has some link with the earlier AndroRAT, saying "the author of the Dendroid APK binder included with this package had assistance writing this APK binder from the author of the original AndroRAT APK binder."

Android SMS malware hosted on Google Play infects 1.2 Million users

Experts often suggest downloading Android apps only from Google Play to avoid malware infection. But that doesn't mean we can trust all of the apps hosted on Google Play.

Security researchers from Panda Security have found more than five malicious apps hosted on Google Play.

The apps in question appear to target users in Spain. The names of the apps are in Spanish: “Peinados Fáciles” (Easy Hairdos), “Dietas para Reducir el Abdomen” (Abs Diets), “Rutinas Ejercicios para el Gym” (Workout Routines) and “Cupcakes Recetas” (Cupcake Recipes).

The apps obtain the phone number of the infected device from WhatsApp and use it to sign the victim up to premium-rate SMS subscription services.

Researchers say that each of these apps has been downloaded by between 50k and 100k users, meaning that between 300k and 1.2 million users might have been affected by this malware.

“The truth is that fraudsters are making insane amounts of money from these premium services. A conservative estimate of, let’s say, €20 paid by each user would result in a huge sum of 6 to 24 million euros stolen from victims”, said Luis Corrons, Technical Director of PandaLabs.

Android malware delivered via Windows when debugging mode is enabled

Be careful if you are connecting your Android device to other computers!
A new Windows-based malware installs a malicious application on Android devices that have debugging mode enabled.

Usually, malware applications get installed on your device only if you have changed the default security settings to allow apps from third-party app stores. But malware analysts at Sophos say malware can still reach your device even if you have not enabled so-called "off-market" apps.

When you have USB debugging mode enabled, you can install apps directly from your Windows machine. A new Windows-based malware appears to be taking advantage of this facility.

The malware first registers itself as a system service and downloads a configuration file, "iconfig.txt". The iconfig.txt file contains the list of exe files to be downloaded to the infected machine.

"Samsung.exe, LG.exe, AdbWinApi.dll, AdbWinUsbApi.dll, aadpt.exe, adb.exe, AV-cdk.apk, ok.bat" are the files downloaded by the malware.

"ok.bat" is a batch file that runs "C:\Users\Yourname> adb install AV-cdk.apk" from your command prompt, which results in the malicious APK file being installed on your Android device.

The name of the APK file sounds like it is pretending to be an antivirus, but once installed, the app disguises itself as the "Google Play store".

Researchers suggest turning off the Android debugging option when you don't need it.

Android malware HeHe steals messages and intercepts phone calls

Security researchers from FireEye Labs have discovered six variants of a new Android malware dubbed "Android.HeHe", which is capable of stealing SMS and intercepting phone calls.

The malware is being distributed as a security update for the Android OS. Once it infects a device, it communicates with the command and control (C&C) server and monitors incoming SMS.

Phone details including the IMEI, IMSI (International Mobile Subscriber Identity), phone number, OS version and phone model are transferred to the C&C server.

It also checks whether the IMSI code is null to determine whether it is being executed in an emulator or on a real device (emulators don't have an IMSI code).

The C&C server responds to the device with a list of phone numbers. If the infected device receives an SMS or phone call from one of these numbers, the threat intercepts the message or call.

Text messages from one of these numbers are captured and stored on the attacker's server. Any phone calls from these numbers are silenced and rejected.

Fake Minecraft Android App sold at cheap price contains virus code

A fake version of the Android app "Minecraft - Pocket Edition" has been found hosted on third-party marketplaces, and it contains malware code.

These kinds of fake and malicious versions of apps are usually available for free. However, the cyber criminals made an exception for this app, which is being sold for half the price of the original app.

PC Magazine reports that F-Secure researchers have discovered a trojanized version of Minecraft PE asking users to pay 2.50 euros; the original app costs 5.49 euros.

The cyber criminals didn't stop at scamming users with a fake version; they also added malicious code. It sends SMS to premium-rate phone numbers and signs victims up to expensive services.

Researchers have noticed that this malicious app uses a hacking tool called "Smalihook" to bypass "an authentication routine that causes it to fail to run if it does a certificate verification check and doesn't find the correct certificate".

The good news is that it is only hosted in some third-party app stores, not in the official Google Play store. This is one more example of why you should never trust third-party app stores; always download apps from Google Play.

One of the largest Android botnets, 'MisoSMS', steals messages

Security researchers from FireEye have uncovered one of the largest Android botnets, which they dubbed "MisoSMS". The botnet is said to have been used in at least 64 spyware campaigns.

According to the report, the malware is disguised as an "Android settings" application used for administrative tasks.

The threat is designed to steal messages from victims and email them to a command and control (C&C) server located in China.

Most of the infected devices are in Korea. The cybercriminals behind this botnet logged into the server from Korea, China and a few other locations in order to read the stolen messages.

FireEye said they are collaborating with Korean law enforcement and a Chinese webmail vendor in an effort to disrupt this botnet.

New variant of Mouabad malware can make phone calls from your Android mobile

We already know that there is Android malware capable of making money for cyber criminals by sending SMS to premium-rate numbers.

A new variant of the Android mobile malware 'Mouabad', spotted by Lookout, allows cyber criminals to make phone calls from infected devices without user intervention.

The malware is cleverly designed to avoid detection: it attempts to make phone calls only when the device is locked. When the victim unlocks the device, it ends the call.

However, it can be easily detected by looking at the call history, as the malware is not designed to delete the call logs.

Fortunately, the malware only works on Android versions older than 3.1, so those who have the latest Android version need not worry.