Malware detected in Martel’s cameras used by police department

iPower Technologies, a U.S security company and network integrator, has discovered a copies of Conficker malware in the Martel Frontline Camera with GPS, one of the largest manufacturers of police in-car video systems in America, whose product is being sold and marketed as a body camera for official police department.

The Florida-based company, which is currently working to develop a cloud based video storage system for government agencies and police departments to store and search camera video, said that it had received cameras from the supplier Martel Electronics were loaded with 2009's baddest botware.

It was not the first time, the Conficker flaw was discovered in late 2008 when researchers found that the malware, which at that point had already infected millions of PCs, had been set to perform an unspecified update activity on April 1, 2009.

Jarrett Pavao and Charles Auchinleck, researchers from the security company, found that when the cameras were connected to a computer, they tried to execute the Worm ‘Win32/Conficker.B!inf variant’.

“When the camera was connected to a computer, iPower's antivirus software immediately caught the virus and quarantined it.  However, if the computer did not have antivirus actively protecting the computer it would automatically run and start propagating itself through the network and internet, iPower said in a post.

"In the iPower virtual lab environment, packet captures were also run on the infected PC to view the viruses' network activity using Wireshark. The virus, classified as a worm virus, immediately started to attempt to spread to other machines on the iPower lab network, and also attempted several phone home calls to internet sites," the post added.

After the findings, iPower said to have tried to contact Martel Frontline Camera in order to report the flaws. However, the company concerned is yet to give any response. 

Researchers find new POS malwares

Researchers have now discovered two new and different strains of point of sale (POS) malware including one that has gone largely undetected for the past five years.

Researchers have described Cherry Picker, a set of PoS malware which in one form or another has been targeting businesses that sell food and beverage since 2011.

The malware is reportedly said to be used in a recent breach at an unidentified U.S. restaurant chain.
The new form of memory-scraping POS malware has become a threat for retailers.

The Federal Bureau of Investigation (FBI) has released a warning to keep guards against the malware as it can infect any Windows-based POS network and can encrypt the data stolen, making detection difficult.
Researchers with Trustwave have noticed some basic elements of the malware back in 2011 but the malware has gone through three iterations in the years since, adding new configuration files, ways to scrape memory, and remain persistent. 

The malware has managed to stay covert since many years by using a combination of configuration files, encryption, obfuscation, and command line arguments. 

During his research Eric Merritt, the primary researcher who observed the malware found a file on a system infected by Cherry Picker that helped cover the malware’s tracks all these years, too. The file contains hardcoded paths to the malware, exfiltration files, and legitimate files on the system. A special “custom shredder function” in the code goes ahead and overwrites the file multiple times with 00’s, FF’s, and “cryptographic junk” before going on to shred a list of malware and exfiltration file locations, and the executable itself. From there, the code removes any remaining traces of the PoS malware.

With this reaserchers have also discovered the existence of another type of POS malware known as Abaddon. This is relatively newer to Cherry Picker.

Vawtrak, a banking Trojan, downloaded TinyLoader, a downloader which in turn, downloaded another downloader which downloaded shellcode that turned into Abaddon.

“AbbadonPOS appears to have features for anti-analysis, code obfuscation, persistence, location of credit card data, and a custom protocol for exfiltrating data. Much like malware as a general category, the sophistication of this new malware over prior malware continues to increase,” said Kevin Epstein, Vice President of Threat Operations at the firm.

In addition, security firm Trend Micro is warning of a new malware called Malum POS which targets the Oracle Micros POS system.

Attackers are going to have several choices when it comes to POS malware this season.

18,000 Android apps found with malicious code that steals messages

Researchers from Palo Alto Networks, has confirmed that Taomike, a Chinese mobile advertising company, has been distributing a malicious Software Development Kit (SDK) that allows Android developers for implementing in-app purchases (IAPs) for Android apps.

The SDK, which can be downloaded for free via Taomike, steals all messages on infected phones and sends them to the Taomike controlled server.

The SDK is being offered as a free download by Chinese company Taomike, and can be used to allow Android developers to create mobile apps that provide in-app purchases via SMS messages.

Palo Alto Networks posted in a blog stating since August 1, Palo Alto Networks WildFire has captured over 18,000 Android apps that contain the library. These apps are not hosted inside the Google Play store, but are distributed via third party distribution mechanisms in China.

Taomike provides the SDK and services to help developers display rich advertisements with a high pay rate. Although, it has not previously been associated with malicious activity, a recent update to their software added SMS theft functionality.

According to a report published in MNR Daily, there has been an increment in the number of cases of Chinese advertising company's developing malicious SDKs and APIs being used by developers to develop their own apps.

But, these apps built using the malicious SDKs and APIs have been found to steal private information and data from the handsets on which the infected apps have been installed.

They have been providing datas, which include device login and password details, to the companies who have developed the SDKs and APIs.

“Among these malware, we have found many that are created by “mobile monetization” companies who distribute apps that provide little value but have a high cost to the user. These apps are often installed by tricking users into clicking a pop-up, only to find later that a charge has appeared on their phone bill,” they added.

The researchers suggested that when developers incorporate the libraries into their apps they needed to carefully test them and monitor for any abnormal activities.

“Identifying monetization and advertising platforms that behave poorly and abuse their users is something that our industry must to do ensure the safety of all mobile devices and their users,” they concluded. 

Kemoge mobile malware infecting in more than 20 countries

If you are Android user and you have an app  Talking Tom 3, Smart Touch, Privacy Lock then you should be vary.

FirmEye, a Security and cyber-attack firm tracked  down a new mobile malware that is threat in more than 20 countries worldwide.

Kemoge, an Android-affecting malware which you can install via ads,  poses a security threat. The apps are duplicates of software that can be found on the Google Play Store; the key difference is that they attack the user's device after installation.

On its blog, FireEye says, "The attacker uploads the apps to third-party app stores and promotes the download links via websites and in-app ads. Some aggressive ad networks gaining root privilege can also automatically install the samples. On the initial launch, Kemoge collects device information and uploads it to the ad server, then it pervasively serves ads from the background. Victims see ad banners periodically regardless of the current activity (ads even pop up when the user stays on the Android home screen)."

Your data such as the phone's IMEI, IMSI, and storage information are then remotely sent to a third-party server.

FireEye said that “Kemoge has self-preservation features, and can uninstall other software including anti-virus applications. Google has been notified of the threat, and everyone else is advised not to download dodgy looking things from third-party websites.”

FireEye suggest Android users not to click on the suspicious links from emails/SMS/websites/advertisements, don’t install apps outside the official app store, Keep Android devices updated to avoid being rooted by public known bugs.

New Malware forces you to change your Wifi's default password

Ifwatch, a custom-built vigilant malware software changed the Wi-Fi passwords of  nearly 10000 routers to make it more secure.

According to researchers at the cyber security firm Symantec, the software is actually used to defend the machine from the hackers and provides solution for the other malware infections.

“We have not seen any malicious activity whatsoever,” said Symantec threat intelligence officer Val Saengphaibul. “However, in the legal sense, this is illegal activity. It’s accessing computers on a network without the owner’s permission.”

Ifwatch software infect the routers with a mysterious piece of “malware” through Telnet ports, which are often protected by default security credentials that could be easily for accessed for malicious attack, and then prompts the users to change their Telnet passwords.

The software is spreading quickly around the world but found mostly in China and Brazil. It was first discovered by an independent researcher in 2014.

“We have no idea who is behind this — or what their full intention is,” Saengphaibul said.

Will 'Green Dispenser' Take of all your Money?

(pc- google images)
ATM malwares are no myth to the cyber world and this time is no different than the earlier. a team of security researchers from PointProof have unraveled the veil off a new malware, named GreenDispenser, that gives the capability to hackers to attack compromised ATMs and drain all of it's cash.

This malware acts on the basic principle of a primitive DDoS action in which the machine displays an 'out of service' message on the screen but in the meanwhile can crack open the bank vaults through correct pin number, looting a lot of money with no trace of robbery at all.

Such kind of activities were first reported in Mexico and similar abuses have been reported in other countries ever since. GreenDispenser, unlike its predecessors, Ploutus and Tyupkin; requires no physical access for the installation procedure and hence makes it easier for the hacker to break into the machine and subsequently; the server.

It is being doubted that cyber criminal bosses now have an mobile app that provides them with a two-step encryption and creates a firewall of authorisation for malwares such as GreenDispenser itself.

ProofPoint, in another post explained such encryption; an extract from which is given below:-
GreenDispenser employs authentication using a static hardcoded PIN, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM. We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN – a two-factor authentication of sorts.

Now, these malwares are evolving with the passage of time, making ATMs more vulnerable. ATMs being the primary target results as a threat to the financial institutions. Thus, security with credit and debit card credentials should be also enhanced accordingly. The question arises; How long to completely secure the parameters?

Once again a malicious application found on Google Play Store

Researchers at Check Point Threat Prevention have detected a malicious application and said to have affected some one million people, which was published twice in the Google Play Store. The malware was packaged within an Android game called “Brain Test”.

According to the researchers, the malware was reported to Google Play twice. Each instance had between 100,000 and 500,000 downloads as per the Google Play statistics. Check Point reached out to Google on September 10, 2015, and the app containing the malware was removed from Google Play on September 15, 2015.

“The malware was first detected on a Nexus 5 smartphone, and although the user attempted to remove the infected app, the malware reappeared on the same device shortly thereafter. Our analysis of the malware shows it uses multiple, advanced techniques to avoid Google Play malware detection and to maintain persistency on target devices, the researchers wrote in a blog post.

Although, the reported the malware to Google, and the company concerned removed the app from the Google Play Store, it manages to bypass malware detection through several sophisticated techniques. It also installs an application similar to itself and so these two monitor the removal of each other and actually protects each other from being removed.

The researchers suggested that in order to prevent yourself from the malware, you must have an up-to-date anti-malware software on your mobile device. It has already infected anyone’s phone, he/she has to re-flash it with an official ROM.

Security experts detects Odlanor malware that cheats at poker

Security experts from at ESET have discovered a malware that targets Pokerstars’ users and Full Tilt Poker and that lets competitors (crooks) cheat their way to winning games by leaking their information about their cards to their competitors.

It affects people who have accounts on PokerStars and Full Tilt Poker.

Researchers have said that the hackers have been using the malware dubbed Odlanor to sneak a look at a player's virtual poker hand on popular gambling sites. They are then signing into the same game and betting against their victim to up the stakes and steal their money.

It is said that the malware is a successor to the Zynga-targeting Pokeragent Facebook worm, which was discovered two years ago.

According to the researchers, once the Odlanor executed, it will be used to create screenshots of the window of the two targeted poker clients PokerStars or Full Tilt Poker, if the victim is running either of them. The screenshots are then sent to the attacker’s remote computer.

Then, the cheating attackers can retrieve the screenshots. They reveal not only the hands of the infected opponent but also the player ID. Both of the targeted poker sites allow searching for players by their player IDs, hence the attacker can easily connect to the tables on which they’re playing.

New Android Ransomware locks Victim's Phone Permanently

Security researchers at ESET have discovered the first malware that could allow an attacker to reset the PIN of anyone’s phone to permanently lock them out of their own device.

“This ransomware also uses a nasty trick to obtain and preserve Device Administrator privileges so as to prevent uninstallation. This is the first case in which we have observed this aggressive method in Android malware,” the researchers said in a blogpost.

The malware dubbed LockerPin, which spreads via an adult entertainment app called Porn Droid, could change the infected device's lock screen PIN code and leaves victims with a locked mobile screen, demanding a $500 ransom.

Researchers said that there was no effective way to regain access to infected devices without losing personal data. Rebooting the device in Safe Mode, uninstalling the offending application and using Android Debug Bridge (ADB) could not solve the problem.

In order to unlock the device to perform factory reset that wipes out all the personal data and apps stored on users device.

According to the researchers, as the lock screen PIN is reset randomly, paying the ransom amount won't give the users back their device access, because even the attackers don't know the randomly changed PIN code of their device. This is a novelty among ransomware, usually they do everything possible to unlock the device, up to and including live tech support.

If the ransomware gets installed on anyone’s smartphone, the app first tricks users into granting it device administrator rights. It does so by disguising itself as an "Update patch installation" window.
After gaining the control over phone, the malicious app goes on to change the user's lock screen PIN code, using a randomly generated number. Though the majority of infected devices are detected within the United States, the researchers have spotted the infections worldwide.

Researchers have suggested that in order to protect our smartphone from the ransomware, please do not install apps outside of the Google Play Store. Similarly, don't grant administrator privileges to apps unless you truly trust them.

CAPTCHA-bypassing malware found in Google Play

(PC-google images)
Bitdefender Security Researcher, Liviu Arsene has recently revealed that a malware, identified as Android.Trojan.MKero.A has found its way into the highly legitimate apps in Android powered Google Play Store by successfully evading the Google Bouncer's vetting algorithms. This can cause a lot of trouble for the vendors who provide paid premium services of their products as the malware can now make the services available for free.

To bypass CAPTCHA authentication systems, the trojan redirects the requests to an online image-to-text recognition service, Since the online service relies on actual individuals to recognize CAPTPCHA images, requests are sent back to the malware within seconds so that it can proceed with the covert subscription process.

After receiving the sent back request, the Trojan interacts with a command-and-control (C&C) infrastructure which loads the CAPTCHA code on the target link, parses an SMS code for an activation , and ultimately subscribe the user to the premium service.

Google Play has been notified of at least seven apps that exhibit this type of behavior, two of which have been downloaded between 100,000 and 500,000 times. Moreover, these seven malware-harboring Google Play applications have been analysed and a list of 29 randomly generated C&C servers names were recovered from a single sample which did not have any encrypted strings. Hence, if any one of these locations became unresponsive –due to a takedown or any other reason – the malware on any infected device will automatically reconnect to the next C&C server in the preconfigured list and proceed with the preset instructions.

The total financial losses have been estimated to amount to a staggering $250,000, which is just  from the minimum $0.50 charged for sending the subscription SMS messages.

iOS malware steals over 225,000 Apple accounts to create free App Utopia

Researcher from Palo Alto Networks, a computer security firm, have found out that hackers, who have targeting jail-broken iPhones, have raided more than 225,000 Apple accounts, using them for app buying sprees or to hold phones for ransom.

The jailbreak is a tool in iPhones to use additional iThing tweaks available through the alternative Cydia store, and for some to pirate software by installing ripped-off apps for free.

“In cooperation with WeipTech, we have identified 92 samples of a new iOS malware family in the wild. We have analyzed the samples to determine the author’s ultimate goal and have named this malware “KeyRaider”. We believe this to be the largest known Apple account theft caused by malware,” the researchers posted in a blog.

Claud Xiao, a researcher, said that the KeyRaider malware, hidden in jailbreaking utilities, is slurping login credentials and GUIDs from the user's iTunes data, and siphoning them off to remote servers.

"We believe this to be the largest known Apple account theft caused by malware," Xiao said. "The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.”

He confirmed that the purpose of the attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying.

It is said that especially the people in China got affected but herald from 17 other countries including France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea from the attack.

Similarly, some people said that they were being locked out of phones and forced to pay ransoms.

According to the researchers, the attack was discovered by a Yangzhou University student known as i_82 who worked with Xiao alongside a group. They exploited an SQL injection vulnerability on the bad guy's server to learn about the attack. They siphoned about half of the stolen accounts before the VXer became savvy and punted the white hats. They have now set up a website for users to check if they are impacted. 

Researchers detect a new Android Trojan targeting users from china

Photo Courtesy: Dr. Web

Security researchers from Doctor Web, Russian anti-virus software developer, have detected another new Android Trojan, which is said to be distributed among users from china to spy on their victims.

Previously, the researchers had found an Android Trojan, which spreads as a security certificate that tricks users into thinking it must be installed onto users device. That Trojan had made two-Step authentication feature insecure when it got infected users' device  with a new malware which was capable of intercepting their messages and forwarding them to cybercriminals.

The Trojan dubbed Android.Backdoor.260.origin can intercept SMS messages, record phone calls, track GPS coordinates of the infected device, take screenshots, and even collect data entered by the user.

“Due to the fact that Android.Backdoor.260.origin is distributed as “AndroidUpdate”, potential victims are very likely to install it on their mobile devices,” the researchers posted in a blog.

According to the researchers, the Trojan has main malicious features that are implemented in special modules incorporated into the malware's software package. Once it gets activated, the Trojan extracts the following additional components: super, detect,,,, 1.dat,,, substrate_signed.apk and cInstall.

“Next, it tries to run the binary cInstall file (detected by Dr.Web as Android.BackDoor.41) with root privileges. If the attempt is successful, this malicious module plants a number of files extracted earlier into system folders and tries to stealthily install a utility called “Substrate”. This tool expands functionality of applications and is used by Android.Backdoor.260.origin to intercept entered data. If the Trojan does not succeed in acquiring root privileges, then, most likely, it will fail to install necessary components. As a result, the malware will not be able to perform the majority of its functions properly,” the researchers added.

Once all the modules get installed, the Trojan removes its entire shortcut created earlier and launches the malicious service called PowerDetectService which runs the malicious module with the name It also has been added to Dr.Web virus database under the name of Android.BackDoor.42, and Substrate.

“In fact, this tool is not actually malicious and can be easily downloaded from Google Play. However, cybercriminals have modified the original application and incorporated the new version into Android.Backdoor.260.origin. As a result, the tool became potentially dangerous for mobile devices' users,” the researchers explained.

The researchers have now warned the users not to install applications from unreliable sources. And it is important to protect their mobile device with reliable anti-virus software.

Researchers detect Malvertising in PlentyOfFish

Photo Courtesy: Malwarebytes

Researchers from Malwarebytes Unpacked, a security firm, have detected a malvertising, which derived from “malicious advertising" uses online advertising to spread malware and it involves malware-laden advertisements into legitimate online advertising websites, in the PlentyOfFish, a Vancouver-based online dating service which makes money from advertising.

The researcher have warned the users not to click on the adverts as they are automatically targeted by using an attack that detects if their computer can be infected (via outdated software), and launches directly that way.

Soon after the flaw detected, they have contacted the company concerned to make them aware of this issue.

According to the researchers, the attack chain uses the Google URL shortener as intermediary to load the Nuclear exploit kit.

“While we see this mechanism quite frequently within our telemetry, it is particularly difficult to reproduce it in a lab environment,” the researcher wrote in a blogpost. The ad network involved in the malvertising campaign ( was familiar and it turns out that we had observed it in a rare attack captured by our honeypots just one day prior.”

The sample was collected from the Tinba banking Trojan. Given that the time frame of both attacks and that the ad network involved is the same, chances are high that pof[dot]com dropped that Trojan as well.

According to a news report published in The Register, the attack against PlentyOfFish comes against the backdrop of the fallout from the data dump by hackers who breached cheaters’ hook-up website Ashley Madison, and the earlier attack against AdultFriendFinder.

 There’s nothing to link the three attacks directly, however it’s fair to say that dating and adult hook-up websites are very much in the firing line of hackers, so extra precautions ought to be applied.

Beware of “unbreakable” Cryptolocker virus

Photo Courtesy: ABC

Many people are becoming victims of an encryption virus dubbed Cryptolocker which hijacks computer files and demands a ransom, if anyone wants to restore them.

A report in ABC confirms that now, Australians are paying thousands of dollars to overseas hackers to rid their computers of Cryptolocker, which comes in a number of versions and the latest capitalizing on the release of Windows 10.

The deputy chairperson of the Australian Competition and Consumer Commission (ACCC), Delia Rickard, said over the past two months, the number of victim of the scam had been increasing. They have received 2,500 complaints this year and estimates about $400,000 has been paid to the hackers.

As per the report, the "ransomware" infects computers through programs and credible-looking emails, taking computer files and photographs hostage. It can arrive in an email disguised as an installer of the new operating system in a zip file.

Experts have found it more complicated than other viruses.

Josh Lindsay, IT technician, told ABC that he had been repairing computers for 15 years but the current form of the virus was "unbreakable".

It is said that the hackers have been offering computer owners a chance to retrieve data but only if they pay a ransom using the electronic currency Bitcoin.

Michael Bailey from Tasmanian Chamber of Commerce and Industry (TCCI) said when his organization was hit by the overseas hackers, his company paid a ransom equivalent to $US350.

Fake Android Virus alert says "Your Mobile compromised by Chinese Hackers"

Fake virus alert is the technique used by the Cyber criminals to trick users into thinking their system have a virus then tell them to install or buy fake applications, sometimes redirect them to spam websites.

A New fake virus alert spotted by Malware Bytes team says users that their device infected by a dangerous virus created by Chinese Hackers.

"whoever put this one together is watching all those APT news stories with glee and weaving them into their efforts below." Malware Bytes blog post reads.

Anyone passing through the page paulgrenwood[dot]com/US/smart/index[dot]html, receives the following message:

Warning! Your phone is attacked by severe virus that can steal your privacy which created by Chinese hackers on [date].
Please clear this virus immediately.

There is another fake warning message on the next page with “Android App on Google Play” button underneath the message and list of infections.

A rotator URL (clmbtrk(dot)com/?a=17990&c=81777&s1= )  is being used to send visitors to a variety of random adverts depending on geographical location.

Visiting the URL with a standard desktop setup would, more often than not, lead to a blank page. The bulk of the pages seen were dating sites with a lot of flesh on display, and even one hardcore pornography site

There’s no infection, so no need to panic.

Cyber Criminals abuse Yahoo's advertising network to spread malware

Cyber Criminals are targeting Yahoo’s advertising networks to deliver malware directly to the computers of users who is viewing the ads.

Security firm Malwarebytes, who discovered the attack on July 28, says that Yahoo is a victim of malvartising attacks in which exploit kits are used to redirect victims to the malware website.

The malvertising attack which does not require any user interaction, is believed to be one of the biggest in recent times due to the massive amount of traffic in Yahoo. 

In one of the campaigns, the attackers used the Angler Exploit Kit - This exploit kit usually infect victim's machine with annoying software and malware that forces victims to pay the money to unlock their system.

The security firm said that it had informed Yahoo about the attack the very same day. Yahoo said that the malware campaign has been stopped and that the company is investigating the matter.

Although it is not yet possible to determine exactly how many people have been affected by the hack, but it could be large as Yahoo gets 6.9 billion visits a month.

Attackers exploit the Privilege Escalation 0-day in Mac

Adam Thomas, a researcher from Malwarebytes, has discovered a new adware installer that exploits of a zero vulnerability in Apple's DYLD_PRINT_TO_FILE variable in the wild which helps to uses to install unwanted programs including VSearch, a variant of the Genieo package, and the MacKeeper junkware.

The vulnerability which is being exploited by this adware was first uncovered by a researcher Stefan Esser a month ago. However, this researcher did not first report about the flaw to the company concerned.

The adware was able to change the Sudoers file - s a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how.

 The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.

According to a post by MalwareBytes, if anyone installs VSearch, the installer will also install a variant of the Genieo adware and the MacKeeper junkware. As its final operation, it directs the user to the Download Shuttle app on the Mac App Store.

However, Apple has still not turned up to fix the problem. 

Russian APT attackers control the Hacked Machines using Twitter, Github

Russian APT attackers have used an advanced type of backdoor which tries to avoid detection by adding layers of obfuscation and mimicking the behavior of legitimate users. 

The attackers used popular legitimate websites such as Twitter, Github and other compromised web servers to send instructions and steal data from the compromised machines, according to a APT report published by the security firm FireEye.

The group is known as APT29, which creates an algorithm that generates daily Twitter handles and embedding pictures with commands. 

The attackers post instructions for their backdoors in a tweet, which contains a URL and a hashtag.  The malware will download contents hosted in the specific URL including all images in the page. 

They hide the data and other instructions within an Image file using a technology called Steganography. 

The Hashtag contains a number representing a location within the image file and a few characters that should be appended to the decryption key.  The key will be used for retrieving the data stored in the  image.

The instructions also contains where to upload the stolen data - It uploads to a specific account on a cloud storage service using the login credentials.

APT 29 is suspected to be in Russia since it is active during normal working hours in Moscow.

Researchers find out New Linux Backdoor

Security researchers from Doctor Web, a Russian Anti-malware company, have detected a new backdoor dubbed Linux.BackDoor.Dklkt.1 that targets Linux operating systems.

However, the signature of the backdoor has been added to Dr.Web virus databases. So, its Linux users are under reliable protection.

“It clear that creators of this malicious program planned to equip it with wide variety of powerful features, but bringing all their intentions to life proved rather problematic at the moment, not all of the program's components work as they should,” the researchers wrote in a blog.

The researchers have claimed that backdoor is supposedly of Chinese origin. They have said that the virus makers tried to create a multi-component malicious program encompassing a large number of functional properties.

“For example, they wanted to equip it with functions typical of file managers, DDoS Trojans, proxy servers, and so on,” they added. “However, not all of these plans were destined to see the light. Moreover, virus makers attempted to make a cross-platform program out of their creation; so that the executable file could be assembled both for Linux and Windows architectures. However, due to carelessness of cybercriminals, the disassembled code contains some strange constructions that have absolutely nothing to do with Linux.”

According to the researchers, the backdoor checks the folder from which it is run for the configuration file containing all operating settings. The file has three addresses of command and control servers. One of them is used by the backdoor, while the other two are stored for backup purposes. The configuration file is encrypted with Base64.

Once the backdoor gets activated, it tries to register itself in the system as a domain (system service). If the attempt fails, the backdoor terminates its work.

“Once the malicious program is successfully run, it sends the server information on the infected system; at that, the transmitted data is compressed with LZO and encrypted with the Blowfish algorithm. In addition to that, every packet contains a checksum, so that the recipient could verify data integrity,” the researchers explained.

Researchers have said that then Linux.BackDoor.Dklkt.1 waits for incoming commands that can include launching a DDoS attack, starting SOCKS proxy server, running a specified application, rebooting the computer or turning it off.

‘Android games on Google Play steal Facebook credentials,’ say researchers

This may come as a shock to many of the game lovers that Cowboy Adventure, a popular Android game on Google Play store, because researchers, from ESET, have revealed that the game has compromised the Facebook login credentials of over a million users who downloaded that Android game.

According to a post by the researcher on July 9, the Cowboy Adventure app on the Google Play store was able to steal personal information of the users.

With 500,000 – 1,000,000 installs, the developer of the Cowboy Adventure app also used it as a tool to harvest Facebook credentials.

However, the Google has taken down both of the apps from their app store and also warns against their installation on Android devices.

“It was one of two games spotted by ESET malware researchers that contained this malicious functionality, the other one being Jump Chess,” according to a report on Welivesecurity.

The report said that unlike some other Android malware, these apps did contain legitimate functionality (they actually were real games) in addition to the fraud. The problem lies in the fact that when the app is launched, a fake Facebook login window is displayed to the user. If victims fell for the scam, their Facebook credentials would be sent to the attackers’ server.

It is said that the latest version of the app at the time Google took it down from their official market last week was 1.3. This trojanized game had been available for download from Google Play since at least April 16, 2015, when the app was updated.

“We are not sure how many users had their Facebook credentials compromised,” the report read.

 “Our analysis of these malicious games has shown that the applications were written in C# using the Mono Framework. The phishing code is located inside TinkerAccountLibrary.dll. The app communicates with its C&C server through HTTPS and the address to which to send the harvested credentials (also known as the ‘drop zone’) is loaded from the server dynamically,” the report read.

The researchers have said always download apps from the official Google Play store than from alternative app stores or other unknown sources and always check the ratings and user comments.  

“Even though Google Play is not 100% malware free, they do have strong security mechanisms to keep trojans out,” the researchers added.