New variant of Android Ransomware 'SimpLocker' spotted


A New variant of the Android Ransomware known as 'SimpLocker' has been spotted by Security researchers at ESET.

This new variant has a few significant improvements including the language in which the fake warning message is written, it is now in English rather than Russian.

The malware is masquerading as a flash player for the Android and tricks users into installing it with administrator privileges .

Once the device is infected, it will show a ransom message saying that your device is locked because you were doing illegal things and demands you to pay around $300.

One of the variant attaches the photo of the victim taken by the front camera in the ransom message.  This trick will definitely scare victims into paying the ransom.

One of the worst features added to this variant is now it encrypts the compressed files such as ZIP, RAR and 7ZIP.  It means even your backup files are being encrypted by this trojan.

ESET has released a tool to decrypt the files that have been encrypted by Simplocker.  The say prevention is better than cure, so better focus on prevention - Be careful while installing apps from unknown sources.

Kronos: A new Banking Trojan for sale in Underground forums

Researchers from Trusteer have discovered a new Banking Trojan dubbed as "Kronos" which is being sold in the Underground forum.

The malware is being sold for $7,000 and the cyber criminals are offering one week test for the price of $1,000 with full access to the command and control server without any limitation.

Similar to other banking Trojans, this new malware also capable of doing form grabbing and HTML Injection.

Kronos has user-mode rootkit(ring3) capabilities that will help this trojan to defend itself from other pieces of malware, will work in both 32bit and 64 bit Operating systems.

It is also designed to evade antivirus software and bypass Sandbox. The malware use encryption to communicate with the C&C server.

Trusteer said it has not yet analyzed the malware sample in order to validate the seller’s claims, all the information provided are based on the advertisement in the underground forum.

Researchers say GameOver malware is back

Last month, DOJ announced that International law enforcement agencies disrupted the Game Over Botnet.   However, Researchers at Sophos say the GameOver malware is back.

Researchers spotted several spam campaign and analyzed a few samples of the new version.

The new version has few modifications.  One of them is removing Necurs rootkit part from the malware.

The second modification is using Domain generation algorithm(DGA) as the primary command and control mechanism instead of Peer-to-Peer protocol.

"We do not know if it is being operated by the same people that were indicted last month, or a subset of them, or indeed a different group altogether that has obtained the Gameover source code." researcher said.

Dailymotion website visitors redirected to malicious web page


Attackers managed to compromise the popular video sharing website dailymotion and redirected visitors to malicious web page that installs malware in victim's machine.

On June 28, Symantec researchers identified an iframe in Dailymotion.com which sends users to different website hosting Sweet Orange Exploit kit.

Sweet Orange Exploit Kit is a malware toolkit used by attackers to infect victim's machine with malware by exploiting software vulnerabilities on their machine.

The vulnerabilities that Sweet Orange attempts to exploit are : Java Vulnerability(CVE-2013-2460), Adobe Flash Player vulnerability(CVE-2014-0515), Internet Explorer Vulnerability(CVE-2013-2551).

If the user's machine is vulnerable, then Trojan.Adclicker was downloaded onto the victim’s computer.

"This malware forces the compromised computer to artificially generate traffic to pay-per-click Web advertisements in order to generate revenue for the attackers" the symantec researchers said.

South Korean Bank Customers targeted by Android Malware


A Mobile software company Cheetah Mobile has identified a malicious piece of Android malware that replaces the legitimate banking apps with fake versions.

According to the Cheetah Mobile report, the Trojan disguises itself as popular game or application on third party android application markets in Korea and tricks users into installing the app.

Once it is installed, the Trojan searches for the official online banking applications of south Korean Banks including Nong Hyup Bank, Sinhan Bank, Woori, Kookmin, Hana N Bank, Busan Bank and Korean Federation of Community Credit Cooperatives.

If one of these banking apps is found to be installed on the victim's device, the malware displays an alert saying that the banking app needs to be updated.  Once the update is approved,  the legitimate banking app will be replaced with the fake one.

The fake version then asks victims to enter the password to their security certificate(which is required by the South Korean government in order to access many online services).

The app then asks victims to provide their bank account number, passwords and bank security number.

At the end, the malware simply displays a fake error message informing victims that there is no Internet connection.  The malware then deletes itself from the device.

"With the information that they stole, the hackers can apply for a new certificate, which they then use to freely access the victim's bank account."says Cheetah Mobile.

The company said more than 3,000 devices have been infected in the last week alone.

Simplocker : First Android Ransomware that Encrypts files in Your Device

Ransomware is a type of malware that locks you out of your computer until you pay a ransom.  In some cases, it can actually cause more serious problems by encrypting the files on your system's hard drive.

Last year, Symantec discovered an android malware with hybrid characteristics of Fake AV and Ransomware. Last month, Bitdefender identified an android version of Ransomware which was being sold in the underground market.  The malware bluffed victims into paying a ransom but didn't actually encrypt the files.

Until now, there have been no reports of android malware that encrypts the files.

Security researchers at ESET say they have spotted the first variant of Ransomware that encrypts files in your Android Device.

The malware, dubbed as Simplocker, shows a ransom message written in Russian which informs victims that their device is locked for  viewing and distribution child porn.

It scans the SD card for certain file types such as image, document or videos, encrypts them using Advanced Encryption Standard(AES), and demands money in order to decrypt them.


It also gathers information about the infected device and sends to a command and control server.  The server is located in Tor ".onion" domain for purposes of anonymity.

Don't Pay:
"We strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them" Researchers at ESET say. 

Game Over for GameOver Zeus and Cryptolocker malware that stole millions

Image Credits: Symantec

The U.S Department of Justice announced that FBI and other international Law enforcements have disrupted two of the world's most notorious botnets: GameOver Zeus and Cryptolocker ransomware.

Game Over Zeus is one of the most notorious botnets which first emerged in September 2011 responsible for millions of infections worldwide.  It is based on the original Zeus malware, attempts to steal financial information from the victim.

According to the United States Department of Justice report, the cybercriminals behind the GameOver Zeus have stolen more than $100 million.

Evgeniy Mikhailovich Bogachev, 30-year-old Russian, has been charged for his alleged role as an admin of the Gameover Zeus botnet.

Cryptolocker is a particularly nasty piece of malware that encrypts all files on the infected machine, then demands a ransom to unlock it.  If the files are important one and no backup is there, victims don't have choice other than paying ransom to get a key to unlock.

DOJ report suggests that more than 200k computers have been infected by this ransomware as of April.  The malware appeared in September 2013, within two months cyber criminals collected more than $27 million.

Symantec has also released a tool to remove GameOver malware completely from your computer.  You can download it from here.

Be careful when You Browse Adult contents in your Android phone

CryptoLocker Ransomware which is so far making trouble for Desktop users by scaring them into pay a fine to unlock their locked hard devices is now started to target Android users.

BitDefender have identified a new mobile version of the Ransomware which is being sold by the same group responsible for the Desktop version of Ransomware malware.

The malware dubbed as 'Android.Trojan. Koler.A' is being served to the mobile devices, when the users are browsing certain adult content websites.

The malware disguise itself as badoink, a video player that needs to be installed to get premium access to porn and tricks users into installing the app.

Once installed, the malware finds the location of victims and shows a fake warning message in their local language.

"Attention! Your Phone has been blocked up for safety reasons listed below.  All the action peformed on this phone are fixed.  All your files are encrypted.  Conducted Audio and Video" The fake message reads.

The warning message informs the victims that their files have been encrypted and they have to pay $300 ransom in order to unlock their device. 

But, No Need to Panic ! The files stored on the device are not actually encrypted as the warning message claims.  By pressing Home button, you can return to Home screen. You will have 5 seconds to Uninstall the app from your device.

Safe Mode to Remove the malicious app:
This malicious app is Not Sophisticated one, you can uninstall the app by booting the device in Safe Mode.

"The group behind this exploit is falsely and egregiously using the BaDoink
brand and logo, a brand that adult consumers have trusted for 8 years, to
spread this Ransomware."In an email sent to EHN, the company behind the legitimate version of Badoink, has clarified that they've nothing to do with this ransomware.

New Android malware 'Samsapo' spreads via Text Messages

If you get a SMS from your friend asking "is this your photo?" with a link, will you open the link or not? We want a honest answer.  Most of the people will do click the link.

If you do so, your device might get infected by a new type of Android worm!

Malware analyst from security firm ESET have discovered an interesting piece of malware, called "Android/Samsapo.A" that spreads via Text messages.

So far, the malware appears to be targeting Russian users.  Once your device is infected with this worm, it will attempt to send SMS with a malware-link to your contact list in an attempt to infect your friends.

Cyber Criminals use the old social engineering trick to lure users into install the malware.  It sends a message that says "is this your photo" in Russian language(Это твои фото?) with a link to Android application package(APK).

The malware is capable of downloading additional malicious files.  It is also capable of stealing phone numbers, text messages, personal data, device info from the infected device.  It doesn't stop with spying, it also register the victim's number to premium-rate services.  So, the victims will lose money. 

Bitcoin-Mining android malware found on Google Play Store

No matter how much Security mechanism Google try to implement to keep the malware from getting placed in Google Play store, Cyber Criminals are still able to upload their malicious apps.

We recently learned a 'fake' android anti-virus application found on Play Store and tricked more than 10,000 users into buying it.  But, Google which doesn't want to lose its reputation gave refund and $5 promo credit to those individuals scammed by this app.

Now, Researchers from Security firm LookOut have spotted another set of malicious apps on Google's Play store which turns the infected devices into a distributed bitcoin mining system.

Dubbed as 'BadLepricon', the malware disguise itself as a Live wallpaper app for android.  These five malicious apps had been downloaded between 100-500 times before Google removed them.

It seems like cybercriminals' interest in using the infected android devices to mine cryptocurrencies is increasing day by day.

Last month, LookOut reported that CoinKrypt malware hijacked mobile phones in order to use it to generate digital currency.  Few days back, TrendMicro also discovered a Java RAT which is capable of abusing the android devices to mine Litecoin.

New variant of Java RAT can use your Android device to mine Litecoin

A new variant of old Java RAT "UNRECOM" is being distributed via spam emails, detected by TrendMicro.

One such spam mail is pretending to be from American Express, informs recipients that their account have been suspended due to suspicious activity.

"Attached to this mail is your statement with the irregular activities highlighted. Please fill in the required information in the form also attached, this is required for us to continue to offer you service in a safe and risk free environment" The spam mail reads.

The attachment is none other than the Java Remote Access Trojan.


So, What is New ?
We aware this Java RAT can run on multiple platforms.  Now, it is capable of running on Android Devices. It has also Litecoin-mining plugin.  Other than that, it can capture screenshots and display messages.

In addition, the malware has also APK binder component, means it can be used to take legitimate android apps and turn them into malware.

Android malware iBanking helps attackers to hack Facebook account

An attacker can't hack a facebook account which has enabled two-step authentication, even if he know the username and password.  But, if you think Two-Step authentication is enough to keep your faebook account safe from hackers, Think Again!

Cyber criminals have started to use Android Banking Trojan "iBanking" to bypass Facebook's two-factor verification.

iBanking is malicious android application capable of intercepting SMS messages, forwarding incoming voice calls to any number and record victim's voice using mic.

Recently, RSA noted the release of source code for the iBanking trojan.  This source code leak helped other cyber criminals to customize this trojan according to their needs.

ESET reports that a customized iBanking malware targeting Facebook users is being delivered via a new variant of Computer Banking Trojan Qadars 

When a system is infected with Qadars Trojan, it will show a message when user is logging into Facebook telling them "Facebook introduces new extra safety protection system" and instructs them to install an android app.  This app will help cybercriminals to intercept SMS so that they can bypass the Facebook's two-factor verification.

"The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud." Researchers said.

Android malware steals money from QIWI Wallets

Cyber criminals are continually finding new ways to earn money using infected devices.  We aware of SMS Trojans that earn money by sending out premium-rated messages from the infected android devices.

Experts at Kaspersky have recently spotted a new Android Trojan that not only send SMSs to premium-rate numbers but also steals money from QIWI electronic wallet.

Visa QIWI Wallet is electronic payment service can be used to pay for goods and services around the world, receive payments, and transfer money.

Once installed on a device, the malware, dubbed as 'Waller', attempts to communicate with Command and control (C& C) server located at playerhome.info and awaits further commands.

Malware is capable of checking the balance of infected phone by sending SMS to mobile network operator and intercepts the reply, send SMS, open web pages, download and install other malware.  It is also capable of updating itself and send SMS to victim's contact list.

This trojan also checks the balance in the QIWI Wallet by sending an SMS to 7494.  The response messages is intercepted by the trojan and forwarded to the cyber criminals.  If there is money in the Wallet, the malware will send message to 7494 with attacker's wallet number and the amount to be transferred.

The Trojan is being distributed via SMS spam and cybercriminal's site disguising as various applications.

Malware uses Your Phone to generate virtual currency for cybercriminals


Is your android mobile phone often overheating or the battery draining faster than normal? There are chances that your mobile phone is infected with a malware that will use your phone to generate money for cyber criminals.

Researchers at Lookout have spotted a new piece of malware targeting android devices on some spanish forums that distributes pirated software.

This malware, referred as 'CoinKrypt', is not designed to steal any information from the infected devices.  However, that doesn't mean that it is not harmful.  It will use the maximum computation power of your device to generate virtual currencies.

It will result in the infected device getting overheated and will affect the battery life.

The malware appears to be targeting only newer virtual currencies such as Litecoin, Dogecoin, Casinocoin.  Since, one will need high computing power to generate the popular and most valuable virtual currency 'Bitcoin', the cyber criminals didn't include the bitcoin mining process in this malware.

At this time, it is almost one million times easier to mine Litecoin than Bitcoin and over 3.5 million times easier to mine Dogecoin. Even though these newer coins are not as valuable as Bitcoins(1BTC is around $650, 1LTC is reaching $20), cyber criminals are probably hoping that one day they will reach high value like Bitcoins.

Variant of Zbot makes money for cybercriminals via pay-per-click ads


Zeus(ZBot) is the notorious trojan known for stealing login credentials associated with online banking, continues to evolve.

A new variant spotted by TrendMicro security researchers is doing totally different task than other variants.  This variant displays websites containing advertisements..

Every time user try do something on the infected machine, these websites will get occupied on the entire screen preventing user from accessing other windows or files.

Even though victim can access the desktop by pressing the 'show desktop' shortcut(win+d),  but the websites still being displayed in the background.

"It should be noted that the sites being displayed are all legitimate–running from gaming sites, ticketing sites, music sites to search engines." researcher said.

"Users can actually navigate these displayed sites. One curious feature of this malware is that it also performs various mouse movements and scrolling when the mouse is idle."

Interestingly, this variant doesn't include a module to steal banking credentials.  However, it achieves the main goal of stealing credentials - making money for cyber criminals.

Dendroid, a new Android malware toolkit

Number of malware for Android platform is increasing day by day.  Cybercriminals trying to sell android-malware toolkit to others.  The first Android Remote admin tool is AndroRAT which is believed to first ever malware APK binder.

Symantec researchers have come to know another android malware toolkit called "Dendroid" is being sold in the underground forums.

A cybercriminal going by online handle "soccer" in the underground forum is selling this HTTP based RAT which is said to be having many malicious features.

The toolkit is able to create malicious apk file capable of 'deleting call logs', 'call to any number', 'open webpages', 'record calls', 'intercept sms', 'take and upload photos&videos', 'dos attack'.

Researchers say the cybercriminal also offer 24/7 support for this RAT.  Others can buy this toolkit by paying $300 through crypto currencies such as Bitcoins, Litecoins.

Experts have mentioned that this RAT has some link with the previous AndroRAT saying "the author of the Dendroid APK binder included with this package had assistance writing this APK binder from the author of the original AndroRAT APK binder.   "

YouTube ads serve Banking Trojan Caphaw


Number of Malvertising attacks are appeared to be increasing day by day, even top websites fall victim to such kind of attacks - YouTube is to be the latest popular organization affected by malicious ads.

Security experts from Bromium have discovered that the cyber criminals were distributing a malware via YouTube ads.

According to researchers,  malicious ads attempt to exploit vulnerabilities in outdated Java.  It loads different malicious jar file, to ensure the exploit is compatible with the installed java version.

The Exploit kit used in this attack "Styx Exploit Kit" which was the same one used by cybercriminals to infect users of toy maker Hasbro.com.

If the user's machine is having vulnerable plugins, it will exploit the vulnerability and drops a Banking Trojan known as "Caphaw".  Researchers say they are working with Google Security team. 

Android SMS malware hosted on Google Play infects 1.2 Million users


Experts often suggest to download android apps only from Google Play to avoid malware infection.  But, it doesn't mean that we can trust all of the apps hosted on Google.  

Security researchers from Panda security has found more than five malicious apps being hosted on Google play.

The apps in question appear to be targeting users in Spain.  Name of the apps are in Spanish: “Peinados Fáciles” (Easy Hairdos), “Dietas para Reducir el Abdomen” (Abs Diets), “Rutinas Ejercicios para el Gym” (Workout Routines) and “Cupcakes Recetas” (Cupcake Recipes).

The apps obtain phone number of the infected device from WhatsApp and uses it to sign the victim up to a premium rated SMS subscription services.

Researchers say that each of these apps have been downloaded by between 50k and 100k users. It means that between 300k and 1.2 Million users might have affected this malware.

“The truth is that fraudsters are making insane amounts of money from these premium services. A conservative estimate of, let’s say, €20 paid by each user would result in a huge sum of 6 to 24 million euros stolen from victims”, said Luis Corrons, Technical Director of PandaLabs.

Bitcoin stealing Mac malware found to be hosted on Download.com and MacUpdate.com

Image Credits: ThreatPost.
Another variant of the recently discovered Mac Trojan "OSX/CoinThief" is found to be hosted on two popular download websites Download.com and MacUpdate.com.

CoinThief malware is designed to steal Bitcoins login credentials from victim as well as Mac's username and UUID(unique identifier), also collects information about the list of Bitcoin related apps installed on the system.

Few days back, SecureMac spotted this Trojan is being hosted under the name of "Stealthbit" on GitHub and downloaded by hundreds of users.  One user from reddit also pointed out the similarity between an one year old fake bitcoin related app "BitVanity" and stealthbit.

Now, experts at SecureMac have spotted one more variant being hosted under the name of "Bitcoin Ticker TTM" and "Litecoin Ticker" on popular download sites.  These app names appear to have been taken from legitimate apps in the Mac app store.

This version also installs fake browser extension called as Pop-up Blocker in Chrome, safari and firefox.  The malicious extension attempts to sniff on the web traffic to steal  bitcoin login credentials.  It will communicate with the background process and send collected data to a remote server.

SecureMac has explained how to check whether malware is installed on your system and how to remove this CoinThief malware.

The developer of legitimate Bitcoin Ticker TTM app said he has no connection with download.com & Macupdate.com and recommends users to download the app from Mac app store.

JackPos, a new Point of Sale malware stole thousands of Credit card data

Cyber criminals keep targeting Point of Sale(POS) with malware in an effort to steal credit card data.  A new malware targeting POS have been uncovered security researchers.

According to the cyber intelligence firm IntelCrawler, the new POS malware dubbed as "JackPos" which is being distributed through drive-by download attack disguise itself as Java Standard Edition binary, replaces the legitimate Java Update Scheduler file in the infected system. 

The loaders used in the "Drive-by" download attack has been written in obfuscated and compiled AutoIt Script.  Researcher says it is a technique to avoid AV detection and unpack additional malicious codes that will receive instructions from C&C server.

"The Cybercriminals have used some sophisticated scanning, loading, and propagating techniques to attack these vectors to look to get into the merchants system through external perimeters and then move to card processing areas, which were possibly not separated in compliance with PCI polices."IntelCrawler said.


At least 4,000 credit card data appeared to be stolen from several countries.  The list of target countries including Canada, Brazil, India, France, Spain, United states, Argentina, Korea and others.

According to Globe and Mail, more than 400 card data have been stolen from Bangalore City, India. 3,000 cards' data stolen from Sao Paulo, Brazil.  700 cards data from Canada, 230 cards data from Madrid have also been compromised.