Researchers detect a new Android Trojan targeting users from China

Photo Courtesy: Dr. Web

Security researchers from Doctor Web, a Russian anti-virus software developer, have detected another new Android Trojan, which is said to be distributed among users in China to spy on its victims.

Previously, the researchers had found an Android Trojan that spread as a security certificate, tricking users into thinking it had to be installed on their device. That Trojan undermined the two-step authentication feature by infecting users' devices with malware capable of intercepting their messages and forwarding them to cybercriminals.

The Trojan, dubbed Android.Backdoor.260.origin, can intercept SMS messages, record phone calls, track the GPS coordinates of the infected device, take screenshots, and even collect data entered by the user.

“Due to the fact that Android.Backdoor.260.origin is distributed as “AndroidUpdate”, potential victims are very likely to install it on their mobile devices,” the researchers wrote in a blog post.

According to the researchers, the Trojan's main malicious features are implemented in special modules incorporated into the malware's software package. Once activated, the Trojan extracts the following additional components: super, detect, liblocSDK4b.so, libnativeLoad.so, libPowerDetect.cy.so, 1.dat, libstay2.so, libsleep4.so, substrate_signed.apk and cInstall.

“Next, it tries to run the binary cInstall file (detected by Dr.Web as Android.BackDoor.41) with root privileges. If the attempt is successful, this malicious module plants a number of files extracted earlier into system folders and tries to stealthily install a utility called “Substrate”. This tool expands functionality of applications and is used by Android.Backdoor.260.origin to intercept entered data. If the Trojan does not succeed in acquiring root privileges, then, most likely, it will fail to install necessary components. As a result, the malware will not be able to perform the majority of its functions properly,” the researchers added.

Once all the modules are installed, the Trojan removes the shortcut it created earlier and launches a malicious service called PowerDetectService, which runs the malicious module libnativeLoad.so. This module has also been added to the Dr.Web virus database, under the name Android.BackDoor.42, as has Substrate.

“In fact, this tool is not actually malicious and can be easily downloaded from Google Play. However, cybercriminals have modified the original application and incorporated the new version into Android.Backdoor.260.origin. As a result, the tool became potentially dangerous for mobile devices' users,” the researchers explained.

The researchers have now warned users not to install applications from unreliable sources, and to protect their mobile devices with reliable anti-virus software.

Researchers detect Malvertising in PlentyOfFish

Photo Courtesy: Malwarebytes

Researchers from security firm Malwarebytes, writing on its Malwarebytes Unpacked blog, have detected malvertising on PlentyOfFish, a Vancouver-based online dating service that makes money from advertising. Malvertising (the term derives from “malicious advertising”) uses online advertising to spread malware by placing malware-laden advertisements into legitimate online advertising networks.

The researchers have warned users about the adverts: there is no need to click on them, as visitors are targeted automatically by an attack that detects whether their computer can be infected (via outdated software) and launches directly that way.

Soon after detecting the flaw, they contacted the company concerned to make it aware of the issue.

According to the researchers, the attack chain uses the Google URL shortener goo.gl as an intermediary to load the Nuclear exploit kit.

“While we see this mechanism quite frequently within our telemetry, it is particularly difficult to reproduce it in a lab environment,” the researcher wrote in a blog post. “The ad network involved in the malvertising campaign (ad.360yield.com) was familiar and it turns out that we had observed it in a rare attack captured by our honeypots just one day prior.”

The sample collected was the Tinba banking Trojan. Given the time frame of both attacks and that the ad network involved is the same, chances are high that pof[dot]com dropped that Trojan as well.

According to a news report published in The Register, the attack against PlentyOfFish comes against the backdrop of the fallout from the data dump by hackers who breached the cheaters' hook-up website Ashley Madison, and the earlier attack against AdultFriendFinder.

There’s nothing to link the three attacks directly; however, it’s fair to say that dating and adult hook-up websites are very much in the firing line of hackers, so extra precautions ought to be applied.

Beware of “unbreakable” Cryptolocker virus

Photo Courtesy: ABC

Many people are falling victim to an encryption virus dubbed Cryptolocker, which hijacks computer files and demands a ransom from anyone who wants to restore them.

A report by ABC confirms that Australians are now paying thousands of dollars to overseas hackers to rid their computers of Cryptolocker, which comes in a number of versions, the latest capitalizing on the release of Windows 10.

The deputy chairperson of the Australian Competition and Consumer Commission (ACCC), Delia Rickard, said that over the past two months the number of victims of the scam had been increasing. The ACCC has received 2,500 complaints this year and estimates that about $400,000 has been paid to the hackers.

As per the report, the "ransomware" infects computers through programs and credible-looking emails, taking computer files and photographs hostage. It can arrive in an email disguised as an installer for the new operating system, packed in a zip file.

Experts have found it more complicated than other viruses.

Josh Lindsay, an IT technician, told ABC that he had been repairing computers for 15 years but that the current form of the virus was "unbreakable".

It is said that the hackers offer computer owners a chance to retrieve their data, but only if they pay a ransom using the electronic currency Bitcoin.

Michael Bailey of the Tasmanian Chamber of Commerce and Industry (TCCI) said that when his organization was hit by the overseas hackers, it paid a ransom equivalent to US$350.

Fake Android Virus alert says "Your Mobile compromised by Chinese Hackers"


Fake virus alerts are a technique used by cyber criminals to trick users into thinking their system has a virus, then tell them to install or buy fake applications, or sometimes redirect them to spam websites.

A new fake virus alert spotted by the Malwarebytes team tells users that their device is infected by a dangerous virus created by Chinese hackers.

"Whoever put this one together is watching all those APT news stories with glee and weaving them into their efforts below," the Malwarebytes blog post reads.

Anyone passing through the page paulgrenwood[dot]com/US/smart/index[dot]html receives the following message:

Warning! Your phone is attacked by severe virus that can steal your privacy which created by Chinese hackers on [date].
Please clear this virus immediately.

There is another fake warning message on the next page, with an “Android App on Google Play” button underneath the message and a list of infections.

A rotator URL (clmbtrk(dot)com/?a=17990&c=81777&s1= ) is used to send visitors to a variety of random adverts depending on their geographical location.

Visiting the URL with a standard desktop setup would, more often than not, lead to a blank page. The bulk of the pages seen were dating sites with a lot of flesh on display, and even one hardcore pornography site.

There’s no infection, so no need to panic.

Cyber Criminals abuse Yahoo's advertising network to spread malware


Cyber criminals are targeting Yahoo’s advertising network to deliver malware directly to the computers of users who view the ads.

Security firm Malwarebytes, which discovered the attack on July 28, says that Yahoo is the victim of a malvertising attack in which exploit kits are used to redirect victims to malware websites.

The malvertising attack, which does not require any user interaction, is believed to be one of the biggest in recent times due to the massive amount of traffic on Yahoo.

In one of the campaigns, the attackers used the Angler Exploit Kit. This exploit kit usually infects the victim's machine with annoying software and malware that forces victims to pay money to unlock their system.

The security firm said that it had informed Yahoo about the attack the very same day. Yahoo said that the malware campaign has been stopped and that the company is investigating the matter.

Although it is not yet possible to determine exactly how many people have been affected by the attack, the number could be large, as Yahoo gets 6.9 billion visits a month.

Attackers exploit a privilege escalation 0-day on Mac


Adam Thomas, a researcher from Malwarebytes, has discovered a new adware installer that exploits, in the wild, a zero-day vulnerability involving Apple's DYLD_PRINT_TO_FILE environment variable, using it to install unwanted programs including VSearch, a variant of the Genieo package, and the MacKeeper junkware.

The vulnerability being exploited by this adware was first uncovered by researcher Stefan Esser a month ago. However, Esser did not first report the flaw to the company concerned.

The adware was able to change the sudoers file, a hidden Unix file that determines, among other things, who is allowed to obtain root permissions in a Unix shell, and how.

The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.
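As an added defensive check (not code from the page, from Malwarebytes or from Apple), the following Python script parses sudoers content, joining continued lines and skipping comments and alias definitions, and flags every rule carrying the NOPASSWD tag, which is what a passwordless root grant like the one described above looks like; the sample sudoers text is constructed.

```python
import re
from pathlib import Path

# Constructed sample sudoers content (not from the page or any real system);
# the last rule is the kind of passwordless root grant described above.
SAMPLE_SUDOERS = """\
# sudoers file.
Defaults    env_reset
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
%wheel      ALL=(ALL) \\
            ALL
ALL         ALL=(ALL) NOPASSWD: ALL
"""

# A user specification line: <user> <host>=(runas) [TAG:] <commands>
_RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?P<rest>.+)$")
_NON_RULES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "      # continuation: keep collecting
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            out.append(stripped)
    return out

def find_nopasswd_rules(text):
    """Return (user, host, spec) for every rule tagged NOPASSWD."""
    hits = []
    for line in logical_lines(text):
        if line.split()[0] in _NON_RULES:
            continue
        m = _RULE_RE.match(line)
        if m and "NOPASSWD:" in m.group("rest"):
            hits.append((m.group("user"), m.group("host"), m.group("rest")))
    return hits

def audit_system_sudoers():
    """Scan /etc/sudoers and /etc/sudoers.d/* (reading them needs root)."""
    paths = [Path("/etc/sudoers"), *Path("/etc/sudoers.d").glob("*")]
    return {str(p): find_nopasswd_rules(p.read_text()) for p in paths if p.is_file()}
```

Run audit_system_sudoers() as root on a live machine; any NOPASSWD rule it reports that an administrator did not add deserves a closer look.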

According to a post by Malwarebytes, if anyone installs VSearch, the installer will also install a variant of the Genieo adware and the MacKeeper junkware. As its final action, it directs the user to the Download Shuttle app on the Mac App Store.

However, Apple has yet to release a fix for the problem.