Alleged Author of Android "Heart App" virus arrested

An Android virus spotted by security researchers at SophosLabs spreads by sending an SMS containing a download link to the first 99 contacts in each victim's address book.

The malware is known as XXshenqi (XX神器) in Chinese and has been dubbed the "Heart App" in English.

After sending the SMS to the first 99 entries in the victim's contact list, the malware sends a confirmation message to the attacker's phone number.

The malware also asks the victim to register, prompting for personal details including full name and Resident Identity Card number. Once the victim taps the register button, the entered data is sent by SMS to the attacker's number.

It also tricks the victim into installing a secondary component (com.android.Trogoogle) that has no launcher icon and therefore does not appear on the regular "Apps" page. Trogoogle is capable of reading incoming messages, a position from which any SMS-delivered verification code can be intercepted as well.

An unnamed 19-year-old software engineering student was arrested by police in Shenzhen, accused of being the author of the "Heart App" malware.

To remove the malware completely, go to Settings -> Apps -> Downloaded and uninstall both com.android.Trogoogle and XX神器. Because the secondary component has no launcher icon, it is easy to uninstall only the visible app and leave the SMS-reading component in place, so check the Downloaded list for both.

New Crypto-Ransomware variants spotted


Security researchers have come across new variants of crypto-ransomware designed to encrypt files on infected machines.

One variant spotted by Trend Micro, dubbed CryptoBlocker, encrypts only files smaller than 100 MB and leaves system and application files alone.

Trend Micro said this variant does not use the Windows CryptoAPI, and encrypts files with the Advanced Encryption Standard (AES) rather than RSA. AES is a symmetric cipher, so the same key encrypts and decrypts; whether victims can recover their files therefore depends entirely on how the sample handles that key.

Researchers believe the author may be new to writing ransomware, because compiler notes were left in the binary.

Another variant, spotted by both Symantec and Trend Micro, uses GnuPG, an open-source implementation of the OpenPGP standard, to encrypt files.

"The threat downloads the 1024-bit RSA public key and imports this key through an option in GnuPG. The malware then encrypts the victims' files by using GnuPG's Encrypt Files option with the public key," Symantec researchers wrote.

Because the files are encrypted to a public key, they cannot be decrypted without the matching private key, which only the criminals hold. The malware asks victims to pay about $200 for that key.
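The sequence Symantec describes (import a public key, then encrypt files with it, non-interactively) is visible in process-creation telemetry. The following is an added example, not code from Symantec or Trend Micro, of a correlation rule over constructed Sysmon-style log lines: it flags a gpg encrypt call that follows a key import on the same host within a few minutes, or that runs in batch mode over several files in one call. The log format, hostnames, paths, key ID and the exact flags the malware passed are assumptions; the flags themselves (--import, --encrypt-files, --batch, --yes, --trust-model) are real GnuPG options.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (hypothetical format, loosely Sysmon-like).
# WS-17 shows the sequence the write-up describes; WS-42 is ordinary gpg use.
SAMPLE_LOG = r"""
2014-07-23T10:01:02 host=WS-17 pid=1201 ppid=880 image=C:\Windows\System32\cmd.exe cmdline="cmd /c update.bat"
2014-07-23T10:01:03 host=WS-17 pid=1220 ppid=1201 image=C:\ProgramData\gpg\gpg.exe cmdline="gpg --batch --import C:\ProgramData\pub.asc"
2014-07-23T10:01:04 host=WS-17 pid=1224 ppid=1201 image=C:\ProgramData\gpg\gpg.exe cmdline="gpg --batch --yes --trust-model always -r 0x1234ABCD --encrypt-files C:\Users\bob\Documents\q3.xlsx C:\Users\bob\Documents\budget.docx C:\Users\bob\Pictures\holiday.jpg"
2014-07-23T10:01:09 host=WS-17 pid=1231 ppid=1201 image=C:\ProgramData\gpg\gpg.exe cmdline="gpg --batch --yes --trust-model always -r 0x1234ABCD --encrypt-files C:\Users\bob\Desktop\notes.txt C:\Users\bob\Desktop\todo.txt"
2014-07-23T11:30:00 host=WS-42 pid=3001 ppid=2900 image=C:\Program Files\GnuPG\gpg.exe cmdline="gpg --encrypt -r alice@example.org report.pdf"
2014-07-23T11:31:00 host=WS-42 pid=3010 ppid=2900 image=C:\Program Files\GnuPG\gpg.exe cmdline="gpg --batch --encrypt -r alice@example.org backup.tar"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmd>.*)"$'
)

ENCRYPT_FLAGS = {"--encrypt", "-e", "--encrypt-files"}
# Flags that suppress every prompt: overwrite without asking, accept an
# untrusted key.  A script driving gpg needs them; a person rarely types them.
NONINTERACTIVE = {"--batch", "--yes", "--trust-model"}


def parse_events(log):
    events = []
    for line in log.strip().splitlines():
        m = EVENT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            # The sample paths contain no spaces; real logs need a proper splitter.
            ev["argv"] = ev["cmd"].split()
            events.append(ev)
    return events


def is_gpg(ev):
    exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return exe in {"gpg.exe", "gpg2.exe", "gpg", "gpg2"}


def detect(log, window=timedelta(minutes=5), min_files=2):
    """Return one alert per suspicious gpg encryption event."""
    alerts = []
    recent_imports = {}  # host -> timestamp of the most recent key import
    for ev in parse_events(log):
        if not is_gpg(ev):
            continue
        argv = ev["argv"]
        flags = set(argv)
        if "--import" in flags:
            recent_imports[ev["host"]] = ev["ts"]
            continue
        if not flags & ENCRYPT_FLAGS:
            continue
        reasons = []
        last_import = recent_imports.get(ev["host"])
        if last_import is not None and timedelta(0) <= ev["ts"] - last_import <= window:
            reasons.append("key imported shortly before")
        if flags & NONINTERACTIVE:
            reasons.append("non-interactive (no trust or overwrite prompts)")
        files = argv[argv.index("--encrypt-files") + 1:] if "--encrypt-files" in flags else []
        if len(files) >= min_files:
            reasons.append(f"bulk: {len(files)} files in one call")
        # Fresh import followed by encryption is enough on its own; otherwise
        # require two independent signals to keep scripted single-file use quiet.
        if "key imported shortly before" in reasons or len(reasons) >= 2:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "pid": ev["pid"],
                           "files": len(files), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["host"], a["ts"], a["files"], "files:", "; ".join(a["reasons"]))
```

The two benign WS-42 events show the checks a defender wants to survive: one interactive encryption, or one scripted encryption of a single file, does not fire. What fires is the combination of a freshly imported key and bulk, prompt-free encryption, which is exactly what a script driving gpg with a downloaded public key looks like.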

A further variant, detected by Trend Micro as Critroni or Curve-Tor-Bitcoin (CTB) Locker, uses Tor to hide its command-and-control (C&C) communications.

New variant of Android Ransomware 'SimpLocker' spotted


A new variant of the Android ransomware known as SimpLocker has been spotted by security researchers at ESET.

The new variant carries a few significant changes. One is the language of the fake warning message, which is now written in English rather than Russian.

The malware masquerades as a Flash Player app for Android and tricks users into granting it Device Administrator privileges, which makes it considerably harder to uninstall.

Once the device is infected, it displays a ransom message claiming the device has been locked because the user was doing something illegal, and demands a payment of around $300.

One variant embeds a photo of the victim, taken with the front camera, in the ransom message, a trick intended to frighten victims into paying.

One of the nastier additions is that this variant now also encrypts archive files such as ZIP, RAR and 7z. That means backups kept on the device in those formats are encrypted along with everything else.

ESET has released a tool to decrypt files encrypted by SimpLocker. A decryptor like this only works while the key can be recovered from the malware itself, so prevention is still better than cure: be careful when installing apps from unknown sources, and be suspicious of any app that asks for Device Administrator rights without a clear reason.
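Both of the Android items above, the Heart App pair and SimpLocker, come down to a handful of manifest-level traits: a component with no launcher entry, SMS send and receive permissions with a high-priority SMS receiver, a Device Administrator receiver, and camera plus storage access. The triage helper below is an added example, not SophosLabs' or ESET's code, that pulls those traits out of an AndroidManifest.xml as obtained with apktool or aapt. The three manifests are constructed to mirror the descriptions: the first combines the SMS traits of both Heart App packages into one manifest for brevity, the second is a SimpLocker-like fake Flash Player, the third is a harmless control. Package names other than com.android.Trogoogle, and all component names, are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Namespaced attribute name as ElementTree expects it, e.g. android:name."""
    return f"{{{ANDROID_NS}}}{attr}"


def _filter_names(intent_filter, tag):
    return {e.get(android("name")) for e in intent_filter.iter(tag)}


def triage(manifest_xml):
    """Return human-readable findings for one AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(android("name")) for e in root.iter("uses-permission")}
    findings = []

    # Heart App trait: with no MAIN/LAUNCHER activity the package never shows
    # up on the "Apps" page, so the user does not see it to uninstall it.
    launcher = any(
        "android.intent.action.MAIN" in _filter_names(f, "action")
        and "android.intent.category.LAUNCHER" in _filter_names(f, "category")
        for act in root.iter("activity") for f in act.iter("intent-filter")
    )
    if not launcher:
        findings.append("no launcher activity (hidden from the Apps page)")

    # Heart App trait: SEND_SMS plus READ_CONTACTS is what SMS self-propagation needs.
    if {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"} <= perms:
        findings.append("can send SMS to contacts (SMS self-propagation)")

    for rcv in root.iter("receiver"):
        # Heart App trait: a high-priority SMS_RECEIVED receiver sees incoming
        # texts before the stock messaging app does.
        for f in rcv.iter("intent-filter"):
            if "android.provider.Telephony.SMS_RECEIVED" in _filter_names(f, "action"):
                prio = f.get(android("priority"), "0")
                findings.append(f"reads incoming SMS (receiver priority {prio})")
        # SimpLocker trait: a receiver guarded by BIND_DEVICE_ADMIN is a device
        # admin component; once activated it must be deactivated before uninstall.
        if rcv.get(android("permission")) == "android.permission.BIND_DEVICE_ADMIN":
            findings.append("requests Device Administrator (resists uninstall)")

    # SimpLocker traits: camera for the scare photo, storage for rewriting files.
    if "android.permission.CAMERA" in perms:
        findings.append("camera access (ransom note photo)")
    if "android.permission.WRITE_EXTERNAL_STORAGE" in perms:
        findings.append("writes external storage (can overwrite user files)")
    return findings


# Constructed manifests (component names and non-page package names are made up).
HEARTAPP_LIKE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.Trogoogle">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".MainService"/>
  </application>
</manifest>"""

SIMPLOCKER_LIKE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.example.flashplayer">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("heartapp", HEARTAPP_LIKE), ("simplocker", SIMPLOCKER_LIKE), ("benign", BENIGN)):
        print(name, triage(m))
```

None of these traits is malicious on its own (a messaging app legitimately holds the SMS permissions, an MDM agent legitimately asks for Device Administrator), so the output is a triage list to read alongside where the app came from, not a verdict.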

Kronos: A new Banking Trojan for sale in Underground forums

Researchers from Trusteer have discovered a new banking Trojan, dubbed "Kronos", being sold on underground forums.

The malware is offered for $7,000, and the sellers also offer a one-week trial for $1,000 with full, unrestricted access to the command-and-control server.

Like other banking Trojans, the malware is advertised as capable of form grabbing and HTML injection (web injects).

Kronos is said to include user-mode (ring 3) rootkit capabilities to defend itself against other malware, and to work on both 32-bit and 64-bit systems.

It is also claimed to evade antivirus software and sandboxes, and to encrypt its communication with the C&C server.

Trusteer noted that it has not yet analyzed a sample to validate the seller's claims; all of the information above comes from the advertisement on the underground forum.

Researchers say GameOver malware is back

Last month, the US Department of Justice announced that an international law enforcement operation had disrupted the GameOver botnet. However, researchers at Sophos say the GameOver malware is back.

Researchers spotted several spam campaigns and analyzed a few samples of the new version.

The new version has a few modifications. One is the removal of the Necurs rootkit component.

The second is the use of a domain generation algorithm (DGA) as the primary command-and-control mechanism instead of the peer-to-peer protocol the original relied on, so the P2P infrastructure targeted by last month's takedown is no longer needed. The trade-off for the operators is that once the algorithm is reverse engineered, defenders can precompute the domains and sinkhole or block them ahead of time.
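To make the P2P-to-DGA change concrete, here is an added example of how a date-seeded DGA is used on both sides: the bot and the operator generate the same candidate domains from the date, and a defender who has reverse engineered the algorithm precomputes them to sinkhole or block. The algorithm below is a deliberately simple stand-in (its seed, domain count, label lengths and TLD set are all made up), not the one Sophos recovered from the new GameOver samples, and the resolver log lines are constructed.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "biz")
SEED = b"example-dga-seed"  # hypothetical constant baked into the sample


def dga(day, count=20, seed=SEED):
    """Domains for one calendar day.  Bot and operator compute the same list,
    so the operator only has to register one of them before that day."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 12 + h[12] % 6                          # 12..17 character label
        label = "".join(chr(ord("a") + b % 26) for b in h[:length])
        domains.append(f"{label}.{TLDS[h[31] % len(TLDS)]}")
    return domains


def blocklist(start, days=3, **kw):
    """Defender side: precompute a window of days and push the set to a DNS
    sinkhole or resolver blocklist.  A window covers clock skew between hosts."""
    names = set()
    for offset in range(days):
        names.update(dga(start + timedelta(days=offset), **kw))
    return names


def match_dns_log(lines, names):
    """Match constructed 'timestamp client qname' resolver log lines against the set."""
    hits = []
    for line in lines:
        ts, client, qname = line.split()
        if qname.rstrip(".").lower() in names:
            hits.append((ts, client, qname))
    return hits


# Constructed resolver log for one day: two infected clients plus ordinary traffic.
DAY = date(2014, 7, 10)
_today = dga(DAY)
SAMPLE_DNS = [
    f"2014-07-10T08:00:01 10.0.0.5 {_today[0]}",
    "2014-07-10T08:00:02 10.0.0.7 www.example.com",
    f"2014-07-10T08:00:03 10.0.0.9 {_today[7]}.",
    "2014-07-10T08:00:04 10.0.0.5 mail.example.com",
]

if __name__ == "__main__":
    print("today's domains:", _today[:3], "...")
    for hit in match_dns_log(SAMPLE_DNS, blocklist(DAY)):
        print("DGA lookup:", hit)
```

Exact-match blocking like this only works after the algorithm is known; before that, the practical signal is behavioural, typically a client resolving many never-before-seen, random-looking names and collecting NXDOMAIN answers for most of them, because the operator has only registered one or two of the day's candidates.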

"We do not know if it is being operated by the same people that were indicted last month, or a subset of them, or indeed a different group altogether that has obtained the Gameover source code," the researchers said.

Dailymotion website visitors redirected to malicious web page


Attackers managed to compromise the popular video-sharing website Dailymotion and redirect visitors to a malicious web page that installs malware on the victim's machine.

On June 28, Symantec researchers identified an iframe injected into Dailymotion.com that sent visitors to a different website hosting the Sweet Orange exploit kit.

Sweet Orange is an exploit kit, a toolkit attackers use to infect visitors' machines by exploiting vulnerabilities in the software installed on them, with no user interaction beyond loading the page.

The vulnerabilities Sweet Orange attempted to exploit were a Java vulnerability (CVE-2013-2460), an Adobe Flash Player vulnerability (CVE-2014-0515) and an Internet Explorer vulnerability (CVE-2013-2551). Patches for all three were available before this campaign, so fully updated machines were not at risk from it.

If the visitor's machine was vulnerable, Trojan.Adclicker was downloaded onto it.
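Injected frames of the kind Symantec found on Dailymotion are usually both off-site and invisible. The scanner below is an added example, not Symantec's code, of checking a page for iframes that combine an off-site source with a zero or one pixel size or a hiding inline style. The HTML fragment is constructed, and the injected host is a placeholder, not the real Sweet Orange landing page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style idioms commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I
)


class IframeScanner(HTMLParser):
    """Collect iframes that are off-site and also hidden or tiny."""

    def __init__(self, site):
        super().__init__()
        self.site = site.lower()
        self.findings = []

    def _on_site(self, host):
        return host == self.site or host.endswith("." + self.site)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or self.site).lower()  # relative src is on-site
        reasons = []
        if not self._on_site(host):
            reasons.append(f"off-site: {host}")
        w, h = attrs.get("width", ""), attrs.get("height", "")
        if w.strip("px ") in ("0", "1") or h.strip("px ") in ("0", "1"):
            reasons.append(f"tiny: {w or '?'}x{h or '?'}")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by style")
        # A visible third-party embed (a video player, a share widget) is normal;
        # an off-site frame the visitor can never see is the drive-by pattern.
        if not self._on_site(host) and len(reasons) >= 2:
            self.findings.append({"src": src, "reasons": reasons})


def scan(html, site):
    parser = IframeScanner(site)
    parser.feed(html)
    return parser.findings


# Constructed page fragment: a normal on-site player embed, a visible third-party
# widget, and the sort of injected frame the write-up describes (placeholder host).
SAMPLE_HTML = """
<html><body>
<iframe src="/embed/video/x12345" width="480" height="270"></iframe>
<iframe src="http://widgets.example.org/share" width="300" height="60"></iframe>
<div style="position:absolute;left:-5000px">
<iframe src="http://malicious.example/landing.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</div>
</body></html>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, "dailymotion.com"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

Keying on two signals keeps legitimate third-party embeds out of the results. The check looks only at the iframe's own attributes; a frame hidden solely by an ancestor's style, like the wrapping div in the sample, would need the scanner to track inherited styles, which is left out here.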

"This malware forces the compromised computer to artificially generate traffic to pay-per-click Web advertisements in order to generate revenue for the attackers," the Symantec researchers said.