Search This Blog

Showing posts with label Android. Show all posts

Avito users were targeted by a dangerous Android Trojan


International company Group-IB, which specializes in the prevention of cyber attacks, has recorded a new Android Trojan campaign, the victims of which are customers of 70 banks, payment systems, web-wallets in the Russian Federation and the CIS. The potential damage from the Trojan, called FANTA, amounted to at least 35 million rubles ($547,000).

FANTA belongs to the Flexnet malware family, which is known to experts since 2015 and studied in detail. The Trojan and its associated infrastructure are constantly evolving: attackers are developing more effective distribution schemes, adding new functionality to more effectively steal money from infected devices and bypass security measures.

According to the company, the Trojan is aimed, in particular, at users who place purchase and sale advertisements on a Russian classified advertisements website Avito.

Attackers find contact details of sellers in a network, and after a while the victim receives personalised SMS about the transfer of full cost of goods to his account. The message contains a link where sellers can find payment details. Then the link opens a phishing page on the Avito website, which notifies the seller of the purchase and contains a description of his goods and the amount received from the sale of the goods. After clicking on the "Continue" bottom, FANTA malware disguised as the Avito application is downloaded to the phone.

The receipt of bank card data is carried out in a standard way for Android Trojans: the user opens phishing site that disguises as legitimate mobile banking application where the victim enters their bank card details", the Group-IB described the scheme of attackers.

Moreover, FANTA analyzes which apps are running on the infected device. Experts found that in addition to demonstrating pre-prepared phishing pages, FANTA also reads the notifications text about 70 banking applications, fast payment systems and e-wallets. In addition, an important feature of FANTA, which the creators paid special attention, is the bypass of anti-virus tools.

According to Group-IB, the latest attack was aimed at Russian — speaking users, most of the infected devices are located in Russia, a smaller part is in Ukraine, Kazakhstan and Belarus.
It's interesting to note that FANTA developers are able to hack the devices of users of about 30 different Internet services, such as AliExpress, Youla, Pandao, Aviasales, Booking, Trivago, as well as taxi and car sharing services.

Earlier in another Russian service of free ads Youla stated that the company plan to completely remove the display numbers, keeping all communications within the service.

ATTENTION ANDROID USERS: REMOVE THESE APPS IMMEDIATELY!




A minimum of 24 extremely popular android applications were found to be infested with malware. They were tested positively with Trojan which is known by the name of “Joker”.

Per sources, this Trojan provokes the interaction of the device with advertisement websites. It could steal SMS messages and private data.

As per the sources following are the names of the applications that are being said to be infested with the Trojan:
  • Beach Camera 4.2
  • Mini Camera 1.0.2
  • Soby Camera 1.0.1
  • Declare Message 10.02
  • Rapid Face Scanner 10.02
  • Leaf Face Scanner 1.0.3
  • Spark Wallpaper 1.1.11
  • Humour Camera 1.1.5
  • Rudy SMS Mod
  • Antivirus Security – Security Scan, App Lock 1.1.2
  • Collate Face Scanner 1.1.2
  • Ignite Clean 7.3
  • Advocate Wallpaper 1.1.9
  • Print Plan scan 1.03
  • Great VPN 2.0
  • Climate SMS 3.5
  • Dazzle Wallpaper 1.0.1
  • Cute Camera 1.04
  • Board Picture editing 1.1.2
  • Altar Message 1.5
  • Age Face 1.1.2
  • Reward Clean 1.1.6
  • Certain Wallpaper 1.02
  • Mini Camera 1.0.2

Security researchers strictly advise every user to uninstall any of these applications if found in their devices.

Android phones vulnerable to Qualcomm bugs

Security researchers from Tencent’s Blade Team are warning Android smartphone and tablet users of flaws in Qualcomm chipsets, called QualPwn. The bugs collectively allow hackers to compromise Android devices remotely simply by sending malicious packets over-the-air – no user interaction required.

Three bugs make up QualPwn (CVE-2019-10539, CVE-2019-10540 and CVE-2019-10538). The prerequisite for the attack is that both the attacker and targeted Android device must be active on the same shared Wi-Fi network.

“One of the vulnerabilities allows attackers to compromise the WLAN and modem, over-the-air. The other allows attackers to compromise the Android kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android kernel over-the-air in some circumstances,” wrote researchers.

All three vulnerabilities have been reported to Qualcomm and Google’s Android security team and patches are available for handsets. “We have not found this vulnerability to have a public full exploit code,” according to a brief public disclosure of the flaws by the Tencent Blade Team.

Researchers said their focus was on Google Pixel2 and Pixel3 handsets and that its tests indicated that unpatched phones running on Qualcomm Snapdragon 835 and Snapdragon 845 chips may be vulnerable.

A Qualcomm spokesperson told Threatpost in a statement: “Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program. Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs.”

The first critical bug (CVE-2019-10539) is identified by researchers as a “buffer copy without checking size of input in WLAN.” Qualcomm describes it as a “possible buffer overflow issue due to lack of length check when parsing the extended cap IE header length.”

FaceApp has access to more than 150 Million user's faces and names








Everyone is busy posting pictures of themselves how they will look in the future, while security researchers are really worried about the data that users are giving them. 

The Cybersecurity experts at Checkpoint have said that the Russian owned app doesn't have access to your camera roll, but it 'might store' the image that you modified. 

Till now, more than 100 million people have downloaded the app from the Google Play store. While it is a top-ranked app on the iOS App Store. 

According to the terms and condition of the FaceApp, ‘You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.’

However, the firm addressed the privacy concerns saying that they are storing the uploaded photo in the cloud to increase their performance and deal with the traffic.

In the statement released they clarified that even though their 'core R&D team is located in Russia, none of the user data is transferred to Russia'. 



Agent Smith malware replaces apps with malicious versions










A new mobile malware dubbed as “Agent Smith” has infected more than 25 million devices by impersonating as a Google-related app, and exploited known Android vulnerabilities.

The name was given after the Matrix’s main villain, which was discovered by security firm Check Point. It has penetrated some of the major apps like WhatsApp. 

The malware extracts the list of the app that is installed on the devices, then it automatically selects its target app, replaces the original version with the malicious version without the user’s knowledge.

"The core malware extracts the device's installed app list. If it finds apps on its prey list (hard-coded or sent from C&C server), it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update," Check Point's researchers explained.

"In this case, "Agent Smith" is being used for financial gain through the use of malicious advertisements. However, it could easily be used for far more intrusive and harmful purposes such as banking credential theft. Indeed, due to its ability to hide it's an icon from the launcher and impersonates any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user's device."

According to the Check Point researchers,  it was made by a Chinese company that helps immature developers to publish their apps overseas, in order to make some money. 

The company also suggests that it will take more time to protect from such attacks: "The 'Agent Smith' campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android eco-system. It requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time."



A New Smartphone Malware Infects 25 Million Devices Worldwide


A new smartphone malware that has infected 25 million devices around the world, including 15 million in India has been recently discovered by a team of cyber security specialists. Being dubbed as "Agent Smith”, the malware camouflages itself as a Google-related application and then replaces the installed applications with pernicious versions of them utilizing known Android vulnerabilities without the users' knowledge.

'Agent Smith' utilizes its access to Android devices in order to display fake ads for financial gain, yet given its access, it can likewise be utilized for increasingly accursed purposes.

Checkpoint research team which specializes in analysing global cyber threats , notes that the activity of Agent Smith takes after how other malware like CopyCat, Gooligan, and HummingBad have operated in the recent years and each of the three campaigns have utilized infected devices to generate fake ad revenue 'to the tune of millions of dollars'.

'Agent Smith' is said to have been originated on prevalent third-party application store 9Apps and has focused predominantly on Arabic, Hindi, Indonesian, and Russian speakers. Majority of the malware's victims were reported to be from India and neighbouring nations like Bangladesh and Pakistan yet as indicated by certain confirmations there are quite a few infected devices in nations like Australia, UK, and USA too.
 
Agent Smith infection world heat map
Some of the apps that have been utilized to infect devices by means of 9Apps store are Color Phone Flash – Call Screen Theme, Photo Projector, Rabbit Temple, and Kiss Game: Touch Her Heart, and Girl Cloth XRay Scan Simulator.

What's more is that, after the inceptive attack vector by means of 9Apps, the makers of Agent Smith shifted their focus towards Google Play Store and had the option to push at least 11 malware laden app in the store.

Android apps infected with Agent Smith in Google Play Store and 9Apps


While Google has removed all the apps from Google Play, users are cautioned against having any of these applications installed as they will be no doubt infected by the Agent Smith malware. Check Point Research adds further, saying that the Android users should only utilize trusted application stores to download applications as "third party app stores often lack the security measures required to block adware loaded apps."

The Rise of Fingerprinting and Monitoring Of Our Digital Activities




 The concept of digital privacy has evolved so much with time that regardless of whether we secure our data to ensure that we are not tracked on the web, the ad tech industry, through some way or different finds ways to monitor our digital activities.

Being alluded to as a cutting edge tracking technology by security researchers, the fingerprinting technology has for sure achieved new statures.

While it incorporates taking a look at the many characteristics of the user's mobile device or computer, like the screen resolution, operating system and model, it likewise very effectively while triangulating this data, pinpoints and follows the user as they browse the web and make use of the other apps.

Presently since the technique happens imperceptibly out of sight in applications and websites, it becomes very hard to block the particular technology at whatever point it isn't required.

In the course of the most recent couple of years, tech companies like Apple and Mozilla 'introduced aggressive privacy protections' in their internet browsers to make it harder for advertisers to follow the users around the web and serve targeted ads on promotions.

But since a large number of those technologies ended up getting blocked by default, the advertisers needed to come up with an alternate method to track more users.

That is when the fingerprinting technology becomes an integral factor, as it gathers apparently harmless attributes that are commonly shared as default to make applications and sites work appropriately, which happens when the users gives an application the consent to access their location data, their camera and microphone. Thus, many other browsers likewise require the permission before a website can access those sensors.

While some state that the fingerprint method can be dependable and reliable, others say that it is abusive on the grounds that in contrast to cookies, which the users can see and delete, one for the most part can't tell it is going on and can't opt out it.

Nonetheless the solutions for averting fingerprinting are generally new, and some are still being developed. Thus it is difficult to tell how powerful they are since fingerprinting happens undetectably. So here are a few solutions for blocking browser fingerprinting.
  1. Apple users can make use of the protections installed in the Safari browser for computers and mobile devices.
  2. Android users and Windows users can try the Firefox web browser.
  3. Furthermore, the other desktop browsers can easily install an add-on.

In case of mobile users:
Privacy Pro and Disconnect Premium can examine the application activities on the device to recognize and block trackers, including finger printers.

Since Fingerprinting is a perplexing subject since the tracking method applies to both the web and mobile applications it is thusly recommended for the users to become familiar with it and be one at least one step ahead in ensuring their privacy protection themselves.

Over 2,000 malicious apps exists on Play Store

If you thought that the quality control issues plaguing the Google Play Store for Android were finally being ironed out, it couldn't be further from the truth. A two-year-study by the University of Sydney and CSIRO’s Data61 has come to the conclusion that there are at least 2,040 counterfeit apps on Google Play Store. Over 2,000 of those apps impersonated popular games and had malware. The paper, a Multi-modal Neural Embedding Approach for Detecting Mobile Counterfeit Apps, was presented at the World Wide Web Conference in California in May documenting the results.

The study shows that there is a massive number of impersonated popular gaming apps available on Play store. They include fake versions of popular games such as Temple Run, Free Flow and Hill Climb Racing. The study investigated around 1.2 million apps on Google Play Store, available in Android, and identified a set of potential counterfeits for the top 10,000 apps.

Counterfeit apps impersonate popular apps and try to misguide users`. “Many counterfeit apps can be identified once installed. However, even a tech-savvy user may struggle to detect them before installation,” the study says.

It also points out that fake apps are often used by hackers to steal user data or infect a device with malware. “Installing counterfeit apps can lead to a hacker accessing personal data and can have serious consequences like financial losses or identity theft,” reads a blog post by the university.

The study also found that 1,565 asked for at least five dangerous permissions and 1407 had at least five embedded third-party ad libraries.

To investigate these applications on Google Play store the researchers used neural networks.

Google has acknowledged the problem of “malicious apps and developers” in a blog post by Google Play product manager Andrew Ahn on February 13, 2019.

According to Google, the company now removes malicious developers from Play store much faster when compared to previous years. The company says that in 2018 it stopped more malicious apps from entering the store than ever before.

A Google spokesperson, in response to a TOI email, said, “When we find that an app has violated our policies, we remove it from Google Play.”

Google Confirms Several Android Devices Shipped With a Malware




Google tackles yet another vulnerability dubbed as Triada, a malware in the form of a code that affected some Android devices even before they shipped.

The malware is such cunningly structured by the hackers, that it displays ads and spam on a cell phone, on endless Android smartphones and stays undetected for long.

Google, in a rather detailed blog post, clarifies "Triada infects device system images through a third-party during the production process. Sometimes OEMs want to include features that aren't part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development...Based on analysis; we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada."

The activities of Triada were first discovered by Kaspersky Labs through the two posts which had stayed profound into the workings of the malware, first was back in March 2016 and the other in a consequent post in June 2016.

What makes this Trojan progressively perilous is simply the way that it hides itself from the list of applications running and installed on the Android smartphone, making it unimaginable for the anti-virus applications and anti-malware applications to identify it, then again it makes it hard for the framework to distinguish if a peculiar or an undesirable procedure is running in the background.

Triada is additionally known to modify the Android's Zygote process too.

Google, upon finding out about the functions and workings of Triada in 2016, had immediately removed the malware from all devices utilizing Google Play Protect. In any case, the malevolent actors amped up their endeavors and discharged a much smarter version of the Trojan in 2017.

What's more, since this more 'smarter version' was implanted in the system libraries it could furtively download and run noxious modules. The most concerning fact being that it can't be erased utilizing the standard techniques and methods.

As indicated by a well-known software suite Dr.Web, the modified version of Traida is known to be found on several mobile devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

Many Android devices had pre-installed backdoor: Google

Earlier this year, Forbes reported how a banking Trojan called Triada had been found on a bunch of brand new budget Android smartphones. Google has now confirmed that threat actors did, indeed, manage to compromise Android smartphones with the installation of a backdoor as part of a supply chain attack.

Two years later, on Thursday, Google has now admitted that criminals in 2017 indeed managed to get an advanced backdoor preinstalled on Android devices, even before these left the factories of manufacturers.

The list of affected devices includes Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20.

To understand what has happened here, we need to go back to 2016 when Kaspersky Lab researchers first uncovered what they called one of the most advanced mobile Trojans Kaspersky malware analysts had ever seen. They named that Trojan "Triada" and explained how it existed mainly in the smartphone's random access memory (RAM) using root privileges to replace system files with malicious ones. Android phones were spotted to have Triada as a preloaded backdoor in 2017.

The firm, Dr. Web’s, researchers had found Triada embedded into one of the OS libraries and located in the system section. Not just that, the Trojan couldn’t be detected or deleted using standard methods.

Triada had, the researchers found, used a call in the Android framework log function instead. In other words, the infected devices had a backdoor installed. This meant that every time an app, any app, attempted to log something the function was called and that backdoor code executed. The Triada Trojan could now execute code in pretty much any app context courtesy of this backdoor; a backdoor that came factory-fitted.

The Mountain View, California-headquartered company initially removed Triada samples from all Android devices using Google Play Protect. But in 2017, it was found that Triada evolved and ultimately became a preloaded backdoor on Android devices. Notably, the latest phones aren't likely to be affected by what has been discovered by Google. The vulnerability did have an impact on various models in the past, though.

Google restricts Huawei’s access to Android apps





Google restricts the access of its Android operating system and apps for Chinese tech giant Huawei after US’s President Donald Trump administration blacklisted the firm.

The order not only impacted Google but the US chip-makers as well.  Intel Corp, Qualcomm Inc., Xilinx Inc., and Broadcom Inc. have all stopped doing business with the Chinese tech giant

"We are complying with the order and reviewing the implications," a Google spokesperson said on Monday. Huawei, the world's No. 2 smartphone seller, relies on a suite of Google services for its devices, including the Android system and the Google Play app store.

Huawei will now only be able to use the public version of Android and the new phones will not have Google play store, Gmail, and other services provided by Google.

The users who are now using the Huawei smartphones will not be affected by this order, but they won’t be able to update their phones. 

However, the Chinese tech company claim that for the last three years that have been working on their own operating system.

"Huawei has been building an alternative operating system just in case it is needed," said Huawei spokesperson Glenn Schloss. "We would like to be able to continue operating in the Microsoft and Google ecosystems," he added.

The company has bought Microsoft’s operating system license for its laptops and tablets. Meanwhile, Microsoft (MSFT) did not immediately respond to a request for comment.


Hackers Now Tricking Users with Fake Address Bars on Chrome



Hackers now take the aid of another and a rather refined phishing attack on Android Chrome only so to shroud the original address bar's screen space by showing its very own fake URL bar when the user scrolls down the site's page.

The fake address bar that relates with the phishing website page posed with real webpage URL by intercepting the original chrome bar. Typically, when users scroll down the site's page, the browser shrouds the URL bar and the page covers overlaps on it in light of the fact that the page is accessible to by means of a "trustworthy browser UI".

Here, the phishing site manhandles this procedure by displaying its very own fake URL bar that acted like an authentic one and trapped users to give away their own personal information.
Security researcher James Fisher exhibited this phishing attack by facilitating his own domain (jameshfisher.com), as he exploited the blemish in chrome browser for mobile.

Fisher used the HSBC domain (www.hsbc.com) as a fake URL bar to proceed with the said demonstration  and by utilizing a similar way the attackers resort to when they utilize any legitimate site, intercept the URL bar and steal the information.

Specialist call it as "scroll jail", when this attack gets even worse for wear, for the most part when the users look up the site page however again reach the first URL bar, here the attackers trap the users to never return on the original URL bar.

According to Fisher, the attack resembles in a dream in inception, the user believes that they're in their own browser, yet they're actually in a browser inside their browser.

 “Is this a serious security flaw? Well, even I, as the creator of the inception bar, found myself accidentally using it! So I can imagine this technique fooling users who are less aware of it, and who are less technically literate. The only time the user has the opportunity to verify the true URL is on page load, before scrolling the page. After that, there’s not much escape”, says Fisher, who is also of the believe that it might be a security flaw in Chrome browser causing the commotion.