Search This Blog

Showing posts with label Android. Show all posts

Hackers Can Use the SSID Stripping Flaw to Mimic Real Wireless APs

 

A group of researchers discovered what appears to be a new way for threat actors to mislead people into connecting to their wireless access points (APs). The method, called SSID Stripping, was revealed on Monday by AirEye, a wireless security company. It was discovered in conjunction with Technion - Israel Institute of Technology researchers.

Simply put, unwary users might be duped into connecting to hacker-created Wi-Fi hotspots. This vulnerability exposes users to data theft as well as access to their personal information on their devices. Because it affects nearly all software systems, including MS Windows, macOS, Apple iOS, Ubuntu, and Android, SSID Stripping has emerged as a serious concern. 

A user can see a connection that resembles the name of one of their trusted connections in an SSID Stripping attack, according to researchers. The catch is that the user must manually join the false network. The network, on the other hand, will get through the device's security restrictions since the original SSID name will be saved in the string the attacker has added, which the user won't be able to see on the screen. As a result, people will connect to the phoney AP.

“The SSID published by any AP in the proximity of a wireless client is processed by that client – regardless of whether there is any trust between the client device and the AP. Hence an attacker may attempt to include malicious payload within the SSID in an attempt to exploit a vulnerable client implementation,” researchers noted. 

They were able to create three different sorts of "display errors," as they call them. One of these entails adding a NULL byte into the SSID, which causes Apple devices to show just the portion of the name preceding this byte. To achieve the same effect on Windows machines, the attacker may utilize "new line" characters. 

Non-printable characters are used to represent the second sort of display error, which is more prevalent. Without notifying the user, an attacker may add unusual characters to the SSID's name. For example, instead of aireye_network, the attacker can show aireye_x1cnetwork, where x1c indicates a byte having a hex value of 0x1c. 

The third display error removes a section of the network name from the viewable region of the screen. In this case, an iPhone may show an SSID named aireye_networknnnnnnnnnnnrogue as aireye_network, eliminating the word rogue. This method, along with the second type of error, can successfully disguise the suffix of a rogue network name.

Cybercriminals Tricked Britons into Downloading Flubot Malware

 

Hackers are mimicking delivery services and sending phishing text messages to Britons in an attempt to get them to download the Flubot malware. It's capable of intercepting messages and stealing financial information. Three, one of the UK's most popular mobile networks, has issued a warning about a phishing scam that has reportedly affected all network operators. “Many people in the UK have been targeted with a text message that looks like it’s from a delivery service, or it may say that you’ve received a voicemail,” the company warned in a blog post.

The message instructs you to install an app in order to monitor a package or listen to voicemail. Some messages claim to be from DHL, Amazon, Asda, and Argos. If a victim is tricked into participating in the malicious campaign, the scammer has access to their entire Android smartphone. This includes the possibility of stealing credit card data and online banking login passwords. 

To evade detection, the attacker disables the Android OS's built-in protection and prevents the installation of many third-party security software packages, which many users would employ to remove unwanted malware. 

First, the victim receives an SMS message impersonating a well-known shipping logistics company, such as FedEx, DHL, or Correos. The message's call to action is for the user to click a link to download and install an app with the same familiar branding as the SMS message, but which is actually harmful and contains the FluBot malware.

FluBot, once installed and given the necessary rights, unleashes a slew of features, including SMS spamming, credit card and banking credential theft, and spyware. The contact list is taken from the device and sent to the threat actor's servers, giving them access to more personal information and allowing them to launch new attacks on other potential victims. 

SMS and notifications from telecom carriers can be intercepted, browser sites can be visited, and overlays can be presented to capture credentials. To prevent detection by the operating system's built-in security, the malicious app also disables Google Play Protect. 

According to Three, this fraud attack has impacted all network operators. Despite the fact that the majority of messages were blocked, a tiny number of Three subscribers may have received them. As a result, the company advises staying aware and being cautious when clicking on any links sent by text message. 

“If your device has been infected with the Flubot malware, you may have been charged for text messages over your plan. If so, we’ll arrange a refund for you as soon as possible,” the company stated.

UBEL is the Android Malware Successor to Oscorp

 

As part of a fresh campaign that began in May 2021, an Android malware that was discovered misusing accessibility features in the device to steal user credentials from European banking applications has morphed into an altogether new botnet. Oscorp, a mobile malware built to attack several financial targets with the purpose of stealing funds from unsuspecting users, was revealed by Italy's CERT-AGID in late January. 

The Oscorp malware, like other Android malware, convinces users to provide them access to the Android Accessibility Service, which allows them to read text on the phone screen, determine an app installation prompt, traverse through the permission list, and install apps on the user's behalf. “Not being able to access the private files of other applications, the actions of these malicious apps are “limited” to the theft of credentials through phishing pages, to blocking the device and possibly to the capture of audio and video,” read the advisory published by Italy’s CERT-AGID. 

Malicious SMS messages were used to spread the malware, with attackers pretending as bank operators to deceive targets over the phone and secretly get access to the infected device using WebRTC protocol, allowing them to execute unlawful bank transfers. While no fresh activities have been detected since then, it appears as Oscorp has returned after a brief hiatus in the shape of the UBEL Android botnet. 

"By analysing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple [threat actors]," Italian cybersecurity company Cleafy said on Tuesday, charting the malware's evolution. 

UBEL, like its predecessor, is marketed on underground forums for $980 and asks for invasive permissions that allow it to read and send SMS messages, record audio, install and delete apps, initiate itself automatically after system boot, and exploit Android accessibility services to collect confidential data such as login credentials and two-factor authentication codes, the results of which are exfiltrated back to a remote server. 

Once installed on the system, the malware tries to disguise itself as a service and hide its presence from the target, allowing for long-term persistence. Surprisingly, using WebRTC to communicate with the hijacked Android phone in real-time eliminates the requirement to enroll a new device and take over an account in order to commit fraud. 

"The main goal for this [threat actor] by using this feature, is to avoid a 'new device enrolment', thus drastically reducing the possibility of being flagged 'as suspicious' since device's fingerprinting indicators are well-known from the bank's perspective," the researchers said.

Pegasus: The Case of the Infamous Spyware

 

The case of the infamous spyware Pegasus has taken the world by storm, with news revealing its unlawful use infringing on many people's basic human rights. With such remote surveillance now accessible via an infected device, the issue of cybersecurity has grown more pressing than ever. According to sources from throughout the world, NSO Group's software was used to spy on around 50,000 people, including politicians, businessmen, journalists, and activists. 

Dmitry Galov, a security researcher at Kaspersky's GReAT, describes the Pegasus spyware's beginnings and how it differs from vulnerabilities. “Pegasus is a spyware with versions for both iOS and Android devices,” he explains. Even in 2017, the criminal had the ability to “read the victim's SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history, among other things.” To clarify, Galov argues that Pegasus is a sophisticated and costly malware. It was created with the intent of spying on people of particular interest. As a result, the typical user is unlikely to be a target. 

However, the spyware's sophistication makes it one of the most powerful tools for spying on one's smartphone. Pegasus has evolved over time to attack a number of zero-day vulnerabilities in Android and iOS. Although it tries to remove its own traces from an infected device, some of them can still be seen under forensic examination. According to Galov, many parties on the darknet can sell and buy malware as well as zero-day vulnerabilities. Vulnerabilities can cost up to $2.5 million - that's how much the whole chain of Android vulnerabilities was offered for, in 2019. 

Amnesty International researchers have created a toolkit that can assist consumers to determine whether their phone has been infected with spyware. The open-source toolkit has been made accessible on GitHub by Amnesty International. Users must first download and install a python package from the MVT (Mobile Verification Toolkit) website's documentation. It also contains advice on how to complete the procedure on both iOS and Android. Users must take a backup of their iOS device before launching MVT. 

According to Amnesty International, the goal of MVT is to make it easier to conduct a "consensual forensic study" of devices belonging to people who may be the victims of sophisticated mobile spyware attacks. “We do not want MVT to enable privacy violations of non-consenting individuals,” Amnesty said. “Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of adversarial forensics.”

Tim Cook Claims Android has 47 Times the Amount of Malware as iOS

 

During a live chat, Apple CEO Tim Cook stated that Android has more malware than iOS and that "sideloading" mobile software is not in the "best interests of users." Sideloading apps entails manually downloading and installing software over the Internet rather than from an app store. Apple's security and privacy would be ruined if it were compelled to enable side-loading programmes, as Android does, he stated on June 16 while speaking remotely at the VivaTech 2021 conference in Paris, France. 

When asked about the planned European law known as the Digital Markets Act (DMA), which attempts to prohibit big digital corporations from monopolizing their market position, Cook stated that Apple opposes it because it would require the company to allow consumers to install apps outside of the App Store. Cook also stated that Android has "47 times more malware" than Apple since iOS is created with a single app store. 

Explaining the reason, Cook added, "It's because we've designed iOS in such a way that there's one app store and all of the apps are reviewed prior to going on the store. And so that keeps a lot of this malware stuff out of our ecosystem, and customers have told us very continuously how much they value that, and so we're going to be standing up for the user in the discussions." 

Cook further claimed that the DMA's present language, which will compel side-loading on the iPhone, will "destroy the security" of the smartphone and many of the App Store's privacy measures. 

DMA targets firms with a huge user base, such as Apple, Google, and Amazon, and encourages them to open up their platforms to competitors. The proposed rule also intends to provide a more level playing field for businesses and individuals who rely on large "gatekeeper" online platforms to sell their goods and services in a single market. 

“We've been focusing on privacy for over a decade,” Cook stated when asked about Apple's commitment to privacy. “We see it as a basic human right. A fundamental human right. And we've been focused on privacy for decades. Steve used to say privacy was stating in plain language what people are signing up for and getting their permission. And that permission should be asked repeatedly. We've always tried to live up to that.”

Facebook Messenger Rooms Exploit Bypasses Android Screen Lock Protection

 

As a result of a security flaw in Facebook's Messenger Rooms video chat function, attackers are able to gain access to a victim's private Facebook photographs and videos, as well as submit posts, from their locked Android screen. Messenger Rooms, Facebook's newest video conferencing service, allows up to 50 individuals to video chat at the same time. You can converse for as long as you want, and you don't need a Facebook account to join a room. 

Rooms calls, like Zoom calls, are not secured end-to-end. Unless you change your preferences, the room will be open to anybody you're friends with on Facebook when you create it; they'll not only be able to join, but they'll also see it at the top of their News Feed. According to a proof-of-concept video supplied to Facebook with the vulnerability report, a user's Facebook account may be hacked by inviting them to a Messenger Room, then calling and answering the call from the target device before clicking on the chat function. 

Despite the fact that physical access to a victim's device is required, the assault could be carried out without the victim's smartphone or tablet being unlocked, earning Nepalese security researcher Samip Aryal a $3,000 bug bounty. 

Aryal's newest discovery was inspired by a similar Facebook Messenger flaw he discovered in October 2020, in which users' private, saved videos and watching history might be exposed during a Messenger call via the Watch Together function. The fault, which could be exploited by an attacker with physical access to a locked Android smartphone, was patched along with other comparable flaws by requiring users to unlock their phones before utilizing the impacted features. 

The researcher, who was logged into a Facebook account through a desktop PC, hosted a Messenger Room and invited an account that was active on an Android device to join. After entering the room with the 'malicious' account, he called the victim's device from the 'invited users' section, and the target, screen-locked smartphone began ringing within seconds. “I then picked up the call and tried all previously known sensitive features like ‘watch together’, ‘add people’, etc. but all of them needed to first unlock the phone before using them,” said Aryal. 

The discovery came when the researcher saw a request in the top right-hand corner of the call screen to ‘chat' with other participants. “I found that I could access all private photos/videos on that device without even unlocking the phone, as well as submit posts by clicking on the ‘edit’ option for any media”, he said.

167 Fake iOS & Android Trading Apps Brought to Light by Researchers

 

Sophos, a worldwide leader in cybersecurity, has found 167 fake Android and iOS apps that criminals have been using to rob people who still believe they have a very well, trustworthy financial trading, banking, or cryptocurrency application. A research article titled, ‘Fake Android and iOS apps disguised as trading and cryptocurrency apps,’ illustrates how criminals utilized social technology, fake web pages like a fake iOS App Slot, and an iOS app tester to deliver the fake apps to unsuspecting customers. 

Fake applications were investigated and the results showed that all were very similar to each other, as stated by Sophos researchers. Many have included the "chat" option to integrate customer service. When researchers attempt to communicate by using chat with support teams, answers were almost alike. They also discovered a single server loaded with 167 counterfeit trading and cryptocurrency applications. In combination, this indicates that, according to Sophos, all fraud might be carried out by the same party. 

In one of the scenarios examined, the scammers approached the customers through a dating app by creating a profile and exchanging messages with specific objectives before attempting to encourage them to download and add money and cryptocurrency to a counterfeit application. The attackers blocked access when their targets later tried to withdraw funds or close the account. 

In other instances, websites built to resemble a reputable company, such as a bank, have been able to attract the targets. To persuade the users to install an app from the genuine App Store, they have even developed a fake "iOS App Store" download page with fabricated customer reviews. 

When the visitors pressed upon the links to install fake apps for Android or iOS, something like a smartphone web app was obtained but was only a shortcut icon connected to a fake website. 

Technicians have also delivered fake iOS applications via third-party websites to encourage developers towards testing new applications with a small number of Apple device users before applying to the official App Store. 

“People trust the brands and people they know – or think they know – and the operators behind these fake trading and cryptocurrency scams ruthlessly take advantage of that,” said Jagadeesh Chandraiah, a senior threat researcher at Sophos. “The fake applications we uncovered impersonate popular and trusted financial apps from all over the world, while the dating site sting begins with a friendly exchange of messages to build trust before the target is asked to install a fake app. Such tactics make the fraud seem very believable.”

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s app store. Developers of popular apps often have a website, which directs users to the genuine app and, if they have the skills to do so, users should verify if the app they are about to install was created by its actual developer. Last, but not least, if something seems risky or too good to be true – high returns on investment or someone from a dating site asking you to transfer money or cryptocurrency assets into some ‘great’ account – then sadly it probably is,” he further added.

Sophos also recommends the user install an anti-virus program on the mobile device to defend Android and iOS devices from cyber attacks, like the Intercept X for Mobile.

Modem Vulnerabilty Attacks Android Phones, Steals Data and Records Calls

Google and Android manufacturers always aim to keep their hardware and software security robust. However, a vulnerability found in Qualcomm SoCs recently revealed by Check Point Research is quite frightening. The vulnerability can allow a harmful application to patch software with MSM Qualcomm modem chips, which gives the actor access to call logs and chat history and can even record conversations. Check Point Research's breaking down of vulnerability is quite technical. "QMI is present on approximately 30% of all mobile phones in the world but little is known about its role as a possible attack vector," the report says. 

In simple terms, it found vulnerabilities in QMI (Qualcomm Modem Interface) software modem layer and debugger service connections, that let the vulnerability to patch software dynamically and escape the general security mechanisms. General 3rd party applications do not have the safety mechanisms to gain access to QMI, however, if any more critical aspects are exploited in Android, the attack can prove beneficial. Researchers that found the vulnerabilities believe that harmful apps can secretly listen to your calls and also record them, unlock a sim card and even steal call logs and messages. 

Experts believe that the vulnerable QMI software found during the investigation might be present in around 40% of smartphones, from brands Google, LG, Xiaomi, OnePlus, Samsung, etc. Basic info regarding the methods used in the attack was explained by the experts, but the technicalities of the attack weren't mentioned in the report to prevent any malicious actor from learning how to use the vulnerabilities. Currently, no evidence suggests that the attack is being used in the open. 

Check Point Research says "we discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor. An attacker can use such a vulnerability to inject malicious code into the modem from Android. It gives the attacker access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations. A hacker can exploit the vulnerability to unlock the SIM, thereby overcoming the limitations of the service providers imposed on the mobile device."

Smishing Campaign: Roaming Mantis Attacks OS Android Systems With Malware

A smishing campaign which goes by the name Roaming Mantis is imitating a logistics firm to hack SMS messages and contact list of Android users from Asia since 2018. Last year, Roaming Mantis advanced its campaign impact by sending phishing URL messages and dynamic DNS services that attacked targets with duplicate Chrome extension "MoqHao." From the start of 2021, Mcafee Mobile Research Team has confirmed that the group is attacking users from Japan with the latest malware named SmsSpy. 

The corrupted code infects Android users that use either one of the two versions that depend upon variants of operating systems used by attacked systems. The phishing technique incorporated here shares similarities with earlier campaigns, still, the Roaming Mantis URL has the title "post" in composition. A different phishing message impersonates to be a Bitcoin handler and then takes the target to a malicious site (phishing) where the victim is requested to allow an unauthorized login attempt. 

McAfee reports, "During our investigation, we observed the phishing website hxxps://bitfiye[.]com redirect to hxxps://post.hygvv[.]com. The redirected URL contains the word “post” as well and follows the same format as the first screenshot. In this way, the actors behind the attack attempt to expand the variation of the SMS phishing campaign by redirecting from a domain that resembles a target company and service." Different malware, as a characteristic of the Malware distribution program, is sent which depends upon the Android OS variant that gained login to the phishing site. In Android OS 10 and later variants, malicious Google Play applications will get downloaded. In Android OS 9 and earlier variants, malicious Chrome applications will get downloaded. 

Because the infected code needs to be updated with each Android OS update, the malware actor targets more systems by spreading the malware that finds OS, instead of just trying to gain a small set with a single malware type. "The main purpose of this malware is to steal phone numbers and SMS messages from infected devices. After it runs, the malware pretends to be a Chrome or Google Play app that then requests the default messaging application to read the victim’s contacts and SMS messages," said McAfee.

40% of all Android Phones Affected by Qualcomm Snapdragon Vulnerability

 

Security scientists who believe that a weakness that can be used to insert malicious code mostly on mobile by using the Android operating system itself as a port of entry has recently been reported as a grave security flaw concerning Qualcomm mobile station modems (MSM). The impacted chip(s) would connect nearly 40% of all smartphones, such as Samsung and other OEM's high-end phones, in the world. 

Qualcomm MSM is a 2G, 3G, 4G, and 5G-capable Chip System (SoC) used by several vendors, such as Samsung, Google, LG, OnePlus, and Xiaomi, for approximately 40 percent of cell phones. 

"If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones," as per the Check Point researchers who found the vulnerability tracked as CVE-2020-11292. 

The security vulnerability can also allow attackers to activate the SIM module used to safely store the network authentication information and contact details on mobile devices. 

The criminals have to misuse a stack overflow vulnerability in the Qualcomm MSM Interface (QMI), which is being used by the cellular processors for interface with the software stack, to exploit CVE-2020-11292 and monitor the modem and remotely repair it from the application processor.

Malicious apps could then use the loophole to mask their activities from the modem chip on its own and effectively invisibly track malicious behavior using Android security features. 

"Going forward, our research can hopefully open the door for other security researchers to assist Qualcomm and other vendors to create better and more secure chips, helping us foster better online protection and security for everyone." 

Following the study, Qualcomm produced security patches to resolve the security problem CVE-2020-11292 and delivered them to all affected vendors in December 2020, two months later. Qualcomm's priorities are the availability of solutions supporting comprehensive safety and privacy. While in December 2020, Qualcomm Technologies provided OEMs with updates and they encourage end-users to upgrade their devices when patches are available. 

As Qualcomm sent the CVE-2020-11292 patches to OEMs last year, it ought to be safe against efforts to jeopardize any modernized devices for Android users with newer devices often receiving security and system updates. Unfortunately, it might not be that lucky for all those who didn't upgrade to a new smartphone promoting newer Android launches over the last few years. 

Given the reality, about 19% of all Android devices run Android Pie 9.0 (launched in August 2018) and over 9% Android 8.1 Oreo (launched in December 2017) as per the Stat Counter data. 

Last year Qualcomm rectified the Digital Signal Processor Chip (DSP), which allows attackers to monitor smartphones, spy on the users, and build immovable malware which can avoid detection, with much more vulnerabilities that could impact Snapdragon. 

KrØØk was also repaired by Qualcomm in July 2020, a security bug that can be used to decipher certain WPA 2 encrypted wireless network packets. In 2019, yet another bug was fixed which enabled access to sensitive data and two faults in the SoC WLAN firmware that permitted over the air compromise of the modem and kernel.

Flubot can Spy on Phones and can Gather Online Banking Details

 

Experts cautioned that a text message scam infecting Android phones is expanding across the UK. The message, which appears to be from a parcel delivery company and instructs users to download a tracking program, is actually a malicious piece of spyware. Flubot can seize over smartphones and spy on phones in order to collect sensitive data, such as online banking information. Vodafone, the network provider, said that millions of text messages had now been transmitted through all networks. 

Flubot is the name of malicious malware that attacks Android devices. Flubot is distributed by cybercriminals through SMS messages that include links to download websites for a bogus FedEx program (in at least three languages, including German, Polish, and Hungarian). These websites download a malicious APK file (Android Package File) that installs the banking malware Flubot. 

“We believe this current wave of Flubot malware SMS attacks will gain serious traction very quickly, and it's something that needs awareness to stop the spread," a spokesman said. Customers should "be extra cautious about this specific piece of malware,” he said, and avoid clicking on any links in text messages. 

Later, the National Cyber Security Centre (NCSC) provided guidelines on the threat, with instructions on what to do if you accidentally accessed the attacker's program. "If users have clicked a malicious link it's important not to panic - there are actionable steps they can take to protect their devices and their accounts," the NCSC said in a statement. The ransomware may also send further text messages to the contacts of an infected person, aiding its propagation. 

"The seriousness of these malicious text messages is underlined by Vodafone making the decision to alert its customers," said Ben Wood, chief analyst at CCS Insight. "This has the potential to become a denial-of-service attack on mobile networks, given the clear risk that a rogue application can be installed on users' smartphones and start spewing out endless text messages. The broader risk for users is a loss of highly sensitive personal data from their phones," he added. 

Although text message scams pretending to be from a package delivery company are popular, they have mainly focused on phishing, which involves tricking the recipient into filling out a form with personal information such as bank account numbers.

CERT-In Issues "High" Severity Rating Advisory for WhatsApp Threats

 

The Indian Computer Emergency Response Team (CERT-In) has cautioned WhatsApp clients in India of various vulnerabilities it identified in the instant messaging platform, which could lead to a breach of sensitive client information and personal information. In a "high" severity rating advisory, the CERT-In said that the vulnerabilities had been recognized in specific versions of WhatsApp and WhatsApp Business for both Android and iOS platforms. 

The Indian Computer Emergency Response Team (CERT-In) is an office inside the Ministry of Electronics and Information Technology of the Government of India. It is the nodal agency to deal with cybersecurity threats like hacking and phishing. It strengthens the security-related defense of the Indian Internet domain. A memorandum of understanding (MoU) was endorsed in May 2016 between the Indian Computer Emergency Response Team (CERT-In) and the Ministry of Cabinet Office, UK.

With the MoUs, participating nations can trade technical data on Cyber assaults, respond to cybersecurity incidents, and discover solutions to counter the cyber assaults. They can likewise trade data on predominant cybersecurity policies and best practices. The MoUs help to strengthen the cyberspace of signing countries, capacity building and improving relationships between them. 

"Multiple vulnerabilities have been reported in WhatsApp applications which could allow a remote attacker to execute arbitrary code or access sensitive information on a targeted system," the advisory said. Describing the risk in detail, it said that these vulnerabilities "exist in WhatsApp applications due to a cache configuration issue and missing bounds check within the audio decoding pipeline." 

"Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code or access sensitive information on a targeted system," it said. 

To forestall the danger, the government’s cybersecurity agency has requested that clients update their WhatsApp on Android and iOS to the most recent versions. This isn't the first occasion when that CERT-In has given a "high" severity rating advisory, cautioning clients of the presence of various vulnerabilities in the instant messaging platform.

In November 2019, CERT-In had cautioned WhatsApp clients about a buffer overflow vulnerability with the platform, which permitted an assailant to remotely target a system by sending a specially crafted MP4 audio or video file. The CERT-In had then cautioned that successful exploitation of this vulnerability would permit an attacker to cause remote code execution or denial of service condition for the clients.

Fleeceware apps earned over $400 million on Android and iOS

 

Researchers at Avast have found an aggregate of 204 fleece ware applications with over a billion downloads and more than $400 million in revenue on the Apple App Store and Google Play Store. The purpose of these applications is to bring clients into a free trial to "test" the application, after which they overcharge them through subscriptions which sometimes run as high as $3,432 each year. These applications have no unique functionality and are only conduits for fleece ware scams. Avast has reported the fleece ware applications to both Apple and Google for audit.

Fleece ware is a recently coined term that alludes to a mobile application that accompanies extreme subscription fees. Most applications incorporate a short free trial to attract the client. The application exploits clients who are inexperienced with how subscriptions work on cell phones, implying that clients can be charged even after they've erased the offending application.

The fleece ware applications found comprise predominantly of musical instrument apps, palm readers, image editors, camera filters, fortune tellers, QR code and PDF readers, and ‘slime simulators’. While the applications for the most part satisfy their expected purpose, it is far-fetched that a client would purposely want to pay such a significant recurring fee for these applications, particularly when there are less expensive or even free options available. 

It creates the impression that part of the fleece ware strategy is to target more youthful crowds through playful themes and catchy ads on famous social networks with guarantees of ‘free installation’ or ‘free to download’. The information is alarming: with almost a billion downloads and hundreds of millions of dollars in revenue, this model is drawing in more developers and there is proof to recommend a few famous existing applications have updated to incorporate the free trial subscription with high recurring fees.

Regardless of whether a client erases the application after they notice outgoing payments, this doesn't mean their subscription stops - which permits the developer to cash in further. Google and Apple are not answerable for refunds after a specific time-frame, and keeping in mind that the organizations may decide to refund as a goodwill gesture in some cases however they are not obliged to do so. Along these lines, the lone choices might be to attempt to contact developers directly or to demand a bank chargeback.

Rogue: An Android Malware That Gives Hackers Full Control Over a Phone

 

Another sort of Android malware that provides hackers with nearly-full access to a client's Android cell phone is doing rounds on underground forums. Colloquially known as 'Rogue' Remote Administration Tool (RAT), the malware infects victims with a keylogger – permitting attackers to effectively monitor the utilization of sites and applications to take usernames and passwords, just as more delicate data like a client's financial data. The malware, as per reports, is accessible on underground forums for as low as $29.99 (generally Rs 2,200).

This low-cost malware undermines a full-scale takeover of a victim's cell phone, observing the GPS area on the target, taking screenshots, utilizing the camera to take pictures, secretly recording sound from calls, and more. The virus does this while being hidden from the owner of the cell phone. All an attacker requires is their own cell phone to give commands on an infected device. This malware has been detailed by cybersecurity researchers at Checkpoint Research as a mix of two past groups of Android RATs - Cosmos and Hawkshaw - and exhibits the advancement of malware improvement on the dark web. 

Rogue is crafted by Triangulum and HeXaGoN Dev, known Android malware creators that have been selling their vindictive products on underground markets for quite a long while. For the development of Rogue, the malware creator evidently joined forces with HexaGoN Dev, which specializes in the building of Android RATs. Beforehand, Triangulum bought projects from NexaGoN Dev. "The mix of HeXaGon Dev's programming skills and Triangulum's social marketing abilities clearly posed a legitimate threat," Check Point's security researchers note.

While there is no single manner by which hackers introduce Rogue, it is normally pushed on a victim's cell phone either by phishing, malevolent applications, or other such techniques. In the wake of being downloaded on a cell phone, Rogue asks for permissions that it needs for the hacker to remotely get to a cell phone. When the permissions are in all actuality, Rogue registers itself as the device administrator and conceals its icon from the home screen. 

The best way to try not to succumb to this is to not click on suspicious links or download applications from outside sources other than Google Play and Apple App Store. Further, it is additionally imperative to ensure all security updates are installed on the device.

Fleeceware Apps Prey on Android Users

 

A fleeceware application isn't customary Android malware as it doesn't contain pernicious code. Rather, the danger comes from unnecessary subscription charges that it may not clearly specify to mobile clients. Fleeceware tricks a victim into downloading an application that intrigues them. At that point, the developer relies on the client overlooking the program as well as neglecting to see the actual subscription charge. These developers target more youthful clients who probably won't focus on the subscription details. The developer fleeces the victim by fooling them into paying cash for something they probably won't need. Chances are, they won't realize they have or they may have gotten somewhere else complimentary or free of charge.

In January 2020, SophosLabs uncovered that it had distinguished more than 20 fleeceware applications hiding out in the Android market place. These applications acquired an aggregate all out of more than 600 million installations. One of those applications charged clients $3,639.48‬ yearly, or $69.99 every week, for showing day by day horoscopes. A couple of months after the fact, Google updated its policies to guarantee that clients comprehended the full price of an application subscription when free trials and introductory offers end and how to deal with their application subscriptions. That didn't prevent a few people from endeavoring to get around Google's policies. In August 2020, Google eliminated some fleeceware applications for neglecting to incorporate a dismiss button and for showing subscription data in small, light font styles. 

Avast reported seven fleeceware applications to Google Play in mid-November. A large portion of these applications professed to offer Minecraft-related skins, maps, and additionally mods for the well-known game. Others offered skins for different games or advertised themes and wallpapers for Android devices. Utilizing those disguises, the entirety of the applications figured out how to pull in excess of 100,000 individuals before Avast found them. Five of them flaunted more than 1,000,000 downloads. 

Associations can help safeguard their clients against fleeceware applications, for example, by utilizing Mobile Device Management (MDM) to restrict the functionality of applications introduced on corporately owned cell phones. They can likewise utilize ongoing security awareness training and incorporate a list of permitted mobile applications and market places that employees can use on their cell phones.

Hackers Use Bugs To Attack iOS and Android Devices; Google Doesn't Disclose Details

 

Google's cybersecurity team found a cluster of high-end vulnerabilities in iOS, Windows, Android, and Chrome earlier this week. According to Google, these vulnerabilities were in high usage, which means hackers used them to carry out attacks. It is an alarming issue for cybersecurity. Besides this, the vulnerabilities share some similarities, says Motherboard. One can assume that the same cybercriminals exploited them. According to cybersecurity findings, few vulnerabilities hid in font libraries, few in chrome's sandbox to escape, and others controlled the systems. 

It means that the bugs belonged to a string of vulnerabilities used to attack user's devices. As of now, there's no concrete information about who the hacker is and their targets. Usually, whenever bugs are found, it is ethically disclosed to release security patches to fix the issue, before the hackers can exploit them. However, in the current case, it is confirmed that the hackers are using the bugs. In 2019, in a quite similar incident, google had found a string of vulnerabilities that hackers used to attack the Uighur community. In China, the government conducts a massive scale campaign of surveillance and monitoring on the Muslim community. 

Vice reports, "according to a source with knowledge of the vulnerabilities, all these seven bugs are related to each other, who asked to remain anonymous as they were not allowed to talk to the press." However, the experts don't have any information on the present situation, as Google hasn't disclosed anything about the vulnerabilities, the hackers, or the targets. Fortunately, Apple released iOS 12 (released in 2018) security patch, which can fix Apple devices up to the iPhone 5 series. 

It so happens that when a company releases a security patch that fixes old machines, it generally means that the bug is highly dangerous. Still, we can only assume, as no data is available. "In any case, some of these bugs were very critical and gave hackers a lot of power when they used them. The iOS bugs, for example, were so dangerous that Apple pushed updates not just for the current iOS 14, but also for the older, not usually supported, iOS 12," reports the Vice.

'InterPlanetary Storm' Botnet Now Targeting MAC and IoT Devices


First discovered in 2019, the InterPlanetary Storm malware has resurfaced with a new variant targeting Mac and Android along with Windows and Linux machines, as per the findings by researchers at IT security firm, Barracuda Networks.

The malware is known as ‘InterPlanetary Storm’ as it makes use of InterPlanetary File System (IFES) peer-to-peer (p2p) network - using a legitimate p2p network makes it difficult to identify the malicious traffic because it gets intermixed with legitimate traffic. The malware targets Windows machines and lets the attacker execute any arbitrary PowerShell code on the compromised systems.

“The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other IoT devices,” the researchers noted.

The earlier versions of the Interplanetary Storm malware that surfaced in May 2019 compromised Windows-based devices, however, by June 2019; the botnet could also infect Linux machines. The new versions with add-on capabilities attempt to infect machines via a dictionary attack, it’s a form of brute force attack technique that involves breaking into a password-protected system by systematically guessing passwords. The most recent version detected in August is configured to infect Mac along with IoT devices like televisions running the Android OS, as per a report published on Thursday by Barracuda Networks.

In the report, Erez Turjeman, a researcher with Barracuda, says, "The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other [internet of things] devices.” "The malware is called InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation," the report further notes.

"This allows infected nodes to communicate with each other directly or through other nodes (i.e., relays).”

The malware was found building a botnet that has infected approximately 13,000 devices in 84 different countries worldwide including the U.S., Brazil, Europe, and Canada. However, the majority of targets were based in Asia constituting a total of 64%. Infections found in South Korea, Taiwan, and Hong Kong amounted to a total of 59%. Russia and Ukraine constituted 8% to the total and United States and Canada did 5%. Rest, China and Sweden constituted 3% each.

WhatsApp to Allow Users to Sync Chat Between iOS and Android


When switching devices from Android to iOS or the other way round, users were not able to retain the chat histories despite the backup option as WhatsApp didn’t provide a means to synchronize chat histories between the two platforms. Although, for the iOS users the chat histories are backed up on the iCloud and similarly, for Android, Google’s cloud gets the work done as long as the platform remains unchanged, having a method to drag the backup to a new platform would add a lot more convenience to both the universes.

Facebook-owned WhatsApp has been working on a new feature aiming to resolve the issue pertaining to the syncing of chats across platforms; the company is planning to come up with a functionality that will allow users to use a single phone number, i.e., one account on multiple devices, as per the sources.

Reports suggest that WhatsApp could allow users to use a single account on four different devices simultaneously. However, as per the idea revolving around this new feature, a Wi-Fi facility will become a must for users as a lot of data will be required for the uploading and downloading of all the multimedia along with the messages, while syncing the chat histories between devices.

Notably, the development came in the wake of users' complaints and demand regarding being able to use one account on multiple devices. Once WhatsApp will securely copy the chat history to the other device, users will finally be able to use their account from it. During the process, the encryption keys will be changed and all active chats will be notified about the same.

Referencing from the report by WABetainfo, “When the user wants to use WhatsApp on a second device, there is the need to copy the chat history. In this case, WhatsApp always requires a Wi-Fi connection, because it may use a large amount of your data plan,”

“Note that any message will be delivered to all your family devices, so your chat history will be always synced across platforms, and when you use or remove a device, your encryption key changes,”

“In this case, WhatsApp Desktop was used for the test, but it will work on a second mobile device too, but it’s really possible that WhatsApp will allow mobile devices to be connected to your main device later than WhatsApp Desktop. Note that, using this feature, an Internet connection on your device will no longer be needed to use WhatsApp Desktop,” read the report. 

Welcome Chat App Harvesting User Data and Storing it in Unsecure Location


A messaging platform for Android, Welcome Chat spies upon its users and stores their data in an unsafe location that is accessible to the public. The authors of the app claim it to be available on the Google Play store, meanwhile, marketing it to be a secure platform for exchanging messages which however is not true by any means.

The website of the malicious 'Welcome Chat' app publicizes the platform as a secure communication Android solution, however, security researchers from ESET discovered the app being associated to a malicious operation having links to a Windows Trojan called 'BadPatch' which was employed by Gaza Hackers in a malicious campaign – a long-running cyber espionage campaign in the Middle-East. While the origins of the website advertising the app are unknown, the domain was registered by the developers in October 2019. Interestingly, the app doesn't only function as spyware but works perfectly as a chatting platform as well.

After downloading the app, users need to give permission for allowing installation from unknown sources as the app was not installed via the official app store. Once the Welcome Chat is activated, it asks permission to access the user's contacts, files, SMS, location details, and record audio. Although the list of permissions gets pretty exhaustive for a user to not doubt it, then again they are used to it, especially in case of a messaging platform.

As soon as the app receives all the permissions, it starts mining the victim's data which includes phone recordings, location details, SMS messages and sends it to the cybercriminals behind the malicious operation.

While giving insights about the app, Lukáš Štefanko, researcher at ESET, told, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” added Štefanko.

StrandHogg is Back and Stronger As a More Sophisticated Vulnerability


Android is vulnerable anew owing it to a new vulnerability which goes by the name of “StrandHogg 2.0”

That is right. StrandHogg is back and now has affected numerous Android devices putting over a Billion Android devices in jeopardy.

The vulnerability is a pretty typical way aids hackers disguise illegitimate applications as legitimate ones with the ultimate aim of making them grant permissions which could end up releasing really important information.

The posing applications then find a way to the users’ sensitive data that too in real-time. Surprisingly, the worst part about the vulnerability is that the users would have no idea at all that they have been attacked and they’d be completely unaware of the malicious applications on their device.

This vulnerability is referenced as “CVE-2020-0096” and is known by the name “StrandHogg 2.0”. This version aids the hackers to make more sophisticated attacks.

As of last year StrandHogg was already listening in on conversations and recording them, accessing login credentials, read/sending unwanted texts and with complete control of the photo album, call logs, and contacts.

Allegedly, StrandHogg 2.0 excepting the latest version of the Android 10 OS, exists on most Android devices.

As per sources, the Google website has it that from a minimum of 2 Billion Android users, just 16% of them have updated to Android 10 hence the rest are allegedly vulnerable.

To fight or prevent any mishap that could be caused by StrandHogg 2.0, steer clear off pop up notifications asking permission for sending notifications, messages, or other related things and applications asking to log in again despite being already logged in.

Due to the Coronavirus Pandemic, not as per usual, Google will be releasing its Android 11 Beta version via an online conference at the Google I/O. Reportedly this conference is scheduled for June 3, 2020.

Sources mention that this conference will be a fresh source for many new updates and news about official events. The schedule for the launching of Android 11 has been released and according to it Android 11 will undergo 3 Beta releases in the upcoming months that are June, July, and August. Word has it that the official version would finally hash out in or near October.