All posts in “malware”

This new Android malware may be the most twisted yet


An interesting new type of malware has been uncovered, coded within two dozen Android apps that have accumulated hundreds of thousands of downloads in the Google Play store.

Android users who downloaded any of the apps embedded with this malware, dubbed “the Joker,” will need to check their credit card bills. Joker’s purpose, once deployed, is to sign its victims up for subscription services without their knowledge or consent. The malware was first detected by CSIS Security Group malware analyst Aleksejs Kuprins, who has been monitoring the malicious code and has published a detailed analysis of Joker.

According to Kuprins, the malware “delivers a second stage component, which silently simulates the interaction with advertisement websites, steals the victim’s SMS messages, the contact list and device info.” In other words, any user infected by Joker may also have had their phone’s text messages and contact list stolen.

But the simulated interactions are where Joker gets a bit more twisted.

“The automated interaction with the advertisement websites includes simulation of clicks and entering of the authorization codes for premium service subscriptions,” writes Kuprins. “For example, in Denmark, Joker can silently sign the victim up for a 50 DKK/week service (roughly ~6,71 EUR). This strategy works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for an SMS message with a confirmation code and extracting it using regular expressions. Finally, the Joker submits the extracted code to the offer’s webpage, in order to authorize the premium subscription.”

According to Lifehacker, the list of apps harboring the Joker malware includes Advocate Wallpaper, Age Face, Altar Message, Antivirus Security – Security Scan, Beach Camera, Board picture editing, Certain Wallpaper, Climate SMS, Collate Face Scanner, Cute Camera, Dazzle Wallpaper, Declare Message, Display Camera, Great VPN, Humour Camera, Ignite Clean, Leaf Face Scanner, Mini Camera, Print Plant scan, Rapid Face Scanner, Reward Clean, Ruddy SMS, Soby Camera, and Spark Wallpaper.

Kuprins says that in total, the 24 apps racked up more than 472,000 downloads in the Google Play store. The apps have since been removed from the store. Users who still have any of these apps installed on their phones should delete them.

According to the report, the current iteration of the Joker malware campaign appears to go back as far as June of this year. Kuprins notes that Google removed the apps before his security firm reached out to the company, so it appears that the tech giant has been monitoring the situation as well.

Malware has long been a problem plaguing Android devices. Facebook even went so far as to file a lawsuit last month against one developer whose malware-ridden Android app engaged in click fraud on the social media company’s ad network.

While other recent Android-targeted malware campaigns have had broader reach, such as “Agent Smith,” which has infected 25 million devices, Joker’s automated subscription attack certainly makes it among the more interesting.


Police hijack a botnet and remotely kill 850,000 malware infections

In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers.

The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. Although the malware was used to generate money, the malware operators easily could have run other malicious code, like spyware or ransomware. The malware also has wormable properties, allowing it to spread from computer to computer.

Since its first appearance, the cryptocurrency mining malware has spread across the world, including the U.S., Russia, and Central and South America.

According to a blog post announcing the bust, security firm Avast confirmed the operation was successful.

The security firm got involved after it discovered a design flaw in the malware’s command and control server. That flaw, if properly exploited, would have “allowed us to remove the malware from its victims’ computers” without pushing any code to victims’ computers, the researchers said.

The exploit would have dismantled the operation, but the researchers lacked the legal authority to push ahead. Because most of the malware’s infrastructure was located in France, Avast contacted French police. After receiving the go-ahead from prosecutors in July, the police went ahead with the operation to take control of the server and disinfect affected computers.

The French police called the botnet “one of the largest networks” of hijacked computers in the world.

The operation worked by secretly obtaining a snapshot of the malware’s command and control server with the cooperation of its web host. The researchers said they had to work carefully so as not to be noticed by the malware operators, fearing the operators could retaliate.

“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” the security company said. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”

With a copy of the malicious command and control server in hand, the researchers built their own replica, which disinfected victim computers instead of causing infections.

“[The police] replaced the malicious [command and control] server with a prepared disinfection server that made connected instances of Retadup self-destruct,” said Avast in a blog post. “In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the protocol design flaw.”

In doing so, the company was able to stop the malware from operating and remove the malicious code from over 850,000 infected computers.

Jean-Dominique Nollet, head of the French police’s cyber unit, said the malware operators generated several million euros worth of cryptocurrency.

Remotely shutting down a malware botnet is a rare achievement, and a difficult one to carry out.

Several years ago the U.S. government revoked Rule 41, which now allows judges to issue search and seizure warrants outside of their jurisdiction. Many saw the move as an effort by the FBI to conduct remote hacking operations without being hindered by the locality of a judge’s jurisdiction. Critics argued it would set a dangerous precedent to hack into countless computers on a single warrant from a friendly judge.

Since then the amended rule has been used to dismantle at least one major malware operation, the so-called Joanap botnet, linked to hackers working for the North Korean regime.

The computer worm that changed the world

The premiere episode of Kernel Panic takes viewers back to the very beginning: the world’s first major Internet attack. This groundbreaking malware was known as the Morris Worm, and in 1988 the virus spread across global networks, leaving significant outages and panic in its wake. The Morris Worm opened the world’s eyes to unforeseen vulnerabilities, planting the seeds of public mistrust that have steadily grown for decades and, today, are flourishing.

The untold stories behind the world’s worst cyberattacks

The misuse of technology has become the darkest danger of the digital age. In the new original video series Kernel Panic, Mashable and PCMag dive deep into the worst cybersecurity breaches of all time. From the very first computer worm in 1988 to the most dangerous malware the world has ever seen, Kernel Panic is an unsettling and eye-opening examination of the dramatic moments that shaped the digital world as we know it.

‘Agent Smith’ Android malware infected 25M devices

Image: Jaap Arriens/NurPhoto via Getty Images


A new strain of Android malware has infected 25 million devices and modified legitimate apps with a malicious ads module, according to a report by the security company Check Point.

It’s believed the malware originated from a Chinese internet company that helps Chinese Android developers publish and promote their apps in foreign markets. The malware was disguised as Google-related updaters and “vending modules,” which hid their own app icons and automatically replaced already-installed legitimate apps with their own versions without the user knowing. This led the researchers to name the malware “Agent Smith,” because its behavior resembles that of the character of the same name in the film The Matrix.

The malware first appeared in popular third-party app store 9Apps and targeted mostly Indian, Pakistani and Bangladeshi users. However, of the 25 million affected devices, 303,000 infections were detected in the US, and 137,000 in the UK.

Apps that were modified include WhatsApp, Opera Mini, Flipkart, as well as software from Lenovo and Swiftkey. The malware detected which apps were installed, patched them with a malicious ads module, and then re-installed them on the device. To the user, it simply looks like the app is being updated as expected. Once the update is complete, the malware’s owner can profit from the newly included ads.

Check Point believes the same malware could also be used for more malicious purposes such as credit card theft, with the company’s report stating, “due to [the malware’s] ability to hide its icon from the launcher and impersonate any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user’s device.”

The security firm says it submitted data to Google and law enforcement agencies, and as of publishing no malicious apps remain on the Play Store. Nevertheless, the malware managed to survive for as long as it did because, even though the vulnerability Agent Smith relied on was patched in Android years ago, developers did not sufficiently update their applications.

Malware like this “requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time,” Check Point says.


This article was originally published at PCMag.