All posts in “malware”

‘Agent Smith’ Android malware infected 25M devices

Image: Jaap Arriens/NurPhoto via Getty Images


PCMag.com is a leading authority on technology, delivering Labs-based, independent reviews of the latest products and services. Our expert industry analysis and practical solutions help you make better buying decisions and get more from technology.

A new strain of Android malware has infected 25 million devices and modified legitimate apps with a malicious ads module, according to a report by the security company Check Point.

It’s believed the malware originated from a Chinese internet company that helps Chinese Android developers publish and promote their apps in foreign markets. The malware was disguised as Google-related updaters and “vending modules,” which hid their own app icons and silently replaced already-installed legitimate apps with trojanized versions without the user knowing. This led the researchers to name the malware “Agent Smith,” because its behavior resembles that of the character of the same name in the film The Matrix.

The malware first appeared in popular third-party app store 9Apps and targeted mostly Indian, Pakistani and Bangladeshi users. However, of the 25 million affected devices, 303,000 infections were detected in the US, and 137,000 in the UK.

Apps that were modified include WhatsApp, Opera Mini and Flipkart, as well as software from Lenovo and SwiftKey. The malware detected which apps were installed, patched them with a malicious ads module, and then re-installed them on the device. To the user, it simply looks like the app is being updated as expected. Once the update is complete, the malware’s operator profits from the newly injected ads.

Check Point believes the same malware could also be used for more malicious purposes such as credit card theft, with the company’s report stating, “due to [the malware’s] ability to hide its icon from the launcher and impersonates any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user’s device.”

The security firm says it submitted its data to Google and to law enforcement agencies, and as of publication no malicious apps remain on the Play Store. Nevertheless, the malware survived as long as it did because, although the Android vulnerability Agent Smith relied on was patched years ago, developers did not update their applications accordingly.

Malware like this, “requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time,” Check Point says.


This article originally published at PCMag.

What CISOs need to learn from WannaCry

In 2017 — for the first time in over a decade — a computer worm ran rampage across the internet, threatening to disrupt businesses, industries, governments and national infrastructure across several continents.

The WannaCry ransomware attack became the biggest threat to the internet since the Mydoom worm in 2004. On May 12, 2017, the worm infected millions of computers, encrypting their files and holding them hostage to a bitcoin payment.

Train stations, government departments, and Fortune 500 companies were hit by the surprise attack. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Earlier this week we reported a deep-dive story into the 2017 cyberattack that’s never been told before.

British security researchers — Marcus Hutchins and Jamie Hankins — registered a domain name found in WannaCry’s code in order to track the infection. It took them three hours to realize they had inadvertently stopped the attack dead in its tracks. That domain became the now-infamous “kill switch” that instantly stopped the spread of the ransomware.

As long as the kill switch remains online, no computer infected with WannaCry will have its files encrypted.

But the attack was far from over.

In the days following, the researchers were attacked by an angry botnet operator who pummeled the domain with junk traffic to try to knock it offline, and two of their servers were seized by police in France, who thought the servers were contributing to the spread of the ransomware.

Worse, their exhaustion and lack of sleep threatened to derail the operation. The kill switch was later moved to Cloudflare, which has the technical and infrastructure support to keep it alive.

Hankins described it as the “most stressful thing” he’s ever experienced. “The last thing you need is the idea of the entire NHS on fire,” he told TechCrunch.

Although the kill switch is in good hands, the internet is just one domain failure away from another massive WannaCry outbreak. Just last month two Cloudflare failures threatened to bring the kill switch domain offline. Thankfully, it stayed up without a hitch.

CISOs and CSOs take note: here’s what you need to know.

How Marcin Kleczynski went from message boards to founding anti-malware startup Malwarebytes

Marcin Kleczynski is a shining example of the American dream.

A Polish-born immigrant turned naturalized citizen, Kleczynski grew up in the Chicago suburbs spending much of his time on computers and the early days of the world wide web. He couldn’t afford to buy computer games; instead, he downloaded them from the internet — and usually malware along with it. Frustrated that his computer’s anti-malware didn’t prevent the infection, he took to seeking help from security message boards to troubleshoot and remove the malware by hand.

That’s where Kleczynski thought he could do better, and so he founded Malwarebytes.

In early 2008, his company’s first anti-malware product was released. To no surprise, the very people on the message boards who helped Kleczynski recover his computer were the same championing his debut software. So much so that Kleczynski hired one of the people from the message board who helped him rid the malware from his computer as one of his first employees. Within months, Malwarebytes was turning over a couple of hundred thousand dollars, Kleczynski told TechCrunch.

By August came the question of whether he would run his company or go to university.

“After about a 15-second conversation with my mother, she quickly informed me that I would be attending university,” he said.

And so he did both.

Fast-forward to today, the company is a multi-million dollar anti-malware giant serving 150 million consumer customers and 50,000 paying small to medium-sized business and enterprise customers from its five offices — two in the U.S., as well as Estonia, Ireland and Singapore.

Scammers use tax-themed emails to infect PCs with malware

Image: Getty Images/iStockphoto



Watch out for tax scams popping up in your email inbox. They can often be rigged to secretly install malware onto your computer.

As the April 15th filing deadline approaches, IBM says it’s recently detected a wave of tax-themed phishing messages targeting both businesses and personal email addresses. The emails have been crafted to deliver a Trojan called Trickbot, which can steal bank account information from your internet sessions.

According to IBM, the scammers have been delivering the Trickbot Trojan by pretending to send emails from well-known payroll and HR firms such as Paychex and ADP. Unlike shoddy spam email campaigns, the messages from the scammers will generally be free of spelling or grammar mistakes.

The same messages will also come from legitimate-looking email addresses such as “@adpnote.com” or “@paychex.mail.” But in reality, the domains are actually under the scammers’ control.

Image: ibm

“The messages were quite simple, only claiming to contain an attachment of tax or billing records,” IBM said in a report, documenting the attacks. “To reinforce the illusion of legitimacy, the signatures of each of the emails mimic typical business signatures, including a name, job title and contact details, as well as mock email footers that the cybercriminals may have copied from legitimate business emails.”

Image: ibm

Victims fooled by the official-looking emails will open the attachment without realizing it has been rigged to deliver the Trickbot malware to their computer. The attachment appears to be a Microsoft Excel document, but it actually contains a hidden macro designed to download and execute Trickbot’s malicious code on the PC.

Although Trickbot has been largely used to steal banking login credentials from victims, it can be used to cause all kinds of mayhem. “If your computer is infected with TrickBot, the cybercriminals operating it have complete control and can do just about anything they wish on your device, including spreading to other computers on your network and emptying your company’s bank accounts, potentially costing millions of dollars,” IBM said.

The infection also runs among the PC’s background processes, so most users probably won’t even be aware that anything is wrong. But once activated, the Trojan can take over the PC’s browser to redirect you to look-alike banking webpages that the scammers have designed to steal your login information.

According to IBM, the scammers have been busy sending their tax-themed messages since late January. To stay safe, the company encourages users to disable macros by default in Office documents. If you do choose to enable macros for a document, make sure whoever sent it is a trusted source.

Image: screenshot/pcmag

Microsoft has also noticed tax-themed phishing messages targeting users. Some of them will include an Office document in the attachment that even tries to trick you into enabling macros. For instance, the attachments will claim your software is out-of-date or needs to be updated for security purposes.
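One way to put IBM’s “disable macros by default” advice into practice on a Windows endpoint, as an added example that is not from the PCMag or IBM report: the script below writes Excel’s per-user macro policy to the registry and then reads it back to confirm the hardened state. It assumes an Office 2016/2019/365 installation (version key `16.0`) and the documented `VBAWarnings` values (2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification); the function names are the author’s own.

```powershell
# Added example (not the article's or IBM's code): enforce "macros disabled by
# default" for Excel via the per-user Office policy keys, then verify the result.
# Assumption: Office 2016/2019/365, whose policy hive uses the "16.0" version key.
$ExcelSecurity = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'

function Set-ExcelMacroPolicy {
    param(
        # Documented VBAWarnings values: 2 = disable with notification (Office
        # default), 3 = disable except digitally signed, 4 = disable all silently.
        [ValidateSet(2, 3, 4)] [int] $VbaWarnings = 4,
        # Block macros in files carrying the Mark-of-the-Web (downloaded or
        # saved from e-mail), which is how a phishing attachment arrives.
        [bool] $BlockInternetMacros = $true
    )
    if (-not (Test-Path $ExcelSecurity)) {
        New-Item -Path $ExcelSecurity -Force | Out-Null
    }
    New-ItemProperty -Path $ExcelSecurity -Name 'VBAWarnings' `
        -PropertyType DWord -Value $VbaWarnings -Force | Out-Null
    New-ItemProperty -Path $ExcelSecurity -Name 'blockcontentexecutionfrominternet' `
        -PropertyType DWord -Value ([int]$BlockInternetMacros) -Force | Out-Null
}

function Test-ExcelMacroPolicy {
    # Returns $true only when macros cannot be enabled with a single click
    # (VBAWarnings 3 or 4) and internet-sourced macros are blocked outright.
    $p = Get-ItemProperty -Path $ExcelSecurity -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }
    return ($p.VBAWarnings -ge 3) -and ($p.blockcontentexecutionfrominternet -eq 1)
}

Set-ExcelMacroPolicy -VbaWarnings 4
if (Test-ExcelMacroPolicy) { 'Excel macro policy enforced' }
else { 'Excel macro policy NOT enforced' }
```

For a fleet, the same values belong in a Group Policy object under Computer or User Configuration rather than a per-machine script, so the “enable editing / enable content” lure in the attachments described above has nothing to enable.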


This article originally published at PCMag.