Android Malware – Persian Version

Google Makes it Tough for Rogue App Developers Get Back on Android Play Store

Even after Google’s security oversight over its already-huge Android ecosystem has evolved over the years, malware apps still keep coming back to Google Play Store.

Sometimes just reposting an already detected malware app from a newly created Play Store account, or using other developers’ existing accounts, is enough for ‘bad-faith’ developers to trick the Play Store into distributing unsafe apps to Android users.

Since the mobile device platform is growing rapidly, every new effort Google makes apparently comes with trade-offs.

For example, Google recently made some changes in its Play Store policies and added new restriction in Android APIs that now makes it mandatory for every new app to undergo rigorous security testing and review process before appearing in the Google Play Store.

These efforts also include:

Unfortunately, many developers are not happy with the process, and handling of manually reviewed cases after the team of experts at Google made false-positive malware and policy violation detections and failed to timely respond developers on whether their apps meet policy requirements.

“When we began enforcing these new SMS and Call Log policies, many of you expressed frustration about the decision making process,” Sameer Samat, VP of Product Management, Android & Google Play says in a blog post.

Continuing its efforts over this ground, Google has now announced the company’s plan to adopt more detailed communication with developers, explaining why a decision was made, as well as offering improved and transparent evaluations and appeal process.

Google says the company is expanding its “team to help accelerate the appeals process.”

Besides this, Google has also planned to spend more time in reviewing Android apps by new developers before approving them to go live in Google Play Store in an effort to avoid taking decisions in error.

The review for an app from any new developer who doesn’t have a proven track record with the tech giant will now take “days, not weeks,” allowing the company to do “more thorough checks” before approving apps to publish over the Play Store.

“While the vast majority of developers on Android are well-meaning, some accounts are suspended for serious, repeated violation of policies that protect our shared users,” Android developers say in a blog post.

“While 99%+ of these suspension decisions are correct, we are also very sensitive to how impactful it can be if your account has been disabled in error.”

From now, those developer accounts disable in error can immediately appeal any enforcement, which will be carefully reviewed by the Android team. If the team discover that an error has been made, it will restore the account.

Let’s block ads! (Why?)

Link to original source

Scranos: New Rapidly Evolving Rootkit-Enabled Spyware Discovered

A new powerful rootkit-enabled spyware operation has been discovered wherein hackers are distributing multifunctional malware disguised as cracked software or trojanized app posing as legitimate software like video players, drivers and even anti-virus products.

While the rootkit malware—dubbed Scranos—which was first discovered late last year, still appears to be a work in progress, it is continuously evolving, testing new components and regularly making an improvement to old components, which makes it a significant threat.

Scranos features a modular design that has already gained capabilities to steal login credentials and payment accounts from various popular services, exfiltrate browsing history and cookies, get YouTube subscribers, display ads, as well as download and execute any payload.

According to a 48 page in-depth report Bitdefender shared with The Hacker News prior to its release, the malware gains persistence on infected machines by installing a digitally-signed rootkit driver.

Researchers believe attackers obtained the valid digital code-signing certificate fraudulently, which was originally issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd. and has not been revoked at the time of writing.

“The rootkit registers a Shutdown callback to achieve persistence. At shutdown, the driver is written to disk, and a start-up service key is created in the Registry,” the researchers say.

Upon infection, the rootkit malware injects a downloader into a legitimate process which then communicates with the attacker-controlled Command-and-Control (C&C) server and downloads one or more payloads.

Here we have listed a few data and password-stealing payloads:

Password and Browsing History Stealing Payload — The main dropper steals browser cookies and login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex. It can also steal cookies and login info from victims’ accounts on Facebook, YouTube, Amazon, and Airbnb.

Extension Installer Payload — This payload installs adware extensions in Chrome and injects malicious or malware-laden ads on all webpages users visit. A few samples also found installing fake browser extensions, such as Chrome Filter, Fierce-tips and PDF Maker.

Steam Data Stealer Payload — This component steals and sends victims’ Steam account credentials and information, including the list of installed apps and games, as well as hardcoded version, to the attacker’s server.

Malware Interacts with Facebook and YouTube on Victims’ Behalf

Some other payloads can even interact with various websites on the victim’s behalf, such as:

YouTube subscriber payload — This payload manipulates YouTube pages by running Chrome in debugging mode, instructing the browser to take various actions on a webpage like starting a video, muting a video, subscribing to a channel, and clicking ads.

Facebook Spammer Payload — Using collected cookies and other tokens, attackers can command malware to send Facebook friend requests to other users. It can also send private messages to the victim’s Facebook friends with links to malicious Android APKs.

Android Adware App — Disguised as the legitimate “Accurate scanning of QR code” app available on Google Play Store, the malware app aggressively displays ads, tracks infected victims and uses same C&C server as the Windows malware.

Scranos Steals Payment Information from Popular Websites

Here’s the list of DLLs contained in the main dropper:

Facebook DLL — This DLL extracts information about the user Facebook accounts including their payment accounts, their list of friends, and if they are an administrator of a page.

Amazon DLL — This DLL extracts information from the user’s Amazon account. Researchers even found a version of this DLL that has been designed to extract information from logged-in Airbnb accounts.

According to the telemetry gathered by Bitdefender researchers, Scranos is targeting users worldwide, but “it seems more prevalent in India, Romania, Brazil, France, Italy, and Indonesia.”

The oldest sample of this malware traced back to November 2018, with a massive spike in December and January, but in March 2019, Scranos was started pushing other strains of malware, which researchers say is “a clear indicator that the network is now affiliated with third parties in pay-per install schemes.”

Let’s block ads! (Why?)

Link to original source

'Exodus' Surveillance Malware Found Targeting Apple iOS Users

Cybersecurity researchers have discovered an iOS version of the powerful mobile phone surveillance app that was initially targeting Android devices through apps on the official Google Play Store.

Dubbed Exodus, as the malware is called, the iOS version of the spyware was discovered by security researchers at LookOut during their analysis of its Android samples they had found last year.

Unlike its Android variant, the iOS version of Exodus has been distributed outside of the official App Store, primarily through phishing websites that imitate Italian and Turkmenistani mobile carriers.

Since Apple restricts direct installation of apps outside of its official app store, the iOS version of Exodus is abusing the Apple Developer Enterprise program, which allows enterprises to distribute their own in-house apps directly to their employees without needing to use the iOS App Store.

“Each of the phishing sites contained links to a distribution manifest, which contained metadata such as the application name, version, icon, and a URL for the IPA file,” the researchers say in a blog post.

“All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L.”

Though the iOS variant is less sophisticated than its Android counterpart, the spyware can still be able to exfiltrate information from targeted iPhone devices including, contacts, audio recordings, photos, videos, GPS location, and device information.

The stolen data is then transmitted via HTTP PUT requests to an endpoint on the attackers controlled command and control server, which is the same CnC infrastructure as the Android version and uses similar communications protocols.

ios malware apple enterprise developer program

Several technical details indicated that Exodus was “likely the product of a well-funded development effort” and aimed to target the government or law-enforcement sectors.

“These included the use of certificate pinning and public key encryption for C2 communications, geo-restrictions imposed by the C2 when delivering the second stage, and the comprehensive and well-implemented suite of surveillance features,” the researchers say.

Developed by Italy-based company called Connexxa S.R.L., Exodus came to light late last month when white hat hackers from Security Without Borders discovered nearly 25 different apps disguised as service applications on Google Play Store, which the tech giant removed after being notified.

Under development for at least five years, Exodus for Android usually consists of three distinct stages. First, there is a small dropper that collected basic identifying information, like the IMEI and phone number, about the targeted device.

The second stage consists of multiple binary packages that deploy a well-implemented suite of surveillance functionalities.

Finally, the third stage uses the infamous DirtyCOW exploit (CVE-2016-5195) to gain root control over the infected phones. Once successfully installed, Exodus can carry out an extensive amount of surveillance.

The Android variant is also designed to keep running on the infected device even when the screen is switched off.

While the Android version of Exodus had potentially infected “several hundreds if not a thousand or more” devices, it’s not clear how many iPhones were infected by the iOS Exodus variant.

After being notified of the spyware by the Lookout researchers, Apple revoked the enterprise certificate, preventing malicious apps from being installed on new iPhones and run on infected devices.

This is the second instance in the past year when an Italian software company has been caught distributing spyware. Earlier last year, another undisclosed Italian firm was found distributing “Skygofree,” a dangerous Android spying tool that gives hackers full control of infected devices remotely.

Let’s block ads! (Why?)

Link to original source

First Android Clipboard Hijacking Crypto Malware Found On Google Play Store

A security researcher has discovered yet another cryptocurrency-stealing malware on the official Google Play Store that was designed to secretly steal bitcoin and cryptocurrency from unwitting users.

The malware, described as a “Clipper,” masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging to attackers, ESET researcher Lukas Stefanko explained in a blog post.

Since cryptocurrency wallet addresses are made up of long strings of characters for security reasons, users usually prefer copying and pasting the wallet addresses using the clipboard over typing them out.

The newly discovered clipper malware, dubbed Android/Clipper.C by ESET, took advantage of this behavior to steal users cryptocurrency.

To do this, attackers first tricked users into installing the malicious app that impersonated a legitimate cryptocurrency service called MetaMask, claiming to let users run Ethereum decentralized apps in their web browsers without having to run a full Ethereum node.

Officially, the legitimate version of MetaMask is only available as a web browser extension for Chrome, Firefox, Opera, or Brave, and is not yet launched on any mobile app stores.

However, Stefanko spotted the malicious MetaMask app on Play Store targeting users who want to use the mobile version of the service by changing their legitimate cryptocurrency wallet address to the hacker’s own address via the clipboard.

[embedded content]

As a result, users who intended to transfer funds into a cryptocurrency wallet of their choice would instead make a deposit into the attacker’s wallet address pasted by the malicious app.

“Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds,” Stefanko said.

“Android Clipper targeted Bitcoin and Ethereum cryptocurrency addresses when being copied in to clipboard and replaced them with the attacker’s wallet address. Once this transaction is sent, it can not be canceled.”

Stefanko spotted the malicious MetaMask app, which he believes was the first Android Trojan Clipper to be discovered on Play Store, shortly after its introduction to the app store on February 1.

Google took down the malicious app almost immediately after being notified by the researcher.

While the bitcoin price has been dropped steadily since hitting its all-time high in December 2017, there is no reduction (in fact rise) in the cryptocurrency scandals, thefts, and scams that continue to plague the industry.

Just last week, The Hacker News reported how customers of the largest Canadian bitcoin exchange QuadrigaCX lost $145 million in cryptocurrency after the sudden death of its owner who was the only one with access to the company’s cold (offline) storage wallets. However, some users and researchers are suggesting the incident could be an exit scam.

Let’s block ads! (Why?)

Link to original source

Several Popular Beauty Camera Apps Caught Stealing Users' Photos

Just because an app is available on Google Play Store doesn’t mean that it is a legitimate app. Despite so many efforts by Google, some fake and malicious apps do sneak in and land millions of unaware users on the hunting ground of scammers and hackers.

Cybersecurity firm Trend Micro uncovered at least 29 devious photo apps that managed to make its way onto Google Play Store and have been downloaded more than 4 million times before Google removed them from its app store.

The mobile apps in question disguised as photo editing and beauty apps purporting to use your mobile phone’s camera to take better pictures or beautify the snaps you shoot, but were found including code that performs malicious activities on their users’ smartphone.

Three of the rogue apps—Pro Camera Beauty, Cartoon Art Photo and Emoji Camera—have been downloaded more than a million times each, with Artistic Effect Filter being installed over 500,000 times and another seven apps in the list over 100,000 times.

Once installed, some of these apps would push full-screen advertisements on victim’s device for fraudulent or pornographic content every time the infected phone is unlocked, and some would even redirect victims to phishing sites in an attempt to steal their personal information by tricking them into believing they have won a contest.

29 Fake Android Apps – Ones to Look Out For

Another group of camera apps that specifically meant to beautify photos were actually found including malicious code that uploads user’s photos to an external remote server controlled by the app maker.

However, instead of displaying a final result with the edited photo, the app serves users with a fake update prompt in nine different languages which lead, again, to a phishing site.

“The authors can collect the photos uploaded in the app, and possibly use them for malicious purposes — for example as fake profile pics in social media,” Trend Micro researchers wrote in a blog post.

In an attempt to hide their activities, some of these apps used various methods, including hiding the app icon from the drawer/launcher, which would make it more difficult for regular users to spot and uninstall the offending apps.

After being made aware of the malicious apps, Google removed them from its Play Store, but this is unlikely to prevent malicious apps from plaguing the Android app store in the future.

Android malware continues to evolve with more sophisticated and never-seen-before capabilities with every passing day, and spotting them on Google Play Store doesn’t come up as a surprise.

The best way to prevent yourself from falling victim to such fishy applications in the future is always to download apps from trusted brands only, even when downloading from the official app store.

Moreover, look at the app reviews left by other users before downloading any app and avoid those that mention any suspicious behavior or unwanted pop-ups after installing.

Last but not least, always keep a good antivirus app on your Android device that can detect and block such malicious activities before they can infect your device, and keep them up-to-date.

Let’s block ads! (Why?)

Link to original source