Tag Archives: Android

Android Banking Trojans Now Include Ransomware

The newest generation of banking Trojans is now equipped with ransomware, creating a hybrid malware. The primary function of banking Trojans is still to collect login credentials for banking portals and instant messaging applications. However, with the addition of ransomware, cybercriminals are increasing the odds that they collect on every device that has been infected.

Mobile Banking Trojans

If you own a smartphone, it’s very likely you also have a bank card. Since banks use mobile phone numbers for authorization, it makes sense for cybercriminals to penetrate this channel of communication to execute payments and transfers from your account. Banking Trojans are the most prominent mobile threat, constituting over 95% of mobile malware. Over 98% of mobile banking Trojan attacks target Android devices, which should also come as no surprise, as Android is the most popular platform for mobile devices.

How do cybercriminals infiltrate Android devices with banking Trojans? Trojans are less dangerous than viruses because they require action on the user’s end; however, through social engineering, cybercriminals lure users into performing such actions. Trojans can mimic applications and prompt the user to run an important update or activate a bonus level for their favorite game. Exploits are also able to run the malware automatically once the user accidentally executes the malicious file. Once the malware is installed, there are three major methods that banking Trojans employ:

  • Hiding Text Messages: Malware on the phone hides incoming SMS from banks and forwards them to cybercriminals, who then proceed to transfer money to their own accounts.
  • Small Cash Movements: Cybercriminals occasionally transfer relatively small amounts of money from an infected user’s account to fraudulent accounts, hoping it won’t be noticed so that they can continue to do so.
  • App Mirroring: Malware mimics a bank’s mobile application and gathers login credentials on the infected device. Once the credentials are gathered, cybercriminals are able to perform the two actions above.

Banking Trojans with Ransomware

Not all users who have been infected with an Android banking Trojan use banking applications, which is where the ransomware features come into play. The ransomware essentially acts as a backup plan for cybercriminals to increase their chances of extracting some form of payment from their victims.

Android.SmsSpy, Fanta SDK, and Svpeng are the first banking Trojans to add ransomware-like features to their malware: locking the user’s screen with a random PIN. This feature is meant to keep users busy while cybercriminals initiate fraudulent transactions. While the user is trying to figure out how to unlock their phone, hackers hope the victim will be too busy to see the text or email alerts they receive for large or fraudulent transactions on their bank account. This gives cybercriminals hours, or even days, to transfer the stolen money to different bank accounts and withdraw it from ATMs. By the time the theft is discovered, police will be unable to identify the criminals, as the money has likely been transferred through several fake bank accounts before being cashed out.

Faketoken and Tordow 2.0

Faketoken and Tordow 2.0 are the first to fully integrate ransomware into their banking Trojans. Faketoken’s primary function is to generate fake login screens for more than 2,000 financial applications in order to steal login credentials. The creators of Faketoken have now added the capability to encrypt user files stored on the phone’s SD card. Once the relevant command is received, the Trojan compiles a list of files located on the device and encrypts them.

Tordow 2.0 can make phone calls, control text messages, download and install programs, steal login credentials, access contacts, visit web pages, manipulate banking data, remove security software, reboot devices, rename files, encrypt files, and act as ransomware. To date, Tordow 2.0 has infected 16,000 devices in 27 countries with most of them located in Russia, Ukraine, Germany, and Thailand.

Once infected with the ransomware feature, victims will see something similar to the image below appear on their screens.

With the fully integrated ransomware feature, cybercriminals are targeting the least technically savvy users possible. If you think about it, encrypting files on a mobile device is essentially pointless. The point of ransomware is to encrypt files on a device and demand a ransom for the decryption key. However, many files stored on mobile devices are backed up by cloud services. Therefore, users who have been infected could simply wipe their phone clean and download all their files from the cloud service they use. If they haven’t backed up for a while, some data may be lost, but it typically wouldn’t be anything of great value.

Outlook

It’s still very early in the development of banking Trojans paired with ransomware. Thus, the encryption of files is likely to serve the same purpose as locking users’ screens: to give cybercriminals time to perform fraudulent transfers before users can figure out how to restore their mobile phones.

We recommend that Android users only install applications from the official Google Play store and make sure that their phones don’t allow the installation of applications from unknown sources. Lastly, it’s a good idea to read user reviews and only download highly rated applications.

Scary iPhone malware that steals your data is a reminder no platform is ever safe.


If you haven’t done so already, go and update your iPhone, iPad or iPod touch to iOS 9.3.5 right now. To update, go to Settings > General > Software Update.

It may not seem urgent because it’s only a “point release,” but the update is crucial or you risk having all of your data secretly stolen by invisible malware that can install itself on your device and even uninstall itself without leaving any traces behind.

Two reports from the New York Times and Motherboard published on Thursday detail how three major security holes, patched via the update, could be exploited by hackers to track and steal practically all of the private data on your iOS device.

According to both reports, Ahmed Mansoor, a human rights activist from the United Arab Emirates, discovered the vulnerabilities when he received a suspicious text message with a link that would have provided “new secrets about torture of Emiratis in state prisons.”

Had Mansoor clicked on the link, he would have been directed to a website that would have exploited all three security holes and installed malware onto his iPhone, giving remote hackers full access to his device.

Thankfully, Mansoor didn’t click the link. Instead, he alerted Citizen Lab, an interdisciplinary lab based at the Munk School of Global Affairs at the University of Toronto that focuses its research on the intersection of human rights and security.

Citizen Lab identified the link as belonging to NSO Group, an Israel-based “cyberwar” company reportedly owned by American venture capital firm Francisco Partners Management, which sells spyware solutions to government agencies.

Along with additional research from cybersecurity firm Lookout, it has been revealed that the three exploits (dubbed “Trident”) are “zero-day” level, meaning the malware kicks in immediately as soon as it’s activated (in this case, once the link is opened, the malware automatically installs itself and starts tracking everything).

“Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” write Bill Marczak and John Scott-Railton, two Citizen Lab senior researchers.

According to Lookout, the software is highly flexible and can be configured in a number of ways to target different countries and apps:

The spyware capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others. The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete.

Upon discovery, the two organizations immediately notified Apple and the iPhone maker immediately got to work on iOS 9.3.5, which was released on Thursday.

Though Trident and the type of malware NSO sells (called “Pegasus”) are mainly used by governments to target dissidents, activists and journalists in volatile countries like the United Arab Emirates, Mexico, Kenya, Mozambique, Yemen and Turkey, they can be used to target any iOS device.

The very idea of having all your data stolen without any real effort should scare everyone into updating their iOS devices.

As we’ve entrusted our smartphones and tablets with more and more of our personal data, it’s more important than ever to always be running the latest software with the most up-to-date security patches to prevent digital spying and theft.

Quicker to protect iOS than Android

It took 10 days for Apple to release an update to close the holes after Citizen Lab and Lookout alerted the company.

Ten days may seem like a long time, but when you compare it to how long it would take for Android devices to get updated for such a critical patch, it’s like hyper speed.

One of the benefits of iOS is its tightly integrated software and hardware. Because there are fewer devices and they all run the same core software, Apple can test and deploy security updates quickly and easily with fewer chances of something going wrong.

Android, on the other hand, is fragmented into tens of thousands of distinct devices, and customized in too many versions for even the most diehard Android fan to remember. This makes it extremely challenging for phone makers to test and release updates that plug dangerous security holes quickly.

Google’s Nexus devices are quicker to get software updates because they all run stock Android and Google can push them out in a similar way to Apple. Same goes for Samsung and its Galaxy phones.

But there’s often little incentive for Android phone makers to update their devices. Software maintenance is costly and that’s why you’ll see many Android devices from lesser-known brands either update their phones months or years later or never at all.

No platforms are ever truly secure

The publication of these security flaws, and how serious it could be to fall victim to them, invites another conversation: media portrayal.

Android bears the brunt when it comes to being portrayed as the less secure platform, but as this case shows, no matter which platform is really more secure, all platforms are susceptible to hackers.

Security is an ongoing and never-ending battle between phone makers like Apple and Google and hackers. It’s a constant cat-and-mouse game where each side is always one step ahead or behind the other.

Had Mansoor not alerted Citizen Lab, the Trident exploit would have continued to exist without anyone knowing. Lookout believes the malware has existed since iOS 7. NSO Group’s Pegasus malware can also be used to target Android and BlackBerry devices.

While no platform will ever be truly secure, updating to the latest version of your phone’s software is the best way to remain safe.


Dozens of Malicious Apps on Play Store can Root & Hack 90% of Android Devices

It’s not at all surprising that the Google Play Store hosts a large number of malicious apps that lure users into falling victim to them, but this time it is even worse than most people realize.

Researchers at Trend Micro have detected a family of malicious apps, dubbed ‘Godless,’ that has the capability of secretly rooting almost 90 percent of all Android phones.

Well, that’s slightly terrifying.

The malicious apps are distributed via different methods and a variety of app stores, including the Google Play Store, which is usually considered a safe option for downloading apps.

The malicious apps packed with Godless contain a collection of open-source or leaked Android rooting exploits that work on any device running Android 5.1 Lollipop or earlier.

90% Android Devices are Vulnerable to Godless Rooting Malware

The Android ecosystem is so broken that around 90 percent of all Android devices are vulnerable to this malicious software. Godless apps have already been installed on more than 850,000 devices worldwide so far.

Rooting a device could expose a user to several security risks, as it practically opens the door to unwanted access, hardware failure, data leaks and information theft, and so on, if the developer has malicious intent.

Based on the source code they analyzed, Trend Micro researchers say that once an app with Godless malware is installed on a victim’s device, it uses a framework known as “android-rooting-tools” to gain root access to the victim’s device.

From there, the malware will make sure the victim’s screen is turned off before executing the malicious code.

Here’s what a Godless-Packed App can do to your Device:

Once Godless has gained root privileges, it starts communicating with a command and control (C&C) server, from which it receives a list of apps to be installed on the rooted device, and installs them without the user’s knowledge; all of this can be done remotely as well.

“With root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices,” Trend Micro says. “This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users.”

The researchers say the malware has the ability to bypass security checks done by the Google Play store and other online app stores.

Although there are several apps in Google Play, including utility apps like flashlights, Wi-Fi apps, and popular game apps, that contain the malicious Godless code, Trend Micro has identified only one such Android app by name.

Dubbed Summer Flashlight, the malicious app had been installed from 1,000 to 5,000 times, and was recently removed from the Google Play store, but it’s still listed in search engine caches for the time being.

Godless is the latest Android malware to use rooting exploits in order to gain a persistent foothold on victims’ handsets. Based on the graphic, most victims are located in India, followed by Indonesia, and Thailand (9.47 percent). The US also has around 17,000 Godless downloads.

“Unknown developers with very little or no background information may be the source of these malicious apps,” Trend Micro notes.

So, in order to avoid falling victim to such an app, Android users are advised to avoid using third-party app stores and always “review the developer” when downloading apps, even from Google’s official store.
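Two of the posts above reduce to a concrete version threshold a defender can check against a device inventory: the iOS post says devices below 9.3.5 still lack the Trident fix, and the Godless post says the bundled rooting exploits work on Android 5.1 or earlier, with “unknown sources” installs being the other setting the first post tells users to disable. The script below is an added example, not code from the articles or from Trend Micro, Citizen Lab or Lookout; the `Device` record, the field names and the inventory rows are constructed for illustration, and it assumes those fields are exported from whatever MDM or asset tool you actually use. It compares versions numerically (so 9.10 is newer than 9.3.5, which a string comparison would get wrong) and reports, per device, which of the thresholds from the posts it fails.

```python
"""
Posture check against the thresholds stated in the posts above:
  - iOS below 9.3.5: Trident (the three NSO/Pegasus holes) unpatched.
  - Android 5.1 or earlier: within reach of the rooting exploits Godless carries.
  - Android with "unknown sources" enabled: sideloading allowed.
Inventory rows and field names are constructed for this example (assumption).
"""
from dataclasses import dataclass
from typing import List, Tuple

IOS_MIN_PATCHED = "9.3.5"        # from the iOS post: update closes Trident
ANDROID_GODLESS_MAX = (5, 1)     # from the Godless post: 5.1 Lollipop or earlier


@dataclass
class Device:
    name: str
    platform: str                 # "ios" or "android"
    os_version: str               # e.g. "9.3.5", "6.0.1"
    unknown_sources: bool = False # Android "Unknown sources" toggle (assumed export field)
    root_indicators: bool = False # e.g. su binary present (assumed export field)


def parse_version(version: str) -> Tuple[int, ...]:
    """'9.3.5' -> (9, 3, 5). Numeric compare, so (9, 10) > (9, 3).
    A non-numeric suffix such as '7.1.2-beta' ends the parse at that component."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than b; '5.1' is treated as '5.1.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def assess(device: Device) -> List[str]:
    """Return the list of threshold failures for one device (empty = nothing to report)."""
    findings: List[str] = []
    if device.platform == "ios":
        if version_lt(device.os_version, IOS_MIN_PATCHED):
            findings.append(f"iOS {device.os_version} is below {IOS_MIN_PATCHED}: Trident unpatched")
    elif device.platform == "android":
        # Godless targets 5.1 and earlier, so compare major.minor only (5.1.1 still counts).
        if parse_version(device.os_version)[:2] <= ANDROID_GODLESS_MAX:
            findings.append(f"Android {device.os_version} is 5.1 or earlier: exposed to Godless rooting exploits")
        if device.unknown_sources:
            findings.append("installs from unknown sources are enabled")
    else:
        findings.append(f"unknown platform {device.platform!r}: not assessed")
    if device.root_indicators:
        findings.append("root indicators present: treat as compromised, do not trust banking apps on it")
    return findings


def assess_fleet(devices: List[Device]) -> dict:
    """Map device name -> findings, keeping only devices with at least one finding."""
    return {d.name: assess(d) for d in devices if assess(d)}


# Constructed inventory for demonstration (not real devices).
SAMPLE_FLEET = [
    Device("ipad-finance-01", "ios", "9.3.4"),
    Device("iphone-ceo", "ios", "9.3.5"),
    Device("android-field-07", "android", "5.1.1", unknown_sources=True),
    Device("android-field-12", "android", "6.0.1"),
    Device("android-kiosk", "android", "4.4.4", root_indicators=True),
]

if __name__ == "__main__":
    for name, findings in assess_fleet(SAMPLE_FLEET).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The major.minor comparison for Android is deliberate: the post says “5.1 Lollipop or earlier”, so 5.1.1 must still be flagged, whereas the iOS threshold is an exact patch level and uses the full three-part compare.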