Viruses and Worms

iOS jailbreak exploit published by Google

Sophos Naked Security - 12 December 2017 - 18:50
Has Google just given the crooks an early Christmas present?

Ransom email scam from ‘hitman’ demands: pay up or die

Sophos Naked Security - 12 December 2017 - 17:44
It's a horrible email scam that's supposed to scare the life out of you

Man apologizes after photo of ‘racist’ woman goes viral

Sophos Naked Security - 12 December 2017 - 17:08
A viral post that turned the internet into a torch-bearing mob.

Brrr! It's a snow day and someone has pwned the chuffin' school heating

The Register - Anti-Virus - 12 December 2017 - 16:02
Building management systems easily hackable – researchers

Britain's freezing weather has reanimated the issue of insecure building control systems.…

Category: Viruses and Worms

Coinbase: don’t expect to trade your cryptocurrency at busy times

Sophos Naked Security - 12 December 2017 - 14:45
It’s OK to be excited about Bitcoin and other digital currencies, according to Brian Armstrong, CEO of digital currency exchange Coinbase... just maybe not that excited.

Spies are watching… on LinkedIn

Sophos Naked Security - 12 December 2017 - 12:38
The young professionals portrayed in the LinkedIn listings are hot, enticing, and fictitious.

Why bother cracking PCs? Spot o' malware on PLCs... Done. Industrial control network pwned

The Register - Anti-Virus - 12 December 2017 - 11:56
Jumping the air gap

Security researchers have demonstrated a new technique for hacking air-gapped industrial control system networks, and hope their work will encourage the development of more robust defences for SCADA-based systems.…

Category: Viruses and Worms

Still Stealing

Kaspersky Securelist - 12 December 2017 - 11:00

Two years ago, in October 2015, we published a blog post about a popular malware family that was being distributed through the Google Play Store. Over the next two years we detected several similar apps on Google Play, but in October and November 2017 we found 85 new malicious apps on Google Play that steal credentials for VK.com. All of them are detected by Kaspersky Lab products as Trojan-PSW.AndroidOS.MyVk.o. We reported 72 of them to Google, which removed them from the Google Play Store; the other 13 had already been deleted. We also reported these apps, with technical details, to VK.com. One of them was masquerading as a game and, according to the Google Play Store, had been installed more than a million times.

One of the apps detected as Trojan-PSW.AndroidOS.MyVk.o was distributed as a game.

There were some other popular apps among them too – seven apps had 10,000-100,000 installations from Google Play and nine apps had 1,000-10,000 installations. All other apps had fewer than 1,000 installations.

App detected as Trojan-PSW.AndroidOS.MyVk.o on Google Play Store

Most of these apps were uploaded to Google Play in October 2017, but several were uploaded in July 2017, so they were being distributed for as long as 3 months. Moreover, the most popular app was initially uploaded to the Google Play Store in March 2017 without any malicious code – it was just a game. The cybercriminals only updated it with a malicious version in October 2017, having waited more than 7 months to do so!

Most of these apps looked like apps for VK.com – for listening to music or for monitoring user page visits.

App detected as Trojan-PSW.AndroidOS.MyVk.o on Google Play Store

Of course, such apps need the user to log in to an account – that's why they didn't look suspicious. The only apps whose functionality was not VK-related were games. Because VK is popular mostly in CIS countries, the cybercriminals checked the device language and asked for VK credentials only from users with certain languages – Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Belarusian, Kyrgyz, Romanian, Tajik, and Uzbek.

Code where a Trojan checks the device language.

These cybercriminals had been publishing their malicious apps on the Google Play Store for more than two years, so they had to modify their code to bypass detection. In these apps they used a modified VK SDK with tricky code: users logged in on the standard VK page, but the cybercriminals used malicious JS code to get the credentials from the login page and pass them back to the app.

Malicious code where a Trojan executes JS code to get VK credentials.

Then the credentials are encrypted and uploaded to the malicious website.

Code where a Trojan decrypts a malicious URL, encrypts stolen credentials and uploads them.

Interestingly, although most of these malicious apps had the functionality described above, a few of them were slightly different: they also ran malicious JS code from the onPageFinished method, but used it not only to extract the credentials but to upload them too.

Malicious code where a Trojan executes JS code to get and upload VK credentials
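As an added example (not code from Kaspersky or from the Trojan itself), the following Python triage heuristic scans decompiled Android source for the indicator combination the article describes: an onPageFinished hook that injects JavaScript into the login page, a JavaScript bridge back into the app, and a device-language gate on the listed languages. The two sample sources, the indicator names and the two-letter language codes are constructed assumptions for the example.

```python
import re
# ISO 639-1 codes for the article's language list (two-letter codes assumed).
CIS_LANGS = {"ru", "uk", "kk", "hy", "az", "be", "ky", "ro", "tg", "uz"}

# Indicators drawn from the article's description of the modified VK SDK.
INDICATORS = {
    "onpagefinished_hook": re.compile(r"void\s+onPageFinished\s*\("),
    "js_injection": re.compile(r'loadUrl\s*\(\s*"javascript:|evaluateJavascript\s*\('),
    "js_bridge": re.compile(r"addJavascriptInterface\s*\("),
    "language_check": re.compile(r"Locale\.getDefault\(\)\.getLanguage\(\)"),
    "upload": re.compile(r"HttpURLConnection|openConnection\s*\(|OkHttpClient"),
}

def gated_languages(source):
    """Two-letter string literals in the source that are CIS language codes."""
    return set(re.findall(r'"([a-z]{2})"', source)) & CIS_LANGS

def scan_source(source):
    """Map each indicator name to whether the decompiled source contains it."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    hits["cis_language_gate"] = hits["language_check"] and len(gated_languages(source)) >= 3
    return hits

def is_suspicious(hits):
    # Core pattern: JS injected from onPageFinished with a bridge back into the app,
    # combined with either the locale gate or a network upload path.
    core = hits["onpagefinished_hook"] and hits["js_injection"] and hits["js_bridge"]
    return bool(core and (hits["cis_language_gate"] or hits["upload"]))

# Constructed decompiled-Java sample with the shape of the pattern (not the
# Trojan's real code; the injected JavaScript is left as a placeholder).
SAMPLE_SOURCE = """
public class LoginClient extends WebViewClient {
    public void onPageFinished(WebView view, String url) {
        String lang = Locale.getDefault().getLanguage();
        if (lang.equals("ru") || lang.equals("uk") || lang.equals("kk")) {
            view.addJavascriptInterface(new Bridge(), "Bridge");
            view.loadUrl("javascript:Bridge.post(/* login form fields */)");
        }
    }
}
"""

# Constructed benign client: overrides onPageFinished only to hide a spinner.
BENIGN_SOURCE = """
public class PlainClient extends WebViewClient {
    public void onPageFinished(WebView view, String url) { spinner.setVisibility(View.GONE); }
}
"""
```

The heuristic deliberately requires the onPageFinished/JS-injection/bridge trio before the locale gate or upload path counts, so an ordinary WebViewClient that merely overrides onPageFinished is not flagged.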

We think the cybercriminals use the stolen credentials mostly for promoting groups on VK.com: they silently add users to various groups and thereby increase their popularity. We have reason to think so because some infected users complained that their accounts had been silently added to such groups.

Another reason to think so is that we were able to find several other apps on Google Play published by the same cybercriminals responsible for Trojan-PSW.AndroidOS.MyVk.o. They were published as unofficial clients for Telegram, a popular messaging app. All of them are detected by Kaspersky Lab products as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a. We notified Google about these apps too and they were removed from the Google Play Store.

App infected with not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a on Google Play Store

These apps were not only masquerading as Telegram apps; they were actually built using an open source Telegram SDK and work almost like every other such app, except for one thing – they add users to promoted groups/chats. These apps receive a list of groups/chats from their server. What's more, they can add users to groups at any time: to do so they steal the GCM token, which allows the cybercriminals to send commands 24/7.

We also discovered something interesting about the malicious website extensionsapiversion.space. According to KSN statistics, in some cases it was used for mining cryptocurrency via an API from http://coinhive.com.

CNC
  • space
  • guest-stat.com

Google's Project Zero reveals Apple jailbreak exploit

The Register - Anti-Virus - 12 December 2017 - 03:02
Holy Moley! iOS and MacOS were wholly holey

Ian Beer of Google's Project Zero has followed up on a “coming soon” Twitter teaser with a jailbreakable iOS and Mac OS vulnerability.…

Category: Viruses and Worms

Archive of 1.4 BEEELLION credentials in clear text found in dark web archive

The Register - Anti-Virus - 12 December 2017 - 02:05
Find shows people still suck at passwords

A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by security shop @4iQ.…

Category: Viruses and Worms

HP leaves accidental keylogger in laptop keyboard driver

Sophos Naked Security - 12 December 2017 - 01:35
HP didn't beat around the bush - when a researcher found a left-over keylogger, the company fessed up and fixed it fast. Result!

Vulnerability Found in Two Keyless Entry Locks

VirusList.com - 12 December 2017 - 00:34
Researchers are warning of a default-configuration vulnerability in the enterprise-class keyless entry products made by AMAG Technology.
Category: Viruses and Worms

Mailsploit: using emails to attack mail software

Sophos Naked Security - 11 December 2017 - 21:56
Mailsploit bugs allow attackers to bypass anti-spam protections and, in some cases, run hostile code

Leftover Debugger Doubles as a Keylogger on Hundreds of HP Laptop Models

VirusList.com - 11 December 2017 - 18:59
HP released an update that fixes debugger code that could allow an attacker to use a Synaptics Touchpad driver as a keylogger.
Category: Viruses and Worms

New Ruski hacker clan exposed: They're called MoneyTaker, and they're gonna take your money

The Register - Anti-Virus - 11 December 2017 - 18:58
Subtly named group has gone largely unnoticed until now

Security researchers have lifted the lid on a gang of Russian-speaking cybercrooks, dubbed MoneyTaker.…

Category: Viruses and Worms

Lifestyle pin-up site Pinterest: Hack attempts blamed on 'credential stuffing'

The Register - Anti-Virus - 11 December 2017 - 17:04
You might just have to wing it with that potpourri recipe

There’s a chill going around cyberspace with an upsurge of people concerned that their Pinterest account has been hacked.…

Category: Viruses and Worms

Lil Bub, a special-needs celebrity cat, gets hacked

Sophos Naked Security - 11 December 2017 - 14:51
The Instagram account of a kitty who suffers from extreme feline dwarfism and terminal cuteness has been hacked by somebody who says they're 11.

Blighty flogs Qatar a bunch of missiles and Typhoon fighter jets

The Register - Anti-Virus - 11 December 2017 - 14:09
And Hawk training aircraft as well. Just don't say 'despite Br-'

Qatar has agreed its long-awaited order for 24 British-built Eurofighter Typhoon fighter jets and a billion pounds' worth of missiles assembled in the UK to go with them.…

Category: Viruses and Worms

Hackers' delight: Mobile bank app security flaw could have smacked millions

The Register - Anti-Virus - 11 December 2017 - 13:33
Certificate pinning unpicked

Security researchers from the University of Birmingham, UK, last week went public about security shortcomings in mobile banking apps that leave millions of users at a heightened risk of hacking.…

Category: Viruses and Worms

Warrantless surveillance can continue until April, say Feds

Sophos Naked Security - 11 December 2017 - 13:15
Thought FISA Section 702 was due to bite the dust on New Year's Eve? Think again, say Trump's lawyers: you're stuck with it until the spring