Viruses and Worms

It’s baaaack: Locky ransomware is on the rise again

Sophos Naked Security - 17 August 2017 - 12:45
Locky had been quiet until new variants started appearing last week. Here's what you need to know

Booking a Taxi for Faketoken

Kaspersky Securelist - 17 August 2017 - 11:00

The Trojan-Banker.AndroidOS.Faketoken malware has been known for more than a year. Over its lifetime it has worked its way up from a primitive Trojan that intercepted mTAN codes to an encrypter. The authors of its newer modifications continue to upgrade the malware, and its geographical spread is growing. Some of these modifications contain overlay mechanisms for about 2,000 financial apps. In one of the newest versions, we also detected a mechanism for attacking apps for booking taxis and paying traffic tickets issued by the Main Directorate for Road Traffic Safety.

Not so long ago, thanks to our colleagues at a large Russian bank, we detected a new Trojan sample, Faketoken.q, which contains a number of curious features.

Infection

We have not yet managed to reconstruct the entire chain of events leading to infection, but the application icon suggests that the malware sneaks onto smartphones via bulk SMS messages that prompt the recipient to download some pictures.

The malware icon

The structure of the malware

The mobile Trojan that we examined consists of two parts. The first part is an obfuscated dropper (verdict: Trojan-Banker.AndroidOS.Fyec.az); files like this are usually obfuscated on the server side in order to resist detection. At first glance, its code may look like gibberish:

However, this code works quite well: it decrypts and launches the second part of the malware. This is standard practice these days; unpacked Trojans are very rare.

The second part of the malware, a file with a DAT extension, contains the malware's main functionality. This data is stored encrypted:

Decrypting the data yields rather legible code:

Once launched, the Trojan hides its shortcut icon and starts monitoring all calls and every app the user launches. Upon receiving a call from (or making a call to) a certain phone number, the malware begins recording the conversation and sends the recording to the evildoers shortly after the call ends.

The code for recording a conversation

The authors of Faketoken.q kept the overlay features and simplified them considerably. The Trojan is capable of overlaying several banking and other applications, such as Android Pay, Google Play Store, and apps for paying traffic tickets and for booking flights, hotel rooms, and taxis.

Faketoken.q monitors the active apps and, as soon as the user launches a targeted one, substitutes its UI with a fake one that prompts the victim to enter his or her bank card data. The substitution happens instantaneously, and the colors of the fake UI match those of the original app.

It should be noted that all of the apps attacked by this malware sample support linking a bank card in order to make payments, and the terms of some of them make linking a bank card mandatory in order to use the service at all. As millions of Android users have these applications installed, the damage caused by Faketoken can be significant.

The following question may arise: how do the fraudsters process a payment if they have to enter an SMS code sent by the bank? The evildoers accomplish this by stealing incoming SMS messages and forwarding them to their command-and-control servers.

We are inclined to believe that the version we got our hands on is still unfinished, as the screen overlays contain formatting artifacts that make it easy for a victim to identify them as fake:

The screen overlays for the UI of a taxi-booking app

Because screen overlays are a documented feature widely used by a large number of legitimate apps (window managers, messengers, etc.), protecting yourself against such fake overlays is quite complicated, a fact that the evildoers exploit.

So far we have registered only a small number of attacks involving this Faketoken sample, and we are inclined to believe that it is one of its test versions. Judging by the list of attacked applications, the Russian-language UI of the overlays, and the Russian language used in the code, Faketoken.q is focused on attacking users in Russia and the CIS countries.

Precautions

To avoid falling victim to Faketoken and apps similar to it, we strongly discourage the installation of third-party software on your Android device. A mobile security solution such as Kaspersky Mobile Antivirus: Web Security & AppLock would also be helpful.

MD5

CF401E5D21DE36FF583B416FA06231D5

UK govt steams ahead with £5m facial recog system amid furore over innocents' mugshots

The Register - Anti-Virus - 17 August 2017 - 08:03
Contract ignores lack of strategy, growing criticism

The UK Home Office has put out to tender a £4.6m ($5.9m) contract for facial recognition software – despite the fact its biometrics strategy and retention systems remain embroiled in controversy.…

Category: Viruses and Worms

Bank IT fella accused of masterminding multimillion-dollar insider-trading scam

The Register - Anti-Virus - 17 August 2017 - 07:03
Consultant was all too app-y to break law, claim investigators

A banking IT expert orchestrated an insider-trading caper that raked in millions of dollars for him and his pals, it was claimed on Wednesday.…

Category: Viruses and Worms

Rowhammer RAM attack adapted to hit flash storage

The Register - Anti-Virus - 17 August 2017 - 06:27
Project Zero's two-year-old dog learns a new trick

It's Rowhammer, Jim, but not as we know it: IBM boffins have taken the DRAM-bit-flipping-as-attack-vector trick found by Google and applied it to MLC NAND Flash.…

Category: Viruses and Worms

NotPetya ransomware attack cost us $300m – shipping giant Maersk

The Register - Anti-Virus - 17 August 2017 - 00:15
IT crippled so badly firm relied on WhatsApp

The world's largest container shipping biz has revealed the losses it suffered after getting hit by the NotPetya ransomware outbreak, and the results aren't pretty.…

Category: Viruses and Worms

Locky Ransomware Variant Slips Past Some Defenses

VirusList.com - 16 August 2017 - 23:41
Ransomware called IKARUSdilapidated is managing to slip into unsuspecting organizations as an unknown file.
Category: Viruses and Worms

Disgraced US Secret Service agent coughs to second Bitcoin heist

The Register - Anti-Virus - 16 August 2017 - 21:04
Fox, meet henhouse

An ex-Secret Service agent who stole Bitcoins from the Silk Road dark web drugs bazaar he was supposed to be investigating has admitted stealing even more sacks of the digital currency.…

Category: Viruses and Worms

News in brief: micro robots heal mice; Scottish Parliament hacked; Google Allo on desktops

Sophos Naked Security - 16 August 2017 - 20:27
Your daily round-up of some of the other stories in the news

Flash’s Final Countdown Has Begun

VirusList.com - 16 August 2017 - 19:59
The impending demise of Adobe Flash will create legacy challenges similar to Windows XP as companies begin to wean themselves off the vulnerable code base.
Category: Viruses and Worms

Maersk Shipping Reports $300M Loss Stemming from NotPetya Attack

VirusList.com - 16 August 2017 - 19:33
A.P. Moller-Maersk said June's NotPetya wiper malware attacks would cost the world's largest shipping container company $300M USD in lost revenue.
Category: Viruses and Worms

Judge orders LinkedIn to stop blocking third-party use of your data

Sophos Naked Security - 16 August 2017 - 18:44
How do you feel about other companies scraping your public information from LinkedIn and monetizing it?

Who will own the data from your autonomous car?

Sophos Naked Security - 16 August 2017 - 18:00
If you're hoping that Congress will lock in protection for your privacy, you should probably lower your expectations

Google Removes Chrome Extension Used in Banking Fraud

VirusList.com - 16 August 2017 - 17:14
Google has removed the Interface Online Chrome extension from the Chrome Web Store. The plugin was used by criminals in Brazil to target corporate users with the aim of stealing banking credentials.
Category: Viruses and Worms

HBO Game Of Thrones leak: Four 'techies' arrested in India

The Register - Anti-Virus - 16 August 2017 - 15:27
GoT suspects cuffed

Four arrests connected with the leak of an unaired Game of Thrones episode have been made in India.…

Category: Viruses and Worms

Bot armies of fake followers are the footsoldiers of fake news

Sophos Naked Security - 16 August 2017 - 14:35
Actual humans are left in the dust by the army of bots who pick up and amplify fake news - but how should they be stopped?

Toronto woman joins the fight against creepshot image sites

Sophos Naked Security - 16 August 2017 - 13:11
There are tools that can help track down and take down stolen and creepshot images of women - but the challenge is a tough one

She's arrived! HMS Queen Lizzie enters Portsmouth Naval Base

The Register - Anti-Virus - 16 August 2017 - 12:59
65,000 tonnes and 4.5 acres of British sovereign territory – but is she worth it?

Pics Britain's newest warship, its biggest warship of all time, HMS Queen Elizabeth, entered Portsmouth Harbour for the first time this morning.…

Category: Viruses and Worms

Och. Scottish Parliament under siege from brute-force cyber attack

The Register - Anti-Virus - 16 August 2017 - 12:37
Unidentified hackers attempt to bust open email accounts

Hackers are trying to break into Scottish Parliament email accounts weeks after similar campaigns against Westminster.…

Category: Viruses and Worms