- Android -

Last update 04.10.2017 16:16:35


Google Boosts Protection of Backups in Android
18.10.2018 securityweek
Android

The latest Android iteration leverages Google Cloud’s Titan technology to better protect users’ backed-up application data, Google says.

The functionality combines Android’s Backup Service and Google Cloud’s Titan technology, ensuring that user privacy is maintained, the Internet giant explains.

Backed-up application data in Android 9 can only be decrypted by a key generated at the client and encrypted using the user's lock-screen PIN/pattern/passcode.

The passcode-protected key material is then encrypted to a Titan security chip on Google’s datacenter, which is configured to release the key only “when presented with a correct claim derived from the user's passcode.”

“Because the Titan chip must authorize every access to the decryption key, it can permanently block access after too many incorrect attempts at guessing the user’s passcode, thus mitigating brute force attacks,” Google reveals.

The Internet search company also says that custom Titan firmware, which cannot be updated without completely erasing the chip, is in charge of strictly enforcing the limited number of incorrect attempts. This should prevent access to a user's backed-up application data without the passcode.
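The passcode-gated key release described above, as an added illustrative model written for this page (not Google's Titan firmware or Android Backup Service code): the backup key is generated on the client, stored in the vault wrapped under a chip key that never leaves it, released only for a correct passcode-derived claim, and locked permanently after too many wrong claims. The attempt limit, the PBKDF2 claim derivation and the HMAC keystream used as a stand-in for the chip's key wrapping are all assumptions.

```python
"""Model of passcode-gated backup key release with a permanent attempt limit.

Assumed, illustrative design written for this page (not Google's Titan firmware
or the Android Backup Service). HMAC-SHA256 keystream XOR stands in for the
chip's key wrapping; PBKDF2 stands in for the client's passcode derivation."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000      # assumed client-side work factor


class TitanVault:
    """Models the datacenter chip: wrapped key material plus an attempt counter."""

    def __init__(self, max_attempts: int = 10):   # the limit is an assumption
        self._chip_key = secrets.token_bytes(32)  # never leaves the chip
        self._records = {}                        # user_id -> record dict
        self.max_attempts = max_attempts

    def _keystream(self, user_id: bytes, salt: bytes) -> bytes:
        return hmac.new(self._chip_key, b"wrap|" + user_id + salt,
                        hashlib.sha256).digest()

    def _xor_wrap(self, key: bytes, user_id: bytes, salt: bytes) -> bytes:
        # The same operation wraps and unwraps (pad is unique per enrollment).
        return bytes(a ^ b for a, b in zip(key, self._keystream(user_id, salt)))

    def enroll(self, user_id: bytes, claim: bytes, backup_key: bytes) -> None:
        """Store the client's key, encrypted to the chip and gated by the claim."""
        if len(backup_key) != 32:
            raise ValueError("backup key must be 32 bytes")
        salt = os.urandom(16)
        self._records[user_id] = {
            "salt": salt,
            "claim_digest": hashlib.sha256(salt + claim).digest(),
            "wrapped": self._xor_wrap(backup_key, user_id, salt),
            "failures": 0,
            "locked": False,
        }

    def is_locked(self, user_id: bytes) -> bool:
        return self._records[user_id]["locked"]

    def release(self, user_id: bytes, claim: bytes):
        """Return the backup key for a correct claim, otherwise None.

        Every release goes through the chip, so the counter cannot be bypassed
        by reading the wrapped record; once locked, the key is unrecoverable."""
        rec = self._records[user_id]
        if rec["locked"]:
            return None
        presented = hashlib.sha256(rec["salt"] + claim).digest()
        if not hmac.compare_digest(presented, rec["claim_digest"]):
            rec["failures"] += 1
            if rec["failures"] >= self.max_attempts:
                rec["locked"] = True          # permanent: there is no reset path
            return None
        rec["failures"] = 0                   # a correct claim resets the counter
        return self._xor_wrap(rec["wrapped"], user_id, rec["salt"])


class Client:
    """Models the device: generates the key and derives claims from the passcode."""

    def __init__(self, passcode: str):
        self.backup_key = secrets.token_bytes(32)   # generated at the client
        self.claim_salt = os.urandom(16)
        self._passcode = passcode

    def claim(self, passcode=None) -> bytes:
        pc = self._passcode if passcode is None else passcode
        return hashlib.pbkdf2_hmac("sha256", pc.encode(), self.claim_salt,
                                   PBKDF2_ROUNDS)


def run_scenario(passcode: str = "1234", max_attempts: int = 5) -> dict:
    """Enroll, recover once, exhaust the limit with wrong guesses, then retry."""
    vault, client = TitanVault(max_attempts), Client(passcode)
    user = b"user-1"
    vault.enroll(user, client.claim(), client.backup_key)
    recovered = vault.release(user, client.claim()) == client.backup_key
    # Constructed wrong guesses "0000" .. "0004"; none equals the real passcode.
    wrong = [vault.release(user, client.claim(f"{i:04d}")) for i in range(max_attempts)]
    return {
        "recovered_with_passcode": recovered,
        "wrong_guesses_rejected": all(r is None for r in wrong),
        "locked": vault.is_locked(user),
        "correct_passcode_after_lock": vault.release(user, client.claim()),
    }
```

After the limit is reached even the correct passcode no longer releases the key, which is the property the audit was asked to confirm.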

The setup, Google says, was meant to prevent all unauthorized access to the data, including by Google employees. The strong security stance this provides has already been verified through a security audit performed by NCC Group.

The audit, which looked into the Google Cloud Key Vault as a whole, did find issues (including two critical ones in the firmware, both immediately addressed), but concluded that Google has implemented mitigations for a broad range of attack scenarios (including internal threats) right from the design phase.

“NCC Group was impressed by both the well-rounded design and the high-quality code which took security into consideration. Numerous possible avenues of achieving a compromise were investigated and most of these ended with a determination that the design and implementation were already taking the particular attack into account and had sufficient mitigations,” NCC Group notes in their report (PDF).

According to Google, it aims to maintain transparency and openness through external reviews of its security efforts, so that users could feel safe when it comes to their data.

Last week, however, the company proved that it isn’t always as transparent, when it publicly revealed that it learned in March of a vulnerability in one of its APIs that exposed Google+ user data to any application using that API. Google chose not to disclose the issue for over six months.


Google Hardens Android Kernel
12.10.2018 securityweek
Android

Google this week revealed that Android’s kernel is becoming more resilient to code reuse attacks, courtesy of implemented support for LLVM’s Control Flow Integrity (CFI).

CFI support, Google says, was added to Android kernel versions 4.9 and 4.14 and the feature is available to all device vendors. However, Google Pixel 3, which was launched earlier this week, is the first device to take advantage of the new security mitigations.

One of the ways attackers achieve code execution without injecting executable code of their own, Google explains, is by abusing kernel bugs to overwrite a function pointer stored in memory. The method is popular against the kernel because of the large number of function pointers the kernel uses and the protections that make code injection difficult.

CFI, however, was designed to mitigate these attacks through additional checks applied to the kernel's control flow. While this still allows an attacker to change a function pointer if a bug provides write access to one, it significantly restricts the valid call targets, thus making exploitation more difficult.

LLVM's CFI implementation also requires Link Time Optimization (LTO), which in turn requires LLVM's integrated assembler for inline assembly. The GNU toolchain, which the Linux kernel relies on for assembling, compiling, and linking, will continue to be used for stand-alone assembly code.

“LLVM's CFI implementation adds a check before each indirect branch to confirm that the target address points to a valid function with a correct signature. This prevents an indirect branch from jumping to an arbitrary code location and even limits the functions that can be called,” Google explains.

Kernel modules, which are loaded at runtime and can be compiled independently from the rest of the kernel, add another complication to CFI; Google therefore implemented LLVM's cross-DSO CFI support in the kernel to ensure kernel modules are covered.

“When compiled with cross-DSO support, each kernel module contains information about valid local branch targets, and the kernel looks up information from the correct module based on the target address and the modules' memory layout,” Google explains.

The CFI checks add overhead to indirect branches, but aggressive optimizations mean that overall system performance actually improves by 1-2% in many cases.

CFI for arm64, Google notes, requires clang version 5.0 and higher, as well as binutils 2.27 and higher. The LLVMgold.so plug-in should also be available in LD_LIBRARY_PATH. Google has already added pre-built toolchain binaries for clang and binutils in AOSP, but says that upstream binaries can also be used.

The use of CFI comes with its own pitfalls, such as violations caused by function pointer type mismatches, which Google says it has encountered in large numbers. Address space conflicts can also arise, and CFI can be tripped by memory corruption errors that would otherwise result in random kernel crashes.
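The type-based check described in the CFI paragraphs above and the type-mismatch pitfall just mentioned, as an added illustrative model written for this page (not LLVM's implementation or the Android kernel's code): functions are grouped into a jump table per type, a function "address" is the pair (type_id, index), and the check before each indirect call confirms the target is an entry of the table for the type the call site expects. Using the Python signature text as the type id and the sample handler functions are assumptions.

```python
"""Toy model of LLVM-style forward-edge CFI built on per-type jump tables.

Assumed, illustrative model written for this page (not LLVM's implementation
or the Android kernel's code). The signature text stands in for LLVM's type id."""
import inspect
from typing import Callable, Dict, List, Tuple

Address = Tuple[str, int]


class CfiViolation(Exception):
    """Where a CFI-enabled kernel would panic (or only log, in permissive mode)."""


def type_id_of(fn: Callable) -> str:
    return str(inspect.signature(fn))


class CfiKernel:
    def __init__(self, permissive: bool = False):
        self.jump_tables: Dict[str, List[Callable]] = {}
        self.permissive = permissive
        self.violations: List[str] = []

    def register(self, fn: Callable) -> Address:
        """Link-time step: put fn in the jump table for its type, return its address."""
        tid = type_id_of(fn)
        table = self.jump_tables.setdefault(tid, [])
        table.append(fn)
        return (tid, len(table) - 1)

    def indirect_call(self, expected_tid: str, target: Address, *args):
        """The check inserted before an indirect branch, then the branch itself."""
        tid, idx = target
        table = self.jump_tables.get(expected_tid, [])
        if tid != expected_tid or not 0 <= idx < len(table):
            msg = f"CFI failure: {target} is not a valid target of type {expected_tid}"
            self.violations.append(msg)
            if not self.permissive:
                raise CfiViolation(msg)
            return None                      # permissive mode: log and skip the call
        return table[idx](*args)


# Constructed sample "kernel" functions (hypothetical names).
def ipv4_rcv(pkt: bytes) -> int:
    return len(pkt)


def ipv6_rcv(pkt: bytes) -> int:
    return len(pkt) * 2


def legacy_rcv(pkt) -> int:          # same role, slightly different declared type
    return len(pkt) + 100


def set_creds(uid: int, gid: int) -> int:   # unrelated type, attractive to an attacker
    return uid | gid


RCV_TYPE = type_id_of(ipv4_rcv)      # the type the call site was compiled for


def run_scenario() -> dict:
    k = CfiKernel()
    fp = k.register(ipv4_rcv)        # the function pointer stored in a kernel struct
    ipv6 = k.register(ipv6_rcv)
    legacy = k.register(legacy_rcv)
    creds = k.register(set_creds)
    results = {"normal": k.indirect_call(RCV_TYPE, fp, b"abc")}
    # Overwriting fp with another function of the same type is still allowed;
    # CFI restricts the target set, it does not remove the bug.
    results["same_type_swap"] = k.indirect_call(RCV_TYPE, ipv6, b"abc")
    for name, bad in (("wrong_type", creds), ("arbitrary_address", (RCV_TYPE, 99))):
        try:
            k.indirect_call(RCV_TYPE, bad, b"abc")
            results[name] = "allowed"
        except CfiViolation:
            results[name] = "blocked"
    # The pitfall: a legitimate function whose declared type does not match the
    # call site lands in a different table and trips CFI during normal operation.
    try:
        k.indirect_call(RCV_TYPE, legacy, b"abc")
        results["type_mismatch_pitfall"] = "allowed"
    except CfiViolation:
        results["type_mismatch_pitfall"] = "blocked"
    return results
```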

“If you are shipping a new arm64 device running Android 9, we strongly recommend enabling kernel CFI to help protect against kernel vulnerabilities. LLVM's CFI protects indirect branches against attackers who manage to gain access to a function pointer stored in kernel memory. This makes a common method of exploiting the kernel more difficult,” Google says.

The tech giant also plans on protecting function return addresses from similar attacks with the help of LLVM's Shadow Call Stack. This change, however, will be available in an upcoming compiler release.


Hide 'N Seek IoT Botnet Now Targets Android Devices
28.9.2018 securityweek
Android

After being observed targeting smart homes just two months ago, the Hide ‘N Seek Internet of Things (IoT) botnet is now capable of infecting Android devices.

First detailed in January by Bitdefender, the botnet originally targeted home routers and IP cameras, but later evolved from performing brute force attacks over Telnet to leveraging injection exploits, thus greatly expanding its list of targeted device types.

Featuring a decentralized, peer-to-peer architecture, the botnet was able to abuse the various compromise methods to ensnare over 90,000 unique devices by May.

In early July, Hide ‘N Seek was observed targeting OrientDB and CouchDB database servers, and the malware evolved into targeting a remote code execution vulnerability in HomeMatic Zentrale CCU2, the central element of Smart Home devices from the German manufacturer eQ-3.

Bitdefender now says that newly identified samples of the malware target the Android Debug Bridge (ADB) over Wi-Fi feature to infect devices.

Normally used for troubleshooting and supposedly disabled by default, ADB was found enabled on commercially available Android devices, exposing them to attacks on TCP port 5555. The issue resides with vendors neglecting to disable ADB when shipping devices.

“Any remote connection to the device is performed unauthenticated and allows for shell access, practically enabling attackers to perform any task in administrator mode,” Bitdefender Senior Cybersecurity Analyst Liviu Arsene points out.

Hide ‘n Seek, however, is not the first malware to target the Android devices found to be shipping with ADB enabled. In July, a botnet was observed attempting to ensnare these devices for crypto-currency mining purposes.

With the addition of this new capability, Hide ‘n Seek might be able to amass at least another 40,000 new devices, Arsene believes. Most of the potentially affected devices appear to be located in Taiwan, Korea and China, while some of them are in the United States and Russia.

While some of the devices with ADB enabled might be hidden behind routers, the fact that the routers themselves are among the most vulnerable Internet-connected devices suggests that it’s not only Internet-facing Android devices that are at risk.

“It’s safe to say that not just Android-running smartphones are affected — smart TVs, DVRs and practically any other device that has ADB over Wi-Fi enabled could be affected too,” Arsene notes.

He also points out that Hide ‘n Seek’s operators are likely seeking new means to ensnare as many devices as possible, although they haven’t revealed the true purpose of the botnet just yet.


QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks
28.9.2018 securityaffairs
Android

The QRecorder app in the Play Store impersonating a phone call and voice recording utility embedded a banking malware used to target European banks.
Security experts from ESET have discovered a malicious app in the official Google Play Store that impersonates a phone call and voice recording utility but was hiding banking malware used to target customers of European banks.

The malware, tracked as Razdel, is a variant of BankBot mobile banking Trojan.

According to Czech Television, the malicious code targets apps from Raiffeisen Bank, as well as ČSOB and Česká spořitelna.

Czech Police shared an identikit and pictures from an ATM security camera of a money mule withdrawing money from a Prague ATM using the affected victims' accounts.

The malware was hidden in the QRecorder app and, according to ESET security researcher Lukas Stefanko, the banking Trojan was downloaded and installed by over 10,000 users.


The malicious QRecorder app is able to intercept SMS two-factor authentication (2FA) messages and asks for permission to display overlays on top of legitimate bank apps to control what the user sees on the device.

To avoid raising suspicions, the malicious application correctly implements the audio recording features.

Stefanko discovered that the threat actor behind the operation sends commands to the app within 24 hours of installation; for example, it scans the device for specific banking apps.

The attacker leverages Google Firebase messages to communicate with compromised devices. If one of the targeted apps is installed on the device, the malware asks the user to activate the Accessibility service before downloading the payload, then uses that permission to automatically download and execute the malicious payload.

Once the malicious payload is downloaded, it sets triggers for legitimate banking apps. If one of the targeted apps is launched by the user, the malware displays an overlay to steal credentials.

“Before downloading payload it would request user to activate Accessibility service and using this permission it would automatically download, install and open malicious payload.” wrote Stefanko.

“Once payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched it would create similar like looking activity that overlays official app demanding credentials.”

According to an official statement from the Czech police, QRecorder infected five victims in the Czech Republic, stealing a total of over 78,000 Euros from their accounts.

The analysis of the code revealed that the QRecorder malware is able to monitor a large number of banks, including Air Bank, Equa, ING, Bawag, Fio, Oberbank, and Bank Austria.

One of the most interesting aspects of this malware is that the threat actor created different payloads for each targeted bank.

The QRecorder app has been removed from the official Android store. The original report includes a video showing how the app operates.


Google's Android Team Finds Serious Flaw in Honeywell Devices
18.9.2018 securityweek
Android

Members of Google’s Android team discovered that some of Honeywell’s Android-based handheld computers are affected by a high severity privilege escalation vulnerability. The vendor has released software updates that should address the flaw.

Honeywell’s handheld computers are advertised as devices that combine the advantages provided by consumer PDAs with high-end industrial mobile computers. These rugged devices run Android or Windows operating systems and they provide a wide range of useful functions and connectivity features, including Wi-Fi, Bluetooth and compatibility with Cisco products. The devices are used worldwide in the commercial facilities, critical manufacturing, energy and healthcare sectors.

According to ICS-CERT, the vulnerability found by Google employees affects 17 handheld computers from Honeywell, including CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series devices running various versions of Android, from 4.4 through 8.1.

If a malicious application makes its way onto an affected device, it can allow its creators to elevate privileges on the system and gain unauthorized access to sensitive information, including keystrokes, passwords, photos, emails, and business-critical documents.

“A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges,” ICS-CERT said in its advisory.


The flaw is tracked as CVE-2018-14825 and it has been assigned a CVSS score of 7.6, which makes it “high severity.” The national CERTs of several countries have published advisories to warn organizations about the vulnerability.

While the security hole has been found by Google’s Android team, Honeywell told SecurityWeek that the issue is specific to its products and it does not impact Android in general.

“Honeywell has identified a potential vulnerability on select versions of our rugged mobile computers and issued a software patch to update these devices.” Eric Krantz, a Honeywell spokesperson, said via email.

ICS-CERT provides a complete list of impacted devices and Android versions, along with the software releases containing a patch. In addition to applying the fixes, Honeywell has advised customers to whitelist trusted applications in an effort to limit the risk of malicious apps getting on devices.


Google Android team found high severity flaw in Honeywell Android-based handheld computers
18.9.2018 securityaffairs
Android

Experts at the Google Android team have discovered high severity privilege escalation vulnerability in some of Honeywell Android-based handheld computers.
Security experts from the Google Android team have discovered a high severity privilege escalation vulnerability in some of Honeywell Android-based handheld computers that could be exploited by an attacker to gain elevated privileges.

According to the vendor, Honeywell handheld computers combine the advantages of consumer PDAs and high-end industrial mobile computers into a single rugged package.

The rugged devices provide enhanced connectivity, including industry standard 802.11x, Cisco compatibility, and Bluetooth, and they are widely adopted in many sectors, including energy, healthcare, critical manufacturing, and commercial facilities.

The US ICS-CERT published a security advisory to warn of the vulnerability that affects several models of Honeywell Android handheld computers, including CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series.

The affected devices run various Android versions between 4.4 and 8.1.

“A vulnerability in a system service on CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series mobile computers running the Android Operating System (OS) could allow a malicious third-party application to gain elevated privileges.” reads the advisory published by the US ICS-CERT.

The flaw, tracked as CVE-2018-14825, received a CVSS v3 base score of 7.6.

Customers should whitelist trusted applications to avoid malicious apps accessing the devices with high privileges.

An attacker could exploit the flaw to gain elevated privileges and unauthorized access to sensitive information such as passwords and confidential documents.

“A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges.” continues the advisory.

“This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents.”


Android September 2018 Patches Fix Critical Flaws

10.9.2018 securityweek Android

Google has released its September 2018 security patches for Android, which resolve more than 50 vulnerabilities in the operating system.

The September 2018 Android Security Bulletin is split into two parts, the 2018-09-01 security patch level, which resolves 24 bugs, and the 2018-09-05 security patch level, which addresses a total of 35 bugs.

Five of the vulnerabilities patched with the 2018-09-01 security patch level were rated Critical severity. Three of these are elevation of privilege bugs that impact System, while the remaining two are remote code execution flaws in Media framework.

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.

Google also addressed High risk vulnerabilities in Android runtime, framework, Library, Media framework and System, as well as two Medium severity issues in Media framework and System.

Most of the addressed vulnerabilities impact Android versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.0, but some were only found to affect Android 8.0 and newer platform releases.

Of the 35 flaws addressed with the 2018-09-05 security patch level, 6 are rated Critical severity, 27 are High risk flaws, and two are considered Medium severity.

The bugs were found in Framework, Kernel components, Qualcomm components, and Qualcomm closed-source components.

Last month, Google said that monthly patches are the recommended best practice for Android manufacturers and revealed that it has developed security update testing systems to ensure that vendors don’t omit patches when releasing security updates.

“Devices that use the security patch level of 2018-09-05 or newer must include all applicable patches in this (and previous) security bulletins,” Google notes in its latest advisory.

Also released this month, the September 2018 Pixel / Nexus Security Bulletin addresses a total of 15 vulnerabilities in Kernel and Qualcomm components. All of the bugs are rated Medium severity, Google reveals.

The update includes a series of functional patches for Google devices as well. Thus, the firmware release improves battery charge in Retail Mode on Pixel 2 and Pixel 2 XL, and also improves SW Version reporting and audio quality over car speakers on Pixel, Pixel XL, Pixel 2, and Pixel 2 XL devices.


Android System Broadcasts Expose Device Information
5.9.2018 securityweek  Android

Android device details are being exposed to running applications via Wi-Fi broadcasts in the mobile operating system, Nightwatch Cybersecurity has discovered.

The exposed information includes the WiFi network name, BSSID, local IP addresses, DNS server information, and the MAC address. Normally, extra permissions are required to access such details, but Wi-Fi broadcasts allow all applications to capture the information, thus bypassing existing mitigations.

Furthermore, Nightwatch Cybersecurity’s researchers argue that the MAC address, which is tied to the hardware, can be used to “uniquely identify and track any Android device.” Information such as network name and BSSID allow for the geolocation of users, while other information can be leveraged for other attacks.

Tracked as CVE-2018-9489, the vulnerability was addressed in the recently released Android 9, but previous platform iterations continue to be impacted, the security firm says. Thus, all devices running those OS versions, including forks such as Amazon’s FireOS for the Kindle, are believed to be vulnerable.

The issue, the security researchers say, is that application developers neglect to implement restrictions or mask sensitive data when it comes to the use of “Intents” in their applications. These Intents are system-wide messages that both apps and the OS can send, and which other applications can listen to.

The Android platform, the security researchers explain, regularly broadcasts information about the WiFi connection and the WiFi network interface and uses WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION Intents for that.

“This information includes the MAC address of the device, the BSSID and network name of the WiFi access point, and various networking information such as the local IP range, gateway IP and DNS server addresses. This information is available to all applications running on the user’s device,” the researchers note.

Applications looking to access the information via the WifiManager would normally require the “ACCESS_WIFI_STATE” permission in the application manifest. Apps looking to access geolocation via WiFi require the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permissions.

Applications listening for system broadcasts, however, don’t need these permissions and can capture the details without the user’s knowledge. They can even capture the real MAC address, although it is no longer available via APIs on Android 6 or higher.

“We performed testing using a test farm of mobile device ranging across multiple types of hardware and Android versions. All devices and versions of Android tested confirmed this behavior, although some devices do not display the real MAC address in the “NETWORK_STATE_CHANGED_ACTION” intent but they still do within the “WIFI_P2P_THIS_DEVICE_CHANGED_ACTION” intent,” the researchers said.

Given that Google addressed the issue in Android 9 only, users are encouraged to upgrade to this platform iteration to ensure they remain protected.


BusyGasper – the unfriendly spy
31.8.2018 Kaspersky Android
In early 2018 our mobile intruder-detection technology was triggered by a suspicious Android sample that, as it turned out, belonged to an unknown spyware family. Further investigation showed that the malware, which we named BusyGasper, is not all that sophisticated, but demonstrates some unusual features for this type of threat. From a technical point of view, the sample is a unique spy implant with stand-out features such as device sensor listeners, including motion detectors that have been implemented with a degree of originality. It has an incredibly wide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver. Like modern Android spyware, it is also capable of exfiltrating data from messaging applications (WhatsApp, Viber, Facebook). Moreover, BusyGasper boasts some keylogging tools – the malware processes every user tap, gathering its coordinates and calculating characters by matching given values with hardcoded ones.

The sample has a multicomponent structure and can download a payload or updates from its C&C server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz. It is noteworthy that BusyGasper supports the IRC protocol which is rarely seen among Android malware. In addition, the malware can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.

This particular operation has been active since approximately May 2016 up to the present time.

Infection vector and victims
While looking for the infection vector, we found no evidence of spear phishing or any of the other common vectors. But some clues, such as the existence of a hidden menu for operator control, point to a manual installation method – the attackers used physical access to a victim’s device to install the malware. This would explain the number of victims – there are fewer than 10 of them and, according to our detection statistics, they are all located in Russia.

Intrigued, we continued our search and found more interesting clues that could reveal some detailed information about the owners of the infected devices. Several TXT files with commands on the attacker’s FTP server contain a victim identifier in the names that was probably added by the criminals:

CMDS10114-Sun1.txt
CMDS10134-Ju_ASUS.txt
CMDS10134-Tad.txt
CMDS10166-Jana.txt
CMDS10187-Sun2.txt
CMDS10194-SlavaAl.txt
CMDS10209-Nikusha.txt
Some of them sound like Russian names: Jana, SlavaAl, Nikusha.

As we know from the FTP dump analysis, the dump contained a system component from ASUS firmware, indicating the attacker’s interest in ASUS devices, which explains the victim file name that mentions “ASUS”.

Information gathered from the email account provides a lot of the victims’ personal data, including messages from IM applications.

Gathered file  Type     Description
lock           Text     Implant log
ldata          sqlite3  Location data based on network (cell_id)
gdata          sqlite3  Location data based on GPS coordinates
sdata          sqlite3  SMS messages
f.db           sqlite3  Facebook messages
v.db           sqlite3  Viber messages
w.db           sqlite3  WhatsApp messages

Among the other data gathered were SMS banking messages that revealed an account with a balance of more than US$10,000. But as far as we know, the attacker behind this campaign is not interested in stealing the victims’ money.

We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware.

Technical details
Here is the meta information for the observed samples, certificates and hardcoded version stamps:

Certificate 1
Serial Number: 0x76607c02
Issuer: CN=Ron
Validity: from Tue Aug 30 13:01:30 MSK 2016 to Sat Aug 24 13:01:30 MSK 2041
Subject: CN=Ron

MD5                               Module  Version
9e005144ea1a583531f86663a5f14607  1       –
18abe28730c53de6d9e4786c7765c3d8  2       2.0

Certificate 2
Serial Number: 0x6a0d1fec
Issuer: CN=Sun
Validity: from Mon May 16 17:42:40 MSK 2016 to Fri May 10 17:42:40 MSK 2041
Subject: CN=Sun

MD5                               Module  Version
9ffc350ef94ef840728564846f2802b0  2       v2.51sun
6c246bbb40b7c6e75c60a55c0da9e2f2  2       v2.96s
7c8a12e56e3e03938788b26b84b80bd6  2       v3.09s
bde7847487125084f9e03f2b6b05adc3  2       v3.12s
2560942bb50ee6e6f55afc495d238a12  2       v3.18s
It’s interesting that the issuer “Sun” matches the “Sun1” and “Sun2” identifiers of infected devices from the FTP server, suggesting they may be test devices.

The analyzed implant has a complex structure, and for now we have observed two modules.

First (start) module
The first module, which was installed on the targeted device, can be controlled over the IRC protocol and enables deployment of other components by downloading a payload from the FTP server:

@install command

As can be seen from the screenshot above, a new component was copied in the system path, though that sort of operation is impossible without root privileges. At the time of writing we had no evidence of an exploit being used to obtain root privileges, though it is possible that the attackers used some unseen component to implement this feature.

Here is a full list of possible commands that can be executed by the first module:

Command name Description
@stop Stop IRC
@quit System.exit(0)
@start Start IRC
@server Set IRC server (default value is “irc.freenode.net”), port is always 6667
@boss Set IRC command and control nickname (default value is “ISeency”)
@nick Set IRC client nickname
@screen Report every time when screen is on (enable/disable)
@root Use root features (enable/disable)
@timer Set period of IRCService start
@hide Hide implant icon
@unhide Unhide implant icon
@run Execute specified shell
@broadcast Send command to the second module
@echo Write specified message to log
@install Download and copy specified component to the system path
The implant uses a complex intent-based communication mechanism between its components to broadcast commands:

Approximate graph of relationships between BusyGasper components

Second (main) module
This module writes a log of the command execution history to the file named “lock”, which is later exfiltrated. Below is a fragment of such a log:

Log with specified command

Log files can be uploaded to the FTP server and sent to the attacker’s email inbox. It’s even possible to send log messages via SMS to the attacker’s number.

As the screenshot above shows, the malware has its own command syntax: commands are sequences of characters with the “#” symbol as a delimiter. A full list of all possible commands with descriptions can be found in Appendix II below.

The malware has all the popular capabilities of modern spyware. Below is a description of the most noteworthy:

The implant is able to spy on all available device sensors and to log registered events. Moreover, there is a special handler for the accelerometer that is able to calculate and log the device’s speed:

This feature is used in particular by the command “tk0” that mutes the device, disables keyguard, turns off the brightness, uses wakelock and listens to device sensors. This allows it to silently execute any backdoor activity without the user knowing that the device is in an active state. As soon as the user picks up the device, the implant will detect a motion event and execute the “tk1” and “input keyevent 3” commands.

“tk1” will disable all the effects of the “tk0” command, while “input keyevent 3” is the shell command that simulates the pressing of the ‘home’ button so all the current activities will be minimized and the user won’t suspect anything.

Location services to enable (GPS/network) tracking:

The email command and control protocol: the implant can log in to the attacker’s email inbox, parse emails for commands in a special “Cmd” folder and save any payloads from email attachments to the device.

Accessing the “Cmd” folder in the attacker’s email box

Moreover, it can send a specified file or all the gathered data from the victim device via email.

Emergency SMS commands. If an incoming SMS contains one of the following magic strings, “ 2736428734” or “ 7238742800”, the malware will execute multiple initial commands:

Keylogger implementation
Keylogging is implemented in an original manner.

Immediately after activation, the malware creates a textView element in a new window with the following layout parameters:

All these parameters ensure the element is hidden from the user.

Then it adds onTouchListener to this textView and is able to process every user tap.

Interestingly, there is a whitelist of tapped activities:

ui.ConversationActivity
ui.ConversationListActivity
SemcInCallScreen
Quadrapop
SocialPhonebookActivity
The listener can operate with only coordinates, so it calculates pressed characters by matching given values with hardcoded ones:

Additionally, if there is a predefined command, the keylogger can make a screenshot of the tapped display area:

Manual access and operator menu
There is a hidden menu (Activity) for controlling implant features that looks like it was created for manual operator control. To activate this menu the operator needs to call the hardcoded number “9909” from the infected device:

A hidden menu then instantly appears on the device display:

The operator can use this interface to type any command for execution. It also shows a current malware log.

Infrastructure
FTP server
The attackers used ftp://213.174.157[.]151/ as a command and control server. The IP belongs to the free Russian web hosting service Ucoz.

File                                            Description
CMDS*.txt                                       Text files with commands to execute
supersu.apk                                     SuperSU (eu.chainfire.supersu) tool
246.us, us.x                                    SuperSU ELF binaries
supersu.cfg, supersu.cfg.ju, supersu.cfg.old    SuperSU configs that mention the spyware implant
bb.txt                                          BusyBox v1.26.2 ELF file
bdata.xml                                       Config file for excluding malware components from the Android battery saver feature Doze
bdatas.apk                                      Main implant module
com.android.network.irc.apk                     Start implant module
MobileManagerService.apk                        ASUS firmware system component (clean)
mobilemanager.apk                               Corrupted archive
privapp.txt                                     Looks like a list of system applications (including spyware components) from the infected device
run-as.x, run-as.y                              Run-as tool ELF file
Fragment of the SuperSU config supersu.cfg covering the implant components and the busybox tool:

This config allows the implant to use all root features silently.

Content of bdata.xml file:

It can be added to the /system/etc/sysconfig/ path to whitelist specified implant components from the battery saving system.

Email account
A Gmail account with password is mentioned in the sample’s code:

It contains the victim’s exfiltrated data and “cmd” directory with commands for victim devices.

Appendix I: Indicators of compromise
MD5

C2
ftp://213.174.157[.]151/

Appendix II: List of all possible commands
These values are valid for the most recently observed version (v3.18s).

Decimal               Char         Description
33                    !            Interrupt previous command execution
36                    $            Make a screenshot
48                    0            Execute the following shell command: rm c/*; rm p/*; rm sdcard/Android/system/tmp/r/* (wipes environment paths?)
63                    ?            Log device info and implant meta information
66(98)                B(b)         Broadcast specified command to another component
67(99)                C(c)         Set specified command on a timer to execute

Debug
68(100) 65(97)        D(d) A(a)    Log last 10 tasks via the getRecentTasks API
68(100) 83(115)       D(d) S(s)    Log info about device sensors (motion, air temperature and pressure, etc.)
68(100) 84(116)       D(d) T(t)    Log stack trace and thread information

GPS module
101                   e            Broadcast command to GPS-tracking external component
71(103)               G(g)         Location tracking (GPS/network)

Interaction with operators
73(105) 102 114       I(i) f r     Get specified file from FTP (default: CMDS file with commands)
73(105) 102 115       I(i) f s     Upload exfiltrated data
73(105) 73(105)       I(i) I(i)    Start/stop IRC service
73(105) 76(108)       I(i) L(l)    Send current location to IRC
73(105) 77(109)       I(i) M(m)    Push specified message to IRC
73(105) 82(114)       I(i) R(r)    Read commands from the email inbox
73(105) 83(115)       I(i) S(s)    Send specified file or all gathered data by email with UID as the subject

Network geolocation
76(108)               L(l)         Get info on current cell_id

Camera features
77(109) 99            M(m) c       Capture photo
77(109) 108           M(m) l       Log information about available cameras
77(109) 114 97        M(m) r a     Start/stop audio recording (default duration: 2 minutes)
77(109) 114 98        M(m) r b     Start/stop audio recording with specified duration
77(109) 114 44(114)   M(m) r ,(r)  Start fully customizable recording (allows choosing a specific mic, etc.)
77(109) 114 115       M(m) r s     Stop previous recording
77(109) 114 116       M(m) r t     Set recording duration
77(109) 118           M(m) v       Capture video with specified duration and quality

Common
79(111) 102           O(o) f       Hard stop of implant services, unregister receivers
79(111) 110           O(o) n       Start main implant service with all components
80(112)               P(p)         Find specified images and scale them with the “inSampleSize” API
81(113)               Q(q)         Stop main implant service
82(114)               R(r)         Execute specified shell command

Shared preferences setup
83(115) 33            S(s) !       On/off hidden operator activity
83(115) 61            S(s) =       Shared preferences control (set/remove specified value)
83(115) 98            S(s) b       On/off sending an SMS message after device boot
83(115) 99            S(s) c       Put boolean value in shared preference “cpyl”
83(115) 100           S(s) d       Put boolean value in shared preference “dconn”
83(115) 101           S(s) e       On/off periodically re-enabling data connectivity
83(115) 102           S(s) f       Set GPS location update period
83(115) 105           S(s) i       Put boolean value in shared preference “imsg”
83(115) 108 97        S(s) l a     On/off foreground process activity logging
83(115) 108 99        S(s) l c     Start watching captured photos and videos
83(115) 108 102       S(s) l f     Start watching Facebook Messenger database changes
83(115) 108 108       S(s) l l     On/off browser history logging
83(115) 108 116       S(s) l t     Start watching Telegram messenger cache database changes
83(115) 108 118       S(s) l v     Start watching Viber messenger database changes
83(115) 108 119       S(s) l w     Start watching WhatsApp messenger database changes
83(115) 109           S(s) m       On/off sending log SMS messages
83(115) 110(112)      S(s) o(p)    Set operator telephone number (for SMS logging)
83(115) 113           S(s) q       Set implant stop mode (full or only main service)
83(115) 114           S(s) r       On/off executing shell as root
83(115) 115           S(s) s       On/off screen state logging
83(115) 116           S(s) t       On/off screen touch logging and number of related screenshots
83(115) 117           S(s) u       On/off debug logging mode with system thread info
83(115) 120           S(s) x       Use FTP connection via busybox or the default Socket API

Sensor and display control
84(116) 98            T(t) b       On/off screen brightness
84(116) 100           T(t) d       On/off network data (internet)
84(116) 75(107) 48    T(t) K(k) 0  Mute, turn off brightness, disable keyguard, use wakelock and listen on device sensors
84(116) 75(107) 49    T(t) K(k) 1  Disable features from previous command
84(116) 75(107) 50    T(t) K(k) 2  Disable Keyguard instance
84(116) 75(107) 51    T(t) K(k) 3  Write “userActivity” to log
84(116) 115 48        T(t) s 0     Disable sensor listener
84(116) 115 49        T(t) s 1     Register listener for specified sensor
84(116) 115 108       T(t) s l     Log int value from file /dev/lightsensor
84(116) 119 48        T(t) w 0     Turn WiFi off
84(116) 119 49        T(t) w 1     Turn WiFi on
84(116) 119 108       T(t) w l     Control WiFi lock

Common backdoor commands
85(117)               U(u)         Download payload, remount the “system” path and push the payload there. Based on the code comments, this feature might be used to update implant components
87(119)               W(w)         Send SMS with specified text and number

Updates from the newest version
122 33                z !          Reboot device
122 99                z c          Dump call logs
122 102               z f p        Send gathered data to FTP
122 102               z f g        Get CMDS* text file and execute contained commands
122 103               z g          Get GPS location (without log, only intent broadcasting)
122 108 102           z l f        Dump Facebook messages during specified period
122 108 116           z l t        Dump Telegram cache
122 108 118           z l v        Dump Viber messages during specified period
122 108 119           z l w        Dump WhatsApp messages during specified period
122 110               z n          Get number of all SMS messages
122 111               z o          Set ringer mode to silent
122 112               z p          Open specified URL in webview
122 114               z r          Delete all raw SMS messages
122 116               z t          Set all internal service timers
122 122               z z          Remove shared preferences and restart the main service
126                   ~            On/off advanced logging mode with SMS and UI activity


BusyGasper spyware remained undetected for two years while spying Russians
31.8.2018 securityaffairs  Android  CyberSpy

Security experts from Kaspersky Lab have uncovered a new strain of Android malware dubbed BusyGasper that remained hidden for two years.
The BusyGasper Android spyware has been active since May 2016 and implements unusual features for this type of malware. Experts describe it as a unique spy implant with stand-out features such as device sensor listeners. BusyGasper can spy on all device sensors, enable GPS/network tracking, and run multiple initial commands if an incoming SMS contains a specific string.

The malware has an incredibly wide-ranging protocol: it supports about 100 commands and can bypass the Doze battery saver.

BusyGasper can exfiltrate data from several messaging applications, including WhatsApp, Viber, Facebook, and implements keylogging capabilities.

“Further investigation showed that the malware, which we named BusyGasper, is not all that sophisticated, but demonstrates some unusual features for this type of threat.” reads the report published by Kaspersky.

“The sample has a multicomponent structure and can download a payload or updates from its C&C server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz.”

BusyGasper

According to the researchers, the malware is installed manually through physical access to the target devices; Kaspersky has identified fewer than 10 victims to date, all of them located in Russia.

The Android malware also supports the IRC protocol, which is very uncommon for Android malware.

The malicious code can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.

The analysis of the malware revealed the attackers used the malware to gather victims’ personal data, including messages from IM applications and SMS banking messages.

“We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor.” continues Kaspersky.

“At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware”

The first module installed on the targeted device can be controlled over the IRC protocol and allows attackers to deploy additional components. The module appears to have root privileges, but malware researchers found no evidence of an exploit being used.

The module supports a wide range of commands including start/stop IRC, manage IRC settings, exit, use root features, report when the screen is on, hide/unhide the implant icon, execute shell, send commands to the second module, download and copy component to the system path, and write specified message to log.

The second module writes a log of the command execution history to a file named “lock,” which is later uploaded on the C&C server. Log messages can also be sent via SMS to the attacker’s number.

“Log files can be uploaded to the FTP server and sent to the attacker’s email inbox. It’s even possible to send log messages via SMS to the attacker’s number.” continues Kaspersky.

“As the screenshot above shows, the malware has its own command syntax that represents a combination of characters while the “#” symbol is a delimiter. A full list of all possible commands with descriptions can be found in Appendix II below.”

Experts discovered a hidden menu that could be used for manual operator control; it is activated if the operator calls the hardcoded number “9909” from the infected device.

Kaspersky included in the report the IoCs.


The rise of mobile banker Asacub
30.8.2018 Kaspersky Android

We encountered the Trojan-Banker.AndroidOS.Asacub family for the first time in 2015, when the first versions of the malware were detected, analyzed, and found to be more adept at spying than stealing funds. The Trojan has evolved since then, aided by a large-scale distribution campaign by its creators (in spring-summer 2017), helping Asacub to claim top spots in last year’s ranking by number of attacks among mobile banking Trojans, outperforming other families such as Svpeng and Faketoken.

We decided to take a peek under the hood of a modern member of the Asacub family. Our eyes fell on the latest version of the Trojan, which is designed to steal money from owners of Android devices connected to the mobile banking service of one of Russia’s largest banks.

Asacub versions
Sewn into the body of the Trojan is the version number, consisting of two or three digits separated by periods. The numbering seems to have started anew after version 9.

The name Asacub appeared with version 4 in late 2015; previous versions were known as Trojan-SMS.AndroidOS.Smaps. Versions 5.X.X-8.X.X were active in 2016, and versions 9.X.X-1.X.X in 2017. In 2018, the most actively distributed versions were 5.0.0 and 5.0.3.

Communication with C&C
Although Asacub’s capabilities gradually evolved, its network behavior and method of communication with the command-and-control (C&C) server changed little. This strongly suggested that the banking Trojans, despite differing in terms of capability, belong to the same family.

Data was always sent to the C&C server via HTTP in the body of a POST request in encrypted form to the relative address /something/index.php. In earlier versions, the something part of the relative path was a partially intelligible, yet random mix of words and short combinations of letters and numbers separated by an underscore, for example, “bee_bomb” or “my_te2_mms”.

Example of traffic from an early version of Asacub (2015)

The data transmitted and received is encrypted with the RC4 algorithm and encoded using the base64 standard. The C&C address and the encryption key (one for different modifications in versions 4.x and 5.x, and distinct for different C&Cs in later versions) are stitched into the body of the Trojan. In early versions of Asacub, .com, .biz, .info, .in, .pw were used as top-level domains. In the 2016 version, the value of the User-Agent header changed, as did the method of generating the relative path in the URL: now the part before /index.php is a mix of a pronounceable (if not entirely meaningful) word and random letters and numbers, for example, “muromec280j9tqeyjy5sm1qy71” or “parabbelumf8jgybdd6w0qa0”. Moreover, incoming traffic from the C&C server began to use gzip compression, and the top-level domain for all C&Cs was .com:

Since December 2016, the changes in C&C communication methods have affected only how the relative path in the URL is generated: the pronounceable word was replaced by a rather long random combination of letters and numbers, for example, “ozvi4malen7dwdh” or “f29u8oi77024clufhw1u5ws62”. At the time of writing this article, no other significant changes in Asacub’s network behavior had been observed:

The origin of Asacub
It is fairly safe to say that the Asacub family evolved from Trojan-SMS.AndroidOS.Smaps. Communication between both Trojans and their C&C servers is based on the same principle, the relative addresses to which Trojans send network requests are generated in a similar manner, and the set of possible commands that the two Trojans can perform also overlaps. What’s more, the numbering of Asacub versions is a continuation of the Smaps system. The main difference is that Smaps transmits data as plain text, while Asacub encrypts data with the RC4 algorithm and then encodes it into base64 format.

Let’s compare examples of traffic from Smaps and Asacub — an initializing request to the C&C server with information about the infected device and a response from the server with a command for execution:

Smaps request

Asacub request

Decrypted data from Asacub traffic:

{"id":"532bf15a-b784-47e5-92fa-72198a2929f5","type":"get","info":"imei:365548770159066, country:PL, cell:Tele2, android:4.2.2, model:GT-N5100, phonenumber:+486679225120, sim:6337076348906359089f, app:null, ver:5.0.2"}

Data sent to the server

[{"command":"sent&&&","params":{"to":"+79262000900","body":"\u0410\u0412\u0422\u041e\u041f\u041b\u0410\u0422\u0415\u0416 1000 50","timestamp":"1452272572"}},
{"command":"sent&&&","params":{"to":"+79262000900","body":"BALANCE","timestamp":"1452272573"}}]
Instructions received from the server

A comparison can also be made of the format in which Asacub and Smaps forward incoming SMS (encoded with the base64 algorithm) from the device to the C&C server:

Smaps format

Asacub format

Decrypted data from Asacub traffic:

{"data":"2015:10:14_02:41:15","id":"532bf15a-b784-47e5-92fa-72198a2929f5","text":"SSB0aG91Z2h0IHdlIGdvdCBwYXN0IHRoaXMhISBJJ20gbm90IGh1bmdyeSBhbmQgbmU=","number":"1790","type":"load"}

Propagation
The banking Trojan is propagated via phishing SMS containing a link and an offer to view a photo or MMS. The link points to a web page with a similar sentence and a button for downloading the APK file of the Trojan to the device.

The Trojan download window

Asacub masquerades under the guise of an MMS app or a client of a popular free ads service. We came across the names Photo, Message, Avito Offer, and MMS Message.

App icons under which Asacub masks itself

The APK files of the Trojan are downloaded from sites such as mmsprivate[.]site, photolike[.]fun, you-foto[.]site, and mms4you[.]me under names in the format:

photo_[number]_img.apk
mms_[number]_img.apk
avito_[number].apk
mms.img_[number]_photo.apk
mms[number]_photo.image.apk
mms[number]_photo.img.apk
mms.img.photo_[number].apk
photo_[number]_obmen.img.apk
For the Trojan to install, the user must allow installation of apps from unknown sources in the device settings.

Infection
During installation, depending on the version of the Trojan, Asacub prompts the user either for Device Administrator rights or for permission to use AccessibilityService. After receiving the rights, it sets itself as the default SMS app and disappears from the device screen. If the user ignores or rejects the request, the window reopens every few seconds.

The Trojan requests Device Administrator rights

The Trojan requests permission to use AccessibilityService

After installation, the Trojan starts communicating with the cybercriminals’ C&C server. All data is transmitted in JSON format (after decryption). It includes information about the smartphone model, the OS version, the mobile operator, and the Trojan version.

Let’s take an in-depth look at Asacub 5.0.3, the most widespread version in 2018.

Structure of data sent to the server:

{
  "type":int,
  "data":{
    data
  },
  "id":hex
}
Structure of data received from the server:

{
  "command":int,
  "params":{
    params,
    "timestamp":int,
    "x":int
  },
  "waitrun":int
}
To begin with, the Trojan sends information about the device to the server:

{
  "type":1,
  "data":{
    "model":string,
    "ver":"5.0.3",
    "android":string,
    "cell":string,
    "x":int,
    "country":int, //optional
    "imei":int //optional
  },
  "id":hex
}
In response, the server sends the code of the command for execution (“command”), its parameters (“params”), and the time delay before execution (“waitrun” in milliseconds).
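As an added illustration (not Kaspersky’s analysis code and not the Trojan’s own), the following script applies the encoding layers described above (JSON, then RC4, then base64) to the 5.0.3 message structures, and extracts the command code, parameters and waitrun delay from a decoded reply. The RC4 key and both messages are constructed placeholders; the article notes that real keys differ per modification or per C&C.

```python
import base64
import json

# Constructed sample values (not taken from a real Asacub sample).
KEY = b"placeholder-asacub-key"  # hypothetical key, not a recovered one

# A type 1 check-in laid out as the article describes for Asacub 5.0.3.
CHECKIN = {
    "type": 1,
    "data": {"model": "GT-N5100", "ver": "5.0.3", "android": "4.2.2",
             "cell": "Tele2", "x": 0},
    "id": "532bf15a",
}

# A constructed C&C reply: command 11 (send SMS), run after "waitrun" ms.
REPLY = {
    "command": 11,
    "params": {"to": "+79262000900", "body": "BALANCE",
               "timestamp": 1452272573, "x": 0},
    "waitrun": 1000,
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR); the same call encrypts
    and decrypts, which is why one routine serves both traffic directions."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_message(key: bytes, obj: dict) -> str:
    """JSON -> RC4 -> base64: the layering used for the POST body."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(rc4(key, raw)).decode("ascii")


def decode_message(key: bytes, blob: str) -> dict:
    """base64 -> RC4 -> JSON, e.g. for a captured POST body or C&C reply
    when the key has been recovered from the sample."""
    return json.loads(rc4(key, base64.b64decode(blob)).decode("utf-8"))


def parse_command(reply: dict) -> tuple:
    """Return (command code, params, waitrun delay in ms) from a decoded
    reply, using the field names the article gives for version 5.0.3."""
    return reply["command"], reply.get("params", {}), reply.get("waitrun", 0)


if __name__ == "__main__":
    wire = encode_message(KEY, CHECKIN)
    print("POST body:", wire)
    print("decoded check-in:", decode_message(KEY, wire))
    print("command:", parse_command(decode_message(KEY, encode_message(KEY, REPLY))))
```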

List of commands sewn into the body of the Trojan:

Command code   Parameters                    Actions
2              -                             Sending a list of contacts from the address book of the infected device to the C&C server
7              "to":int                      Calling the specified number
11             "to":int, "body":string       Sending an SMS with the specified text to the specified number
19             "text":string, "n":string     Sending SMS with the specified text to numbers from the address book of the infected device, with the name of the addressee from the address book substituted into the message text
40             "text":string                 Shutting down applications with specific names (antivirus and banking applications)
The set of possible commands is the most significant difference between the various flavors of Asacub. In the 2015-early 2016 versions examined in this article, C&C instructions in JSON format contained the name of the command in text form (“get_sms”, “block_phone”). In later versions, instead of the name of the command, its numerical code was transmitted. The same numerical code corresponded to one command in different versions, but the set of supported commands varied. For example, version 9.0.7 (2017) featured the following set of commands: 2, 4, 8, 11, 12, 15, 16, 17, 18, 19, 20.

After receiving the command, the Trojan attempts to execute it, before informing C&C of the execution status and any data received. The “id” value inside the “data” block is equal to the “timestamp” value of the relevant command:

{
  "type":3,
  "data":{
    "data":JSONArray,
    "command":int,
    "id":int,
    "post":boolean,
    "status":resultCode
  },
  "id":hex
}
In addition, the Trojan sets itself as the default SMS application and, on receiving a new SMS, forwards the sender’s number and the message text in base64 format to the cybercriminal:

{
  "type":2,
  "data":{
    "n":string,
    "t":string
  },
  "id":hex
}
Thus, Asacub can withdraw funds from a bank card linked to the phone by sending SMS for the transfer of funds to another account using the number of the card or mobile phone. Moreover, the Trojan intercepts SMS from the bank that contain one-time passwords and information about the balance of the linked bank card. Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS and send them to the required number. What’s more, the user cannot check the balance via mobile banking or change any settings there, because after receiving the command with code 40, the Trojan prevents the banking app from running on the phone.

User messages created by the Trojan during installation typically contain grammatical and spelling errors, and use a mixture of Cyrillic and Latin characters.

The Trojan also employs various obfuscation methods: from the simplest, such as string concatenation and renaming of classes and methods, to implementing functions in native code and embedding SO libraries in C/C++ in the APK file, which requires the use of additional tools or dynamic analysis for deobfuscation, since most tools for static analysis of Android apps support only Dalvik bytecode. In some versions of Asacub, strings in the app are encrypted using the same algorithm as data sent to C&C, but with different keys.

Example of using native code for obfuscation

Examples of using string concatenation for obfuscation

Example of encrypting strings in the Trojan

Asacub distribution geography
Asacub is primarily aimed at Russian users: 98% of infections (225,000) occur in Russia, since the cybercriminals specifically target clients of a major Russian bank. The Trojan also hit users from Ukraine, Turkey, Germany, Belarus, Poland, Armenia, Kazakhstan, the US, and other countries.

Conclusion
The case of Asacub shows that mobile malware can function for several years with minimal changes to the distribution scheme.

It is basically SMS spam: many people still follow suspicious links, install software from third-party sources, and give permissions to apps without a second thought. At the same time, cybercriminals are reluctant to change the method of communication with the C&C server, since this would require more effort and reap less benefit than modifying the executable file. The most significant change in this particular Trojan’s history was the encryption of data sent between the device and C&C. That said, so as to hinder detection of new versions, the Trojan’s APK file and the C&C server domains are changed regularly, and the Trojan download links are often one-time-use.

IOCs
C&C IP addresses:

IP addresses from which the Trojan was downloaded:



Advanced Android Spyware Remained Hidden for Two Years
30.8.2018 securityweek Android

A newly detailed Android spyware that has an incredibly wide-ranging protocol has been active since May 2016, Kaspersky Lab warns.

Dubbed BusyGasper, the malware includes device sensors listeners (such as motion detectors), can exfiltrate data from messaging applications (WhatsApp, Viber, Facebook), includes keylogging capabilities, and supports 100 commands.

Featuring a multicomponent architecture, the malware can download payloads and updates from the command and control (C&C) server, an FTP server belonging to the free Russian web hosting service Ucoz.

The spyware also includes support for the IRC protocol and “can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments,” Kaspersky’s security researchers reveal.

The malware is apparently being installed manually, likely through physical access to a compromised device. Thus, fewer than 10 victims have been identified to date, all of them located in Russia.

The attackers collected victims’ personal data, including messages from IM applications, and SMS banking messages, yet the actor doesn’t appear interested in stealing the victims’ money.

“We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware,” Kaspersky says.

An initial module installed on the targeted device can be controlled over the IRC protocol and allows operators to deploy additional components. The module apparently has root privileges, yet the researchers found no evidence of an exploit being used to obtain such rights.

The first module can start/stop IRC, manipulate IRC settings, exit, use root features, report when the screen is on, hide/unhide the implant icon, execute shell, send commands to the second module, download and copy component to the system path, and write specified message to log.

The second module writes a log of the command execution history to a file named “lock,” which can be exfiltrated to the C&C server. Log messages can also be sent via SMS to the attacker’s number.

“The malware has its own command syntax that represents a combination of characters while the “#” symbol is a delimiter,” Kaspersky explains.

Featuring all of the capabilities found in modern spyware, the threat can spy on all available device sensors and can log registered events, can enable GPS/network tracking, and can execute multiple initial commands if an incoming SMS contains a specific string.

BusyGasper’s keylogging capabilities have been implemented in an original manner, Kaspersky says. The malware creates a textView element hidden from the user, then adds an onTouchListener to it to process every user tap. The listener only receives coordinates, which it matches against hardcoded ones.

A hidden menu that provides control of implant features appears to have been created for manual operator control. The menu is activated if the operator calls the hardcoded number “9909” from the infected device.

A full list of commands supported by the malware shows that it can capture photos, record audio and video, execute specified shell commands, monitor and exfiltrate messages, update itself, and perform various backdoor commands.


Google researcher found Fortnite Android App vulnerable to Man-in-the-Disk attacks
27.8.2018 securityaffairs Android

A Google security researcher disclosed a vulnerability in the newly released Fortnite Android App that exposes it to Man-in-the-Disk attacks.
After a long wait, the Fortnite Android app has finally arrived, but it hides an ugly surprise: it is vulnerable to Man-in-the-Disk (MitD) attacks that allow a third-party application to crash it or run malicious code.

The flaw was discovered by Google security researchers; it could be exploited by low-privileged malicious apps already installed on a user’s phone to hijack the Fortnite Android app.

Threat actors can carry out MitD attacks when an Android app stores data outside its highly secured Internal Storage space, for example on External Storage, which is shared by all apps.

The attacker could tamper with the data stored in the external storage space.

The attacker could hijack the installation process and install other malicious apps with higher permissions.

Epic Games, the authors of the popular game, have promptly released a new version (ver. 2.1.0) that addresses the issue.
Fortnite Android app
The Android Fortnite app is merely an installer: once users install it, the installer leverages the device’s External Storage space to download and install the actual game.

“The Fortnite APK (com.epicgames.fortnite) is downloaded by the Fortnite Installer (com.epicgames.portal) to external storage:” reads a bug report published by a Google researcher.

“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK,”

The Fortnite Android App was made available for specific Samsung device models; its Installer performs the APK install silently via a private Galaxy Apps API. The only check made by the API is that the APK being installed has the package name com.epicgames.fortnite. An attacker can use a fake APK with the same package name to silently install malicious code.
“If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure,” continues the researcher.

Below is a video PoC of the attack shared by the Google researcher and published by BleepingComputer:

Epic Games is disappointed by the way Google disclosed the bug. CEO Tim Sweeney explained that he had asked Google to wait longer so the update could be installed by a large part of its players, but the company published the news immediately due to the risks for Android users.

“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” Sweeney said on Twitter.

Tim Sweeney (@TimSweeneyEpic), Aug 25, 2018, replying to @manfightdragon and 2 others:
Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update.

The only irresponsible thing here is Google’s rapid public release of technical details.

Tim Sweeney (@TimSweeneyEpic), 7:34 AM, Aug 25, 2018:
We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points.
Is this Google’s revenge because Epic Games is not distributing the Fortnite Android App through Google?
Google, which is monitoring installations of the game, privately explained to the Epic Games CEO that there weren’t many unpatched installs remaining.

Lance McDonald (@manfightdragon), Aug 25, 2018, replying to @TimSweeneyEpic and 3 others:
I noticed in the bug tracker they just said "As per the email" with regard to choosing only to wait 7 days. Did their email elaborate at all on why they did this? It seems like there's no good reason for it.

Tim Sweeney (@TimSweeneyEpic), 7:56 AM, Aug 25, 2018:
Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.
While no reason was recorded in the original bug report, Sweeney revealed in a subsequent tweet that Google engineers had explained their decision to him in private.


Android mobile devices from 11 vendors are exposed to AT Commands attacks
27.8.2018 securityaffairs Android

A group of researchers has studied AT command attacks on modern Android devices and found that models from 11 vendors are at risk.
Researchers from the University of Florida, Stony Brook University, and Samsung Research America analyzed the set of AT commands supported on modern Android devices.

The experts published a research paper titled “ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem”; the findings were presented at the USENIX Security Symposium a few days ago.

The research revealed that millions of mobile devices from eleven smartphone vendors are vulnerable to attacks carried out using AT commands.

AT (ATtention) commands are short text strings that can be combined to perform operations on a mobile device, including dialing, hanging up, and changing connection parameters.

They originate in the Hayes command set for controlling modems over a serial line, and on many phones the radio interface layer still uses them to drive the baseband.

Standards bodies define a base set of AT commands that every handset must implement (ITU-T V.250 and 3GPP TS 27.007), but many vendors have added custom AT command sets to manage device-specific features (e.g. camera control).

The experts analyzed over 2,000 Android firmware images from eleven Android OEMs (ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE) and found that the devices support over 3,500 distinct AT commands.

The researchers shared their findings with all affected vendors. The team published a website containing the list of phone models and firmware versions that expose the AT interface.

In some cases, the custom AT commands gave access to very dangerous vendor-implemented features, and in many cases the commands are not documented by the vendors at all.

The experts found that almost all tested devices accept AT commands over the phone's USB interface. To abuse them an attacker needs physical access to the device, or a malicious component built into a USB dock or charger.

“we systematically retrieve and extract 3,500 AT commands from over 2,000 Android smartphone firmware images across 11 vendors. We methodically test our corpus of AT commands against eight Android devices from four different vendors through their USB interface and characterize the powerful functionality exposed, including the ability to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, perform screen unlocks, and inject touch events solely through the use of AT commands.” reads the research paper.

“We demonstrate that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices.”

Experts explained that AT commands could be abused by attackers to rewrite device firmware, bypass Android security mechanisms, exfiltrate sensitive device information, and perform other malicious activities.


Another disconcerting finding is that the phone accepts AT commands even after it has entered the locked state.

“In many cases, these commands are completely undocumented,” said Kevin Butler, an associate professor in the University of Florida Herbert Wertheim College of Engineering and a member of the research team, noting that an OEM's documentation often doesn't even mention their presence.

The following videos show how AT commands can be used to attack mobile devices.

Experts demonstrated that arbitrary touchscreen events can be injected over USB, mimicking taps, a trick that could give an attacker full control of a mobile device.

“Commands for sending touchscreen events and keystrokes are also discovered for LG phones and the S8+; we can see the indications on the screen. We suspect these AT commands were mainly designed for UI automation testing, since they mimic human interactions. Unfortunately, they also enable more complicated attacks which only requires a USB connection” continues the paper.

The researchers also published the shell script they used during their tests, which finds strings containing AT commands in the examined images.
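The researchers' script itself is not reproduced on this page. The Python below is an added example, not the paper's code, that does the same job in a form a practitioner can run offline: it pulls extended-syntax AT command strings out of a binary blob, strips their arguments, and sorts the non-standard ones into a review queue. The sample bytes are constructed, and the vendor-style names in them (AT^VENDORTEST, AT*EXAMPLECMD, AT%UNLOCKEXAMPLE, AT+XEXAMPLE) are placeholders, not commands from any real firmware.

```python
import re
from collections import Counter

# Constructed stand-in for a strings(1) pass over a firmware image (for example an
# extracted RIL daemon). It is NOT a real vendor image, and the vendor-style
# commands (AT^VENDORTEST, AT*EXAMPLECMD, AT%UNLOCKEXAMPLE, AT+XEXAMPLE) are
# made-up placeholders.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 17
    + b"AT+CGMI\x00AT+CGMM\x00AT+CFUN=1,1\x00AT+CMGS=\"%s\"\x00AT+XEXAMPLE=?\x00"
    + b"\x90\x90\x90AT^VENDORTEST=%d\x00AT*EXAMPLECMD\x00AT%UNLOCKEXAMPLE\x00"
    + b"ATD*99#\x00OK\r\nERROR\r\nat+csq\x00BATTERY\x00FORMAT+CSV\x00"
)

# Extended-syntax commands: "AT", one prefix character, then the command name.
# The lookbehind keeps us from matching the "AT" inside words such as BATTERY or
# FORMAT+CSV. Basic V.250 commands (ATD, ATH, ATE, ...) are deliberately not
# matched: two-letter names produce far too many false positives in binaries.
AT_CMD_RE = re.compile(rb"(?<![A-Za-z0-9])AT[+*#%^@!&$][A-Z0-9_]{1,31}", re.IGNORECASE)

# Commands this example is certain are standardised (3GPP TS 27.005 / 27.007).
# Anything not in this set needs manual review against the vendor's documentation.
KNOWN_STANDARD = {
    "AT+CGMI", "AT+CGMM", "AT+CGMR", "AT+CGSN", "AT+CFUN",
    "AT+CMGS", "AT+CPIN", "AT+COPS", "AT+CSQ",
}


def extract_at_commands(blob: bytes) -> Counter:
    """Return a Counter of command names (arguments stripped, upper-cased)."""
    return Counter(m.group(0).upper().decode("ascii") for m in AT_CMD_RE.finditer(blob))


def classify(commands) -> dict:
    """Bucket each command: 'standard', 'unknown-extended' (AT+ but not in the
    allowlist) or 'vendor-prefixed' (AT^, AT%, AT*, AT#, AT@, AT!, AT&, AT$)."""
    result = {}
    for name in commands:
        if name in KNOWN_STANDARD:
            result[name] = "standard"
        elif name[2] == "+":
            result[name] = "unknown-extended"
        else:
            result[name] = "vendor-prefixed"
    return result


def review_queue(blob: bytes) -> list:
    """Commands worth testing by hand over the USB serial interface, most frequent first."""
    counts = extract_at_commands(blob)
    kinds = classify(counts)
    queue = [(n, kinds[n], counts[n]) for n in counts if kinds[n] != "standard"]
    return sorted(queue, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    for name, kind, count in review_queue(SAMPLE_IMAGE):
        print(f"{name:<20} {kind:<16} x{count}")
```

Run it over the raw image or over `strings -n 4` output; the regex works on bytes, so no decoding is needed. Everything that lands in the review queue is what the paper tested by hand: send it over the phone's USB serial interface (on a Linux host the modem endpoint commonly appears as a /dev/ttyACM* or /dev/ttyUSB* node once the right USB configuration is selected) and watch what the device does. A command that answers OK with no argument check, or that works while the screen is locked, is the interesting case.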

“AT commands have become an integral part of the Android ecosystem, yet the extent of their functionality is unclear and poorly documented,” the experts conclude.



Monthly Patches Are Recommended Best Practice for Android, Google Says
24.8.2018 securityweek Android

The timely delivery of security updates for Android smartphones is a highly important defense-in-depth strategy, Google says.

Each month for the past three years, Google has released security patches for the Android platform and has urged device manufacturers to push the updates to their users in a timely manner.

In October last year, Kaspersky revealed that the fixes were still slow to arrive on many devices. Things aren't looking much better this year either: as Security Research Labs revealed in April, manufacturers often omit patches when releasing security updates.

Now, three years after the critical Stagefright flaw prompted Google to take a more active stance on addressing vulnerabilities in Android, the Internet giant says that monthly security updates are the recommended best practice for Android smartphones.

Google is providing manufacturers with monthly Android source code patches so they can include those in firmware updates, and also allows them to leverage the Google firmware over-the-air (FOTA) servers for free.

Moreover, the search company pushes its own set of updates over-the-air to Pixel devices and also requires that these monthly patches be released for all devices in the Android One program.

According to Google, Android manufacturers should at least deliver regular “security updates in advance of coordinated disclosure of high severity vulnerabilities,” which are usually published in Android bulletins.

“Since the common vulnerability disclosure window is 90 days, updates on a 90-day frequency represents a minimum security hygiene requirement,” Google notes.

This is also one of the requirements for Android devices to be listed in the Android Enterprise Recommended program: devices should receive security patches at least every 90 days, with monthly updates strongly recommended.
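A fleet owner can check these thresholds directly on the device: the patch level Google's bulletins refer to is exposed as the system property ro.build.version.security_patch (the same date shown under Settings > About phone). The Python below is an added example, not Google's or any vendor's tooling; it parses a constructed `adb shell getprop` dump with invented values and classifies devices against the monthly and 90-day expectations described above.

```python
import re
from datetime import date

# Constructed `adb shell getprop` excerpt (values are invented for the example).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-05-05]
[ro.product.model]: [ExampleModel]
[ro.build.fingerprint]: [example/example/example:8.1.0/OPM1/1:user/release-keys]
"""

GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

# Thresholds follow Google's stated expectations: monthly bulletins are the
# recommended cadence, 90 days is the stated minimum for Android Enterprise
# Recommended devices.
MONTHLY_DAYS = 31
MINIMUM_DAYS = 90


def parse_getprop(text: str) -> dict:
    """Turn `getprop` output into a {property: value} dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def patch_age_days(props: dict, today: date) -> int:
    """Days between the device's security patch level and `today`."""
    level = props["ro.build.version.security_patch"]   # YYYY-MM-DD, as in the bulletins
    return (today - date.fromisoformat(level)).days


def classify_patch_level(props: dict, today: date) -> str:
    age = patch_age_days(props, today)
    if age <= MONTHLY_DAYS:
        return "monthly"
    if age <= MINIMUM_DAYS:
        return "90-day-minimum"
    return "non-compliant"


def fleet_report(getprop_dumps: dict, today: date) -> dict:
    """device-id -> (model, patch level, age in days, compliance bucket)."""
    report = {}
    for device_id, dump in getprop_dumps.items():
        props = parse_getprop(dump)
        report[device_id] = (
            props.get("ro.product.model", "?"),
            props["ro.build.version.security_patch"],
            patch_age_days(props, today),
            classify_patch_level(props, today),
        )
    return report


if __name__ == "__main__":
    for dev, row in fleet_report({"dev-1": SAMPLE_GETPROP}, date(2018, 8, 24)).items():
        print(dev, *row)
```

Feed it real dumps from `adb shell getprop`, one per device. A device reported as non-compliant is behind Google's stated minimum regardless of what its vendor promises; and, as the Security Research Labs work cited above shows, a recent date only proves the vendor set the string, not that every fix in that bulletin is actually present in the build.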

To make the update process easier for device makers, Google has improved Android’s modularity, so that subsystems can be updated individually, without impacting others.

“The modularity strategy applies equally well for security updates, as a framework security update can be performed independently of device specific components,” Google explains.

The company also developed security update testing systems that are meant to ensure patches aren’t omitted when security updates are released.

A new testing infrastructure allows manufacturers “to develop and deploy automated tests across lower levels of the firmware stack that were previously relegated to manual testing,” Google says. The Android build approval process now also scans device images for specific patterns to reduce the risk of omission.

Last year, security updates reached around a billion Android devices, 30% more than the preceding year, and Google expects the growth to continue, shrinking the window in which known bugs can be exploited.

“We continue to work hard devising thoughtful strategies to make Android easier to update by introducing improved processes and programs for the ecosystem. In addition, we are also working to drive increased and more expedient partner adoption of our security update and compliance requirements,” Google reveals.


Bitdefender spotted Triout, a new powerful Android Spyware Framework

23.8.2018 securityaffairs Android

Security researchers from Bitdefender have spotted a new Android spyware framework dubbed Triout that could be used to create malware with extensive surveillance capabilities.
Bitdefender researchers have identified a new spyware framework, tracked as Triout, that can be bundled into Android applications to spy on their users; it first appeared in the wild on May 15.

The researchers found that the command and control (C&C) server has been running since May 2018 and was still up at the time of the report.

Triout was first submitted to VirusTotal on May 15; although the first sample was uploaded from Russia, most of the others came from Israel.

The malware was likely spread through third-party marketplaces or domains controlled by the attackers that host the malicious code.

“Discovered by Bitdefender’s machine learning algorithms on 20.07.2018, the sample’s first appearance seems to be 15.05.2018, when it was uploaded to VirusTotal. The application seems to be a repackaged version of “com.xapps.SexGameForAdults” (MD5: 51df2597faa3fce38a4c5ae024f97b1c) and the tainted .apk file is named 208822308.apk.” reads the report published by Bitdefender.

“The original app seems to have been available in Google Play in 2016, but it has since been removed. While it’s unclear how the tainted sample is being disseminated, third-party marketplaces or some other attacker-controlled domains are likely used to host the sample.”

Bitdefender pointed out that the analyzed sample was unobfuscated, a circumstance that leads the experts to believe the framework may be a work in progress.

“This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices,” continues the report.

The Triout spyware was discovered while analyzing a tainted application that retained all of the original app's features. The sample analyzed by Bitdefender was a repackaged version of an adult application that was listed in Google Play in 2016 but has since been removed, which means the attackers must have distributed it through third-party channels.


Triout implements extensive surveillance capabilities, including:

Records every phone call (literally the conversation as a media file), then sends it together with the caller id to the C&C (incall3.php and outcall3.php)
Logs every incoming SMS message (SMS body and SMS sender) to the C&C (script3.php)
Has the capability to hide itself
Can send all call logs (“content://call_log/calls”, info: callname, callnum, calldate, calltype, callduration) to the C&C (calllog.php)
Whenever the user snaps a picture, either with the front or rear camera, it gets sent to the C&C (uppc.php, finpic.php or reqpic.php)
Can send GPS coordinates to the C&C (gps3.php)
Technical details are included in the report published by Bitdefender.
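The capability list above maps almost one-to-one onto Android permissions, which makes a decoded manifest a cheap first triage step for a repackaged app. The Python below is an added example, not Bitdefender's tooling: it reads a constructed, already-decoded AndroidManifest.xml (as produced by apktool or aapt; inside the APK the manifest is binary XML) and reports which of the reported capabilities the declared permissions would allow. The capability-to-permission mapping is this example's own reading of the feature list, and the package names and permission sets are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each reported Triout capability mapped to the Android permission(s) an app
# must hold to implement it. The permission names are the SDK's; the mapping to
# the Bitdefender feature list is this example's own reading of it.
CAPABILITY_PERMISSIONS = {
    "record phone calls":      {"android.permission.RECORD_AUDIO", "android.permission.READ_PHONE_STATE"},
    "log incoming SMS":        {"android.permission.RECEIVE_SMS"},
    "read call log":           {"android.permission.READ_CALL_LOG"},
    "exfiltrate new pictures": {"android.permission.READ_EXTERNAL_STORAGE"},
    "report GPS position":     {"android.permission.ACCESS_FINE_LOCATION"},
}
EXFIL_PERMISSION = "android.permission.INTERNET"

# Constructed, already-decoded manifests. Package names and permissions are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Example"/>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Benign"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def matched_capabilities(perms: set) -> list:
    """Capabilities for which every required permission is declared."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if needed <= perms)


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Flag an app that can both collect several surveillance data types and send them out."""
    perms = declared_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    return {
        "capabilities": caps,
        "can_exfiltrate": EXFIL_PERMISSION in perms,
        "suspicious": EXFIL_PERMISSION in perms and len(caps) >= threshold,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

A game has no reason to hold RECEIVE_SMS, READ_CALL_LOG and RECORD_AUDIO at once; that combination together with INTERNET is what the suspicious flag keys on. The check is a filter, not a verdict: the "hide self" behaviour needs no permission at all, so confirmation still comes from the decompiled code and the C&C paths listed above.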


Fortnite APK is coming soon, but it will not be available on the Google Play Store
6.8.2018 securityaffairs Android

Fortnite, the most popular game of the moment, will soon be available to Android users, but the Fortnite APK will not be in the Play Store.
Fortnite continues to be the most popular game around; it is a co-op sandbox survival game developed by Epic Games and People Can Fly.

The game's success has attracted cybercriminals who exploit its popularity to target its fans.

Unfortunately for Android users, Fortnite for Android is not available yet; it is still under development, while the iOS version was released in March by Epic Games.

In recent months, crooks have tried to take advantage of Android users' interest in a version of the game for their devices.

Experts found many blog posts and video tutorials with instructions for installing fake Fortnite Android apps.

Scammers exploit this interest to trick Android fans into downloading tainted versions of the game that can compromise their devices.


Now there is news for Android fans of the game: Epic Games confirmed that the Fortnite APK for Android will be available for download exclusively through its official website and not through the Google Play Store.

According to Epic Games CEO Tim Sweeney, this lets the company “have a direct relationship” with its customers and avoid the 30 percent fee Google keeps when users pay through the Play Store.

“The awesome thing about Fortnite is it’s brought a huge volume of digital commerce to Epic. We can now do that very efficiently. We can handle payment processing and customer support and download bandwidth with some great deals. We’re passing the savings along with the Unreal Engine Marketplace. We’ve changed the royalty split from the 30/70 you see everywhere to developers getting 88 percent. We find that’s a great boon for developers.” Sweeney told GamesBeat.

Sweeney argues that the share taken on Microsoft and Nintendo platforms is justified by those companies' “enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”

Sweeney considers Google's 30% cut disproportionate for the services it provides, but that reasoning does not weigh the security controls the Play Store applies to keep crooks from serving tainted versions of the Fortnite APK.

Even though several malicious apps have made it into the Play Store in the past, Google's efforts to protect its users should not be underestimated.

Distributing the Fortnite APK from a third-party website exposes Android users to a greater risk of infection.

Installing an APK from outside the Play Store requires the user to allow it explicitly: on Android 8.0 and later by granting the per-app “Install unknown apps” permission to the browser or file manager used for the download, and on older versions by enabling the global “Unknown sources” setting.

A large number of Android users will search for “how to install Fortnite on Android,” and those fans can be targeted in various ways, for example through black-hat SEO campaigns designed to infect their devices.

“The move will simply encourage users to manually enable “Install Apps from Unknown Sources” option in the settings menu or accept a variety of Android security prompts in order to install Fortnite game directly from the Epic Games website.” reported The Hacker News.

“So, thousands of people out there searching, “how to install Fortnite on Android” or “how to download Fortnite APK for Android” on the Internet, could land themselves on unofficial websites, ending up installing malware.”

To install Fortnite on Android, players will have to download the Fortnite Launcher from the official Epic website, which then loads Fortnite Battle Royale onto the device.

Attackers can impersonate the legitimate source, for example with phishing campaigns that trick Android users into downloading a tainted Fortnite APK.


Analyzing the Telegram-based Android remote access trojan HeroRAT
3.8.2018 securityaffairs Android

Researchers at CSE Cybsec ZLab have published their analysis of the Telegram-based Android RAT tracked as HeroRAT.
In June, researchers from security firm ESET discovered a new family of Android Remote Administration Tool (RAT), dubbed HeroRAT, that leverages the Telegram Bot API to communicate with the attacker.

The use of the Telegram Bot API as a command channel is an emerging trend in the Android RAT landscape: other families with the same approach, such as TeleRAT and IRRAT, were discovered in the wild before HeroRAT.
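Because the C&C channel is the public Telegram Bot API, the key indicator in such a sample is the embedded bot token: every Bot API request is an HTTPS call to api.telegram.org/bot<token>/<method>, and the token has a fixed shape (numeric bot id, a colon, and a 35-character secret, the commonly observed format, treated here as a heuristic). The Python below is an added example, not code from ESET or CSE Cybsec; it pulls tokens, the API methods called with them and chat ids out of a list of strings such as one would dump from a decompiled APK. The strings, token and chat id are constructed placeholders.

```python
import re
from collections import defaultdict

# Telegram bot tokens look like "<numeric bot id>:<35-char secret>" and every Bot
# API call goes to https://api.telegram.org/bot<token>/<method>. The 35-character
# secret length is the commonly observed format and is used here as a heuristic.
BOT_TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
BOT_API_CALL_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/([A-Za-z]+)")
CHAT_ID_RE = re.compile(r"chat_id=(-?\d+)")

# Constructed strings, as if pulled from a decompiled Xamarin assembly. The
# token and chat id are fake placeholders, not indicators from any real sample.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot123456789:AAF012345678901234567890123456789ab/getUpdates",
    "https://api.telegram.org/bot123456789:AAF012345678901234567890123456789ab/sendMessage",
    "https://api.telegram.org/bot123456789:AAF012345678901234567890123456789ab/sendDocument",
    "chat_id=987654321&text=",
    "android.permission.READ_SMS",
    "Telegram.Bot",
]


def find_bot_tokens(strings) -> set:
    """Every bot token that appears anywhere in the strings."""
    return {m.group(1) for s in strings for m in BOT_TOKEN_RE.finditer(s)}


def bot_api_methods(strings) -> dict:
    """token -> sorted Bot API methods the sample calls with it."""
    methods = defaultdict(set)
    for s in strings:
        for token, method in BOT_API_CALL_RE.findall(s):
            methods[token].add(method)
    return {t: sorted(m) for t, m in methods.items()}


def c2_summary(strings) -> dict:
    """IOC bundle for the report: tokens, bot ids, methods, chat ids, and whether the
    sample runs the getUpdates polling loop that these RATs use for tasking."""
    tokens = find_bot_tokens(strings)
    methods = bot_api_methods(strings)
    return {
        "tokens": sorted(tokens),
        "bot_ids": sorted(int(t.split(":")[0]) for t in tokens),
        "methods": methods,
        "chat_ids": sorted({int(c) for s in strings for c in CHAT_ID_RE.findall(s)}),
        "polling_c2": any("getUpdates" in m for m in methods.values()),
    }


if __name__ == "__main__":
    print(c2_summary(SAMPLE_STRINGS))
```

A sample that polls getUpdates and answers with sendMessage or sendDocument is running the command-and-exfiltration loop described above. Whoever holds the token can talk to the same bot, so treat it as a credential: it belongs in the IoC list and, for takedown, with Telegram, not in a public write-up.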

HeroRAT has been very active in Iran, where it spreads through third-party app stores and through tainted social media and messaging apps.

ESET experts speculate that HeroRAT borrows the source code of a malware that surfaced in the hacking community in March 2018; however, it has characteristics that distinguish it from IRRAT and TeleRAT, among them the use of the Xamarin framework and the Telesharp library for its development.

HeroRAT is offered for sale on a dedicated Telegram channel in three variants priced by functionality: bronze (25 USD), silver (50 USD) and gold (100 USD). The author also released a demo video explaining the RAT's features; the screenshot below, taken from that video, shows the differences between the three variants.

Figure 1 – Differences between the RAT variants

Further details on the RAT analyzed by CSE Cybsec, including the IoCs and Yara rules, are available in the report published by the ZLab researchers.


Hundreds of apps removed from Google Play store because were carrying Windows malware
2.8.2018 securityweek Android

Google recently removed 145 applications from the official Google Play store after they were found to contain malicious Windows executables, researchers from Palo Alto Networks revealed.

The apps were uploaded to Google Play between October and November 2017, so they stayed in the store for months. Some had been downloaded thousands of times and carried 4-star ratings.

The embedded code targets Windows, not Android: it cannot run on the devices that installed the apps, and its presence shows that the developers built the apps on infected Windows machines.

“Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform.” reads the analysis published by Palo Alto networks.

“The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware. This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks.”

Palo Alto Networks reported that, when executed on a Windows system, the malicious PE files perform the following suspicious activities:

Creates executable and hidden files in Windows system folders, including copying itself
Changes Windows registry to auto-start themselves after restarting
Attempts to sleep for a long period
Has suspicious network connection activities to IP address 87.98.185.184 via port 8829
Some of the apps contained multiple malicious PE files at different locations and under different names, but two of them were found in most of the infected applications.

One was included in 142 APKs and the other in 21 APKs; 15 apps contained both PE files.

The PE file found in most of the Android apps was a keylogger.

“After investigating all those malicious PE files, we found that there is one PE file which infects most of the Android apps, and the malicious activity of that PE file is key logging.” continues the analysis.

“On a Windows system, this key logger attempts to log keystrokes, which can include sensitive information like credit card numbers, social security numbers and passwords.”


To look legitimate, the PE files were concealed under innocuous names such as Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

The researchers also found that not all apps uploaded by the same developers were infected, likely because different development environments were used for different apps.

“The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse.” concludes Palo Alto Networks.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,”


Android Apps Carrying Windows Malware Yanked From Google Play
1.8.2018 securityweek   Android

Google recently removed 145 applications from Google Play after they were found to carry malicious Windows executables inside, Palo Alto Networks reveals.

Most of the infected applications, Palo Alto's researchers say, were uploaded to the store between October and November 2017 and remained there for over half a year. Google removed all of them after being alerted to the issue.

While not representing a threat to the Android users who downloaded and installed them, the malicious code within these APKs is proof of the dangers posed by supply chain attacks: the software developers built these applications on compromised Windows systems.

Some of the infected Android applications had over 1000 downloads and 4-star ratings before being removed from Google Play.

The security researchers discovered that some of the infected APKs contained multiple malicious PE files at different locations, with different names. However, two malicious files were found embedded in most applications.

One of the files was present in 142 APKs, while the second had infected 21 APKs. The security firm also found 15 apps with both PE files inside, as well as some APKs with a number of other malicious PE files inside.

The researchers also note that one malicious PE file that infected most of the Android apps was a keylogger. The malicious program attempted to log keystrokes, including sensitive information like credit card numbers, social security numbers and passwords.

To appear legitimate, these files use fake names, including Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

When executed on Windows systems, the malicious PE files would create executable and hidden files in Windows system folders, including copies of themselves, would change Windows registry to auto-start after system restart, would attempt to sleep for long periods of time, and also showed suspicious network connection activities to IP address 87.98.185.184 via port 8829.

“Interestingly, we saw a mixture of infected and non-infected apps from the same developers. We believe the reason might be that developers used different development environment for different apps,” Palo Alto Networks says.

The malicious PE files cannot directly run on Android devices, but, if the APK is unpacked on a Windows machine and malicious code executed, the system becomes infected. As Palo Alto Networks points out, the situation could become much worse if the developers are infected with malicious files that can run on Android.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,” the security firm concludes.
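The two articles above describe the same artefact: a Windows PE image sitting inside an APK as a resource or asset. Checking for that is a mechanical test that belongs in any pipeline that admits third-party APKs. The Python below is an added example, not Palo Alto Networks' tooling; it walks the APK (a ZIP archive) and flags entries that start with a DOS "MZ" header whose e_lfanew field points at a "PE\0\0" signature. build_sample_apk() assembles a constructed APK in memory with a stub PE under one of the file names the report mentions, plus an "MZ" decoy that is not a PE.

```python
import io
import struct
import zipfile

PE_SIGNATURE = b"PE\x00\x00"


def looks_like_pe(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def find_embedded_pe(apk_bytes: bytes, head: int = 64 * 1024) -> list:
    """Names of ZIP entries inside an APK that are Windows PE images."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            with apk.open(info) as fh:
                # e_lfanew is almost always well under 64 KiB, so the head is enough.
                if looks_like_pe(fh.read(head)):
                    hits.append(info.filename)
    return hits


def fake_pe_stub() -> bytes:
    """Smallest byte string the check accepts: MZ header, e_lfanew=0x40, then 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_SIGNATURE + b"\x00" * 20


def build_sample_apk() -> bytes:
    """Constructed APK: a dex stub, a PE stub under a name from the Palo Alto report,
    and an MZ-but-not-PE decoy to show that the e_lfanew check matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed binary xml stub>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("res/raw/images.exe", fake_pe_stub())
        z.writestr("assets/data.bin", b"MZ" + b"\x00" * 0x3E + b"not-a-pe")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_pe(build_sample_apk()))
```

Use it as a supply-chain gate on both sides: a developer runs it over the build output before upload (a hit means the build host is infected, which is the real finding here), and an app store or MDM runs it at ingestion. It matches only genuine PE images, so a resource that merely begins with "MZ" does not raise an alert.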


Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency
24.7.2018 securityaffairs Android  Cryptocurrency

It is common for developers to use debugging tools with elevated privileges while they are trying to troubleshoot their code. But crooks can abuse them too.
In an ideal world, all of the security controls are applied and all of the debugging tools are removed or disabled before the code is released to the public. In reality, devices are sometimes released in a vulnerable state without the end users’ knowledge.

Based on recent spikes in scans of TCP port 5555, someone believes there is an exploitable exposure out there.

The Android software development kit (SDK) provides a debugging tool called the Android Debug Bridge (adb). According to the Google developer portal,

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”

These are very powerful functions for a debugging tool, and equally useful for executing malicious code without tripping the usual security controls. As long as adb is used in a secured environment it presents little risk: the adb service should be disabled before devices are shipped to consumers, and it is common to restrict it to USB connectivity only.

In early June security researcher Kevin Beaumont, warned that, “Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He goes on to describe the types of Android-based devices that were found to be in a vulnerable state and accessible from the Internet, “[…] we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition.” It only took one month from this warning until researchers at Trend Micro identified suspicious port scans on TCP port 5555.

According to the Trend Micro blog, “We found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. […] Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.”
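What the scanners are looking for is an adbd that accepts an unauthenticated CONNECT on TCP 5555. The exchange is short, and reproducing it is the quickest way to audit your own devices. The Python below is an added example, not part of the Trend Micro or Kevin Beaumont research; it builds the adb CNXN message as documented in AOSP's adb/protocol.txt, parses the device's answer, and distinguishes an open adbd (which answers CNXN with a device:: banner) from one that demands RSA authentication (which answers AUTH). The device reply at the bottom is constructed, with invented property values.

```python
import socket
import struct

# Wire format from AOSP adb/protocol.txt: a 24-byte header of six little-endian
# uint32 fields followed by the payload. The checksum field is documented as
# "data_crc32" but adb actually stores the plain sum of the payload bytes
# (recent adbd ignores it altogether).
HEADER = struct.Struct("<4sIIIII")   # command, arg0, arg1, data_length, data_check, magic
ADB_VERSION = 0x01000000
ADB_MAXDATA = 4096                   # legacy maxdata, accepted by every adbd


def _checksum(payload: bytes) -> int:
    return sum(payload) & 0xFFFFFFFF


def build_message(command: bytes, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Serialise one adb message; magic is the command word XOR 0xffffffff."""
    magic = struct.unpack("<I", command)[0] ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), _checksum(payload), magic) + payload


def build_cnxn() -> bytes:
    """The CONNECT a client sends: CNXN(version, maxdata, 'host::')."""
    return build_message(b"CNXN", ADB_VERSION, ADB_MAXDATA, b"host::\x00")


def parse_message(data: bytes) -> dict:
    if len(data) < HEADER.size:
        raise ValueError("short adb header")
    command, arg0, arg1, length, _check, magic = HEADER.unpack_from(data)
    if struct.unpack("<I", command)[0] ^ 0xFFFFFFFF != magic:
        raise ValueError("bad adb magic (not an adb service?)")
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated adb payload")
    return {"command": command, "arg0": arg0, "arg1": arg1, "payload": payload}


def assess_reply(data: bytes) -> dict:
    """Classify the first message adbd sends back to our CNXN."""
    msg = parse_message(data)
    if msg["command"] == b"CNXN":
        # No AUTH challenge: anyone who can reach the port gets a shell.
        banner = msg["payload"].split(b"\x00", 1)[0].decode("ascii", "replace")
        props = {}
        if "::" in banner:
            for kv in banner.split("::", 1)[1].split(";"):
                if "=" in kv:
                    k, v = kv.split("=", 1)
                    props[k] = v
        return {"state": "open-unauthenticated", "banner": banner, "props": props}
    if msg["command"] == b"AUTH":
        return {"state": "auth-required"}   # ro.adb.secure=1: an RSA key is needed
    return {"state": "unexpected", "command": msg["command"]}


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> dict:
    """Send one CNXN and classify the answer. Only point this at hosts you own."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_cnxn())
        reply = s.recv(HEADER.size + ADB_MAXDATA)
    return assess_reply(reply)


# Constructed reply an unauthenticated adbd would send (property values invented).
SAMPLE_DEVICE_REPLY = build_message(
    b"CNXN", ADB_VERSION, ADB_MAXDATA,
    b"device::ro.product.name=example;ro.product.model=ExampleTV;ro.product.device=example;\x00",
)

if __name__ == "__main__":
    print(assess_reply(SAMPLE_DEVICE_REPLY))
```

probe() opens a real TCP connection, so run it only against devices you own or are authorised to test; an open result means anyone on the network can run `adb connect host:5555` and get a shell. On a device you control, `adb shell settings get global adb_enabled` returning 0, together with a port scan of the device from another host showing 5555 closed, confirms the fix.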


The Trend Micro researchers’ analysis shows a fairly typical command & control (C&C) malware infection process with many similarities to the Satori variant of the Mirai botnet. Once an open adb port is identified, the malware drops a stage 1 shell script onto the device which, when launched, downloads two additional (stage 2) shell scripts which then download the “next stage binary for several architectures and launch the corresponding one.” The binary establishes a connection to the C&C server, then scans processes running on the compromised device and attempts to kill any that are running the CoinHive script that could be mining Monero. At the same time, the binary attempts to spread to other devices as a worm.

It isn’t clear what the intent for the compromised devices is. Analysis of the code indicates that it could be used as a distributed denial of service (DDoS) platform if enough devices are compromised. Since it appears to be killing Monero mining processes, the compromised devices could be retasked to mine cryptocurrency for a different group. After Kevin Beaumont’s warning in June, IoT search engine Shodan added the ability to search for adb vulnerable systems and currently lists over 48,000 potentially vulnerable devices.

The Trend Micro researchers offer a few suggestions to reduce your risk:

On your mobile device, go to Settings, select “Developer Options” and ensure that “ADB (USB) debugging” and “Apps from Unknown Sources” are turned off
Apply recommended patches and updates from the vendor
Perform a factory reset to erase the malware if you feel you are infected
Update intrusion prevention systems (IPS) to identify potentially malicious code from reaching your device
The Android operating system was developed to run on a wide variety of devices. It is a flexible and complex solution that has encouraged a wide range of vendors to implement solutions based on Android. Some of these vendors have robust quality assurance processes in place and their solutions are “safe” while others allow mistakes to slip through the process and allow the vulnerabilities to land in the hands of end users. These users often aren’t aware of what operating system their devices are running and have no idea what vulnerabilities may exist until it is too late. It appears there are at least 48,000 examples of this waiting to be exploited.


The source code of the Exobot Android banking trojan has been leaked online
23.7.2018 securityaffairs Android

The source code of the Exobot Android banking trojan has been leaked online; researchers have already verified its authenticity.
The source code of the Exobot Android banking trojan has been leaked online, and experts believe we will soon see a new wave of attacks based on the malware.

The Exobot Android banking trojan was first spotted at the end of 2016, when its authors were advertising it on the dark web.

They advertised it as usable for phishing attacks; it implements the features typical of banking Trojans, such as intercepting SMS messages.

Exobot is a powerful banking malware able to infect even smartphones running the latest Android versions.

In January, the authors decided to stop working on the malware and put its source code up for sale.

Now researchers from Bleeping Computer have confirmed that they received a copy of the source code from an unknown individual and shared it with malware researchers from ESET and ThreatFabric to verify its authenticity.

“The code proved to be version 2.5 of the Exobot banking trojan, also known as the “Trump Edition,” one of Exobot’s last versions before its original author gave up on its development.” reads a blog post published by Bleeping Computer.


According to experts from ThreatFabric, the version provided to Bleeping Computer had been leaked online in May, apparently by one of the buyers of the code.

The source code is now circulating on a few underground hacking forums, which means threat actors can build their own versions and offer them under a malware-as-a-service model.

“In the coming months, we may see Android malware devs slowly migrating their campaigns from BankBot to Exobot, as few will decline a “free upgrade” to a better code.” concluded Bleeping Computer.


Google July 2018 Android patches fix critical vulnerabilities
7.7.2018 securityaffairs Android

This week Google released the July 2018 Android patches, which address tens of vulnerabilities in the mobile operating system.
The 2018-07-01 security patch level addresses a total of 11 vulnerabilities: three Critical issues and eight High-severity flaws in the Framework, Media framework and System components.

The Critical vulnerabilities are remote code execution issues; the others are information disclosure, denial of service and elevation of privilege bugs.

The most severe vulnerability affecting the Framework (CVE-2018-9433) could be exploited by a remote attacker using a specially crafted PAC (proxy auto-config) file to execute arbitrary code within the context of a privileged process.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” reads the security advisory.

The most severe vulnerability in System (CVE-2018-9365) component could be exploited by a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

The most severe vulnerability in the Media framework component (CVE-2018-9411) could be exploited by a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

Affected Android versions are Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.

Google also addressed a total of 32 vulnerabilities as part of the 2018-07-05 security patch level, eight Critical issues and 24 rated High risk.

These vulnerabilities affect the Kernel (4 elevation of privilege bugs), Qualcomm (6: 1 Critical RCE flaw, 1 High-severity RCE, 2 High-risk information disclosure issues, and 2 elevation of privilege vulnerabilities), and Qualcomm closed-source (22: 7 Critical issues and 15 High-risk flaws) components.


Rowhammer Evolves into RAMpage Exploit, Targeting Android Phones Since 2012
4.7.2018 securityaffairs Android

This week researchers demonstrated that most Android phones released since 2012 are still vulnerable to the RAMpage attack.
In 2012, security researchers identified a bug in modern DRAM (dynamic random access memory) chips that could lead to memory corruption.

In 2015, Google Project Zero researchers demonstrated “rowhammer”, a working exploit of this attack providing privilege escalation on vulnerable Linux and Windows systems. In 2016, researchers at VUSec published Drammer, demonstrating that the rowhammer technique could be used to gain root on Android devices. Google scrambled to fix the vulnerability in 2016, but this week researchers demonstrated that those fixes are incomplete and most Android phones released since 2012 are still vulnerable to the latest iteration of the attack, known as RAMpage. Since this is a hardware vulnerability, it is very difficult to retroactively “fix.”

The problem results from memory chips that use very small internal data paths to maximize “speed.” While we want computer memory to be consistent and free from corruption, the physics involved at such tiny scales has unintended consequences.

As written in the original academic paper, “[…] as DRAM process technology scales down to smaller dimensions, it becomes more difficult to prevent DRAM cells from electrically interacting with each other. […] By reading from the same row in DRAM, we show that it is possible to corrupt data in nearby addresses.” Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors, (Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, Onur Mutlu.) In other words, by repeatedly and quickly reading memory contents in DRAM Row 2, it may be possible to cause individual bits in Rows 1 or 3 to change from a 1 to a 0 or vice versa.

An interesting and concerning physical outcome, but it wasn’t until Google Project Zero researchers published a working exploit in 2015 that the risks became significant.

In the 2015 blog post, “Exploiting the DRAM rowhammer bug to gain kernel privileges”, Google security researchers explained that by using the rowhammer technique on two rows simultaneously (double-sided hammering), they were able to induce bit flips on a DRAM memory location between the two rows being read. Corrupting memory with electrical interference is a neat trick, but being able to change the memory bits to your choice is the start of a practical exploit and the researchers demonstrated an ability to gain privilege escalation on Windows and Linux systems. With privilege escalation, it may be possible to execute any malicious code on the target system. There are mitigations available to reduce the risks from rowhammer, but they require changes to hardware and some result in increased power consumption and reduced performance. Perhaps acceptable in desktop and server environments where security concerns override power consumption, but power is a prime concern in mobile devices — which were first shown to be vulnerable to rowhammer attacks in 2016.

Security researchers from VUSec in Amsterdam published a blog post in 2016 titled “Drammer: Flip Feng Shui Goes Mobile.” In this post, they described how a rowhammer attack could be used against mobile devices running Android OS to gain “root access” to the devices. The attack can be launched “by hiding it in a malicious app that requires no permissions.” Once the attacker has root access, they have full control of your mobile device and the information on that device. A patch for the Android kernel ION subsystem was released in November of 2016 which addresses the Drammer attack. Unfortunately, the Android ecosystem still suffers from fragmentation and distribution challenges, so you can expect that many vulnerable devices have not yet received this patch. Of course, as we learned this week, even if you did receive the patch, you may still be vulnerable.

An international team of system security researchers published the paper “GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM”, which describes an evolution of the rowhammer attack into the attack they dub RAMPAGE. From the paper, RAMPAGE is described as “a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses.” Acknowledging that the patch released in 2016 did address the “double-sided hammer” vulnerability, these researchers determined that by combining an attack that consumes all ION internal memory pools with their Flip Feng Shui exploit, they were still able to gain root on the target Android device. As always, once the bad actors have root, they have access to everything on your phone.

Since the theoretical proposal in 2012, we have seen the same memory vulnerability exploited repeatedly with greater impact and relative ease. In the RAMpage researchers’ own words, “Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector.” Being hardware-based, memory attacks like these are notoriously difficult to defend against. And if there is a viable defence, it usually increases costs or reduces performance, making it less likely to be deployed. We have to recognize that mobile devices are as capable as desktop computers and accept that they require similar protections, vulnerability management procedures and upgrades.

Do you consider your ability to patch and protect mobile systems when purchasing?


Researchers Devise Rowhammer Attacks Against Latest Android Versions
29.6.2018 securityweek Android Attack

A team of researchers from universities worldwide have devised a new set of DMA-based Rowhammer attacks against the latest Android OS, along with a lightweight defense to prevent such attacks on ARM-based devices.

Rowhammer is a vulnerability impacting dynamic random-access memory (DRAM) chips that can be abused to gain kernel privileges on Linux systems. Discovered in 2012 but documented only in 2014, the bug can also be exploited remotely using JavaScript or via graphics processing units (GPUs).

Last year, researchers from Graz University of Technology, the University of Pennsylvania (and University of Maryland), and University of Adelaide revealed a series of attack methods able to bypass existing defenses against Rowhammer.

Now, eight researchers from Vrije Universiteit Amsterdam, Amrita University India, UC Santa Barbara, and EURECOM propose RAMpage, a set of attacks that target the latest Android versions with a root exploit and app-to-app exploits that bypass all defenses.

In a research paper (PDF), they also propose GuardION, lightweight defenses that mitigate Rowhammer exploitation on ARM systems by isolating DMA buffers with DRAM-level guard rows.

Furthermore, the researchers claim that re-enabling higher order allocations, which Google disabled to prevent attacks, would improve system performance.

Rowhammer is a hardware bug that “consists of the leakage of charge between adjacent memory cells on a densely packed DRAM chip.” This means that, when a row of bits in the DRAM module is used, the neighboring rows are slightly affected, and attackers can abuse this to completely subvert a system’s security.

The issue is particularly serious on mobile devices, where hardware upgrades are not possible, the security researchers argue. They also note that existing software defenses are not effective and present attacks can circumvent all currently proposed and implemented defense techniques.

To exploit Rowhammer, an attacker needs to land a security-sensitive page in a vulnerable physical memory location and also needs to access the DRAM chip fast enough to hit the same rows before they are refreshed. They also have to determine the virtual addresses that map to the two physical rows adjacent to the victim row.

To mitigate the risks, Google disabled the contiguous heap, but left the system heap available. The company also reduced internal system heap pools to two and enforced that the system heap only returns memory pages from highmem.

By exhausting the system heap, the researchers were able to get contiguous pages and find exploitable bit flips via double-sided Rowhammer. The researchers then tricked the system into releasing pre-allocated cached memory, including the row with the vulnerable page, and developed a root exploit leveraging this attack technique.

The researchers also say it is possible to corrupt buffers belonging to another app or process, an attack scenario that could abuse privileged apps for increased damage. They also argue that an attacker could try to exhaust the Contiguous Memory Allocator (CMA) bit map, or to corrupt system memory from CMA-allocated memory. Such attacks, however, are technically challenging, the experts admit.

GuardION, the newly proposed mitigation against DMA-based Rowhammer exploits on mobile devices, focuses on limiting the capabilities of an attacker’s uncached allocations. Expensive fine-grained isolation can be applied for each DMA allocation, and GuardION isolates buffers with two guard rows: one at the ‘top’ and another at the ‘bottom’.

“This enforces a strict containment policy in which bit flips that are triggered by reading from uncached memory cannot occur outside the boundaries of that DMA buffer. In effect, this design defends against Rowhammer by eradicating the ability of the attacker to inject bit flips in sensitive data,” the researchers claim.

The mitigation, however, is based on the premise that bit flips don’t occur in memory pages physically located more than one row away from the aggressor rows. Such flips have never been reported before, and the physics of the Rowhammer effect itself makes such incidents unlikely to ever occur.

According to the research paper, not only is GuardION’s performance impact negligible, but its integration with the current Android code base is rather easy. A prototype implementation contains only 844 lines of code and touches only 9 files in the Android source code. The researchers are in the process of submitting the patch to Google for adoption.


Google Expands Android's Compiler-Based Mitigations
29.6.2018 securityweek Android

Google this week announced expanded compiler-based mitigations in Android P, in an attempt to make bugs harder to exploit and prevent specific types of issues from becoming vulnerabilities.

One of these is Control Flow Integrity (CFI), which represents a set of mitigations meant to “confine a program's control flow to a call graph of valid targets determined at compile-time.” Android already supports CFI implementation in select components, but the next platform release will expand that support, the search giant says.

“This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions,” Google explains.

The idea is that computing the set of valid branch targets at compile time reduces the set of destinations an attacker can reach, and that indirect branches are instrumented to detect runtime violations of that statically determined set; when a violation is detected, the process aborts.

By restricting control flow to a small set of legitimate targets, Google attempts to make code-reuse attacks much harder to execute, while also making memory corruption vulnerabilities more difficult or even impossible to exploit.

CFI requires compiling with Link-Time Optimization (LTO), which also results in reduced binary size and improved performance, although compile time increases. According to Google, testing has revealed “negligible overhead to code size and performance.”

In Android P, CFI will be enabled by default widely within the media frameworks and other security-critical components, including NFC and Bluetooth.

Android P also expands the number of libraries that benefit from Integer Overflow Sanitization, which safely aborts process execution when an overflow is detected. Thus, an entire class of memory corruption and information disclosure vulnerabilities is mitigated.

Google has expanded the use of these sanitizers in the media framework with each release and also improved them to reduce performance impact.

“In testing, these improvements reduced the sanitizers' performance overhead by over 75% in Android's 32-bit libstagefright library for some codecs. Improved Android build system support, such as better diagnostics support, more sensible crashes, and globally sanitized integer overflow targets for testing have also expedited the rollout of these sanitizers,” the Internet company says.

Google decided to bring integer overflow sanitization to libraries where complex untrusted input is processed or security bulletin-level integer overflow flaws were reported. Thus, in Android P, the libui, libnl, libmediaplayerservice, libexif, libdrmclearkeyplugin, and libreverbwrapper libraries will benefit from these sanitizers.
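To illustrate the sanitizer behaviour described above, here is an added example (not Google's or Android's code): a constructed size computation of the kind a 32-bit media parser performs on attacker-controlled counts, once with plain wrapping arithmetic and once with explicit checks built on the GCC/Clang `__builtin_mul_overflow` and `__builtin_add_overflow` builtins. The table layout, header size and sample values are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a parser reading a "sample table" from an
 * untrusted media file. Both the entry count and the entry size come
 * straight from the file, so an attacker controls both operands of the
 * size computation. This is illustrative code, not libstagefright. */
#define TABLE_HEADER_BYTES 16u

/* Unchecked form, in 32-bit arithmetic like the 32-bit builds the article
 * mentions: a large entry_count makes the product wrap past 2^32, so the
 * function reports a tiny buffer for a huge table. With Android's integer
 * overflow sanitizer enabled this multiply traps and aborts the process
 * instead of wrapping silently. */
uint32_t table_bytes_unchecked(uint32_t entry_count, uint32_t entry_size)
{
    return entry_count * entry_size + TABLE_HEADER_BYTES;
}

/* Checked form: every intermediate step is tested for wraparound with the
 * GCC/Clang overflow builtins, and the caller is told to reject the input
 * rather than continue with a wrong size. */
bool table_bytes_checked(uint32_t entry_count, uint32_t entry_size,
                         uint32_t *out_bytes)
{
    uint32_t payload;
    if (__builtin_mul_overflow(entry_count, entry_size, &payload))
        return false;               /* entry_count * entry_size wrapped */
    if (__builtin_add_overflow(payload, TABLE_HEADER_BYTES, out_bytes))
        return false;               /* adding the header wrapped */
    return true;
}

/* Validation step a parser runs before allocating or copying: the table
 * must fit inside the bytes remaining in the file. Returns 1 if the table
 * is accepted, 0 if it is rejected as malformed. With the unchecked math
 * the wrapped size passes this bounds check, which is the bug class the
 * sanitizer turns into a clean abort. */
int accept_table(uint32_t entry_count, uint32_t entry_size,
                 uint32_t bytes_remaining, bool use_checked_math)
{
    uint32_t needed;
    if (use_checked_math) {
        if (!table_bytes_checked(entry_count, entry_size, &needed))
            return 0;               /* overflow: reject, never allocate */
    } else {
        needed = table_bytes_unchecked(entry_count, entry_size);
    }
    return needed <= bytes_remaining ? 1 : 0;
}

int main(void)
{
    /* Constructed malicious header: 0x40000000 entries of 8 bytes each is
     * 2^33 bytes, which wraps to 0 in uint32_t arithmetic (+16 header). */
    uint32_t count = 0x40000000u, size = 8u, remaining = 4096u;

    printf("unchecked size: %u bytes, accepted=%d\n",
           table_bytes_unchecked(count, size),
           accept_table(count, size, remaining, false));
    printf("checked: accepted=%d\n",
           accept_table(count, size, remaining, true));
    return 0;
}
```

Compiling the unchecked function with clang's `-fsanitize=unsigned-integer-overflow -fsanitize-trap=all` makes the multiply trap instead of wrapping, which is the behaviour the sanitizers described above rely on.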

“Moving forward, we're expanding our use of these mitigation technologies and we strongly encourage vendors to do the same with their customizations,” Google notes.


Red Alert Android Trojan for Rent at $500 Per Month
22.6.2018 securityweek Android

The Red Alert 2.0 Android Trojan first detailed in September last year is currently available for rent on underground forums at $500 per month, Trustwave reports.

It is also capable of stealing information from infected devices, including SMS messages and contact details, can block calls from banks, and can keep in touch with its bots via Twitter in the event its command and control (C&C) server is taken offline.

When they detailed the threat in September last year, SfyLabs’ researchers said the malware included around 60 HTML overlays used to steal login credentials, but also revealed that the Trojan’s actor was constantly releasing updates for their malicious program.

A Trustwave report published this week reveals that the malware author is currently advertising the Trojan as targeting nearly 120 banks in Australia, Austria, Canada, Czech Republic, Poland, Denmark, Germany, France, Lithuania, India, Italy, Ireland, Japan, New Zealand, Romania, Spain, Sweden, Turkey, United Kingdom, and the United States.

Additionally, the malware developer claims the Trojan is targeting payment systems (PayPal, Airbnb, Coinbase, Poker Stars, Neteller, Skrill, and Unocoin Bitcoin Wallet India) and CC+VBV Grabbers (Amazon, eBay, LINE, GetTaxi, Snapchat, Viber, Instagram, Facebook, Skype, UBER, WeChat, and WhatsApp) too.

Red Alert 2.0 is also advertised as able to intercept and send SMS messages and launch APKs. The author also claims new functionality is being developed, that injects can be built per customer request, and that updates are being released every two weeks. Miscreants can rent the Trojan starting at $200 for 7 days, $500 for a month, or $999 for 2 months.

As part of the analyzed Red Alert 2.0 attack, the malware was being distributed attached to spam messages. Although the threat is currently detected by nearly half of the VirusTotal anti-virus companies, the distribution method is still interesting for an Android malware family.

While analyzing the threat, the researchers discovered that it requests permissions to write, read, and receive SMS messages, make calls, and change network state, consistent with the advertised functionality.

The Trojan also includes services such as a watchdog that ensures it is running, services that register the device bot and wait for commands from the command and control (C&C) server, one that ensures the device is connected to the C&C, one that ensures the malware runs at reboot, and an SMS interceptor.

Another component is in charge of requesting permissions from the user and overlaying templates received from the C&C on top of legitimate apps. The malware also sets itself as the default telephony provider and requests device admin access (which allows it to completely wipe all data from the device).

C&C communication is performed using HTTP POST requests to a specific URL. If the website is not available, the malware attempts to connect with the operator through a Twitter message.

“At the time of our analysis, there were no longer any live C&C servers running and so we were unable to observe any traffic between the malware and the C&C server. We couldn't complete the reverse-engineering of some of the commands due to some issues, including no traffic observed, heavily obfuscated code, but also extremely buggy malware that crashed several times when we sent it a command,” the researchers note.


Google Marks APKs Distributed by Google Play
22.6.2018 securityweek Android

Google this week announced that it is adding a small amount of security metadata on top of APKs distributed by Google Play in order to verify their authenticity.

Initially announced in December 2017, the new change is designed to verify product authenticity from Google Play and is accompanied by an adjusted Google Play maximum APK size to take into account the small metadata addition.

The metadata is meant to work similarly to the official labels or badges that manufacturers place on physical products to mark their authenticity. The metadata will signify Play’s badge of authenticity for all Android apps distributed through the official marketplace.

“One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity,” James Bender, Product Manager, Google Play, says.

According to Bender, the new “badge” will help determine the authenticity of apps obtained through Play-approved distribution channels when the device is offline. These shared apps will be added to the Play Library, and app update management will be possible once the device has connectivity.

“This will give people more confidence when using Play-approved peer-to-peer sharing apps,” he notes.

Developers are also expected to benefit from this change, not only because a Play-authorized offline distribution channel will be available for them, but also because, once the peer-to-peer shared apps are added to the Play library, they become eligible for updates from Play.

Google says no action is required from the developers or from the users of their applications. The small metadata addition is inserted into the APK Signing Block and is expected to improve the integrity of Google Play's mobile app ecosystem.
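As an added example (not Google's or the Play Store's code), the following C parser walks an APK Signing Block, the ZIP-level structure into which the Play metadata is inserted, checks that its sizes and trailer are consistent, and lists the ID-value pairs it contains. The pair layout (little-endian sizes, a uint32 ID per pair, the `APK Sig Block 42` trailer) follows the APK Signature Scheme v2 format and the v2 block ID 0x7109871a is the documented value; the sample block, its payloads and the second pair's ID are constructed placeholders, since the article does not give the metadata's ID.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APK_SIG_BLOCK_MAGIC "APK Sig Block 42"   /* 16-byte trailer, no NUL */
#define APK_SIG_V2_ID            0x7109871aU    /* APK Signature Scheme v2 pair */
#define PLAY_META_ID_PLACEHOLDER 0x11111111U    /* constructed stand-in ID */

struct sig_pair { uint32_t id; const uint8_t *value; uint64_t value_len; };

/* Little-endian readers/writers; the block is little-endian throughout. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse a standalone APK Signing Block:
 *   uint64 size | pairs... | uint64 size | "APK Sig Block 42"
 * where each pair is  uint64 len | uint32 id | value[len-4].
 * Returns the number of pairs, or -1 if any length or the trailer is
 * inconsistent (the first thing to check before trusting any pair). */
int parse_apk_sig_block(const uint8_t *buf, size_t len, struct sig_pair *out, size_t max_out)
{
    if (len < 8 + 8 + 16) return -1;
    if (memcmp(buf + len - 16, APK_SIG_BLOCK_MAGIC, 16) != 0) return -1;
    uint64_t size_hdr = rd64(buf), size_ftr = rd64(buf + len - 24);
    if (size_hdr != size_ftr || size_hdr != (uint64_t)len - 8) return -1;

    size_t pos = 8, end = len - 24;   /* pairs live between the two size fields */
    int n = 0;
    while (pos < end) {
        if (end - pos < 12) return -1;                            /* no room for len + id */
        uint64_t pair_len = rd64(buf + pos);
        if (pair_len < 4 || pair_len > end - pos - 8) return -1;  /* pair runs past block */
        if ((size_t)n < max_out) {
            out[n].id = rd32(buf + pos + 8);
            out[n].value = buf + pos + 12;
            out[n].value_len = pair_len - 4;
        }
        n++;
        pos += 8 + (size_t)pair_len;
    }
    return pos == end ? n : -1;
}

static size_t put_pair(uint8_t *p, uint32_t id, const uint8_t *val, size_t vlen)
{
    wr64(p, 4 + (uint64_t)vlen);
    wr32(p + 8, id);
    memcpy(p + 12, val, vlen);
    return 12 + vlen;
}

/* Build a constructed block with two pairs: a v2 signature pair and a
 * second pair standing in for the Play metadata. The payloads are dummy
 * strings, not real signature or metadata bytes. Returns bytes written. */
size_t build_sample_block(uint8_t *buf, size_t cap)
{
    static const uint8_t v2[] = "v2-signature-bytes", meta[] = "play-metadata";
    size_t v2len = sizeof v2 - 1, mlen = sizeof meta - 1;
    size_t total = 8 + (12 + v2len) + (12 + mlen) + 8 + 16;
    if (cap < total) return 0;
    size_t pos = 0;
    wr64(buf, (uint64_t)total - 8);                 pos += 8;
    pos += put_pair(buf + pos, APK_SIG_V2_ID, v2, v2len);
    pos += put_pair(buf + pos, PLAY_META_ID_PLACEHOLDER, meta, mlen);
    wr64(buf + pos, (uint64_t)total - 8);           pos += 8;
    memcpy(buf + pos, APK_SIG_BLOCK_MAGIC, 16);     pos += 16;
    return pos;
}

/* Convenience wrappers: build the sample and parse it, intact or with the
 * trailer cut short so the consistency checks fire. */
int sample_pair_count(void)
{
    uint8_t buf[128]; struct sig_pair pairs[4];
    return parse_apk_sig_block(buf, build_sample_block(buf, sizeof buf), pairs, 4);
}
uint32_t sample_pair_id(int idx)
{
    uint8_t buf[128]; struct sig_pair pairs[4];
    int n = parse_apk_sig_block(buf, build_sample_block(buf, sizeof buf), pairs, 4);
    return (idx >= 0 && idx < n) ? pairs[idx].id : 0;
}
int sample_truncated_result(void)
{
    uint8_t buf[128]; struct sig_pair pairs[4];
    return parse_apk_sig_block(buf, build_sample_block(buf, sizeof buf) - 1, pairs, 4);
}

int main(void)
{
    uint8_t buf[128]; struct sig_pair pairs[4];
    int n = parse_apk_sig_block(buf, build_sample_block(buf, sizeof buf), pairs, 4);
    for (int i = 0; i < n; i++)
        printf("pair %d: id=0x%08x value_len=%llu\n", i, (unsigned)pairs[i].id,
               (unsigned long long)pairs[i].value_len);
    printf("truncated block -> %d\n", sample_truncated_result());
    return 0;
}
```

In a real APK the block sits immediately before the ZIP Central Directory, whose offset is read from the End of Central Directory record; the parser above takes the already-located block bytes as input.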

Beginning in August 2018, developers will need to target API level 26 (Android 8.0) or higher with their new apps. Starting in November this year, app updates will have to comply with this requirement as well. Existing applications that don’t receive updates won’t be affected by these changes.


Red Alert 2.0 Android Trojan available for rent in the underground at $500 per Month
22.6.2018 securityaffairs Android

According to researchers at Trustwave, the source code of the Red Alert 2.0 Android Trojan is now available for rent on cybercrime underground forums at $500 per month.
The experts discovered the latest variant after receiving a malicious APK via email and analyzing it.

“It all started with a spam message, which curiously had an Android App attachment. The spam email vaguely claims that the attachment was a dating app for finding anonymous sex-acquaintances called SilverBox.” reads the analysis published by Trustwave.

“We Googled some of the strings from the decompiled source code and found this bot was known as RED ALERT v2.0 BOT and is being rented out for at least $200 for 7 days test usage, $500 for a month and up to $999 for 2 months.”

The Red Alert 2.0 Android Trojan was being distributed through spam messages, the detection rate at the time of analysis was 25 out of 59 of the VirusTotal anti-virus solutions.

The Red Alert 2.0 Android Trojan was first spotted in September by researchers at security firm SfyLabs, it was being offered for rent on many dark websites for $500 per month.

The Red Alert 2.0 Android banking malware was developed from scratch and has been offered for rent via many online hacking forums. The authors of the malware are continuously updating it, adding new features.

The malware implements a broad range of stealing abilities: it is capable of exfiltrating information from infected mobile devices, such as contact details and SMS messages. The malware is able to block calls from banks, and it implements a backup C&C mechanism through bots on Twitter.

C&C communications are performed via HTTP POST requests to a specific URL; in case the C&C is not available, the malicious code receives instructions from the operator through a Twitter message.

The malware also displays an overlay on the top of legitimate apps, at the time of its first discovery experts observed around 60 HTML overlays for banking apps.

According to Trustwave, the authors have expanded this capability, and currently the Red Alert 2.0 Android Trojan is able to target more than 120 banks in Australia, Austria, Canada, Czech Republic, Poland, Denmark, Germany, France, Lithuania, India, Italy, Ireland, Japan, New Zealand, Romania, Spain, Sweden, Turkey, United Kingdom, and the United States.

The authors’ advertisement also claims that the malware is able to target popular payment systems (PayPal, Airbnb, Coinbase, Poker Stars, Neteller, Skrill, and Unocoin Bitcoin Wallet India) and CC+VBV Grabbers (Amazon, eBay, LINE, GetTaxi, Snapchat, Viber, Instagram, Facebook, Skype, UBER, WeChat, and WhatsApp) too.

Red Alert 2.0 is able to intercept and send SMS messages, launch APKs and inject HTML, this latter feature could be customized on demand. The author claims to produce new updates every two weeks.

The malware uses a number of services to handle its life cycle and keep it running at all times; some of them are:

WatchDogService: sets timers to ensure that the malware is running periodically.
ControlService: registers the device bot and starts the ReadCommandThread, which waits for instructions from the C&C server.
A connectivity service: ensures that the device is connected to the C&C server.
BootReceiver: ensures all functionality is up and running when the device is rebooted. This boot receiver ensures that the watchdog service is run every 10 secs or 30 secs depending on the version of the OS.
SmsReceiver: intercepts SMS messages.

Red Alert 2.0 also includes a UI module used to request permissions from the victims and to overlay templates received from the C&C server on top of other apps.

Below a video published by the researchers that shows the malware in action:

Are you curious?

Well, you can rent the malware starting at $200 for 7 days, $500 for a month, or $999 for 2 months.

Let’s close with a consideration: spreading Android malware via spam messages is not very effective, and, as the experts confirm, it is rare to see crooks distributing malicious Android apps this way.

“To wrap-up, we had fun reverse engineering this Android malware and learned a lot. It was interesting to see APK malware being spammed via email, but we wonder how effective the strategy really is for the bad guys.” concludes Trustwave.

“The malware required the user to OK to install, and Android pops up plenty of warnings about permissions. Also, Google Play Protect was detecting this threat, so in order to get the malware installed on Android we also had to disable Play Protect. We haven’t seen any more samples being spammed, so perhaps the email campaign was not so successful after all.”


HeroRat Controls Infected Android Devices via Telegram
19.6.2018 securityweek Android Virus

A newly detailed Android remote access Trojan (RAT) is leveraging Telegram’s bot functionality to control infected devices, ESET reveals.

Dubbed HeroRat, the malware has been spreading since at least August 2017. As of March 2018, the Trojan’s source code has been available for free on Telegram hacking channels, resulting in hundreds of variants emerging in attacks.

Although the source code is available for free, one of these variants is being sold on a dedicated Telegram channel at three price points, depending on functionality. A support video channel is also available, the security company has discovered.

“It is unclear whether this variant was created from the leaked source code, or if it is the ‘original’ whose source code was leaked,” ESET’s Lukas Stefanko notes in a blog post.

HeroRat differs from other Telegram-abusing Android RATs in that it has been developed from scratch in C#, using the Xamarin framework, Stefanko says. This is a rare combination for Android malware, as previously analyzed Trojans were written in standard Android Java.

Moreover, the malware author has adapted the Telegram protocol to the programming language used. Instead of using the Telegram Bot API as other RATs do, the new threat uses Telesharp, a library for creating Telegram bots with C#. All communication to and from the infected devices is performed using the Telegram protocol.

The new malware is being distributed via third-party app stores, social media, and messaging apps, in various appealing guises (apps promising free Bitcoins, free Internet, and more followers on social media), mostly in Iran.

The malicious program is compatible with all Android versions, but it requires users to grant it a broad range of permissions, sometimes even activating its app as device administrator. Based on these permissions, the threat can then erase all data on the device, lock the screen, change passwords, and change password rules.

After the installation has been completed and the malware is launched, a popup appears (in either English or Persian), claiming that the app can’t run and that it is being uninstalled. The victim is then informed the uninstallation has been completed, and the app icon disappears.

The malware, however, continues to run in the background, and the attacker can start using Telegram’s bot functionality to control the newly infected device. A bot operated via the Telegram app controls each compromised device, Stefanko says.

HeroRat can spy on victims and exfiltrate files from the infected devices. It can intercept text messages, steal contacts, send text messages, and make calls, record audio and screen, obtain device location, and control the device’s settings.

These capabilities are accessible through clickable buttons in the Telegram bot interface, making it very easy for attackers to control victimized devices.

The malware author has put for sale bronze, silver, and gold panels, offered at $25, $50, and $100, respectively. The malware’s source code, on the other hand, is available at $650, offered by HeroRat’s (ambitious) author themselves.

“With the malware’s source code recently made available for free, new mutations could be developed and deployed anywhere in the world,” Stefanko notes.

“To avoid falling victim to Android malware, stick to the official Google Play store when downloading apps, make sure to read user reviews before downloading anything to your device and pay attention to what permissions you grant to apps both before and after installation,” the researcher concludes.


HeroRAT – A totally new Telegram-based Android RAT is spreading in the wild
19.6.2018 securityaffairs Android

Malware researchers from ESET have discovered a new strain of Android RAT, tracked as HeroRat, that leverages Telegram protocol for command and control, and data exfiltration.
HeroRat isn’t the first malware abusing the Telegram protocol; past investigations reported similar threats such as TeleRAT and IRRAT.

The new RAT has been in the wild at least since August 2017 and in March 2018 its source code was released for free on Telegram hacking channels allowing various threat actors to create their own variant.

HeroRat was born this way, but it is quite different from the other variants that borrowed the source code. HeroRat is the first Telegram-based malware developed from scratch in C# using the Xamarin framework; previous ones were written in Java.

The RAT leverages the Telesharp library for creating Telegram bots with C#.

“One of these variants is different from the rest – despite the freely available source code, it is offered for sale on a dedicated Telegram channel, marketed under the name HeroRat.” reads the analysis published by ESET.

“It is available in three pricing models according to functionality, and comes with a support video channel. It is unclear whether this variant was created from the leaked source code, or if it is the “original” whose source code was leaked.”

The malware is spread through different channels, including third-party app stores, social media, and messaging apps, under various disguises.

Researchers observed the largest number of infections in Iran, where malicious apps are offered promising free bitcoins, free internet connections, and additional followers on social media.

The apps analyzed by ESET show strange behavior: after the malware is installed and launched on the victim’s device, it displays a small popup claiming the application can’t run on the device and for this reason will be uninstalled.

Once the uninstallation is seemingly completed, the icon associated with the app disappears, but by then the attacker has already obtained control of the victim’s device.

The attacker leverages the Telegram bot functionality to control the infected device, the malware is able to execute a broad range of commands such as data exfiltration and audio/video recording.

“The malware has a wide array of spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings,” continues the analysis.

The source code of HeroRat is offered for sale for 650 USD; the authors also offer three packages of the malware depending on the features implemented: bronze, silver, and gold, which go for 25, 50, and 100 USD, respectively.

The malware’s capabilities are accessible in the form of clickable buttons in the Telegram bot interface. Attackers can control victimized devices by simply tapping the buttons available in the version of the malware they are operating.

The availability of the source code online will drive new versions; the best way to check whether your mobile device has been infected is to scan it using a reliable mobile security solution.


Don’t install Fortnite Android APK because it could infect your mobile device
19.6.2018 securityaffairs Android

Fortnite is currently the most popular game, and crooks are attempting to exploit the interest in the forthcoming Fortnite Android release to infect millions of fans.
Fortnite is without doubt the most popular game right now; it is a co-op sandbox survival game developed by Epic Games and People Can Fly.

The game was released as a paid-for early access title for Microsoft Windows, macOS, PlayStation 4 and Xbox One on July 25, 2017, with a full free-to-play release in 2018.

The Fortnite game has now more than 125 million active users.

Fortnite’s great success has attracted cybercriminals who are attempting to exploit its popularity to target fans.

Unfortunately for Android users, Fortnite for Android devices is not available yet; it is currently under development, while the iOS version was released by Epic Games in March.


The company announced that the Battle Royale game is planned to be released for Android devices this summer.

In recent weeks, crooks have attempted to take advantage of Android users’ interest in an alleged version of the popular game for their devices.

Surfing online, it is quite easy to find blog posts and video tutorials with instructions for installing a fake Fortnite Android app.

I spent an entire week explaining to my son and his friends the risks of installing APKs from untrusted sources; believe me … it was the only real battle royale of this story 🙂

Just searching for ‘Fortnite Android App’ on YouTube returns an impressive number of videos on “How to install Fortnite on Android”; many of these videos have been viewed millions of times and also include links to actual Fortnite APK files.


A growing number of users are searching for Fortnite Android, as reported by Google Trends.

Scammers are exploiting this interest to trick Android fans into downloading tainted versions of the game that can compromise Android devices.

Some video tutorials that appeared online recommend that Android users “install a few other apps” to unlock the Android Fortnite game. These apps could hide any kind of code, from cryptocurrency miners to apps that exist only to generate revenue for their developers.

Lukas Stefanko (@LukasStefanko), 9:30 AM - Jun 12, 2018:
Millions of views on YouTube for fake "How to install Fortnite on Android" videos including links to actual APK files.
Don't install #Fortnite for Android, it's all fake or malicious! Official app is not released yet.
They mostly generate revenue for developers.

An impressive number of links purporting to be official Fortnite app downloads are used by crooks to deliver malicious applications.

If you are a fan of the Fortnite game, you have to wait until next summer for the official Android version; in the meantime, don’t install alleged beta versions of the popular game from third-party stores.

Lukas Stefanko (@LukasStefanko), 9:59 AM - Jun 12, 2018:
People are willing to do and believe anything to play #Fortnite on Android. pic.twitter.com/e4TASictqW

Even if you see a Fortnite Android version in the official Google Play store, do not download it; unfortunately, scammers are able to deploy fake apps on the official store as well.


Android-based devices Amazon Fire TV and Fire Stick hit by cryptomining malware
18.6.2018 securityaffairs Android

A new crypto-mining malware dubbed ADB.miner is targeting the Android-based Amazon Fire TV and Fire TV Stick devices.
Recently, security experts spotted the crypto-mining malware ADB.miner (Android.CoinMine.15) targeting Amazon Fire TV and Fire TV Stick devices.

The malicious code has been active since at least February, when researchers at Qihoo 360’s Netlab spotted the Android mining botnet, which targets Android devices by scanning for an open ADB debugging interface (port 5555) and infects them with a Monero cryptocurrency miner.

Port 5555 is the port used by the ADB debug interface on Android devices, and it should normally be closed. The devices infected by ADB.miner are those on which users or vendors have voluntarily enabled debugging on port 5555.

The Amazon devices hit by ADB.miner leverage ADB (Android Debug Bridge) and have uninterrupted internet connections, so it is no surprise that they are now under attack.

Many Amazon Fire TV owners reported through a thread on the XDA forums that their streaming media players have been infected by the malware.

“Hi guys! I have a question I hope someone can help me with. I have a Gen 2 Firestick and for 2 days now this app called “test” keeps popping up at all times; I have no clue why it’s doing this. I have uninstalled the app and it comes back, and I’ve even tried to run the app and it tells me the app needs updating to run on my device, look for an updated version on my store… and yeah, the app doesn’t exist on the store. What is up with this thing?” wrote one of the Amazon Fire TV owners.

Once the malware has infected the device, it abuses its resources to mine cryptocurrency and disrupts video playback.

The infected devices display the official Android logo and a message that states “Test.”

“Infected devices will become very slow to use. Loading apps will take longer than usual. This is because the malware is using 100% of the device’s processor to mine cryptocurrency. A screen that says “Test” with a green Android robot icon will also occasionally appear randomly on infected devices. This screen causes video playback and apps to abruptly stop, making the device difficult to use normally.” states an analysis published on Aftvnews.com.


By reverse engineering the code of the Test app, the experts discovered that it is a variant of ADB.Miner that opens a single HTML page containing the CoinHive script in an Android WebView to mine Monero. The code included in the app is shown below.


Amazon Fire TV devices that have developer options disabled cannot be infected by ADB.miner.

If the Amazon device has already been infected, it is possible to install the Total Commander app to find and remove ADB.miner.

To discover whether your device is infected:

1. Install Total Commander from the Amazon Appstore onto your Fire TV device.
2. Launch Total Commander and select the “Installed Apps” menu item.
3. If you see an app called “Test” installed on your device, then your device is infected.

Another way to remove the malicious code is to force a factory reset of the device; if you do not want to factory reset your device, you can instead install a modified version of the malicious app.

“If you do not want to factory reset your device and/or the malware keeps reappearing because your Fire TV keeps getting reinfected, you can try installing a modified version of the malware that doesn’t actually mine cryptocurrency. An XDA user by the name of innovaciones created this modified version of the malware. When installed, it updates the existing malware to a version that essentially turns off the miner.” concludes aftvnews.com.

“You can get the modified APK from this XDA post or from the short URL http://bit.ly/testappfix.”


Mysterybot, a new LokiBot-Linked Android Trojan Emerges
16.6.2018 securityaffairs Android

Threat Fabric reports on a newly discovered banking Trojan, dubbed Mysterybot, targeting Android 7 and 8; the malware seems to be linked to Lokibot.
Threat Fabric (formerly known as SfyLabs) reports on a newly discovered banking Trojan targeting Android 7 and 8. It seems to be linked to Lokibot, the hydra of the Android malware zoo, because it uses the same command and control (C&C) server.


The recently discovered banking Trojan, dubbed Mysterybot, seems to be either an update of Lokibot or a member of the same Trojan family.

Lokibot is known as the hydra of the Android malware zoo because it has both Android Trojan and ransomware capabilities: killing one does not kill the other.

Mysterybot features improved commands compared to Lokibot, a new name, and modified network communication.

“Although certain Android banking malware families such as but not limited to ExoBot 2.5, Anubis II, DiseaseBot have been exploring new techniques to perform overlay attacks on Android 7 and 8, it seems that the actor(s) behind Mysterybot have successfully implemented a workaround solution and have spent some time on innovation,” Threat Fabric notes.

Here is a list of the ‘innovative’ features the researchers discovered:

The supported commands include: call a given phone number, fetch contact list information, forward calls, copy all SMS messages, log keystrokes, encrypt files on external storage and delete all contacts, send an SMS message to all contacts, change default SMS app, call a USSD number, delete all SMS messages and send SMS messages.
Phishing functionality by using a new technique to overlay phishing pages on top of legitimate apps on Android 7 and 8 devices. Restrictions in Security-Enhanced Linux (SELinux) and other security controls in new Android versions were built to prevent malware from displaying fake windows over legitimate apps. The new technique leverages the Android PACKAGE_USAGE_STATS permission (Usage Access permission) to bypass the restrictions, and also abuses the AccessibilityService to get the permission.
The Mysterybot malware use case works like this: the malware, posing as an Adobe Flash Player App, asks the victim to grant it the Usage Access permission, which enables its villainous capabilities. The malware then attempts to monitor package names of the applications in the foreground. It targets over 100 applications with the overlays, including mobile banking and social platform apps.
In addition, Mysterybot uses a new method of logging keystrokes: it calculates the location of the keys on the screen and places a different View over each of them, allowing it to register which keys have been pressed. However, this component seems to be under development, because Mysterybot can’t yet send the logged keystrokes to the C&C server.
Like Lokibot, Mysterybot also has ransomware capabilities, managed from a dashboard separate from the Trojan’s. It encrypts each file in the external storage directory and then deletes the originals. Mysterybot places each file in a password-protected ZIP archive but uses the same password (a runtime-generated key) for all archives. After encryption completes, the malware displays a dialogue claiming the victim watched pornographic material and instructing them to contact the attacker via email.
The passwords Mysterybot uses for the ZIP archives are 8 characters long: Latin alphabet characters (upper and lowercase) combined with numbers.
The ID assigned to a victim can only be a number between 0 and 9,999, so the same ID may end up assigned to multiple victims.
Mysterybot seems to be the next step in the evolution of Android banking malware, inheriting from the hydra Lokibot and at the same time improving on it by being a banking Trojan, ransomware, and keylogger in one malware agent.

About the author

Cordny Nederkoorn

Software test engineer, Founder TestingSaaS, a social network about researching cloud applications with a focus on forensics, software testing and security.


New LokiBot-Linked Android Trojan Emerges
15.6.2018 securityweek Android

A newly discovered banking Trojan targeting Android 7 and 8 versions is using the same command and control (C&C) server as LokiBot, Threat Fabric (formerly known as SfyLabs) reports.

Dubbed MysteryBot, the new threat appears to be either an update for LokiBot or a brand new malware family from the same threat actor. It features improved commands compared to LokiBot, a new name, and modified network communication.

Although featuring generic Android banking Trojan functionalities, the new malware stands out in the crowd, courtesy of novel overlay, keylogging, and ransomware capabilities, researchers discovered.

The list of supported commands includes: call a given phone number, fetch contact list information, forward calls, copy all SMS messages, log keystrokes, encrypt files on external storage and delete all contacts, send an SMS message to all contacts, change default SMS app, call a USSD number, delete all SMS messages, and send SMS messages.

In addition to these capabilities, the Trojan can overlay phishing pages on top of legitimate applications, and uses a novel technique for that, to ensure success on Android 7 and 8 devices as well.

Restrictions in Security-Enhanced Linux (SELinux) and other security controls in new Android versions were meant to prevent malware from displaying fake windows over legitimate apps. The new technique leverages the Android PACKAGE_USAGE_STATS permission (Usage Access permission) to bypass the restrictions, and also abuses the AccessibilityService to get the permission.

Posing as an Adobe Flash Player app, the malware asks the victim to grant it the Usage Access permission, which enables its nefarious capabilities. The malware then attempts to monitor package names of the applications in the foreground. It targets over 100 applications with the overlays, including mobile banking and social platform apps.

MysteryBot also uses a new method of logging keystrokes: it calculates the location of the keys on the screen (it considers that each key has a set location on the screen), and places a different View over each of them (width and height of 0 pixels), which allows it to register which keys have been pressed.

The code, however, appears to be under development, as the malware doesn’t yet include the capability to send the logged keystrokes to the C&C server.

The malware also includes locker/ransomware capabilities, which are managed from a dashboard separate from the Trojan’s, the researchers reveal. MysteryBot can encrypt each file in the External Storage directory individually, and then delete the original files.

The malware places each file in a password-protected ZIP archive, but uses the same password for all archives (the key is generated during runtime). When completing the encryption, the malware displays a dialogue claiming the victim watched pornographic material and instructing them to contact the attacker via email.

The security researchers discovered that the passwords the malware uses are only 8 characters long, and that only characters of the Latin alphabet (upper and lower case) combined with numbers are used. Moreover, the IDs assigned to each victim can only be a number between 0 and 9,999, meaning that the same ID could actually be assigned to multiple victims.

“Although certain Android banking malware families such as but not limited to ExoBot 2.5, Anubis II, DiseaseBot have been exploring new techniques to perform overlay attacks on Android 7 and 8, it seems that the actor(s) behind MysteryBot have successfully implemented a workaround solution and have spent some time on innovation,” Threat Fabric concludes.
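Two of the figures in both write-ups above, the 8-character alphanumeric archive password and the victim ID range of 0 to 9,999, are worth putting numbers on, because they bound what an incident responder can expect. The block below is an added example, not Threat Fabric's code: the only inputs taken from the text are the alphabet, the password length and the ID range; the arithmetic, and the assumption that IDs are drawn uniformly, are mine.

```python
"""Quantify two weaknesses of MysteryBot's ransomware component.

Added example, not from Threat Fabric. Inputs from the text: an 8-character
[A-Za-z0-9] password shared by every archive, and victim IDs in 0..9,999.
The uniform-ID assumption is an assumption of this example.
"""
import math

ALPHABET_SIZE = 26 + 26 + 10   # upper-case, lower-case, digits
PASSWORD_LEN = 8
ID_SPACE = 10_000              # IDs 0 .. 9,999


def password_keyspace():
    """Number of distinct archive passwords the malware can generate."""
    return ALPHABET_SIZE ** PASSWORD_LEN


def password_entropy_bits():
    """Equivalent symmetric key strength if the generator is uniform."""
    return math.log2(password_keyspace())


def id_collision_probability(n_victims):
    """Exact birthday-problem probability that at least two of n_victims share
    an ID, with IDs drawn uniformly from ID_SPACE values."""
    if n_victims > ID_SPACE:
        return 1.0
    p_all_distinct = 1.0
    for i in range(n_victims):
        p_all_distinct *= (ID_SPACE - i) / ID_SPACE
    return 1.0 - p_all_distinct


def victims_until_collision_likely(threshold=0.5):
    """Smallest victim count at which a shared ID is at least `threshold` likely."""
    n = 1
    while id_collision_probability(n) < threshold:
        n += 1
    return n


if __name__ == "__main__":
    print(f"keyspace = {password_keyspace():,} (~{password_entropy_bits():.1f} bits)")
    print(f"shared ID is a coin flip after {victims_until_collision_likely()} victims")
```

The practical reading: one password of roughly 47.6 bits protects every archive on a device, so recovering it once (from memory, from the sample, or from the operator's panel) releases all of that victim's files, and with fewer than 120 victims the operator more likely than not has two victims with the same ID, which complicates any per-victim key bookkeeping on their side.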


Many Android Devices Ship with ADB Enabled
11.6.2018 securityweek Android

Many vendors ship Android devices with the Android Debug Bridge (ADB) feature enabled, thus rendering them exposed to various attacks, security researcher Kevin Beaumont has discovered.

ADB is a feature meant to provide developers with the ability to easily communicate with devices remotely, to execute commands and fully control the device. Because it doesn’t require authentication, ADB allows anyone to connect to a device, install apps and execute commands.

In theory, the device should be first connected via USB to enable ADB, but Beaumont has discovered that some vendors ship Android devices with the feature enabled right from the start. The Debug Bridge listens on port 5555, and anyone can connect to the device over the Internet.

“During research for this article, we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition,” the security researcher notes.

This is clearly a major issue, as anyone can remotely access devices with ADB enabled and, without any password but with root privileges, silently install software and execute malicious functions.

The issue is not related to ADB itself, as it wasn’t designed to be deployed in this manner, but with devices having the feature enabled. Furthermore, root access should not be available in non-development builds, but this can be bypassed on some devices, not to mention that some users enabled root on their own.

To make matters worse, the security researcher also discovered a worm taking advantage of this security slip and attempting to infect devices via ADB.

Starting February 1, there was a massive increase in scans for TCP port 5555 (the Android Debug Bridge port), with “nearly ten thousand unique IP addresses scanning in any 24 hour window.” There are over a hundred thousand IP addresses scanning each 30 days, but the security researcher couldn’t determine the exact number of infected devices.

“These devices are currently being used for cryptocurrency mining, where computing resources is misused without the owner’s permission to generate profits for criminals,” Beaumont notes.

Qihoo 360’s Netlab issued a warning on the matter on February 4, but the problem continued to grow, mostly in Asia.

Analysis of the worm revealed it is spreading using a modified version of Mirai’s code, leveraging the official Android ADB tools. It lacks a command and control (C&C) server and moves peer-to-peer via port 5555. Because of various bugs in its code, the malware only works on certain types of devices.

The issue, however, is larger than a simple botnet abusing devices for cryptocurrency mining. The fact that the impacted devices ship misconfigured is the actual problem, especially with some of them used in corporate environments.

“If somebody wanted to, they could run something other than cryptocurrency mining — which could develop into a serious issue,” Beaumont points out.

Searching for devices listening to port 5555 and filtering the results using Metasploit’s module adb_server_exec, the researcher discovered over 80,000 devices residing in China alone.

“It’s very clear through digging through data and feeds that a huge number of misconfigured devices exist, hence all the scanning for port 5555,” the researcher notes.

According to Beaumont, vendors should make sure they do not ship products with ADB enabled over a network, especially on devices designed to stay connected to the Internet, as these devices remain exposed and can be misused, while also placing users in harm’s way. Vendors are also advised to release updates to correct the issue.
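The two measurements a defender wants from the ADB.miner and ADB-exposure stories above are how many distinct sources are probing TCP/5555 per 24-hour window, and, more importantly, which of their own hosts actually answered on that port, since those are the devices shipped or left with ADB listening on the network. The script below is an added example, not code from Beaumont's or Netlab's write-ups; the firewall log layout and the addresses in it (RFC 5737 documentation ranges) are constructed for the demo, so adapt the parser to your own export.

```python
"""Measure TCP/5555 (ADB) scanning and find hosts that accept it.

Added example, not from the researchers cited above. Computes distinct
scanning sources per UTC day, sources that keep coming back (worm-like
behaviour), and internal hosts that ACCEPTed an ADB connection.
The log line layout below is an assumption made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

ADB_PORT = 5555

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2018-02-01T00:10:00Z src=203.0.113.5 dst=192.0.2.10 dport=5555 action=DROP
2018-02-01T00:11:00Z src=203.0.113.5 dst=192.0.2.11 dport=5555 action=DROP
2018-02-01T03:00:00Z src=198.51.100.7 dst=192.0.2.10 dport=5555 action=DROP
2018-02-01T04:00:00Z src=198.51.100.9 dst=192.0.2.10 dport=443 action=ACCEPT
2018-02-02T01:00:00Z src=203.0.113.77 dst=192.0.2.12 dport=5555 action=DROP
2018-02-02T02:00:00Z src=203.0.113.5 dst=192.0.2.12 dport=5555 action=DROP
2018-02-03T05:00:00Z src=203.0.113.200 dst=192.0.2.15 dport=5555 action=ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse(log_text):
    """Yield (timestamp, src, dst, dport, action) tuples, skipping unparseable lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["dst"], int(m["dport"]), m["action"]


def unique_scanners_per_day(log_text, port=ADB_PORT):
    """Distinct source addresses hitting `port` in each UTC calendar day."""
    per_day = defaultdict(set)
    for ts, src, _dst, dport, _action in parse(log_text):
        if dport == port:
            per_day[ts.strftime("%Y-%m-%d")].add(src)
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def persistent_scanners(log_text, port=ADB_PORT, min_days=2):
    """Sources seen probing the port on at least `min_days` distinct days."""
    days_by_src = defaultdict(set)
    for ts, src, _dst, dport, _action in parse(log_text):
        if dport == port:
            days_by_src[src].add(ts.date())
    return sorted(src for src, days in days_by_src.items() if len(days) >= min_days)


def exposed_adb_hosts(log_text, port=ADB_PORT):
    """Internal hosts that ACCEPTed a connection on the ADB port: the devices
    that ship (or were left) with ADB listening on the network. Fix these first."""
    hosts = set()
    for _ts, _src, dst, dport, action in parse(log_text):
        if dport == port and action == "ACCEPT":
            hosts.add(dst)
    return sorted(hosts)


if __name__ == "__main__":
    print(unique_scanners_per_day(SAMPLE_LOG))
    print(persistent_scanners(SAMPLE_LOG))
    print(exposed_adb_hosts(SAMPLE_LOG))
```

The scan counts are background noise you can only watch; the `exposed_adb_hosts` list is the actionable output, since each entry is a device on which network ADB must be switched off (or the port blocked at the edge) before the next scanner finds it.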


Pre-installed malware found in 141 low-cost Android devices in over 90 countries
26.5.2018 securityaffairs Android

Researchers from the antivirus firm Avast are investigating pre-installed malware found on 141 low-cost Android device models in over 90 countries.
Security experts from antivirus firm Avast have discovered a new case of pre-installed malware on low-cost Android devices: crooks injected the malicious code into the firmware of 141 models.

The operation is linked to a discovery made in December 2016 by researchers at antivirus firm Dr. Web, when the experts reported a crime gang that had compromised the supply chain of several mobile carriers, infecting mobile devices with malware.

In 2016, the malware infected the firmware of at least 26 low-cost Android smartphone and tablet models. The firmware of a large number of popular Android devices operating on the MediaTek platform was compromised with at least two types of downloader Trojans.
Both malware strains found on the low-cost Android mobile devices, detected as Android.DownLoader.473.origin and Android.Sprovider.7, were able to collect users’ data, display advertisements on top of running applications, and download unwanted apps. These low-cost Android smartphones and tablets were mostly marketed in Russia.

Now, Avast experts believe the same criminal gang is still active and is continuing the same operation, compromising the firmware of many other devices by injecting malware dubbed Cosiloon.

The researchers discovered infected devices in over 90 countries, and all of them use a MediaTek chipset, but MediaTek is not the root cause of the infections, because only the firmware of some devices of an affected smartphone model is tainted with malware. This means the attackers did not compromise the MediaTek firmware components.

“The adware we analyzed has previously been described by Dr. Web and goes by the name “Cosiloon.” As can be seen in the screenshots below, the adware creates an overlay to display an ad over a webpage within the users’ browser. The adware has been active for at least three years, and is difficult to remove as it is installed on the firmware level and uses strong obfuscation.” reads the analysis published by Avast.

“Thousands of users are affected, and in the past month alone we have seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries including Russia, Italy, Germany, the UK, as well as some users in the U.S.”

Avast published a list of over 140 Android smartphones and tablets on which it says it found the group’s malware, which they named Cosiloon.

The Cosiloon malware is the same one spotted in 2015 by Dr. Web, and according to the experts it hasn’t received any updates.

The malware is composed of two separate APKs: the dropper and the payload. In older versions of the malware, the experts noticed a separate adware app pre-installed in the /system partition; in the most recent variants, the researchers found a new dropped payload.

“A second variant of the dropper is a bit more interesting. The code is pretty much the same as the first variant, but it is not a separate system application. The code is embedded in SystemUI.apk, an integral part of the Android OS. This makes the dropper pretty much impossible to remove by the user.” continues the analysis.

The dropper runs from the “/system” folder with full root privileges; it downloads an XML file from a remote server and then installs other malicious apps.

In almost every infection, the malicious code was used to display ads on top of mobile apps or the Android OS interface.


The experts noticed that the pre-installed malware doesn’t drop any malicious app if the device language is set to Chinese, if the device’s public IP address is also in a Chinese IP range, and if the number of installed apps is below three (a circumstance that could indicate the malware is running in a test environment).

Avast researchers confirmed that the infection point is still a mystery due to the large number of vendors involved, and detecting the dropper is very complicated, as explained in the analysis.

“Detecting the dropper is further complicated by the fact that it is a system app, part of the devices’ read-only firmware, which is integrated in the device shipped from the factory.” continues the analysis.

“Also, it is likely odexed in most firmwares, meaning the app’s code was removed from the original APK file, optimized and stored separately during the firmware’s build process. As a result, cybersecurity firms are likely missing many of the dropper samples and have to rely on the payload for detection and statistics.”

Experts believe the attackers are opportunistic and target the supply chain somewhat at random, whenever they have the opportunity to compromise a vendor’s firmware.

The control server was up until April 2018; the crooks produced new payloads over time, while new devices with the pre-installed dropper were shipped by several manufacturers.

The experts attempted to disable Cosiloon’s C&C server by sending takedown requests to the domain registrar and server providers. While the ZenLayer provider quickly shut down the server, the crooks moved their activities to another provider that did not respond to Avast’s request.

“Avast Mobile Security can detect and uninstall the payload, but it cannot acquire the permissions required to disable the dropper, so Google Play Protect has to do the heavy lifting.” concluded Avast.

“If your device is infected, it should automatically disable both the dropper and the payload. We know this works because we have observed a drop in the number of devices infected by new payload versions after Play Protect started detecting Cosiloon.”

Further details, including IoCs for the Cosiloon pre-installed malware, are reported in the Avast analysis.


Android Malware Targets North Korean Defectors
21.5.2018 securityweek Android

Recent attacks orchestrated by a hacking group referred to as “Sun Team” have targeted North Korean defectors via malicious applications in the Google Play store, McAfee reports.

Referred to as RedDawn, this is the second campaign attributed to the group this year, but the first to abuse the legitimate Google Play storefront for malware distribution. In January, the security firm revealed that North Korean defectors and journalists were being targeted via social networks, email, and chat apps.

McAfee’s security researchers found the malware uploaded on Google Play as ‘unreleased’ versions and reports that only around 100 infections occurred via the application marketplace. Google has already removed the malicious programs.

Once installed, the malware starts copying sensitive information from the device, including personal photos, contacts, and SMS messages, and then sends them to the threat actors.

McAfee found that the hackers managed to upload three applications to Google Play – based on the email accounts and Android devices used in the previous attack. The apps include Food Ingredients Info, Fast AppLock, and AppLockFree. They stayed in Google Play for about 2 months before being removed.

Food Ingredients Info and Fast AppLock can “secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components,” McAfee reports.

AppLockFree, on the other hand, appears to be part of the reconnaissance stage, setting the foundation for additional malware. The malicious programs would “spread to friends, asking them to install the apps and offer feedback via a Facebook account with a fake profile” that promoted Food Ingredients Info.

“After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks. From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January,” McAfee reports.

The logs have a similar format and use the same abbreviations as in other logs previously associated with Sun Team. Furthermore, the hackers used already known Sun Team email addresses for the malware’s developer.

The group’s malware has been active since 2017 and went through multiple versions since. The hackers continue to focus on extracting information from infected devices (they only use spyware).

The same as in previous attacks, the new malware showed the use of Korean words and the Dropbox account naming used a similar pattern of celebrity names. This suggests that the actors are not native South Korean, but familiar with the culture and language.

The researchers also discovered that the Android devices the attackers tested their malware on are “manufactured in several countries and carry installed Korean apps.” Exploit code found in cloud storage revealed modified “versions of publicly available sandbox escape, privilege escalation, code execution exploits” with added functions to drop custom Trojans on infected devices.

“The modified exploits suggest that the attackers are not skillful enough to find zero days and write their own exploits. However, it is likely just a matter of time before they start to exploit vulnerabilities,” the researchers note.

The Sun Team hackers were observed creating fake accounts using photos from social networks and the identities of South Koreans. In addition to stealing identities, the hackers are using texting and calling services to generate virtual phone numbers that allow them to sign up for online services in South Korea.


Roaming Mantis gang evolves and broadens its operations
21.5.2018 securityaffairs   Android

The Roaming Mantis malware, which initially targeted Android devices, has now broadened both its geographic range and its targets.
Security experts from Kaspersky Lab discovered that the operators behind the Roaming Mantis campaign continue to improve their malware, broadening their targets, their geographic range, and their functional scope.

Roaming Mantis surfaced in March 2018, when hacked routers in Japan were found redirecting users to compromised websites. An investigation by Kaspersky Lab indicated that the attack was targeting users in Asia with fake websites customized for English, Korean, Simplified Chinese, and Japanese. Most affected users were in Bangladesh, Japan, and South Korea.

“Our research revealed that the malware (sic) contains Android application IDs for popular mobile banking and game applications in South Korea. The malware is most prevalent in South Korea, and Korean is the first language targeted in HTML and test.dex. Based on our findings, it appears the malicious app was originally distributed to South Korean targets. Support was then added for Traditional Chinese, English, and Japanese, broadening its target base in the Asian region.”

The dreaded DNS hijacking malware was originally designed to steal users’ login credentials and the secret code for two-factor authentication from Android devices; it has evolved and was recently spotted targeting iOS devices as well as desktop users.

“In April 2018, Kaspersky Lab published a blog post titled ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’. Roaming Mantis uses Android malware which is designed to spread via DNS hijacking and targets Android devices.” reads the analysis published by Kaspersky.

“In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”

The operators behind the Roaming Mantis malware recently added support for 27 languages to broaden their operations.

The new versions of the Roaming Mantis malware continue to spread via DNS hijacking; the attackers use rogue websites to serve fake apps carrying banking malware to Android users, phishing sites to iOS users, and redirects to websites hosting a cryptocurrency mining script.

To evade detection, malicious websites used in the campaign generate new packages in real time.

“Aside from the filename, we also observed that all the downloaded malicious apk files are unique due to package generation in real time as of May 16, 2018. It seems the actor added automatic generation of apk per download to avoid blacklisting by file hashes.” continues the analysis.
“This is a new feature. According to our monitoring, the apk samples downloaded on May 8, 2018 were all the same.”
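Per-download regeneration defeats a blocklist keyed on whole-file hashes, but the code the sample actually runs does not change between downloads, so a defender can hash the stable entries inside the ZIP container (AndroidManifest.xml, classes.dex, and the signing certificate under META-INF when present) instead and cluster samples on those. The block below is an added example, not Kaspersky's code; the two apk-shaped ZIPs it builds in memory contain placeholder bytes rather than real dex bytecode, and the idea of hashing the inner entries is a general technique, not something the report describes.

```python
"""Cluster per-download regenerated apks by hashing what is inside them.

Added example, not Kaspersky's code. Whole-file hashes of two regenerated
downloads differ; hashes of the behaviour-defining ZIP entries do not.
The fake apks are constructed here and carry no real dex bytecode.
"""
import hashlib
import io
import zipfile

# Entries whose content defines what the app does (assumption: the noise is elsewhere).
STABLE_ENTRIES = ("AndroidManifest.xml", "classes.dex")


def build_fake_apk(dex_bytes, filler_bytes):
    """Constructed stand-in for a regenerated apk: same code, different junk file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.constructed'/>")
        z.writestr("classes.dex", dex_bytes)
        # Per-download noise: this alone changes the whole-file hash.
        z.writestr("assets/noise.bin", filler_bytes)
    return buf.getvalue()


def file_sha256(data):
    return hashlib.sha256(data).hexdigest()


def component_hashes(apk_bytes, entries=STABLE_ENTRIES):
    """SHA-256 of each stable entry, plus any signing block found in META-INF."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        for name in entries:
            if name in names:
                out[name] = hashlib.sha256(z.read(name)).hexdigest()
        for name in names:
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                out[name] = hashlib.sha256(z.read(name)).hexdigest()
    return out


def payload_id(apk_bytes):
    """One stable identifier per payload: hash of the sorted component hashes."""
    parts = component_hashes(apk_bytes)
    joined = "\n".join(f"{k}={v}" for k, v in sorted(parts.items()))
    return hashlib.sha256(joined.encode()).hexdigest()


def same_payload(apk_a, apk_b):
    """True when both files carry identical stable entries (and at least one exists)."""
    return bool(component_hashes(apk_a)) and payload_id(apk_a) == payload_id(apk_b)


if __name__ == "__main__":
    a = build_fake_apk(b"dex\n035\x00constructed", b"A" * 64)
    b = build_fake_apk(b"dex\n035\x00constructed", b"B" * 64)
    print(file_sha256(a) == file_sha256(b), same_payload(a, b))  # False True
```

In a real pipeline `payload_id` is the value to put on the blocklist and to pivot on in telemetry; if the actor starts rewriting classes.dex per download as well, the signing certificate hash is usually the next stable pivot, since re-signing every download with a fresh key is far more expensive for them than appending noise.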

According to Kaspersky, the recent malicious apk now implements 19 backdoor commands, including the new “ping” command as well as sendSms, setWifi, gcont, lock, onRecordAction, call, and get_apps.

Owners of iOS devices are redirected to a phishing site (http://security[.]apple[.]com/) that mimics the Apple website in an attempt to steal user credentials and financial data (user ID, password, card number, card expiration date and CVV number).


The Roaming Mantis operators have recently started targeting PC platforms as well: users are redirected to websites running the Coinhive web miner script.

The level of sophistication of the operations conducted by the Roaming Mantis gang and the rapid growth of the campaign lead the researchers to believe that the group has a strong financial motivation and is well-funded.

“The evasion techniques used by Roaming Mantis have also become more sophisticated. Several examples of recent additions described in this post include a new method of retrieving the C2 by using the email POP protocol, server side dynamic auto-generation of changing apk file/filenames, and the inclusion of an additional command to potentially assist in identifying research environments, have all been added.” concludes Kaspersky.
“The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.”

Further details, including IoCs, are available in the report published by Kaspersky.