
Fake Android Apps Ran Adware Campaign For Months

 



Researchers have uncovered a stealthy adware campaign that targeted Android users for months. The campaign relied on thousands of fake Android apps posing as everyday utilities: PDF readers, weather apps, VPNs, game cracks and mods, and streaming services such as Netflix and YouTube.

Fake Android Apps Deployed Adware

According to a recent report from Bitdefender, its researchers identified more than 60,000 unique fake Android apps carrying the adware, with samples dating back to at least October 2022.

The malware was caught after the app-anomaly detection technology in Bitdefender Mobile Security raised alerts on affected devices.

Unlike most adware campaigns, which push themselves onto devices, this one spread organically. The malicious apps turned up when a target searched for certain kinds of apps, such as modded games or free VPNs, and their legitimate-looking ads lured the user into downloading them.

Once downloaded, the malware relies on the standard Android package installer, so the user has to approve the installation. When the user then taps “Open” to launch the newly installed app, the malware starts running in the background.

On screen, however, a fake error message tells the user the app failed to install. The app registers no launcher icon, so it never appears in the app drawer, which makes it hard for the victim to notice it, let alone uninstall it.

Having established itself on the device, the malware stays dormant for a while. Once it receives the relevant commands from its servers, it begins displaying ads every time the user unlocks the phone.

Bitdefender spotted the campaign because the malware opened the malicious ads in the device's browser, behaviour its Mobile Security product flagged. The malware also displays ads in a full-screen web view.
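One practical check for the "no launcher icon" trait described above, added here as an example (it is not Bitdefender's code): it lists third-party packages on a device that register no enabled MAIN/LAUNCHER activity, using the `adb` command line. It assumes a developer-enabled device reachable over adb; the package names in the inline sample are made up.

```python
"""Added example (not Bitdefender's code): list third-party packages that have no
launcher icon, the trait the adware uses to stay out of the app drawer."""
import re
import subprocess
from typing import List, Set

# `pm list packages -3` prints one "package:<name>" line per third-party app.
PACKAGE_RE = re.compile(r"^package:(\S+)", re.MULTILINE)
# `cmd package query-activities --brief ...` prints components as "<pkg>/<activity>".
COMPONENT_RE = re.compile(r"([A-Za-z][\w.]*)/[\w.$]+")


def parse_packages(pm_output: str) -> Set[str]:
    """Package names from `pm list packages -3` output."""
    return set(PACKAGE_RE.findall(pm_output))


def parse_launcher_packages(query_output: str) -> Set[str]:
    """Packages that currently export at least one enabled MAIN/LAUNCHER activity."""
    return {m.group(1) for m in COMPONENT_RE.finditer(query_output)}


def hidden_packages(pm_output: str, query_output: str) -> List[str]:
    """Third-party packages with no launcher entry, sorted for stable output.
    A package whose launcher activity was disabled at runtime also lands here,
    which is exactly the case we want to see."""
    return sorted(parse_packages(pm_output) - parse_launcher_packages(query_output))


def adb_shell(*args: str) -> str:
    """Run a shell command on the attached device; assumes `adb` is on PATH."""
    proc = subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def main() -> None:
    pm_out = adb_shell("pm", "list", "packages", "-3")
    launcher_out = adb_shell("cmd", "package", "query-activities", "--brief",
                             "-a", "android.intent.action.MAIN",
                             "-c", "android.intent.category.LAUNCHER")
    for pkg in hidden_packages(pm_out, launcher_out):
        # Not every hit is malware (keyboards, widgets and companion services have
        # no icon either); each one is a lead to inspect with `dumpsys package <pkg>`.
        print("no launcher icon:", pkg)


if __name__ == "__main__":
    main()
```

Run it with the phone attached and USB debugging enabled; every package it prints deserves a look at its install source and permissions with `dumpsys package <pkg>`.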

A video demonstration of the malware in action is included in the researchers' report.

As always, the way to repel such threats is to avoid installing apps or following links from unknown sources, especially apps that have to be sideloaded outside the official store. A reputable antimalware solution on the device will block most such attacks.

Let us know your thoughts in the comments.

Google Removes Around 500 Malicious Apps From Play Store



The cybersecurity company Lookout has identified around 500 apps on the Google Play Store that embedded an advertising SDK capable of spying on their users.



Lookout said: "The Lookout Security Intelligence team has discovered an advertising software development kit (SDK) called Igexin that had the capability of spying on victims through otherwise benign apps by downloading malicious plugins. Over 500 apps available on Google Play used the Igexin ad SDK. While not all of these applications have been confirmed to download the malicious spying capability, Igexin could have introduced that functionality at their convenience. Apps containing the affected SDK were downloaded over 100 million times across the Android ecosystem."

Lookout first noticed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.]igexin.com/api.php, an endpoint used by the Igexin ad SDK.

This sort of traffic is often the result of malware that downloads and executes code after an initially "clean" app is installed, in order to evade detection. The encrypted file downloads, together with calls from within the com.igexin namespace to Android's dalvik.system.DexClassLoader (used to load classes from a .jar or .apk file at runtime), were enough to warrant a more in-depth analysis of the payload for hidden malware.

Not all versions of the Igexin ad SDK deliver malicious functionality. The malicious versions implement a plugin framework that allows the client to load arbitrary code, as directed by responses to requests made to a REST API endpoint hosted at http://sdk[.]open[.]phone[.]igexin[.]com/api.php.

The developers who embedded the SDK were most likely not the ones writing the spyware. Because the SDK's operators controlled the plugin server, they could push spying plugins into any app that shipped the Igexin SDK without touching the app itself, and the app developers probably had no idea what data could be exfiltrated as a result.

As soon as Google was informed about these malicious apps, it removed them from the Play Store or replaced them with updated versions that no longer contained the malicious functionality.

One major problem here is that users had no way of telling they had become victims: the affected apps looked and behaved like any other app.

Google has also introduced Google Play Protect, which automatically scans apps on the device, including before they are installed. Google keeps working to keep malicious apps out of the Play Store, and hopefully the upcoming Android Oreo will offer its users more protection.

New Android Malware GhostCtrl Can Take Full Control Of Your Phone




  • This malware infects Android devices by masquerading as legitimate apps such as WhatsApp, MMS apps and even Pokémon GO.
  • It steals call logs, SMS messages, contacts, location data and other phone activity.
  • It can access the phone's camera and record audio.


Trend Micro security researchers are warning about a new Android malware family called GhostCtrl. It is a variant of OmniRAT, a remote access tool that made headlines in 2015 for remotely taking control of Windows, Linux and Mac systems at the touch of a button on an Android device.

How It Infects

The malicious APK hides inside a wrapper app. According to the report, when the wrapper is launched it base64-decodes a string from its resource file and writes the result to disk; that file is the actual malicious Android Application Package (APK). The wrapper then prompts the user to install it, and if the user tries to cancel, the installation prompt simply reappears until they give in.
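The dropper step above (a base64 string in the wrapper's resources that decodes to the real APK) can be pulled out statically. The script below is an added example, not Trend Micro's code: it scans the `res/` and `assets/` entries of a wrapper APK for long base64 runs and reports those that decode to a ZIP/APK or DEX file. The wrapper it builds inline is a constructed fixture, and the function names are my own.

```python
"""Added example (not Trend Micro's code): find a base64-encoded APK or DEX hidden
in a wrapper app's resources, the dropper step GhostCtrl's wrapper performs."""
import base64
import binascii
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Base64 runs long enough to hold a package; padding is optional so that
# runs stored without it (or split across resource strings) still match.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
# Magic bytes of the payload types worth reporting.
MAGIC = {b"PK\x03\x04": "apk/zip", b"dex\n": "dex"}


def decode_payload(chunk: bytes) -> Optional[bytes]:
    """Decode a base64 run; return the bytes only if they start with a known magic."""
    try:
        padded = chunk + b"=" * (-len(chunk) % 4)  # tolerate stripped padding
        decoded = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if any(decoded.startswith(m) for m in MAGIC) else None


def payload_kind(decoded: bytes) -> str:
    """Name the payload type from its magic bytes."""
    return next(kind for magic, kind in MAGIC.items() if decoded.startswith(magic))


def find_embedded_payloads(wrapper_apk: bytes) -> List[Tuple[str, str, int]]:
    """(entry, kind, decoded size) for every embedded package under res/ or assets/."""
    found: List[Tuple[str, str, int]] = []
    with zipfile.ZipFile(io.BytesIO(wrapper_apk)) as zf:
        for entry in zf.namelist():
            if not entry.startswith(("res/", "assets/")):
                continue  # code and manifest are handled by other checks
            for match in BASE64_RUN.finditer(zf.read(entry)):
                decoded = decode_payload(match.group(0))
                if decoded is not None:
                    found.append((entry, payload_kind(decoded), len(decoded)))
    return found


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed fixture helper: an in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_wrapper() -> bytes:
    """Constructed wrapper: a tiny inner 'APK' base64-encoded into res/raw/payload."""
    inner = build_zip({"AndroidManifest.xml": b"<manifest/>",
                       "classes.dex": b"dex\n035\x00" + b"\x00" * 64})
    return build_zip({
        "classes.dex": b"dex\n035\x00 wrapper code",  # the dropper logic would live here
        "res/raw/payload": b'<string name="cfg">' + base64.b64encode(inner) + b"</string>",
        "assets/readme.txt": b"nothing to see",
    })


if __name__ == "__main__":
    for entry, kind, size in find_embedded_payloads(build_sample_wrapper()):
        print(f"{entry}: embedded {kind}, {size} bytes")
```

On a real sample, pass the wrapper APK's bytes to `find_embedded_payloads` and write the decoded blob to disk for analysis; a resource entry that decodes to a second APK is a strong dropper indicator, since legitimate apps have no reason to ship an installable package inside a string resource.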

How To Protect?

  • Always keep the device updated: Android patching is fragmented, and organizations may have custom requirements or configurations that affect updates, so enterprises need to balance productivity and security
  • Apply the principle of least privilege—restrict user permissions for BYOD devices to prevent unauthorized access and installation of dubious apps
  • Implement an app reputation system that can detect and block malicious and suspicious apps
  • Deploy firewalls, intrusion detection, and prevention systems at both the endpoint and mobile device levels to preempt the malware’s malicious network activities
  • Enforce and strengthen your mobile device management policies to further reduce potential security risks
  • Employ encryption, network segmentation and data segregation to limit further exposure or damage to data
  • Regularly back up data in case of device loss, theft, or malicious encryption.

Adwind RAT Returns! Cross-Platform Malware Targeting Aerospace Industries

Hackers and cyber criminals are becoming dramatically more adept, innovative, and stealthy with each passing day.

Rather than sticking to the most widely used operating system, cybercriminals have shifted from traditional, platform-specific attacks to stealthier techniques that offer many attack vectors, cross-platform support and low detection rates.
Security researchers have discovered that the infamous Adwind, a popular cross-platform remote access trojan written in Java, has re-emerged and is currently being used to "target enterprises in the aerospace industry, with Switzerland, Austria, Ukraine, and the US the most affected countries."

Adwind — also known as AlienSpy, Frutas, jFrutas, Unrecom, Sockrat, JSocket, and jRat — has been in development since 2013 and is capable of infecting all the major operating systems, including Windows, Mac, Linux, and Android.
Adwind has several malicious capabilities, including credential theft, keylogging, taking pictures or screenshots, and gathering and exfiltrating data. The trojan can also enlist infected machines in botnets that disrupt online services by carrying out DDoS attacks.

Researchers from Trend Micro recently noticed a sudden rise in the number of Adwind infections during June 2017 — at least 117,649 instances in the wild, which is 107 percent more than the previous month.
According to a blog post published today, the malicious campaign was noticed on two different occasions.

The first was observed on June 7 and used a link to divert victims to .NET-written malware with spyware capabilities, while the second wave, noticed on June 14, used different domains for hosting the malware and its command-and-control servers.

Both waves employed the same social engineering tactic: a spam email impersonating the chair of the Mediterranean Yacht Broker Association (MYBA) Charter Committee tricked victims into clicking the malicious links inside it.

Once it has infected a system, the malware also collects a fingerprint of the system along with the list of installed antivirus and firewall applications.
"It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be abused to evade static analysis from traditional antivirus (AV) solutions," the researchers wrote.
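The two indicators called out in this post and in the Igexin post above (runtime reflection that keeps method calls out of the static call graph, and plugin loading through DexClassLoader from the com.igexin namespace) can be triaged with the same static check. The script below is an added example, not Trend Micro's or Lookout's tooling: it walks an APK or JAR and reports which `.dex` or `.class` entries contain those strings. The archives it builds inline are constructed fixtures, and the indicator names and verdict labels are my own.

```python
"""Added example, not Lookout's or Trend Micro's code: static triage of an
APK or JAR for the dynamic-loading indicators discussed in the two posts."""
import io
import re
import sys
import zipfile
from typing import Dict, List

# Dex (APK) indicators: the loader Lookout saw being called from the SDK's
# own namespace, plus the namespace and API host themselves.
DEX_INDICATORS = {
    "dex_class_loader": re.compile(rb"Ldalvik/system/DexClassLoader;"),
    "igexin_namespace": re.compile(rb"Lcom/igexin/"),
    "igexin_api_host": re.compile(rb"igexin\.com"),
}
# Class-file (JAR) indicators: the reflection APIs Adwind leans on to keep its
# real method calls out of the static call graph. Constant-pool strings in
# .class files are plain modified-UTF-8, so a byte search finds them.
CLASS_INDICATORS = {
    "reflect_api": re.compile(rb"java/lang/reflect/(Method|Constructor)"),
    "class_forname": re.compile(rb"forName"),
    "get_declared_method": re.compile(rb"getDeclaredMethod"),
}


def scan_archive(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator hit to the archive entries (dex or class files) containing it."""
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".dex"):
                patterns = DEX_INDICATORS
            elif entry.endswith(".class"):
                patterns = CLASS_INDICATORS
            else:
                continue  # resources, manifests and images are not code
            blob = zf.read(entry)
            for name, pattern in patterns.items():
                if pattern.search(blob):
                    hits.setdefault(name, []).append(entry)
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """Coarse label (my own names). DexClassLoader or reflection alone is common in
    benign code (hot-patching, plugin frameworks, JDBC drivers), so the result is a
    triage lead, not a malware verdict."""
    if "dex_class_loader" in hits and "igexin_namespace" in hits:
        return "igexin-plugin-loader"
    if "reflect_api" in hits and ("class_forname" in hits or "get_declared_method" in hits):
        return "reflective-loader"
    if hits:
        return "dynamic-loading-indicators"
    return "clean"


def build_sample(entries: Dict[str, bytes]) -> bytes:
    """Constructed fixture: an in-memory zip standing in for an APK or JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a real APK/JAR given on the command line
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:  # constructed sample that looks like an Igexin-bearing APK
        data = build_sample({
            "classes.dex": b"dex\n035\x00 ... Ldalvik/system/DexClassLoader; ... Lcom/igexin/sdk/PushService; ...",
            "res/layout/main.xml": b"<not scanned>",
        })
    found = scan_archive(data)
    print(verdict(found), found)
```

The string match is deliberately crude: it fires on any archive that references the loader or the reflection API, which is the point at this stage. The next step for a hit is to pull the referencing method out of the dex or class file and see what it loads and where the bytes come from (for Igexin, the encrypted downloads from the api.php endpoint).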
My advice for users who want to stay protected from such malware is always to be suspicious of unsolicited documents sent over email, and never to click on links inside those documents without verifying the source.

Additionally, keep your systems and antivirus products up-to-date in order to protect against any latest threat.

Wikileaks Vault-7 Publishes New CIA Exploit Tools BothanSpy And Gyrfalcon



The latest addition to WikiLeaks' Vault 7 series of CIA tools is BothanSpy and Gyrfalcon, two implants used to steal SSH credentials from compromised Windows and Linux systems.


BothanSpy targets Windows systems, whereas Gyrfalcon targets Linux machines. Gyrfalcon encrypts the collected data and stores it in a file on the Linux system. According to its documentation, the operator must be familiar with Linux/Unix commands and shells such as sh, csh and bash.

According to the documents from the BothanSpy and Gyrfalcon projects, the implants described in both are designed to intercept and exfiltrate SSH credentials, but they work on different operating systems with different attack vectors.

BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either the username and password, in the case of password-authenticated SSH sessions, or the username, the filename of the private SSH key and the key's passphrase if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save them in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine. Because the implant runs inside the SSH client itself, it reads the credentials before they are encrypted for the wire, so the SSH protocol's own encryption offers no protection against it.

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured using a CIA-developed rootkit (JQC/KitV) on the target machine, which also means user-space integrity checks on the ssh binary alone cannot be trusted to reveal it.

So, do you still think a Linux system is secure just because it is Linux?
