Fake Android apps uploaded to Play store by notorious Sandworm hackers

The Russian ‘Sandworm’ hacking group (not to be confused with the malware of the same name) has been caught repeatedly uploading fake and modified Android apps to Google’s Play store.
They were detected by Google’s Threat Analysis Group (TAG), which made the attacks public during a presentation at the recent CyberwarCon conference.
In a blog on the topic this week, Google says that in December 2017 TAG discovered the group using bogus developer accounts to upload eight different apps to the Play Store, this time targeting users in South Korea.
On the face of it, the campaign was unsuccessful, garnering fewer than 10 installs per app, but it’s likely that the targets were highly selective.
TAG later identified an earlier campaign, from September 2017, in which Sandworm had uploaded a fake version of the UKR.net email app that was installed by around 1,000 users before it was stopped.
In late 2018, the group switched to inserting backdoors into the apps of legitimate developers in one of its favourite locations, Ukraine.
Google’s blog describes the outcome: “However, the Google Play Protect team caught the attempt at the time of upload. As a result, no users were infected, and we were able to re-secure the developer’s account.”
There’s nothing unusual about this – hackers compromising developer keys to pass their own malware off as legitimate apps has been happening for years.
The significance of the Sandworm (aka Iridium) attacks is that the group is alleged to be connected to the Russian Government – one of a list of hacking entities that also includes Fancy Bear (APT28), Dragonfly, Energetic Bear, Grizzly Steppe, and many others. Sandworm is allegedly behind the NotPetya worm and the cyberattack on the 2018 Winter Olympics.
There are now so many of these that it’s hard to keep up. And it is not helped by the habit of the security industry of giving them different, proprietary names.
Google also reveals that it has detected alleged Russian disinformation campaigns in African countries such as Central African Republic, Sudan, Madagascar, and South Africa.
Google writes: “We terminated the associated Google accounts and 15 YouTube channels, and we continue to monitor this space.”
Similar campaigns were uncovered in the Indonesian provinces Papua and West Papua “with messaging in opposition to the Free Papua Movement.”
Sandworm itself has been around since at least 2014, which makes it middle-aged by the standards of Russian hacking groups.
However, it would be a mistake to see this phenomenon as a uniquely Russian affair. Russian groups are highly active, as are ones connected to countries such as China and Iran, but the popularity of nation state-backed hacking and disinformation is spreading across the globe.
This might one day become ubiquitous. If that happens, it will not only be another bad day for the internet but could eventually rebound on its perpetrators too.

iPhone holes and Android malware – how to keep your phone safe

Recent news stories about mobile phone security – or, more precisely, about mobile phone insecurity – have been more dramatic than usual.
That’s because we’re in what you might call “the month after the week before” – last week being when the annual Black Hat USA conference took place in Las Vegas.
A lot of detailed cybersecurity research gets presented for the first time at that event, so the security stories that emerge after the conference papers have been delivered often dig a lot deeper than usual.
In particular, we heard from two mobile security researchers in Google’s Project Zero team: one looked at the Google Android ecosystem; the other at Apple’s iOS operating system.
Natalie Silvanovich documented a number of zero-day security holes in iOS that crooks could, in theory, trigger remotely just by sending you a message, even if you never got around to opening it.
Maddie Stone described the lamentable state of affairs at some Android phone manufacturers who just weren’t taking security seriously.
Stone described one Android malware sample that infected 21,000,000 devices altogether…
…of which a whopping 7,000,000 were phones delivered with the malware preinstalled, inadvertently bundled in along with the many free apps that some vendors seem to think they can convince us we can’t live without.
But it’s not all doom and gloom, so don’t panic!


We recorded this Naked Security Live video to give you and your family some non-technical tips to improve your online safety, whichever type of phone you prefer:

Update your iPhone – remote control holes revealed by researchers


Google Project Zero researcher Natalie Silvanovich has just published a fascinating blog article entitled The Fully Remote Attack Surface of the iPhone.
This work, carried out by Silvanovich and research colleague Samuel Groß, was also the topic of a presentation she gave at this year’s Black Hat conference in Las Vegas.
Silvanovich’s article is technical but not overly so, making it well worth a look even if you don’t have any formal coding experience.
Notably, she reminds us all how easy it is to open up software to remote attacks, even if that software isn’t what you’d conventionally think of as server-side code, and even if it’s running on a device that you wouldn’t think of as a server.
By the way, despite the revelatory nature of the article and her talk, there’s no need to panic.
At least, you don’t need to be too worried if you’ve already applied the latest Apple updates, because the holes that Silvanovich is now talking about in detail are already patched.
If you haven’t brought your iPhone up to iOS 12.4 yet, do it now! 
Settings → General → Software Update is the quick way to check.
To explain.
An exploit that gives RCE, short for remote code execution, does exactly what its name suggests: by doing something unexceptionable, and without seeing any warnings, even well-informed users can be tricked into running the crooks’ code and thereby giving them access to their device.
A fully remotable exploit is even worse, because there’s no need for users to do anything except have their devices turned on and running normally.
A booby-trapped website that crashes and takes over your browser gives the crooks RCE.
Likewise, before Microsoft turned off AutoRun by default for USB devices, the proverbial USB-stick-in-the-car-park attack was considered a reliable way to achieve RCE, because the chosen malware typically launched as soon as someone plugged in the booby-trapped USB key.
There wasn’t any sort of Are you sure? or [Cancel]/[OK] popup to sound a warning and give you a chance to head off the malware.
But even though visiting a web page or plugging in a USB device isn’t a difficult bridge for crooks to talk you into crossing, those attacks aren’t quite the holy grail of RCE, because some user engagement is needed.
A fully remote attack “just happens”, like the infamous Internet Worm of 1988, or the super-widespread SQL Slammer worm of 2003.
Those attacks sent network data that your computer was deliberately listening out for – no trickery required to get a foot in the door – but that your computer mishandled.
This allowed the crooks to package executable code inside their data packets and to achieve RCE in an entirely unattended and automatic way.
One of the Internet Worm’s attack methods, for example, exploited badly-configured email servers on which debugging mode was incorrectly enabled.
If you’d inadvertently left the debug option turned on, emails laid out in a certain way were treated as commands to execute (!), not as messages to be passed on, so the email server ran the malware immediately after accepting it.
The worm’s emails were directly dangerous without any user ever needing to receive them, let alone to open them or extract and run attachments from them.

Phones ≠ Servers

You might imagine that devices such as mobile phones, which generally don’t operate as servers themselves, would largely be immune to this sort of fully remote attack.
After all, you don’t generally run a mail server or a SQL server on your phone, and even if you wanted to, Apple probably wouldn’t let that sort of software into the App Store.
Even if you were to jailbreak your phone to install server software, your ISP might not allow incoming network connections to reach your phone at all, even if you were willing to accept them.
But, as Silvanovich reminds us, phones are all about messaging, and there are many sorts of message that we expect to be told about even before they arrive in full.
(An incoming call is the most obvious example: we expect the phone to ring, and the calling line’s number to be extracted and displayed, not only before we tap any icon to accept the call but also even when our phone is at the lock screen.)
In other words, even though we think of phones as network clients rather than network servers, there are plenty of client-side apps that download, process, act upon and display data that came from an arbitrary outside source.
We’re not just talking about things like automatic software or anti-virus updates that come from a known, trusted and well-regulated service, but also about content such as text messages or emails that were carefully and maliciously crafted by an unknown, untrusted and deliberately malicious creator.
Silvanovich identified five main application areas of interest on the iPhone, covering iOS subsystems that are specifically designed to fetch, process and tell you about incoming content: SMS, MMS, Visual voicemail, email and iMessage.
In the end, the researchers didn’t find any exploitable holes in SMS or MMS, perhaps because these subsystems are rather old-school and therefore have functionality that is both well-understood and somewhat limited.
But the others weren’t so robust.
As you can imagine, the more features, the more message types, the more different options, the more plugins and the more file formats an app supports, the more likely it is for a bug to exist in handling unusual, little-known or malevolently crafted files.
For example, you’d expect image processing software that can only display old-school BMP files (simple structure and plain, uncompressed data) to be less likely to crash on weird files than software that can handle 72 different image formats with varying levels of complexity.
The more code you need to write to process incoming data and to handle all the possible variations, the harder it is to get it right; the harder it is to test thoroughly; the more likely it is to contain subtle bugs; and the longer it will take for every possible path through the maze of code to get tried out when handling real data in the real world.
Simply put, we say that its attack surface area is larger.
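As an added example (this is not code from the Sophos article, nor Apple’s or Google’s code), here is a small C parser for an invented incoming-message wire format of the sort a phone has to process before you tap anything: a four-byte header, then a counted list of attachments, each carrying a type byte, a little-endian 32-bit length and a body. It illustrates both the point above and the earlier one about network data that the receiving computer “mishandled”: every length field comes from an untrusted sender, and the naive bounds check `off + n <= total` wraps around in 32-bit arithmetic, so a claimed length of 0xFFFFFFF8 is accepted and the next read walks off the end of the buffer, while the hardened check compares the length against the bytes actually remaining. The format, the constant names, the `MAX_ATTACHMENTS` limit and the two sample messages are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ATTACHMENTS 4   /* hypothetical policy limit for the demo format */

struct attachment {
    uint8_t type;
    uint32_t len;
    const uint8_t *data;   /* points into the caller's buffer, not copied */
};

struct message {
    uint8_t version;
    uint8_t count;
    struct attachment att[MAX_ATTACHMENTS];
};

/* Naive check of the kind that causes real bugs: off + n is computed in
 * 32-bit arithmetic, so a huge n wraps around and is accepted. */
bool length_ok_naive(uint32_t off, uint32_t n, uint32_t total)
{
    return off + n <= total;
}

/* Hardened check: never add untrusted n to anything; compare it with
 * the number of bytes actually left in the buffer. */
bool length_ok_safe(uint32_t off, uint32_t n, uint32_t total)
{
    return off <= total && n <= total - off;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses buf[0..len) into *out. Returns 0 on success or a negative code
 * naming the check that failed. Every read is preceded by a safe bounds
 * check, so the function never touches memory outside the buffer. */
int parse_message(const uint8_t *buf, uint32_t len, struct message *out)
{
    if (len < 4 || buf[0] != 'M' || buf[1] != 'G') return -1;  /* magic */
    out->version = buf[2];
    out->count = buf[3];
    if (out->count > MAX_ATTACHMENTS) return -2;                /* policy */

    uint32_t off = 4;
    for (uint8_t i = 0; i < out->count; i++) {
        if (!length_ok_safe(off, 5, len)) return -3;            /* type + len */
        uint8_t type = buf[off];
        uint32_t n = read_le32(buf + off + 1);
        off += 5;
        if (!length_ok_safe(off, n, len)) return -4;            /* body */
        out->att[i].type = type;
        out->att[i].len = n;
        out->att[i].data = buf + off;
        off += n;
    }
    return off == len ? 0 : -5;                                 /* trailing bytes */
}

/* Constructed sample: header, then "hi" (type 1) and three bytes (type 2). */
static const uint8_t GOOD_MSG[] = {
    'M', 'G', 1, 2,
    1, 2, 0, 0, 0, 'h', 'i',
    2, 3, 0, 0, 0, 0xAA, 0xBB, 0xCC
};

/* Same message, but the second length field claims 0xFFFFFFF8 bytes. */
static const uint8_t EVIL_MSG[] = {
    'M', 'G', 1, 2,
    1, 2, 0, 0, 0, 'h', 'i',
    2, 0xF8, 0xFF, 0xFF, 0xFF, 0xAA, 0xBB, 0xCC
};

int demo_parse_good(void)
{
    struct message m;
    return parse_message(GOOD_MSG, sizeof GOOD_MSG, &m);
}

int demo_parse_evil(void)
{
    struct message m;
    return parse_message(EVIL_MSG, sizeof EVIL_MSG, &m);
}

int main(void)
{
    printf("good message: %d (0 = parsed)\n", demo_parse_good());
    printf("evil message: %d (-4 = body length rejected)\n", demo_parse_evil());
    /* The evil length at offset 16 in a 19-byte buffer, through each check: */
    printf("naive check accepts it: %d, safe check accepts it: %d\n",
           length_ok_naive(16, 0xFFFFFFF8u, 19), length_ok_safe(16, 0xFFFFFFF8u, 19));
    return 0;
}
```

`length_ok_naive` is kept only so that you can watch it accept the wrapping length; `parse_message` uses the safe check before every read, which is the habit that matters when the input is a message from an arbitrary stranger rather than a file you chose to open. Each new attachment type or option you bolt on adds another field that has to be checked the same way, which is the attack surface growth the paragraph above describes.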

More code, more bugs

Although Silvanovich and Groß did find vulnerabilities in Visual voicemail and in the iOS email-handling system, these weren’t terribly significant.
But via iMessage they found at least eight security holes, listed by their CVE numbers: CVE-2019-8624, -8663,-8661, -8646, -8647, -8662, -8641 and -8660. (That’s the order in which they are covered in the article, which is why they are not in numeric sequence here.)
Note that even though Apple lists CVE-2019-8661 as patched in its latest iOS security advisory, the Googlers haven’t disclosed details of this one yet because they don’t think Apple’s update has fully fixed the problem yet.

What to do?

  • Get the latest iOS update if you haven’t yet. Many or most of the bug numbers listed above become irrelevant once you’ve applied the patches.
  • Get the next update as soon as it comes out. It sounds as though Apple is still working on CVE-2019-8661, and that Google is giving the company some more time to knock the bug on the head completely.
  • Less is more. If you are a programmer yourself, beware of writing code that does more than it needs to, or that itself depends on so many other modules or plugins that you can’t easily vouch for the whole thing, no matter how confident you are that your code is bug-free.

via Sophos

mobile malware alert

Russian hackers create fake versions of popular apps for espionage, media report
"Lookout has discovered a highly targeted mobile malware threat that uses a new and sophisticated set of custom Android surveillanceware tools ...
Agent Smith: The new virus to hit mobile devices
Check Point researchers recently discovered a new variant of mobile malware that has quietly infected around 25 million devices, while the user ...
No environment is immune to cyber attacks-Check Point study reveals
Check Point's “Cyber Attack Trends: 2019 Mid-Year Report” reveals banking malware has evolved to become a very common mobile threat.
Global Mobile Anti Malware Market Research Review 2019 – Symantec, Sophos, McAfee, Avast ...
Global Mobile Anti Malware Market study begins with an in-depth outlook which offers readers a brief overview of the market with clarity. The report ...
Mobile Anti-Malware Market Overview, Driver, Restraints, Opportunities (Growing Demand ...
The “Mobile Anti-Malware Market“ Report provides comprehensive information on the top of market owners, their annual transactions, the stability of ...
When a password could be gateway to corporate disasters
The speakers drew on some of the most pressing cybersecurity threats that companies could face in the year ahead, including mobile malware, ...
