This month is National Cyber Security Awareness Month. Each week within October will take on a different theme, with this week's being 'Mobile'. So, with that in mind, we thought we'd prepare some tips to help keep your smartphone safe.
Top 5 threat protection best practices
Trend Micro predicts that there may be as many as a million Android malware threats by the end of 2014. What's going on here? Make no mistake about it, there are REAL ANDROID MALWARE PROBLEMS. Part of it is that Android is being targeted because it's extremely popular. The research company Canalys found that Android is running on 59.5 percent of all smart mobile devices that were shipped in the first quarter of 2013.
YES, YOUR SMARTPHONE CAMERA CAN BE USED TO SPY ON YOU...
Yes, smartphone cameras can be used to spy on you - if you're not careful. A researcher claims to have written an Android app that takes photos and videos using a smartphone camera, even while the screen is turned off - a pretty handy tool for a spy or a creepy stalker.
Free Security Scans - Find threats your antivirus missed
Malware is complex, seemingly everywhere and is often difficult to stop. It knows how to find your data, even on your mobile device and Mac. You can't ignore the safety of your devices any longer: you need to recognize and stop these threats before they do MORE harm.
MALWARE ATTACKS ON ANDROID DEVICES SEE 600% INCREASE IN 2016 / 2017
Malware targeting the Android platform is exploding, with a 600 percent increase in just the past 12 months. That statistic is among the findings of a new study--Mobile Security Threat Report--unveiled last week at the Mobile World Congress in Barcelona, Spain.
The Russian ‘Sandworm’ hacking group (not to be confused with the malware of the same name) has been caught repeatedly uploading fake and modified Android apps to Google’s Play store.
They were detected by Google Threat Analysis Group (TAG), making the attacks public during a presentation at the recent CyberwarCon conference.
In a blog on the topic this week, Google says the first attack connected to the group happened in South Korea in December 2017 when the group used bogus developer accounts to upload eight different apps to the Play Store.
On the face of it, the campaign was unsuccessful, garnering fewer than 10 installs per app, but it’s likely that the targets were highly selective.
That came after an attack in September 2017, when TAG detected that Sandworm hackers had uploaded a fake version of the UKR.net email app, downloaded by 1,000 users before it was stopped.
In late 2018, the group switched to inserting backdoors into the apps of legitimate developers in one of its favourite locations, Ukraine.
However, the Google Play Protect team caught the attempt at the time of upload. As a result, no users were infected, and we were able to re-secure the developer’s account.
There’s nothing unusual about this – hackers compromising developer keys to pass their own malware off as legitimate apps has been happening for years.
The significance of the Sandworm (aka Iridium) attacks is that the group is alleged to be connected to the Russian Government – one of a list of hacking entities that also includes Fancy Bear (APT28), Dragonfly, Energetic Bear, Grizzly Steppe, and many others. Sandworm is allegedly behind the NotPetya worm and the cyberattack on the 2018 Winter Olympics.
There are now so many of these that it’s hard to keep up. And it is not helped by the habit of the security industry of giving them different, proprietary names.
Google also reveals that it has detected alleged Russian disinformation campaigns in African countries such as Central African Republic, Sudan, Madagascar, and South Africa.
We terminated the associated Google accounts and 15 YouTube channels, and we continue to monitor this space.
Similar campaigns were uncovered in the Indonesian provinces Papua and West Papua “with messaging in opposition to the Free Papua Movement.”
Sandworm itself has been around since at least 2014, which makes it middle-aged by the standards of Russian hacking groups.
However, it would be a mistake to see this phenomenon as a uniquely Russian affair. Russian groups are highly active, as are ones connected to countries such as China and Iran, but the popularity of nation state-backed hacking and disinformation is spreading across the globe.
This might one day become ubiquitous. If that happens, it will not only be another bad day for the internet but could eventually rebound on its perpetrators too.
McAfee said new ransomware grew 35%, and 2017 ended with a 59% growth of ransomware attacks year over year. While new mobile malware decreased by 35%, most notably in terms of Android screenlocking ransomware, the cybersecurity firm added new Mac OS malware samples increased 24% ...
Cyber criminals will ramp up efforts to mine cryptocurrencies, while mobile malware will rear its ugly head across the APAC region in 2018. The computer networks of two universities in Singapore were breached in April 2017 by hackers looking to steal information related to government or research.
In 2017 total mobile malware experienced a 55% increase, while new samples declined by 3%. New malware samples increased in Q4 by 32%. The total number of malware samples grew 10% in the past four quarters. 97% of spam botnet traffic in Q4 was driven by Necurs — recent purveyor of 'lonely ...
Asia Pacific (APAC) countries remain a popular melting pot for cyber threats of all kinds, including online banking malware, ransomware, malicious mobile app downloads and exploit kit attacks. APAC accounted for almost 40% of the 1.7 billion ransomware attacks between 2016-2017, according to ...
Malware attacks increased from 7.87 billion in 2016 to 9.32 billion in 2017, while ransomware attacks decreased from 638 million to 184 million, according to SonicWall Cyber Threat Report. SonicWall, the cybersecurity solutions provider, revealed the findings, intelligence, analysis, and research about ...
Mobile Anti-Malware Market report provides key statistics on the market status of the Mobile Anti-Malware Manufacturers and is a valuable source of guidance and direction for companies and individuals interested in the Mobile Anti-Malware Industry. The Mobile Anti-Malware industry report firstly ...
However, the antivirus program managed to recognize all these attempts. The miner was supposed to mine Electroneum, which is a less known coin that also uses mobile mining that is app based. Malware also generated traffic that was really suspicious, and the command and control server were ...
A newly-uncovered form of Android spyware is one of the most advanced targeted surveillance tools ever seen on mobile devices, coming equipped with spying features never previously seen active in the wild.
Named Skygofree by researchers because the word was used in one of its domains, the multistage malware is designed for surveillance and puts the device in full remote control of the attackers, enabling them to perform advanced attacks including location-based sound recording, stealing communications including WhatsApp messages, and connecting to compromised networks controlled by the malware operators.
Researchers at Kaspersky Lab say those behind the spyware have been active since 2014 and are targeting select individuals -- all in Italy. Those behind the mobile surveillance tool are also thought to be based in Italy.
"Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions," said Alexey Firsh, malware analyst in targeted attacks research at Kaspersky Lab.
The malware was uncovered during a review of suspicious file feeds, with its capabilities uncovered after analysing the code.
Researchers say Skygofree has some of the most advanced features ever seen in mobile malware.
Still thought to be receiving updates from its authors, Skygofree offers attackers 48 different commands, allowing them flexibility to access almost all services and information on the infected device.
That includes the ability to secretly use the device's microphone to eavesdrop on the user and their surroundings when they enter a specified location -- a surveillance feature which has never previously been seen in the wild.
Other previously unseen features bundled with Skygofree are the ability to use Accessibility Services to steal WhatsApp messages of victims and an ability to connect an infected device to wi-fi networks controlled by the attackers.
The malware is also equipped with all the features and root access privileges usually associated with trojan spyware, including capturing photos and videos, seizing call records and text messages, as well as monitoring the user's location via GPS, their calendar, and any information stored on the device.
If the user has chosen to run battery-saving measures, Skygofree is able to add itself to the list of 'protected apps' in order to ensure it can carry on its malicious activity, even when the screen is off or the phone isn't active.
It remains unclear if those targeted by Skygofree have anything in common outside of being based in Italy, but research suggests that those infected with the Android malware have been compromised after visiting fake websites which mimic those of leading mobile operators.
While researchers still don't know how the victims are lured onto these malicious sites, once there, they're asked to update or configure their device configuration, allowing the malware to be dropped in the process.
Most attacks appear to have taken place in 2015, but there's evidence that Skygofree is still active with evidence of attacks as recently as 31 October 2017. The attackers have gone out of their way to ensure that Skygofree remained under the radar without being detected.
"High-end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion," said Firsh.
In addition to actively infecting Android devices, the attackers also appear to have an interest in Windows systems: researchers uncovered recently-developed modules to target the platform.
However, given the treasure trove of information a mobile device can provide to attackers, it's no surprise that those behind Skygofree put their main focus on Android -- especially given the chance it offers to track a user's movement and therefore activate attacks based on location.
"Mobile spyware is becoming more effective than PC variants, because victims keep their mobile phone close by them at all times, and such implants can exfiltrate a large amount of sensitive information," Vicente Diaz, deputy head of the global research and analysis team at Kaspersky Lab, told ZDNet. "Some of the never before seen-in-the-wild features of Skygofree are remarkable in their capability."
In order to protect against falling for these sorts of targeted cyber-attacks, mobile users are encouraged to use a security tool to help protect their device and to exercise caution when they receive emails from people or organisations they don't know, or with unexpected requests or attachments.
Digital thieves have a playbook for stealing your sensitive data. A software security firm spells it out.
Avira, a company that provides antivirus and Internet security software, has published a concise but informative 5 step guide to mobile theft explaining the how and why of malware getting inside your mobile device.
The five-step strategy is pretty simple but effective, according to Avira.
Effective because, one, some malicious software slips by filters at reputable online stores and, two, people are always looking for free stuff, Alexander Vukcevic, head of virus lab for Avira, told Fox News.
“Users rely on the quality assurance provided by store operators, and many users try to access and deploy popular apps through alternative stores without paying anything,” he said. “This…is used by many malware authors to infect mobile phones.”
Step 1: The plan. The bad guys identify vulnerabilities then develop exploits. If they don’t have the skills, they hire a bounty hunter on the black market. Bounty hunters sometimes work with exploit brokers. The broker gets paid because organizations will pay to find and stop the hack.
Step 2: The gear. Infected websites and malicious apps are the gear used to install malware on victims' phones.
Step 3: The inside man. Once downloaded to your phone, the bad guy tries to gain root access to the phone. “If this fails, they generate a fake update notification — clicking on the notification grants them the ability to display ads and download apps at will. Banditos can even change the phone’s IMEI number to increase the number of ads they can display,” according to Avira.
IMEI, which stands for International Mobile Equipment Identity, is a unique number used to identify phones.
Step 4: The heist. They sit back and wait until the money starts flowing in.
Step 5: The getaway. The cybercriminals have gotten inside and left malicious code behind. But the malware is often “difficult to dislodge,” says Avira.
HummingBad -- and its derivatives -- is a good real-world example, according to Avira. The booby-trapped app is incredibly devious because it’s often supported by fake reviews and four-star ratings.
“These apps can look pretty good. People have found them in the official Google Play store or, more commonly, from the off-market sites,” Avira said. Off-market sites offer, for example, Android apps that may not be available in the Google Play store. The apps on these sites are often free.
However, if users access a malicious app it immediately tries to get root access to the phone, which allows it to do pretty much anything. “If that fails, it tries to get the user to click on a bogus ‘System Update’ notification,” according to Avira.
And it can be very profitable. “Each click, every install on the infected device means more money for the bad guys – an estimated $300,000 monthly,” Avira said, referring to HummingBad.
The fix can be extreme. “To remove this malware, the most common solution is a wipeout for the device owner, as it usually requires a complete reset of the device, wiping out all apps, settings, and saved files,” says Avira.