Fake Android apps uploaded to Play store by notorious Sandworm hackers

The Russian ‘Sandworm’ hacking group (not to be confused with the malware of the same name) has been caught repeatedly uploading fake and modified Android apps to Google’s Play store.

They were detected by Google Threat Analysis Group (TAG), making the attacks public during a presentation at the recent CyberwarCon conference.

In a blog on the topic this week, Google says the first attack connected to the group happened in South Korea in December 2017 when the group used bogus developer accounts to upload eight different apps to the Play Store.

On the face of it, the campaign was unsuccessful, garnering fewer than 10 installs per app, but it’s likely that the targets were highly selective.

That came after an attack in September 2017, when TAG detected that Sandworm hackers had uploaded a fake version of the UKR.net email app, downloaded by 1,000 users before it was stopped.

In late 2018, the group switched to inserting backdoors into the apps of legitimate developers in one of its favourite locations, Ukraine.

However, the Google Play Protect team caught the attempt at the time of upload. As a result, no users were infected, and we were able to re-secure the developer’s account.

There’s nothing unusual about this – hackers compromising developer keys to pass their own malware off as legitimate apps has been happening for years.

“With Sophos we’ve had zero ransomware infections”

Start an online demo of Sophos Intercept X in less than a minute.

Start an online demo

The significance of the Sandworm (aka Iridium) attacks is that the group is alleged to be connected to the Russian Government – one of a list of hacking entities that also includes Fancy Bear (APT28), Dragonfly, Energetic Bear, Grizzly Steppe, and many others. Sandworm is allegedly behind the NotPetya worm and the cyberattack on the 2018 Winter Olympics.

There are now so many of these that it’s hard to keep up. And it is not helped by the habit of the security industry of giving them different, proprietary names.

Google also reveals that it has detected alleged Russian disinformation campaigns in African countries such as Central African Republic, Sudan, Madagascar, and South Africa.

We terminated the associated Google accounts and 15 YouTube channels, and we continue to monitor this space.

Similar campaigns were uncovered in the Indonesian provinces Papua and West Papua “with messaging in opposition to the Free Papua Movement.”

Sandworm itself has been around since at least 2014, which makes it middle-aged by the standards of Russian hacking groups.

However, it would be a mistake to see this phenomenon as a uniquely Russian affair. Russian groups are highly active, as are ones connected to countries such as China and Iran, but the popularity of nation state-backed hacking and disinformation is spreading across the globe.

This might one day become ubiquitous. If that happens, it will not only be another bad day for the internet but could eventually rebound on its perpetrators too.

• Follow @NakedSecurity on Twitter for the latest computer security news.
• Follow @NakedSecurity on Instagram for exclusive pics, gifs, vids and LOLs!

Read more »

iPhone holes and Android malware – how to keep your phone safe

Recent news stories about mobile phone security – or, more precisely, about mobile phone insecurity – have been more dramatic than usual.

That’s because we’re in what you might call “the month after the week before” – last week being when the annual Black Hat USA conference took place in Las Vegas.

A lot of detailed cybersecurity research gets presented for the first time at that event, so the security stories that emerge after the conference papers have been delivered often dig a lot deeper than usual.

In particular, we heard from two mobile security researchers in Google’s Project Zero team: one looked at the Google Android ecosystem; the other at Apple’s iOS operating system.

Natalie Silvanovich documented a number of zero-day security holes in iOS that crooks could, in theory, trigger remotely just by sending you a message, even if you never got around to opening it.

Maddie Stone described the lamentable state of affairs at some Android phone manufacturers who just weren’t taking security seriously.

Stone described one Android malware sample that infected 21,000,000 devices altogether…

…of which a whopping 7,000,000 were phones delivered with the malware preinstalled, inadvertently bundled in along with the many free apps that some vendors seem to think they can convince us we can’t live without.

But it’s not all doom and gloom, so don’t panic!

Watch now

We recorded this Naked Security Live video to give you and your family some non-technical tips to improve your online safety, whichever type of phone you prefer:

(Watch directly on YouTube if the video won’t play here.)

Read more »

No Platform Immune from Ransomware, According to SophosLabs 2018 Malware Forecast

• Ransomware ravaged Windows, but attacks on Android, Linux and MacOS systems also increased in 2017
• Just two strains of ransomware were responsible for 89.5 percent of all attacks intercepted on Sophos customer computers worldwide

OXFORD, U.K. – Nov. 2, 2017 – Sophos (LSE: SOPH), a global leader in network and endpoint security, today announced its SophosLabs 2018 Malware Forecast, a report that recaps ransomware and other cybersecurity trends based on data collected from Sophos customer computers worldwide during April 1 to Oct. 3, 2017. One key finding shows that while ransomware predominately attacked Windows systems in the last six months, Android, Linux and MacOS platforms were not immune.

“Ransomware has become platform-agnostic. Ransomware mostly targets Windows computers, but this year, SophosLabs saw an increased amount of crypto-attacks on different devices and operating systems used by our customers worldwide,” said Dorka Palotay, SophosLabs security researcher and contributor to the ransomware analysis in the SophosLabs 2018 Malware Forecast.

The report also tracks ransomware growth patterns, indicating that WannaCry, unleashed in May 2017, was the number one ransomware intercepted from customer computers, dethroning longtime ransomware leader Cerber, which first appeared in early 2016. WannaCry accounted for 45.3 percent of all ransomware tracked through SophosLabs with Cerber accounting for 44.2 percent.

“For the first time we saw ransomware with worm-like characteristics, which contributed to the rapid expansion of WannaCry. This ransomware took advantage of a known Windows vulnerability to infect and spread to computers, making it hard to control,” said Palotay. “Even though our customers are protected against it and WannaCry has tapered off, we still see the threat because of its inherent nature to keep scanning and attacking computers. We’re expecting cyber criminals to build upon this ability to replicate seen in WannaCry and NotPetya, and this is already evident with Bad Rabbit ransomware, which shows many similarities to NotPetya.” 

The SophosLabs 2018 Malware Forecast reports on the acute rise and fall of NotPetya, ransomware that wreaked havoc in June 2017. NotPetya was initially distributed through a Ukranian accounting software package, limiting its geographic impact. It was able to spread via the EternalBlue exploit, just like WannaCry, but because WannaCry had already infected most exposed machines there were few left unpatched and vulnerable. The motive behind NotPetya is still unclear because there were many missteps, cracks and faults with this attack. For instance, the email account that victims needed to contact attackers didn’t work and victims could not decrypt and recover their data, according to Palotay.

“NotPetya spiked fast and furiously, and did hurt businesses because it permanently destroyed data on the computers it hit. Luckily, NotPetya stopped almost as fast as it started,” said Palotay. “We suspect the cyber criminals were experimenting or their goal was not ransomware, but something more destructive like a data wiper. Regardless of intention, Sophos strongly advises against paying for ransomware and recommends best practicesinstead, including backing up data and keeping patches up to date.”

Cerber, sold as a ransomware kit on the Dark Web, remains a dangerous threat. The creators of Cerber continuously update the code and they charge a percentage of the ransom that the “middle-men” attackers receive from victims. Regular new features make Cerber not only an effective attack tool, but perennially available to cyber criminals. “This Dark Web business model is unfortunately working and similar to a legitimate company is likely funding the ongoing development of Cerber. We can assume the profits are motivating the authors to maintain the code,” said Palotay.

Android ransomware is also attracting cyber criminals. According to SophosLabs analysis, the number of attacks on Sophos customers using Android devices increased almost every month in 2017.

“In September alone, 30.4 percent of malicious Android malware processed by SophosLabs was ransomware. We’re expecting this to jump to approximately 45 percent in October,”said Rowland Yu, a SophosLabs security researcher and contributor to the SophosLabs 2018 Malware Forecast. “One reason we believe ransomware on Android is taking off is because it’s an easy way for cyber criminals to make money instead of stealing contacts and SMS, popping ups ads or bank phishing which requires sophisticated hacking techniques. It’s important to note that Android ransomware is mainly discovered in non-Google Play markets – another reason for users to be very cautious about where and what kinds of apps they download.”  

The SophosLabs report further indicates two types of Android attack methods emerged: locking the phone without encrypting data, and locking the phone while encrypting the data. Most ransomware on Android doesn’t encrypt user data, but the sheer act of locking a screen in exchange for money is enough to cause people grief, especially considering how many times in a single day information is accessed on a personal device.“Sophos recommends backing up phones on a regular schedule, similar to a computer, to preserve data and avoid paying ransom just to regain access. We expect ransomware for Android to continue to increase and dominate as the leading type of malware on this mobile platform in the coming year,” said Yu.

For access to the full SophosLabs 2018 Malware Forecast and Ransomware Infographic, go to here.

via comparethecloud

Read more »

Update your Android now – many holes fixed including ‘BroadPwn’ Wi-Fi bug

Google’s July 2017 security fixes for Android are out.

As far as we can see, there are 138 bugs listed, each with its own CVE number, of which 18 are listed with the tag “RCE”.

RCE stands for Remote Code Execution, and denotes the sort of vulnerability that could be abused by a crook to run some sort of program sent in from outside – without any user interaction.

Generally speaking, RCE bugs give outsiders a sneaky chance to trigger the sort of insecure behaviour that would usually either pop up an obvious “Are you sure?” warning, or be blocked outright by the operating system.

In other words, RCEs can typically be used for so-called “drive-by” attacks, where just visiting a web page or looking at an email might leave you silently infected with malware.

The majority of the July 2017 RCE bugs in Android appear under the heading “Media framework”, which means they are Android flaws that are exposed when files such as images or videos are processed for display.

Like the infamous Stagefright bug in Android back in 2015, bugs of this sort can potentially be triggered by actions that don’t arouse suspicion, because images and videos can unexceptionably be embedded in innocent-looking content such as MMS messages and web pages.

There’s also an RCE bug in Android’s built-in FTP client – this one affects all Android versions still getting patches, from 4.4.4 all the way to 7.1.2.

We’re not sure how easy it is to trigger this bug, but we’re assuming it’s tricky to exploit because Google gives it only a moderate rating.

(Mild risk ratings are unusual for RCEs – they usually attract a high or critical rating because there’s a lot at stake if an RCE vulnerability does get exploited.)

“Proximate attacker” warning

The most intriguing bug this month, however, is an RCE flaw in the Broadcom Wi-Fi code that’s used by Android devices equipped with certain Broadcom wireless chips.

According to Google, “a proximate attacker [could] execute arbitrary code within the context of the kernel”.

In plain English, that means a crook who’s within Wi-Fi range could fire off booby-trapped network packets at your Wi-Fi hardware, trigger a bug in the wireless device…

…and end up with the same programmatic powers as the Android operating system on your device.

Given that the Android kernel is responsible for keeping your apps apart, for example by preventing the new fitness app you just installed from sneaking a look at your browsing history, a security compromise inside the kernel itself is about as serious as it gets.

Unfortunately, we can’t yet give you any real detail about the Broadcom RCE patch.

The researcher who found the bug will be presenting his findings at the end of July 2017 at the Black Hat 2017 conference in Las Vegas.

Until then, all we really have are teasers for his forthcoming talk, and a the funky-sounding name BroadPwn for the vulnerability.

(Understandably, no one who’s about to unveil a cool exploit at Black Hat wants to risk giving away a TL;DR version before the talk takes place – that would be like leaking the names of the Oscar winners a week before the awards ceremony.)

Interestingly, back in April 2017, a number of security issues in Broadcom wireless firmware were found to affect both iOS and Android devices – so if you’re an iPhone user, don’t be surprised if this month’s Google patches are quickly followed by a security patch from Apple, too.

What to do?

As usual, we’re going to repeat our usual mantra: “Patch early, patch often.”

What we can’t tell you is when the vendors of devices other than Google’s own Nexus and Pixel phones will be ready with their patches – if you’re worried, ask your vendor or the carrier who supplied your device.

Also, we can’t give you a handy list of the thousands of different Android devices out there that not only include Broadcom wireless cards but also have firmware that’s affected by the BroadPwn bug.

Once again, if you are worried, ask your supplier or mobile carrier.

Having said that, we can offer you Sophos Mobile Security for Android, 100% free of charge: although it won’t patch the abovementioned security holes for you, it will stop you from browsing to risky websites and from downloading booby-trapped adware and malware apps.

A good Android anti-virus not only makes it harder for crooks to push risky content onto your device but also stops them pulling you towards phishing pages, survey scams and other criminally oriented websites.

via nakedsecurity

Read more »