Showing posts with label cybercriminals.

iPhone holes and Android malware – how to keep your phone safe

Recent news stories about mobile phone security – or, more precisely, about mobile phone insecurity – have been more dramatic than usual.
That’s because we’re in what you might call “the month after the week before” – last week being when the annual Black Hat USA conference took place in Las Vegas.
A lot of detailed cybersecurity research gets presented for the first time at that event, so the security stories that emerge after the conference papers have been delivered often dig a lot deeper than usual.
In particular, we heard from two mobile security researchers in Google’s Project Zero team: one looked at the Google Android ecosystem; the other at Apple’s iOS operating system.
Natalie Silvanovich documented a number of zero-day security holes in iOS that crooks could, in theory, trigger remotely just by sending you a message, even if you never got around to opening it.
Maddie Stone described the lamentable state of affairs at some Android phone manufacturers who just weren’t taking security seriously.
Stone described one Android malware sample that infected 21,000,000 devices altogether…
…of which a whopping 7,000,000 were phones delivered with the malware preinstalled, inadvertently bundled in along with the many free apps that some vendors seem to think they can convince us we can’t live without.
But it’s not all doom and gloom, so don’t panic!

Watch now

We recorded this Naked Security Live video to give you and your family some non-technical tips to improve your online safety, whichever type of phone you prefer:

Is Your Router Vulnerable to VPNFilter Malware?

The Justice Department last week urged everyone with a small office/home office (SOHO) router or NAS device to reboot their gadgets immediately in order to thwart VPNFilter, a new strain of malware that can brick your router.
The FBI seized a domain used to send commands to the infected devices, but it can't hurt to reboot anyway.
As Symantec outlines, VPNFilter is "a multi-staged piece of malware." Stage 1 makes the connection, Stage 2 delivers the goods, and Stage 3 acts as plugins for Stage 2. "These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor."
VPNFilter "is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot," Symantec says.
Still, "rebooting will remove Stage 2 and any Stage 3 elements present on the device, [temporarily removing] the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers."
Those who believe they're infected should do a hard reset, which restores factory settings. Look for a small reset button on your device; note that a hard reset will also wipe any credentials you have stored on it.
Below is a list of routers Symantec identified as vulnerable to VPNFilter. MikroTik tells Symantec that VPNFilter likely proliferated via a bug in MikroTik RouterOS software, which it patched in March 2017. "Upgrading RouterOS software deletes VPNFilter, any other third-party files and patches the vulnerability," Symantec says.
  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN
"No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues," according to Cisco Talos, which first reported the malware.
To date, Cisco Talos estimates that at least 500,000 devices in at least 54 countries have been hit by VPNFilter.
The feds are pinning this attack on Fancy Bear, a hacking group also known as APT28 and Sofacy Group, among other monikers. The group is notorious for attacking governments across the world and stealing confidential files from the Democratic National Committee during the 2016 election.


via PCMag

What Is Smishing?

Cybercriminals have created various methods to trick people into downloading viruses or malware onto their laptops, tablets, and smartphones.
The latest form is smishing, another tool used by cybercriminals to obtain personally identifiable information and steal identities by infecting your smartphone through texts or an SMS message. The software’s malicious intent comes in the form of viruses, ransomware, spyware or adware.
The term “smishing” is a mashup of SMS (short message service) and phishing, in which fraudsters send emails that mimic a trustworthy source such as a credit card company, financial institution or retailer. Unsuspecting consumers open the email and click on the links, allowing the malware to be activated.
When people click on the links, the fraudsters can trick them into sharing their password, credit card numbers or other personally identifiable information such as Social Security numbers.
Smishing is growing in popularity because too many people are unaware of this type of fraud and trust text messages more than the emails they receive.
The fraudsters are following a similar strategy when it comes to phishing and rely on social engineering to get more people to give out their personal information. The smisher wants to obtain passwords, credit card information or your Social Security number to sell them on the darknet, a.k.a. the dark web.
If fraudsters are able to obtain your personal information, they can steal your identity and apply for credit cards and loans while pretending to be you, which can greatly affect your credit score.
Some smishers have deployed a tactic of telling people that if they fail to click on the link and provide their personal information, the company they’re pretending to be will start charging daily for the service. These fraudsters will attempt to fool you into thinking they are a legitimate source you would normally use or trust.
Ignore all messages that seem bizarre or are from companies where you did not sign up for text alerts.

How to Prevent Smishing

These two words will help you avoid smishing attacks: Delete and block.
Just like emails, don’t reply to texts from people who are not in your address book. There are too many incidences of fraud, and the headaches of identity theft are not worth it.
When a text message or SMS comes from a number such as “8000” that does not resemble a standard phone number, skip it. Those are simply emails that are sent to a smartphone.
As more and more people share links from articles, videos or social media, it is easy to just click on a link. Skip the ones from people you do not know. If the link looks suspicious or out of character for that particular friend, ask them if they sent it.
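The red flags the article lists (sender not in your address book, a short sender ID like “8000” rather than a phone number, a link, a threat of daily charges, a request for passwords or Social Security numbers) can be turned into a simple triage scorer. This is an added example, not code from the original post; the sample messages, weights and thresholds are constructed for illustration, and legitimate senders also use short codes, so the score is a prompt to verify, not proof of fraud.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SmsMessage:
    sender: str         # sender ID as shown on the phone: "8000", "+15551234567", "BANKALERT"
    body: str
    sender_known: bool  # True if the sender is in the user's address book


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


# Full-length phone numbers (E.164-like: 10-15 digits, optional leading +).
PHONE_RE = re.compile(r"^\+?\d{10,15}$")
# Only explicit links, so ordinary sentences are not flagged.
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
# Pressure tactics described in the article ("we will charge daily unless you click").
URGENCY_PHRASES = ("charged daily", "charge daily", "within 24 hours",
                   "will be suspended", "verify now", "act now", "immediately")
# Data the smisher is after, per the article; word boundaries avoid matching "shopping".
SENSITIVE_RE = re.compile(r"\b(password|social security|ssn|card number|pin)\b", re.IGNORECASE)


def classify_sender(sender: str) -> str:
    """'phone' for a standard number, 'short_code' for IDs like '8000', else 'alphanumeric'."""
    s = re.sub(r"[\s-]", "", sender)
    if PHONE_RE.match(s):
        return "phone"
    if s.isdigit():
        return "short_code"
    return "alphanumeric"


def assess(msg: SmsMessage) -> Verdict:
    """Score one message against the article's red flags; higher means more suspicious."""
    v = Verdict(0)
    text = msg.body.lower()
    if not msg.sender_known:
        v.score += 2
        v.reasons.append("sender not in address book")
    kind = classify_sender(msg.sender)
    if kind != "phone":
        v.score += 2
        v.reasons.append(f"{kind} sender ID, not a standard phone number")
    if URL_RE.search(msg.body):
        v.score += 2
        v.reasons.append("contains a link")
    if any(p in text for p in URGENCY_PHRASES):
        v.score += 2
        v.reasons.append("pressure tactic or threat of charges")
    if SENSITIVE_RE.search(msg.body):
        v.score += 3
        v.reasons.append("asks for credentials or identity data")
    return v


def recommend(v: Verdict) -> str:
    """Map the score to the article's advice: delete and block, verify first, or nothing to do."""
    if v.score >= 6:
        return "delete and block"
    if v.score >= 3:
        return "do not click; confirm with the sender first"
    return "looks normal"


# Constructed sample messages (not real traffic); domains are reserved .example names.
SAMPLE_MESSAGES = [
    SmsMessage("8000", "Your bank account will be charged daily unless you confirm "
               "your password at http://secure-bank.example/login", sender_known=False),
    SmsMessage("+15551234567", "Are we still on for lunch?", sender_known=True),
    SmsMessage("+15559876543", "check this out https://vid.example/abc", sender_known=False),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = assess(m)
        print(f"{m.sender:>14} score={v.score:2d} -> {recommend(v)}; {', '.join(v.reasons)}")
```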

Protecting Yourself From Identity Theft

If you communicate through your mobile device frequently or use it to watch videos or movies, consider adding a VPN to your phone. A VPN, or virtual private network, prevents fraudsters from seeing your activity on the Internet.
VPNs can be used on a person’s mobile device, laptop or computer and are useful when you are accessing the Internet from a public network at an airport, retailer or hotel.
The risk of using public WiFi is high because criminals routinely intercept people’s sensitive and personal data as they are paying bills or shopping. The public networks are being watched by hackers so they can steal passwords and identities and install malware.
Adding a VPN will shield both your activity and personally identifiable information. While some VPNs are free, others can be purchased, but people should conduct due diligence before downloading one.
Since smishing is occurring more frequently, it is good practice to check your credit report on a regular basis to see if a fraudster tried to open a new credit card or another account in your name. Consumers can obtain one free credit report from Experian, Equifax and Transunion every 12 months at AnnualCreditReport.com. You can also get a free copy of your Experian credit report and dispute anything inaccurate on it on Experian.com.

Android security: This newly discovered snooping tool has remarkable spying abilities


A newly-uncovered form of Android spyware is one of the most advanced targeted surveillance tools ever seen on mobile devices, coming equipped with spying features never previously seen active in the wild.
Named Skygofree by researchers because the word was used in one of its domains, the multistage malware is designed for surveillance and puts the device in full remote control of the attackers, enabling them to perform advanced attacks including location-based sound recording, stealing communications including WhatsApp messages, and connecting to compromised networks controlled by the malware operators.
Researchers at Kaspersky Lab say those behind the spyware have been active since 2014 and are targeting select individuals -- all in Italy. Those behind the mobile surveillance tool are also thought to be based in Italy.
"Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions," said Alexey Firsh, malware analyst in targeted attacks research at Kaspersky Lab.
The malware was uncovered during a review of suspicious file feeds, with its capabilities uncovered after analysing the code.

[Image: iStock] Researchers say Skygofree has some of the most advanced features ever seen in mobile malware.

Still thought to be receiving updates from its authors, Skygofree offers attackers 48 different commands, allowing them flexibility to access almost all services and information on the infected device.

That includes the ability to secretly use the device's microphone to eavesdrop on the user and their surroundings when they enter a specified location -- a surveillance feature which has never previously been seen in the wild.
Other previously unseen features bundled with Skygofree are the ability to use Accessibility Services to steal WhatsApp messages of victims and an ability to connect an infected device to wi-fi networks controlled by the attackers.
The malware is also equipped with all the features and root access privileges usually associated with trojan spyware, including capturing photos and videos, seizing call records and text messages, as well as monitoring the user's location via GPS, their calendar, and any information stored on the device.
If the user has chosen to run battery-saving measures, Skygofree is able to add itself to the list of 'protected apps' in order to ensure it can carry on its malicious activity, even when the screen is off or the phone isn't active.
It remains unclear if those targeted by Skygofree have anything in common outside of being based in Italy, but research suggests that those infected with the Android malware have been compromised after visiting fake websites which mimic those of leading mobile operators.
While researchers still don't know how the victims are lured onto these malicious sites, once there, they're asked to update or configure their device, allowing the malware to be dropped in the process.
Most attacks appear to have taken place in 2015, but there's evidence that Skygofree is still active with evidence of attacks as recently as 31 October 2017. The attackers have gone out of their way to ensure that Skygofree remained under the radar without being detected.
"High-end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion," said Firsh.
In addition to actively infecting Android devices, the attackers also appear to have an interest in Windows systems: researchers uncovered recently-developed modules to target the platform.
However, given the treasure trove of information a mobile device can provide to attackers, it's no surprise that those behind Skygofree put their main focus on Android -- especially given the chance it offers to track a user's movement and therefore activate attacks based on location.
"Mobile spyware is becoming more effective than PC variants, because victims keep their mobile phone close by them at all times, and such implants can exfiltrate a large amount of sensitive information," Vicente Diaz, deputy head of the global research and analysis team at Kaspersky Lab, told ZDNet. "Some of the never before seen-in-the-wild features of Skygofree are remarkable in their capability."
In order to protect against falling for these sorts of targeted cyber-attacks, mobile users are encouraged to use a security tool to help protect their device and to exercise caution when they receive emails from people or organisations they don't know, or with unexpected requests or attachments.

via Zdnet

How bad guys get malware inside your smartphone



Digital thieves have a playbook for stealing your sensitive data. A software security firm spells it out. 
Avira, a company that provides antivirus and Internet security software, has published a concise but informative five-step guide to mobile theft explaining the how and why of malware getting inside your mobile device.
The five-step strategy is pretty simple but effective, according to Avira.
Effective because, one, some malicious software slips by filters at reputable online stores and, two, people are always looking for free stuff, Alexander Vukcevic, head of virus lab for Avira, told Fox News. 
“Users rely on the quality assurance provided by store operators, and many users try to access and deploy popular apps through alternative stores without paying anything,” he said. “This…is used by many malware authors to infect mobile phones.”
Step 1: The plan. The bad guys identify vulnerabilities then develop exploits. If they don’t have the skills, they hire a bounty hunter on the black market. Bounty hunters sometimes work with exploit brokers. The broker gets paid because organizations will pay to find and stop the hack. 
Step 2: The gear. Infected websites and malicious apps are the gear used to install malware on victims' phones.
Step 3: The inside man. Once downloaded to your phone, the bad guy tries to gain root access to the phone. “If this fails, they generate a fake update notification — clicking on the notification grants them the ability to display ads and download apps at will. Banditos can even change the phone’s IMEI number to increase the number of ads they can display,” according to Avira.
IMEI, which stands for International Mobile Equipment Identity, is a unique number used to identify phones.
Step 4: The heist. They sit back and wait until the money starts flowing in.
Step 5: The getaway. The cybercriminals have gotten inside and left malicious code behind. But the malware is often “difficult to dislodge,” says Avira.
HummingBad -- and its derivatives -- is a good real-world example, according to Avira. The booby-trapped app is incredibly devious because it’s often supported by fake reviews and four-star ratings. 
“These apps can look pretty good. People have found them in the official Google Play store or, more commonly, from the off-market sites,” Avira said. Off-market sites offer, for example, Android apps that may not be available in the Google Play store. The apps on these sites are often free.
However, if users install a malicious app, it immediately tries to get root access to the phone, which allows it to do pretty much anything. “If that fails, it tries to get the user to click on a bogus ‘System Update’ notification," according to Avira.
And it can be very profitable. “Each click, every install on the infected device means more money for the bad guys – an estimated $300,000 monthly,” Avira said, referring to HummingBad.
The fix can be extreme. “To remove this malware, the most common solution is a wipeout for the device owner, as it usually requires a complete reset of the device, wiping out all apps, settings, and saved files,” says Avira.



via FoxNews

New code injection method avoids malware detection on all versions of Windows

Presented at Black Hat Europe, a new fileless code injection technique has been detailed by security researchers Eugene Kogan and Tal Liberman. Dubbed Process Doppelgänging, it produces processes modified to include malicious code that commonly available antivirus software is unable to detect.
The process is very similar to a technique called Process Hollowing, but software companies can already detect and mitigate risks from the older attack method. Process Hollowing occurs when the memory of a legitimate program is modified and replaced with attacker-injected data, causing the original process to appear to run normally while executing potentially harmful code.
Unlike the outdated hollowing technique, Process Doppelgänging takes advantage of how Windows loads processes into memory. The mechanism that loads programs was originally designed for Windows XP and has changed little since then.
To attempt the exploit, a normal executable is handed to an NTFS transaction and then overwritten by a malicious file. An NTFS transaction is atomic: it either commits or fails as a whole, so no partial operation becomes visible. A piece of memory in the target file is modified. After modification, the NTFS transaction is intentionally rolled back so that the original file appears to be unmodified. Finally, the Windows process loader is used to invoke the modified section of memory that was never removed.
The following table shows the antivirus software tested by the researchers that is unable to block the exploit discovered ("Success" means the injection ran undetected).

Product                          Operating System   Result
Windows Defender                 Windows 10         Success
AVG Internet Security            Windows 10         Success
Bitdefender                      Windows 10         Success
ESET NOD 32                      Windows 7 SP1      Success
Symantec Endpoint Protection     Windows 7 SP1      Success
McAfee VSE 8.8 Patch 6           Windows 7 SP1      Success
Kaspersky Endpoint Security 10   Windows 7 SP1      Success
Kaspersky Antivirus 18           Windows 7 SP1      Success
Symantec Endpoint Protection 14  Windows 7 SP1      Success
Panda                            Windows 8.1        Success
Avast                            Windows 8.1        Success
It should be noted that Windows 10 Fall Creators Update originally appeared to fix the issue, since the duo presenting were unable to perform the exploit on the latest version. When attempting the exploit, a stop error, otherwise known as the blue screen of death, occurs. Not a desirable effect, but better than ending up with an infected machine.
However, later updates apparently allowed for the exploit to work again even on the latest patches of Windows 10. Due to the nature of the exploit, Microsoft will have its work cut out to update a core feature that helps preserve software compatibility. Antivirus vendors should be able to push out updates to detect and prevent Process Doppelgänging within the coming weeks.


via Techspot

Is Coin Miner draining your Android device?

The TrendLabs Security Intelligence Blog has identified the Coin Miner mobile malware back in the Google Play store. The malware takes over a device and uses its resources to mine a selection of different cryptocurrencies. Users will often not realise what is going on. What they will see is poor battery life and degraded performance.
The apps are using several techniques to bypass security. The blog states: “These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.”

What apps were used by Coin Miner?

This attack is a change to the way coin mining solutions take control of machines. As the report states: “We've previously seen tech support scams and compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users.” This move to using apps is different and, given the success of other app-based malware, could be more effective. Those users who jailbreak their devices to install anything are particularly at risk here, especially with the ANDROIDOS_CPUMINER attack.
The first of the two miners, ANDROIDOS_JSMINER, was distributed in two apps:
  • Recitiamo Santo Rosario Free: This app helps users to recite the Holy Rosary.
  • SafetyNet Wireless App: This is aimed at people enrolled in government assistance programs in the US who would otherwise not be able to get online.
Once installed, the apps download the Coinhive JavaScript library and start mining cryptocurrencies. The apps run in a hidden browser window making it difficult for the user to know they are there. However, they do cause very high CPU utilisation. On most devices this will manifest itself as the device getting warm or even hot when held.
The second miner, ANDROIDOS_CPUMINER, turns any app into a trojan. Apps are modified and then repackaged. When a user downloads the app, often from an unofficial app store or from an illegal software site, they will be quickly infected. One such app TrendLabs discovered was “Car Wallpaper HD: Mercedes, Ferrari, BMW and Audi”.
TrendLabs says that it detected a total of 25 instances of ANDROIDOS_CPUMINER in addition to the ANDROIDOS_JSMINER infected apps.

What does this mean?

The explosion in cryptocurrencies and the need to mine them early to make a serious profit is driving these attacks. It is highly unlikely that we will see any let up in the number of attacks over the next year or even longer. Criminals are also getting smarter and looking for new ways to infect machines.
The big question here is what value is realistically being gained from using mobile devices? While they are getting more powerful the problems that need to be solved are also getting harder. This means that the return on investment for the hackers is questionable. Of course, it could be that once they realise this they will change their approach and use infected devices for other purposes.
In the blog post the authors state: “These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of any performance degradation on their devices after installing an app.”

A Hacker's Tool Kit



Cybercrime is growing ever more pervasive—and costly. According to researcher Cybersecurity Ventures, the annual cost of cybercrime globally will rise from $3 trillion in 2015 to $6 trillion in 2021. Enabling this boom are thriving marketplaces online, where hackers sell tools and services to criminals. Virtually anything is available for the right price, points out Andrei Barysevich, director of advanced collection (“a fancy name for ‘spy,’ ” he says) at threat intelligence firm Recorded Future. A former consultant for the FBI’s cybercrime team in New York, Barysevich trawled the shadiest corners of the web to compile the cybercrime shopping list above, exclusively for Fortune. In the market for some basic malware? It’ll cost you as little as $1.
Graphic shows prices of cybercrime events




via fortune
