Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Android devices. Show all posts
Triada
Android devices Android Smartphone counterfeit Cyberattacks CyberCrime Cybersecurity CyberThreat Global Security malware Malware Trojan Remote Access Trojan Triada

Triada Malware Embedded in Counterfeit Android Devices Poses Global Security Risk

 


There has been a significant increase in counterfeit Android smartphones in recent years. Recently, cybersecurity investigations have revealed a concern about counterfeit Android smartphones. These unauthorized replicas of popular mobile devices, which are being widely circulated and are pre-loaded with Triada, a sophisticated Android-based malware, are being offered at attractively low prices, causing widespread confusion and widespread fear. 

As a Remote Access Trojan (RAT) that was originally discovered during campaigns targeting financial and communication applications, Triada can be used to gain covert access to infected devices through covert means. Triada is designed to steal sensitive data from users, such as login information, personal messages, and financial information, which is then discreetly harvested. 

The cybersecurity experts at Darktrace claim that Triada employs evasion techniques to avoid detection by the threat intelligence community. In some cases, data can be exfiltrated through command-and-control servers using algorithmically generated domain names, which is an approach that renders conventional threat monitoring and prevention tools ineffective because of this approach. 

In the wake of a recent discovery, it has been highlighted that malicious software embedded on the firmware of mobile devices, particularly those sourced from vendors that are unknown or unreliable, poses a growing cybersecurity threat. As a consequence of the presence of malware prior to user activation, the threat becomes much more serious. Experts recommend that consumers and businesses exercise greater caution when procuring mobile hardware, especially in markets where devices are distributed without any government regulation. 

Additionally, it has become more important for mobile threat defense systems to be more sophisticated, capable of detecting deeply embedded malware as well as ensuring their effectiveness. There is a strong need for robust supply chain verification methods, effective endpoint security strategies, and an increased awareness of counterfeit electronics risks as a result of these findings. Kaspersky Security experts have warned consumers against purchasing significant discounts on Android smartphones from unverified online platforms that are deemed untrustworthy. 

There have been reports that more than 2,600 compromised devices have been delivered to unsuspecting users, most of whom are already infected with a sophisticated form of mobile malware known as Triada, which has been found to be prevalent in Russia. According to Kaspersky's research, the latest variant of Trojan is not merely installed as a malicious application, but is incorporated into the firmware of the device as well. 

Android's system framework layer is where this malware is situated, which makes it possible for it to infiltrate every single process running within the system. Because of this deep-level integration, the malware is able to access the entire system, while evading traditional detection tools, resulting in a particular difficulty in identifying or removing it using conventional techniques. This Trojan, which was first identified in 2016, has gained notoriety due to its ability to operate mainly in the volatile memory of an Android device, making it extremely difficult to detect. Its modular nature allows it to operate on a variety of Android devices. 

It has become more complex and stealthy over the years, and multiple instances have been documented in which the malware has been integrated into the firmware of budget Android smartphones that are sold through unreliable retailers that have been unauthorized. Triada is a highly persistent threat because its firmware-level embedding makes it impossible to remove it using conventional removal techniques, and it requires a full ROM reset to eradicate. 

According to Kaspersky's latest analysis, the most recent strain of Triada continues to possess sophisticated evasion capabilities. To maintain continuous control and access, the malware burrows into the Android system framework and replicates itself across all active processes. When the malware is activated, it executes a variety of malicious functions on compromised devices. It is possible for hackers to hijack the credentials of users from social media networks, manipulate WhatsApp and Telegram to send or delete messages under the guise of the user, intercept or reroute calls by using spoofing phone numbers, and more. 

Further, this malware allows users to make premium SMS payments and monitor web activity, alter hyperlinks, replace cryptocurrency wallet addresses during transactions, and monitor web activity. This malware is also capable of installing other programs remotely and disrupting network connectivity to bypass security measures or hinder forensic investigations, thus resulting in unauthorized financial losses.

According to Kaspersky's telemetry, this Triada variant has already been diverted approximately $270,000 worth of cryptocurrency, even though the full extent of the theft remains unclear due to the fact that privacy-centric cryptocurrencies such as Monero are being used in the operation. Although it is still unclear what the exact vector of infection was, researchers strongly believe that an infection could have occurred during the manufacturing or distribution stages of the device.

It is increasingly becoming clear that modified variants of Triada are being found in devices other than smartphones, including tablets, TV boxes, and digital projectors, that are based on Android, as well as smartphones. A broader fraudulent campaign known as BADBOX has been associated with these infections, which are often the result of compromised hardware supply chains and unregulated third-party marketplaces that have allowed the malware to gain initial access to the user's system. 

Triada developed into a backdoor that was built into the Android framework backdoor in 2017. This backdoor allows threat actors to remotely install more malware on the affected devices and exploit the devices for malicious purposes using various malicious operations. Google's 2019 disclosure revealed that, as a general rule, infection typically occurs during the production stage when original equipment manufacturers (OEMs) outsource custom features, such as facial recognition, to third parties. 

In such cases, these external developers may modify entire system images, and they have been implicated in injecting malware such as Triada into the operating system. Google's identification as Yehuo or Blazefire led to one of these vendors being cited as a potential contributor to the spread of the malware. 

Kaspersky confirmed in its analysis of samples that the Trojan is integrated into the system framework, which facilitates its replication across all processes on the device and allows unauthorized actions such as credential thefts, covert communications, manipulation of calls and SMS, substitution of links, activation of premium services, and disruption of network connectivity to occur. There's no doubt that Triada is not an isolated example of supply chain malware, as Avast revealed in 2018 that several Android devices made by manufacturers like ZTE and Archos are also preloaded with an adware called Cosiloon that is preloaded on them. 

According to Kaspersky's ongoing investigation, the latest strain of Triada has been found to be embedded directly within the firmware of compromised Android devices, primarily in their system framework. With this strategic placement, the malware is able to integrate itself into all the active processes on the device, giving the attacker complete control over the entire system. 

In a recent article published by Kaspersky Security, cybersecurity specialist Dmitry Kalinin highlighted the persistant threat posed by the Triada malware family, describing it as one of the most intricate and persistent malware families that targets Android devices. This was due to the fact that malware can often be introduced to devices before they even reach the end user, probably because of a compromised point along the way in the manufacturing or supply chain process, leaving retailers unaware that the devices they are distributing are already infected. 

The malware can perform a wide variety of harmful activities once it becomes active, including taking control of email accounts and social media accounts, sending fraudulent messages, stealing digital assets such as cryptocurrency, spying on users, and remotely installing malicious software to further harm their system. 

A growing number of experts advise consumers and vendors to be extremely cautious when sourcing devices, especially from unofficial or heavily discounted marketplaces, as this system is deeply integrated and has the potential to lead to large-scale data compromises, particularly when the devices are purchased online. For users to be safe from deeply embedded, persistent threats like Triada, it is imperative that the supply chain be audited more stringently, as well as robust mobile threat defense solutions are implemented.
Read more »
Privacy
Android devices Browsers Cookies Data Storage Google Chrome junk files Mozilla Firefox Privacy

Why You Should Clear Your Android Browser’s Cache and Cookies



The web browsers of your Android devices, whether it's Google Chrome, Mozilla Firefox, or Samsung Internet, stores a variety of files, images, and data from the websites you visit. While this data can help load sites faster and keep you logged in, it also accumulates a lot of unnecessary information. This data buildup can potentially pose privacy risks.

Over time, your browser’s cookies and cache collect a lot of junk files. Some of this data comes from sites you’ve visited only once, while others track your browsing habits to serve targeted ads. For example, you might see frequent ads for items you viewed recently. Clearing your cache regularly helps eliminate this unnecessary data, reducing the risk of unknown data trackers lurking in your browser.

Though clearing your cache means you’ll have to log back into your favourite websites, it’s a small inconvenience compared to the benefit of protecting your privacy and freeing up storage space on your phone.

How to Clear Cookies and Cache in Google Chrome

To clear cookies and cache in Google Chrome on your Android device, tap the More button (three vertical dots) in the top right corner. Go to History and then Delete browsing data. Alternatively, you can navigate through Chrome’s Settings menu to Privacy and Security, and then Delete browsing data. You’ll have options under Basic and Advanced settings to clear browsing history, cookies and site data, and cached images and files. You can choose a time range to delete this data, ranging from the past 24 hours to all time. After selecting what you want to delete, tap Clear data.

How to Get Rid Of Unnecessary Web Files in Samsung Internet

For Samsung Internet, there are two ways to clear your cookies and cache. In the browser app, tap the Options button (three horizontal lines) in the bottom right corner, then go to Settings, and select Personal browsing data. Tap Delete browsing data to choose what you want to delete, such as browsing history, cookies, and cached images. Confirm your choices and delete.

Alternatively, you can clear data from the Settings app on your phone. Go to Settings, then Apps, and select Samsung Internet. Tap Storage, where you’ll find options to Clear cache and Clear storage. Clear cache will delete cached files immediately, while Clear storage will remove all app data, including cookies, settings, and accounts.

How to Declutter in Mozilla Firefox

In Mozilla Firefox, clearing cookies and cache is also straightforward. Tap the More button (three vertical dots) on the right of the address bar, then go to Settings and scroll down to Delete browsing data. Firefox offers options to delete open tabs, browsing history, site permissions, downloads, cookies, and cached images. Unlike Chrome, Firefox does not allow you to select a time range, but you can be specific about the types of data you want to remove.

Firefox also has a feature to automatically delete browsing data every time you quit the app. Enable this by going to Settings and selecting Delete browsing data on quit. This helps keep your browser tidy and ensures your browsing history isn’t accessible if your phone is lost or stolen.

Regularly clearing cookies and cache from your Android browser is crucial for maintaining privacy and keeping your device free from unnecessary data. Each browser—Google Chrome, Samsung Internet, and Mozilla Firefox—offers simple steps to manage and delete this data, boosting both security and performance. By following these steps, you can ensure a safer and more efficient browsing experience on your Android device.


Read more »
Theft Prevention
AI technology Android Android devices Android Security Cyber Security Data protection Google Theft Prevention

Google Introduces Advanced Anti-Theft and Data Protection Features for Android Devices

 

Google is set to introduce multiple anti-theft and data protection features later this year, targeting devices from Android 10 up to the upcoming Android 15. These new security measures aim to enhance user protection in cases of device theft or loss, combining AI and new authentication protocols to safeguard sensitive data. 

One of the standout features is the AI-powered Theft Detection Lock. This innovation will lock your device's screen if it detects abrupt motions typically associated with theft attempts, such as a thief snatching the device out of your hand. Another feature, the Offline Device Lock, ensures that your device will automatically lock if it is disconnected from the network or if there are too many failed authentication attempts, preventing unauthorized access. 

Google also introduced the Remote Lock feature, allowing users to lock their stolen devices remotely via android.com/lock. This function requires only the phone number and a security challenge, giving users time to recover their account details and utilize additional options in Find My Device, such as initiating a full factory reset to wipe the device clean. 

According to Google Vice President Suzanne Frey, these features aim to make it significantly harder for thieves to access stolen devices. All these features—Theft Detection Lock, Offline Device Lock, and Remote Lock—will be available through a Google Play services update for devices running Android 10 or later. Additionally, the new Android 15 release will bring enhanced factory reset protection. This upgrade will require Google account credentials during the setup process if a stolen device undergoes a factory reset. 

This step renders stolen devices unsellable, thereby reducing incentives for phone theft. Frey explained that without the device or Google account credentials, a thief won't be able to set up the device post-reset, essentially bricking the stolen device. To further bolster security, Android 15 will mandate the use of PIN, password, or biometric authentication when accessing or changing critical Google account and device settings from untrusted locations. This includes actions like changing your PIN, accessing Passkeys, or disabling theft protection. 

Similarly, disabling Find My Device or extending the screen timeout will also require authentication, adding another layer of security against criminals attempting to render a stolen device untrackable. Android 15 will also introduce "private spaces," which can be locked using a user-chosen PIN. This feature is designed to protect sensitive data stored in apps, such as health or financial information, from being accessed by thieves.                                                                           
These updates, including factory reset protection and private spaces, will be part of the Android 15 launch this fall. Enhanced authentication protections will roll out to select devices later this year. 
Google also announced at Google I/O 2024 new features in Android 15 and Google Play Protect aimed at combating scams, fraud, spyware, and banking malware. These comprehensive updates underline Google's commitment to user security in the increasingly digital age.
Read more »
Unauthorized access
Android devices Data Breach Google Phishing Attacks UK Police Unauthorized access

Android Users Beware: Glitch in 999 Call Feature Raises Concerns

 

Users of Android phones have been alerted by the UK police about a potentially hazardous bug in the 999 emergency call feature. Authorities are worried that some Android devices could unintentionally mute emergency calls, endangering lives. Law enforcement organizations and technological businesses are both taking immediate measures to solve the issue.

According to reports, the glitch occurs when users accidentally press the power button on their Android devices multiple times while attempting to call emergency services. This action activates the phone's silent or vibrate mode, preventing the user from alerting emergency responders effectively. It is crucial to note that in emergency situations, every second counts, and any delay or impediment in making a distress call can have dire consequences.

The UK police have reached out to Google, the company behind the Android operating system, to address this critical issue. Authorities have requested that Google investigate the glitch and implement necessary measures to prevent accidental activation of the silent mode during emergency calls. The timely response and cooperation from Google are vital to rectifying this flaw and ensuring the safety of Android users.

Law enforcement agencies are urging Android phone owners to be cautious while dialing emergency services. It is recommended to double-check the phone's volume settings before making a call to 999. Additionally, users should avoid repeatedly pressing the power button, as this action may trigger the silent mode inadvertently.

The glitch has raised concerns among emergency service providers, who rely on quick and accurate information to respond effectively to emergencies. Any delay or disruption in receiving distress calls can significantly impact the response time and potentially jeopardize lives. It is therefore imperative for both technology companies and smartphone users to remain vigilant and prioritize the reliability and functionality of emergency services.

In response to these concerns, Google has acknowledged the issue and assured the public that they are actively investigating the matter. The company is working to identify the root cause of the glitch and develop a solution to mitigate its impact. Users are advised to install software updates promptly, as these updates often include bug fixes and security patches that address such issues.

While the glitch affects a specific group of Android users, it serves as a reminder of the importance of thorough testing and quality assurance in technology development. Issues like this highlight the need for continuous monitoring and improvement to ensure the safety and reliability of devices and services.
Read more »
Eavesdropping Scam
Android devices Caller Identity Cyber Attacks EarSpy Attack Eavesdropping Scam

EarSpy Attack: Motion Data Sensors Used to Pry on Android Devices


A team of researchers has created an eavesdropping attack for Android devices that, to varying degrees, can identify the gender and identity of the caller and even decipher private speech. 

EarSpy Attack 

The side-channel attack, EarSpy, opens up new possibilities of eavesdropping via motion sensor data readings produced by reverberations from ear speakers in mobile devices. The attack was initially established in smartphone loudspeakers, since ear speakers were comparatively weak, to produce adequate vibrations for eavesdropping. 

However, today's smartphones include stereo speakers that are more potent, providing far higher sound quality and stronger vibrations. 

The Experiment 

EarSpy is an experiment conducted by a team of researchers from universities like Rutgers University, Texas A&M University, Temple University, New Jersey Institute of Technology, and the University of Dayton. 

  • The researchers utilized the OnePlus 7T and OnePlus 9 devices along with varying sets of pre-recorded audio that was exclusive via the ear speakers of the two devices.  
  • During a simulated call, a third-party app named Physics Toolbox Sensor Suite was used in order to capture accelerometer data. 
  • They then analyzed the audio stream using MATLAB to extract characteristics. 

The research team discovered that caller gender identification on OnePlus 7T device ranged between 77.7% and 98.75%, speech recognition between 51.85% and 56.4%, and caller ID classification between 63.0% and 91.2%. 

This demonstrated the existence of speech feature differentiation in the accelerometer data that attackers can use for eavesdropping. The gender of the user could be ascertained by attackers utilizing a lower sampling rate, as demonstrated by EarSpy's focus on gender recognition using data gathered at 20 Hz. 

How to Prevent Eavesdropping? 

To prevent eavesdropping using sensor data, researchers suggested limiting permissions so that third-party programmes cannot capture sensor data without the user's permission. To avoid unintentional data breaches, Android 13 prohibits the collecting of sensor data at 200 Hz, without the user's consent. 

Mobile device manufacturers shall remain cautious while designing more potent speakers and instead concentrate on keeping a similar sound pressure during audio conversations as was maintained by old-generation phones' ear speakers. 

Moreover, it is recommended to position motion sensors as far from the ear speaker as possible, to minimize the phone speaker’s vibrations and alleviate the likelihood of spying.

Read more »
Spyware
Android devices Command and Control(C2) Data Breach f Italy Lookout Pegasus SMS Attack Spyware

'Hermit' Spyware Deployed in Syria, Kazakhstan, and Italy



Lookout Inc. discovered an enterprise-grade Android surveillanceware being used by the authorities operating within Kazakhstan's borders. Lookout researchers identified evidence of the spyware, called "Hermit," being used in Italy and northern Syria. 

Researchers got a sample of "Hermit" in April 2022, four months after a series of violently suppressed nationwide rallies against government policies. The Hermit spyware was most likely built by RCS Lab S.p.A, an Italian surveillance firm, and Tykelab Srl. 

The Hermit spyware was most likely produced by Italian surveillance vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company accused of acting as a front company, according to Lookout. 

In the same market as Pegasus creator NSO Group Technologies and Gamma Group, which invented FinFisher, is a well-known developer with previous interactions with governments such as Syria. This appears to be the first time that a modern RCS Lab mobile spyware client has been publicly disclosed. 

The spyware is said to be spread by SMS messages that spoof users into installing what appear to be harmless apps from Samsung, Vivo, and Oppo, which, when launched, load a website from the impersonated company while silently initiating the kill chain. 

Spyware has been seen to infect Android smartphones in the past. The threat actor APT-C-23 (aka Arid Viper) was linked to a series of attacks targeting Middle Eastern users with new FrozenCell versions in November 2021. Last month, Google's Threat Analysis Group (TAG) revealed that government-backed actors in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are purchasing Android zero-day exploits for covert surveillance efforts. 

As per Lookout, the samples studied used a Kazakh language website as a decoy, and the main Command-and-control (C2) server used by this app was a proxy, with the true C2 being located on an IP from Kazakhstan. "They call themselves 'lawful intercept' organizations since they claim to only sell to customers with legitimate surveillance purposes, such as intelligence and law enforcement agencies. Under the pretext of national security, similar technologies have been used to phish on corporate executives, human rights activists, journalists, academics, and government officials "as per the researchers. 

The revelations came as the Israel-based NSO Group is rumored to be in talks to sell its Pegasus technology to US defense contractor L3Harris, which makes StingRay cellular phone trackers, raising concerns it could allow law enforcement to deploy the controversial hacking tool.
Read more »
WiFi
Android devices Bluetooth Bugs Fingerprints Flaws Research Vulnerabilities and Exploits WiFi

Hardware Bugs Provide Bluetooth Chipsets Unique Traceable Fingerprints

 

A recent study from the University of California, San Diego, has proven for the first time that Bluetooth signals may be fingerprinted to track devices (and therefore, individuals). At its root, the identification is based on flaws in the Bluetooth chipset hardware established during the manufacturing process, leading to a "unique physical-layer fingerprint."

The researchers said in a new paper titled "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices, "To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals." 

The assault is made feasible by the pervasiveness of Bluetooth Low Energy (BLE) beacons, which are constantly delivered by current smartphones to allow critical tasks such as contact tracking during public health situations. 

The hardware flaws come from the fact that both Wi-Fi and BLE components are frequently incorporated into a specialised "combo chip," effectively subjecting Bluetooth to the same set of metrics that may be utilized to uniquely fingerprint Wi-Fi devices: carrier frequency offset and IQ imbalance. 

Fingerprinting and monitoring a device, therefore, includes calculating the Mahalanobis distance for each packet to ascertain how similar the characteristics of the new packet are to its previously registered hardware defect fingerprint. 

"Also, since BLE devices have temporarily stable identifiers in their packets [i.e., MAC address], we can identify a device based on the average over multiple packets, increasing identification accuracy," the researchers stated. 

However, carrying out such an attack in an adversarial situation has numerous obstacles, the most significant of which is that the ability to uniquely identify a device is dependent on the BLE chipset employed as well as the chipsets of other devices in close physical distance to the target. Other key aspects that may influence the readings include device temperature, variations in BLE transmit power between iPhone and Android devices, and the quality of the sniffer radio utilised by the malicious actor to carry out the fingerprinting assaults. 

The researchers concluded, "By evaluating the practicality of this attack in the field, particularly in busy settings such as coffee shops, we found that certain devices have unique fingerprints, and therefore are particularly vulnerable to tracking attacks, others have common fingerprints, they will often be misidentified. BLE does present a location tracking threat for mobile devices. However, an attacker's ability to track a particular target is essentially a matter of luck."
Read more »
Infected Devices
Android Android devices Botnet Cyber Attacks DDOS Attack Infected Devices

Turkish National Charged for DDoS Attack on U.S. Company

 

Authorities in the United States charged a Turkish national for launching distributed denial-of-service (DDoS) assaults against a Chicago-based multinational hospitality company using a now-defunct malware botnet. 

Izzet Mert Ozek, 32, is accused of launching attacks against the Chicago multinational in August 2017 using WireX, a botnet developed using Android malware. 

According to authorities, Ozek's attacks caused infected Android devices to transmit massive volumes of online traffic to the company's public website and online booking service, leading servers to crash. As per the news release from the US Department of Justice, the charges were announced on September 29 in the Northern District of Illinois. 

The press release stated, “In August 2017, IZZET MERT OZEK used the WireX botnet, which consisted of compromised Google Android devices, to direct large amounts of network traffic to the hospitality company’s website, preventing legitimate users from completing hotel bookings, according to an indictment returned Tuesday in U.S. District Court in Chicago. The hospitality company, which managed luxury hotels and resorts, was headquartered in Chicago and the servers for its website were located in northern Illinois.” 

“The indictment charges Ozek, 32, with one count of intentionally causing damage to a protected computer. Ozek is believed to be residing in Turkey, and a warrant for his arrest will be issued.” 

The official statement and indictment do not specify whether Ozek developed the WireX botnet himself or bought it from a third party. The botnet, which was created just a month before in July 2017, soon grew to gigantic size of more than 120,000 bots after its creator attacked Android smartphones with fraudulent Android apps. 

Months after the disastrous Mirai malware attacks at the end of 2016, the cyber-security industry responded quickly to eliminate the emerging danger while it was still in its early phases. 

A coalition of security firms, including Akamai, Cloudflare, Flashpoint, Google, Dyn, RiskIQ, and Team Cymr, launched an investigation weeks after the attack on the Chicago multinational company to track WireX’s bots and backend infrastructure and then seize and take down its command and control systems.
Read more »
Third Party Apps
Android devices Google Play Malicious Campaign malware Third Party Apps

GriftHorse Malware has Infected More than 10 Million Android Devices

 

A new malware named GriftHorse is said to have infected over 10 million Android cell phones. According to the research at mobile security firm Zimperium, the threat group has been executing the campaign since November 2020. The GriftHorse malware was propagated through both Google Play and third-party application stores, according to the research group, and it stole "hundreds of millions of Euros" from victims. 

GriftHorse will produce a significant number of notifications and popups when a user downloads any of the malicious programmes, luring consumers in with exceptional discounts or prizes. People who click these are taken to a web page where they must authenticate their phone number in order to gain access to the promotion. 

In actuality, GriftHorse's victims are paying for premium SMS services that cost more than $35 per month. GriftHorse operators are thought to have made anywhere from $1.5 million to $4 million per month with this fraud, and their initial victims are thought to have lost more than $230 if they didn't stop the scam. 

GriftHorse malware has been tracked by Zimperium researchers Aazim Yaswant and Nipun Gupta for months, and they describe it as "one of the most widespread campaigns the zLabs threat research team has encountered in 2021." But, according to the two Zimperium researchers, the GriftHorse developers put a lot of effort into the quality of their malware, using a wide range of websites, malicious apps, and developer personas to infect victims and evade detection as much as possible.

“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” Yaswant and Gupta explained. “In addition to a large number of applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims.” 

Handy Translator Pro, Heart Rate and Pulse Tracker, Geospot: GPS Location Tracker, iCare – Find Location, and My Chat Translator are among the popular apps infested with GriftHorse malware. Users in India are also affected, according to the firm. Zimperium, a member of the App Defense Alliance, claimed it alerted Google about all GriftHorse-infected apps, which have since been withdrawn from the Play Store. These apps may, however, still be available in third-party app stores.
Read more »
malware
Android devices Google Play Store Joker malware malware

Joker Virus is Back, Targeting Android Devices

 

The notorious Joker has made a comeback, according to Belgian police, who cautioned about the Joker Virus that only targets Android smartphones and lurks in numerous apps available on the Google marketplace known as Play Store. 

The Joker malware is among the most tenacious and annoying viruses for Android, and it is even capable of infecting people through the use of the Google Play Store since it is disguised within defenseless apps. This Joker software can completely deplete victims' bank account of all funds. The 'Joker' Trojan infection is part of the Bread malware family, whose primary goal is to hijack cell phone bills and allow activities without the user's knowledge. 

As per experts at cybersecurity firm Quick Heal Security Lab, the Joker virus could access user smartphone's text messages, contact information, and a variety of other data, enabling it to enroll in websites providing premium services. Due to this users face the danger of receiving a large bill from their bank or credit card at the end of the month. 

"This malicious program has been detected in eight Play Store applications that Google has suppressed," stated the Belgian authorities in a statement published on Friday 20th August on their website. 

The 'Joker' malware made headlines in 2017 for attacking and stealing data from its victims while masquerading in several applications. Since that day, Google Play Store defense systems have deleted approximately 1,700 apps containing the 'Joker' malware before they could be installed by users. The 'Joker' virus was discovered in 24 Android applications in September 2020, with over 500 thousand downloads before even being deactivated. It is suspected that more than 30 countries were impacted at the time, along with the United States, Brazil, and Spain. Hackers might take up to $7 (approximately 140 Mexican pesos) per subscription weekly via illicit memberships, an amount that has most certainly escalated in recent months. 

According to La Razón, the cybersecurity firm Zscaler has publicly revealed the names of 16 other apps that, according to its investigation, also include this dangerous code: Private SMS, Hummingbird PDF Converter - Photo to PDF, Style Photo Collage, Talent Photo Editor - Blur focus, Paper Doc Scanner, All Good PDF Scanner, Care Message, Part Message, Blue Scanner, Direct Messenger, One Sentence Translator - Multifunctional Translator, Mint Leaf Message-Your Private Message, Unique Keyboard - Fancy Fonts & Free Emoticons, Tangram App Lock, Desire Translate and Meticulous Scanner. 

Initially, apps infected with 'Joker' or another Malware from any of this family committed SMS fraud but soon began to target electronic payments. These two strategies make use of telephone operators' interaction with suppliers to permit service payment via the mobile bill. Both necessitate device authentication but not human verification, allowing them to automate transactions without requiring any user participation. 

In addition, it is typical for all those impacted by 'Joker' to be unaware of the theft unless they thoroughly study their bank statements. It's because the bank does not detect an evidently 'regular' membership and, in general, the charges are so little that they are not noticed as odd movements, therefore the account holder does not even send a traffic notification. 

Furthermore, the malicious applications that the Google Play Store removed upon discovering that they carried the 'Joker' virus are as follows: Auxiliary Message, Element Scanner, Fast Magic SMS, Free Cam Scanner, Go Messages, Super Message, Super SMS, and Travel Wallpapers.
Read more »
Trojan
Android devices APKPure Kaspersky malware Trojan

APKPure Compromised to Deliver Malware

 

APKPure, one of the biggest alternative application stores outside of the Google Play Store, was tainted with malware this week, permitting threat actors to disseminate Trojans to Android gadgets. In an incident that is like that of German telecommunications equipment manufacturer Gigaset, the APKPure customer variant 3.17.18 is said to have been altered trying to trick unsuspecting clients into downloading and installing noxious applications linked to the malevolent code incorporated into the APKpure application. The development was reported by researchers from Doctor Web and Kaspersky. 

“Doctor Web specialists have discovered a malicious functionality in APKPure—an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.” reads a post published by Doctor Web. "This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing, and uninstalling software without users' permission," Doctor Web researchers added.

Triada was designed with the particular purpose to carry out financial frauds, typically hijacking financial SMS transactions. The most intriguing trait of the Triada Trojan is its modular architecture, which gives it theoretically a wide range of abilities. 

As per Kaspersky, the APKPure rendition 3.17.18 was altered to incorporate an advertisement SDK that goes about as a Trojan dropper intended to convey other malware to a victim's gadget. "This component can do several things: show ads on the lock screen; open browser tabs; collect information about the device; and, most unpleasant of all, download other malware," Kaspersky's Igor Golovin said. In light of the discoveries, APKPure has released another rendition of the application (form 3.17.19) on April 9 that eliminates the malevolent part. "Fixed a potential security problem, making APKPure safer to use," the developers behind the app distribution platform said in the release notes.

“If the user has a relatively recent version of the operating system, meaning Android 8 or higher, which doesn’t hand out root permissions willy-nilly, then it loads additional modules for the Triada Trojan. These modules, among other things, can buy premium subscriptions and download other malware. If the device is older, running Android 6 or 7, and without security updates installed (or in some cases not even released by the vendor), and thus more easily rootable, it could be the xHelper Trojan.” states Kaspersky.
Read more »
Windows
Android devices Cyber Attacks Google iOS Windows

Hackers used 11 Zero-Days to Attack Windows, iOS, Android Users

 

Malware trackers at Google keep on pointing out a complex APT group that burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and gadgets. The group has effectively utilized "watering hole" assaults to divert explicit targets to a couple of exploit servers conveying malware on Windows, iOS, and Android gadgets. 

The cross-platform capacities and the readiness to utilize almost a dozen zero-days in under a year signals a well-resourced threat actor with the ability to access hacking tools and exploits from related groups. In another blog post, Google Project Zero researcher Maddie Stone released additional details on the exploit chains found in the wild last October and cautioned that the most recent disclosure is attached to a February 2020 campaign that incorporated the utilization of multiple zero-days. As per Stone, the threat actor from the February 2020 campaign went dark for a couple of months but returned in October with dozens of websites redirecting to an exploit server. 

“Once our analysis began, we discovered links to a second exploit server on the same website. After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers. In our testing, both of the exploit servers existed on all of the discovered domains,” Stone explained. 

The first exploit server at first reacted distinctly to Apple iOS and Microsoft Windows user-agents and was active for at least a week after Google's researchers began recovering the hacking devices. This server included exploits for a distant code execution bug in the Google Chrome rendering engine and a v8 zero-day after the underlying bug was fixed. Stone said the first server momentarily reacted to Android user-agents, proposing exploits existed for every one of the significant platforms.

Stone noticed that the assailants utilized a special obfuscation and anti-analysis check on iOS gadgets where those exploits were encrypted with ephemeral keys, “meaning that the exploits couldn't be recovered from the packet dump alone, instead of requiring an active MITM on our side to rewrite the exploit on-the-fly.”
Read more »
User Security
Android devices data security Privacy User Data User Security

Here's how to Ensure Data Security Using FShred App


Users are well aware of the fact that while deleting photos, videos, files, or any other form of data on their Android, it doesn't get deleted in an irrecoverable manner and can be recovered in a number of ways using recovery tools. Although regaining access to a deleted file might be rewarding in many scenarios, the rest of the time users would prefer a once and for all deletion of the same to ensure data safety.

In the sphere of Data security, continually rising unwanted activities of unauthorized users call for the creation of something that can protect users against data breaches and cyberattacks destroying their sensitive data. Users need their data to be erased in a manner that no recovery tool can undo it.

How can it be done?

When users have no intention to retrieve their deleted data by any means, data eraser apps come into play. These apps help users delete their sensitive data in ways that make it irrevocable from their Android devices. It proves to be of significant service when users plan to sell their smartphone or just share it with someone as it could mean a serious threat to their important data.

FShred is a user-friendly app that makes use of data sanitization methods that overwrite data on both, internal and external storage of Android phone to permanently delete the deleted files from the internal storage, it does so by overwriting all available space with random data. What does that mean? It's a process that replaces all the deleted files (Photos, videos, etc) with purposeless bytes sent by a random generator; by overwriting the occupied space, it effectively ensures the deletion of that data beyond recovery.

Developed by Emile Gee, FShred is one amazing tool that would allow you easily wipe all your sensitive data using advanced shredder algorithms, it shreds your data and recovers valuable storage space on your Android device.

The app has undergone various tests with file recovery tools such as GT File Recovery and none of the applications were successful in recovering the deleted data. Additionally, the app contains no in-app purchases or advertisements and is completely free and handy for users.
Read more »
Smartphone Hacks
Android Android devices Android Hacks Phone hacking Smartphone Smartphone Hacks

Android phones vulnerable to Qualcomm bugs

Security researchers from Tencent’s Blade Team are warning Android smartphone and tablet users of flaws in Qualcomm chipsets, called QualPwn. The bugs collectively allow hackers to compromise Android devices remotely simply by sending malicious packets over-the-air – no user interaction required.

Three bugs make up QualPwn (CVE-2019-10539, CVE-2019-10540 and CVE-2019-10538). The prerequisite for the attack is that both the attacker and targeted Android device must be active on the same shared Wi-Fi network.

“One of the vulnerabilities allows attackers to compromise the WLAN and modem, over-the-air. The other allows attackers to compromise the Android kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android kernel over-the-air in some circumstances,” wrote researchers.

All three vulnerabilities have been reported to Qualcomm and Google’s Android security team and patches are available for handsets. “We have not found this vulnerability to have a public full exploit code,” according to a brief public disclosure of the flaws by the Tencent Blade Team.

Researchers said their focus was on Google Pixel2 and Pixel3 handsets and that its tests indicated that unpatched phones running on Qualcomm Snapdragon 835 and Snapdragon 845 chips may be vulnerable.

A Qualcomm spokesperson told Threatpost in a statement: “Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program. Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs.”

The first critical bug (CVE-2019-10539) is identified by researchers as a “buffer copy without checking size of input in WLAN.” Qualcomm describes it as a “possible buffer overflow issue due to lack of length check when parsing the extended cap IE header length.”
Read more »
Google
Android Android devices Backdoors Banking Trojans Forbes Google

Many Android devices had pre-installed backdoor: Google

Earlier this year, Forbes reported how a banking Trojan called Triada had been found on a bunch of brand new budget Android smartphones. Google has now confirmed that threat actors did, indeed, manage to compromise Android smartphones with the installation of a backdoor as part of a supply chain attack.

Two years later, on Thursday, Google has now admitted that criminals in 2017 indeed managed to get an advanced backdoor preinstalled on Android devices, even before these left the factories of manufacturers.

The list of affected devices includes Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20.

To understand what has happened here, we need to go back to 2016 when Kaspersky Lab researchers first uncovered what they called one of the most advanced mobile Trojans Kaspersky malware analysts had ever seen. They named that Trojan "Triada" and explained how it existed mainly in the smartphone's random access memory (RAM) using root privileges to replace system files with malicious ones. Android phones were spotted to have Triada as a preloaded backdoor in 2017.

The firm, Dr. Web’s, researchers had found Triada embedded into one of the OS libraries and located in the system section. Not just that, the Trojan couldn’t be detected or deleted using standard methods.

Triada had, the researchers found, used a call in the Android framework log function instead. In other words, the infected devices had a backdoor installed. This meant that every time an app, any app, attempted to log something the function was called and that backdoor code executed. The Triada Trojan could now execute code in pretty much any app context courtesy of this backdoor; a backdoor that came factory-fitted.

The Mountain View, California-headquartered company initially removed Triada samples from all Android devices using Google Play Protect. But in 2017, it was found that Triada evolved and ultimately became a preloaded backdoor on Android devices. Notably, the latest phones aren't likely to be affected by what has been discovered by Google. The vulnerability did have an impact on various models in the past, though.
Read more »
Web browser
Android devices Apple Devices Firefox Mozilla Foundation Operating system Web browser

New OS takes on Apple, Android

Firefox, a web browser made by the non-profit Mozilla Foundation, was born as “Phoenix”. It rose from the ashes of Netscape Navigator, slain by Microsoft’s Internet Explorer. In 2012 Mozilla created Firefox os, to rival Apple’s ios and Google’s Android mobile operating systems. Unable to compete with the duopoly, Mozilla killed the project.

Another phoenix has arisen from it. Kaios, an operating system conjured from the defunct software, powered 30m devices in 2017 and another 50m in 2018. Most were simple flip-phones sold in the West for about $80 apiece, or even simpler ones which Indians and Indonesians can have for as little as $20 or $7, respectively. Smartphones start at about $100. The company behind the software, also called Kaios and based in Hong Kong, designed it for smart-ish phones—with an old-fashioned number pad and long battery life, plus 4g connectivity, popular apps such as Facebook and modern features like contactless payments, but not snazzy touchscreens.

With millions of Indians still using feature phones, it’s no surprise that this brainchild of San Diego startup KaiOS Technologies is already the second most popular mobile operating system in Indiaafter Android, capturing over 16% market share. iOS is second with 10%share, as per an August 2018 analysis by tech consulting firm Device Atlas.

The new category of handsets powered by KaiOS, which has partnered with Reliance Jio, require limited memory while still offering a rich user experience through services like Google Assistant, Google Maps, YouTube, and Facebook, among others.

Faisal Kawoosa, founder, techARC, credits KaiOS with bringing about a paradigm shift in infotainment in India. “This (the feature phone platform) becomes the first exposure of mobile users to a digital platform. It is also helping the ecosystem and new users to digital services without much increase to the cost of the device,” he said.
Read more »
Google Play Store
Adware Android devices Google Play Store

Malicious Android Adware Infects Approximately 200 Apps on Play Store



 A monstrous adware campaign nicknamed "SimBad" was found to be in around 206 applications on Google Play Store, known to have been downloaded roughly 150 million times. Since most of them are simulation type games, thus the term 'SimBad' has been coined.

The designers of the applications may not be entitled totally to the blame as they also may have been baited by false promises. They may have not understood that they were utilizing a promotion related software development kit or SDK whose reason for existing is to install adware on devices.

Once an application infected by SimBad gets downloaded, the adware registers itself on the system with the goal that it can keep running on boot and from that point onwards, it can perform activities like opening a browser page to phish user information, open an application store including Google Play Store (to be specific) potentially malicious application, or even download and install an application in the background.

As per Security outfit Check Point, the applications perform different malicious behavior that the user's need to be wary of, including:
  1. Showing ads outside of the application, for when the user unlocks their phone or uses other apps.
  2. Constantly opening Google Play or 9Apps Store and redirecting to another particular application, so the developer can profit from additional installations.
  3. Hiding its icon from the launcher in order to prevent uninstallation.
  4. Opening a web browser with links provided by the app developer.
  5. Downloading APK files and asking the user to install it.
  6. Searching a word provided by the app in Google Play.

As a matter of fact, SimBad is less appalling than other malware that got away from Google's notice however it does as of now can possibly accomplish more harm as, according to Checkpoint, "SimBad' has abilities that can be divided into three groups namely - Show Ads, Phishing, and Exposure to other applications.

Keeping in mind the user privacy, Google has officially brought down the infected applications and will doubtlessly add the adware strain to Google Protect’s AI.

Read more »
IoT
Android Debug Bridge Android devices DDOS Attacks IoT

Hide and Seek Iot Botnet Increasing Infection Capabilities with New Vectors



The Hide and Seek IoT botnet has been updated to act against the Android devices and the criminal group behind its advancement and development has been seen to include a new functionality in recurring incremental optimizations to the fundamental engine.

The Android infections appear to be caused not by focusing on specific vulnerabilities, rather concentrating on maltreatment of the Android Debug Bridge (ADB) option. As a matter of course this is turned-off however at times users might need to turn it on.

The IoT botnet has been spotted to have added around 40 000 gadgets to its stockpile, the infected devices are for the most part from China, Korea and Taiwan. Numerous Android devices are currently part of the home infrastructure — phones, tablets, televisions and various peripherals. This is the motivation behind why attacks utilizing it are exceptionally viewed as critical.

Its samples concentrate on the devices that have set the ADB option on either as a matter of course or by the users themselves. At the point when this capacity is empowered the devices are uncovered as this opens a network port accessing remote connections. Malignant administrators have been spotted to perform unauthenticated login endeavors — utilizing either default passwords or 'brute forcing the devices'.

The attacks likewise prompt the conclusion that the criminal collective behind the botnet is always attempting to update its features. The tremendously expanded number of infected devices is apparent that the botnet is gaining more energy. Botnets are known to be quite efficient when it comes to launching conveyed denial-of-service attacks (DDoS) which can render sites and PC systems non-working.

Chief Security Researcher at Bitdefender Alex Balan said that the botnet's purpose for the time being gives off an impression of being to increase its size and nothing more.
Despite the fact that it bolsters directions for data exfiltration and code execution the researchers have not seen them to be utilized by the botnet and additionally, there is no module for propelling dispersed denial-of-service attacks, an essential technique for botnet monetization.

Read more »
Google Chrome
Android devices Google Chrome

Android Users To Surf The Web Without A Constant Internet Connection.




On the 21st of June Google presented a new feature for its Android devices that would give users the access in India and a few different nations to surf the web without the need of a steady Web connection.

Started for Chrome on Android clients in India alongside 100 other nations including Nigeria, Indonesia, and Brazil, the feature will enable the users to surf web in areas with no or spotty web connections.

“When you’re connected to free, unmetered Wi-Fi, Chrome will automatically download relevant articles, based on what content is most popular in your location,” said Amanda Boss, Product Manager, and Offline Chrome for Android. 

For users who are already signed in, Chrome will likewise reserve important and relevant articles in view of the perusing history with the goal that the user can read them when there is no web connection in the phone. This feature is now accessible in the most recent version of Chrome.

The feature case to set aside 70 per cent of the user’s data and with the data saver mode on, Chrome downloads the content that it assumes to be generally applicable.

At the point when the Data Saver is on, the most part of the web traffic goes through Google servers before being downloaded to that specific device and Google servers compress it so less data gets downloaded to the user's device.

Aside from this, Google likewise has a data saving application also that goes by the name of - Datally- it provides the user with a few different ways to control the data usage in their smartphones. The application accompanies highlights like: ability to set daily data usage limit, set a guest mode to see how much data a friend uses, highlighting the unused apps that may be eating up your data, data usage history, WiFi finder on map and many more.


Read more »
DNS Hijacking
Android devices Android Malware DNS Hijacking

Multilingual Malware Targets Android Devices for Phishing Attacks


A blog post titled 'Roaming Mantis uses DNS hijacking to infect Android smartphones' was published in April 2018, by the Kaspersky Lab, which spoke particularly about this Malware.

The malware i.e. Roaming Mantis utilizes Android malware which is intended to spread by means of DNS hijacking and targets Android gadgets specifically. This activity is said to be found for the most parts in Asia (South Korea, Bangladesh and Japan) in view of the telemetry data by the Kaspersky Lab.

Potential victims were supposedly redirected by DNS hijacking to a pernicious web page that distributed a Trojanized application spoofed Facebook or Chrome that is then installed by the users manually. The application in reality contained an Android Trojan-Banker.

Not long after their publication it was drawn out into the open that various other researchers were also additionally concentrated on this malware family. In May though, while the Roaming Mantis also known as MoqHao and XLoader, was being monitored, the scientists at the Kaspersky Lab observed some very significant changes in their M.O.

“The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition to that, the criminals also added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”

According to Kaspersky Lab's researcher Suguru Ishimaru, the last crusade including Roaming Mantis was likewise dissected by the Kaspersky Lab and the discoveries were point by point in its blog post "The Roaming Mantis campaign evolved significantly in a short period of time."

The attacks have been extended to around 27 different languages including English, Hindi, Russian, Chinese, and Hebrew. Initially the malware was dispersed in five dialects only however now the range has been extended by utilizing an automatic translator. The full rundown of dialects is available here : 


Roaming Mantis is likewise said to be well-equipped for stealing private and sensitive data and necessary related  information from Apple and Android phones while cryptocurrency mining is performed by the accretion of a special script present  in the malware's HTML source code, which gets executed at whatever point the browser is opened.

Read more »
Subscribe to: Posts (Atom)