
Triada Malware Embedded in Counterfeit Android Devices Poses Global Security Risk

 


Counterfeit Android smartphones have increased significantly in recent years, and recent cybersecurity investigations have raised a specific concern about them: unauthorized replicas of popular models, widely circulated and offered at attractively low prices, are arriving pre-loaded with Triada, a sophisticated Android malware, causing widespread confusion and fear.

Triada, a Remote Access Trojan (RAT) originally discovered during campaigns targeting financial and communication applications, gives attackers covert access to infected devices. It is designed to harvest sensitive data discreetly, including login credentials, personal messages, and financial information.

Cybersecurity experts at Darktrace note that Triada employs evasion techniques to avoid detection by the threat intelligence community. In some cases, data is exfiltrated to command-and-control servers reached through algorithmically generated domain names, an approach that renders conventional threat monitoring and prevention tools ineffective.
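Because the C2 channel relies on algorithmically generated domains, one defensive response is to score the names a device resolves for randomness rather than matching them against a blocklist. The following is an added example (not Darktrace's or Kaspersky's tooling) of such lexical heuristics run over DNS query logs; the log lines, client address and domains are constructed for the demonstration, and the scoring thresholds are tuned for it rather than taken from the article.

```python
"""Lexical DGA heuristics over DNS query logs.

Added example, not Darktrace's or Kaspersky's tooling: Triada's C2 traffic uses
algorithmically generated domains, so a defender can score the registrable label of
each queried name for randomness. The log lines and domains below are constructed.
"""
import math
from collections import Counter

# Constructed DNS query log: "<timestamp> <client-ip> <qname>" per line.
SAMPLE_DNS_LOG = """\
2025-01-01T10:00:01Z 10.0.0.21 www.google.com
2025-01-01T10:00:02Z 10.0.0.21 play.googleapis.com
2025-01-01T10:00:03Z 10.0.0.21 xk7qz2vb9tplm4wd.com
2025-01-01T10:00:04Z 10.0.0.21 connectivitycheck.gstatic.com
2025-01-01T10:00:05Z 10.0.0.21 qzx8rtv3jk0wpnm2.net
2025-01-01T10:00:06Z 10.0.0.21 api.telegram.org
2025-01-01T10:00:07Z 10.0.0.21 hgf4r9t2kxzbq7wn.info
"""

VOWELS = set("aeiou")


def registrable_label(qname):
    """Second-level label (the part a DGA varies). A real deployment should consult
    the public suffix list so that names under co.uk and similar split correctly."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Character entropy in bits; random labels approach log2(alphabet size)."""
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def dga_score(label):
    """0..3: one point each for high character entropy, few vowels, and embedded
    digits. Thresholds are tuned for this demo, not taken from the source article."""
    score = 0
    if len(label) >= 12 and shannon_entropy(label) > 3.5:
        score += 1
    letters = [ch for ch in label if ch.isalpha()]
    if letters and sum(ch in VOWELS for ch in letters) / len(letters) < 0.2:
        score += 1
    if len(label) >= 10 and sum(ch.isdigit() for ch in label) >= 2:
        score += 1
    return score


def suspicious_queries(log_text, threshold=2):
    """Return (client, qname, score) for every query whose label scores >= threshold."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            hits.append((client, qname, score))
    return hits


if __name__ == "__main__":
    for client, qname, score in suspicious_queries(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname} (score {score})")
```

Lexical scoring alone produces false positives on CDN and telemetry hostnames, so in practice it is combined with an allowlist, domain age from WHOIS or passive DNS, and a count of NXDOMAIN responses per client, which rises sharply when a DGA cycles through candidate names.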

The recent discovery highlights that malicious software embedded in the firmware of mobile devices, particularly those sourced from unknown or unreliable vendors, poses a growing cybersecurity threat. Because the malware is present before the user ever activates the device, the threat is considerably more serious. Experts recommend that consumers and businesses exercise greater caution when procuring mobile hardware, especially in markets where devices are distributed without any government regulation.

It has also become more important for mobile threat defense systems to grow more sophisticated and remain effective against deeply embedded malware. These findings point to a strong need for robust supply chain verification, effective endpoint security strategies, and greater awareness of the risks of counterfeit electronics. Kaspersky security experts have warned consumers against buying heavily discounted Android smartphones from unverified online platforms that are deemed untrustworthy.

Reports indicate that more than 2,600 compromised devices have been delivered to unsuspecting users, most of them already infected with the sophisticated mobile malware Triada, and that the infections are prevalent in Russia. According to Kaspersky's research, the latest variant of the Trojan is not merely installed as a malicious application but is incorporated into the device's firmware.

The malware sits in Android's system framework layer, which allows it to infiltrate every process running on the system. This deep integration gives it access to the entire system while evading traditional detection tools, making it particularly difficult to identify or remove with conventional techniques. First identified in 2016, the Trojan gained notoriety for operating mainly in the volatile memory of an Android device, which makes it extremely hard to detect, and its modular nature lets it run on a variety of Android devices.

Over the years it has grown more complex and stealthy, and multiple cases have been documented in which the malware was integrated into the firmware of budget Android smartphones sold through unauthorized, unreliable retailers. Triada is a highly persistent threat because its firmware-level embedding makes it impossible to remove with conventional removal techniques; eradicating it requires a full ROM reset.

According to Kaspersky's latest analysis, the most recent strain of Triada retains sophisticated evasion capabilities. To maintain continuous control and access, the malware burrows into the Android system framework and replicates itself across all active processes. Once activated, it executes a variety of malicious functions on compromised devices: the attackers can hijack users' social media credentials, manipulate WhatsApp and Telegram to send or delete messages under the guise of the user, intercept or reroute calls using spoofed phone numbers, and more.

The malware also lets the attackers make premium SMS payments, monitor web activity, alter hyperlinks, and replace cryptocurrency wallet addresses during transactions, resulting in unauthorized financial losses. It is also capable of installing other programs remotely and disrupting network connectivity to bypass security measures or hinder forensic investigations.

According to Kaspersky's telemetry, this Triada variant has already diverted approximately $270,000 worth of cryptocurrency, although the full extent of the theft remains unclear because the operation uses privacy-centric cryptocurrencies such as Monero. The exact infection vector is also unclear, but researchers strongly believe the infection occurs during the manufacturing or distribution stages of the device.

It is increasingly clear that modified variants of Triada are being found not only in smartphones but in other Android-based devices, including tablets, TV boxes, and digital projectors. These infections have been associated with a broader fraudulent campaign known as BADBOX and are often the result of compromised hardware supply chains and unregulated third-party marketplaces, which give the malware its initial foothold on the user's device.

In 2017 Triada developed into a backdoor built into the Android framework, allowing threat actors to remotely install more malware on affected devices and exploit them for a variety of malicious operations. Google's 2019 disclosure revealed that infection typically occurs during the production stage, when original equipment manufacturers (OEMs) outsource custom features, such as facial recognition, to third parties.

In such cases these external developers may modify entire system images, and they have been implicated in injecting malware such as Triada into the operating system. Google identified one such vendor, known as Yehuo or Blazefire, as a potential contributor to the spread of the malware.

Kaspersky confirmed in its analysis of samples that the Trojan is integrated into the system framework, which facilitates its replication across all processes on the device and enables unauthorized actions such as credential theft, covert communications, manipulation of calls and SMS, substitution of links, activation of premium services, and disruption of network connectivity. Triada is not an isolated example of supply chain malware: Avast revealed in 2018 that several Android devices made by manufacturers such as ZTE and Archos came preloaded with an adware called Cosiloon.

According to Kaspersky's ongoing investigation, the latest strain of Triada is embedded directly in the firmware of compromised Android devices, primarily in the system framework. This strategic placement lets the malware integrate itself into all active processes on the device, giving the attacker complete control over the entire system.

In a recent Kaspersky article, cybersecurity specialist Dmitry Kalinin highlighted the persistent threat posed by Triada, describing it as one of the most intricate and persistent malware families targeting Android devices. Part of the reason is that the malware is often introduced before the devices reach the end user, probably through a compromised point in the manufacturing or supply chain, leaving retailers unaware that the devices they distribute are already infected.

The malware can perform a wide variety of harmful activities once it becomes active, including taking control of email accounts and social media accounts, sending fraudulent messages, stealing digital assets such as cryptocurrency, spying on users, and remotely installing malicious software to further harm their system. 

A growing number of experts advise consumers and vendors to be extremely cautious when sourcing devices, especially from unofficial or heavily discounted marketplaces and particularly when buying online, because malware this deeply integrated can lead to large-scale data compromise. Protecting users from deeply embedded, persistent threats like Triada requires more stringent auditing of the supply chain as well as robust mobile threat defense solutions.

Why You Should Clear Your Android Browser’s Cache and Cookies



The web browser on your Android device, whether it's Google Chrome, Mozilla Firefox, or Samsung Internet, stores a variety of files, images, and data from the websites you visit. While this data can help load sites faster and keep you logged in, it also accumulates a lot of unnecessary information. This data buildup can potentially pose privacy risks.

Over time, your browser’s cookies and cache collect a lot of junk files. Some of this data comes from sites you’ve visited only once, while others track your browsing habits to serve targeted ads. For example, you might see frequent ads for items you viewed recently. Clearing your cache regularly helps eliminate this unnecessary data, reducing the risk of unknown data trackers lurking in your browser.

Though clearing your cache means you’ll have to log back into your favourite websites, it’s a small inconvenience compared to the benefit of protecting your privacy and freeing up storage space on your phone.

How to Clear Cookies and Cache in Google Chrome

To clear cookies and cache in Google Chrome on your Android device, tap the More button (three vertical dots) in the top right corner. Go to History and then Delete browsing data. Alternatively, you can navigate through Chrome’s Settings menu to Privacy and Security, and then Delete browsing data. You’ll have options under Basic and Advanced settings to clear browsing history, cookies and site data, and cached images and files. You can choose a time range to delete this data, ranging from the past 24 hours to all time. After selecting what you want to delete, tap Clear data.

How to Get Rid Of Unnecessary Web Files in Samsung Internet

For Samsung Internet, there are two ways to clear your cookies and cache. In the browser app, tap the Options button (three horizontal lines) in the bottom right corner, then go to Settings, and select Personal browsing data. Tap Delete browsing data to choose what you want to delete, such as browsing history, cookies, and cached images. Confirm your choices and delete.

Alternatively, you can clear data from the Settings app on your phone. Go to Settings, then Apps, and select Samsung Internet. Tap Storage, where you’ll find options to Clear cache and Clear storage. Clear cache will delete cached files immediately, while Clear storage will remove all app data, including cookies, settings, and accounts.

How to Declutter in Mozilla Firefox

In Mozilla Firefox, clearing cookies and cache is also straightforward. Tap the More button (three vertical dots) on the right of the address bar, then go to Settings and scroll down to Delete browsing data. Firefox offers options to delete open tabs, browsing history, site permissions, downloads, cookies, and cached images. Unlike Chrome, Firefox does not allow you to select a time range, but you can be specific about the types of data you want to remove.

Firefox also has a feature to automatically delete browsing data every time you quit the app. Enable this by going to Settings and selecting Delete browsing data on quit. This helps keep your browser tidy and ensures your browsing history isn’t accessible if your phone is lost or stolen.

Regularly clearing cookies and cache from your Android browser is crucial for maintaining privacy and keeping your device free from unnecessary data. Each browser—Google Chrome, Samsung Internet, and Mozilla Firefox—offers simple steps to manage and delete this data, boosting both security and performance. By following these steps, you can ensure a safer and more efficient browsing experience on your Android device.


Google Introduces Advanced Anti-Theft and Data Protection Features for Android Devices

 

Google is set to introduce multiple anti-theft and data protection features later this year, targeting devices from Android 10 up to the upcoming Android 15. These new security measures aim to enhance user protection in cases of device theft or loss, combining AI and new authentication protocols to safeguard sensitive data. 

One of the standout features is the AI-powered Theft Detection Lock. This innovation will lock your device's screen if it detects abrupt motions typically associated with theft attempts, such as a thief snatching the device out of your hand. Another feature, the Offline Device Lock, ensures that your device will automatically lock if it is disconnected from the network or if there are too many failed authentication attempts, preventing unauthorized access. 

Google also introduced the Remote Lock feature, allowing users to lock their stolen devices remotely via android.com/lock. This function requires only the phone number and a security challenge, giving users time to recover their account details and utilize additional options in Find My Device, such as initiating a full factory reset to wipe the device clean. 

According to Google Vice President Suzanne Frey, these features aim to make it significantly harder for thieves to access stolen devices. All these features—Theft Detection Lock, Offline Device Lock, and Remote Lock—will be available through a Google Play services update for devices running Android 10 or later. Additionally, the new Android 15 release will bring enhanced factory reset protection. This upgrade will require Google account credentials during the setup process if a stolen device undergoes a factory reset. 

This step renders stolen devices unsellable, thereby reducing incentives for phone theft. Frey explained that without the device or Google account credentials, a thief won't be able to set up the device post-reset, essentially bricking the stolen device. To further bolster security, Android 15 will mandate the use of PIN, password, or biometric authentication when accessing or changing critical Google account and device settings from untrusted locations. This includes actions like changing your PIN, accessing Passkeys, or disabling theft protection. 

Similarly, disabling Find My Device or extending the screen timeout will also require authentication, adding another layer of security against criminals attempting to render a stolen device untrackable. Android 15 will also introduce "private spaces," which can be locked using a user-chosen PIN. This feature is designed to protect sensitive data stored in apps, such as health or financial information, from being accessed by thieves.

These updates, including factory reset protection and private spaces, will be part of the Android 15 launch this fall. Enhanced authentication protections will roll out to select devices later this year.

Google also announced at Google I/O 2024 new features in Android 15 and Google Play Protect aimed at combating scams, fraud, spyware, and banking malware. These comprehensive updates underline Google's commitment to user security in the increasingly digital age.

Android Users Beware: Glitch in 999 Call Feature Raises Concerns

 

Users of Android phones have been alerted by the UK police about a potentially hazardous bug in the 999 emergency call feature. Authorities are worried that some Android devices could unintentionally mute emergency calls, endangering lives. Law enforcement agencies and technology companies are both taking immediate measures to solve the issue.

According to reports, the glitch occurs when users accidentally press the power button on their Android devices multiple times while attempting to call emergency services. This action activates the phone's silent or vibrate mode, preventing the user from alerting emergency responders effectively. It is crucial to note that in emergency situations, every second counts, and any delay or impediment in making a distress call can have dire consequences.

The UK police have reached out to Google, the company behind the Android operating system, to address this critical issue. Authorities have requested that Google investigate the glitch and implement necessary measures to prevent accidental activation of the silent mode during emergency calls. The timely response and cooperation from Google are vital to rectifying this flaw and ensuring the safety of Android users.

Law enforcement agencies are urging Android phone owners to be cautious while dialing emergency services. It is recommended to double-check the phone's volume settings before making a call to 999. Additionally, users should avoid repeatedly pressing the power button, as this action may trigger the silent mode inadvertently.

The glitch has raised concerns among emergency service providers, who rely on quick and accurate information to respond effectively to emergencies. Any delay or disruption in receiving distress calls can significantly impact the response time and potentially jeopardize lives. It is therefore imperative for both technology companies and smartphone users to remain vigilant and prioritize the reliability and functionality of emergency services.

In response to these concerns, Google has acknowledged the issue and assured the public that they are actively investigating the matter. The company is working to identify the root cause of the glitch and develop a solution to mitigate its impact. Users are advised to install software updates promptly, as these updates often include bug fixes and security patches that address such issues.

While the glitch affects a specific group of Android users, it serves as a reminder of the importance of thorough testing and quality assurance in technology development. Issues like this highlight the need for continuous monitoring and improvement to ensure the safety and reliability of devices and services.

EarSpy Attack: Motion Data Sensors Used to Pry on Android Devices


A team of researchers has created an eavesdropping attack for Android devices that, to varying degrees, can identify the gender and identity of the caller and even decipher private speech. 

EarSpy Attack 

The side-channel attack, EarSpy, opens up new possibilities for eavesdropping via motion sensor readings produced by the reverberations of a mobile device's ear speaker. Earlier work of this kind targeted smartphone loudspeakers, because ear speakers were comparatively weak and did not produce adequate vibrations for eavesdropping.

However, today's smartphones include stereo speakers that are more potent, providing far higher sound quality and stronger vibrations. 

The Experiment 

EarSpy is an experiment conducted by a team of researchers from universities like Rutgers University, Texas A&M University, Temple University, New Jersey Institute of Technology, and the University of Dayton. 

  • The researchers utilized the OnePlus 7T and OnePlus 9 devices along with varying sets of pre-recorded audio that was played exclusively through the ear speakers of the two devices.  
  • During a simulated call, a third-party app named Physics Toolbox Sensor Suite was used in order to capture accelerometer data. 
  • They then analyzed the audio stream using MATLAB to extract characteristics. 

The research team found that on the OnePlus 7T, caller gender identification accuracy ranged between 77.7% and 98.75%, speech recognition between 51.85% and 56.4%, and caller ID classification between 63.0% and 91.2%.

This demonstrated the existence of speech feature differentiation in the accelerometer data that attackers can use for eavesdropping. The gender of the user could be ascertained by attackers utilizing a lower sampling rate, as demonstrated by EarSpy's focus on gender recognition using data gathered at 20 Hz. 

How to Prevent Eavesdropping? 

To prevent eavesdropping via sensor data, the researchers suggested limiting permissions so that third-party programmes cannot capture sensor data without the user's permission. To avoid unintentional data breaches, Android 13 prohibits the collection of sensor data at 200 Hz without the user's consent.
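The permission gate described above gives app-vetting teams something concrete to check. The following is an added example, not code from the EarSpy researchers: it parses an app's AndroidManifest.xml and flags a request for `android.permission.HIGH_SAMPLING_RATE_SENSORS` (the real permission Android uses to gate motion-sensor sampling above the 200 Hz ceiling), treating the combination with network access as the case that needs review. Both manifests and their package names are constructed for the demonstration.

```python
"""Flag Android apps that request high-rate motion-sensor access.

Added example (not the EarSpy researchers' code). Android gates sensor sampling above
200 Hz behind android.permission.HIGH_SAMPLING_RATE_SENSORS (a real permission name);
a vetting pipeline can flag manifests that request it, especially alongside network
access. The two manifests below are constructed for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
HIGH_RATE_PERMISSION = "android.permission.HIGH_SAMPLING_RATE_SENSORS"
INTERNET_PERMISSION = "android.permission.INTERNET"

# Constructed manifest of a hypothetical sensor-logging app.
MANIFEST_HIGH_RATE = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sensorlogger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.HIGH_SAMPLING_RATE_SENSORS"/>
    <application android:label="Sensor Logger"/>
</manifest>
"""

# Constructed manifest of a hypothetical app that stays under the 200 Hz ceiling.
MANIFEST_NORMAL_RATE = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.stepcounter">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Step Counter"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """All <uses-permission android:name=...> values declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def assess_sensor_risk(manifest_xml):
    """Verdict for one manifest. High-rate sensor access plus a network path for the
    readings is the combination the EarSpy scenario needs, so that is what is flagged."""
    root = ET.fromstring(manifest_xml)
    perms = set(requested_permissions(manifest_xml))
    high_rate = HIGH_RATE_PERMISSION in perms
    network = INTERNET_PERMISSION in perms
    return {
        "package": root.get("package"),
        "high_rate_sensors": high_rate,
        "network_access": network,
        "needs_review": high_rate and network,
    }


if __name__ == "__main__":
    for manifest in (MANIFEST_HIGH_RATE, MANIFEST_NORMAL_RATE):
        print(assess_sensor_risk(manifest))
```

This check only covers the rate the platform gates: the article's own figures show gender recognition working on data gathered at 20 Hz, so an app that never requests the high-rate permission can still read the accelerometer during a call. Permission review is one layer; the speaker and sensor-placement measures the researchers recommend address the remaining leakage.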

Mobile device manufacturers should remain cautious when designing more powerful speakers and instead concentrate on keeping the sound pressure during calls similar to that of older-generation phones' ear speakers.

Moreover, it is recommended to position motion sensors as far from the ear speaker as possible, to minimize the phone speaker’s vibrations and alleviate the likelihood of spying.

'Hermit' Spyware Deployed in Syria, Kazakhstan, and Italy



Lookout Inc. discovered an enterprise-grade Android surveillanceware being used by the authorities operating within Kazakhstan's borders. Lookout researchers identified evidence of the spyware, called "Hermit," being used in Italy and northern Syria. 

Researchers obtained a sample of Hermit in April 2022, four months after a series of violently suppressed nationwide rallies against government policies. According to Lookout, the spyware was most likely produced by the Italian surveillance vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company accused of acting as a front company.

RCS Lab operates in the same market as NSO Group Technologies, creator of Pegasus, and Gamma Group, which developed FinFisher, and is a well-known developer with previous dealings with governments such as Syria. This appears to be the first time that a modern RCS Lab mobile spyware client has been publicly disclosed.

The spyware is said to spread through SMS messages that trick users into installing what appear to be harmless apps from Samsung, Vivo, and Oppo; when launched, the apps load a website from the impersonated company while silently initiating the kill chain.

Spyware has been seen to infect Android smartphones in the past. The threat actor APT-C-23 (aka Arid Viper) was linked to a series of attacks targeting Middle Eastern users with new FrozenCell versions in November 2021. Last month, Google's Threat Analysis Group (TAG) revealed that government-backed actors in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are purchasing Android zero-day exploits for covert surveillance efforts. 

According to Lookout, the samples studied used a Kazakh-language website as a decoy, and the main command-and-control (C2) server used by the app was a proxy, with the true C2 located on an IP address in Kazakhstan. "They call themselves 'lawful intercept' organizations since they claim to only sell to customers with legitimate surveillance purposes, such as intelligence and law enforcement agencies. Under the pretext of national security, similar technologies have been used to phish on corporate executives, human rights activists, journalists, academics, and government officials," the researchers said.

The revelations came as the Israel-based NSO Group is rumored to be in talks to sell its Pegasus technology to US defense contractor L3Harris, which makes StingRay cellular phone trackers, raising concerns it could allow law enforcement to deploy the controversial hacking tool.

Hardware Bugs Provide Bluetooth Chipsets Unique Traceable Fingerprints

 

A recent study from the University of California, San Diego, has proven for the first time that Bluetooth signals may be fingerprinted to track devices (and therefore, individuals). At its root, the identification is based on flaws in the Bluetooth chipset hardware established during the manufacturing process, leading to a "unique physical-layer fingerprint."

The researchers said in a new paper titled "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices": "To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals."

The attack is made feasible by the pervasiveness of Bluetooth Low Energy (BLE) beacons, which current smartphones transmit constantly to enable tasks such as contact tracing during public health situations.

The hardware flaws come from the fact that both Wi-Fi and BLE components are frequently incorporated into a specialised "combo chip," effectively subjecting Bluetooth to the same set of metrics that may be utilized to uniquely fingerprint Wi-Fi devices: carrier frequency offset and IQ imbalance. 

Fingerprinting and monitoring a device therefore involves calculating the Mahalanobis distance for each packet to determine how similar the new packet's characteristics are to the device's previously registered hardware-defect fingerprint.

"Also, since BLE devices have temporarily stable identifiers in their packets [i.e., MAC address], we can identify a device based on the average over multiple packets, increasing identification accuracy," the researchers stated. 
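To make the identification step concrete, here is an added toy implementation (not the UCSD researchers' code) of the matching described above: each enrolled device is summarised by the mean and covariance of the two features the paper names, carrier frequency offset and IQ imbalance; a new packet's Mahalanobis distance to each fingerprint is computed, and distances are averaged over the packets that share a temporarily stable address. All feature values are constructed, not measured, and the third device is deliberately given imperfections overlapping the first to show the misidentification the researchers report for devices with common fingerprints.

```python
"""Toy physical-layer fingerprint matcher.

Added illustration, not code from the UCSD paper. It uses the two features the paper
names (carrier frequency offset, IQ imbalance) and the per-packet Mahalanobis distance,
averaged over packets, to show why devices with overlapping hardware imperfections are
misidentified. All feature values are constructed, not measured.
"""
import math
import statistics

# Constructed enrollment data: per-packet (CFO in kHz, IQ amplitude imbalance in dB).
ENROLLED_PACKETS = {
    "device_A": [(12.1, 0.52), (12.3, 0.50), (11.9, 0.55), (12.2, 0.49), (12.0, 0.53)],
    "device_B": [(-4.8, 0.21), (-5.1, 0.19), (-4.9, 0.22), (-5.0, 0.20), (-5.2, 0.18)],
    # device_C's imperfections overlap device_A's: a "common" fingerprint.
    "device_C": [(12.4, 0.51), (12.2, 0.54), (12.0, 0.50), (12.3, 0.52), (12.1, 0.49)],
}


def fit_fingerprint(samples):
    """Mean vector and 2x2 covariance (as var_x, cov_xy, var_y) of enrolled packets."""
    xs = [s[0] for s in samples]
    ys = [s[1] for s in samples]
    mean = (statistics.fmean(xs), statistics.fmean(ys))
    n = len(samples)
    var_x = statistics.variance(xs, mean[0])
    var_y = statistics.variance(ys, mean[1])
    cov_xy = sum((x - mean[0]) * (y - mean[1]) for x, y in samples) / (n - 1)
    return mean, (var_x, cov_xy, var_y)


def mahalanobis(point, fingerprint):
    """Distance of one packet's features from a fingerprint, scaled by its covariance."""
    (mx, my), (a, b, d) = fingerprint
    det = a * d - b * b
    if det <= 1e-12:
        raise ValueError("degenerate covariance; enroll more varied packets")
    dx, dy = point[0] - mx, point[1] - my
    # Inverse of [[a, b], [b, d]] is (1/det) * [[d, -b], [-b, a]].
    quad = (d * dx * dx - 2 * b * dx * dy + a * dy * dy) / det
    return math.sqrt(max(quad, 0.0))


def identify(packets, fingerprints):
    """Average the per-packet distance to every fingerprint (the packets share a
    temporarily stable MAC, so they can be grouped) and return the closest device."""
    avg = {
        name: statistics.fmean(mahalanobis(p, fp) for p in packets)
        for name, fp in fingerprints.items()
    }
    best = min(avg, key=avg.get)
    return best, avg


FINGERPRINTS = {name: fit_fingerprint(pkts) for name, pkts in ENROLLED_PACKETS.items()}

# Constructed observations from an unknown device.
NEAR_B = [(-5.0, 0.20), (-4.9, 0.21)]
NEAR_A_OR_C = [(12.2, 0.51), (12.1, 0.52)]

if __name__ == "__main__":
    for label, pkts in (("near B", NEAR_B), ("near A/C", NEAR_A_OR_C)):
        best, avg = identify(pkts, FINGERPRINTS)
        print(label, "->", best, {k: round(v, 2) for k, v in avg.items()})
```

The first observation set sits far from every fingerprint except device_B and is identified unambiguously; the second is close to both device_A and device_C, so the verdict flips on small measurement differences. That is the "matter of luck" the researchers describe: tracking works well only against a device whose imperfections happen to be unusual among the chipsets nearby.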

However, carrying out such an attack in an adversarial situation faces numerous obstacles, the most significant being that the ability to uniquely identify a device depends on the BLE chipset employed as well as on the chipsets of other devices in close physical proximity to the target. Other key factors that may influence the readings include device temperature, variations in BLE transmit power between iPhone and Android devices, and the quality of the sniffer radio utilised by the malicious actor to carry out the fingerprinting attacks.

The researchers concluded, "By evaluating the practicality of this attack in the field, particularly in busy settings such as coffee shops, we found that certain devices have unique fingerprints, and therefore are particularly vulnerable to tracking attacks; others have common fingerprints, and they will often be misidentified. BLE does present a location tracking threat for mobile devices. However, an attacker's ability to track a particular target is essentially a matter of luck."

Turkish National Charged for DDoS Attack on U.S. Company

 

Authorities in the United States charged a Turkish national for launching distributed denial-of-service (DDoS) assaults against a Chicago-based multinational hospitality company using a now-defunct malware botnet. 

Izzet Mert Ozek, 32, is accused of launching attacks against the Chicago multinational in August 2017 using WireX, a botnet developed using Android malware. 

According to authorities, Ozek's attacks caused infected Android devices to transmit massive volumes of online traffic to the company's public website and online booking service, leading servers to crash. As per the news release from the US Department of Justice, the charges were announced on September 29 in the Northern District of Illinois. 

The press release stated, “In August 2017, IZZET MERT OZEK used the WireX botnet, which consisted of compromised Google Android devices, to direct large amounts of network traffic to the hospitality company’s website, preventing legitimate users from completing hotel bookings, according to an indictment returned Tuesday in U.S. District Court in Chicago. The hospitality company, which managed luxury hotels and resorts, was headquartered in Chicago and the servers for its website were located in northern Illinois.” 

“The indictment charges Ozek, 32, with one count of intentionally causing damage to a protected computer. Ozek is believed to be residing in Turkey, and a warrant for his arrest will be issued.” 

The official statement and indictment do not specify whether Ozek developed the WireX botnet himself or bought it from a third party. The botnet, created just a month earlier in July 2017, soon grew to a gigantic size of more than 120,000 bots after its creator infected Android smartphones through fraudulent Android apps.

Coming only months after the disastrous Mirai malware attacks at the end of 2016, the emerging danger prompted the cyber-security industry to respond quickly and eliminate it while it was still in its early phases.

A coalition of security firms, including Akamai, Cloudflare, Flashpoint, Google, Dyn, RiskIQ, and Team Cymru, launched an investigation weeks after the attack on the Chicago multinational company to track WireX's bots and backend infrastructure and then seize and take down its command and control systems.