Posts labeled Malware Report

Glupteba Malware has Returned After Being Disrupted by Google



After nearly a year of disruption, the Glupteba malware botnet is active again and is infecting devices worldwide. Google had seriously disrupted the blockchain-enabled botnet in December 2021 by securing court orders to take control of its infrastructure and by filing a lawsuit against two Russian operators.

Based on analysis of blockchain transactions, TLS certificate registrations and reverse engineering of Glupteba samples, Nozomi Networks reports a new, large-scale Glupteba campaign that started in June 2022 and is still running.

Blockchain as a hiding place

Glupteba is modular, blockchain-enabled malware. It mines cryptocurrency, steals user credentials and cookies, and turns Windows and IoT devices into proxy servers. Much of it is distributed through malvertising on pay-per-install (PPI) networks and traffic distribution systems (TDS), which push installers disguised as free software, videos and movies; the infected hosts are then sold to other criminals as 'residential proxies.'

As part of its evasion strategy, Glupteba uses the Bitcoin blockchain to distribute updated lists of command-and-control (C2) servers, which the bots then contact to receive commands.

The bot's discover function retrieves the C2 address in encrypted form: it takes a set of hardcoded Bitcoin wallet addresses, fetches their transactions, and parses the transaction data for an encoded, AES-encrypted address. Glupteba has used this approach for years, and it gives the botnet a resilient posture against takedowns.

Because blockchain transactions cannot be erased, taking down a C2 address has only a limited effect on the botnet: the operators simply publish a new one. Nor can law enforcement push a payload of its own from the controlling Bitcoin address without its private key, so there can be no sudden botnet takeover or global deactivation of the kind that ended Emotet in early 2021.

It is worth noting that Bitcoin is a public blockchain: anyone can read it and scrutinize its transactions to gather information, defenders included.

Nozomi reports that Glupteba continues to use the blockchain in exactly the way it did years ago. Revealing the hidden C2 domains was therefore a matter of scanning the whole blockchain for the same pattern the bots look for.

This took considerable effort: more than 1,500 Glupteba samples uploaded to VirusTotal were examined, the wallet addresses were extracted from them, and the encryption keys carried by the malware were used to decrypt the transaction payload data.
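The two sides of this mechanism, the bot's discover function described above and the researchers' scan of the chain for the same pattern, are easiest to see in code. The following is an added example written for this page; it is not Glupteba's code or Nozomi's tooling. The page says only that the address is "AES-encrypted" and "encoded", so the specifics here are assumptions: the payload is assumed to sit in an OP_RETURN output, the mode is assumed to be AES-256-GCM with the nonce prepended, and the key and wallet history are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// c2Key is a hypothetical hardcoded AES-256 key standing in for the one
// researchers recovered from the samples; a real bot embeds its own.
var c2Key = []byte("0123456789abcdef0123456789abcdef")

// Output and Tx are a minimal model of what a blockchain API returns for a
// wallet's transactions (constructed data, not real chain data).
type Output struct {
	ScriptHex string // raw scriptPubKey, hex-encoded
}

type Tx struct {
	TxID    string
	Height  int // block height; higher is newer
	Outputs []Output
}

const opReturn = 0x6a // Bitcoin OP_RETURN opcode

// opReturnData returns the payload of a single-push OP_RETURN script
// (OP_RETURN <len> <data>, data up to 75 bytes), or false for anything else.
func opReturnData(scriptHex string) ([]byte, bool) {
	script, err := hex.DecodeString(scriptHex)
	if err != nil || len(script) < 2 || script[0] != opReturn {
		return nil, false
	}
	n := int(script[1])
	if n == 0 || n > 75 || len(script) != 2+n {
		return nil, false
	}
	return script[2:], true
}

var domainRe = regexp.MustCompile(`^[a-z0-9-]+(\.[a-z0-9-]+)+$`)

// decryptC2 expects nonce || ciphertext || GCM tag. An authentication
// failure or a plaintext that is not a domain name is rejected; that is how
// both the bot and a researcher scanning the chain separate a C2 update from
// unrelated OP_RETURN data in the same wallet.
func decryptC2(payload []byte) (string, error) {
	block, err := aes.NewCipher(c2Key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(payload) < ns+gcm.Overhead() {
		return "", errors.New("payload too short")
	}
	pt, err := gcm.Open(nil, payload[:ns], payload[ns:], nil)
	if err != nil {
		return "", err
	}
	domain := strings.ToLower(string(pt))
	if !domainRe.MatchString(domain) {
		return "", errors.New("plaintext is not a domain")
	}
	return domain, nil
}

// encryptC2 is the operator side: it builds the OP_RETURN script that carries
// a new C2 domain. The nonce must never repeat under the same key.
func encryptC2(domain string, nonce []byte) (string, error) {
	block, err := aes.NewCipher(c2Key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(nonce) != gcm.NonceSize() {
		return "", errors.New("bad nonce length")
	}
	payload := append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, []byte(domain), nil)...)
	if len(payload) > 75 {
		return "", errors.New("payload too long for a single push")
	}
	script := append([]byte{opReturn, byte(len(payload))}, payload...)
	return hex.EncodeToString(script), nil
}

// discoverC2 walks the wallet's transactions newest-first and returns the
// first domain that decrypts cleanly, with the transaction that carried it.
// The operator rotates C2 simply by sending a newer transaction; nothing
// on-chain is ever deleted, which is why takedowns have limited effect.
func discoverC2(txs []Tx) (domain, txid string, ok bool) {
	sorted := append([]Tx{}, txs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Height > sorted[j].Height })
	for _, tx := range sorted {
		for _, out := range tx.Outputs {
			data, isOpReturn := opReturnData(out.ScriptHex)
			if !isOpReturn {
				continue
			}
			if d, err := decryptC2(data); err == nil {
				return d, tx.TxID, true
			}
		}
	}
	return "", "", false
}

func main() {
	// Constructed wallet history: an old update, unrelated OP_RETURN noise,
	// an ordinary payment output, and the current update.
	old, _ := encryptC2("old-c2.example", []byte("nonce-000001"))
	cur, _ := encryptC2("new-c2.example", []byte("nonce-000002"))
	txs := []Tx{
		{TxID: "tx-a", Height: 700000, Outputs: []Output{{ScriptHex: old}}},
		{TxID: "tx-b", Height: 700500, Outputs: []Output{{ScriptHex: "6a04deadbeef"}}},
		{TxID: "tx-c", Height: 700200, Outputs: []Output{
			{ScriptHex: "76a914" + strings.Repeat("00", 20) + "88ac"}, {ScriptHex: cur}}},
	}
	if d, id, ok := discoverC2(txs); ok {
		fmt.Printf("C2 = %s (from %s)\n", d, id)
	}
}
```

A researcher's scan is the same loop run over every transaction of every wallet address extracted from the samples, with each recovered key tried in turn; the GCM tag check keeps false positives out of the resulting domain list.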

Nozomi also used passive DNS records to find domains and hosts associated with Glupteba.

The team then examined the latest TLS certificates used by the malware's infrastructure to learn more about it.

Nozomi's investigation identified 15 Bitcoin addresses used across four Glupteba campaigns. The most recent began in June 2022, six months after Google's disruption, and is still ongoing.

The botnet is now more resilient because it uses more Bitcoin addresses than ever. Following the same redundancy model, the number of Tor hidden services used as C2 servers has increased tenfold since the 2021 campaign.

One particularly prolific address had 11 transactions over the past year and more than 1,197 samples connected to it; its last activity was on November 8, 2022, making it the most active address. Nozomi also reports many new Glupteba domain registrations in passive DNS data since November 22, 2022.

Based on the above, it is clear that the Glupteba botnet is back and again in attack mode. It is now much larger than it once was and potentially even more resilient: the number of fallback addresses it has set up lets it resist takedown attempts by researchers and law enforcement agencies.

Kaspersky Lab detected a new threat to user data

Kaspersky Lab experts discovered a targeted cyber-espionage campaign in which attackers infect computers with malware that collects all recent documents on the victim's device, archives them and sends them to the attackers.

UEFI firmware runs before the operating system and controls the early boot process. An attacker who controls it can take over the computer: modify memory and disk contents, or force the operating system to run a malicious file. Neither replacing the hard drive nor reinstalling the OS gets rid of it.

"This file is a bootloader; it communicates with the control server, collects all recent documents on the computer, archives them, and sends them back to the server. In fact, this is pure espionage. So far there is information about two victims of the UEFI bootkit, as well as several victims of the campaign who encountered targeted phishing. All of them are diplomats or members of nonprofit organizations, and their activities are related to North Korea," commented Igor Kuznetsov, a leading anti-virus expert at Kaspersky Lab.

The experts also found that the components of the UEFI bootkit are based on the Vector-EDK code, a framework created by the Hacking Team group that includes instructions for building a module to flash into UEFI. In 2015 these and other Hacking Team sources were leaked and became freely available, which allowed attackers to build their own tooling on top of them.

"Be that as it may, we are dealing with a powerful, advanced tool for cyber attacks; far from every attacker can do this. However, with the appearance of ready-made working examples, there is a danger of the technology being reused, especially since the instructions for it can still be downloaded by anyone," added Kuznetsov.

Interestingly, five years ago Kaspersky Lab had already found hard-to-detect implants of this kind: at that time the control servers and attack traces of the Equation group, which was linked to US intelligence services, were discovered.

Hackers use fake Zoom domains to spread malware


The coronavirus pandemic is forcing many people around the world to work remotely, which has greatly increased the popularity of video conferencing services such as Zoom. Attackers have taken advantage of this and begun using fake Zoom domains to spread malware and to gain access to other people's video conferences, the security company Check Point reports.

Researchers note that since the beginning of the pandemic, 1,700 domains containing the word "Zoom" have been registered. A quarter of them were registered in the last seven days alone, and 70 of them the company considers suspicious.

Check Point specialists also found malicious files named like "zoom-us-zoom_##########.exe", where # is a digit. Running such a file installs InstallCore, a bundling installer that is then used to download further malware.
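Both indicators above, a newly registered domain that carries the brand name and the installer's file-name pattern, are easy to check automatically. The following is an added example, not Check Point's code: it scores a constructed feed of newly registered domains and matches attachment names against the reported pattern. The list of Zoom's own domains, the two-label approximation of a registrable domain, and the "0 for o" homoglyph substitution are assumptions made for the example; the homoglyph check goes slightly beyond the page, which only counts domains containing the literal word.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// legitZoomDomains are the registrable domains assumed to belong to Zoom;
// hosts under them (us04web.zoom.us) are not lookalikes.
var legitZoomDomains = map[string]bool{"zoom.us": true, "zoom.com": true}

// payloadRe matches the installer name pattern Check Point reported,
// "zoom-us-zoom_##########.exe" with # a digit.
var payloadRe = regexp.MustCompile(`(?i)^zoom-us-zoom_\d+\.exe$`)

// homoglyphs undoes the most common look-alike substitution so "zo0m" is
// treated as "zoom".
var homoglyphs = strings.NewReplacer("0", "o")

// registrable returns the last two labels as a rough eTLD+1. A production
// gateway would consult the public suffix list (co.uk and friends).
func registrable(domain string) string {
	labels := strings.Split(domain, ".")
	if len(labels) < 2 {
		return domain
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

type Finding struct {
	Domain string
	Reason string
}

// suspiciousZoomDomain flags a domain that carries the brand in any label
// other than the TLD while not being owned by Zoom. That catches
// "zoom-us-login.com", "zo0m-meeting.net" and "zoom.us.evil.com" alike.
func suspiciousZoomDomain(domain string) (string, bool) {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if d == "" || legitZoomDomains[registrable(d)] {
		return "", false
	}
	labels := strings.Split(d, ".")
	for _, l := range labels[:len(labels)-1] {
		if strings.Contains(homoglyphs.Replace(l), "zoom") {
			return "brand keyword in label " + l, true
		}
	}
	return "", false
}

// scanNewDomains runs the check over a newly-registered-domains feed.
func scanNewDomains(domains []string) []Finding {
	var out []Finding
	for _, d := range domains {
		if reason, bad := suspiciousZoomDomain(d); bad {
			out = append(out, Finding{Domain: strings.ToLower(strings.TrimSpace(d)), Reason: reason})
		}
	}
	return out
}

// suspiciousAttachment matches the reported installer naming pattern.
func suspiciousAttachment(filename string) bool {
	return payloadRe.MatchString(strings.TrimSpace(filename))
}

func main() {
	// Constructed sample of a newly-registered-domains feed.
	feed := []string{"us04web.zoom.us", "zoom-us-login.com", "zo0m-meeting.net", "zoom.us.evil.com", "example.org"}
	for _, f := range scanNewDomains(feed) {
		fmt.Printf("%-20s %s\n", f.Domain, f.Reason)
	}
	fmt.Println(suspiciousAttachment("zoom-us-zoom_1234567890.exe"), suspiciousAttachment("zoom.exe"))
}
```

The domain check deliberately looks at every label except the TLD: the subdomain trick ("zoom.us.evil.com") is what a registrable-domain-only comparison misses.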

Fraudulent sites imitating Google Classroom or Google Hangouts have also appeared. These sites are built for phishing: stealing passwords, credit card data and other personal information. Omer Dembinsky, Check Point's Cyber Research Manager, advised users to make sure that links to video conferences are genuine before using them.

In January of this year, Check Point published a report on security flaws in Zoom. According to the company, attackers could join video conferences by guessing the random numbers that form conference URLs. Zoom then fixed the issue and made changes to the service, such as making password protection for conferences mandatory.

Hackers using government websites of Russian Federation for mining


Cybercriminals have used not only ordinary users' computers to mine cryptocurrency but also the resources of large companies and the websites of Russian government agencies, Nikolai Murashov, Deputy Director of the National Coordination Center for Computer Incidents (NCCCI), said at a press conference on Monday.

"Cases of cryptocurrency mining with the help of infected information resources of state organizations have been identified. In these cases, attackers infect web pages, and mining is carried out at the moment the pages are viewed in the browser," said Murashov.

He noted that the price of most virtual coins is very high, so many people want to earn money easily. "Up to 80% of a computer's free capacity can be used to generate virtual coins, and the legitimate user may not even know about it," said the Deputy Head of the NCCCI. He added that the hijacking of large companies' servers for mining threatens to significantly reduce their productivity and cause significant damage to the business.

Murashov also said that in 2019 about 12 thousand "foreign information resources used by attackers to damage our country" were blocked. In addition, at the request of foreign partners, the activities of more than 6 thousand malicious resources in the Russian Federation were stopped this year.

According to Murashov, users should pay attention to the security of their computers to counter such attacks. An infection with malicious software should be taken as a signal that the computer is poorly protected and could fall victim to any attacker.

Murashov noted that two Russian citizens have been prosecuted for mining cryptocurrency on infected computers belonging to organizations.

"In Russia there have recently been two cases of criminal prosecution of persons who used hijacked computers for mining cryptocurrency," he said.

One of them is a resident of Kurgan who ran a botnet spanning several regions of the country. In the second case, criminal proceedings were opened over the use of the Rostovvodokanal company's website for mining.

Russian Companies infected by a virus masquerading as accounting documents


In September, Russian companies faced malicious software disguised as accounting documents. Launching it led to leaks of users' personal data and to their computers being joined to a botnet. Check Point says that 15.3% of Russian Internet users received such emails in a single month.

According to Check Point, the Pony malware has been active since the beginning of the business season in September and was second on the list of the most active malware by the end of the month.

The company said Pony was distributed by email as malicious EXE attachments posing as accounting requests, under subjects such as "Closing documents Tuesday" and "Documents September". Pony can steal user credentials, monitor system and network activity, install additional malware and enroll devices in a botnet.

Rostelecom-Solar specialists recorded phishing emails with similar subjects in September, confirms Igor Zalevsky, head of the Solar JSOC incident investigation department.

"The simplest and most effective defense against such attacks is content filtering on the mail gateway. It is necessary to stop sending executable files of any format by e-mail," emphasizes Mr. Zalevsky.

Attacks like Pony are standard practice, says Vladimir Ulyanov, head of the Zecurion analytical center. According to him, such malware is easier to monetize because accountants work with important data but are not always well aware of information security risks.

"All companies work with closing documents, but not all employees know what these documents look like," explains Mr. Ulyanov.

The expert is sure that such attacks must be countered by raising staff awareness.

Pony is spyware and is among the top three types of malware used by cybercriminals. According to the rating, Cryptoloot, which uses victims' computers and resources to mine cryptocurrency, is first among the most aggressive malware in Russia; XMRig, another miner, is third.

A new virus attacked computers in Russia


Malicious emails to Russian companies have become more frequent. The attackers write on behalf of banks, large airlines, car dealers and media outlets, offer cooperation, and advise the recipient to open the attached file for details of a good deal. If the user does so, the computer is infected with the Troldesh virus, ransomware that encrypts files on the infected device and demands payment.

The fraudsters claim to be employees of these companies and attach a password-protected archive that, they say, contains the order details. In fact the archive contains the malware. Once the victim opens the archive and runs its contents, important files on the system are encrypted and can be recovered only by paying the fraudsters a ransom. The sender addresses are, of course, spoofed.
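The gateway filtering that Zalevsky recommends for the Pony campaign above and the password-protected archive lure used by Troldesh call for the same check: inspect what an attachment actually is, not what its name says. The following is an added example written for this page, not any vendor's product code. It recognises a Windows executable by its MZ/PE header even when renamed, opens ZIP attachments to flag executables inside and entries whose encryption flag is set (which cannot be scanned, so should be held), and falls back to a blocked-extension list. The extension list is an assumed policy, and the PE and ZIP samples are constructed in the block.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
	"path"
	"strings"
)

// blockedExt is an assumed gateway policy: extensions never allowed through,
// whatever the declared content type.
var blockedExt = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".dll": true,
	".js": true, ".vbs": true, ".bat": true, ".cmd": true, ".ps1": true, ".jar": true,
}

type Verdict struct {
	Block   bool
	Reasons []string
}

// isPE checks the DOS "MZ" stub and the "PE\0\0" signature at e_lfanew, so a
// renamed executable ("closing_docs.pdf") is still recognised.
func isPE(data []byte) bool {
	if len(data) < 0x40 || data[0] != 'M' || data[1] != 'Z' {
		return false
	}
	off := uint64(binary.LittleEndian.Uint32(data[0x3c:0x40]))
	if off+4 > uint64(len(data)) {
		return false
	}
	return bytes.Equal(data[off:off+4], []byte("PE\x00\x00"))
}

// inspectZip lists why an archive should be held: an encrypted entry (its
// content cannot be scanned, which is exactly why ransomware lures use
// password-protected archives) or an executable inside it.
func inspectZip(data []byte) []string {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return []string{"zip: unreadable archive"}
	}
	var reasons []string
	for _, f := range zr.File {
		if f.Flags&0x1 != 0 { // general-purpose bit 0: entry is encrypted
			reasons = append(reasons, "zip: encrypted entry "+f.Name+" cannot be scanned")
		}
		if blockedExt[strings.ToLower(path.Ext(f.Name))] {
			reasons = append(reasons, "zip: executable entry "+f.Name)
		}
	}
	return reasons
}

// inspectAttachment combines the three checks: declared extension, true
// file type, and archive contents.
func inspectAttachment(filename string, data []byte) Verdict {
	var v Verdict
	if ext := strings.ToLower(path.Ext(filename)); blockedExt[ext] {
		v.Reasons = append(v.Reasons, "blocked extension "+ext)
	}
	if isPE(data) {
		v.Reasons = append(v.Reasons, "content is a Windows executable (MZ/PE header)")
	}
	if bytes.HasPrefix(data, []byte("PK\x03\x04")) {
		v.Reasons = append(v.Reasons, inspectZip(data)...)
	}
	v.Block = len(v.Reasons) > 0
	return v
}

// fakePE builds the smallest byte string isPE accepts. Constructed test
// data, not a real program.
func fakePE() []byte {
	b := make([]byte, 0x44)
	copy(b, "MZ")
	binary.LittleEndian.PutUint32(b[0x3c:], 0x40)
	copy(b[0x40:], "PE\x00\x00")
	return b
}

// sampleZip builds an in-memory archive with one stored entry. "encrypted"
// only sets the header flag bit, which is all the gateway check reads.
func sampleZip(name string, content []byte, encrypted bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	hdr := &zip.FileHeader{Name: name, Method: zip.Store}
	if encrypted {
		hdr.Flags |= 0x1
	}
	w, _ := zw.CreateHeader(hdr)
	w.Write(content)
	zw.Close()
	return buf.Bytes()
}

func main() {
	samples := []struct {
		name string
		data []byte
	}{
		{"Documents_September.exe", fakePE()},
		{"closing_docs.pdf", fakePE()},
		{"order_details.zip", sampleZip("order.scr", fakePE(), true)},
		{"report.zip", sampleZip("report.txt", []byte("quarterly figures"), false)},
		{"notes.txt", []byte("plain text")},
	}
	for _, s := range samples {
		v := inspectAttachment(s.name, s.data)
		fmt.Printf("%-24s block=%v %v\n", s.name, v.Block, v.Reasons)
	}
}
```

Holding encrypted archives rather than passing them unscanned is the design choice that matters here: the password in the email body is what turns an otherwise-scannable attachment into one the gateway cannot inspect.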

Group-IB found that in June more than a thousand such messages were sent to various Russian companies. The number of Troldesh attacks in this quarter alone is 2.5 times higher than in 2018. Yaroslav Kargalev, Deputy Head of the Information Security Incident Monitoring and Response Division at Group-IB, said it is almost impossible to destroy the virus.

Group-IB experts noted that Troldesh used to be sent mainly on behalf of banks, but the attackers have since stopped doing so because banks have strengthened their anti-phishing measures.

Interestingly, Troldesh can be bought or rented on specialized darknet sites. Judging from the latest attacks, it not only encrypts files but also mines cryptocurrency and generates traffic to websites, inflating their visitor numbers and advertising revenue.

Group-IB experts also stressed that a fairly large infrastructure is involved in distributing the virus, including servers and infected IoT (Internet of Things) devices such as routers. The distribution campaign is still active.

Troldesh has attacked companies before. Such attacks were first recorded in 2015, and the largest took place in March 2019, when the messages came from well-known retailers and from financial and construction companies.

Russian Antivirus Company Dr.Web Found New Malware Targeting MacOS


Specialists at the Russian company Dr.Web found malware targeting macOS that lets attackers download and execute arbitrary Python code on the user's device. In addition, the sites distributing it also infected Windows visitors with a dangerous spyware Trojan.

According to Dr.Web, its experts discovered the new threat on April 29. The malware is called Mac.BackDoor.Siggen.20 and is a backdoor that downloads malicious code from a remote server and executes it.

The experts say attackers can use it to gain unauthorized remote access to the system. It runs in the background, hidden from the user, and is said to be difficult to detect.

Mac.BackDoor.Siggen.20 reaches devices through sites owned by its developers. One is designed as a business-card site with the portfolio of a non-existent person; the other is disguised as a download page for the WhatsApp application.

The company's press service said that which payload is delivered depends on the visitor's operating system: macOS devices are infected with Mac.BackDoor.Siggen.20, while Windows devices receive BackDoor.Wirenet.517 (NetWire). NetWire is a long-known RAT Trojan that lets attackers remotely control the victim's computer, including its camera and microphone. The distributed RAT also carried a valid digital signature.

According to Dr.Web, about 300 visitors with unique IP addresses opened the site distributing Mac.BackDoor.Siggen.20 under the guise of WhatsApp. The site has been active since April 29 and has not yet been used in large-scale campaigns. Nevertheless, the company recommends keeping antivirus software up to date and not opening suspicious sites or downloads.

Website of Chelyabinsk court hits by data-encrypting malware
Attackers hacked into the website of the Arbitration Court of Chelyabinsk (Chelyabinsk Oblast is a federal subject of Russia on the border of Europe and Asia) and infected the server with data-encrypting malware.

The malware encrypted the information and files on the server. The incident took place on October 4; by October 10, experts had restored the website from a previously saved backup.

However, the court lost all information published on its website this year, because the last backup had been made in January. Online resources including news, charts, video of conferences, and information about the bureau and judicial appointments were irretrievably lost.

According to local reports, the court is still trying to recover the information from its own sources. There is no detailed information about the malware variant used in the attack.

- Christina

Over 6 million computers in Moscow are infected with Cryptocurrency Mining Virus

In Moscow, about 30 percent of all computers are infected with a virus that covertly mines bitcoins.

Herman Klimenko, adviser to the Russian President on Internet development, said that this is currently the most common and most dangerous virus. There are about 20 million computers in Moscow, of which 20-30 percent are infected.

Klimenko noted that the organizers of such schemes earn money by "renting out" the capacity of infected computers for processing cryptocurrency transactions.

As a reminder, on July 21 researchers discovered the advertising botnet Stantinko, which had many victims in Russia and Ukraine. Earlier in the month, Kaspersky Lab specialists spotted the wide spread of the Xafekopy virus, which sends subscription requests for paid services from the victim's phone.

"We do not have information about all computers in Moscow and Russia; we can only talk about our users, 6% of whom were attacked in 2017 with the goal of installing 'miners' (for cryptocurrency), which makes it quite a common type of malicious program," Anton Ivanov, an antivirus expert at Kaspersky Lab, is quoted as saying by the local press.

- Christina

Guardian's Article on Cyber Crime spreads Malware

A 2011 article titled "Cybercrime: is it out of control?" on the Guardian's website was found to be serving up the Angler Exploit Kit.

The Angler Exploit Kit is a web-based toolkit that attackers use to probe a visitor's browser and plugins for exploitable weaknesses.

The problem was discovered by FireEye Labs on December 1. FireEye noticed that this Angler infection did not come from a tainted ad but from visiting the Guardian's article about cybercrime itself.

Visiting the page executed an embedded script that redirected the reader's browser to an Angler Exploit Kit landing page.

The kit's main exploit targets a Windows OLE vulnerability that enables a "God Mode" on infected PCs, giving attackers control over every facet of the user's machine.

Angler also probes for the Flash-based CVE-2015-5122, CVE-2015-5560 and CVE-2015-7645 vulnerabilities, which are less powerful than the Windows OLE one but dangerous nevertheless.

These vulnerabilities have been fixed by Microsoft and Adobe, so users who keep their systems up to date are protected while reading the article on the Guardian.

Meanwhile, the Guardian has promised to fix the contaminated links on its website.

This news came days after Angler was found serving malvertising to visitors of the video site DailyMotion.

Malware detected in Martel’s cameras used by police department


iPower Technologies, a US security company and network integrator, discovered copies of the Conficker worm on the Martel Frontline Camera with GPS. Martel is one of the largest manufacturers of police in-car video systems in America, and this product is sold and marketed as a body camera for police departments.

The Florida-based company, which is developing a cloud-based video storage system that lets government agencies and police departments store and search camera video, said the cameras it received from the supplier Martel Electronics were loaded with 2009's most notorious worm.

Conficker is not new: it was discovered in late 2008, and researchers then found that the malware, which at that point had already infected millions of PCs, was set to perform an unspecified update on April 1, 2009.

Jarrett Pavao and Charles Auchinleck, researchers at the company, found that when the cameras were connected to a computer, they tried to execute the worm variant Win32/Conficker.B!inf.

"When the camera was connected to a computer, iPower's antivirus software immediately caught the virus and quarantined it. However, if the computer did not have antivirus actively protecting the computer, it would automatically run and start propagating itself through the network and internet," iPower said in a post.

"In the iPower virtual lab environment, packet captures were also run on the infected PC to view the virus's network activity using Wireshark. The virus, classified as a worm, immediately started to attempt to spread to other machines on the iPower lab network, and also attempted several phone-home calls to internet sites," the post added.

iPower says it tried to contact Martel Frontline Camera to report the findings, but the company has yet to respond.

Researchers find new POS malwares

Researchers have discovered two new and distinct strains of point-of-sale (POS) malware, including one that has gone largely undetected for the past five years.

The first, Cherry Picker, is a set of POS malware that in one form or another has been targeting food and beverage businesses since 2011.

The malware is reported to have been used in a recent breach at an unnamed US restaurant chain. This memory-scraping POS malware has become a threat to retailers.

The FBI has issued a warning about the malware: it can infect any Windows-based POS network and encrypts the data it steals, making detection difficult. Trustwave researchers noticed basic elements of the malware as far back as 2011, but it has gone through three iterations since, adding new configuration files, new ways to scrape memory, and persistence.

The malware has stayed covert for years through a combination of configuration files, encryption, obfuscation and command-line arguments.
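Memory scraping, the core of Cherry Picker and of every POS family since, is simply a search of process memory for magnetic-stripe track data. The following is an added example for this page, not Trustwave's or the malware's code: it runs the same search a scraper would over a constructed memory buffer (Track 2 pattern plus a Luhn check to discard digit runs that are not card numbers), but masks the PAN, which is how a defender would use the technique to hunt for card data sitting in memory or in a dump. The sample PANs are standard test numbers embedded in a constructed buffer.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Track 2 as written on the magnetic stripe and as it sits in a POS
// process's memory: ;PAN=YYMM<service code><discretionary data>?
var track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?`)

// luhnValid is the check digit every real PAN satisfies; a scraper uses it
// to throw away the many digit runs in memory that are not card numbers.
func luhnValid(pan string) bool {
	sum := 0
	double := false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) > 0 && sum%10 == 0
}

type Track2Hit struct {
	Offset      int
	MaskedPAN   string
	Expiry      string // YYMM
	ServiceCode string
}

// maskPAN keeps the BIN and last four digits, which is all a report needs.
func maskPAN(pan string) string {
	if len(pan) <= 10 {
		return pan
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// findTrack2 scans a memory buffer (a process or crash dump in practice) and
// returns every Luhn-valid Track 2 record it contains.
func findTrack2(buf []byte) []Track2Hit {
	var hits []Track2Hit
	for _, m := range track2Re.FindAllSubmatchIndex(buf, -1) {
		pan := string(buf[m[2]:m[3]])
		if !luhnValid(pan) {
			continue
		}
		hits = append(hits, Track2Hit{
			Offset:      m[0],
			MaskedPAN:   maskPAN(pan),
			Expiry:      string(buf[m[4]:m[5]]),
			ServiceCode: string(buf[m[6]:m[7]]),
		})
	}
	return hits
}

// sampleMemory is a constructed buffer: log text, one valid Track 2 record
// (4111111111111111 is a well-known test PAN), and one that fails Luhn.
func sampleMemory() []byte {
	return []byte("txn ok 12:01:44\x00\x00;4111111111111111=25121011234567890123?\x00log;4111111111111112=2512101?\x00")
}

func main() {
	for _, h := range findTrack2(sampleMemory()) {
		fmt.Printf("offset %d pan %s exp %s svc %s\n", h.Offset, h.MaskedPAN, h.Expiry, h.ServiceCode)
	}
}
```

The defensive use is the same loop pointed at a memory dump of the POS process after a transaction: card data that survives in memory long enough to be found this way is exactly what a scraper will find too.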

During his research, Eric Merritt, the primary researcher who observed the malware, also found a file on a Cherry Picker-infected system that helped cover the malware's tracks all these years. The file contains hardcoded paths to the malware, its exfiltration files, and legitimate files on the system. A custom "shredder function" in the code overwrites a file multiple times with 00s, FFs and "cryptographic junk" before moving on to shred the listed malware and exfiltration file locations and the executable itself. The code then removes any remaining traces of the POS malware.

Researchers have also discovered another type of POS malware, known as AbaddonPOS, which is newer than Cherry Picker.

The Vawtrak banking Trojan downloaded TinyLoader, a downloader which in turn downloaded another downloader, which fetched shellcode that became AbaddonPOS.

"AbbadonPOS appears to have features for anti-analysis, code obfuscation, persistence, location of credit card data, and a custom protocol for exfiltrating data. Much like malware as a general category, the sophistication of this new malware over prior malware continues to increase," said Kevin Epstein, Vice President of Threat Operations at the firm.

In addition, security firm Trend Micro is warning of new malware called MalumPOS, which targets the Oracle MICROS POS system.

Attackers will have several choices when it comes to POS malware this season.

18,000 Android apps found with malicious code that steals messages


Researchers from Palo Alto Networks have confirmed that Taomike, a Chinese mobile advertising company, has been distributing a malicious software development kit (SDK) that Android developers use to implement in-app purchases (IAPs) paid for via SMS.

The SDK, a free download from Taomike, steals all SMS messages on infected phones and sends them to a Taomike-controlled server.

Palo Alto Networks wrote in a blog post that since August 1 its WildFire service has captured more than 18,000 Android apps containing the library. These apps are not hosted in the Google Play store but are distributed through third-party channels in China.

Taomike provides the SDK and services that help developers display rich advertisements with a high payout rate. It had not previously been associated with malicious activity, but a recent update to its software added the SMS theft functionality.

According to a report in MNR Daily, there has been an increase in Chinese advertising companies developing malicious SDKs and APIs that developers incorporate into their own apps.

Apps built with these SDKs and APIs have been found to steal private information and data, including device login and password details, from the handsets they are installed on and pass it to the companies that developed the SDKs and APIs.

“Among these malware, we have found many that are created by “mobile monetization” companies who distribute apps that provide little value but have a high cost to the user. These apps are often installed by tricking users into clicking a pop-up, only to find later that a charge has appeared on their phone bill,” they added.

The researchers suggested that when developers incorporate the libraries into their apps they needed to carefully test them and monitor for any abnormal activities.


"Identifying monetization and advertising platforms that behave poorly and abuse their users is something that our industry must do to ensure the safety of all mobile devices and their users," they concluded.

Kemoge mobile malware infecting in more than 20 countries

If you are an Android user and have Talking Tom 3, Smart Touch or Privacy Lock installed from outside the official store, you should be wary.

FireEye, a security firm, has tracked down new mobile malware that threatens users in more than 20 countries worldwide.

Kemoge is Android malware delivered through ads. The infected apps are repackaged copies of software available on the Google Play Store; the key difference is that they attack the user's device after installation.

On its blog, FireEye says, "The attacker uploads the apps to third-party app stores and promotes the download links via websites and in-app ads. Some aggressive ad networks gaining root privilege can also automatically install the samples. On the initial launch, Kemoge collects device information and uploads it to the ad server, then it pervasively serves ads from the background. Victims see ad banners periodically regardless of the current activity (ads even pop up when the user stays on the Android home screen)."

Data such as the phone's IMEI, IMSI and storage information is then sent to a third-party server.

FireEye said that "Kemoge has self-preservation features, and can uninstall other software including anti-virus applications. Google has been notified of the threat, and everyone else is advised not to download dodgy looking things from third-party websites."

FireEye advises Android users not to click suspicious links in emails, SMS, websites or advertisements, not to install apps from outside the official app store, and to keep Android devices updated so they cannot be rooted through publicly known bugs.

New Malware forces you to change your Wifi's default password

Ifwatch, a custom-built piece of vigilante malware, has infected nearly 10,000 routers and pushes their owners to change weak default passwords, ostensibly to make the devices more secure.

According to researchers at the cyber security firm Symantec, the software actually appears to defend the infected device against other attackers and cleans up other malware infections.

“We have not seen any malicious activity whatsoever,” said Symantec threat intelligence officer Val Saengphaibul. “However, in the legal sense, this is illegal activity. It’s accessing computers on a network without the owner’s permission.”

Ifwatch infects routers through their Telnet ports, which are often protected only by default credentials that attackers can easily abuse, and then prompts the users to change their Telnet passwords.

The software is spreading quickly around the world but is found mostly in China and Brazil. It was first discovered by an independent researcher in 2014.

“We have no idea who is behind this — or what their full intention is,” Saengphaibul said.

Will 'GreenDispenser' Take Off with All Your Money?

ATM malware is nothing new to the cyber world, and this time is no different: a team of security researchers at Proofpoint has lifted the veil on a new malware family, GreenDispenser, that lets attackers take control of compromised ATMs and drain all of their cash.

The malware displays an 'out of service' message on the screen so that ordinary customers are turned away, while an attacker who enters the correct PIN can have the machine dispense its cash, leaving no trace of a physical robbery.

Such activity was first reported in Mexico, and similar abuses have since been reported in other countries. Unlike its predecessors Ploutus and Tyupkin, GreenDispenser adds a second authentication layer, so that only the operators who hold the matching tooling can make use of an infected machine.

It is suspected that the criminal bosses now have a mobile app that handles this two-step authentication for malware such as GreenDispenser.

ProofPoint, in another post explained such encryption; an extract from which is given below:-
GreenDispenser employs authentication using a static hardcoded PIN, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM. We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN – a two-factor authentication of sorts.

These malware families are evolving with the passage of time, making ATMs more vulnerable. With ATMs as the primary target, the threat extends to the financial institutions behind them. Thus, the security of credit and debit card credentials should also be enhanced accordingly. The question arises: how long until these systems are completely secured?

Once again, a malicious application is found on the Google Play Store


Researchers at Check Point Threat Prevention have detected a malicious application, said to have affected some one million people, which was published twice in the Google Play Store. The malware was packaged within an Android game called “Brain Test”.

According to the researchers, the malware was reported to Google Play twice. Each instance had between 100,000 and 500,000 downloads as per the Google Play statistics. Check Point reached out to Google on September 10, 2015, and the app containing the malware was removed from Google Play on September 15, 2015.

“The malware was first detected on a Nexus 5 smartphone, and although the user attempted to remove the infected app, the malware reappeared on the same device shortly thereafter. Our analysis of the malware shows it uses multiple, advanced techniques to avoid Google Play malware detection and to maintain persistency on target devices,” the researchers wrote in a blog post.

Although the researchers reported the malware to Google, and the company removed the app from the Google Play Store, it manages to bypass malware detection through several sophisticated techniques. It also installs a second application similar to itself, and the two monitor each other for removal, effectively protecting each other from being uninstalled.


The researchers suggested that, to protect yourself from the malware, you must have up-to-date anti-malware software on your mobile device. If it has already infected a phone, the owner has to re-flash it with an official ROM.

Security experts detect Odlanor malware that cheats at poker




Security experts at ESET have discovered malware that targets users of PokerStars and Full Tilt Poker and lets crooks cheat their way to winning games by leaking information about the victims' cards to their opponents.


It affects people who have accounts on PokerStars and Full Tilt Poker.

Researchers have said that the hackers have been using the malware dubbed Odlanor to sneak a look at a player's virtual poker hand on popular gambling sites. They are then signing into the same game and betting against their victim to up the stakes and steal their money.

It is said that the malware is a successor to the Zynga-targeting Pokeragent Facebook worm, which was discovered two years ago.

According to the researchers, once Odlanor is executed, it creates screenshots of the window of either of the two targeted poker clients, PokerStars or Full Tilt Poker, if the victim is running one of them. The screenshots are then sent to the attacker’s remote computer.


Then, the cheating attackers can retrieve the screenshots. They reveal not only the hands of the infected opponent but also the player ID. Both of the targeted poker sites allow searching for players by their player IDs, hence the attacker can easily connect to the tables on which they’re playing.

New Android Ransomware locks Victim's Phone Permanently

Security researchers at ESET have discovered the first malware that could allow an attacker to reset the PIN of anyone’s phone to permanently lock them out of their own device.

“This ransomware also uses a nasty trick to obtain and preserve Device Administrator privileges so as to prevent uninstallation. This is the first case in which we have observed this aggressive method in Android malware,” the researchers said in a blogpost.



The malware, dubbed LockerPin, which spreads via an adult entertainment app called Porn Droid, changes the infected device's lock screen PIN code and leaves victims with a locked screen, demanding a $500 ransom.

Researchers said that there was no effective way to regain access to infected devices without losing personal data. Rebooting the device in Safe Mode, uninstalling the offending application and using Android Debug Bridge (ADB) could not solve the problem.

The only way to unlock the device is to perform a factory reset, which wipes out all the personal data and apps stored on the user's device.

According to the researchers, as the lock screen PIN is reset randomly, paying the ransom won't give users back access to their device, because even the attackers don't know the randomly changed PIN code. This is a novelty among ransomware; usually its operators do everything possible to unlock the device, up to and including live tech support.

If the ransomware gets installed on a smartphone, the app first tricks the user into granting it device administrator rights. It does so by disguising itself as an "Update patch installation" window.

After gaining control over the phone, the malicious app goes on to change the user's lock screen PIN code, using a randomly generated number. Though the majority of infected devices are detected within the United States, the researchers have spotted infections worldwide.


Researchers have suggested that, to protect your smartphone from the ransomware, you should not install apps from outside the Google Play Store. Similarly, don't grant administrator privileges to apps unless you truly trust them.
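The two pieces of advice above (no sideloaded apps, no Device Administrator rights for untrusted apps) can be turned into a quick triage check. The script below is an added example, not ESET's code and not part of the original post: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell dumpsys device_policy` (active device admins) and ranks packages so that a sideloaded app that also holds admin rights, the LockerPin pattern, comes out on top. The sample outputs are constructed, and the exact line layout of those two commands is an assumption; adjust the regular expressions if your Android build prints them differently.

```python
"""Rank Android packages by 'sideloaded + device admin' risk.

Added example (not from the original post or from ESET). Input is the text of
two ADB commands; the constructed samples at the bottom stand in for real
output, and their layout is an assumption about the command formats.
"""
import re
from dataclasses import dataclass

# Installers we treat as the official store. 'null' means no installer was
# recorded (typical for apps installed from a browser download or via adb).
TRUSTED_INSTALLERS = {"com.android.vending"}

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")
ADMIN_LINE = re.compile(r"ComponentName\{(?P<pkg>[^/]+)/[^}]+\}")


@dataclass
class Finding:
    package: str
    installer: str
    device_admin: bool

    @property
    def severity(self) -> str:
        # Sideloaded and holding admin rights: can reset the PIN and resist
        # uninstallation, exactly what the ransomware above relies on.
        if self.device_admin and self.installer not in TRUSTED_INSTALLERS:
            return "high"
        if self.device_admin:
            return "medium"
        return "low"


def parse_packages(pm_output: str) -> dict:
    """Map package name -> installer from `pm list packages -3 -i` output."""
    result = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def parse_device_admins(dpm_output: str) -> set:
    """Collect package names listed under 'Enabled Device Admins'."""
    admins = set()
    header_indent = None
    for line in dpm_output.splitlines():
        if "Enabled Device Admins" in line:
            header_indent = len(line) - len(line.lstrip())
            continue
        if header_indent is None:
            continue
        if line.strip() and (len(line) - len(line.lstrip())) <= header_indent:
            break  # dedented: left the admin block
        m = ADMIN_LINE.search(line)
        if m:
            admins.add(m.group("pkg"))
    return admins


def audit(pm_output: str, dpm_output: str) -> list:
    """Return Finding objects, riskiest first."""
    installers = parse_packages(pm_output)
    admins = parse_device_admins(dpm_output)
    findings = [Finding(pkg, inst, pkg in admins) for pkg, inst in installers.items()]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.package))


# Constructed sample output (not captured from a real device).
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.example.porndroid  installer=null
"""

SAMPLE_DPM = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentName{com.example.porndroid/com.example.porndroid.AdminReceiver}:
      uid=10123
      policies:
        reset-password
        force-lock
    ComponentName{com.example.notes/com.example.notes.DeviceAdmin}:
      uid=10045
  Password Policy: (none)
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PM, SAMPLE_DPM):
        print(f"{f.severity:6} {f.package:28} installer={f.installer} admin={f.device_admin}")
```

On a real device the two strings would come from the ADB commands named in the docstring; a "high" finding is a candidate for removal from Safe Mode or, as the post notes, a factory reset if the PIN has already been changed.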

CAPTCHA-bypassing malware found in Google Play


Bitdefender security researcher Liviu Arsene has recently revealed that a piece of malware, identified as Android.Trojan.MKero.A, has found its way into seemingly legitimate apps on the Android-powered Google Play Store by successfully evading Google Bouncer's vetting algorithms. This can cause a lot of trouble for vendors who provide paid premium services for their products, as the malware can now make those services available for free.


To bypass CAPTCHA authentication systems, the trojan redirects the CAPTCHA requests to an online image-to-text recognition service, Antigate.com. Since the online service relies on actual individuals to recognize CAPTCHA images, the solved responses are sent back to the malware within seconds so that it can proceed with the covert subscription process.

After receiving the solved CAPTCHA, the Trojan interacts with a command-and-control (C&C) infrastructure which loads the CAPTCHA code on the target link, parses an SMS activation code, and ultimately subscribes the user to the premium service.

Google Play has been notified of at least seven apps that exhibit this type of behavior, two of which have been downloaded between 100,000 and 500,000 times. Moreover, these seven malware-harboring Google Play applications have been analysed, and a list of 29 randomly generated C&C server names was recovered from a single sample which did not have any encrypted strings. Hence, if any one of these locations becomes unresponsive (due to a takedown or any other reason), the malware on an infected device will automatically reconnect to the next C&C server in the preconfigured list and proceed with the preset instructions.
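The failover behaviour described above has a network-side signature: a single client resolving several random-looking hostnames in a short span as it walks down its C&C list. The script below is an added example, not Bitdefender's code and not derived from the malware's own list: it scores hostnames from DNS query logs with a few cheap randomness indicators (normalised entropy, vowel ratio, longest vowel-free run, digits mixed into the label) and then alerts on any client that looked up three or more distinct suspicious names within five minutes. The log format, the client addresses and every hostname in the sample are constructed.

```python
"""Flag clients that walk through a list of random-looking C&C hostnames.

Added example (not Bitdefender's code). Log lines are a constructed format:
"<ISO timestamp> <client ip> <qname> <rcode>". All hostnames are made up.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

VOWELS = set("aeiou")
WINDOW = timedelta(minutes=5)   # lookups must fall within this span
MIN_DISTINCT = 3                # distinct suspicious names needed to alert

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def second_level_label(qname: str) -> str:
    """Naive SLD: 'xk3qpl0a.example.' -> 'xk3qpl0a' (no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def randomness_indicators(label: str) -> int:
    """Count cheap signs that a label was generated rather than chosen."""
    if len(label) < 6:
        return 0
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    norm_entropy = entropy(label) / math.log2(len(label))      # 1.0 = all chars distinct
    longest_run = max(len(r) for r in re.split(r"[aeiou]", label))
    digits_inside = any(c.isdigit() for c in label[:-1]) and bool(letters)
    return sum([
        norm_entropy > 0.9,
        vowel_ratio < 0.25,
        longest_run >= 5,
        digits_inside,
    ])


def is_suspicious(qname: str, threshold: int = 2) -> bool:
    return randomness_indicators(second_level_label(qname)) >= threshold


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            events.append((datetime.fromisoformat(ts), client, qname, rcode))
    return events


def find_failover_clients(text: str, window=WINDOW, min_distinct=MIN_DISTINCT) -> dict:
    """Return {client: sorted suspicious names} for clients that resolved at
    least `min_distinct` different suspicious names inside one `window`."""
    per_client = defaultdict(list)
    for ts, client, qname, _rcode in parse_log(text):
        if is_suspicious(qname):
            per_client[client].append((ts, qname.lower().rstrip(".")))
    alerts = {}
    for client, hits in per_client.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {q for t, q in hits[i:] if t - start <= window}
            if len(names) >= min_distinct:
                alerts[client] = sorted(names)
                break
    return alerts


# Constructed sample log: 10.0.0.5 walks a C&C list, the others browse normally.
SAMPLE_LOG = """\
2015-09-10T10:00:01 10.0.0.5 xk3qpl0a.example NXDOMAIN
2015-09-10T10:00:03 10.0.0.7 google.com NOERROR
2015-09-10T10:00:31 10.0.0.5 zq9vmtr2k.example SERVFAIL
2015-09-10T10:01:02 10.0.0.5 wpl7xcngb.example NXDOMAIN
2015-09-10T10:01:40 10.0.0.7 pokerstars.com NOERROR
2015-09-10T10:02:15 10.0.0.5 h8kqtzrv4.example NOERROR
2015-09-10T11:30:00 10.0.0.9 kx7tqplm.example NOERROR
"""

if __name__ == "__main__":
    for client, names in find_failover_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

The per-name score is a heuristic and will misfire on some real words (short vowel-poor English words score high), which is why the alert keys on the burst of distinct suspicious lookups from one client rather than on any single name; tune `WINDOW`, `MIN_DISTINCT` and the indicator threshold against your own resolver logs before relying on it.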

The total financial losses have been estimated to amount to a staggering $250,000, calculated just from the minimum $0.50 charged for sending the subscription SMS messages.