
Tuesday, October 31, 2017

Is Coin Miner draining your Android device?

The TrendLabs Security Intelligence Blog has identified the Coin Miner mobile malware in the Google Play store. The malware takes over a device and uses its resources to mine a selection of different cryptocurrencies. Users will often not realise what is going on. What they will see is poor battery life and degraded performance.
The apps use several techniques to bypass security. The blog states: “These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.”

What apps were used by Coin Miner?

This attack marks a change in the way coin-mining malware takes control of machines. As the report states: “We've previously seen tech support scams and compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users.” This move to using apps is different and, given the success of other app-based malware, could be more effective. Those users who jailbreak their devices to install anything are particularly at risk here, especially from the ANDROIDOS_CPUMINER attack.
The first of the two miners, ANDROIDOS_JSMINER, was found in two apps:
  • Recitiamo Santo Rosario Free: This app helps users to recite the Holy Rosary.
  • SafetyNet Wireless App: This is aimed at people enrolled in government assistance programs in the US who would otherwise not be able to get online.
Once installed, the apps download the Coinhive JavaScript library and start mining cryptocurrencies. The apps run in a hidden browser window, making it difficult for the user to know they are there. However, they do cause very high CPU utilisation. On most devices this will manifest itself as the device getting warm or even hot when held.
The second miner, ANDROIDOS_CPUMINER, turns any app into a trojan. Apps are modified and then repackaged. When a user downloads the app, often from an unofficial app store or an illegal software site, they are quickly infected. TrendLabs discovered one such app was Car Wallpaper HD: Mercedes, Ferrari, BMW and Audi.
TrendLabs says that it detected a total of 25 instances of ANDROIDOS_CPUMINER in addition to the ANDROIDOS_JSMINER-infected apps.

What does this mean?

The explosion in cryptocurrencies and the need to mine them early to make a serious profit is driving these attacks. It is highly unlikely that we will see any let up in the number of attacks over the next year or even longer. Criminals are also getting smarter and looking for new ways to infect machines.
The big question here is what value is realistically being gained from using mobile devices. While they are getting more powerful, the problems that need to be solved are also getting harder. This means that the return on investment for the hackers is questionable. Of course, it could be that once they realise this they will change their approach and use infected devices for other purposes.
In the blog post the authors state: “These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of any performance degradation on their devices after installing an app.”

Friday, June 30, 2017

How To Protect Android Banking Apps From Malware



The recent WannaCry ransomware outbreak, which infected thousands of systems around the globe, reminded us to be cautious of the growing malware menace. The scale of that attack may also encourage other malware attacks, such as Android malware campaigns.
The latest smartphone statistics from Gartner are not surprising, as they reveal the soaring popularity of Android smartphones around the globe. According to the survey, over 350 million smartphones sold in Q4 2016 were running an Android operating system. The ever-increasing popularity, and most probably the open-source nature of the OS, is perhaps what attracts cybercriminals to make relentless efforts to hack into the device and harvest the personal data of users.
Cybercriminals use specialized malware to carry out the hacks and achieve their ulterior motives. Australia, where cybercrimes like data and identity theft are common and in fact on the rise, is also not safe from the invasion of Android malware.

Cyberattackers Use Malware to Steal Banking Details

Last year, cybersecurity researchers at ESET came across a piece of malware, known as Android/Spy.Agent.SI, which could put millions of Australian customers’ bank account details at serious risk. The malware could mimic popular banking apps from different countries, such as those of Commonwealth Bank, NAB and ANZ in Australia. It would show an overlay screen on top of the targeted apps, with fake username and password fields to capture these sensitive details.
The malware was so potent that it could circumvent the two-factor authentication of the app, thereby revealing the details to the hackers. Later the same year, security researchers at Kaspersky Lab also discovered a similar but modified Trojan that could bypass Android 6’s security features. As a result, the hacker could steal the bank account details of online banking app users.
Fast forward to 2017: a small group of Russian hackers used malware to dupe Russian bank users, stealing over $800,000. The hackers deceived the unsuspecting users by showing them fake banking apps laced with malware that would steal their money.

How to Protect Android From Malware

Be it a ransomware attack or a malware attack, these cyber threats aren’t going to go away anytime soon. Fortunately, there are ways we can prevent these attacks and the ensuing calamities.
1. Install the Latest Security Patch: More often than not, attackers carry out successful hacks by exploiting security vulnerabilities in the system software, and Android is no exception. By exploiting a security hole in your Android device, a hacker or snooper can plant malware or another malicious tool that could result in GPS hijacking, data theft and identity theft, to name a few. Therefore, it is imperative to install security patches as soon as they are released by the vendor.
2. Avoid Pirated Apps: Many Android users readily root their devices so they can have more control over the OS. In fact, in most cases, users end up rooting their devices so they can install a new version of the OS that is not officially available for their specific device. Keep in mind that APK files are easily tampered with. Anyone intent on stealing your personal data can embed malware in an APK and leak your data without your knowledge. The best way to prevent such malware is to avoid pirated apps altogether.
3. Check Permissions: Before you download an app from the Google Play Store, you may have noticed that the Play Store asks for certain permissions. It is important that you read the permissions thoroughly to ensure that the app isn’t asking for any unnecessary ones. For instance, a recipe app would not require permission for your GPS. If it does, it is most likely an unreliable app. In such situations, avoid downloading the app and report it as well.
4. Use Security Tools: Be it a computer or an Android device, installing the right security tool can help users avert the calamity caused by cyberattacks. Especially if you are a regular online banking app user, it is important that you use some kind of security tool, or better yet an encryption tool. With encryption in place, you have a safer environment in which to make online transactions.
Digital privacy and security are getting weaker with every passing year. As more and more cyberattacks continuously invade different sectors, it won’t be too long before cybercriminals freely roam the digital space. However, by implementing the security tips mentioned above, not only can you protect your device but also take a firm stand against the rising plague of cyberthreats.
via LTP
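Tip 3 above (check what an app asks for against what it plausibly needs) can be turned into a repeatable check. The script below is an added example, not part of the original post: it parses an Android manifest and flags permissions that fall outside an assumed profile for the app's category, with extra weight on the permissions a banking overlay Trojan typically needs (overlay drawing, SMS interception, device-admin rights). The manifest, the category profiles and the risk notes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that matter most for the attacks described in this post.
# The risk notes are the author's assumptions, not an Android or Play Store classification.
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps (fake login screens)",
    "android.permission.BIND_DEVICE_ADMIN": "device-administrator rights (lock, wipe, resist uninstall)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS, including one-time codes",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SEND_SMS": "can send SMS (premium-rate abuse)",
    "android.permission.CALL_PHONE": "can place calls",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_CONTACTS": "contact list",
}

# Constructed expectation profiles: what an app of this kind plausibly needs.
EXPECTED = {
    "recipes": {"android.permission.INTERNET"},
    "navigation": {"android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION"},
}

# Constructed manifest of a hypothetical "recipe" app that asks for far too much.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.recipes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Recipes">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the sorted set of permissions a manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    # A device-admin component is declared as a receiver guarded by BIND_DEVICE_ADMIN,
    # not as a <uses-permission>, so look for it separately.
    for node in root.iter("receiver"):
        if node.get(f"{{{ANDROID_NS}}}permission") == "android.permission.BIND_DEVICE_ADMIN":
            names.add("android.permission.BIND_DEVICE_ADMIN")
    return sorted(names)


def audit_manifest(manifest_xml, category):
    """Return (severity, permission, note) for every permission outside the category profile."""
    expected = EXPECTED.get(category, set())
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in expected:
            continue
        if perm in HIGH_RISK:
            findings.append(("high", perm, HIGH_RISK[perm]))
        else:
            findings.append(("review", perm, "not expected for a %s app" % category))
    return findings


if __name__ == "__main__":
    for severity, perm, note in audit_manifest(SAMPLE_MANIFEST, "recipes"):
        print(f"[{severity:6}] {perm}: {note}")
```

Run against the constructed manifest, the recipe app is flagged for location, overlay, SMS interception and device-admin rights, while VIBRATE is merely marked for review. The same manifest audited as a "navigation" app would no longer flag location, which is the point of matching permissions against what the app's purpose justifies.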

Tuesday, May 9, 2017

Millions of Android phones could be tracked with ultrasonic spying tool

Researchers discovered 234 Android apps that could be spying on users CREDIT: GOOGLE

Hundreds of Android apps could be covertly tracking users via inaudible sounds emitted by nearby devices, researchers have found. 
Researchers discovered technology in 234 Android apps that lets devices talk to one another for tracking purposes using ultrasonic tones.
Televisions, billboards, websites and shops can emit the high frequency sounds, which can't be heard by humans but are picked up by the apps. This signals whether a person has engaged with an advert by watching it, or visited a shop, and how long for. 
Apps featuring the technology include those from McDonald's and Krispy Kreme. Major companies could be using it to track customers' location and habits, both on and off their mobile devices, without them knowing, the researchers warned.
"An adversary can monitor a user's local TV viewing habits, track their visited locations and deduce their other devices," said the researchers. "They can gain a detailed, comprehensive user profile with a regular mobile application and the device's microphone." 
The tracking method has spiked in popularity recently, according to the researchers. Two years ago just five apps in the Google Play store used the technology. Now, it is allegedly present in 234. 

As well as tracking customers' habits, the beacon technology can also be used to send them targeted adverts. Given that the tool can connect location and habits with the device, it could also be used to identify anonymous users, such as those of Bitcoin and Tor. 
The researchers from the Braunschweig University of Technology warned that millions of users could be under surveillance without knowing after they found that a sample of five of the 234 apps had been downloaded up to 11 million times. 
The majority of the apps don't alert users that they are tracking them. All they require to be able to follow users is permission to access the device's microphone. 
"The user just needs to install a regular mobile application that is listening to ultrasonic signals through the microphone in the background," said the researchers. "Once the user has installed these applications on their phone, they neither know when the microphone is activated nor are they able to see what information is sent to company servers."
Silverpush, the company that created the listening tool, denied that its technology was still being used. It stopped supporting the software in 2015 following a privacy outcry. 
"We respect customer privacy and would not want to build our business foundation where privacy was questionable," Hitesh Chawla, founder of Silverpush, told Ars Technica. "Even when we were live, our software was not present in more than 10 to 12 apps. So there is no chance that our presence in 234 apps is possible.
"Every time a new handset gets activated with our software, we get a ping on our server. We have not received any activation for six months now." 
Google said its privacy policy requires apps to disclose how they collect, use and share customer data. 
McDonald's said it did not use the technology in the UK for marketing purposes. Krispy Kreme has been contacted for comment. 
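The beacons described above are plain audio in a band most people cannot hear, so the same microphone the apps rely on can be used by a defender to check whether such tones are present. The script below is an added example, not code from the researchers or from Silverpush: it uses the Goertzel algorithm, a cheap single-frequency DFT, to sweep a near-ultrasonic band for a strong, steady tone. The band (18 to 20 kHz), the detection threshold and the test signals are assumptions; the article does not state which frequencies the tracking tones use.

```python
import math
import random

SAMPLE_RATE = 44100  # assumed capture rate


def goertzel_amplitude(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Estimate the amplitude of a sinusoid at target_hz using the Goertzel algorithm.

    Equivalent to one bin of a DFT; the bin nearest target_hz is used.
    """
    n = len(samples)
    k = round(n * target_hz / sample_rate)
    omega = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(omega)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    # |X[k]| = n * A / 2 for a full-scale sinusoid of amplitude A landing on the bin
    return 2.0 * math.sqrt(max(power, 0.0)) / n


def detect_ultrasonic_beacon(samples, sample_rate=SAMPLE_RATE,
                             band=(18000, 20000), step_hz=50, min_amplitude=0.01):
    """Sweep the band and report (detected, peak_hz, peak_amplitude).

    A steady tone well above the noise floor in this band is treated as a beacon candidate.
    """
    peak_hz, peak_amp = None, 0.0
    for hz in range(band[0], band[1] + 1, step_hz):
        amp = goertzel_amplitude(samples, hz, sample_rate)
        if amp > peak_amp:
            peak_hz, peak_amp = hz, amp
    return peak_amp >= min_amplitude, peak_hz, peak_amp


def synth(duration_s, tones, noise=0.02, seed=1, sample_rate=SAMPLE_RATE):
    """Constructed test signal: a sum of sinusoids (hz, amplitude) plus uniform noise."""
    rng = random.Random(seed)
    n = int(duration_s * sample_rate)
    out = []
    for i in range(n):
        t = i / sample_rate
        v = sum(a * math.sin(2 * math.pi * f * t) for f, a in tones)
        out.append(v + rng.uniform(-noise, noise))
    return out


# Constructed inputs: an audible 440 Hz note with and without an 18.5 kHz tone on top.
BEACON_CLIP = synth(0.1, [(440, 0.5), (18500, 0.3)])
CLEAN_CLIP = synth(0.1, [(440, 0.5)])

if __name__ == "__main__":
    for name, clip in (("beacon", BEACON_CLIP), ("clean", CLEAN_CLIP)):
        found, hz, amp = detect_ultrasonic_beacon(clip)
        print(f"{name}: detected={found} peak={hz} Hz amplitude={amp:.3f}")
```

A 100 ms window at 44.1 kHz gives 10 Hz bins, so the 50 Hz sweep step lands exactly on bins and a tone at 18.5 kHz shows up with its true amplitude, while the audible note and the noise leave the band near zero. On a real recording the threshold would need calibrating against the device's own noise floor, and a genuine beacon would usually be modulated rather than a single steady tone; the sweep still locates the carrier.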

Monday, February 22, 2016

GM Bot (Android Malware) Source Code Leaked Online

The source code of a recently discovered Android banking Trojan that has the capability to gain administrator access on your smartphone and completely erase your phone's storage has been LEAKED online.

The banking Trojan family is known by several names: security researchers from FireEye dubbed it SlemBunk, Symantec dubbed it Bankosy, and last week when Heimdal Security uncovered it, they dubbed it MazarBot.

All of the above Android banking Trojans originated from a common threat family, dubbed GM Bot, which IBM has been tracking since 2014.

GM Bot emerged on the Russian cybercrime underground forums, sold for $500 / €450, but it appears someone who bought the code leaked it on a forum in December 2015, the IBM X-Force team reported.

What is GM Bot and Why Should You Worry about it?


The recent version of GM Bot (dubbed MazarBOT) has the capability to display phishing pages on top of mobile banking applications in an effort to trick Android users into handing over their financial credentials to the fraudsters.

Besides this, the banking trojan is also capable of forwarding phone calls and intercepting SMS messages to help fraudsters bypass an additional layer of bank security mechanisms, and locking a device’s screen.

Cyber criminals could also use the malware to:
  • Spy on victims
  • Delete data from the infected device
  • Gain boot persistence to help survive device restart
  • Send and read your SMS messages
  • Make calls to your contacts
  • Read the phone's state
  • Plague phone's control keys
  • Infect your Chrome browser
  • Change phone settings
  • Force the phone into sleep mode
  • Query the network status
  • Access the Internet
  • Wipe your device's storage (the most critical capability of the malware)
However, someone leaked the malware source code only to boost his/her reputation on an underground forum, according to the researchers.


GM Bot Android Malware Source Code for FREE


Yes, the source code for GM Bot and its control panel is now accessible to cybercriminals and fraudsters for FREE.

Here’s the Cherry on the Top:

Besides the source code, the leaker also posted a tutorial and instructions for server-side installation, which means cybercriminals can create their own versions of the malware strain to conduct online banking fraud.

Though the archive file containing the source code and its control panel is password protected, the leaker offered the password only to active forum members who approached him.
"Those who received the password, in turn, passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board’s member list," IBM cyber security evangelist Limor Kessem wrote in a blog post.
Online users had started sharing the password to the archive among their friends, and in no time, the GM Bot source code was all over the hacking underground forums.

GM Bot is one of the most dangerous banking Trojans in the Android ecosystem, and now that its source code has been leaked, users are recommended to take care while banking online.

How to Protect Yourself?


As I previously mentioned, online users are advised to follow these steps in order to protect themselves against this kind of threat:
  • Never open attachments from unknown sources.
  • Never click on links in SMS or MMS messages sent to your phone.
  • Even if the email looks legit, go directly to the source website and verify any possible updates.
  • Go to Settings → Security → Turn OFF "Allow installation of apps from sources other than the Play Store" option.
  • Always keep an up-to-date Anti-virus app on your Android devices.
  • Avoid unknown and unsecured Wi-Fi hotspots and keep your Wi-Fi turned OFF when not in use.

Monday, February 15, 2016

SMS Android malware roots and hijacks your device - unless you are Russian

A fresh strain of mobile malware has been discovered which is able to root devices, hijack sessions and completely wipe system data.

Android-based mobile malware which is able to give itself admin privileges and completely take over aspects of a smartphone's functionality has been discovered in the wild, researchers say.
According to security specialist Andra Zaharia from Heimdal Security, the malware, dubbed Mazar Android BOT, spreads via SMS and MMS messages. Crafted with a malicious link, the message reads:
"You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message."
This message links to an Android application package (APK). The user is then prompted to download the package, which is given a generic name -- "MMS Messaging" -- to make the potential victim more likely to trust the download.
If installed, the malicious code hidden within grants itself administrator rights on an Android device, giving attackers the option to send premium messages without consent, hijack browser sessions, root the device, monitor phone and text messages and retrieve device data.
In addition, but perhaps most crucially, Mazar can also completely erase the infected device and all information stored within, as well as read authentication codes sent to the device as part of two-factor authentication systems used by online banking and social media accounts.

In a blog post, Zaharia said the spread of the malware and its geographical targets are currently unknown. The Mazar APK was first spotted in November 2015 by Recorded Future, which noted the malware was able to download and run Tor on infected devices before connecting to hidden Onion servers and the malware's command and control (C&C) centers.
However, the malware's capabilities worsen. The cybercriminals behind Mazar also have implemented the "Polipo HTTP proxy," a way to give them access to additional functionalities within an Android device.
According to GitHub, the HTTP proxy not only provides useful functionality such as speeding up mobile browsing, but is also able to cache Web pages for offline access. In other words, an attacker using Mazar can also view the victim's browsing history and launch Man-in-the-Middle (MITM) attacks to monitor traffic and hijack browser sessions.
Add this to the fact Mazar can also inject itself into the mobile Chrome browser, and victim sessions are left utterly vulnerable to exploit.
An element of interest is that the malware will target Android phones indiscriminately, but is not able to download and run on devices based on the Russian language. Mazar implements a data process which pulls up a device's listed country and the APK will stop if it detects the smartphone is owned by a Russian user.
While Mazar has been on sale in the Dark Web for some time, the researchers say this is the first time they have seen the malware used in active campaigns. The team notes:
"Attackers may be testing this new type of Android malware to see how they can improve their tactics and reach their final goals, which probably is making more money (as always).

We can expect this malware to expand its reach, also because of its ability to remain covert by using TOR to hide its communication."
In order to protect yourself from such threats, you should never click on links sent by SMS or MMS message services.
via ZDNet

Tuesday, February 2, 2016

Android security: Google kills remote hacker bug, patches seven critical flaws

This month's fixes were shared with Android partners on January 4 but so far only BlackBerry has issued a patch.
Google has fixed a critical bug in Android that can be remotely exploited by an email, MMS, or link to a webpage that contains a specially-crafted media file.
Of the seven critical security vulnerabilities in Google's February patch for Android Nexus devices, the fix for the most serious flaws affects the mediaserver service in the OS.
This service contained two flaws exposing devices to remote execution when the mediaserver processes a purpose-built file delivered by email, MMS, or a webpage.
The flaws affect Android 6.0, Android 5.1 Lollipop, and Android 4.4.4 KitKat.
Google notes that one mitigation is that its Google Hangouts and Messenger apps no longer automatically pass media to the mediaserver, a measure it took last August to prevent Stagefright attacks.

This month's fixes were shared with Android partners on January 4. However, so far the only vendor to have patched the issue is BlackBerry, which released an update for PRIV Android handsets within 24 hours of Google's over-the-air update for Nexus handsets on Monday.
Google also addressed a pair of equally serious bugs in the Broadcom Wi-Fi driver that allow an attacker on the same Wi-Fi network to corrupt kernel memory.
"Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could allow a remote attacker to use specially-crafted wireless control message packets to corrupt kernel memory in a way that leads to remote code execution in the context of the kernel," Google notes.
Overall, the February update addresses 13 security bugs, of which seven are critical, four high severity, and two moderate.
The fixes bring Google's Android Security Patch Level up to February 1, 2016, which Android OEMs such as Samsung, LG, Sony, and others should be rolling out in the coming month, at least to flagship handsets.
Samsung released its January fixes roughly three weeks after Google fixed its Nexus devices.
Android 6.0 and firmware builds LMY49G or later for Nexus devices, which are available on Google's developer site, address the issues.
The update marks the seventh monthly patch Google has released since committing to regular patching last August.
The company revealed last week that it had paid Android security researchers a total of $200,000 in bounties since launching its program last June.
via ZDNet
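The patch level quoted above is what a device reports in its build properties, so whether a handset has received this month's fixes can be checked mechanically. The script below is an added example, not Google's or ZDNet's: it parses the `[key]: [value]` lines printed by `adb shell getprop` and compares `ro.build.version.security_patch` against February 1, 2016. The property dumps are constructed; the assumption that builds older than Android 6.0 do not report a patch-level property at all (so the result is "unknown" rather than a false "ok") is the author's.

```python
import re
from datetime import date

REQUIRED_PATCH_LEVEL = date(2016, 2, 1)  # Android Security Patch Level named in the article

# Constructed getprop dumps for three hypothetical devices.
NEXUS_PATCHED = """[ro.build.id]: [MMB29V]
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-02-01]
"""
OEM_BEHIND = """[ro.build.id]: [MMB29K]
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2015-12-01]
"""
KITKAT_NO_PROPERTY = """[ro.build.id]: [KTU84P]
[ro.build.version.release]: [4.4.4]
"""

_LINE = re.compile(r"\[([^\]]+)\]: \[(.*)\]")


def parse_getprop(text):
    """Turn `adb shell getprop` output into a dict; lines that do not match are ignored."""
    props = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_status(props, required=REQUIRED_PATCH_LEVEL):
    """Return (status, reported_level) where status is 'ok', 'outdated' or 'unknown'.

    'unknown' covers devices that do not report the property (assumed: pre-6.0 builds)
    or report something that is not a YYYY-MM-DD date.
    """
    level = props.get("ro.build.version.security_patch", "")
    try:
        year, month, day = (int(part) for part in level.split("-"))
        reported = date(year, month, day)
    except ValueError:
        return "unknown", level or "(property missing)"
    return ("ok" if reported >= required else "outdated"), level


def check_device(getprop_text):
    """Convenience wrapper: parse a dump and report its status plus build id."""
    props = parse_getprop(getprop_text)
    status, level = patch_status(props)
    return status, level, props.get("ro.build.id", "?")


if __name__ == "__main__":
    for name, dump in (("nexus", NEXUS_PATCHED), ("oem", OEM_BEHIND), ("kitkat", KITKAT_NO_PROPERTY)):
        print(name, check_device(dump))
```

For a fleet, the same logic runs over `adb -s <serial> shell getprop` output per device; the "unknown" result for builds without the property is deliberate, since treating a missing value as current would hide exactly the older handsets the article says remain exposed.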