Android Trojan Krysanec Comes Disguised as Legitimate Apps. Android Wroba banking trojan targeted Korean users. The Antivirus vendor Malwarebytes revealed that the Wroba banking trojan distributed via file sharing sites and alternative markets targeted Korean users. Today I presented at Cyber Threat Summit 2013 the topic “Modern online-banking cybercrime” and just a few hours after it is appeared the new Android banking Trojan targeting Korean banks. The number of malware families that targets the mobile platforms, in particular Android is exploded starting from 2010 as proposed in the following graph extracted from a recent report issued by F-Secure firm. As I explained in the presentation the trend for mobile malware is the design of malicious code able to infect both desktop and mobile devices to steal password and intercept transaction authorization codes used in two-factor authentication processes.
Hesperbot is one of most interesting malware detect recently, i t spreads via phishing messages and tries to infect mobile devices including Android Symbian and Blackberry, the malicious agent. AndroRAT drives the rise for DIY Android hacking tools. AndroRAT is an open-source tool that was created and published on the Internet in November 2012, it is a RAT (Remote Access Tool) for Android OS and exactly as any other RATs, it allows a remote attacker to control the victim.
Usually the RATs have a user friendly control panel that makes possible the control of victims, in the same way AndroRAT can control, make phone calls and send SMS messages of infected devices, it is also able to get its GPS coordinates, access to files stored on the handset and activate and use the microphone and camera. The fact that Android OS has increased its popularity has had as consequences an increase of malicious code developed for the Google’s platform, RATs included. The AndroRAT (Android.Dandro) appeared in the underground since last year, many forums have offered it to respond to the request of cybercrime ecosystem. “The RAT comes in the form of an APK which is the standard application format for Android. 1. Lock your device screen.2. Android Firefox Zero-Day exploit available on the underground. A researcher at Malwarebytes has discovered that a Russian hacker recently released an Android Firefox Zero-Day exploits on the underground.
A new Android Firefox Zero-Day Exploit is available on the underground market for sale, a Russian exploit writer known as “fil9” has proposed it in the open exploit market with a starting price of $460. The advertisement on the Android Firefox Zero-Day was discovered by Joshua Cannell, Malware Intelligence Analyst at Malwarebytes, on the exploit database Inj3ct0r. The Android Firefox Zero-Day Exploit works on Firefox versions 23/24/26 (Nightly) according the Russian hacker. The author included in the advertisement a proof of concept video to show how the hacker exploits the Android Firefox Zero-Day to download and execute a malicious app, just visiting a malicious link only. This last detail on way of infection is considered really concerning due the large number of compromised websites that serve malware to a wide audience of visitors.
Android bug batters Bitcoin wallets. High performance access to file storage Users of Android Bitcoin apps have woken to the unpleasant news that an old pseudo random number generation bug has been exploited to steal balances from users' wallets. The Bitcoin Foundation's announcement, here, merely states that an unspecified component of Android “responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft.”
Such wallets would include Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet. The problem is this: the elliptic curve digital signature algorithm – ECDSA – demands that the random number used to sign a private key is only ever used once. If the random number generator is used twice, the private key is recoverable. This blog post, describing a presentation given at the RSA conference in March, gives a hint at what's going on. Sophisticated Android Trojan Spreads Through Mobile Botnet. Researchers at Kaspersky Lab say a sophisticated piece of Google Android malware is being blasted out via a mobile botnet spamming victims with text messages containing malicious links.
The Trojan – Backdoor.AndroidOS.Obad.a – is being distributed alongside another Trojan known as SMS.AndroidOS.Opfake.a, Kaspersky Lab reported. To infect users, victims get hit with a text message declaring: "MMS message has been delivered, download from www.otkroi(dot)com. " "If a user clicks on the link, a file named mms.apk containing Trojan-SMS.AndroidOS.Opfake.a is automatically loaded onto the smartphone or tablet," explained Roman Unuchek, a security researcher with Kaspersky Lab, in a blog post. "The malware cannot be installed unless users then run it. " If they do, the command and control (C&C) server can instruct the Trojan to send out the following message to all the contacts in the victim’s address book: “You have a new MMS message, download at -
Pwn all the Androids, part II: Flaw in Java, hidden Trojan. High performance access to file storage Analysis Security researchers in China claim to have uncovered a second Android vulnerability that might be abused to modify smartphone apps without breaking their digital signatures. The flaw, discovered by the "Android Security Squad", stems from a Java-based issue (explained on a Chinese language blog here, Google translation here). The vulnerability is similar to the so-called master key vulnerability recently announced by researchers from mobile security start-up Bluebox Security and due to be explained in more depth in a upcoming presentation at Black Hat in Las Vegas at the start of next month.
Bluebox first notified Google about a potential problem back in February, months prior to going public on the issue. The practical effect of both flaws is the same: miscreants could upload Trojan-laden versions of Android application packages (.APK files) onto online marketplaces. Pack RAT Chinese whispers Stay away from those third-party apps. Android malware uses Google Cloud Messaging Service as C&C Server. Android malware exploits the Google Cloud Messaging Service (GCM) as Command and Control server. The Google service allows Android app developers to send messages using JSON format to installed apps, but hackers exploited it for malicious purposes. The discovery has been made by researchers at Kaspersky with a post on Securelist. The JSON format is commonly used by developers to structure their data within a container, it is very versatile and commonly used by many applications.
The Kaspersky Lab researchers have detected at least five different Android trojans that used JSON format: SMS.AndroidOS.FakeInst.aSMS.AndroidOS.Agent.aoSMS.AndroidOS.OpFake.aBackdoor.AndroidOS.Maxit.aSMS.AndroidOS.Agent.az. The authors of the malware in every case took advantage of Google Cloud Messaging Service to exchange messages between C&C services and the malicious app. Actually the only option for security experts is to block developer accounts with IDs linked to the registration of malicious applications. Google Releases Android Patches After Bitcoin Theft. Google has pushed out patches to partners to address a cryptographic vulnerability tied to the theft of bitcoins from Android users. According Android security engineer Alex Klyubin, applications that use the Java Cryptography Architecture (JCA) for key generation, signing or random number generation may not receive cryptographically strong values on Android devices because of improper initialization of the underlying PRNG.
"Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected," wrote Klyubin. "Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom. " In addition, Google has developed patches to ensure Android's OpenSSL PRNG is initialized correctly and provided them to Open Handset Alliance (OHA) partners.
Related Podcast: Android Security Under the Microscope (10:39) Download the MP3. Man In The Browser attacks scare banking world. The majority of financial service professionals considers Man In The Browser as the greatest threat to online banking, cybercrime increases its use. Man In The Browser attack, DDoS attacks, phishing are most insidious cyber threats against banking institutions. Last statistics proposed by principal security firms confirm that online banking is considered a lucrative business for cybercrime.
The large diffusion of online banking platforms, their openness to mobile and social networking platforms are attracting the attention of cyber-criminals that are concentrating their effort against online banking services. The first form of attacks was considered phishing, using social engineering tricks crocks are able to obtain banking credentials from unaware banking customers. The response of banking world was the improvement of authentication processes, a classic example is represented by rapid diffusion for multi-factor authentication such as OTPs (e.g. Pierluigi Paganini. Android malware spotted hitching a ride on mobile botnet. State of security operations Kaspersky Lab has reported the first sighting of mobile malware (Android, of course) that piggybacks on the back of a separate mobile botnet and uses the resources of other malware once it's installed.
"For the first time malware is being distributed using botnets that were created using completely different mobile malware," said Kaspersky Lab expert Roman Unuchek in a report. The culprit is trojan called Obad.a, which the company has already branded the most sophisticated piece of mobile malware it has spotted. It comes in 12 flavors so far, and usually spreads via SMS, hacked apps websites, or in the dodgier end of the Android market scene. Now it appears the Obad boys have teamed up with the makers of malware called Opfake.a, which uses a separate method of propagation by exploiting a flaw in Google Cloud Messaging.
Kaspersky have found more than a million installers of Opfake in circulation so far. Obad gets busy State of security operations. A look to Android offer in the underground mobile market. In the last months security firms have observed an increase in criminal activities that exploited Android OS supported by the proactive evolution of the offerings in the underground mobile market. Dancho Danchev is considered one of most accredited experts of the criminal underground and its evolution, he described numerous initiatives for monetization of illegal activities, he profiled the new comers DIY Android injectors and different services harvest mobile phone numbers advertised in the underground mobile market. We wrote on commercial availability DIY Android application decompiler/injector developed to work exclusively with a publicly obtainable Android-based trojan horse, a precious instrument for a cyber criminal that intend to create its own botnet . The data stealing apps present intriguing capabilities such as the possibility to steal WhatsApp messages on rooted devices, SMS messages, personal data stored on the mobile, user’s contacts.
Goolge has access to WiFi passwords stored in Android mobile devices. Google company might know every WiFi password in the world used by every single Android user, and extraordinary amount of sensitive data could be exposed. According a Michael Horowitz post published on Computer Word it is engough that an Android device has ever logged onto a WiFi network. Considering the capillary diffusion for the Android OS, that accounted for 79,3% market share at Q2 2013 according International Data Corporation, it is likely that Google can access most WiFi passwords worldwide. According privacy advocates and security experts Android OS has a built-in feature for backup mobile data including WiFi passwords.
Users that have experience with change of devices have noted the possibility to import passwords, personal data, application and device settings and login data, this is possible if they have set up Gmail address and password on their mobile. “Android devices have defaulted to coughing up WIFi passwords since version 2.2. Pierluigi Paganini. Android 4.4 KitKat also affected by Master Key vulnerability. The flaw known as “Android Master Key vulnerability” is considered a nightmare for Android OS, last July it was discovered for the first time and experts revealed that 99% of Android devices are vulnerable. The Master Key vulnerability allows hackers to modify any legitimate and digitally signed application in order to include malicious code that can be used to steal data or to gain remote control of the mobile device.
The Master Key vulnerability was discovered and responsibly disclosed by Bluebox Labs that demonstrated that the Android vulnerability allows app modification preserving signatures. The flaw was fixed later with Android 4.3 Jelly Bean version, Google adopted as countermeasure the modification of app submission process to the Play Store to avoid the publishing of malicious application that have been packaged using such exploit.
Anatomy of a file format problem – yet another code verification bypass in Android. Four months ago, the Android platform was stirred, though fortunately not too badly shaken in the end, by a pair of code verification holes. Simply put, you could add malware to a legitimate app - one from the Play Store, if you liked, complete with icons, branding and reputation - in such a way that Android's digital signature verification would consider it unaltered. From the helpless user's point of view, Google wouldn't just fail to warn about the app possibly being dodgy, it would actively assert that it was the a validated and unaltered item from the original, legitimate vendor.
Google, developers, users: everyone lost out except the crooks. Sloppy coding Both of those earlier holes came about as a consequence of sloppy coding to do with Android Package (APK) files, the format used for delivering apps. → Android and iOS low level code maestro Jay Freeman (better known as @saurik), amongst others, found this bug mid-2013 but forbore from writing it up until the patch was officially out. Fandroids at pranksters' mercy: Android remote password reset now live. Android users can now lock their handsets from afar as Google enables what looks like the perfect feature for office pranksters.
Making a lost Android handset ring and wiping all the data on a stolen device have been standard features in the advertising giant's mobile operating system for a while. Now, however, a mislaid Android handset can have a new password set remotely for when one's phone temporarily falls into the wrong hands. This device password-reset feature must be accessed via Google Play: thus, if you leave a PC or such a machine lying around while logged into the Play store, some wag can sneak over and now kick you out of your gadget. At least it's better than deleting all of your files. The reset-password-and-lock functionality was widely anticipated, but fan website Android Police noticed that it has this week arrived in the Device Manager available from the Google Play website. Hackers Exploit Default Apps to Install Malware on Samsung Galaxy S4.
Secluded HijackRAT: Monster mobile malware multitool from HELL. Once again Android Smartphone from China with pre-installed malware. New Android Malware Targets Banking Apps, Phone Information: FireEye. Android banking apps vulnerable to cash theft by CAS hole hackers. SMS Worm Hits Chinese Users Hard, Installs Android Backdoor. Researchers Hide Android Applications in Image Files. Trojan hides in Google Play games, uses steganography to find more malicious code to run.