Android Trojan Krysanec Comes Disguised as Legitimate Apps. Android Wroba banking trojan targeted Korean users. AndroRAT drives the rise for DIY Android hacking tools. AndroRAT is an open-source tool that was created and published on the Internet in November 2012, it is a RAT (Remote Access Tool) for Android OS and exactly as any other RATs, it allows a remote attacker to control the victim.
Usually the RATs have a user friendly control panel that makes possible the control of victims, in the same way AndroRAT can control, make phone calls and send SMS messages of infected devices, it is also able to get its GPS coordinates, access to files stored on the handset and activate and use the microphone and camera. The fact that Android OS has increased its popularity has had as consequences an increase of malicious code developed for the Google’s platform, RATs included.
The AndroRAT (Android.Dandro) appeared in the underground since last year, many forums have offered it to respond to the request of cybercrime ecosystem. “The RAT comes in the form of an APK which is the standard application format for Android. 1. Android Firefox Zero-Day exploit available on the underground. A researcher at Malwarebytes has discovered that a Russian hacker recently released an Android Firefox Zero-Day exploits on the underground.
A new Android Firefox Zero-Day Exploit is available on the underground market for sale, a Russian exploit writer known as “fil9” has proposed it in the open exploit market with a starting price of $460. The advertisement on the Android Firefox Zero-Day was discovered by Joshua Cannell, Malware Intelligence Analyst at Malwarebytes, on the exploit database Inj3ct0r. The Android Firefox Zero-Day Exploit works on Firefox versions 23/24/26 (Nightly) according the Russian hacker. Android bug batters Bitcoin wallets. High performance access to file storage Users of Android Bitcoin apps have woken to the unpleasant news that an old pseudo random number generation bug has been exploited to steal balances from users' wallets.
The Bitcoin Foundation's announcement, here, merely states that an unspecified component of Android “responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft.” Such wallets would include Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet. Sophisticated Android Trojan Spreads Through Mobile Botnet. Researchers at Kaspersky Lab say a sophisticated piece of Google Android malware is being blasted out via a mobile botnet spamming victims with text messages containing malicious links.
The Trojan – Backdoor.AndroidOS.Obad.a – is being distributed alongside another Trojan known as SMS.AndroidOS.Opfake.a, Kaspersky Lab reported. To infect users, victims get hit with a text message declaring: "MMS message has been delivered, download from www.otkroi(dot)com. " "If a user clicks on the link, a file named mms.apk containing Trojan-SMS.AndroidOS.Opfake.a is automatically loaded onto the smartphone or tablet," explained Roman Unuchek, a security researcher with Kaspersky Lab, in a blog post. "The malware cannot be installed unless users then run it. " If they do, the command and control (C&C) server can instruct the Trojan to send out the following message to all the contacts in the victim’s address book:
Pwn all the Androids, part II: Flaw in Java, hidden Trojan. High performance access to file storage Analysis Security researchers in China claim to have uncovered a second Android vulnerability that might be abused to modify smartphone apps without breaking their digital signatures.
The flaw, discovered by the "Android Security Squad", stems from a Java-based issue (explained on a Chinese language blog here, Google translation here). The vulnerability is similar to the so-called master key vulnerability recently announced by researchers from mobile security start-up Bluebox Security and due to be explained in more depth in a upcoming presentation at Black Hat in Las Vegas at the start of next month. Bluebox first notified Google about a potential problem back in February, months prior to going public on the issue. The practical effect of both flaws is the same: miscreants could upload Trojan-laden versions of Android application packages (.APK files) onto online marketplaces. Android malware uses Google Cloud Messaging Service as C&C Server.
Android malware exploits the Google Cloud Messaging Service (GCM) as Command and Control server.
The Google service allows Android app developers to send messages using JSON format to installed apps, but hackers exploited it for malicious purposes. The discovery has been made by researchers at Kaspersky with a post on Securelist. The JSON format is commonly used by developers to structure their data within a container, it is very versatile and commonly used by many applications. Google Releases Android Patches After Bitcoin Theft. Google has pushed out patches to partners to address a cryptographic vulnerability tied to the theft of bitcoins from Android users.
According Android security engineer Alex Klyubin, applications that use the Java Cryptography Architecture (JCA) for key generation, signing or random number generation may not receive cryptographically strong values on Android devices because of improper initialization of the underlying PRNG. "Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected," wrote Klyubin. "Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom.
" In addition, Google has developed patches to ensure Android's OpenSSL PRNG is initialized correctly and provided them to Open Handset Alliance (OHA) partners. Related Podcast: Man In The Browser attacks scare banking world. The majority of financial service professionals considers Man In The Browser as the greatest threat to online banking, cybercrime increases its use.
Man In The Browser attack, DDoS attacks, phishing are most insidious cyber threats against banking institutions. Last statistics proposed by principal security firms confirm that online banking is considered a lucrative business for cybercrime. The large diffusion of online banking platforms, their openness to mobile and social networking platforms are attracting the attention of cyber-criminals that are concentrating their effort against online banking services.
The first form of attacks was considered phishing, using social engineering tricks crocks are able to obtain banking credentials from unaware banking customers. Android malware spotted hitching a ride on mobile botnet. State of security operations Kaspersky Lab has reported the first sighting of mobile malware (Android, of course) that piggybacks on the back of a separate mobile botnet and uses the resources of other malware once it's installed.
"For the first time malware is being distributed using botnets that were created using completely different mobile malware," said Kaspersky Lab expert Roman Unuchek in a report. The culprit is trojan called Obad.a, which the company has already branded the most sophisticated piece of mobile malware it has spotted.
It comes in 12 flavors so far, and usually spreads via SMS, hacked apps websites, or in the dodgier end of the Android market scene. Now it appears the Obad boys have teamed up with the makers of malware called Opfake.a, which uses a separate method of propagation by exploiting a flaw in Google Cloud Messaging. A look to Android offer in the underground mobile market. In the last months security firms have observed an increase in criminal activities that exploited Android OS supported by the proactive evolution of the offerings in the underground mobile market.
Dancho Danchev is considered one of most accredited experts of the criminal underground and its evolution, he described numerous initiatives for monetization of illegal activities, he profiled the new comers DIY Android injectors and different services harvest mobile phone numbers advertised in the underground mobile market. We wrote on commercial availability DIY Android application decompiler/injector developed to work exclusively with a publicly obtainable Android-based trojan horse, a precious instrument for a cyber criminal that intend to create its own botnet . The data stealing apps present intriguing capabilities such as the possibility to steal WhatsApp messages on rooted devices, SMS messages, personal data stored on the mobile, user’s contacts.
Goolge has access to WiFi passwords stored in Android mobile devices. Google company might know every WiFi password in the world used by every single Android user, and extraordinary amount of sensitive data could be exposed. According a Michael Horowitz post published on Computer Word it is engough that an Android device has ever logged onto a WiFi network. Considering the capillary diffusion for the Android OS, that accounted for 79,3% market share at Q2 2013 according International Data Corporation, it is likely that Google can access most WiFi passwords worldwide.
According privacy advocates and security experts Android OS has a built-in feature for backup mobile data including WiFi passwords. Users that have experience with change of devices have noted the possibility to import passwords, personal data, application and device settings and login data, this is possible if they have set up Gmail address and password on their mobile. Android 4.4 KitKat also affected by Master Key vulnerability.
The flaw known as “Android Master Key vulnerability” is considered a nightmare for Android OS, last July it was discovered for the first time and experts revealed that 99% of Android devices are vulnerable. The Master Key vulnerability allows hackers to modify any legitimate and digitally signed application in order to include malicious code that can be used to steal data or to gain remote control of the mobile device. The Master Key vulnerability was discovered and responsibly disclosed by Bluebox Labs that demonstrated that the Android vulnerability allows app modification preserving signatures. The flaw was fixed later with Android 4.3 Jelly Bean version, Google adopted as countermeasure the modification of app submission process to the Play Store to avoid the publishing of malicious application that have been packaged using such exploit.
Anatomy of a file format problem – yet another code verification bypass in Android. Four months ago, the Android platform was stirred, though fortunately not too badly shaken in the end, by a pair of code verification holes. Simply put, you could add malware to a legitimate app - one from the Play Store, if you liked, complete with icons, branding and reputation - in such a way that Android's digital signature verification would consider it unaltered.
From the helpless user's point of view, Google wouldn't just fail to warn about the app possibly being dodgy, it would actively assert that it was the a validated and unaltered item from the original, legitimate vendor. Google, developers, users: everyone lost out except the crooks. Sloppy coding Both of those earlier holes came about as a consequence of sloppy coding to do with Android Package (APK) files, the format used for delivering apps. → Android and iOS low level code maestro Jay Freeman (better known as @saurik), amongst others, found this bug mid-2013 but forbore from writing it up until the patch was officially out. Fandroids at pranksters' mercy: Android remote password reset now live. Android users can now lock their handsets from afar as Google enables what looks like the perfect feature for office pranksters. Making a lost Android handset ring and wiping all the data on a stolen device have been standard features in the advertising giant's mobile operating system for a while.
Now, however, a mislaid Android handset can have a new password set remotely for when one's phone temporarily falls into the wrong hands. Hackers Exploit Default Apps to Install Malware on Samsung Galaxy S4. Researchers Demonstrate Exploits Against Mobile Platforms at Mobile Pwn2Own 2013 This week at the Mobile Pwn2Own hacking contest taking place at the PacSec Applied Security Conference in Tokyo, Japan, a team of security researchers demonstrated exploits against several applications installed by default on Samsung Galaxy S4 smartphones that enabled them to silently install a malicious application and steal sensitive data.
Team MBSD, of Japanese firm Mitsui Bussan Secure Directions, Inc., earned $40,000 for their exploit efforts which enabled them to successfully compromise the Samsung device running Google’s Android. “This team exploited multiple apps, installed by default on the Samsung Galaxy S4 to install malware and steal confidential data,” HP’s Heather Goudey explained in a blog post. “In order for the exploit to be successful, the affected user must first be lured to an attacker-controlled malicious website. The vulnerability was disclosed to Samsung, HP said. Secluded HijackRAT: Monster mobile malware multitool from HELL. Build a Business Case: Developing Custom Apps Cybercrooks have brewed up a malicious Android app that bundles a raft of banking fraud tricks into a single strain of mobile malware.
The Secluded HijackRAT is banking trojan that packs together new and previously unseen tricks, according to net security firm FireEye. The mobile nasty combines private data theft, banking credential theft, spoofing and remote access into a single malicious app. Android malware to date typically has only had one of these capabilities built-in. Under the control of hackers, the app steals SMSes and contact lists and can send SMSes. The current version of the malicious app scans for eight Korean banking apps and replace them with fake ones. "While it is limited to just the 8 Korean banks right now, the hacker could easily add in the functionality for any other bank with about 30 minutes of work," according to FireEye. Once again Android Smartphone from China with pre-installed malware. It’s not a mystery that many Android Smartphone comes with pre-installed applications, unfortunately some of them could hide an ugly surprise for the owner, a malware that can steal user’s data.
In April the Chinese TV station, CCTV, reported some cases where the Android Smartphone were compromised by pre-installed malware before selling them on to unwitting customers. The Smartphone supply chain was compromised by a pre-installed malware called DataService, researchers at Kaspersky identified the pre-installed malware as Trojan.AndroidOS.Uupay.a, an insidious agent that interacts with other resident Android apps to steal mobile info, push ads and download the specific web content, including other apps from unofficial stores. New Android Malware Targets Banking Apps, Phone Information: FireEye. Android banking apps vulnerable to cash theft by CAS hole hackers. SMS Worm Hits Chinese Users Hard, Installs Android Backdoor. Researchers Hide Android Applications in Image Files. AMSTERDAM - BLACK HAT EUROPE - Researchers have found a way to trick Android users into executing potentially malicious applications by hiding them inside innocent-looking image files.
Axelle Apvrille, mobile/IoT malware analyst and researcher at Fortinet, and Ange Albertini, reverse engineer and author of Corkami.com, have created an application that can be used to encrypt an APK to make it look like a PNG image file. Trojan hides in Google Play games, uses steganography to find more malicious code to run.