For malware writers, Google Play is the promised land of sorts. Once there, a malicious application gains access to a wide audience, gains the trust of that audience and experiences a degree of leniency from the security systems built into operating systems. On mobile devices, users typically cannot install applications coming from sources other than the official store, meaning this is a serious barrier for an app with malicious intent. However, it is far from easy for the app to get into Google Play: one of the main conditions for it is to pass a rigorous check for unwanted behavior by different analysis systems, both automatic and manual.
Some malware writers have given up on their efforts to push their malicious creations past security checks, and instead learned how to use the store’s client app for their unscrupulous gains. Lately, we have seen many Trojans use the Google Play app during promotion campaigns to download, install and launch apps on smartphones without the owners’ knowledge, as well as leave comments and rate apps. The apps installed by the Trojan do not typically cause direct damage to the user, but the victim may have to pay for the created excessive traffic. In addition, the Trojans may download and install paid apps as if they were free ones, further adding to the users’ bills.
In early June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The police suspected Lurk of stealing nearly three billion rubles, using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations, including banks. For Kaspersky Lab, these arrests marked the culmination of a six-year investigation by the company’s Computer Incidents Investigation team. We are pleased that the police authorities were able to put the wealth of information we accumulated to good use: to detain suspects and, most importantly, to put an end to the theft. We ourselves gained more knowledge from this investigation than from any other. This article is an attempt to share this experience with other experts, particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks.
Last month ESET researchers wrote an article about a new OS X malware called OSX/Keydnap, built to steal the content of OS X’s keychain and maintain a permanent backdoor. At that time of the analysis, it was unclear how victims were exposed to OSX/Keydnap. To quote the original article: “It could be through attachments in spam messages, downloads from untrusted websites or something else.”
During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be “something else”. It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.
A destructive ransomware program deletes files from web servers and asks administrators for money to return them, though it's not clear if attackers can actually deliver on this promise.
Dubbed FairWare, the malicious program is not the first ransomware threat to target Linux-based web servers but is the first to delete files. Another program called Linux.Encoder first appeared in November and encrypted files, but did so poorly, allowing researchers to create recovery tools.
After attackers hack a web server and deploy FairWare, the ransomware deletes the entire web folder and then asks for two bitcoins (around US$1,150) to restore them, Lawrence Abrams, the founder of tech support forum BleepingComputer.com, said in a blog post.
Thousands of remote villagers in Guatemala and South Africa are living off the grid, but their personal information isn't.
Chris Vickery, lead security researcher of the MacKeeper security research team, discovered an unprotected database with no password over two months ago. Anyone who knew the database was there could access more than 40 gigabytes of customer data.
Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials. or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process.
A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter.
“Google’s login page accepts a vulnerable GET parameter, namely ‘continue’. As far as I can determine, this parameter undergoes a basic check,” Aidan Woods, the researcher who discovered the bug, wrote in an explanation of the flaw.