System Update: New Android Malware - Security Boulevard

Posted: 30 Mar 2021 11:18 AM PDT

Researchers have discovered a new Android app called "System Update" that is a sophisticated Remote-Access Trojan (RAT). From a news article:

The broad range of data that this sneaky little bastard is capable of stealing is pretty horrifying. It includes: instant messenger messages and database files; call logs and phone contacts; WhatsApp messages and databases; pictures and videos; all of your text messages; and information on pretty much everything else that is on your phone (it will inventory the rest of the apps on your phone, for instance).

The app can also monitor your GPS location (so it knows exactly where you are), hijack your phone's camera to take pictures, review your browser's search history and bookmarks, and turn on the phone mic to record audio.

The app's spying capabilities are triggered whenever the device receives new information. Researchers write that the RAT is constantly on the lookout for "any activity of interest, such as a phone call, to immediately record the conversation, collect the updated call log, and then upload the contents to the C&C server as an encrypted ZIP file." After thieving your data, the app will subsequently erase evidence of its own activity, hiding what it has been doing.

This is a sophisticated piece of malware. It feels like the product of a national intelligence agency or — and I think more likely — one of the cyberweapons arms manufacturers that sells this kind of capability to governments around the world.

*** This is a Security Bloggers Network syndicated blog from Schneier on Security authored by Bruce Schneier. Read the original post at: https://www.schneier.com/blog/archives/2021/03/system-update-new-android-malware.html

Fake 'System Update' App Targets Android Users - BankInfoSecurity.com

Posted: 30 Mar 2021 11:04 AM PDT


Malware Steals Data, Messages, Images; Takes Control of Phones
Fake 'System Update' App Targets Android Users

Android device users are being targeted by a sophisticated spyware app that disguises itself as a "system update" application, warns mobile security firm Zimperium zLabs.


The app can steal data, messages and images and take control of phones. Once in control, the hackers can record audio and phone calls, take photos, review browser history, access WhatsApp messages and more, the security firm says.

Mobile phone use poses a significant cyber risk for businesses, The Defence Works, a subsidiary of cybersecurity company Proofpoint, says in a recent report. "The largest risk to businesses from breached mobile devices is that sensitive company - or even customer - data could be directly exposed to cyberattackers and used fraudulently or in further attacks," the report states.

Spyware Is a RAT

Zimperium zLabs says the malicious Android app it discovered functions as a remote access Trojan that receives and executes commands to collect and exfiltrate a wide range of data and perform malicious actions. Those include stealing instant messenger messages and database files - if root is available; inspecting the default browser's bookmarks and searches; inspecting the bookmark and search history from Google Chrome, Mozilla Firefox and Samsung Internet Browser; and searching for files with specific extensions, including .pdf, .doc, .docx, and .xls, .xlsx.

Other capabilities include recording audio and phone calls; periodically taking pictures through the front or back cameras; listing the installed applications; stealing images and videos; monitoring the GPS location; stealing SMS messages and phone contacts, including call logs; exfiltrating device information (e.g. installed applications, device name, storage stats); and concealing its presence by hiding the icon from the device's drawer/menu.

Malware Analysis

The Zimperium zLabs researchers note that Google confirmed that the app has never been available on Google Play. It's available only in a third-party store, which the researchers did not identify in their report. Once the app is downloaded, the Android device is registered with the Firebase command and control and reports to the attackers such details as presence or absence of WhatsApp, battery percentage, storage stats and the type of internet connection, the Zimperium zLabs researchers say.

"Options to update the mentioned device information exist as "update" and "refreshAllData," the difference being, in "update," the device information alone is being collected and sent to C&C, whereas in "refreshAllData," a new Firebase token is also generated and exfiltrated," says Aazim Yaswant, Android malware analyst at Zimperium zLabs. "The spyware's functionality and data exfiltration are triggered under multiple conditions, such as a new contact added, new SMS received or a new application installed by making use of Android's ContentObserver and Broadcast receivers."

The researchers note that the commands received through the Firebase messaging service initiate actions, such as recording of audio from the microphone and exfiltration of data, such as SMS messages.

"The Firebase communication is used to issue the commands, and a dedicated C2 server is used to collect the stolen data by using a POST request," Yaswant says.

The spyware looks for any activity of interest, such as a phone call, to immediately record the conversation, collect the updated call log and then upload the contents to the C2 server as an encrypted ZIP file. To leave no trace of its malicious actions, it deletes the files as soon as it receives a "success" response from the C2 server on successfully receiving the uploaded files, the researchers explain.

"Along with the command "re" for recording the audio from the microphone, the parameters received are "from time" and "to time," which are used to schedule a OneTimeWorkRequest job to perform the intended malicious activity," according to the researchers. "Such usage of job scheduling can be affected by battery optimizations applied on applications by the Android OS, due to which, the spyware requests permission to ignore battery optimizations and function unhindered."

Other Capabilities

Users of the malicious app are asked to enable accessibility services, which opens the door to collecting conversations and message details from WhatsApp by scraping the content on the screen after detecting that the package name of the top window matches com.whatsapp. This collected data is then stored within a SQLite database, the researchers say.

"In addition to collecting the messages using the accessibility services, if root access is available, the spyware steals the WhatsApp database files by copying them from WhatsApp's private storage," Yaswant notes.

The spyware also steals clipboard data by registering clipboard listeners in the same way as it spies on SMS, GPS location, contacts, call logs, and notifications. The listeners, observers and broadcasted intents are used to perform actions, such as recording phone calls and collecting the thumbnails of newly captured images/videos by the victim.

"The Android device's storage is searched for files smaller than 30MB and having file extensions from the list of "interesting" types (.pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx) to be copied to the private directory of the application and encrypted as a folder before exfiltration to the C2 server," the researchers note.

The spyware has the capability to access and steal contents cached and stored in external storage, Yaswant explains. "In an attempt to not exfiltrate all the images/videos, which can usually be quite large, the spyware steals the thumbnails which are much smaller in size," he says. "This would also significantly reduce the bandwidth consumption and avoid showing any sign of data exfiltration over the internet (assisting in evading detection). When the victim is using Wi-Fi, all the stolen data from all the folders is sent to the C2, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C2."

The spyware also steals victims' bookmarks and search history from browsers such as Google Chrome, Mozilla Firefox and the Samsung Internet Browser.
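The "Malware Analysis" and "Other Capabilities" sections above describe a recognisable combination of declared Android components: an accessibility service (used to scrape WhatsApp's screen content), a Firebase messaging receiver (used as the command channel), a request to be exempted from battery optimizations (so scheduled recording jobs are not throttled), and a cluster of data-collection permissions covering audio, call logs, SMS, contacts, camera, location and storage. The following Python script is an added defensive triage example, not Zimperium's tooling and not code from the spyware or from the article: it scores a decoded AndroidManifest.xml for that combination so an analyst can prioritise which sideloaded APKs to inspect by hand. The sample manifests, the package name and the weights are constructed for the example; the permission names and intent actions are the real Android and Firebase identifiers. A high score is a reason to look closer, not a verdict, since legitimate apps use several of these features individually.

```python
"""Static triage of a decoded AndroidManifest.xml for the feature combination
the Zimperium zLabs report attributes to the "System Update" spyware.

Added example (assumptions: weights and sample manifests are constructed;
input is a decoded manifest such as apktool produces, not the binary XML).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the capabilities named in the report, with arbitrary
# weights chosen for this example. REQUEST_IGNORE_BATTERY_OPTIMIZATIONS is
# weighted higher because the report calls it out explicitly.
DATA_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.CAMERA": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 2,
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
FIREBASE_ACTION = "com.google.firebase.MESSAGING_EVENT"


def _intent_actions(component):
    """Yield the intent-filter action names declared on a service/receiver."""
    for flt in component.findall("intent-filter"):
        for action in flt.findall("action"):
            yield action.get(ANDROID_NS + "name")


def triage_manifest(xml_text):
    """Return (score, findings) for a decoded manifest string."""
    root = ET.fromstring(xml_text)
    findings = {}

    declared = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    for name, weight in DATA_PERMISSIONS.items():
        if name in declared:
            findings[name] = weight

    app = root.find("application")
    if app is not None:
        for svc in app.findall("service"):
            actions = set(_intent_actions(svc))
            if ACCESSIBILITY_ACTION in actions:
                findings["accessibility-service"] = 3
            if FIREBASE_ACTION in actions:
                findings["firebase-messaging-service"] = 1
        # Only meaningful when the label is a literal, not a @string reference.
        label = (app.get(ANDROID_NS + "label") or "").lower()
        if "update" in label:
            findings["update-themed-label"] = 1

    return sum(findings.values()), findings


def verdict(score, threshold=8):
    """Coarse bucket for an analyst queue; the threshold is an assumption."""
    return "review" if score >= threshold else "low"


# Constructed sample: the feature set the report describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="System Update">
    <service android:name=".WatchService">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".PushService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary camera app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photos">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Photo Booth"/>
</manifest>"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        score, found = triage_manifest(text)
        print(name, score, verdict(score), sorted(found))
```

Run it on the output of `apktool d sample.apk` (the decoded `AndroidManifest.xml`) to get a first ranking; the interesting signal is the co-occurrence of the accessibility service, the Firebase receiver and the battery-optimization exemption, which is why those carry the most weight rather than any single permission.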

Coping with a Hacked Phone: One Tech Expert's Response - Datamation

Posted: 30 Mar 2021 02:03 PM PDT

Several years ago, the idea of hacking a cell phone was considered such a non-possibility that "60 Minutes" even did a piece on the topic. But as cell phones have become hand-sized computers, smart thieves have figured out how to hack them.

It has become a huge problem not only for all of us, but also for employers that are struggling to keep their enterprises safe as more employees deploy their digital identities across a broader range of devices.

Let me tell you a story about what happened to me and what you can do if – when? – it happens to you.

My Case in Point

A few weeks ago, I had a power spike that caused my home's Internet and TV to go out. My provider replaced our fiber-to-ethernet converter. But I had a continuing issue with one of my ethernet routers.

So I needed to reach out again to my provider, Sonic. Using Google on the phone for customer service, I initially ended up talking to the fast-food restaurant with the same name. I added "Internet" to create a long-tail search. In the box from Google was my provider's customer service number, with no URL. I called – the process sounded identical to Sonic.

It was only later that I learned I was not talking to Sonic. I was talking to a clever thief. He expertly acted out the role of a helpful call center support rep as he began "troubleshooting" the problem. Even so, the more he talked, the more suspicious I got. I hung up the minute he wanted to view my accounts to verify my identity. I was left with a sinking feeling in my stomach. What did the thief get?

I moved quickly. I reached out to security experts that I know in the #CIOChat, one of whom is a CISO at a major company. He walked through what happened. He asked me one very important question:

Did I see a power drain on my cell phone or need to attach to power?

Yes, unfortunately.

He said this occurred because the thief was downloading everything on my phone, including the passwords to my apps. Before we talked, I had already deleted the application and put the phone in airplane mode.

But that's turned out to be just the start of what I need to do. So let me walk you through what the CISO told me and what I've learned from talking with the cell phone manufacturer, Apple.

The Roadmap Forward

The first thing to do is to turn your phone on airplane mode. (Hey, I got that right!) Then delete any application that the thief had you install and delete everything in your cell phone's wallet. (That, too!)

After that, get the earliest possible appointment with your wireless provider. (During COVID-19, AT&T is accepting only limited numbers of people in their stores.) Get the support person at the store to do a factory reset of your phone, so the thief cannot do additional damage. I chose to get a new cellphone because it is possible that the thief laid down an app that could survive the factory reinstall process.

With this completed, turn your attention to your credit cards. Cancel all credit cards in the wallet or connected to your Apple or Google ID. Then, change the passwords for all accounts on the phone.

I realized, at this point, that the anatomy of my passwords needed to change radically because the thief had a large amount of information about me and my family. It is critical to change your Apple ID and Google ID as quickly as possible. I did both. Next, inspect your phone in airplane mode and write down your financial accounts, your other apps with passwords, your work apps, and your potentially exposed information.

At this point, file a security incident with your company. It is essential to know what corporate accounts are potentially exposed. And do this as soon as possible. I was told by the CISO this is so you can protect yourself, especially if the thieves' real goal was to hack into your company. I later learned that these steps met with the approval of my company's security department.

Calling Support

At this point, I called Apple Support. They were extremely helpful. They instructed me on how to change my Apple ID on my PC. They also told me that doing a factory restore is not enough.

Instead, you will restore apps using purchase history one by one. This means that only known "good apps" are restored onto the new phone. This takes more time. But you have the peace of mind that you have a clean, safe phone. The critical words to look for are "no transfer of information." Given this, make an appointment with your cell phone provider. Have the customer service person reset the old phone to factory install.

However, for me, this meant potentially re-exposing my Apple ID password even though we were only on WiFi. To be safe I changed my password again. With this complete, it was on to the computer.

Change your computer login and other apps that may have been compromised on your phone. At this point, I noticed an attempt to make purchases on my Amazon account. Wherever possible, do not only change your password. Also move to two-factor authentication.

Honestly, the thief failed to make purchases because my phone encrypted the three-digit code on the back of my credit cards. With this complete, you can now complete the restore of your phone apps. Make sure along the way to use a different password basis between personal and work accounts. With this complete, you are ready to reconnect company apps, including token-producing apps, following your company policy.

A Long 12 Hours

Honestly, it took 12 plus hours to fix everything. But since there was no guide for what to do, I thought I would help others think through what I had to learn. In our digitally connected world, very few of us have not been scammed at some point.

If it hasn't happened to you, trust me when I say that you will feel violated in some way. I will never forget some of the arrogance of the thief while I was on the phone with him. Especially, I remember when he said he could see everything.

Thieves are only going to get better. They are already hijacking the social presence of organizations. The fact that they managed to manipulate Google AdWords to be at the top of search is nothing short of scary. In this environment, they are only going to become more sophisticated. Maybe regulation and increased enforcement will help. In the meantime, we all have to become more vigilant and quick to respond when we are hacked.

WhatsApp May Soon Start Encrypting Your Cloud Backups - MUO - MakeUseOf

Posted: 08 Mar 2021 12:00 AM PST
