Knowing is Owning


Wednesday, 17 January 2018

Skygofree Android Malware with the Ability to Steal WhatsApp Messages

Security researchers have identified a sophisticated piece of software that has been used to gain full control of people’s Android phones and steal information.
The “Skygofree” spyware implant has been in use since 2014, according to researchers at Russia’s Kaspersky Lab. The team noted that it had interesting functionality that had never been seen in the wild before.

(Image: Skygofree Android Malware Steals WhatsApp Messages)
In the malware's arsenal is the ability to track user location, record audio when the target’s phone enters a specific location, connect to attacker-controlled networks, monitor messaging apps, intercept text messages, take photographs, and much more. Kaspersky says its capabilities are “similar to Hollywood spy movies.”

The tool, which is “spread through web pages mimicking leading mobile network operators,” can also be used to steal WhatsApp messages, Kaspersky Lab said. The researchers added that Skygofree was “also capable of taking pictures and videos, seizing call records, SMS, geolocation, calendar events and business-related information stored in the device’s memory.”

This appears to be a high-end piece of spyware. With the victims so far all appearing to be in Italy, Kaspersky Lab suggested that whoever created the surveillance tool was likely Italian as well.

“Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like Hacking Team,” Kaspersky Lab malware analyst Alexey Firsh said in a statement.

Italy’s Hacking Team security firm hit the headlines a few years back when the company was itself hacked, revealing how it had provided surveillance tools to a variety of foreign governments. These included the human-rights-violating regimes of countries such as Egypt, Uzbekistan, and Sudan, and in 2016 the Italian government responded by revoking Hacking Team’s export license.

Although Skygofree seems to have been most widely distributed in 2015, Kaspersky Lab said its surveillance campaign was still ongoing.


Saturday, 14 October 2017

New Android Ransomware Gets Activated by Home Button; Encrypts Data & Changes PIN Code

Security researchers have discovered a new Android ransomware that encrypts data on the infected device and then changes its PIN code to make sure that victims are completely locked out of their devices unless they give in to the criminals' demands. Aptly dubbed DoubleLocker, this latest strain of Android ransomware is distributed through fake Adobe Flash Player downloads on malicious websites.

Misusing Android accessibility services, DoubleLocker is activated once the fake Adobe Flash Player app is launched. The app requests activation of the malware’s accessibility service, named “Google Play Service,” after which it uses these accessibility permissions to activate device administrator rights and set itself as the default Home application without user consent.
Setting itself as the launcher makes this Android ransomware more persistent, since whenever the user presses the Home button, the ransomware gets activated. The only way to get rid of DoubleLocker is a factory reset, researchers said.

If you, however, use a rooted Android device, security researchers said that you can get past the PIN lock without a factory reset. “For the method to work, the device needed to be in the debugging mode before the ransomware got activated.”
If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed.

This Android ransomware could be used to steal banking credentials in the future

DoubleLocker is developed on the foundations of a banking trojan. While it currently doesn’t have the modules to steal users’ banking credentials, the functionality could be easily added in the future.

“Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers,” Lukáš Štefanko, the ESET researcher who discovered DoubleLocker, said. “Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom.”
Right now, the malware is specifically focused on extorting money from its victims by locking them out of their devices. The ransom has been set to 0.0130 BTC (approximately USD 73 at the time of this writing) with the criminals having added a message that it needs to be paid within 24 hours. ESET added that even after 24 hours, the attackers aren’t wiping the data as it remains encrypted.

Here's how to protect yourself from Android malware:

1. Don't open files that you don't recognize.
2. Don't install apps from third-party sources.
3. Install updates as soon as they become available.
4. Use anti-virus software on all Android-based devices.

Also, any user who even glances at the permissions the app asks for should be fine, since the request essentially announces that the app will change your password and erase your data.


Friday, 28 July 2017

Google Play Apps with Malware capable of Controlling Your Android Device

In a security blog post, Google says it discovered the new batch of apps, known as Lipizzan, while investigating another spyware family, Chrysaor. Google says there is evidence that the code contains references to the cyber-arms company Equus Technologies.
The apps found in the Play Store are refined, two-stage tools that imitated innocuous-sounding apps such as 'backup' or 'cleaner'. Once downloaded and installed, a 'license verification' stage would survey the device and exploit known vulnerabilities to 'root' devices running older versions of Android. This allowed the code to bypass security protections built into the operating system.
“We’re guessing that the malware was designed to target older versions of Android that are no longer being patched and which are more common in developing countries,” Andrew Blaich, a security researcher at Lookout, told The Register this week at the Black Hat conference in Las Vegas.

The apps were capable of secretly carrying out tasks like call recording, VOIP recording, recording from the device microphone, location monitoring, taking screenshots, taking photos with the device cameras, fetching device information and files and other user information like contacts, call logs, SMS, and application specific data.

The data collected could be taken from apps including Gmail, Hangouts, LinkedIn, Skype, and Snapchat, and the spyware also collected messages sent and received by WhatsApp, Telegram, and Viber, which encrypt data in transit to make it difficult for attackers to intercept messages on their way to their destination.

Read: Be Internet Awesome by Google, to protect kids from scams, predators and other trouble online

Google has blocked the developers and the apps from the Android ecosystem and Google Play Protect has removed the apps from the affected devices.

The company suggests Android users protect themselves from similar spyware infections by ensuring they're opted in to Google Play Protect, avoiding third-party app stores, keeping unknown sources disabled while not using the device and keeping the device patched with the latest security updates.

Sunday, 11 June 2017

A notorious 'DVMAP' Malware Infects Android Smartphones, Are you SAFE?

Android malware has been around for many years, but the surge in recent attacks is appalling.
A new Android malware, Dvmap, uses a new technique to infect Android smartphones. Dvmap is a very unusual rooting malware: it uses a variety of new techniques, but the most interesting is that it injects malicious code into the system libraries. It is the first Android malware that injects malicious code into the system libraries at runtime.

The Trojan has been downloaded from Google's Playstore over 50,000 times since March 2017 and is a particularly dangerous form of malware because it can inject code into the system library and remove root-detection features designed to detect malicious intrusions.

Detected by cybersecurity researchers at Kaspersky Lab, the Dvmap trojan is not only capable of obtaining root access rights (root is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. It is also referred to as the root account, root user and the superuser) on Android devices but has the ability to monitor information and install other applications.

Dvmap disguised itself as a game called 'colourblock' on Google Play and managed to bypass the store's security checks by first uploading a clean version of the app in March. Shortly afterwards, the authors updated it to a malicious version for a short time before reverting to the clean version. Researchers say they did this at least five times in the space of four weeks, successfully tricking Google Play each time.

Once installed on the device, the trojan first runs a root exploit and then installs several tools (which appear to contain comments in Chinese, potentially pointing to the malware authors) in order to run its main phase, which overwrites Android's own code with malicious code. Researchers note that this could be "very dangerous" and cause some devices to crash.
If successfully installed and executed, Dvmap can connect to a command-and-control server, but on the device being investigated it received no commands. Researchers suggest that if allowed to run, additional malware or advertising files could be installed on the device.

Conclusions

This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques, including patching system libraries. It installs malicious modules with different functionality into the system. It looks like its main purpose is to get into the system and execute downloaded files with root rights.
Those worried they may have been infected by Dvmap are advised to back up all their data and perform a factory data reset of their device.
Kaspersky Lab has reported the Trojan to Google, and it has now been removed from the store - but it represents just the latest instance of malicious apps sneaking into the Play store, in Google's ongoing battle with Android malware.



Wednesday, 7 June 2017

Be Internet Awesome by google-To protect kids from scams, predators and other trouble online.

Google is spearheading an educational campaign to teach pre-teen children how to protect themselves from scams, predators and other trouble online.
The program, announced Tuesday, is called "Be Internet Awesome" and includes an educational classroom curriculum and a fun, informative video game called Interland. Google coordinated the curriculum with several online safety groups, including the Family Online Safety Institute, the Internet Keep Safe Coalition and Connect Safely.
The lessons are tailored for kids ranging from 8 to 12 years old. The game "Interland" helps teach children about online harassment, reporting inappropriate content, how to spot scams, phishing and more.
Teachers can even use the game in the classroom as part of the classroom curriculum, which includes lesson plans, activities, and key discussion points about digital citizenship, along with short quizzes to measure learning. Even adults need some of these lessons.

What does the educational programme do?

The program educates on topics relevant to all age groups, focusing on the following areas:

Be Internet Smart: Share with care
Be Internet Alert: Don’t fall for fake
Be Internet Strong: Secure your secrets
Be Internet Kind: It's cool to be kind
Be Internet Brave: When in doubt, talk it out


Is this important?

In the past, a UK study published in the Journal of Pediatrics interviewed 515 British adolescents and their parents about internet filters and their success. The study found that teens with filters enabled still had their fair share of bad online experiences, ranging from being contacted by strangers to password/identity theft.
In short, certain internet restrictions are not consistently effective and simply filtering content doesn't always work. Perhaps Google thought instead of continuing to limit usage, it would be better to start educating children at a young age — in a way that interests them — on how to maturely manage and navigate the vast black hole of terrifying and ridiculous content that is the internet.


Wednesday, 31 May 2017

The Judy Malware hits Millions of Android phones, Are you SAFE?

Judy, an auto-clicking adware, has been found in 41 apps from a Korean company. It has been infecting millions of Android smartphones across the world, much as the WannaCry ransomware held computers to ransom.
According to security solutions firm Check Point, the malware, Judy, uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenue for the developers behind these apps.
Unlike other malware it is not stealing your data, but it is controlling the device to carry out fraudulent activities. Judy takes control of infected devices and relies on communication with its command and control (C&C) server for its operation. In addition to the clicking activity, Judy displays a large number of advertisements, which in some cases leave users with no option but to click on the ad itself. Although most of the apps have positive ratings, some users have noticed and reported Judy’s suspicious activity, as seen in the images below:

How long has the Judy malware been on the Google Play Store?

Judy malware has been on the Play Store for a long time, a year to be precise. Check Point found the adware in at least 41 apps, developed by a Korean company, Kiniwini, registered on Google Play as ENISTUDIO corp. The company develops mobile apps for both Android and iOS.
“The malicious apps reached an enormous spread between 4.5 million and 18.5 million downloads,” reads Check Point’s blog post.

(Image: list of malicious apps developed by Kiniwini)

(Image: list of apps developed by other developers)

What is Google doing about the Judy malware? Do these things to protect your Android device and data

Check Point Research made a list of the 41 apps which carry the malware. If you have any of the apps listed above, remove them immediately. Though Google is removing infected apps from the Play Store, it is important that you take other measures to protect your smartphone:
• Use an anti-virus. Though the Google Play Store has a mechanism in place to check for malicious apps, even the search giant sometimes misses malware (as in this case). So it is imperative that you invest in a good anti-virus.
• Keep your device updated. Check that your device has the latest software version as well as the latest security patches.
• On an unsecured network, always browse through a VPN.
• Before downloading an app, check the permissions it asks for. Remember, your privacy is at risk each time you download a new app. If you are not comfortable granting access to things like contacts, camera or microphone, or think the app doesn’t need that access, simply don’t download the app.

Google is removing infected apps from the Play Store, but take measures to protect your smartphone now!



Friday, 26 May 2017

Kodi, VLC and other Media Players Now Prone to Hacking by Subtitles

Media players such as Kodi, PopcornTime, Stremio, and VLC have been found vulnerable to a malicious ‘attack by subtitles’, as reported by Check Point.
According to the researchers, things look pretty severe:
“We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years. (…) Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well”.

While this is a serious breach in itself, what the Check Point announcement really picks up on is how this is an “overlooked” and relatively simple attack. Such attacks usually rely on the user doing something to initiate the malicious code. This attack, however, relies on the code being executed when subtitles accompanying video content are loaded by the media player. The difference is that a user does not need to be tricked into activating a suspicious file or clicking through a link. Brilliant, right?
Simply starting a video that uses subtitles can activate the code. The user’s involvement in this technique is minimal compared to traditional methods. Likewise, even anti-virus and other security software might overlook such files because subtitles are generally regarded as harmless.

What is the root cause?

The attack vector relies heavily on the poor state of security in the way various media players process subtitle files, and on the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. As in other situations involving fragmented software, this results in numerous distinct vulnerabilities.

Damage: By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s device, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.
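The defensive counterpart to the root cause above is a parser that refuses anything outside a narrow grammar. The following is an added example, not code from Check Point or from any of the players named in the post: a strict parser for the SRT format (the simplest of the many subtitle formats mentioned) that enforces size limits, validates every index and timing line, rejects control characters, and strips all markup except plain <i>, <b> and <u>. The limits and the sample subtitle file are constructed for the example.

```python
"""Strict SRT subtitle parser: validate structure and sizes, neutralise markup."""
import re
from dataclasses import dataclass

# Hard limits (constructed for this example) so a crafted file cannot push
# memory use or the downstream renderer beyond what a subtitle ever needs.
MAX_BYTES = 2 * 1024 * 1024
MAX_CUES = 5000
MAX_TEXT_LINES = 8
MAX_LINE_CHARS = 256

TIMING = re.compile(
    r"^(\d{2}):([0-5]\d):([0-5]\d),(\d{3}) --> (\d{2}):([0-5]\d):([0-5]\d),(\d{3})$"
)
TAG = re.compile(r"<[^<>]{0,64}>")            # any angle-bracket tag
ALLOWED_TAG = re.compile(r"^</?(?:i|b|u)>$")  # the only tags passed through
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class SubtitleError(ValueError):
    """Raised for any deviation from the strict SRT grammar."""


@dataclass(frozen=True)
class Cue:
    index: int
    start_ms: int
    end_ms: int
    lines: tuple


def _ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def _clean_line(raw):
    if len(raw) > MAX_LINE_CHARS:
        raise SubtitleError("text line too long")
    if CONTROL.search(raw):
        raise SubtitleError("control character in text")
    # Drop every tag except simple <i>/<b>/<u>; the renderer never sees
    # unknown markup, font directives or anything else hidden in a tag.
    return TAG.sub(lambda m: m.group(0) if ALLOWED_TAG.match(m.group(0)) else "", raw)


def parse_srt(data: bytes):
    """Parse raw SRT bytes into a list of Cue objects or raise SubtitleError."""
    if len(data) > MAX_BYTES:
        raise SubtitleError("file too large")
    try:
        text = data.decode("utf-8-sig")  # tolerate a BOM, nothing else
    except UnicodeDecodeError as exc:
        raise SubtitleError("not valid UTF-8") from exc
    blocks = [b for b in re.split(r"\r?\n\s*\r?\n", text.strip()) if b.strip()]
    if len(blocks) > MAX_CUES:
        raise SubtitleError("too many cues")
    cues, expected = [], 1
    for block in blocks:
        lines = [l.rstrip("\r") for l in block.split("\n")]
        if len(lines) < 3:
            raise SubtitleError(f"cue {expected}: incomplete block")
        if not (lines[0].isascii() and lines[0].isdigit()) or int(lines[0]) != expected:
            raise SubtitleError(f"cue {expected}: bad or out-of-order index")
        m = TIMING.match(lines[1])
        if not m:
            raise SubtitleError(f"cue {expected}: bad timing line")
        start, end = _ms(*m.groups()[:4]), _ms(*m.groups()[4:])
        if end <= start:
            raise SubtitleError(f"cue {expected}: end before start")
        body = lines[2:]
        if len(body) > MAX_TEXT_LINES:
            raise SubtitleError(f"cue {expected}: too many text lines")
        cues.append(Cue(expected, start, end, tuple(_clean_line(l) for l in body)))
        expected += 1
    return cues


def rejects(data: bytes) -> bool:
    """True if the parser refuses the input (convenience for checks)."""
    try:
        parse_srt(data)
    except SubtitleError:
        return True
    return False


# Constructed sample: a benign cue plus one carrying markup that must be stripped.
SAMPLE_SRT = b"""1
00:00:01,000 --> 00:00:03,500
Hello <i>there</i>

2
00:00:04,000 --> 00:00:06,000
<img src="x"><font color="red">Red</font> text
second line
"""

if __name__ == "__main__":
    for cue in parse_srt(SAMPLE_SRT):
        print(cue)
```

The design point is that every field is validated against an explicit grammar before any text reaches a renderer, and the parser fails closed on the first deviation instead of guessing what a malformed file meant; that is the opposite of the permissive, format-juggling parsing the post identifies as the root cause.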

(The original post embedded a video demonstration of the attack.)

Fix: platform updates

PopcornTime – a fixed version was created, but it is not yet available to download from the official website. The fixed version can be manually downloaded via the following link:

Kodi – officially fixed and available to download on their website.

VLC – officially fixed and available to download on their website.

Stremio – officially fixed and available to download on their website.

Saturday, 20 May 2017

Wanakiwi unlocks WannaCry ransomware without ransom payments

Wanakiwi to the rescue! As a follow-up to the recently published post on ransomware: French researchers announced on Friday that they had found a last-resort method for technicians to recover Windows files encrypted by WannaCry, using the Wanakiwi tool, racing against a deadline as the ransomware threatens to start locking up the computers it first infected a week ago.
Wanakiwi works by sniffing out the prime numbers used by the ransomware, in order to reconstruct the key used to encrypt your PC. Once the Wanakiwi tool is run, the software can regenerate the key, and the tool then unlocks the encrypted files.

WannaCry, which started to sweep round the globe last Friday and has infected more than 300,000 computers in 150 nations, threatens to lock out victims who have not paid a sum of $300 to $600 within one week of infection.

A set of security researchers scattered across the globe said they had collaborated to develop a workaround to unlock the encryption key for files hit in the global attack, which several independent security researchers have confirmed.

The researchers cautioned that their solution only works in certain conditions:
• If computers have not been rebooted since becoming infected.
• If victims apply the fix before WannaCry carries out its threat to lock their files permanently.
• It needs to be run as soon as possible, because the prime numbers the ransomware uses may be overwritten over time.
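Why one surviving prime is enough, as an added worked example (not Wanakiwi's own code): the post says the tool recovers the prime numbers the ransomware used and rebuilds the key from them. With RSA, the public modulus n = p·q is known (it is assumed here that the 00000000.pky file listed later on this page holds the victim's public key), so finding either prime in memory gives the other by division, and the private exponent d follows from e and (p-1)(q-1). The key size, the "memory dump" and the wrapped per-file key below are all constructed; textbook RSA without padding is used purely to keep the arithmetic visible.

```python
"""Rebuild an RSA private key from the public key plus one recovered prime."""
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test; adequate for an illustration."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_keypair(bits: int, rng: random.Random):
    """Return (n, e, d, p, q), the shape of a per-victim key a ransomware generates."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi), p, q


def recover_private_exponent(n: int, e: int, candidates):
    """Scan recovered memory words for a factor of n; rebuild d if one is found.

    This is the idea described in the post: the modulus is public, so a single
    prime that survived in process memory is enough to derive the private key.
    """
    for word in candidates:
        if 1 < word < n and n % word == 0:
            p = word
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))
    return None


def demo(seed: int = 7) -> bool:
    """Generate a key, wrap a file key with it, recover d from memory, unwrap."""
    rng = random.Random(seed)
    n, e, d_real, p, _q = make_keypair(512, rng)
    # Constructed: a 128-bit per-file key wrapped with the victim's public key
    # (textbook RSA, no padding, for illustration only).
    file_key = rng.getrandbits(128)
    wrapped = pow(file_key, e, n)
    # Constructed "memory dump": random words with the prime p still present.
    memory = [rng.getrandbits(256) for _ in range(50)]
    memory.insert(rng.randrange(len(memory)), p)
    d = recover_private_exponent(n, e, memory)
    return d is not None and d == d_real and pow(wrapped, d, n) == file_key


if __name__ == "__main__":
    print("recovered and unwrapped:", demo())
```

The conditions the researchers list follow directly from this arithmetic: the prime has to still be sitting in the process's memory, so a reboot or later allocations overwriting that page remove the one value the recovery depends on.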

Europol said on Twitter that its European Cybercrime Centre had tested the team's new tool, and said it was "found to recover data in some circumstances". The group includes Adrien Guinet, who works as a security expert, Matthieu Suiche, an internationally known hacker, and Benjamin Delpy, who helped out by night, in his spare time, outside his day job at the Banque de France. "We knew we must go fast because, as time passes, there is less chance to recover," Delpy said after a second sleepless night of work this week allowed him to release a workable way to decrypt WannaCry at 6 am Paris time (0400 GMT) on Friday.

Delpy calls his free tool for decrypting infected computers without paying ransom "wanakiwi".
Suiche published a blog with technical details summarizing what the group of passing online acquaintances has built and is racing to share with technical staff at organizations infected by WannaCry.
Wanakiwi was quickly tested and shown to work on Windows 7 and the older Windows versions XP and 2003, Suiche said, adding that he believed the hastily developed fix also works with Windows 2008 and Vista, meaning the entire universe of affected PCs. "(The method) should work with any operating system from XP to Win7," Suiche told Reuters via direct message on Twitter.

Delpy added that so far, banking, energy and some government intelligence agencies from several European countries and India had contacted him regarding the fix. As of Wednesday, half of all internet addresses compromised globally by WannaCry were located in China and Russia, with 30 and 20 percent of infections respectively, according to data supplied by threat intelligence firm Kryptos Logic. By contrast, the United States accounts for 7 percent of WannaCry infections while Britain, France and Germany each represent just 2 percent of worldwide attacks, Kryptos said.

Only 309 transactions worth around $94,000 appear to have been paid into WannaCry blackmail accounts by Friday (1345 GMT), 7 days after the attack began.

That's just under one in 1,000 of the estimated victims. This may reflect a variety of factors, security experts say, including scepticism that attackers will honor their promises or the possibility that organizations have back-up storage plans allowing them to recover their data without paying ransom.


Where Can I Download it?

You can download Wanakiwi HERE.

Wednesday, 17 May 2017

Ransomware Spreading Fast, Nigerian Communications Commission (NCC) Warns

Ransomware is a kind of destructive software that blocks access to data until a ransom is paid.

It also displays a message demanding payment to unlock it.

Basic ransomware may lock the system in a way that is easy for a knowledgeable person to reverse. Advanced malware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may additionally encrypt the computer's Master File Table (MFT) or the entire hard drive. Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files, since it is infeasible to decrypt the files without the decryption key. Ransomware attacks are generally carried out using a Trojan that has a payload disguised as a legitimate file.
Ransom: a criminal's way to get paid

Ransomware in numbers:

Every 10 seconds somebody, somewhere in the world, is hit by ransomware.
$1 billion was extorted from ransomware victims in 2016. The threat is growing: in 2015 the total was $50 million. $500 is the average ransom payment, but it can exceed $10,000.
While originally prominent in Russia, the use of ransomware scams has grown worldwide.
Infection with one wrong click.

Ransomware infects a computer and encrypts all the data on its storage drives while spreading to any other vulnerable computers that are connected. How can a computer become infected?
- Links and attachments in spam e-mails. Cybercriminals use clever social engineering techniques to make you click malicious links or attachments included in a spam e-mail.
- Malicious websites. With a "drive-by download," you only need to visit a site or click a banner to download the malicious software to your computer.
- Video games: gamers are targeted with saved-game content and downloadable "extras" that plant the malware on their computer.
Anti-virus software can fail to spot ransomware infections. Cybercriminals often design their malicious code to evade detection by studying known anti-malware products in order to identify weaknesses in the detection technologies or the program design.

Possible fixes
- Heimdal Security
- AVG's ransomware decryption tools
- Trend Micro lock screen ransomware tool
- Avast anti-ransomware tools
- BitDefender anti-ransomware
- Kaspersky anti-ransomware tool

Suspicious filenames to be wary of:
• @[email protected]
• @[email protected]
• @[email protected]
• Please Read Me!.txt (Older variant)
• C:\WINDOWS\tasksche.exe
• C:\WINDOWS\qeriuwjhrf
• 131181494299235.bat
• 176641494574290.bat
• 217201494590800.bat
• [0-9]{15}.bat #regex
• !WannaDecryptor!.exe.lnk
• 00000000.pky
• 00000000.eky
• 00000000.res
• C:\WINDOWS\system32\taskdl.exe
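Turning the list above into a check, as an added example that is not part of the original post: the script below matches a file listing against exactly the indicators given on this page, using the full path where the list gives one, the bare file name otherwise, and the post's [0-9]{15}.bat pattern for the numbered batch files. The sample listing is constructed; in practice the input would be a directory walk or a file-creation log. Matches are evidence to preserve and investigate, not files to delete on sight, since recovery tooling may depend on them.

```python
"""Match a file listing against the WannaCry filename indicators listed above."""
import re

# Indicators taken from the post's list. Path-qualified entries are matched
# on the full path; the rest on the file name alone. All comparisons are
# case-insensitive because Windows paths are.
FULL_PATHS = {
    r"c:\windows\tasksche.exe",
    r"c:\windows\qeriuwjhrf",
    r"c:\windows\system32\taskdl.exe",
}
BASENAMES = {
    "please read me!.txt",
    "!wannadecryptor!.exe.lnk",
    "00000000.pky",
    "00000000.eky",
    "00000000.res",
}
# The post gives the numeric dropper names as a pattern: [0-9]{15}.bat
BASENAME_PATTERNS = [re.compile(r"^[0-9]{15}\.bat$")]


def _normalise(path: str) -> str:
    """Fold slashes and case so forward-slash and mixed-case paths still match."""
    return path.replace("/", "\\").strip().lower()


def classify(path: str):
    """Return a reason string if the path matches an indicator, else None."""
    norm = _normalise(path)
    name = norm.rsplit("\\", 1)[-1]
    if norm in FULL_PATHS:
        return "known WannaCry file at its expected path"
    if name in BASENAMES:
        return "known WannaCry file name"
    for pat in BASENAME_PATTERNS:
        if pat.match(name):
            return "15-digit .bat name matching the post's regex"
    return None


def scan(paths):
    """Return [(path, reason)] for every path that matches an indicator."""
    hits = []
    for path in paths:
        reason = classify(path)
        if reason:
            hits.append((path, reason))
    return hits


# Constructed sample listing mixing indicator names with benign files.
SAMPLE_LISTING = [
    r"C:\Windows\tasksche.exe",
    r"C:\Windows\System32\taskdl.exe",
    r"C:\Users\alice\Documents\Please Read Me!.txt",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\ProgramData\131181494299235.bat",
    r"C:\ProgramData\12345.bat",
    r"C:\Users\alice\Desktop\!WannaDecryptor!.exe.lnk",
    r"C:\Users\alice\Documents\00000000.eky",
    r"C:\Windows\System32\calc.exe",
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```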



The Nigerian Communications Commission (NCC) yesterday alerted all network operators and their customers to the outbreak of ransomware.

“This situation demands that proactive actions be taken by all players in the telecommunication eco-system to avert the hazards of crucial data loss, monetary losses as well as ultimately network/business disruption.”
The Commission advised Nigerians, among other protective steps, to install the software patch released by Microsoft in March 2017 that addresses the ransomware, and to plan scheduled tests of networks and systems to guarantee security and availability at all times.
The Commission urged customers to use their mobile phones in place of computers for Internet access, and to protect themselves and their devices by not opening e-mail attachments or links from unknown sources, not clicking pop-ups and applets on unknown websites, and using effective anti-virus software on their smartphones.
