Security News

Beware the adware, and more news of the week

Avast Security News Team, 7 June 2019

A sophisticated strain of adware called BeiTaAd lurked in the background of Google Play apps downloaded 440 million times.

Adware on Google Play gets 440M downloads

An array of 238 apps that have been downloaded a collective total of 440 million times were found to contain “heavily obfuscated adware” known as BeiTaAd, reported Dark Reading, citing the recent findings of security intelligence engineer Kristina Balaam. Responding to a user’s report of strange pop-up ads, Balaam’s team found the adware hidden in almost 240 apps available for download from the Google Play store, all published by the same company — CooTek.

While some apps actually do ship with a legal load of adware, the BeiTaAd malware is overly aggressive, rendering the infected device essentially useless. There is no question that the adware was deliberately hidden within the CooTek apps, as it “was renamed, given a different filetype extension, and given AES encryption,” according to the Dark Reading article.

Avast security evangelist Luis Corrons commented, “We are talking here about really advanced adware designed to bypass Google screening systems in place for all apps sold in the official store. On top of having a good antivirus installed on our phones, we have to check that the apps we install really need all the permissions they request.”

Balaam reported the infected apps to Google Play, stating in her blog that as of May 23, they have been either updated to versions without the adware or removed from the online shop completely.

This week’s quote

“This BeiTaAd plugin family provides insight into future development of mobile adware. As official app stores continue to increase restrictions on out-of-app advertisements, we are likely to see other developers employ similar techniques to avoid detection.”

—Researcher Kristina Balaam, on adware launching from an infected  plugin instead
of needing to be installed on the device

Scattered Canary grows into flock of trouble

The Agari Cyber Intelligence Division (ACID), a security group focused on business email compromise (BEC), this week called out cybercrime syndicate Scattered Canary as a lead perpetrator of BEC scams, Bleeping Computer reported yesterday. Starting in 2008 as a one-man operation committing romance scams and check fraud on Craig’s List, Scattered Canary’s founder — a person cybersecurity researchers call “Alpha” — gradually enlarged operations. “Once they had secured enough mules via their romance scams to launder their stolen money, they shifted from targeting individuals to targeting enterprises, and the group’s BEC operation was born,” stated ACID, pointing out that along with its highly profitable business email scams, the crime group is running dozens of other schemes as well including more romance scams, employment scams, Social Security fraud, and tax fraud.

Scattered Canary came under the microscope when it targeted the Agari CFO for wire transfer fraud. ACID began observing the group’s activity, and over the course of two months gathered info on eight of its “mule” money collection accounts. ACID also made note of various tactics, techniques, and procedures used by the cybercriminals, including an index of 26 different phishing email templates, which ACID shared with authorities.

This week’s stat

In its 2018 Internet Crime Report, the FBI revealed that cybercriminals netted $1.2 billion in wire transfer schemes last year.  

Quest data breach puts 12M patients at risk

National medical lab Quest Diagnostics announced this week that a data breach may have compromised the sensitive information of 11.9 million patients. The news broke this week after the company launched an internal investigation in the wake of the discovery by the American Medical Collection Agency (AMCA) that an “unauthorized user” had gained access to confidential records through a vulnerability on the Quest payment page hosted by AMCA. Quest believes financial, medical, and Social Security information are among the breached data.

Quest reported that it is still verifying the information it received from AMCA, and at this time it is not officially stating which information of which individuals were affected. The company is working with a third-party firm to investigate the matter and “to ensure that Quest patients are appropriately notified consistent with the law.” In its public statement, the company added, “We are committed to keeping our patients, health care providers, and all relevant parties informed as we learn more.”

BlackSquid malware attacks 8 different ways

SC Media reported that cybersecurity researchers have identified a new malware armed with a host of older exploits. While fully updated systems should be protected against BlackSquid’s malicious tools, unpatched systems face serious risk. The eight “tentacles” of BlackSquid consist of:

  • EternalBlue Windows SMB protocol exploit
  • DoublePulsar backdoor implant
  • Rejetto HTTP File Server flaw CVE-2014-6287
  • Apache Tomcat vulnerability CVE-2017-12615
  • Windows bug CVE-2017-8464
  • Three ThinkPHP exploits

The malware can also launch brute-force attacks.

Researchers observed BlackSquid in the wild as it was leveraging cryptomining attacks. Looking closer, experts noted that the multifaceted collection of exploits could do major damage to web servers and network drives, as well as removable drives. Its malicious spectrum of abilities includes gaining unauthorized network access, remotely incapacitating a system, escalating privileges, and more.

“This can be a nasty infection if it reaches a business network,” stated Avast researcher Luis Corrons. “It’s common to find computers inside corporations that aren’t fully patched or updated, which makes them easy targets. So if one computer in the network gets infected by BlackSquid, there is a big chance that it could affect a number of other computers and servers in the network, disrupting daily operations.” Users are strongly encouraged to make sure their hardware and software are up to date.

This week’s ‘must-read’ on The Avast Blog

The world of hacking is a morally ambiguous landscape filled with heroes, villains, and many of the world’s teenagers. Avast security expert Jeff Elder looks at the teen hacking trend and what might be guiding the actions of our cyber successors.


Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com. Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.