ICE under fire, SimBad the epic malware, and more weekly news

The ACLU accuses ICE of skirting the law, over 200 malware-infected Android apps are discovered, a bank bot gets a major evil upgrade, and more.

ICE skates around privacy

The American Civil Liberties Union (ACLU) voiced grave concerns this week over the recent revelation that US Immigration and Customs Enforcement (ICE) holds a $6.1M contract with Vigilant Solutions, an automatic licence plate reader (ALPR) company. The contract grants ICE access to over 5 billion location records, which include coordinates, time, and date. ALPRs store data for years, making it possible to map out the travel patterns of any and all cars photographed by the machines, and Vigilant Solutions collects ALPR data from the 50 most populated areas of the country. ICE has also been accessing a pool of 1.5 billion records of ALPR data held by local governments.

The ACLU argues that local governments, when handing over the ALPR data to ICE, are sometimes breaking privacy laws and sometimes breaking sanctuary city laws. The organization is calling for an immediate end to the data sharing.

SimBad the malware and Operation Sheep

Cybersecurity researchers this week have identified two large-scale malware campaigns targeting Android devices through infected apps. Already boasting more than 250 million downloads in total, more than 220 malicious Android apps were exposed in the discovery.

SimBad is the first campaign, and it comprises 210 of those apps, which had somehow outsmarted Google’s vetting process and were selling in the official Google Play store. The name “SimBad” derives from the fact that most of the apps are simulator games. Together, they had been downloaded almost 150 million times. The SimBad campaign uses multiple strategies on the user — adware, phishing techniques, and cross-app exposure. Google Play has removed all 210.

Operation Sheep is the second campaign, and it was found in only 12 apps, all distributed through Chinese third-party app stores. Together, the 12 apps have been downloaded more than 111 million times. Operation Sheep’s sole purpose is to steal contact data from the devices. The infected apps can still be found on some third-party app stores.

“Third-party app stores usually are plagued with malicious apps,” corroborates Avast security expert Luis Corrons. “Unlike official stores, there are not exhaustive security controls. It is really common to find malware in them, and I would avoid them at all costs. At the very least, nobody should install anything from a third-party store without first having a proper antivirus solution in place, protecting their device.”

Ursnif, the bank Trojan evolved

Like something out of a comic book, the bad guy bank bot Ursnif, which first showed up on the scene to steal data in 2007, has now re-emerged, tricked out with the latest tech and some disturbing state-of-the-art features. One of these features is being called “last minute persistence,” and it is a sneaky way of installing the malware payload in the manner least likely to be detected, using the moments right before the machine shuts down and right when the machine turns on to execute its commands. Another Ursnif upgrade is its sophisticated dropping process, which uses phishing techniques to coax user involvement in the least suspicious way possible, and then uses another, lesser bank bot as the shell in which Ursnif hides until it’s safe to come out. If the malware senses it is in a sandbox or other environment where it can be studied, Ursnif will not be deployed. The advanced bot can steal more than bank info: it can also access certain emails and browsers and can reach its virtual fingers into cryptocurrency wallets. To date, the attacks have only been in Japan.

“These hiding techniques being used to bypass security solutions are very creative and could be effective against those who do not have advanced security layers, such as behavior shields,” notes Luis Corrons. “However, this attack also illustrates that the weakest link in the chain is the user. At the end of the day, to get this nasty malware into our computer, we first need to open a malicious email, then open the attached Word document in it, and then enable macros in order to have the malicious payload started. The lesson is to avoid attachments and never click on links in emails where we do not know the sender. And even if we make the mistake of opening the document, simply not activating macros from the document will save us.”

Think outside the Box link

Testing the security of popular file-sharing service Box, researchers discovered that files some users share with a link can be found online, or the link can even be guessed. Box is an internationally used service that, like Google Drive, lets users share files too large to email or share a common repository of documents. The Achilles’ heel of the system is the link users email to each other to share files. The same link may get shared with several users, find its way into other documents, and then become discoverable online by deliberate searchers. But it’s that same convenience of the Box link that attracts millions of users. Companies are advised to employ vigilant data control over their file-sharing protocol.

RaaS buries a few surprises

Just days after we reported on Jokeroo, a new, members-only Ransomware-as-a-Service, a new RaaS-of-the-week steps forward. This one’s called Yatron, and while it follows Jokeroo’s “premium membership” model of paying a high initial price for the malware in exchange for not owing a percentage, it does have its own unique supervillain powers. For one thing, it contains code that uses EternalBlue and DoublePulsar to compromise unpatched Windows machines. It also counts down from 72 hours, threatening that the files will be deleted if the ransom is not paid before the clock gets to zero. In another move following Jokeroo’s model, Yatron is advertising itself on Twitter, trying to generate business.

