The Tinba Trojan aka Tiny Banker targeted Czech bank customers this summer; now it’s gone global.
After an analysis of a payload distributed by Rig Exploit kit, the AVAST Virus Lab identified a payload as Tinba Banker. This Trojan targets a large scope of banks like Bank of America, ING Direct, and HSBC.
Compared with the variant described in our previous blog post, Tinybanker Trojan targets banking customers, this one has some differences, which we describe below.
How does Tiny Banker work?
- 1. The user visits a website infected with the Rig Exploit kit (Flash or Silverlight exploit).
- 2. If the user’s system is vulnerable, the exploit executes malicious code that downloads and executes the malware payload, the Tinba Trojan.
- 3. When the computer is infected and the user tries to log in to one of the targeted banks, webinjects come into effect and the victim is asked to fill out a form with his/her personal data.
- 4. If he/she confirms the form, the data is sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name”, which is often used as a security question to reset a password.
avast! Mobile Security protects from an Android flaw which leaves nearly all new smartphones and tablets vulnerable to attack.
Last week, a wave of articles about a newly discovered Android security flaw flooded the Internet. They sounded a warning, similar to this:
“A flaw in the Android operating system may leave many Android phones and tablets vulnerable to attack, including the Samsung Galaxy S5 and Google’s own Nexus 5,” reported Jill Scharr in a Tom’s Guide article.
Our Virus Lab did not waste time and started preparing for the inevitable attacks. AVAST researchers dug into the subject looking for malware to make sure that avast! Mobile Security is ready to protect our users. If you are an avast! user and your tablet or smartphone is protected by avast! Mobile Security, you are protected.
“Even though TowelRoot is not malicious itself, it may be misused as an exploit kit. Generally, TowelRoot can be used as a delivery package for malicious applications,” explained Filip Chytry, an AVAST Virus Lab expert on mobile malware. “It’s capable of misusing a mistake in Android code which allows attackers to get full control over your Android device. TowelRoot itself is more a proof-of-concept, but in the hands of bad guys, it can be misused really quickly. For this reason we added it to our virus signatures, so Avast detects it as Android:TowelExploit.”
Android has not made an official statement on the security flaw; however, our researchers confirm that even the latest versions of the operating system are exposed (version 4 and higher). It is very likely that version 3.0 can be attacked, too. For those who just purchased an Android device or don’t have protection yet, we strongly recommend that you install avast! Mobile Security before taking any further actions. Although some mobile providers claim that their devices are immune to this particular Android exploit, it is highly risky to leave your device unprotected.
What is the TowelRoot Android vulnerability?
Earlier this month a security flaw in Linux, the operating system which Android is based upon, was discovered by a young hacker known as “Pinkie Pie.” Soon afterwards, a gifted teenager, notable as the first to unlock the unlockable, an iPhone, at the age of 17, prepared a tool kit for potential hackers. Its instructions are available publicly to “purchase,” allowing even less advanced programmers to write a script that will use the exploit.
The potential exists for hackers to take full control; to simply root your device. So far the AVAST Virus Lab has not observed any massive attack, however knowing about the potential risk, our Virus Lab is ready for the attack. avast! Mobile Security is capable of discovering different variations of malware code required to exploit the bug.
Who is exposed and how to protect yourself?
Basically everyone who owns an Android device (tablet or mobile phone) without proper antivirus protection, running any version of Android OS, including the newest one, is at risk from this malware.
In order to prevent this exploit, or any other malware attack, we advise installing antivirus first, as soon as you purchase your device, before installing any apps, importing contacts, or starting to browse online. Our avast! Free Mobile Security, as well as its Premium version, are available to download and install from Google Play.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
A major Apple security flaw allows cybercrooks and spies to grab personal information like email, credit card numbers, and other sensitive data. Apple confirmed researchers’ findings that the same SSL/TLS security flaw fixed with the latest iOS 7.0.2 update is also present in notebook and desktop machines running OS X.
Please apply the patches as advised in this post.
It is clear that we need constant protection to cover flaws that will always exist; flaws that we are not even aware of. Reuters reported that
The bug has been present for months, according to researchers who tested earlier versions of Apple’s software. No one had publicly reported it before, which means that any knowledge of it was tightly held and that there is a chance it hadn’t been used.
But documents leaked by former U.S. intelligence contractor Edward Snowden showed agents boasting that they could break into any iPhone, and that hadn’t been public knowledge either.
It’s very public now, and that means the race is on between cybercrooks to exploit the flaw and Apple to fix it. You are exposed until the bugs are identified by the vendor, a patch is created, and it’s pushed out or you install it. Your vulnerability increases when you use public WiFi Hotspots.
Your best protection is constant protection
It’s precisely because we put ourselves at risk by using free WiFi, and we don’t know when the next security crisis is coming, that we need constant protection. SecureLine VPN is that protection.
A serious new vulnerability notice about Java exploits has been issued by the Department of Homeland Security’s Cybersecurity Division. Java 7 Update 10 and earlier contain a vulnerability that can allow a remote attacker to execute malware on vulnerable systems.
A French researcher known as Kafeine discovered that a number of websites using the exploit are able to download files directly to the victim’s computer and execute actions such as installing ransomware. “Hundreds of thousands of hits daily where I found it,” he wrote on his blog. “This could be a mayhem.”
Disable Java in web browsers
Some webpages may include content or apps that use the Java plug-in. There is no fix for this yet, so it is recommended that you protect yourself by disabling Java in your particular browser. Please see our previous blog How do I disable Java in my browser for instructions.
For a higher level of security, it is possible to entirely prevent any Java apps from running in a browser by de-selecting “Enable Java content in the browser” in the Java Control Panel under the Security tab. Disabling Java through the Java Control Panel will disable Java in all browsers.
Last month we wrote about a flaw in Microsoft’s Internet Explorer that could allow cybercrooks to take control of a Windows-based computer if the user browses to a malicious website. The website making news for that attack was the US-based think tank, the Council on Foreign Relations (CFR). Avast Virus Lab has since discovered that two Chinese human rights sites, a Hong Kong newspaper site, a Russian science site, and, weirdly, a Baptist website (see the recent tweet) are also infected with the same Flash-based exploit for IE8.
You can imagine the interesting audience that frequents sites such as these. The CFR, for example, attracts high ranking government officials including former presidents and secretaries of state, ambassadors, journalists, and leaders of industry. These sites were chosen on purpose; instead of targeting the general masses, like in a phishing attack, the perpetrators of a so-called “watering hole attack” target specific topics like defense or energy and lie in wait for persons of interest to visit, similar to a predator at a watering hole waiting for its victims to come to it.
Researchers have determined that an attack which can wipe data from Samsung Android devices when visiting a malicious website can also be used to lock the SIM cards or completely wipe all of the data from many other Android phones. In addition to web pages, the attack can be triggered through SMS, or by a rogue NFC tag or QR code.
Mobile geek Dylan Reeve explains how the attack works. Computerworld summarizes it like this, “The attack can be launched from a Web page by loading a “tel:” URI (uniform resource identifier) with a special factory reset code inside an iframe. If the page is visited from a vulnerable device, the dialer application automatically executes the code and performs a factory reset.”
Check if your smartphone is vulnerable
Here is a way for you to check if your phone is vulnerable to this remote wipe threat: Visit http://dylanreeve.com/phone.php on your Android device, and if your phone is vulnerable, you’ll immediately see your phone’s IMEI number pop up. I checked my HTC Google Nexus One this way, and it came back as being vulnerable. Other phones reported to be affected include the HTC One X, Motorola Defy, Sony Xperia Active, Sony Xperia Arc S, and the HTC Desire. Reeve says that Samsung fixed the USSD/MMI code execution issue for Galaxy S III devices, and it appears that all 4.1-based builds are safe, and some 4.0.4 builds as well.
Currently avast! Mobile Security is actively blocking URLs containing malicious code that triggers the exploit. Our Android users can expect an update containing protection against this kind of attack soon. We’ll let you know when that is released.
Edit: We are pleased to confirm that the newest update of avast! Free Mobile Security protects against USSD attacks, without installing additional tools. All you need to do is to accept the program update offered by avast! on your smartphone. Please share this message with your friends who are Android smartphone owners. They might need avast! Mobile Security too. Thank you.
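The blocking described above works on the same principle as scanning a page for the URIs that trigger the dialer. As an added illustration (this is not Avast’s code and not part of the original post), the following Python script parses an HTML page, collects every `tel:` URI that a browser could navigate to, and flags those whose dial string is an MMI/USSD-style code rather than a phone number, marking whether the code would be dialed automatically (iframe/frame/meta refresh) or only after a click. The sample page, the `*1234*5678#` and `*#99#99#` codes are constructed for this example; `*#06#` is the well-known harmless IMEI display code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Dial strings the dialer treats as MMI/USSD codes rather than phone numbers:
# digits, '*' and '#' only, starting with '*' or '#' and ending with '#'.
MMI_CODE = re.compile(r"^[*#][0-9*#]*#$")

# Attributes whose URI a browser may navigate to. A frame src or a meta refresh
# is loaded without any user interaction, which is what makes the attack work.
URL_ATTRS = {"src", "href", "action", "data"}
AUTO_LOAD_TAGS = {"iframe", "frame", "embed", "object", "meta-refresh"}


class TelUriCollector(HTMLParser):
    """Collect (tag, uri) pairs for every tel: URI referenced by the page."""

    def __init__(self):
        super().__init__()
        self.tel_uris = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if not value:
                continue
            if attr in URL_ATTRS and value.strip().lower().startswith("tel:"):
                self.tel_uris.append((tag, value.strip()))
            # <meta http-equiv="refresh" content="0;url=tel:..."> also navigates
            if tag == "meta" and attr == "content":
                m = re.search(r"url\s*=\s*(tel:\S+)", value, re.IGNORECASE)
                if m:
                    self.tel_uris.append(("meta-refresh", m.group(1)))


def dial_string(tel_uri):
    """Return the dial string of a tel: URI, percent-decoded and without parameters."""
    number = unquote(tel_uri[len("tel:"):])
    # tel: parameters (RFC 3966) follow ';'; some pages append '?'. Neither is dialed.
    return re.split(r"[;?]", number, maxsplit=1)[0]


def scan_html(html):
    """Return a finding for every tel: URI whose dial string is an MMI/USSD-style code."""
    collector = TelUriCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, uri in collector.tel_uris:
        code = dial_string(uri)
        if MMI_CODE.match(code):
            findings.append({
                "tag": tag,
                "uri": uri,
                "code": code,
                # True when the code is dialed just by loading the page
                "auto": tag in AUTO_LOAD_TAGS,
            })
    return findings


# Constructed sample page: one legitimate phone link, one IMEI display link,
# one hidden auto-loading iframe and one meta refresh with made-up codes.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=tel:*%2399%2399%23">
</head><body>
<p>Call us: <a href="tel:+1-555-0100">+1 555 0100</a></p>
<a href="tel:*%2306%23">Show IMEI</a>
<iframe src="tel:*1234*5678%23;phone-context=x" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        verdict = "auto-dial" if f["auto"] else "needs click"
        print(f"{f['tag']:<12} {verdict:<11} {f['uri']!r} -> {f['code']}")
```

A plain phone number such as `tel:+1-555-0100` is not reported, while the percent-encoded `#` characters that a page would use to hide the code from a casual reader are decoded before matching; the `auto` flag separates the dangerous zero-click cases from links that still require a tap.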
It is not only users visiting high-risk sites who need avast! protection. Visitors of the well-known site samsungimaging.net (the Samsung SMART CAMERA blog), for example, were able to see that avast! protected them from a threat.
Yesterday, AVAST began detecting malicious Java content on this site.
Thanks for reading the avast! blog. As Jiri Sejtko described in our blog today, serious security flaws in Java version 7 allow hackers to take control of PCs and Macs. The Avast Virus Lab is releasing generic detections and using behavioral and dynamic detection mechanisms to protect our users; however, they also recommend that you disable Java in your browsers. The Virus Lab explains the exploit in detail on our blog, and here are instructions on how to unplug Java from different browsers.
For Windows: go to Start > Control Panel, click the Uninstall a program link. Find Java on the list of programs. If you have version 7, uninstall it.
For Mozilla Firefox: From the main menu select Tools > Add-ons. In the Add-on management window, choose Plugins. Find any plugins on the list that say Java and click the Disable button. Restart Firefox.
For Google Chrome: Type “chrome://plugins/” (minus the quotes) into the browser address bar. Find any plugins on the list that say Java and click the Disable button.
For Internet Explorer: I have been told that disabling Java in IE is complicated. The U.S. Computer Emergency Response Team (USCERT) has some steps here. This may be a good time to switch to a different browser.
For Safari: Click Preferences > Security tab > uncheck the Enable Java option.
For Opera: Type “opera:plugins” (minus the quotes) into the browser’s address bar. Find any plugins on the list that say Java and click the Disable button.
For OS X 10.7 and 10.8: go to Macintosh HD/Library/Java/JavaVirtualMachines/ and remove the 1.7.0.jdk file. Older versions of OS X run Java 6.
Also, make sure that you have up-to-date avast! antivirus protection, because avast! detects the latest Java zero-day exploit in real time as Java:Dong-A [Expl]. We would appreciate your recommendation as well. We make it easy to share with your Facebook friends via our Recommend avast! app. Thank you!
Edit: added Opera instructions
New vulnerabilities in Oracle’s Java Runtime Environment (JRE) have recently been discovered in the wild (the first vulnerability was originally reported by FireEye, the second described by Esteban Guillardoy). The vulnerabilities target the newest version of JRE (1.7), and even with the latest update (JRE 1.7 update 6) your machine is in danger and easily exploitable. According to Oracle’s patching cycle, the patch is out of sight. So scary, and Java again! But it is even worse!
The most successful exploit kit has quickly adopted these bugs, as Brian Krebs predicted earlier. So, all the current Blackhole campaigns use these exploits in order to infect victims. In addition, the exploitation is confirmed to work using Internet Explorer, Firefox, Opera, Google Chrome and also Safari on multiple platforms including Windows, Linux and MacOS.
Do you really think this can’t be worse? Oracle has known about these (and also other) vulnerabilities since April, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.
Ms. Meyer’s official website (www.stepheniemeyer.com) has fallen victim to a sinister force known as the CRiMEPACK exploit pack. CRiMEPACK is designed to take advantage of a number of vulnerabilities in applications installed on the visitor’s system. When it finds an opening, it delivers malicious code that converts the system into a zombie, which becomes part of a network of criminal activity.
So steer clear of her website for now, until some zombie killers arrive on the scene.
Here is an image of the highlighted redirector code injected into the landing page.