If you found a USB stick, would you plug it into your laptop to see what’s on it?
Sounds like a risky thing to do, but in a recent experiment in four major U.S. cities, that’s exactly what happened when 200 unbranded USB devices were left in public places. One in five people let their curiosity get the best of them and plugged the flash drive into a device. These “Nosy Nellys” proceeded to open text files, click on unfamiliar web links, or send messages to a listed email address. All potentially risky behaviors!
“These actions may seem innocuous, but each has the potential to open the door to the very real threat of becoming the victim of a hacker or a cybercriminal,” said Todd Thibodeaux, president and CEO of The Computing Technology Industry Association (CompTIA) the trade association that commissioned the experiment.
Every time you plug an unknown flash drive into your computer, you’re taking a risk because a USB drive can spread malware, as well as attract it. Here are some dramatic examples:
Stuxnet and Flame were spread by USB device
The infamous Stuxnet worm and Flame malware, alleged American-Israeli cyber weapons designed to attack and spy on Iran’s nuclear program, relied on USB sticks to disseminate attack code to Windows machines.
As Google Play tightens their security measures on mobile apps, hackers are moving to third party app stores. Fake apps imitating popular apps were found on the Windows Phone Store earlier this week. Now a new batch of infected Android apps imitating the real deal have been found on unofficial third-party Android app stores.
The new malicious adware, dubbed Kemoge, reported Wednesday by security researchers at FireEye, also disguises itself as popular applications. The apps trick the user into installing them through in-app ads and ads promoting the download links via websites. The legitimate appearing apps aggressively display unwanted advertisements which seem annoying, but in the FireEye blog researcher Yulong Zhong writes, ” it soon turns evil.”
The fake apps gain root access and gathers device information such as the phones IMEI, IMSI, and storage information, then sends the data to a remote server.
Infections have been discovered in more than 20 countries, including the United States, China, France, Russia, and the United Kingdom. Because of Chinese characters found in the code, it is believed that the malware was written by Chinese developers or controlled by Chinese hackers. The apps included Talking Tom 3, WiFi Enhancer, Assistive Touch, PinkyGirls, and Sex Cademy.
How to protect your Android device from infection
- Only install apps from trusted stores like Google Play
- Avoid clicking on links from ads, SMS, websites, or emails
- Keep your device and apps up up-to-date
- Install protection that scans apps like Avast Mobile Security
Avast Free Antivirus just received another AV-Test certification for its stellar protection against real-world threats, performance in daily use, and usability.
Yay! It’s like collecting another trophy for the display case or another blue ribbon to hang on the wall, but what does it really mean? How is this type of testing useful for you, our customers?
Ondrej Vlcek, Avast’s Chief Operations Officer explains,
Because of the overwhelming growth of malware targeting consumers and businesses, labs like AV-Test Institute have become an invaluable independent source of data to Avast. Their research has influenced our engineers to expand their knowledge of malware, revolutionize diagnostic and detection methods, and facilitate strategies to get real-time updates to hundreds of millions of people who put their trust in our antivirus products.”
Here’s a little background on the testing lab.
AV-Test Institute is an independent lab designed specifically for testing and researching malware. Located in Magdeburg, Germany, they inhabit 1200m² (12,900 ft²) of space with 3 server rooms and a variety of main and secondary laboratories.
The Avast Sandbox lets you run a questionable program without risking your computer.
The Avast Sandbox is a special security feature which allows you to run potentially suspicious applications automatically in a completely isolated environment. This is particularly useful if you don’t completely trust whatever you just downloaded or you visit dodgy websites because programs running within the sandbox have limited access to your files and system, so there is no risk to your computer or any of your other files.
Here’s how it works: By default, if an application is started and Avast detects anything suspicious, it will automatically run the application in the Sandbox. The advantage of running an application in the Sandbox is that it allows you to check suspicious applications while remaining completely protected against any malicious actions that an infected application might try to perform.
The browser or other application will then open in a special window, indicating that it is being run inside the Sandbox. When the Sandbox is closed, it will be restored to its original state and any downloaded files or changed browser settings will be automatically deleted.
The Avast Sandbox is part of Avast Premier 2015, Avast Internet Security 2015 and Avast Pro Antivirus 2015.
The Tiny Banker Trojan is spread by email attachments.
Tiny Banker aka Tinba Trojan made a name for itself targeting banking customers worldwide. The Avast Virus Lab first analyzed the malware found in the Czech Republic reported in this blog post, Tinybanker Trojan targets banking customers. It didn’t take long for the malware to spread globally attacking customers from various banking behemoths such as Bank of America, Wells Fargo, and RBC Royal Bank, which we wrote about in Tiny Banker Trojan targets customers of major banks worldwide.
This time we will write about a campaign targeting customers of Polish financial institutions. The Trojan is spread by email attachments pretending to be pictures. The examples of email headers are shown in the following image.
In fact, there are executable files in the zip attachments - IMG-0084(JPEG).JPEG.exe, fotka 1.jpeg.exe. The interesting thing is that the binary looks almost like regular WinObj tool from Systernals, however there are differences: The original version of WinObj has a valid digital signature. The malware doesn’t have any.
“Biggest iPhone hack ever” attacks jailbroken phones
In what has been called the biggest iPhone hack ever, 250,000 Apple accounts were hijacked. That’s the bad news.
The good news is that most Apple device users are safe. Why? Because the malware dubbed KeyRaider by researchers at Palo Alto Networks, only infects “jailbroken” iOS devices. (there’s that bad news again)
When you jailbreak a device like an iPhone or iPad, it unlocks the device so you can do more with it like customize the look and ringtones, install apps the Apple normally would not allow, and even switch carriers!
The KeyRaider malware entered the jailbroken iPhones and iPads via Cydia, a compatible but unauthorized app store, which allows people to download apps that didn’t meet Apple’s content guidelines onto their devices. The malware intercepts iTunes traffic on the device to steal data like Apple passwords, usernames, and device GUID (“Globally Unique Identifier” which is your ID number similar to your car’s VIN). Users reported that hackers used their stolen Apple accounts to download applications from the official App Store and make in-app purchases without paying. At least one incident of ransomware was reported.
Chinese iPhone users with jailbroken phones where the primary attack target, but researchers also found incidents in 17 other countries including the United States, France, and Russia.
It is frustrating when your antivirus protection stops you from visiting a website that you know and trust, but these days even the most popular websites can fall prey to attacks.
This week security researchers discovered booby-trapped advertisements on popular websites including eBay, The Drudge Report, weather.com, and AOL. The ads, some of which can be initiated by a drive-by attack without the user’s knowledge or even any action, infected computers with adware or locked them down with ransomware.
Computer users running older browsers or unpatched software are more likely to get infected with malware just by visiting a website. Avast blocks these infected ads, but to be safe, please use the most updated version. To update your Avast, right-click the Avast Antivirus icon in the systems tray at the bottom-right corner of your desktop. From the menu, select Update.
“This kind of malvertising is a fairly easy way for cybercriminals to deliver adware or another malicious payload. Many websites sell advertising space to ad networks then deliver the targeted ads to your screen,” said Avast Virus Lab researcher Honza Zika. “All Avast users with current virus databases are fully protected against this attack, but those without protection or up-to-date security patches run the risk of being infected with ransomware.”
A team of malware authors is playing a cat and mouse game with Google. The game goes like this: they upload their malware, Google Play quickly takes it down, they upload a new mutation and Google takes it down. Current status of the game: the malware is back on Google Play. So far, the malicious apps have infected hundreds of thousands of innocent victims.
In April, we discovered porn clicker malware on Google Play posing as the popular Dubsmash app.
Two days ago, we reported that a mutation of the porn clicker malware, created by a Turkish group of malware authors, made its way back onto Google Play, but have since been removed from the Play Store.
Once the apps were downloaded they did not do anything significant when opened by the user, they just showed a static image. However, once the unsuspecting victim opened his/her browser or other apps, the app began to run in the background and redirect the user to porn sites. Users may not have necessarily understood where these porn redirects were coming from, since it was only possible to stop them from happening once the app was killed. Fellow security researchers at Eset reported that more apps with this mutation were on Google Play earlier this week. Eset also reported that the original form of the malware was uploaded to Google Play multiple times in May. Our findings combined with that from Eset, prove that these malware authors are extremely persistent and determined to make Google Play a permanent residency for their malware.
I’ll be back…
Malware Writers Can’t Keep Their Hands Off Porn
In April, we reported on a porn clicker app that slipped into Google Play posing as the popular Dubsmash app. It seems that this malware has mutated and once again had a short-lived career on Google Play, this time hidden in various “gaming” apps.
For your viewing pleasure
The original form of this porn clicker ran completely hidden in the background, meaning victims did not even notice that anything was happening. This time, however, the authors made the porn a bit more visible to their victims.
The new mutation appeared on Google Play on July 14th and was included in five games, each of which was downloaded by 5,000-10,000 users. Fortunately, Google reacted quickly and has already taken down the games from the Play Store.
Once the app was downloaded, it did not really seem to do anything significant when opened by the user. However, once the unsuspecting victim opened his/her browser or other apps, the app began to run in the background and redirect the user to porn sites. Users may not have necessarily understood where these porn redirects were coming from, since it was only possible to stop them from happening once the app was killed.
Mid January we informed you of a data-stealing piece of Android malware called Fobus. Back then Fobus mainly targeted our users in Eastern Europe and Russia. Now, Fobus is also targeting our users in the USA, United Kingdom, Germany, Spain and other countries around the world.
Fobus can cost its unaware victims a lot of money, because it sends premium SMS, makes calls without the victims’ knowledge and can steal private information. More concerning is that Fobus also includes hidden features that can remove critical device protections. The app tricks users into granting it full control of the device and that is when this nasty piece of malware really begins to do its work. You can find some more technical details and analysis of Fobus in our previous blog post from January.
Today, we decided to look back and check on some of the data we gathered from Fobus during the last six months. We weren’t surprised to find out that this malware family is still active and spreading, infecting unaware visitors of unofficial Android app stores and malicious websites.
The interesting part of this malware is the use of server-side polymorphism, which we suspected was being used back in January but could not confirm. We have now confirmed that server-side polymorphism is being used by analyzing some of the samples in our database. Most of these have not only randomly-generated package names, but it also seems that they have randomly-generated signing certificates.