Malware alert for Android phone users

Internet security company ESET East Africa has issued an alert to mobile phone users running on the Android platform to be wary of alternative app stores’ potential to spread malware, such as screen-locking malware.

According to Teddy Njoroge, Kenya Country Manager for ESET, ransomware is a fast-growing problem for users of mobile devices. “Just like SMS trojans, ransomware threats have evolved over the past few years, with hackers adopting techniques that have proven effective in regular desktop malware to develop lock-screen types and file-encrypting ransomware. These have been causing major financial and data losses for years and have now made their way to the Android platform,” he said.

The alert comes after cybercrime researchers at ESET discovered that www.CepKutusu.com, a Turkish alternative Android app store, was spreading malware under the guise of every Android app offered on the site.

When users browsed the Turkish alternative app store CepKutusu.com and proceeded to download an app, the “Download now” button led to banking malware detected as Android/Spy.Banker.IE instead of the desired app.

After ESET researchers contacted the store’s operator with their discovery of the attack, the store ceased the malicious activity. ESET Android malware researcher Lukas Stefanko said this was an entirely new tactic by cybercriminals.

“This is the first time I’ve seen an entire Android market infected like that. Within the Windows ecosystem and in browsers, this technique is known to have been used for some time, but in the Android ecosystem it’s really a new attack vector,” he said.

Although the misdirection on www.CepKutusu.com redirected every legitimate app download to the banking malware, the crooks behind the campaign added an exception, a tactic commonly used to increase the chances of staying under the radar for longer.

The hackers introduced a seven-day window after each malicious download during which no malware was served: the user was given clean download links, only to be redirected to the malware again once the period lapsed and they tried to download any application from the store.

Although focused on Turkey and parts of Europe, the incident points to hackers’ growing appetite for mobile malware delivered through masking tactics that hoodwink users, which could soon become the biggest cybersecurity problem yet.

To protect yourself, Njoroge advises that you should always download apps from official app stores and practice caution when downloading any content from the internet. Always pay attention to anything suspicious in a file’s name, size and extension.

Lastly, use a reliable mobile security solution to protect you from the latest threats.


ESET research team assists FBI in Windigo case

First detected in 2011, the malware campaign that later became known as Windigo was able to infiltrate around 25,000 servers over a two-year period (2012-2014), with the malicious gang behind it demonstrating a high level of technical expertise. Operation Windigo is a set of Linux server-side malware tools used to redirect web traffic, send spam and host other malicious content.

At the core of Operation Windigo is Linux/Ebury, an OpenSSH backdoor and credential stealer. Using that backdoor, the attackers installed additional malware to perform web traffic redirection (using Linux/Cdorked) and send spam (using Perl/Calfbot or SSH tunnels) and, most importantly, stole credentials whenever the OpenSSH client was used, in order to spread further.

In 2014 ESET published a research report entitled Operation Windigo. This report was awarded the inaugural Péter Szőr Award for best technical research at VB2014 and has also been used by law enforcement to explain exactly what Windigo is to prosecutors, lawyers and judges.

ESET’s collaboration with the FBI

At ESET our job is to protect all internet users, and this task often requires collaboration with others such as law enforcement. In the case of Windigo, we collaborated with the FBI by sharing technical details about the malicious operation and the malware components involved. This cooperation allowed FBI investigators to better understand the various parts of this very complex scheme.

Maxim Senakh sentenced

The following timeline outlines the events leading up to the sentencing of Maxim Senakh:

  • 2015-01-13: Indictment against Maxim Senakh is produced, charging him with 11 counts.
  • 2015-08-08: Maxim Senakh is arrested by Finnish authorities at the Finnish border while returning to Russia after personal travel.
  • 2016-01-05: Finland agrees to the extradition of Senakh.
  • 2016-02-04: Senakh is extradited from Finland to the US, where he pleads not guilty to all charges against him.
  • 2017-03-28: Maxim Senakh enters into a plea agreement with the US Attorney’s Office and pleads guilty to the first count of the indictment, the remaining 10 being dismissed.
  • 2017-08-03: Senakh is sentenced to 46 months in federal prison, without the possibility of parole.

Where are we now?

Not long after Senakh’s arrest in 2015, there was a sharp decrease in the traffic redirected by Cdorked, the component responsible for sending web visitors to exploit kits or unwanted advertisement pages, and this activity has not resumed. The FBI had determined that this malicious activity benefited Senakh directly.

Unfortunately, however, the sentencing of Senakh has not resulted in the complete shutdown of Windigo, as new variants of Win32/Glupteba, a Windows malware with strong ties to Windigo, have been identified.

In addition, the malware component at the core of Windigo has evolved. Development has continued, with changes in the latest versions such as evasion of most of the public indicators of compromise, improved precautions against botnet takeover and a new mechanism to hide the malicious files on the filesystem.

Fake cryptocurrency trading apps

How do fake cryptocurrency trading apps operate?

How to protect yourself?

If you’re a Poloniex user and have installed any of these malicious apps on your device, start by uninstalling them. Make sure to change both your Poloniex and Gmail passwords, and consider enabling two-factor authentication for both services.

Here’s what you can do to avoid falling victim to fraudsters in the future:

  • Be certain that the service you are using actually has its own mobile app; if so, the app should be linked from the service’s official website, and it is safest to follow that link
  • Make sure to actually read app ratings and reviews; other users may have reported issues or warnings
  • Be cautious of third-party apps triggering alerts and windows that appear to be connected to Google; misusing users’ trust in Google is a popular trick among cybercriminals
  • Use two-factor authentication for an additional layer of security
  • Use a reliable mobile security solution; ESET products detect these credential stealers as Android/FakeApp.GV