We always recommend downloading apps from official stores only, to reduce the likelihood of installing malware. However, unofficial stores not only host malicious apps, but they might not be safe at all. Following a recent investigation, we are sorry to report that APKPure, a popular alternative source of Android apps, was Trojanized and has been distributing other Trojans.

What is APKPure for?

The most official of all Android app stores is, of course, Google Play. But it is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure. Some vendors avoid GMS libraries to stay independent, and because Android is an open operating system, they can. For users, there are both advantages and disadvantages. One prominent disadvantage is a loss of access to Google’s app store, where Android users can download the usual apps. That’s where alternative stores come in, and APKPure is one of them. Distinctively, it hosts only free or shareware apps. Also, the owners stress that the apps in their store have all been scanned by Google and are completely safe; they say their apps are exactly the same as the ones on Google Play.

What happened with APKPure?

The apps in the store may have passed all tests, but the APKPure app itself hasn’t. This incident smacks strongly of the CamScanner episode, in which the app’s developers implemented an advertisement SDK from an unverified source and it turned out to be malicious. That’s also how malware got into APKPure. It looks like APKPure version 3.17.18 was likewise fitted with an advertisement SDK, one with an embedded Trojan dropper, which Kaspersky solutions detect as HEUR:Trojan-Dropper.AndroidOS.Triada.ap. When launched, it unpacks and runs its payload, which is the dangerous part. This component can do several things: show ads on the lock screen, open browser tabs, collect information about the device, and, most unpleasant of all, download other malware.

What can happen to a device with APKPure installed?

Which Trojan gets downloaded (in addition to APKPure’s built-in one) depends on the Android version, as well as on how regularly the smartphone vendor released — and the user installed — security updates. If the user has a relatively recent version of the operating system, meaning Android 8 or higher, which doesn’t hand out root permissions willy-nilly, then the dropper loads additional modules for the Triada Trojan. These modules, among other things, can buy premium subscriptions and download other malware. If the device is older, running Android 6 or 7, and without security updates installed (or in some cases not even released by the vendor), and thus more easily rootable, the downloaded Trojan could be xHelper. Removing this beast is a real challenge; even a factory reset won’t do it. Armed with root access, xHelper lets attackers do almost anything they want on the device.

Is APKPure safe now?

On April 8, we informed APKPure about the issue. On April 9, APKPure representatives replied that they saw the problem and were working on the fix. Shortly after that, a new version (3.17.19) appeared on the APKPure website. According to its description, the update “Fixed a potential security problem, making APKPure safer to use.” We can confirm that the problem has indeed been fixed: APKPure 3.17.19 doesn’t contain the malicious component. It is safe to use.

How to guard against Trojanized APKPure

If you don’t use APKPure, then don’t worry — today’s problem does not concern you. But to avoid similar issues in the future:
- Never download apps from unofficial sources, and block the installation of apps from third-party sources in Android’s settings;
- Use a reliable security solution that automatically scans all new files;
- Regularly update all apps and the operating system.
If you do use APKPure, we additionally recommend that you:
- Update the APKPure app to the version in which the issue is fixed (that is, 3.17.19 or newer);
- Run a full antivirus scan of the device.
Threat actors are leveraging the supply chain to deliver various types of threats to organizations, and few of them are spared from such attacks, according to a new report from Proofpoint.
This scam began with low volumes of email but quickly escalated into volumes of 200,000 emails in a single day. In total, since the scam started, Vade Secure has filtered over 1 million emails.
Wine-themed domain registrations rose once COVID-19 lockdowns took hold, some of them malicious and used in phishing campaigns, Recorded Future and Area 1 Security said in a joint report.
On March 17, a huge cache of the site’s user and administrator data was leaked online to a different underground forum, a new report published Thursday by threat research firm Group-IB shows.
Moodle is an open-source educational platform used by 179,000 sites and has 242 million users. It allows universities to easily distribute content to students and teachers.
Specialty networking solutions provider Belden on Wednesday shared an update on the data breach disclosed in November 2020, and said health-related information was also exposed.
An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems.
SAP and Onapsis jointly released a cyber threat intelligence report providing actionable information on how malicious threat actors are targeting unprotected mission-critical SAP applications.
Microsoft has released an open-source cyberattack simulator that allows security researchers and data scientists to create simulated network environments and see how they fare against AI-controlled cyber agents.
Malicious Android apps disguised as TikTok and offers for free Lenovo laptops are being used in adware attacks underway against devices on the Jio telecom network in India, security researchers warn.
According to a new advisory released by Palo Alto Networks' Unit 42 team, cryptojacking incidents have recently taken place against educational institutions in Washington State.
Verizon reveals that many businesses may have left themselves vulnerable and open to cybercriminals in the rush to ensure their workforce could operate remotely during the pandemic.
The perpetrators are as diverse as their targets – fraudsters looking to steal identities, cybercriminal gangs in pursuit of quick profits, state-backed attackers seeking access to larger networks.
CareFirst BlueCross BlueShield’s Community Health Plan District of Columbia (CHPDC) suffered a data breach carried out by what it described as a “foreign cybercriminal” group in January.
The vulnerability, rated 9.8 in severity out of 10, could allow unauthenticated remote users to hijack targeted equipment and gain elevated privileges within affected systems.
The researchers from Computest demonstrated a three-bug attack chain against Zoom that caused remote code execution on a target machine, and all without any form of user interaction.
The country where emails originate and the number of countries they are routed through on the way to their final destination offer important warning signs of phishing attacks.
The group behind the Maze and Egregor ransomware operations is believed to have earned at least $75 million worth of Bitcoin from ransom payments following intrusions at companies all over the world.
Saint Bot, a previously undocumented malware downloader, has been spotted in the wild since January 2021 in phishing attacks to deploy credential stealers and other malicious payloads.
With multiple adversaries continuing to leverage the pandemic, an interesting technique by cybercriminals has surfaced that uses unique staging and execution mechanisms via a malicious doc.
The new tool helps security teams visualize and analyze data outputs generated using Sparrow, an open-source PowerShell-based tool for detecting potentially compromised applications and accounts.
Disruptive cyberattacks on retailers are becoming more common, and experts have recently noted the use of the double-extortion technique among hackers targeting retail organizations.
The sale of digital art through NFTs has become such a hot trend that scammers have taken notice and are attempting to lure current and prospective traders onto NFT-themed phishing and fraud websites.
Nation-state APTs are actively exploiting known vulnerabilities in the Fortinet FortiOS cybersecurity OS to gain initial access to multiple government, commercial, and technology services.
This Metasploit module exploits an issue in Google Chrome versions before 87.0.4280.88 (64 bit). The exploit makes use of an integer overflow in the SimplifiedLowering phase in turbofan. It is used along with a typer hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1. This is abused to gain arbitrary read/write into the isolate region. Then an ArrayBuffer can be used to achieve absolute arbitrary read/write. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. Because the payload is executed within the sandboxed renderer process, the browser must be run with the --no-sandbox option for the payload to work correctly.
Graudit is a simple script with accompanying signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT, and Flawfinder while keeping the technical requirements to a minimum and being very flexible.
Red Hat Security Advisory 2021-1079-01 - Red Hat Ansible Automation Platform Resource Operator container images with security fixes. Ansible Automation Platform manages Ansible Platform jobs and workflows that can interface with any infrastructure on a Red Hat OpenShift Container Platform cluster, or on a traditional infrastructure that is running off-cluster. Data exposure issues have been addressed.
Red Hat Security Advisory 2021-1145-01 - Nettle is a cryptographic library that is designed to fit easily in almost any context: In crypto toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like LSH or GNUPG, or even in kernel space.
Networking equipment major Cisco Systems has said it does not plan to fix a critical security vulnerability affecting some of its Small Business routers, instead urging users to replace the devices. The bug, tracked as CVE-2021-1459, is rated with a CVSS score of 9.8 out of 10, and affects RV110W VPN firewall and Small Business RV130, RV130W, and RV215W routers, allowing an unauthenticated,
Gigaset has revealed a malware infection discovered in its Android devices was the result of a compromise of a server belonging to an external update service provider. Impacting older smartphone models — GS100, GS160, GS170, GS180, GS270 (plus), and GS370 (plus) series — the malware took the form of multiple unwanted apps that were downloaded and installed through a pre-installed system update
A previously undocumented malware downloader has been spotted in the wild in phishing attacks to deploy credential stealers and other malicious payloads. Dubbed "Saint Bot," the malware is said to have first appeared on the scene in January 2021, with indications that it's under active development. "Saint Bot is a downloader that appeared quite recently, and slowly is getting momentum. It was
For organizations that deal with the defense infrastructure, cybersecurity is more than just a buzzword. Recently the US Department of Defense (DoD) created a new certification process – the Cybersecurity Maturity Model Certification (CMMC) – to ensure that all its vendors and contractors follow established best cybersecurity practices. For organizations that work along the DoD supply chain, this