Trojan subscribers represent a time-honored method of relieving Android users of their hard-earned cash. They infiltrate a smartphone under the guise of useful apps and secretly subscribe to paid services. More often than not, the subscription itself is genuine, only the user most likely does not need the service. The creators of such Trojans make money on commission; that is, they receive a certain percentage of what the user spends. In this case, funds are usually deducted from a cell phone account, although in some schemes they can be debited directly from a bank card. Here are the most notable examples of the mobile Trojan subscribers that Kaspersky experts have observed in the past year.

Paid subscriptions and confirmation codes in text messages

Trojans from the Jocker family usually get distributed through Google Play. Cybercriminals modify genuinely useful apps by adding malicious code to them and uploading them to the store under a different name. These could be, for example, apps for text messaging, monitoring blood pressure, or scanning documents. Google Play moderators try to identify such apps, but new ones pop up faster than they can remove those already found.

[Image: Some of the apps in Google Play that were infected with the Jocker Trojan subscriber]

Now let's look at how Trojan subscribers work. In a normal situation, to subscribe to a service, a user has to go to the content provider's site and click or tap the Subscribe button. To counter automated subscription attempts, service providers ask the user to confirm their intention by entering a code sent in a text. But malware from the Jocker family can bypass this method of protection. After the infected app gets onto the device, in many cases it asks the user for access to text messages. Next, the Trojan opens the subscription page in an invisible window, simulates the tapping of the Subscribe button, steals the confirmation code from the text message, and freely subscribes. In cases where the app functionality does not require access to texts (why give it to a document-scanning app, for example?), Trojan subscribers from the Jocker family request access to notifications. This makes it possible to steal the confirmation code as before, but this time from pop-up notifications about incoming messages.

How Trojan subscribers bypass CAPTCHA

Trojans from the MobOk family are a bit more sophisticated. They not only steal confirmation codes from texts or notifications, but also bypass CAPTCHA — another means of protection against automated subscriptions. To recognize the code in the picture, the Trojan sends it to a special service — last year we investigated the operation of click farms that provide CAPTCHA recognition services. In other respects, it operates similarly to Trojans from the Jocker family. In several cases, MobOk was distributed as the payload of the Triada Trojan, most often through pre-installed apps on some smartphone models, unofficial WhatsApp modifications, or the APKPure alternative app store. Sometimes MobOk-infected apps can be found on Google Play as well.

Trojan subscribers from unofficial sources

Malware from the Vesub family is also distributed through dubious sources under the guise of apps that are banned from official stores for one reason or another — for example, masquerading as apps for downloading content from YouTube or fellow streaming services Tubemate or Vidmate, or as an unofficial Android version of GTA5. In addition, they can appear in these same sources as free versions of popular, expensive apps, such as Minecraft.

[Image: Trojan subscriber Vesub disguised as Tubemate, Vidmate, GTA5, Minecraft or the somewhat mysterious GameBeyond]

Unlike malware from the MobOk and Jocker families, Vesub-infected applications often do nothing useful for the user at all. Immediately after installation, they take out an unsolicited subscription and hide the relevant windows from the user while showing an app loading window on the surface. In some cases there's something useful inside the app infected with MobOk, but these are rare exceptions.

Login by phone number

GriftHorse.ae Trojans are even less fancy. When run for the first time, they ask the user to enter their phone number, seemingly for login purposes. The subscription is issued as soon as the user enters it and taps the Log In button, and the money is debited from their mobile account. This malware usually presents itself as an app for recovering deleted files, editing photos or videos, blinking the flashlight on incoming calls, navigation, document scanning, translation, and so on. In reality the infected apps offer nothing useful at all.

Autopay subscriptions

Despite the similar name, GriftHorse.l subscribers use a different scheme: they employ subscriptions with recurring payments. Formally this happens with the user's direct consent, but victims may not realize they are signing up for regular automatic payments. The second trick is to make the first payment insignificant, with later charges being noticeably more substantial. We've already examined a similar scheme as illustrated by fake sites offering subscriptions to training courses. In this case the mechanics are roughly the same, but implemented inside the app. The Trojan is distributed largely through Google Play, and the money is debited directly from a bank card, with payment information being requested to gain access to the content.

How not to fall victim to scammers

Figuring out how to cancel an unwanted paid subscription can be very tricky. So, as ever, prevention is better than cure. Here's what we recommend to guard against Trojan subscribers:

First of all, do not install apps from unofficial sources. This will greatly improve the security of your device.

Official sources are way better, but unfortunately not 100% safe either. Therefore, before downloading an app from Google Play or another store, be sure to check out the reviews and ratings. Also look at the date when the app appeared on the platform. Stores proactively remove dangerous fakes, so scammers are forever creating new versions of infected apps. So if an app you want showed up in the store only recently, be wary of it.

Give apps minimal access to your device. Before allowing an app to read your texts or notifications, for example, ask yourself if it really needs to.

Install a reliable mobile antivirus — this will protect your phone from all digital nasties, including Trojan subscribers.
Welcome to episode 249 of the Transatlantic Cable. This week, the team look at some of the more interesting stories in the cybersecurity world. To start, Dave and Jeff look at a concerning story regarding REvil – the infamous ransomware gang that was, until recently, thought to be shut down. The story looks at signs that all might not be as it seems and rumblings that the gang may be about to make a return. From there, they discuss a story around a DeFi hack and how the platform, Fei Protocol, is offering a cool $10 million to return the stolen funds. From there, things get decidedly strange – the first story looks at stalking using Apple AirTags – something that's becoming increasingly common. The next story takes a look at recent news that Russia and America are training dolphins for underwater missions (there's a reference to Austin Powers here, I know it), and the final story looks at how hackers could potentially cause harm through the hacking of love robots. Yes, really. If you like what you heard, please do consider subscribing.

REvil ransomware returns: New malware sample confirms gang is back
Rari Fuze hacker offered $10M bounty by Fei Protocol to return $80M loot
Tennessee family visiting Disney World says Apple AirTag used to track them
Russia deploys trained dolphins at Black Sea naval base
Could Hackers Program Sex Robots To Kill?
The modified live streams make the original video smaller and put a frame around it advertising malicious sites that it claims will double the amount of cryptocurrency you send them.
The most serious of these security holes, the internet giant notes in an advisory, is a high-severity issue in Android’s Framework component that could be exploited for privilege escalation.
It forms part of NIST’s response to Executive Order 14028: Improving the Nation’s Cybersecurity, specifically Sections 4(c) and (d), which concern enhancing the security of the software supply chain.
The new Fast IDentity Online (FIDO) sign-in system does away with passwords entirely in favor of displaying a prompt asking a user to unlock the phone when signing in to a website or an application.
Officials said the incident began Monday, and they soon hired an unnamed cybersecurity firm to investigate. The organization also said it had deployed an endpoint detection and response system throughout the network.
Using this technique, attackers inject shellcode directly into Windows event logs. This allows them to use the Windows event logs as a shield to launch trojans in the last stage of the infection chain.
Despite only having been publicly disclosed in December, in less than a month the Log4j vulnerability was the second most exploited vulnerability among the top 10 CVEs of 2021.
A new framework developed and released by several healthcare stakeholder groups takes aim at securing digital health technologies and mobile health apps, the vast majority of which fall outside of HIPAA regulations.
Nigerian Tesla stole more than 800,000 different credentials from about 28,000 victims. This shows how simple yet effective running one of these scam or malware campaigns can be.
If GCP is not configured correctly, it could be exploited by attackers to engage in malicious activity inside a user's cloud environment, according to cloud security company Mitiga.
Officials from the Department of Defense highlighted the importance of having associate contractors secure sensitive data stored on digital networks, stating that the next security frontier hinges on cybersecurity.
Researchers have observed the Nobelium group setting up new infrastructure to perform attacks with old techniques. The group is based in Russia and was behind the infamous SolarWinds attack.
The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices. In total, these two bulletins mention three critical vulnerabilities, two of which only concern Pixel users.
South Korea's intelligence agency said on Thursday that the country has joined a cyber defense group under the North Atlantic Treaty Organization (NATO), becoming its first Asian member country.
A new report by the UK's National Cyber Security Centre (NCSC) has warned of the threats posed by malicious apps. The NCSC's technical director, Ian Levy, said there was "more for app stores to do" on security.
Comae is a UAE-based cybersecurity company that specializes in cloud-based memory analysis used to recover evidence from the volatile memory of devices to aid in incident response.
Red Canary intelligence analysts have discovered a new Windows malware with worm capabilities that spreads using external USB drives. This malware is linked to a cluster of malicious activity that was first observed in September 2021.
Salesforce DevSecOps company AutoRABIT announced on Wednesday that it has raised $26 million in a Series B funding round, which brings the total raised by the firm to more than $50 million.
The site offers “tweaked apps”, apparently available with a single click and requiring “no jailbreak, no root.” There’s an OnlyFans Premium, Netflix Premium, a Pokemon Go Spoofer Injector, and many more.
Russian alcohol producers and distributors are required by law to register their shipments with the EGAIS portal, loosely translated as the “Unified State Automated Alcohol Accounting Information System.”
LockBit 2.0 posted a notice to the dark web portal it uses to identify and extort its victims saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers.
District 70 parents were told that while no child’s Social Security number was impacted by the breach, other data, including name, birth date, school of enrollment, student ID and gender had been compromised.
Tailscale announced that it raised $100 million in a Series B funding round co-led by CRV and Insight Partners, with participation from Accel, Heavybit, and Uncork Capital.
According to Malwarebytes, attackers are luring artists with offers to work on further expansion of the Cyberpunk Ape Executives NFT project and design new sets of characters with offers of up to $350 per day.
Regardless of the script they’re following, scammers will say you’ll receive a link on your phone via SMS. They will then ask you not to click the link but merely take a screenshot and send the image back to them.
Ubuntu Security Notice 5405-1 - It was discovered that jbig2dec incorrectly handled memory when parsing invalid files. An attacker could use this issue to cause jbig2dec to crash, leading to a denial of service. It was discovered that jbig2dec incorrectly handled memory when processing untrusted input. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
Craft CMS version 3.7.36 suffers from a password reset poisoning vulnerability. An unauthenticated attacker who knows valid email addresses or account names of Craft CMS backend users is able to manipulate the password reset functionality in a way that the registered users of the CMS receive password reset emails containing a malicious password reset link.
Ubuntu Security Notice 5259-2 - USN-5259-1 fixed several vulnerabilities in Cron. This update provides the corresponding update for Ubuntu 18.04 LTS. It was discovered that the postinst maintainer script in Cron unsafely handled file permissions during package install or update operations. An attacker could possibly use this issue to perform a privilege escalation attack.
CTBLocker ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products as the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.
Cerber ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products as the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.
LockerGoga ransomware looks for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. Four processes are created. For instance, there is "imtvknqq9737.exe" running under AppData\Local\Temp; the process name is "imtvknqq" plus an appended random number. Our exploit DLL will simply display a Win32 API message box and call exit(). The exploit DLL must export the "InterlockedExchange" function or it fails with an error. We do not need to rely on hash signatures or third-party products as the malware's own flaw will do the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.
Red Hat Security Advisory 2022-1739-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the containers for the release.
Cryptowall ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products; the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.
REvil ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products; the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.
Radamant ransomware tries to load a DLL named "PROPSYS.dll" and execute a hidden PE file "DirectX.exe" from the AppData\Roaming directory. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products as the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.
Cryptolocker ransomware drops a PE file in the AppData\Roaming directory which then tries to load a DLL named "netapi32.dll". Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products as the malware's flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.
Ubuntu Security Notice 5404-1 - Pieter Agten discovered that Rsyslog incorrectly handled certain requests. An attacker could possibly use this issue to cause a crash.
Google has released monthly security patches for Android with fixes for 37 flaws across different components, one of which is a fix for an actively exploited Linux kernel vulnerability that came to light earlier this year. Tracked as CVE-2021-22600 (CVSS score: 7.8), the vulnerability is ranked "High" for severity and could be exploited by a local user to escalate privileges or deny service. The
A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices. "The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (
The China-based threat actor known as Mustang Panda has been observed refining and retooling its tactics and malware to strike entities located in Asia, the European Union, Russia, and the U.S. "Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report detailing
Cybersecurity researchers have discovered a new Windows malware with worm-like capabilities and is propagated by means of removable USB devices. Attributing the malware to a cluster named "Raspberry Robin," Red Canary researchers noted that the worm "leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL." The earliest signs of the activity are said to