Protect-Your-PC-From-Viruses

More »

Synchronized Security

Next-gen security with real-time intelligence sharing between your endpoints and firewall. More »

 

Monthly Archives: August 2017

Android Trojan Now Targets Non-Banking Apps that Require Card Payments

The infamous mobile banking trojan that recently added ransomware features to steal sensitive data and lock user files at the same time has now been modified to steal credentials from Uber and other booking apps as well.
Security researchers at Kaspersky Lab have discovered a new variant of the Android banking Trojan called Faketoken that now has capabilities to detect and record an infected device’s calls and display overlays on top of taxi booking apps to steal banking information.
Dubbed Faketoken.q, the new variant of mobile banking trojan is being distributed using bulk SMS messages as their attack vector, prompting users to download an image file that actually downloads the malware.

Malware Spy On Telephonic Conversations

Once downloaded, the malware installs the necessary modules and the main payload, which hides its shortcut icon and begins monitoring everything—from every calls to launched apps—that happens on the infected Android device.When calls are made to or received from certain phone numbers on the victim’s device, the malware begins to record those conversations and sends the recordings to the attacker’s server.
Moreover, Faketoken.q also checks which apps the smartphone owner is using and when detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with a fake user interface.

Malware Exploits Overlay Feature to Steal Credit Card Details

In order to achieve this, the Trojan uses the same standard Android feature that is being employed by a whole bunch of legitimate apps, such as Facebook Messenger, window managers, and other apps, to show screen overlays on top of all other apps.
The fake user interface prompts victims to enter his or her payment card data, including the bank’s verification code, which can later be used by attackers to initiate fraudulent transactions.
Faketoken.q is capable of overlaying a large number of mobile banking apps as well as miscellaneous applications, such as:

  • Android Pay
  • Google Play Store
  • Apps for paying traffic tickets
  • Apps for booking flights and hotel rooms
  • Apps for booking taxis

Since fraudsters require an SMS code sent by the bank to authorise a transaction, the malware steals incoming SMS message codes and forward them to the attackers command-and-control (C&C) server for a successful attack.According to the researchers, Faketoken.q has been designed to target Russian-speaking users, as it uses the Russian language on the user interface.

Ways to Protect Against Such Android Banking Trojans

The easiest way to prevent yourself being a victim of such mobile banking Trojans is to avoid downloading apps via links provided in messages or emails, or any third-party app store.
You can also go to Settings → Security and make sure “Unknown sources” option is turned off in order to block installation of apps from unknown sources.
Most importantly, verify app permissions before installing apps, even if it is downloaded from official Google Play. If you find any app asking more than what it is meant for, just do not install it.
It’s always a good idea to install an antivirus app from a reputed vendor that can detect and block such malware before it can infect your device, and always keep your system and apps up-to-date.

Apple Users, Beware! A Nearly-Undetectable Malware Targeting Mac Computers

Yes, even Mac could also get viruses that could silently spy on its users. So, if you own a Mac and think you are immune to malware, you are wrong.
An unusual piece of malware that can remotely take control of webcams, screen, mouse, keyboards, and install additional malicious software has been infecting hundreds of Mac computers for more than five years—and it was detected just a few months back.
Dubbed FruitFly, the Mac malware was initially detected earlier this year by Malwarebytes researcher Thomas Reed, and Apple quickly released security patches to address the dangerous malware.
Now months later, Patrick Wardle, an ex-NSA hacker and now chief security researcher at security firm Synack, discovered around 400 Mac computers infected with the newer strain of the FruitFly malware (FruitFly 2) in the wild.Wardle believes the number of infected Macs with FruitFly 2 would likely be much higher, as he only had access to some servers used to control FruitFly.
Although it is unknown who is behind FruitFly or how the malware gets into Mac computers, the researchers believe the nasty malware has been active for around ten years, as some of its code dates back to as far as 1998.

“FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years,” Wardle wrote in the abstract of his talk, which he is going to present at the Black Hat later this week.Since the initial infection vector for FruitFly is unclear, like most malware, Fruitfly could likely infect Macs either through an infected website delivering the infection or via phishing emails or a booby-trapped application.
FruitFly is surveillance malware that’s capable of executing shell commands, moving and clicking a mouse cursor, capturing webcam, killing processes, grabbing the system’s uptime, retrieving screen captures, and even alerting the hacker when victims are again active on their Mac.

“The only reason I can think of that this malware has not been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure,” Reed wrote in the January blog post.

“Although there is no evidence at this point linking this malware to a specific group, the fact that it has been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.”

Wardle was able to uncover FruitFly victims after registering a backup command and control (C&C) server that was once used by the attacker. He then noticed around 400 Mac users infected with FruitFly started connecting to that server.
From there, the researcher was also able to see IP addresses of FruitFly infected victims, indicating 90 percent of victims were located in the United States.Wardle was even able to see the name of victims’ Macs as well, making it “really easy to pretty accurately say who is getting infected,” he told Forbes.
But rather than taking over those computers or spying on the victims, Wardle contacted law enforcement and handed over what he found to law enforcement agents, who are now investigating the matter.
Wardle believes surveillance was the primary purpose of FruitFly, though it is yet unclear whether it is government or other hacker groups.

“This did not look like cyber crime type behaviour; there were no ads, no keyloggers, or ransomware,” Wardle said. “Its features had looked like they were actions that would support interactivity—it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events.”

Since the Fruitfly’s code even includes Linux shell commands, the malware would work just fine on Linux operating system. So, it would not come as a surprise if a Linux variant of Fruitfly was in operation.