Backdoor, Banking Trojan, Computer Security, Cryptocurrency hack, Cyber Security News, Malware, Network Security, Ransomware, Security Hacker, spyware, trojan,

A Scary Evolution & Alliance of TrickBot, Emotet and Ryuk Ransomware Attack

Ryuk first appeared in August 2018, and while not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts. According to CrowdStrike analysis from late last week, Grim Spider has […]

The post A Scary Evolution & Alliance of TrickBot, Emotet and Ryuk Ransomware Attack appeared first on GBHackers On Security.

Android, Android Spy app, Android Spyware, Cyber Security News, Google, Google Play Store, Malware, Malware Games, Mobile Attacks, Security Hacker, spyware,

Spyware From Google Play as a Legitimate Android Apps That Infected 196 Country Users

Dangerous spyware apps that posed as legitimate apps were discovered on the Google Play Store; almost 100,000 users from 196 countries downloaded these malicious apps and were affected. Judging by current mobile-based attacks, the Android platform is one of the biggest targets for cybercriminals spying on users and stealing personal information around the globe. There […]

The post Spyware From Google Play as a Legitimate Android Apps That Infected 196 Country Users appeared first on GBHackers On Security.

Android, information stealer, Mobile, Phishing, spyware,

Spyware Disguises as Android Applications on Google Play

by Ecular Xu and Grey Guo

We discovered spyware (detected as ANDROIDOS_MOBSTSPY) that disguised itself as legitimate Android applications to gather information from users. The applications were available for download on Google Play in 2018, with some recorded as having already been downloaded over 100,000 times by users from all over the world.

One of the applications we initially investigated was the game called Flappy Birr Dog, as seen in Figure 1. Other applications included FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher and Flappy Bird. Five out of six of these apps have been suspended from Google Play since February 2018. And as of writing, Google has already removed all of these applications from Google Play.

Figure 1. Flappy Birr Dog download page

Information stealing

MobSTSPY is capable of stealing information such as the user’s location, SMS conversations, call logs and clipboard contents. It uses Firebase Cloud Messaging (FCM) to send information to its server. Once the malicious application is launched, the malware first checks the device’s network availability. It then reads and parses an XML configuration file from its C&C server.

Figure 2. Example of a configuration file being retrieved from a C&C server

The malware then collects certain device information such as the language used, its registered country, package name, device manufacturer, etc. Examples of all the information it steals can be seen in Figure 3.

Figure 3. Example of stolen information

It sends the gathered information to its C&C server, thus registering the device. Once done, the malware waits for and performs commands sent from its C&C server through FCM.

Figure 4. Parsing a command from the C&C server

Depending on the command the malware receives, it can steal SMS conversations, contact lists, files, and call logs, as seen in the commands in the figures below.

Figure 5. Steal SMS conversations

Figure 6. Steal contact list

Figure 7. Steal call logs

The malware is even capable of stealing and uploading files found on the device, and will do so as long as it receives the commands seen in Figures 8 and 9 respectively.

Figure 8. Steal files from target folders

Figure 9. Upload files

Phishing capabilities

In addition to its info-stealing capabilities, the malware can also gather additional credentials through a phishing attack. It’s capable of displaying fake Facebook and Google pop-ups to phish for the user’s account details.

Figure 10. Phishing behavior

If the user enters his/her credentials, the fake pop-up only reports that the log-in was unsuccessful; by that point the malware has already stolen the user’s credentials.

Figure 11. Fake Facebook login pop-up

User distribution

Part of what makes this case interesting is how widely its applications have been distributed. Through our back-end monitoring and deep research, we were able to see the general distribution of affected users and found that they hailed from a total of 196 different countries.

Figure 12. Top countries with the most number of affected users

Other countries affected include Mozambique, Poland, Iran, Vietnam, Algeria, Thailand, Romania, Italy, Morocco, Mexico, Malaysia, Germany, Iraq, South Africa, Sri Lanka, Saudi Arabia, Philippines, Argentina, Cambodia, Belarus, Kazakhstan, Tanzania (United Republic of), Hungary, etc. As the list shows, these applications were widely distributed around the globe.

Trend Micro Solutions

This case demonstrates that, despite the prevalence and usefulness of apps, users must remain cautious when downloading them to their devices. The popularity of apps serves as an incentive for cybercriminals to continue developing campaigns that utilize them to steal information or perform other kinds of attacks. In addition, users can install a comprehensive cybersecurity solution to defend their mobile devices against mobile malware.

Trend Micro Mobile Security detects such attacks, while Trend Micro Mobile Security Personal Edition defends devices from all related threats. Trend Micro™ Mobile Security for Android™ (available on Google Play) blocks malicious apps. End users can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning; it also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.

Indicators of Compromise

SHA256 | Package Name | Label | Download Count
12fe6df56969070fd286b3a8e23418749b94ef47ea63ec420bdff29253a950a3 | ma[.]coderoute[.]hzpermispro | HZPermis Pro Arabe | 50 to 100
72252bd4ecfbd9d701a92a71ff663776f685332a488b41be75b3329b19de66ba | com[.]tassaly[.]flappybird | Flappy Bird | 0
4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838 | com[.]mobistartapp[.]windows7launcher | Win7Launcher | 1,000 to 5,000
38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24 | com[.]mobistartapp[.]win7imulator | Win7imulator | 100,000 to 500,000
0c477d3013ea8301145b38acd1c59969de50b7e2e7fc7c4d37fe0abc3d32d617 | com[.]mobistartapp[.]flashlight | FlashLight | 50 to 100
a645a3f886708e00d48aca7ca6747778c98f81765324322f858fc26271026945 | com[.]tassaly[.]flappybirrdog | Flappy Birr Dog | 10


Command and Control Servers

hxxp://www[.]mobistartapp[.]com
hxxp://www[.]coderoute[.]ma
hxxp://www[.]hizaxytv[.]com
hxxp://www[.]seepano[.]com
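The indicators above can be swept against fleet telemetry. The following is an added example, not Trend Micro's code: it matches the package names, SHA256 hashes and C&C hostnames listed on this page against a constructed device inventory and a constructed DNS log; the row formats of both inputs are assumptions made for the illustration.

```python
# Added example (not Trend Micro code); inventory and DNS log formats are assumptions.
# Package names and SHA256 hashes from the IoC table above, refanged.
IOC_PACKAGES = {
    "ma.coderoute.hzpermispro", "com.tassaly.flappybird",
    "com.mobistartapp.windows7launcher", "com.mobistartapp.win7imulator",
    "com.mobistartapp.flashlight", "com.tassaly.flappybirrdog",
}
IOC_SHA256 = {
    "12fe6df56969070fd286b3a8e23418749b94ef47ea63ec420bdff29253a950a3",
    "72252bd4ecfbd9d701a92a71ff663776f685332a488b41be75b3329b19de66ba",
    "4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838",
    "38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24",
    "0c477d3013ea8301145b38acd1c59969de50b7e2e7fc7c4d37fe0abc3d32d617",
    "a645a3f886708e00d48aca7ca6747778c98f81765324322f858fc26271026945",
}
# C&C hostnames from the list above, refanged.
IOC_C2_HOSTS = {"www.mobistartapp.com", "www.coderoute.ma",
                "www.hizaxytv.com", "www.seepano.com"}

def scan_inventory(lines):
    """Rows 'device_id package_name apk_sha256'; returns (device, pkg, reason)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3: continue  # skip malformed rows, do not abort the sweep
        device, pkg, sha = parts
        if sha.lower() in IOC_SHA256:
            hits.append((device, pkg, "sha256"))
        elif pkg in IOC_PACKAGES:  # listed package name but an unlisted build
            hits.append((device, pkg, "package-name"))
    return hits

def scan_dns_log(lines):
    """Rows 'timestamp device_id queried_name'; returns (device, host)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3: continue
        host = parts[2].lower().rstrip(".")  # normalise case and trailing dot
        if host in IOC_C2_HOSTS:
            hits.append((parts[1], host))
    return hits

SAMPLE_INVENTORY = [  # constructed sample rows, not real telemetry
    "dev01 com.mobistartapp.win7imulator 38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24",
    "dev02 com.example.notes 0000000000000000000000000000000000000000000000000000000000000000",
    "dev03 com.tassaly.flappybird deadbeef",
]
SAMPLE_DNS = ["2018-12-01T10:00:00Z dev01 WWW.mobistartapp.com.",  # constructed
              "2018-12-01T10:00:05Z dev02 play.google.com"]
```

A package-name hit without a hash hit deserves follow-up rather than dismissal, since the same name can ship in a build not yet listed.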

This post appeared first on the Trend Micro Blog
Author: Trend Micro

Backdoor, Computer Security, Cyber Security News, Malware, MS Word Document, spyware, TA505,

TA505 Cyber Threat Actors Installing Remote Monitoring Tool via Weaponized MS Word Document

Cybercriminals from the TA505 group have started a new campaign targeting retail, grocery, and restaurant chains by distributing weaponized MS Word documents. The TA505 group already has a record of running one of the biggest threat campaigns, Dridex, and of widely distributing the Locky ransomware that affected millions of computers around the world. It is currently distributing tens of thousands of messages to various countries […]

The post TA505 Cyber Threat Actors Installing Remote Monitoring Tool via Weaponized MS Word Document appeared first on GBHackers On Security.

Computer Security, Data Breach, Data Protection, hacked, identity theft, Identity Thief, password attack, Phishing, PREVENTION, Security, spyware, threats,

Most Important Steps to Prevent Your Organization From Identity Theft – Detailed Explanation

Identity theft is the deliberate use of another person’s identity; it is a serious crime. An identity thief uses information about someone without their consent. They could use a name and address, credit card or bank account numbers, a Social Security number and much other valuable data. Once identity fraud has happened, it is difficult to recover the […]

The post Most Important Steps to Prevent Your Organization From Identity Theft – Detailed Explanation appeared first on GBHackers On Security.

Advanced Threats, Antivirus, Computer Security, Cyber Security News, Sandbox, Security Hacker, spyware, Windows Defender Antivirus,

Windows Defender Antivirus Now Run Within a Sandbox To Isolate the Advanced Threats

Microsoft has reached a new milestone for its Windows Defender Antivirus: it now runs within a sandbox environment in order to isolate malicious actions and protect the system. Microsoft offers Windows Defender as a built-in antivirus for Windows users to protect them from various cyber threats and critical cyber attacks. This […]

The post Windows Defender Antivirus Now Run Within a Sandbox To Isolate the Advanced Threats appeared first on GBHackers On Security.

.NET Malware, Android Malware, Google Play, GPlayed malware, Malware, Mobile Attacks, spyware,

GPlayed – New Malware Posed as Google Play App to Spy & Steal Data From Your Entire Android Phone

The newly discovered Android-based GPlayed malware poses as a Google Play app with sophisticated features to spy on Android phones and steal sensitive information. GPlayed malware contains various built-in capabilities and closely resembles the Google Play Store app, labelling itself “Google Play Marketplace”. One of its most powerful capabilities is to adapt after deployment […]

The post GPlayed – New Malware Posed as Google Play App to Spy & Steal Data From Your Entire Android Phone appeared first on GBHackers On Security.

Android, Computer Security, ios, Malware, Mobile Attacks, Security Hacker, spyware, ZERO day,

Hackers using Android & iOS Spyware “Pegasus” to Conducting Massive Surveillance Operations in 45 Countries

New research reveals that the Israel-based NSO Group is using the powerful mobile Pegasus spyware to conduct massive surveillance in 45 countries across the globe. NSO Group operates from Israel, where it produces and sells mobile phone spyware named Pegasus to governments and private entities to perform massive surveillance operations in order to gain […]

The post Hackers using Android & iOS Spyware “Pegasus” to Conducting Massive Surveillance Operations in 45 Countries appeared first on GBHackers On Security.

adware, Adware Doctor, Computer Security, ios, Mac Store App, macOS, pyware, Security Hacker, spyware,

Beware !! #1 Adware Removal Mac Store App “Adware Doctor” Spying & Stealing Mac Users Sensitive Data

One of the top paid apps in Apple’s Mac App Store, “Adware Doctor”, spies on Mac users and steals their browsing history from the Safari browser. Apple has always claimed that the safest place to download apps for your Mac is the Mac App Store, but the malicious activity of this very popular paid app leads to […]

The post Beware !! #1 Adware Removal Mac Store App “Adware Doctor” Spying & Stealing Mac Users Sensitive Data appeared first on GBHackers On Security.