android - X-Industry - Red Sky Alliance2024-03-28T15:52:18Zhttps://redskyalliance.org/xindustry/feed/tag/androidMy Credentials Runneth Overhttps://redskyalliance.org/xindustry/my-credentials-runneth-over2023-12-18T20:32:20.000Z2023-12-18T20:32:20.000ZJD Thomasonhttps://redskyalliance.org/members/JDThomason<div><p><a href="{{#staticFileLink}}12328516473,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12328516473,RESIZE_400x{{/staticFileLink}}" width="250" alt="12328516473?profile=RESIZE_400x" /></a>At its most basic, the term “autofill” refers to a feature, or set of features, that lets users insert previously entered information into forms and web pages. Depending on the application, the data can range from low-sensitivity items such as names and addresses up to information that needs real protection, such as credit card numbers and username/password pairs.</p>
<p>On Android, an application often displays a login form inside a WebView, a component that renders web content within the app itself rather than handing the user off to a separate browser. Two common cases are a link opened from an email and a “Login with…” flow for a third-party identity provider. In both, the web content is shown to the user without switching applications.</p>
<p>An autofill framework has been part of Android since version 8.0. It has three components: the Android system itself, which defines the workflow and provides the plumbing that lets clients and services work together; autofill services, such as password managers, which store the data and decide what to fill; and autofill clients, the apps whose views need to be filled.</p>
<p>Before getting to the problem at hand, it is worth noting that researchers had already flagged autofill on mobile devices as risky. In a 2021 evaluation of mobile password managers, researchers at the University of Tennessee found that many managers did not establish a secure credential-to-destination mapping. In plain terms, the manager did not reliably verify that the app or web page receiving a credential was the one the credential belonged to, so a credential could be handed to a different app or page than the user intended.</p>
<p>The AutoSpill attack was presented by a team of researchers at the recent Black Hat Europe conference. It targets credentials at the moment they are autofilled. When a password manager fills a login form rendered inside a WebView, the credentials are supplied both to the WebView component that displays the form and to the native client app that requested the fill, so the host app can read them. Exploiting this requires a purpose-built malicious app that embeds a WebView showing a legitimate login page. JavaScript injection into the WebView can also be used to copy credentials out of the form, but JavaScript-based credential theft predates AutoSpill and is not specific to it.</p>
<p>As hinted above, AutoSpill stems from a lack of clearly defined responsibility for credential handling between the autofill framework, clients, and services: none of the three reliably checks that the host app is entitled to the credential being filled into its WebView. Under the right circumstances, then, credentials can be leaked to or intercepted by a rogue app.</p>
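<p>To make the credential-to-destination mapping concrete, here is an added illustration of the decision an autofill service makes when it receives a fill request. It is not code from the AutoSpill researchers or from any password manager. The request and credential types are simplified stand-ins for the framework's FillRequest and AssistStructure, and the linked-package sets, the browser allowlist and the package names are assumptions constructed for the example. <code>naive_pick</code> fills a WebView field on the page's domain alone, which is the behavior that lets a rogue host app receive the fill; <code>strict_pick</code> additionally requires the host app to be verified for that domain or to be a known browser.</p>

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical stand-ins for what an autofill service sees in a FillRequest.
# Simplified for this illustration; not the Android API types.
@dataclass(frozen=True)
class FillRequest:
    host_package: str          # package of the client app whose window is being filled
    web_domain: Optional[str]  # domain reported for a WebView form field; None for a native field


@dataclass(frozen=True)
class Credential:
    domain: str                # site the credential belongs to
    username: str
    password: str
    linked_packages: frozenset # packages verified to own `domain` (e.g. via Digital Asset Links)


# Hosts entitled to show any domain inside a WebView. Constructed allowlist for the example.
BROWSER_PACKAGES = frozenset({"com.android.chrome", "org.mozilla.firefox"})


def domain_matches(page_host: str, cred_domain: str) -> bool:
    """Label-aligned suffix match: login.example.com matches example.com,
    while evil-example.com and example.com.attacker.net do not."""
    return page_host == cred_domain or page_host.endswith("." + cred_domain)


def naive_pick(req: FillRequest, vault: Iterable[Credential]) -> Optional[Credential]:
    """Destination check as AutoSpill found it in several managers: a WebView
    field is matched on the page's domain alone, so whoever hosts the WebView,
    including a rogue app that loads the genuine login page, receives the fill."""
    if req.web_domain is None:
        return next((c for c in vault if req.host_package in c.linked_packages), None)
    return next((c for c in vault if domain_matches(req.web_domain, c.domain)), None)


def strict_pick(req: FillRequest, vault: Iterable[Credential]) -> Optional[Credential]:
    """Credential-to-destination mapping: a WebView field is filled only when
    the host app is verified for the page's domain or is a known browser.
    A domain match with an unentitled host is refused rather than filled."""
    if req.web_domain is None:
        return next((c for c in vault if req.host_package in c.linked_packages), None)
    for cred in vault:
        if not domain_matches(req.web_domain, cred.domain):
            continue
        if req.host_package in cred.linked_packages or req.host_package in BROWSER_PACKAGES:
            return cred
    return None


# Constructed vault and fill requests for the demonstration.
VAULT = (Credential("example.com", "alice", "hunter2", frozenset({"com.example.app"})),)
REQUESTS = {
    "legit_app": FillRequest("com.example.app", "login.example.com"),
    "rogue_app": FillRequest("com.rogue.helper", "login.example.com"),  # real page, wrong host
    "browser":   FillRequest("com.android.chrome", "login.example.com"),
    "lookalike": FillRequest("com.example.app", "example.com.attacker.net"),
    "native":    FillRequest("com.example.app", None),
}


def outcomes() -> dict:
    """Per request name: (naive policy fills?, strict policy fills?)."""
    return {
        name: (naive_pick(r, VAULT) is not None, strict_pick(r, VAULT) is not None)
        for name, r in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (naive, strict) in outcomes().items():
        print(f"{name:10s} naive={naive!s:5s} strict={strict}")
```

<p>The two policies differ only on the <code>rogue_app</code> case, which is exactly the AutoSpill scenario: the page is genuine, the host is not. A real service would take the host package from the AssistStructure and the domain from the WebView node (<code>ViewNode.getWebDomain()</code>), and would verify the package-to-domain link against the site's published Digital Asset Links rather than a hard-coded set.</p>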
<p><a href="{{#staticFileLink}}12328515699,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12328515699,RESIZE_584x{{/staticFileLink}}" width="550" alt="12328515699?profile=RESIZE_584x" /></a></p>
<p style="text-align:center;">(Source: Black Hat)</p>
<p>The seriousness of AutoSpill has been questioned: some argue that exploiting it is considerably harder than the initial reporting suggests, and others describe it less as an attack than as a set of unsafe default behaviors in the Android autofill system. While novel and interesting, AutoSpill is only a problem in particular scenarios. The most straightforward path requires an untrusted app on the device, which must either slip past Google's malware scanning or be sideloaded manually by the user.</p>
<p>The researchers tested many of the password managers available on Android; all are listed in the table below. Google's password manager and Dashlane use a different fill approach from the one AutoSpill relies on and did not leak credentials without JavaScript injection. The remaining managers leaked credentials to varying degrees under the test conditions.</p>
<p><a href="{{#staticFileLink}}12328515482,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12328515482,RESIZE_584x{{/staticFileLink}}" width="550" alt="12328515482?profile=RESIZE_584x" /></a></p>
<p style="text-align:center;">(Source: Black Hat)</p>
<p>JavaScript injection improves the odds of stealing credentials, but as noted above, that class of attack predates AutoSpill.</p>
<p>Most of the vendors behind the listed password managers have either patched the issue or commented on it. 1Password and Enpass said they are updating their autofill logic, while Dashlane and LastPass already had related mitigations in place.</p>
<p>In summary, autofill is a feature of most, if not all, password managers for quickly entering credentials into login forms, and it often extends to other data such as names and addresses. On Android, applications can use WebView controls to display web content such as a login form. The client application then makes a request to the Android autofill framework, which returns the fill data to both the WebView component and the client application.</p>
<p>AutoSpill is a credential-stealing technique presented by a group of researchers at a recent Black Hat conference. A malicious application can take advantage of the fact that both the native app and the WebView control are handed the credentials, and capture them. While the issue is worth attention, a successful attack requires a very particular set of circumstances, and because of that the overall impact is not rated as high.</p>
<p>Finally, we went over the list of password managers tested against AutoSpill. Google's password manager and Dashlane performed well, and while the researchers were able to leak credentials from the others, most of those vendors have since shipped specific fixes or already had related mitigations in place.</p>
<p>[1]: <a href="https://www.bleepingcomputer.com/news/security/autospill-attack-steals-credentials-from-android-password-managers/">https://www.bleepingcomputer.com/news/security/autospill-attack-steals-credentials-from-android-password-managers/</a></p>
<p>[2]: <a href="https://www.blackhat.com/eu-23/briefings/schedule/index.html#autospill-zero-effort-credential-stealing-from-mobile-password-managers-34420">https://www.blackhat.com/eu-23/briefings/schedule/index.html#autospill-zero-effort-credential-stealing-from-mobile-password-managers-34420</a></p>
<p>[3]: <a href="https://developer.android.com/guide/topics/text/autofill">https://developer.android.com/guide/topics/text/autofill</a></p>
<p>[4]: <a href="https://dl.acm.org/doi/fullHtml/10.1145/3485832.3485884">https://dl.acm.org/doi/fullHtml/10.1145/3485832.3485884</a></p>
<p>[5]: <a href="https://arstechnica.com/security/2023/12/how-worried-should-we-be-about-the-autospill-credential-leak-in-android-password-managers">https://arstechnica.com/security/2023/12/how-worried-should-we-be-about-the-autospill-credential-leak-in-android-password-managers</a></p>
<p>[6]: <a href="https://cybersecuritynews.com/autospill-attack-steals-passwords/">https://cybersecuritynews.com/autospill-attack-steals-passwords/</a></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p> </p></div>Xenomorph Android Banking Trojanhttps://redskyalliance.org/xindustry/xenomorph-android-banking-trojan2023-10-02T11:55:00.000Z2023-10-02T11:55:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12236323458,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12236323458,RESIZE_400x{{/staticFileLink}}" width="250" alt="12236323458?profile=RESIZE_400x" /></a>Recently identified Xenomorph Android banking trojan samples show an expanded target list that now includes North American users. Initially detailed in February 2022 and likely linked to the infamous banking trojan Alien, Xenomorph relies on overlays to steal users’ personal and login information. It can also intercept notifications and SMS messages to bypass two-factor authentication.</p>
<p>See: <a href="https://redskyalliance.org/intel-reports/intelligence-report-weekly-data-and-threats-04-20-2023">https://redskyalliance.org/intel-reports/intelligence-report-weekly-data-and-threats-04-20-2023</a></p>
<p>The malware relies on an Automated Transfer System (ATS) framework that supports a wide range of actions that can be chained in sequences to manipulate infected devices, harvest information, disable security features, and hide malicious activity. In 2022, the threat was seen targeting banking applications from Belgium, Italy, Portugal, and Spain, along with some cryptocurrency wallets and email applications, but recently identified samples show a wider target list.<a href="#_ftn1">[1]</a></p>
<p>According to investigators, Xenomorph variants observed in August 2023 show that the malware has matured, adding several new modules that make it more efficient. Distributed via phishing pages posing as a Chrome update but delivering a malicious APK instead, Xenomorph has been updated with dozens of new overlays for financial institutions in the US, Portugal, and Spain, as well as for multiple crypto wallets.</p>
<p>Following the update, the malware can now target more than 30 financial applications used in the US, 25 used in Spain, and more than 15 banking applications in Canada. Each of the recently observed samples contains more than 100 specifically crafted overlays to steal personally identifiable and financial information from victim devices.</p>
<p>The samples also show that Xenomorph has been updated with new commands to start/stop a mimic function, to prevent the device from going into sleep mode, and to simulate a touch on specific screen coordinates.</p>
<p>The mimic activity lets the malware pose as another application running on the device, to avoid triggering behavior detection. The operators did not restrict access to their distribution server, which also holds information on Xenomorph's distribution and evidence that desktop users are being targeted as well. This campaign is heavily focused on Spain, with more than 3,000 downloads in the span of a few weeks, followed at a large distance by the United States and Portugal, with more than 100 downloads each.</p>
<p>Analysis of the files on the distribution server also showed the use of the RisePro stealer, Private Loader, and LummaC2 stealer, suggesting that the server might be part of a distribution service.</p>
<p>The fact that we saw Xenomorph being distributed side-by-side with powerful desktop stealers is very interesting news. It could indicate a connection between the threat actors behind each of these malware [families], or it could mean that Xenomorph is being officially sold as a MaaS to actors, who operate it together with other malware families.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/xenomorph-android-banking-trojan-targeting-users-in-us-canada/">https://www.securityweek.com/xenomorph-android-banking-trojan-targeting-users-in-us-canada/</a></p></div>Who Is Sending My Data To China?https://redskyalliance.org/xindustry/who-is-sending-my-data-to-china2023-07-19T16:00:00.000Z2023-07-19T16:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12150812669,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12150812669,RESIZE_400x{{/staticFileLink}}" width="200" alt="12150812669?profile=RESIZE_400x" /></a>Two file management apps on the Google Play Store have been found to be spyware, putting the privacy and security of up to 1.5 million Android users at risk. The apps behave deceptively and quietly send sensitive user data to malicious servers in China. According to the researchers who found them, both spyware apps, File Recovery and Data Recovery (com.spot.music.filedate), with over 1 million installs, and File Manager (com.file.box.master.gkd), with over 500,000 installs, were developed by the same group. These seemingly harmless apps use the same malicious tactics and launch automatically when the device reboots, without user input.<a href="#_ftn1">[1]</a></p>
<p>Contrary to their Google Play Store listings, where both apps assure users that no data is collected, investigators found that a range of personal information is collected without users' knowledge. The stolen data includes contact lists, media files (images, audio files, and videos), real-time location, mobile country code, network provider details, SIM provider network code, operating system version, and device brand and model. What is particularly alarming is the volume of data the apps transfer: each performs more than a hundred transmissions, a large amount for apps that claim to collect nothing. Once collected, the data is sent to multiple servers in China that security experts have deemed malicious.</p>
<p>To make matters worse, the developers used several tricks to appear legitimate and to make the apps hard to uninstall. They artificially inflated download counts with install farms or mobile device emulators, creating a false sense of trustworthiness. Both apps can also hide their icons from the home screen, so unsuspecting users have no obvious way to find and uninstall them.</p>
<p>"These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play," a spokesperson for Google stated.</p>
<p>Users should be cautious when downloading apps, especially those without ratings if they claim a large user base. It is extremely critical to read and understand app permissions before accepting them to prevent breaches like this. Organizations should prioritize educating their employees about mobile threats and setting up automated mobile detection and response systems to protect against potential attacks.</p>
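<p>One way to turn the indicators in this article into a device check, as an added example that is not from the cited report: parse the output of <code>adb shell pm list packages -3</code> and <code>adb shell dumpsys package</code>, flag the two package names named above, and flag any third-party app that both requests RECEIVE_BOOT_COMPLETED (the boot auto-launch behavior described) and requests contact, media or location permissions. The <code>com.vendor.tracker</code> and <code>com.example.notes</code> packages and the dumpsys text are constructed for the demonstration, and the permission heuristic is an assumption of this example, not a published detection rule.</p>

```python
import re
from typing import Dict, List, Set

# Package names of the two spyware apps named in the article.
KNOWN_BAD = {"com.spot.music.filedate", "com.file.box.master.gkd"}

# Heuristic (assumption for this example): an app that starts itself on boot
# and can read contacts, media or location matches the behaviour described.
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"
HARVEST = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

_PKG_HEADER = re.compile(r"^\s*Package \[([\w.]+)\]")


def installed_packages(pm_output: str) -> Set[str]:
    """Package names from `adb shell pm list packages -3` (lines: package:<name>)."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def requested_permissions(dumpsys_output: str) -> Dict[str, Set[str]]:
    """{package: permissions} taken from the 'requested permissions:' section
    that `adb shell dumpsys package` prints for each package."""
    perms: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for line in dumpsys_output.splitlines():
        header = _PKG_HEADER.match(line)
        if header:
            current = header.group(1)
            perms[current] = set()
            in_requested = False
            continue
        if current is None:
            continue
        item = line.strip()
        if item.endswith(":"):  # a new sub-section, e.g. 'install permissions:'
            in_requested = item == "requested permissions:"
        elif in_requested and item:
            perms[current].add(item)
    return perms


def triage(pm_output: str, dumpsys_output: str) -> Dict[str, List[str]]:
    """Third-party packages worth a closer look, with the reason for each."""
    perms = requested_permissions(dumpsys_output)
    findings: Dict[str, List[str]] = {}
    for pkg in sorted(installed_packages(pm_output)):
        reasons = []
        if pkg in KNOWN_BAD:
            reasons.append("package name matches the reported spyware")
        requested = perms.get(pkg, set())
        harvest = requested & HARVEST
        if BOOT in requested and harvest:
            reasons.append("auto-starts on boot and requests " + ", ".join(sorted(harvest)))
        if reasons:
            findings[pkg] = reasons
    return findings


# Constructed tool output for three packages; not captured from a real device.
SAMPLE_PM = """package:com.file.box.master.gkd
package:com.example.notes
package:com.vendor.tracker
"""

SAMPLE_DUMPSYS = """Packages:
  Package [com.file.box.master.gkd] (4f2a1b3):
    userId=10231
    requested permissions:
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
  Package [com.example.notes] (9c0d2e1):
    userId=10232
    requested permissions:
      android.permission.INTERNET
  Package [com.vendor.tracker] (77ab9e0):
    userId=10233
    requested permissions:
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.READ_EXTERNAL_STORAGE
"""

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM, SAMPLE_DUMPSYS).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

<p>On a real device, feed the functions the captured output of the two adb commands. The name match is the only high-confidence signal; the boot-plus-harvest heuristic will also flag legitimate apps (a contacts backup tool, for instance), so treat it as a triage queue rather than a verdict.</p>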
<p>This incident highlights the ongoing battle between cybersecurity experts and malicious actors exploiting unsuspecting users. Malware and spyware attacks are constantly evolving and finding new ways to infiltrate trusted platforms like the Google Play Store. As a user, it is imperative to stay vigilant, exercise caution when downloading apps, and rely on reputable sources for software.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/07/two-spyware-apps-on-google-play-with-15.html">https://thehackernews.com/2023/07/two-spyware-apps-on-google-play-with-15.html</a></p></div>G-Android OS Could Allow for Remote Code Executionhttps://redskyalliance.org/xindustry/g-android-os-could-allow-for-remote-code-execution2023-07-07T18:40:00.000Z2023-07-07T18:40:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12131314470,RESIZE_192X{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12131314470,RESIZE_192X{{/staticFileLink}}" alt="12131314470?profile=RESIZE_192X" width="185" /></a>Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.</p>
<p>There are reports of vulnerabilities CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136 being exploited in the wild.<a href="#_ftn1">[1]</a></p>
<p>The most severe of these vulnerabilities could allow remote code execution in the context of the affected component. Following the MITRE ATT&CK framework, exploitation of these vulnerabilities can be classified as follows:</p>
<p>Tactic: Execution (TA0002)</p>
<table width="100%">
<tbody>
<tr>
<td>
<p>SYSTEMS AFFECTED:</p>
<p>Android OS patch levels prior to 2023-07-05</p>
<p>Government: Large and medium government entities - HIGH; Small government entities - MEDIUM</p>
<p>Businesses: Large and medium business entities - HIGH; Small business entities - MEDIUM</p>
<p>Home Users: LOW</p>
</td>
</tr>
</tbody>
</table>
<ul>
<li>Multiple vulnerabilities in System that could allow for remote code execution. (CVE-2023-21250, CVE-2023-2136)</li>
<li>A vulnerability in Framework that could allow for remote code execution. (CVE-2023-21127)</li>
<li>Multiple vulnerabilities in Framework that could allow for escalation of privilege. (CVE-2023-20918, CVE-2023-20942, CVE-2023-21145, CVE-2023-21245, CVE-2023-21251, CVE-2023-21254, CVE-2023-21257, CVE-2023-21262)</li>
<li>A vulnerability in Framework that could allow for denial of service. (CVE-2023-21087)</li>
<li>Multiple vulnerabilities in Framework that could allow for information disclosure. (CVE-2023-21238, CVE-2023-21239, CVE-2023-21249)</li>
<li>Multiple vulnerabilities in System that could allow for escalation of privilege. (CVE-2023-21241, CVE-2023-21246, CVE-2023-21247, CVE-2023-21248, CVE-2023-21256)</li>
<li>A vulnerability in System that could allow for information disclosure. (CVE-2023-21261)</li>
<li>Multiple vulnerabilities in System that could allow for denial of service. (CVE-2023-20910, CVE-2023-21240, CVE-2023-21243)</li>
<li>Multiple vulnerabilities in Kernel that could allow for escalation of privilege. (CVE-2022-42703, CVE-2023-21255, CVE-2023-25012)</li>
<li>Multiple vulnerabilities in Arm components. (CVE-2021-29256, CVE-2022-28350, CVE-2023-28147, CVE-2023-26083)</li>
<li>A vulnerability in Imagination Technologies (CVE-2021-0948)</li>
<li>Multiple vulnerabilities in MediaTek components. (CVE-2023-20754, CVE-2023-20755)</li>
<li>Multiple vulnerabilities in Qualcomm components (CVE-2023-21672, CVE-2023-22386, CVE-2023-22387, CVE-2023-24851, CVE-2023-24854, CVE-2023-28541, CVE-2023-28542)</li>
<li>Multiple vulnerabilities in Qualcomm closed-source components. (CVE-2023-21629, CVE-2023-21631, CVE-2023-22667)</li>
</ul>
<p>Authorities recommend the following actions be taken: Apply appropriate patches provided by Google to vulnerable systems, immediately after appropriate testing. (M1051: Update Software)</p>
<ul>
<li>Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.</li>
<li>Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.</li>
<li>Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.</li>
<li>Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources. (User Training).</li>
<li>Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (Exploit Protection)</li>
<li>Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.</li>
</ul>
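<p>The "systems affected" line above turns on the device's security patch level string. The following added example (not from the CIS advisory or from Google) reads <code>ro.build.version.security_patch</code> over adb, or from a constructed inventory, and classifies each device against the July 2023 bulletin's two levels: 2023-07-01 covers the Framework and System fixes, while 2023-07-05 additionally covers the kernel and vendor component fixes listed above, so a device reporting 2023-07-01 is still exposed to the Arm, Qualcomm, MediaTek and Imagination Technologies CVEs. The serial numbers and property values are constructed.</p>

```python
import re
import subprocess
from datetime import date
from typing import Dict, Optional

# Patch levels from the July 2023 bulletin. Devices at 2023-07-01 carry the
# Framework/System fixes but not the kernel and vendor fixes, which need 2023-07-05.
PARTIAL_LEVEL = date(2023, 7, 1)
FULL_LEVEL = date(2023, 7, 5)

_PATCH_RE = re.compile(r"^\s*(\d{4})-(\d{2})-(\d{2})\s*$")


def parse_patch_level(raw: str) -> Optional[date]:
    """Parse the YYYY-MM-DD value of ro.build.version.security_patch;
    None when the property is missing or malformed."""
    m = _PATCH_RE.match(raw)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. month 13 on a tampered or broken build
        return None


def classify(level: Optional[date]) -> str:
    if level is None:
        return "unknown"
    if level >= FULL_LEVEL:
        return "patched"
    if level >= PARTIAL_LEVEL:
        return "partial"  # framework/system fixed, vendor and kernel CVEs still open
    return "vulnerable"


def read_patch_level(serial: str) -> Optional[date]:
    """Query one connected device through adb (assumes adb on PATH and the
    device authorised for USB debugging)."""
    try:
        out = subprocess.run(
            ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
            capture_output=True, text=True, timeout=15, check=False,
        ).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_patch_level(out)


def audit(fleet: Dict[str, str]) -> Dict[str, str]:
    """Classify a {serial: raw getprop output} mapping."""
    return {serial: classify(parse_patch_level(raw)) for serial, raw in fleet.items()}


# Constructed getprop output for five devices; not real inventory data.
SAMPLE_FLEET = {
    "R58M1234AAA": "2023-08-05\n",
    "R58M1234BBB": "2023-07-05\n",
    "R58M1234CCC": "2023-07-01\n",
    "R58M1234DDD": "2023-05-01\n",
    "R58M1234EEE": "\n",  # property absent, e.g. a custom build
}

if __name__ == "__main__":
    for serial, status in audit(SAMPLE_FLEET).items():
        print(serial, status)
```

<p>For live devices, replace the constructed mapping with <code>{serial: raw}</code> pairs gathered from <code>adb devices</code> and <code>read_patch_level</code>. The "partial" bucket is the one that is easy to miss when a report only asks whether the July patch is installed.</p>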
<p><strong>CVEs</strong></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0948">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0948</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29256">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29256</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28350">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28350</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20910">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20910</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20754">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20754</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20755">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20755</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20918">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20918</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20942">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20942</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21087">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21087</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21145">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21145</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2136">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2136</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21238">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21238</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21239">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21239</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21240">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21240</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21241">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21241</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21243">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21243</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21245">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21245</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21246">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21246</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21247">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21247</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21248">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21248</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21249">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21249</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21250">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21250</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21251">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21251</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21254">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21254</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21255">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21255</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21256">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21256</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21257">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21257</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21261">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21261</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21262">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21262</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21629">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21629</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21631">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21631</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21672">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21672</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22386">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22386</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22387">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22387</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22667">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22667</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24851">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24851</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24854">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24854</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25012">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25012</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26083">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26083</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28147">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28147</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28541">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28541</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28542">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28542</a></p>
<p><strong>Google</strong></p>
<p><a href="https://source.android.com/docs/security/bulletin/2023-07-01#arm-components">https://source.android.com/docs/security/bulletin/2023-07-01#arm-components</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-remote-code-execution_2023-072">https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-remote-code-execution_2023-072</a></p></div>Transferring Data Safelyhttps://redskyalliance.org/xindustry/transferring-data2023-05-10T12:20:00.000Z2023-05-10T12:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}11072540077,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11072540077,RESIZE_400x{{/staticFileLink}}" alt="11072540077?profile=RESIZE_400x" width="250" /></a>When transferring data from an Android device to an iOS device, the Move to iOS app is the go-to solution for most users. However, many users have complained that the app fails at the final step when importing the backup, or that some data is not transferred completely. So is there an alternative to Move to iOS that is safe, secure, and capable of doing the job?</p>
<p>iToolab WatsGo fits the description of a worthy solution pretty well. We have discussed its features and how it works, too. This Hack Read article explains the two best and proven methods to transfer WhatsApp from Android to iPhone simply and seamlessly.<a href="#_ftn1">[1]</a></p>
<p>Two efficient methods to transfer WhatsApp between Android and iPhone: There are multiple ways to transfer WhatsApp from Android to iPhone. Here we discuss two practical ones, Move to iOS and iToolab WatsGo, to help you transfer data from Android to iPhone in minutes.</p>
<p>Method 1: Use iToolab WatsGo to Transfer WhatsApp from Android to iPhone without factory resetting your iPhone.</p>
<p>iToolab WatsGo – WhatsApp Transfer, Backup & Restore is the best-proven solution to quickly transfer WhatsApp from Android to iPhone and other iOS devices with just one click. Besides messages, you can export and migrate multiple data types like audio, videos, images, contacts, label messages, etc., without hassle.</p>
<p>The program easily transfers GBWhatsApp to WhatsApp/GBWhatsApp, even backs up and restores GBWhatsApp, and is compatible with all iOS devices, including iPhone 16, and Android devices, including 12/13, across over 6000 Android models.</p>
<p>Prime Features of iToolab WatsGo</p>
<ol>
<li>Features multidirectional transfer: iToolab features multidirectional transfers from Android to iPhone, iPhone to Android, Android to Android, and iPhone to iPhone.</li>
<li>Does not require iPhone factory reset: With iToolab WatsGo, you don’t need to factory reset your iPhone; instead, its cutting-edge inbuilt tech has a high success rate of up to 90%.</li>
<li>Fast Transfer Speed: iToolab WatsGo transfers up to 3x faster than other programs, with a transfer speed of 10240 kb/s compared to Move to iOS.</li>
<li>Smooth Transfer: This program transfers extensive data of up to 20GB without sudden interruption and exports 40k messages at once.</li>
<li>Supports 6000+ Android devices: iToolab supports over 6k Android models, including Huawei, OnePlus, and Xiaomi.</li>
<li>Supports transferring over 20 data types: The program transfers images, audio, videos, call history, contacts, docs, links, stickers, status, messages, wallpaper, etc.</li>
<li>High compatibility: iToolab WatsGo is fully compatible with the latest iPhone 14 series, iOS 16, and Android 13.</li>
</ol>
<p>Steps to Use iToolab WatsGo</p>
<p>Step 1: Download and open iToolab WatsGo - Download and install iToolab WatsGo from its official link and click WhatsApp in the left panel. Then click WhatsApp Transfer. Remember to enable USB debugging on Android and tap Trust on iPhone so iToolab WatsGo recognizes them easily.</p>
<p>Step 2: Connect your Android and iPhone - Connect your Android (source device) and iPhone (target device) to the PC. Then click the arrow to flip both devices and adjust them. Once the connection is established, the tool reminds you that your iPhone will be overwritten, so you must back it up to avoid losing your essential data. You must select the WhatsApp data and media files to be transferred to the iPhone, but text messages are shared by default.</p>
<p>Step 3: Turn on end-to-end encrypted WhatsApp Backup - Enable end-to-end encrypted WhatsApp Backup on your Android phone and follow the on-screen prompts to back up. Or simply click the Kebab menu (three vertical dots) at the upper right > Settings > Chats > Chat Backup. Take a screenshot to save the password.</p>
<p>Step 4: Verify with Password - Once the WhatsApp backup is generated, verify the 64-bit encrypted backup with a password. If you cannot verify the encrypted backup, click Phone Number Verification under the Verify button and continue the transfer process. Back up WhatsApp manually and turn off the encrypted backup.</p>
<p>** Verify the phone number (earlier used for backup)</p>
<p>Step 5: Generate WhatsApp backup to restore - Now the Android WhatsApp backup will be processed, converted to the format applicable to iPhone, and restored to your iPhone. Within a few moments, you’ll see the success interface indicating that WhatsApp has been transferred to the iPhone completely, and your iPhone will reboot.</p>
<p>Pros</p>
<ul>
<li>Does not compromise on data</li>
<li>Transfers data in a few clicks</li>
<li>Offers multidirectional and secure support</li>
<li>It doesn’t require jailbreak</li>
<li>Compatible with Android 13 and iOS 16</li>
</ul>
<p>Cons</p>
<ul>
<li>The Mac version is unavailable</li>
</ul>
<p>Other Useful Features of iToolab WatsGo</p>
<p>Besides offering the ease of transferring WhatsApp from Android to iPhone, iToolab WatsGo delivers its services through many other valuable features.</p>
<ol>
<li>iToolab WatsGo easily restores WhatsApp backup from Google Drive to iPhone.</li>
<li>The program transfers GBWhatsApp to WhatsApp or GBWhatsApp/WhatsApp Business in a simple way.</li>
<li>iToolab lets you preview and restore WhatsApp or iTunes backup anytime you want.</li>
<li>All the backups from the history list are displayed in the program.</li>
<li>iToolab WatsGo lets you back up WhatsApp on iOS and Android to a computer without iTunes, Google Drive, or iCloud.</li>
</ol>
<p>Method 2: Use Move to iOS to Transfer WhatsApp from Android to iPhone</p>
<p>Move to iOS is an efficient tool from Apple that lets you quickly transfer multiple data types, including message history, contacts, mail accounts, website bookmarks, photos, videos, and calendars, to iOS devices. The app comes in handy for a new iOS user.</p>
<p>Step 1: Turn on your new/factory reset iPhone and keep it near the Android phone. Follow the setup instructions on the iPhone.</p>
<p>Step 2: Look for the Apps & Data screen and click Move Data from Android.</p>
<p>Note: You must erase your iOS device and start over if you have already finished setting up. But if you don’t want to erase it, you can transfer your WhatsApp data manually.</p>
<p>Step 3: Launch the Move to iOS app on your Android device, then follow the on-screen prompts.</p>
<p>Step 4: Click Continue on your iPhone when you see the Move from Android screen. A six-digit or ten-digit code will then be displayed on your iPhone. Enter that code on your Android phone.</p>
<p>Step 5: Your iPhone will create a temporary WiFi network. Click Connect to join it on your Android phone when asked, and wait for the Transfer Data Screen to appear.</p>
<p>Step 6: Select your content on Android to transfer and click Continue.</p>
<p>Step 7: Keep both phones nearby and plug them into a power source until the data transfer is completed. The transfer time depends on your chosen content.</p>
<p>Step 8: Once the loading bar finishes on your iPhone, click Done on Android. Click Continue on your iPhone and follow the screen prompts to set it up.</p>
<p>Step 9: Ensure all your selected WhatsApp content is transferred. You can manually move music, books, and PDF files.</p>
<p>Pros</p>
<ul>
<li>Transfers all your account information from Android to iOS devices over WiFi</li>
<li>Perfect solution for beginners</li>
<li>Identifies Android apps and downloads on iPhone (if they are free)</li>
</ul>
<p>Cons</p>
<ul>
<li>Your iPhone must be new or factory reset.</li>
<li>Connect your Android and iPhone to the same WiFi and a power source.</li>
<li>Use the same mobile number on both devices.</li>
<li>You must have Android 5 or above and iOS 15.5 or newer to use the Move to iOS app.</li>
<li>Install WhatsApp iOS version 2.22.10.70 or above on the iPhone and WhatsApp Android version 2.22.7.74 on the Android phone.</li>
</ul>
<p>The Bottom Line - As a new iOS user, transferring WhatsApp to your iOS device can be challenging, especially if you don’t follow the right solutions. But we have discussed two efficient and practical methods to transfer WhatsApp from Android to iPhone simply. While Move to iOS is an excellent method, its cons are enough to make you seek an alternative. So, you can try iToolab WatsGo WhatsApp Transfer to transfer, back up, and restore your WhatsApp data cleanly and simply.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.hackread.com/transfer-whatsapp-data-android-iphone/">https://www.hackread.com/transfer-whatsapp-data-android-iphone/</a></p></div>Danger - Google Appshttps://redskyalliance.org/xindustry/danger-google-apps2023-04-20T17:25:00.000Z2023-04-20T17:25:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}11030292475,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11030292475,RESIZE_400x{{/staticFileLink}}" alt="11030292475?profile=RESIZE_400x" width="222" /></a>Millions of consumers are now being urged to check their devices quickly after security experts found a new threat targeting Android phones. The team at McAfee Mobile Security discovered the most recent attack, which can infect well-known applications with a malicious software library and start carrying out tasks without the smartphone owners' authorization.<a href="#_ftn1">[1]</a></p>
<p>Once a contaminated app has been installed, cyber criminals can use it to view Wi-Fi history, Bluetooth devices connected to the phone, the apps used, and even nearby GPS locations. This means a con artist may know your exact location.</p>
<p>How dangerous is this? Worse yet, because the malicious library can perform ad fraud by clicking on bogus advertisements in the background, Android users might be making money for hackers without even realizing it. This kind of attack frequently leaves phones overloaded and overworked, and it is also known to slow down devices. McAfee confirmed, "the research team has found over 60 applications containing this third-party malicious library, with over 100 million downloads."</p>
<p>In addition, the research team has already reported the problem to Google, which instructed app developers to fix their apps or face removal from its app store.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.msn.com/en-in/money/technology/google-has-banned-36-popular-android-apps-and-millions-are-being-pushed-to-do-so-right-away/ar-AA1a2du3">https://www.msn.com/en-in/money/technology/google-has-banned-36-popular-android-apps-and-millions-are-being-pushed-to-do-so-right-away/ar-AA1a2du3</a></p></div>MaliBot Malware Updatehttps://redskyalliance.org/xindustry/malibot-malware-update2022-06-22T18:19:24.000Z2022-06-22T18:19:24.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10588724464,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10588724464,RESIZE_400x{{/staticFileLink}}" width="250" alt="10588724464?profile=RESIZE_400x" /></a>Recently, researchers identified a new Android malware family capable of exfiltrating financial and personal information after taking control of infected devices. Named MaliBot by researchers, the malware poses as a cryptocurrency mining application, but may also pretend to be a Chrome browser or another app. On infected devices, the threat focuses on harvesting financial information and stealing banking, finance, cryptocurrency and Personally Identifiable Information (PII).</p>
<p>The malware uses a VNC server implementation that allows it to control the infected devices, and was also designed to steal and bypass multi-factor authentication (MFA). According to investigators, MaliBot's command and control (C&C) is in Russia, using the same servers that were previously used to distribute the Sality malware. Since June 2020, the IP has been used to launch various other malicious campaigns.<a href="#_ftn1">[1]</a></p>
<p>Early versions of Sality used entry point obscuration (EPO) to hide in a Windows system. They would insert a command somewhere in the middle of an infected file’s code. When a Windows system read the infected file and tried to execute it, the system would “jump” to and execute the malware’s code instead.</p>
<p>Here is what happens during a Sality attack:</p>
<ul>
<li>Sality executes a malicious payload once it is installed on a Windows system.</li>
<li>The actions performed vary based on the malware variant.</li>
<li>Most Sality viruses try to terminate system processes, including those that execute security programs.</li>
<li>They can also attempt to open connections to remote sites, download and activate malicious files, and steal user data.</li>
</ul>
<p>Today’s Sality variants infect executable files on local, shared, and removable drives. They add malicious code to the end of an infected (or host) file. This code is polymorphic, too, which makes it challenging to identify and analyze.</p>
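<p>One defender-side check that the appending behaviour above suggests, added here as an example and not code from the article or from any vendor tool: an infector that appends its code to the end of a host executable leaves bytes past the last section declared in the PE header (an "overlay"). The Python below walks the section table and measures that overlay. It builds a constructed, minimal PE-shaped byte string inline so it runs offline; that byte string is not a real executable. Legitimate files (installers, Authenticode-signed binaries, whose signature lives in the overlay) also carry overlays, so a non-zero result is a triage signal for a closer look, not a verdict.</p>

```python
import struct

SECTION_HEADER_SIZE = 40


def overlay_size(data: bytes) -> int:
    """Return the number of bytes that lie beyond the last PE section's raw data.

    An appending file infector places its code after the last section, so the
    file grows past the end that the section table accounts for.
    Raises ValueError for input that is not an MZ/PE file.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)   # COFF NumberOfSections
    (opt_hdr_size,) = struct.unpack_from("<H", data, pe_off + 20)  # COFF SizeOfOptionalHeader
    section_table = pe_off + 24 + opt_hdr_size
    end_of_image = section_table + SECTION_HEADER_SIZE * num_sections
    for i in range(num_sections):
        hdr = section_table + SECTION_HEADER_SIZE * i
        # SizeOfRawData (offset 16) and PointerToRawData (offset 20) of the section header
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    return max(0, len(data) - end_of_image)


def classify(data: bytes) -> str:
    """Triage label. Installers and Authenticode-signed binaries legitimately
    carry overlays, so a non-zero size means 'inspect', never 'malicious'."""
    size = overlay_size(data)
    return "inspect: %d overlay bytes past the section table" % size if size else "no overlay"


def build_sample_pe(section_size: int, overlay: bytes = b"") -> bytes:
    """Constructed sample (not an executable): DOS header, PE signature, COFF
    header with no optional header, one section header, and that section's data,
    optionally followed by appended bytes standing in for infector code."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)     # 64 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)      # 1 section, opt hdr size 0
    data_off = pe_off + 4 + len(coff) + SECTION_HEADER_SIZE           # 0x80
    section = struct.pack("<8sIIIIIIHHI", b".text", section_size, 0x1000,
                          section_size, data_off, 0, 0, 0, 0, 0x60000020)
    body = dos + b"PE\0\0" + coff + section
    assert len(body) == data_off
    return body + b"\xCC" * section_size + overlay


if __name__ == "__main__":
    print(classify(build_sample_pe(64)))
    print(classify(build_sample_pe(64, overlay=b"\x90" * 32)))
```

<p>On a real sample, read the file in binary mode and pass the bytes to <code>classify</code>; compare the overlay size against what the vendor's clean build of the same version reports before drawing any conclusion.</p>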
<p>The analysis of MaliBot has revealed a variety of capabilities, including support for web injections and overlay attacks, the ability to run and delete applications, and the ability to steal a great deal of information, including cookies, MFA codes, and SMS messages.</p>
<p>MaliBot is being distributed via fraudulent websites attempting to trick intended victims into downloading the malware instead of the popular cryptocurrency tracker app “TheCryptoApp,” or via smishing. For most of its malicious operations, MaliBot abuses the Android Accessibility API, which allows it to perform actions without user interaction and also lets it maintain persistence on the infected devices.</p>
<p>The malware can also bypass Google’s 2FA mechanism by validating Google prompts using the Accessibility API. It also steals the 2FA code, sends it to the attacker, and then inputs the code on the victim device. When registering an infected device with the C&C server, the malware also sends out the list of installed applications, which is used to identify overlays/injections that can be used on top of applications the user launches.</p>
<p>Having permissions to use the Accessibility API, MaliBot can also implement a VNC server to provide attackers with full control over the infected device. This malware can also send SMS messages on demand (mainly for smishing), can log exceptions, and keeps its background service running by registering itself as a launcher (which also allows it to be notified when an application is launched).</p>
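<p>The Accessibility API abuse described in the paragraphs above is something an administrator can check for from the device side, because Android records the enabled services in a secure setting. The Python below is an added example, not code from the article or from the researchers who analyzed MaliBot. It parses the output of <code>adb shell settings get secure enabled_accessibility_services</code>, which is a colon-separated list of package/class component names (or <code>null</code> when nothing is enabled), and reports any enabled service whose package is not on an allowlist. The sample output and the allowlist are constructed for the example.</p>

```python
# Constructed sample of the output of:
#   adb shell settings get secure enabled_accessibility_services
# Android stores enabled services as colon-separated package/class pairs; a
# class beginning with "." is shorthand for a class inside that package.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cryptotracker/.svc.OverlayService"
)

# Assumed organisational allowlist of packages that may run an accessibility
# service on managed devices (an assumption made for this example).
ALLOWED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
})


def parse_enabled_services(setting):
    """Split the raw setting value into (package, fully qualified class) tuples.

    Returns an empty list for an empty value or the literal "null" that
    `settings get` prints when the key has never been set.
    """
    if setting is None or setting.strip() in ("", "null"):
        return []
    services = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):          # expand the relative class shorthand
            cls = package + cls
        services.append((package, cls))
    return services


def audit_accessibility_services(setting, allowed=ALLOWED_PACKAGES):
    """Return component names of enabled accessibility services whose package
    is not allowlisted. Each hit deserves a look: an app that holds this
    service can read screen content and inject input, which is exactly what
    a banking overlay or MFA-prompt bypass needs."""
    return [
        "%s/%s" % (pkg, cls)
        for pkg, cls in parse_enabled_services(setting)
        if pkg not in allowed
    ]


if __name__ == "__main__":
    for finding in audit_accessibility_services(SAMPLE_OUTPUT):
        print("unexpected accessibility service:", finding)
```

<p>In practice, feed the function the actual output of the <code>adb shell settings get</code> command for each enrolled device, or the equivalent value exported by an MDM, and review every hit against the package's declared purpose.</p>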
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/malibot-android-malware-steals-financial-personal-information">https://www.securityweek.com/malibot-android-malware-steals-financial-personal-information</a></p></div>Joker Android Trojan is Up to its Old Tricks Againhttps://redskyalliance.org/xindustry/joker-android-trojan-is-up-to-its-old-tricks-again2021-04-21T18:44:26.000Z2021-04-21T18:44:26.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><strong><a href="{{#staticFileLink}}8820300897,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8820300897,RESIZE_400x{{/staticFileLink}}" width="250" alt="8820300897?profile=RESIZE_400x" /></a>Ten variants of the Joker Android Trojan managed to slip into the Huawei AppGallery app store and were downloaded by more than 538,000 users, according to new data from Russian anti-malware vendor Doctor Web.</strong> Also known as Bread, <a href="https://www.securityweek.com/google-removes-trove-risky-bread-apps-play-store">the Joker Trojan</a> was first observed in 2017, when it was originally focused on SMS fraud. Joker is a malware Trojan that targets Android users. It was packaged in at least two dozen applications that were downloaded from the Google Play store over 400,000 times. The main purpose of Joker is to generate revenue for the cyber criminals responsible through fraudulent advertising activities. During 2020, the malware was observed performing billing fraud, with thousands of infected applications identified and removed by Google.</p>
<p>This family of Potentially Harmful Applications (PHAs), known for subscribing users to premium mobile services, has previously targeted Android users through Google Play, but it appears that the malware’s operators have shifted their attention to additional app stores. Joker attempts to remain silent and undetected on infected devices by using as little JavaScript code as possible and locking down its code through obfuscation techniques. In many cases, the malware has been integrated into advertising frameworks linked to its malicious apps.</p>
<p>With Huawei currently the fourth smartphone maker in terms of <a href="https://gs.statcounter.com/vendor-market-share/mobile">market share</a>, at roughly 9 percent, it is no surprise that the cybercriminals behind Joker have chosen AppGallery to distribute their malware. Disguised as harmless applications, the Trojan’s modifications would work as expected when launched, thus avoiding raising suspicion. Observed apps include “virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game,” the company <a href="https://news.drweb.com/show/?lng=en&i=14182&c=9">said</a>.</p>
<p>The Trojan’s variations feature multiple components capable of executing a variety of tasks. While only basic Trojan modules that feature minimal functionality are installed through the initial executable, additional components are downloaded from the Internet, to expand the threat’s functionality. While the user is delivered a full-fledged app, in the background the Trojan connects to the command and control (C&C) server to fetch the necessary configuration and components. The malware automatically subscribes the user to premium mobile services, while the permissions that the decoy application asks for allow it to intercept incoming SMS messages containing the necessary subscription codes.</p>
<p>The apps set a limit on the number of premium services that can be successfully activated for each user. Subscriptions are successful only if the infected device is connected to the Internet through a mobile network. Thus, the Trojan attempts to terminate active Wi-Fi connections.</p>
<p>Doctor Web’s security researchers also warn that the Trojan sends the contents of all notifications about incoming SMS messages to the C&C server, which could lead to data leaks. After being alerted to the identified malicious apps, Huawei took a series of measures to prevent further downloads.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org/">https://redskyalliance.org</a> at no charge. Many past tactics are reused in current malicious campaigns.</p>
<p><a href="{{#staticFileLink}}8820302098,original{{/staticFileLink}}">TR-21-110-001_Joker_Android.pdf</a></p>
<p><span style="font-size:8pt;"><a href="https://www.securityweek.com/joker-android-trojan-lands-huawei-appgallery-app-store">https://www.securityweek.com/joker-android-trojan-lands-huawei-appgallery-app-store</a></span></p>
</div>Android System Update May Contain Spywarehttps://redskyalliance.org/xindustry/android-system-update-may-contain-spyware2021-04-15T13:22:07.000Z2021-04-15T13:22:07.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}8794090860,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8794090860,RESIZE_400x{{/staticFileLink}}" alt="8794090860?profile=RESIZE_400x" width="201" /></a>Researchers have discovered a new information-stealing Trojan that targets Android devices with a blitz of data-exfiltration capabilities, from collecting browser searches to recording audio and phone calls. While Android malware has previously taken the guise of copycat apps, which go under names similar to legitimate pieces of software, this clever new malicious app masquerades as a System Update application to take control of compromised devices.</p>
<p>"The spyware creates a notification if the device's screen is off when it receives a command using the Firebase messaging service," researchers said in a recent analysis. "The 'Searching for an update..' is not a legitimate notification from the operating system, but the spyware."</p>
<p>Once installed, the sophisticated spyware campaign sets about its task by registering the device with a Firebase command-and-control (C2) server with information such as battery percentage, storage stats, and whether the phone has WhatsApp installed, followed by amassing and exporting any data of interest to the server in the form of an encrypted ZIP file.</p>
<p><a href="{{#staticFileLink}}8794151658,RESIZE_710x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}8794151658,RESIZE_584x{{/staticFileLink}}" alt="8794151658?profile=RESIZE_584x" width="500" /></a></p>
<p>The spyware features myriad capabilities with a focus on stealth, including tactics to pilfer contacts, browser bookmarks, and search history; steal messages by abusing the accessibility services; record audio and phone calls; and take photos using the phone's cameras. It can also track the victim's location, search for files with specific extensions, and grab data from the device's clipboard.</p>
<p>"The spyware's functionality and data exfiltration are triggered under multiple conditions, such as a new contact added, new SMS received or, a new application installed by making use of Android's contentObserver and Broadcast receivers," the researchers said.</p>
<p>The malware not only organizes the collected data into several folders inside its private storage, but it also wipes out any trace of malicious activity by deleting the ZIP files as soon as it receives a "success" message from the C2 server post exfiltration. In a further bid to evade detection and fly under the radar, the spyware also reduces its bandwidth consumption by uploading thumbnails as opposed to the actual images and videos present in external storage.</p>
<p>Although the "System Update" app was never distributed through the official Google Play Store, the research once again highlights how third-party app stores can protect against dangerous malware. The identity of the malware authors, the targeted victims, and the ultimate motive behind the campaign remains unknown. </p>
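<p>Both the Joker apps described earlier (intercepting SMS subscription codes, dropping Wi-Fi so billing goes over the mobile network) and the "System Update" spyware above (audio, camera, location, contacts, accessibility abuse) announce most of what they need in the APK manifest. The Python below is an added example serving both articles; it is not code from the articles, from Doctor Web, or from the researchers who analyzed the spyware. It parses a decoded AndroidManifest.xml (decoding with a tool such as apktool is assumed) and flags permission and component combinations that match those reported behaviours. The manifest text is constructed for a fictional sticker app, and the grouping thresholds are this example's choices.</p>

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERM = "{%s}permission" % ANDROID_NS

# Constructed decoded manifest for a fictional sticker app; not a real package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.stickerpack">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application android:label="Sticker Pack">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Permission groups mapped to the reported behaviours. The "3 or more" rule for
# the surveillance group is a threshold chosen for this example, not a standard.
SURVEILLANCE = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_EXTERNAL_STORAGE",
}
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def audit_manifest(xml_text):
    """Summarise a decoded manifest and list behaviour flags worth reviewing."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    actions = {a.get(NAME) for a in root.iter("action")}
    accessibility = [s.get(NAME) for s in root.iter("service")
                     if s.get(PERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    findings = []
    if perms & SMS and "android.provider.Telephony.SMS_RECEIVED" in actions:
        findings.append("sms_interception")       # Joker: reading premium-subscription codes
    if "android.permission.CHANGE_WIFI_STATE" in perms:
        findings.append("wifi_control")           # Joker: forcing the mobile-network billing path
    if accessibility:
        findings.append("accessibility_service")  # System Update: message theft via accessibility
    if len(perms & SURVEILLANCE) >= 3:
        findings.append("surveillance")           # System Update: audio, camera, location, contacts
    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "accessibility_services": accessibility,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "->", ", ".join(report["findings"]) or "nothing flagged")
```

<p>The useful signal is the mismatch between an app's stated purpose and its findings: a sticker collection has no reason to receive SMS broadcasts, toggle Wi-Fi, or bind an accessibility service, so every flag above is a question for the reviewer before the app is allowed onto managed devices.</p>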
<p>Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge. Many past tactics are often dusted off and reused in current malicious campaigns. Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network. </p>
</div>How Can One Update Hijack 10 Million Devices?https://redskyalliance.org/xindustry/how-can-one-update-hijack-10-million-devices2021-02-11T17:20:19.000Z2021-02-11T17:20:19.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}8543852878,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8543852878,RESIZE_400x{{/staticFileLink}}" width="250" alt="8543852878?profile=RESIZE_400x" /></a>With a single update, a popular barcode scanner app on Google Play transformed into malware and was able to hijack up to 10 million devices. Until recently, Barcode Scanner was a straightforward application that provided users with a basic QR code reader and barcode generator, useful for things like making purchases and redeeming discounts. The app, which has been around since at least 2017, is owned by developer Lavabird Ltd. and claims to have over 10 million downloads.</p>
<p>Lavabird Ltd.'s Barcode Scanner was an Android app that had been available on Google's official app repository for years. The mobile application appeared to be legitimate, trustworthy software, with many users having installed the app years ago without any problems. Lavabird Ltd. was incorporated in 2020 and is registered at an address in London, <a href="https://find-and-update.company-information.service.gov.uk/company/12512812">according to available online records</a>. The company’s director, Dmytro Kizema, resides in Ukraine.</p>
<p>According <a href="https://blog.malwarebytes.com/android/2021/02/barcode-scanner-app-on-google-play-infects-10-million-users-with-one-update/">to Malwarebytes</a>, users recently started to complain that advertising messages had begun appearing unexpectedly on their Android devices. Unwanted programs, ads, and malvertising are often connected with new app installations, but in this case users reported that they had not installed anything recently. Upon investigation, the researchers pinpointed Barcode Scanner as the culprit. It is frightening that with one update an app can turn malicious while staying under the radar of Google Play Protect. It is still unknown why an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reached popularity?</p>
<p>A software update issued on 04 December 2020 changed the functions of the app to push advertising without warning. Many developers implement ads in their software in order to offer free versions, while paid-for apps simply do not display ads; in recent years, however, the overnight shift of apps from useful resources to adware has become more common. "Ad SDKs can come from various third-party companies and provide a source of revenue for the app developer. It's a win-win situation for everyone," investigators noted. "Users get a free app, while the app developers and the ad SDK developers get paid. But every once in a while, an ad SDK company can change something on their end and ads can start getting a bit aggressive."</p>
<p>Sometimes 'aggressive' advertising practices can be the fault of third-party SDKs, but this was not the case with Barcode Scanner. Instead, the researchers say that malicious code was pushed in the December update and was heavily concealed to avoid detection. The update was also signed with the same security certificate used in past, clean versions of the Android application.</p>
<p>Malwarebytes reported its findings to Google, which has now pulled the app from Google Play. However, this does not mean the app will vanish from impacted devices, so users need to manually uninstall the now-malicious app.</p>
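<p>Because the malicious Barcode Scanner update was signed with the same certificate as the earlier clean versions, signing-key continuity alone told users nothing; what changed between versions did. The Python below is an added example, not tooling from Malwarebytes, Google, or the article. It diffs the permissions, declared components, and intent actions of two decoded manifests (previous and updated version) so a reviewer can see what an update newly asks for, and it separates components whose class lives outside the app's own package, the usual footprint of a bundled SDK. Both manifests are constructed for a fictional scanner app, and decoding them from the APKs with a tool such as apktool is assumed.</p>

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
VERSION_CODE = "{%s}versionCode" % ANDROID_NS
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifests for a fictional scanner app: the long-installed version
# (v1) and an update (v2). Neither corresponds to a real package.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscan" android:versionCode="41">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".ScanActivity"/>
  </application>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscan" android:versionCode="42">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".ScanActivity"/>
    <receiver android:name="com.example.adsdk.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.adsdk.AdService"/>
  </application>
</manifest>"""


def _summarise(xml_text):
    """Collect the pieces of a manifest that matter for an update review."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    comps = {(tag, e.get(NAME)) for tag in COMPONENT_TAGS for e in root.iter(tag)}
    actions = {a.get(NAME) for a in root.iter("action")}
    return root.get("package"), root.get(VERSION_CODE), perms, comps, actions


def diff_manifests(old_xml, new_xml):
    """Report what the new version requests or declares that the old one did not."""
    _, old_v, old_p, old_c, old_a = _summarise(old_xml)
    pkg, new_v, new_p, new_c, new_a = _summarise(new_xml)
    added_components = sorted(new_c - old_c)
    # A class outside the app's own package (and not the "." shorthand for it)
    # usually belongs to a bundled SDK, the vehicle the article describes.
    third_party = sorted(
        name for _, name in added_components
        if name and not name.startswith(".") and not name.startswith(pkg + ".")
    )
    return {
        "versions": (old_v, new_v),
        "added_permissions": sorted(new_p - old_p),
        "removed_permissions": sorted(old_p - new_p),
        "added_components": added_components,
        "added_actions": sorted(new_a - old_a),
        "third_party_components": third_party,
    }


if __name__ == "__main__":
    for key, value in diff_manifests(MANIFEST_V1, MANIFEST_V2).items():
        print("%-22s %s" % (key, value))
```

<p>Run against the decoded manifests of the version users already trust and the update under review; a scanner app that suddenly wants to start at boot, draw over other apps, and ship receivers from a new package is the kind of change that deserves a look at the actual code before the update is approved.</p>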
<p>Transforming clean SDKs into malicious packages is only one method employed to avoid Google Play protection, with time checks, long display times, the compromise of open source libraries used by an app, and dynamic loading <a href="https://www.zdnet.com/article/this-is-how-malicious-android-apps-avoid-googles-security-vetting/">also cited as potential ways</a> for attackers to compromise your mobile device. </p>
<p>Another interesting method, spotted by Trend Micro, is the implementation of a <a href="https://www.zdnet.com/article/these-malicious-android-apps-will-only-strike-when-you-move-your-smartphone/">motion sensor check</a>. In 2019, Android utility apps were found to contain the Anubis banking Trojan which would only deploy once a user moved their handset. </p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p><strong>Reporting: </strong><a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p><strong>Website: </strong><a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></p>
<p><strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a></p>
<p><strong>Twitter: </strong><a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></p>
<p><strong>Weekly Cyber Intelligence Briefings: </strong></p>
<p><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<p><a href="{{#staticFileLink}}8543851095,original{{/staticFileLink}}">TR-21-042-001_10mDevices.pdf</a> </p>
<p><a href="https://www.zdnet.com/article/with-one-update-this-malicious-android-app-hijacked-10-million-devices/">https://www.zdnet.com/article/with-one-update-this-malicious-android-app-hijacked-10-million-devices/</a></p>
</div>Are you feeling Lucky Today?https://redskyalliance.org/xindustry/are-you-feeling-lucky-today2021-02-08T19:30:18.000Z2021-02-08T19:30:18.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}8533132083,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8533132083,RESIZE_400x{{/staticFileLink}}" width="250" alt="8533132083?profile=RESIZE_400x" /></a>A recently identified malvertising campaign targeting users of mobile and other connected devices makes heavy use of obfuscation and cloaking to avoid detection. Named LuckyBoy, the multi-stage, tag-based campaign is focused on iOS, Android, and Xbox users. Since December 2020, it has penetrated over 10 Demand Side Platforms (DSPs), primarily Europe-based, with observed campaigns affecting users in the U.S. and Canada.</p>
<p>According to security vendor Media Trust, the malware checks for a global variable ‘luckyboy’ that allows it to detect whether blockers, testing environments, or active debuggers are present on the device. If any are detected, the malware will not execute. Should it run on a target environment, the malware executes a tracking pixel programmed to redirect the user to malicious content, including phishing pages and fake software updates.</p>
<p>The LuckyBoy Malware is a Trojan that redirects the user's browser to corrupted sites, such as fake update domains, and gives attackers information with which to compromise the device. The LuckyBoy Malware targets victims through malvertising (or 'corrupted advertising') content for mobile and gaming environments. Owners of at-risk devices can protect them with up-to-date and credible security solutions that are prepared to remove the LuckyBoy Malware, and should monitor their web browsing for symptoms such as website redirects.</p>
<p>Website redirects are not the only danger in the LuckyBoy Malware's payload. Although malware analysts have yet to find any in-depth backdoor features, it transfers some system information to the attackers' servers, such as country codes, touch interface availability, and CPU core counts. Generalized reconnaissance of this type is often a preliminary to additional attacks that drop other threats onto the system or completely take over the device.</p>
<p>LuckyBoy was observed operating in bursts: small campaigns are launched on Thursday nights, with only a few compromised tags, and continue throughout the weekend. Multiple checks are performed as the campaign advances through stages, with extensive code obfuscation and domain exclusion employed, and device-specific information extracted.</p>
<p>The harvested device data includes country code, window size, graphics information, number of CPU cores, battery level, current domain, plugins, the presence of webdriver, and whether touch is available, likely to set up future attacks. The malware continuously performs checks to ensure that the value of the global variable remains ‘luckyboy’. Otherwise, the script stops execution and exits after delivering a clean creative to the user.</p>
<p>LuckyBoy is likely executing tests, probing to gauge their success before launching a broader attack. The campaign was confirmed to execute on tags wrapped with malware-blocking code, bypassing these defenses, which is further evidence of its sophistication. The security firm says it is currently working with Google and TAG Threat Exchange to isolate the buyer and block them from launching these campaigns.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p><strong>Reporting: </strong><a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p><strong>Website: </strong><a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></p>
<p><strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a></p>
<p><strong>Twitter: </strong><a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></p>
<p><strong>Weekly Cyber Intelligence Briefings: </strong></p>
<p><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<p> <a href="{{#staticFileLink}}8533131086,original{{/staticFileLink}}">TR-21-039-002_Lucky.pdf</a></p>
<p><a href="https://www.securityweek.com/luckyboy-malvertising-campaign-hits-ios-android-xbox-users">https://www.securityweek.com/luckyboy-malvertising-campaign-hits-ios-android-xbox-users</a></p>
</div>Ghimob is Not a New Dance Step from Brazilhttps://redskyalliance.org/xindustry/ghimob-brazil2020-11-19T22:28:44.000Z2020-11-19T22:28:44.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}8196287665,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8196287665,RESIZE_400x{{/staticFileLink}}" alt="8196287665?profile=RESIZE_400x" width="250" /></a>Brazil is known for its pristine beaches, nightlife, hot dancing, and of course - The Girl from Ipanema. A recently uncovered Brazilian banking Trojan targeting Android devices can spy on over 150 apps, including those of banks, cryptocurrency exchanges, and fintech firms, as a way to gather credentials and other data, according to an analysis by security firm Kaspersky. A Trojan is sometimes called a Trojan virus or a Trojan horse virus, but that is a contradiction. Viruses can execute and replicate themselves. A Trojan cannot. A user must execute Trojans. Even so, Trojan malware and Trojan virus are often used interchangeably. This malware, called Ghimob, which was developed by fraudsters in Brazil and is currently in use there, has also targeted apps associated with banks and their customers in Germany, Portugal, Peru, Paraguay, Angola, and Mozambique. I wonder if they live in Ipanema, Brazil.</p>
<p>The Trojan appears to be linked to several other malware variants developed by the same Brazilian cybercriminal group. These banking Trojans are collectively known as Tétrade, an umbrella term for four distinct malware strains: Guildma, Javali, Melcoz, and Grandoreiro. Security research indicates that Ghimob has been developed by the same cybercriminals who coded the Astaroth Windows malware. It is interesting to note that the official Google Play Store has not yet been abused as a distribution channel. For this purpose, the hackers used malicious Android apps on sites and servers previously deployed by Astaroth.</p>
<p>Astaroth is a well-known player in the field of banking Trojans. One of its latest updates was observed in May 2020. Cisco Talos researchers detected that Astaroth was upgraded with advanced obfuscation and anti-analysis techniques. The May 2020 campaigns also displayed an innovative use of YouTube channel descriptions for encoded command-and-control communications.</p>
<p>Since 2011, the operators behind the Tétrade family of Trojans have mainly targeted financial institutions in Brazil. In recent months, the cybercriminals have started expanding globally, reengineering the malware to better evade security tools. "Brazilian cybercriminals are very active and are creating new banking Trojans for desktop and mobile platforms," says a security expert at Kaspersky. "Right now, they are in a move to expand their attacks abroad, and Ghimob is one important step in this movement."</p>
<p>Kaspersky researchers first came across the Ghimob Trojan in August 2020 while examining a Windows campaign related to another malware strain circulating in Brazil. "We believe this campaign could be related to the Guildma, a Brazilian banking Trojan threat actor for several reasons, mainly because they share the same infrastructure," according to the report. "It is also important to note that the protocol used in the mobile version is very similar to that used for the Windows version."</p>
<p>Unlike other types of Android-focused malware, the Ghimob Trojan does not disguise itself as a legitimate app that is hidden within the official Google Play Store. Instead, the criminals attempt to lure victims into installing a malicious file through a phishing or spam email that suggests that the recipient has debt. The message includes an "informational" link for the victim to click on, which starts the malware delivery. The malicious link is usually disguised to appear as either a Google Defender, a Google Doc, or a WhatsApp Updater. If opened, it installs the Ghimob Trojan within the device. The malware's first step is to check for any emulators or debuggers which, if found, are terminated.</p>
<p>If there are no security tools present in the compromised Android device, Ghimob connects to a command-and-control server and starts sending back details such as the phone model, whether the device has lock screen security, and a list of all installed apps that the malware can target. Then the Trojan, which is known for its ability to harvest credentials and a wide range of other data, can target up to 150 banking and financial apps, most of which are used in Brazil. The list of targeted apps is likely to expand as the criminals become greedy. "Even if the user uses a lock screen pattern, Ghimob is able to record it and replay it to unlock the device," according to Kaspersky. "When the actors are ready to perform a fraudulent transaction, they can insert a blank or black screen overlay or open some websites in full screen. While the user looks at that screen, the attackers perform the fraudulent transaction in the background, using the already opened or logged-in financial app running on the device."</p>
<p>Ghimob can block a user from attempting to uninstall the Trojan. The malware can also shut down and restart a device. The malware uses domain generation algorithms as a way to disguise its command-and-control IP address to help evade security tools, according to the report.</p>
<p>Since smartphones are increasingly becoming a primary means of computing, attacks on phone apps will continue. The installation, updating and monitoring of firewalls, cybersecurity tools, and proper employee training are keys to blocking attacks. Employing underground search to proactively stop attacks is also important and a great supporting capability. Please feel free to contact our analyst team for research assistance and proactive Cyber Threat Analysis on your organization.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings: </p>
<p><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul></div>Ghimob Android Malwarehttps://redskyalliance.org/xindustry/ghimob-android-malware2020-11-19T14:22:00.000Z2020-11-19T14:22:00.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}8195120853,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8195120853,RESIZE_400x{{/staticFileLink}}" width="250" alt="8195120853?profile=RESIZE_400x" /></a>Security researchers have discovered a new Android banking trojan that can spy and steal data from 153 Android applications.</p>
<p>Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published on Monday by Kaspersky. Kaspersky says the new Android trojan has been offered for download packed inside malicious Android apps on sites and servers previously used by the Astaroth operation. Distribution was never carried out via the official Play Store. Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.</p>
<p>These apps mimicked official apps and brands, with names such as Google Defender, Google Docs, WhatsApp Updater, or Flash Update. If users were careless enough to install the apps despite all the warnings shown on their devices, the malicious apps would request access to the Accessibility service as a final step in the infection process.</p>
<p>If this was granted, the app would search the infected phone for any of 153 targeted apps, for which it would show fake login pages in an attempt to steal the user's credentials. Most of the targeted apps were for Brazilian banks, but in recently updated versions, Kaspersky said, Ghimob also expanded its capabilities to start targeting banks in Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola and Mozambique (one app per country).</p>
<p>Ghimob was also updated to target cryptocurrency exchange apps in an attempt to gain access to cryptocurrency accounts, following a general trend in the Android malware scene, which has slowly shifted to target cryptocurrency owners. After any phishing attempt was successful, all collected credentials were sent back to the Ghimob gang, which would then access the victim's account and initiate illegal transactions.</p>
<p>If accounts were protected by hardened security measures, the Ghimob gang used its full control over the device (via the Accessibility service) to respond to any security probes and prompts shown on the attacked smartphone.</p>
<p>Ghimob's features aren't unique, but actually copy the make-up of other Android banking trojans, such as Blackrock or Alien.</p>
<p>Kaspersky noted that Ghimob's development currently echoes a global trend in the Brazilian malware market, with the very active local threat actors slowly expanding to target victims in countries abroad.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.</p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>What can you do to better protect your organization today?</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Implement two-factor authentication company-wide (read: multifactor authentication, or MFA).</li>
<li>Join and become active in your local Infragard chapter; there is no charge for membership. <a href="http://www.infragard.org">infragard.org</a></li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p><strong>Reporting: </strong><a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p><strong>Website: </strong><a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></p>
<p><strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a></p>
<p><strong>Twitter: </strong><a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></p>
<p><strong>Weekly Cyber Intelligence Briefings: </strong></p>
<p><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<p> </p>
<p><a href="{{#staticFileLink}}8195124867,original{{/staticFileLink}}">TR-20-324-001.pdf</a></p></div>MalLocker.B Ransomware Targeting Android Smartphone Usershttps://redskyalliance.org/xindustry/mallockerb-android-ransomware2020-10-14T20:48:07.000Z2020-10-14T20:48:07.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}8035933500,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8035933500,RESIZE_400x{{/staticFileLink}}" alt="8035933500?profile=RESIZE_400x" width="250" /></a>A new ransomware has emerged online threatening Android security. This new malware triggers on an infected phone as soon as the victim presses the Home key. Researchers at Microsoft are warning about a new strain of mobile ransomware that takes advantage of incoming call notifications and Android's Home button to lock the device behind a ransom note.</p>
<p>The findings concern a variant of a known Android ransomware family called "MalLocker.B", which has resurfaced with new techniques. This malware includes a novel means of delivering the ransom demand on infected devices as well as an obfuscation mechanism to evade security solutions. The development comes amid a huge surge in ransomware attacks against critical infrastructure across sectors, with a 50% increase in the daily average of ransomware attacks in the last three months compared to the first half of the year. Cybercriminals are increasingly incorporating extortion into their playbooks.</p>
<p>MalLocker has been known for being hosted on malicious websites and circulated on online forums using various social engineering lures, masquerading as popular apps, cracked games, or video players. The ransomware reaches target devices via apps available on third-party app stores. This malware is active in the wild, and Android users should be careful when downloading apps from any store other than Google Play. The main reason it caught the attention of analysts is its ever-evolving evil intent and its ability to bypass security safeguards, which has allowed this malware to hide from current anti-malware solutions.<a href="#_ftn1">[1]</a></p>
<p>The malware does not encrypt the data on the target device; rather, it blocks the user’s access to the device. Previous instances of Android ransomware have exploited Android accessibility features or the permission called "SYSTEM_ALERT_WINDOW" to display a persistent window atop all other screens to show the ransom note, which typically masquerades as a fake police notice or an alert about purportedly finding explicit images on the device. The ransom note can also mimic a legal notice from a tax or law enforcement agency. The note demands payment for a crime the victim has supposedly committed.</p>
<p>As soon as anti-malware software began detecting this behavior, the new Android ransomware variant evolved to overcome this barrier. What has changed with MalLocker.B is the method by which it achieves the same goal, via an entirely new tactic. To do this, it leverages the "call" notification that is used to alert the user about incoming calls in order to display a window that covers the entire area of the screen, and subsequently combines it with a Home or ‘Recents’ keypress to bring the ransom note to the foreground and prevent the victim from switching to any other screen. "This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as a system window," researchers noted.</p>
<p>Aside from incrementally building on an array of aforementioned techniques to show the ransomware screen, Microsoft also noted the presence of a yet-to-be-integrated machine learning model that could be used to fit the ransom note image within the screen without distortion. This could be a preview of the next stage of malware features. To mask its true purpose, the ransomware code is heavily obfuscated and made unreadable through name mangling and deliberate use of meaningless variable names and junk code to inhibit analysis.</p>
<p>"This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow," Microsoft 365 Defender Research Team said. "It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals."</p>
<p><strong>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.</strong></p>
<p><strong>The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</strong></p>
<p><strong>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.</strong></p>
<ul>
<li><strong>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></strong></li>
<li><strong>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></strong></li>
<li><strong>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></strong></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2020/10/android-ransomware-lock.html">https://thehackernews.com/2020/10/android-ransomware-lock.html</a></p></div>Android Ransomware Up to New Trickshttps://redskyalliance.org/xindustry/android-ransomware-up-to-new-tricks2020-07-16T16:21:52.000Z2020-07-16T16:21:52.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}6932015855,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}6932015855,RESIZE_400x{{/staticFileLink}}" width="250" alt="6932015855?profile=RESIZE_400x" /></a>A new strain of ransomware has arisen in Canada, targeting Android users, and locking up personal photos and videos. Named CryCryptor by cyber threat investigators, it has initially been spotted pretending to be the official COVID-19 tracing app provided by Health Canada. It is propagating via two different bogus websites that pretend to be official. According to ESET researchers, one called tracershield[dot]ca. Like other ransomware families, it encrypts targeted files. But, instead of simply locking the device, CryCryptor leaves a “readme” file with the attacker’s email in every directory.</p><p>When a victim launches the app, it requests access to files on the Android device. The selected files are then encrypted with a randomly generated 16-character key. The targeted files include photos and videos. Once encryption is complete, CryCryptor displays a notification that says, “Personal files encrypted, see readme_now.txt.” That readme_now.txt file is placed in every directory with encrypted files. 
The developers attempted to disguise the project, called CryDroid, as legitimate and claim to have uploaded the code to the VirusTotal service.</p><p>This type of bug, listed as an “Improper Export of Android Application Components,” occurs when an Android application “exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains,” according to MITRE. Because of the bug in the app, any other app that is installed on the affected device can launch any exported service provided by the ransomware.</p><p>The service responsible for file decryption in CryCryptor has the encryption key stored in shared preferences, meaning it does not have to contact any C2 (command and control) server to retrieve it. Because the service is exported without any restriction in the Android manifest (security weakness CWE-926), it is possible to launch it externally.</p><p>CryCryptor, like other malware, is looking to take advantage of governments rolling out COVID-19 tracing apps to fight the pandemic. The Canadian government officially announced the creation of a nationwide, voluntary tracing app called COVID Alert, due to be rolled out for testing in the province of Ontario in July. The new ransomware family surfaced just a few days later. CryCryptor is not the first malware to try to leverage fears of coronavirus/COVID-19 as a method of attacking smartphone or computer users. 
Microsoft announced in May that it was tracking a massive <a href="https://hothardware.com/news/covid-19-malware-campaign-uses-excel">phishing malware campaign</a> that spread using malicious Excel spreadsheets promising coronavirus data.</p><p>What can you do to better protect your organization today?</p><ul><li>Proper data back-up and off-site storage policies should be adopted and followed.</li><li>Institute cyber threat and phishing training for all employees, with testing and quarterly updates.</li><li>Manage, review and update file permissions and access for all employees.</li><li>Phishing is normally the first step in a broader attack campaign.</li><li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li><li>Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.</li><li>RedXray customers can receive up to $100,000 in ransomware coverage at no additional expense to them.</li><li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li></ul><p>Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. 
</p><p>For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p><ul><li><strong>Reporting: </strong><a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br /> <strong>Website: </strong><a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a><br /> <strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a><br /> <strong>Twitter: </strong><a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></li></ul><p> </p><p><a href="{{#staticFileLink}}6932080080,original{{/staticFileLink}}">TR-20-197-001_Anroid Ransomware07142020.pdf</a></p></div>
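The CryCryptor write-up above turns on CWE-926, a service exported from the Android manifest with no permission guard. As an added example that is not part of the Red Sky Alliance post or ESET's analysis, the following Python audit flags that pattern in a manifest; the manifest it runs on is constructed for the example, and the export-default rule it applies (an intent-filter implies export unless android:exported is set) is the pre-Android 12 behaviour, assumed here.

```python
"""Audit an AndroidManifest.xml for CWE-926 (Improper Export of Android
Application Components): components any other app on the device may launch.

Added example, not code from the post or from the ransomware.  The sample
manifest below is constructed for this demonstration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: DecryptService is exported with no permission (the
# CWE-926 pattern the post describes), GuardedService is exported but
# protected by a signature permission, PrivateService is not exported, and
# ListenerService is implicitly exported by its intent-filter.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <permission android:name="com.example.constructed.INTERNAL"
      android:protectionLevel="signature"/>
  <application>
    <service android:name=".DecryptService" android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
        android:permission="com.example.constructed.INTERNAL"/>
    <service android:name=".PrivateService" android:exported="false"/>
    <service android:name=".ListenerService">
      <intent-filter>
        <action android:name="com.example.constructed.ACTION_PING"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Apply the pre-Android 12 default (assumption: targetSdk below 31):
    an explicit android:exported wins; otherwise a component carrying an
    intent-filter is exported and one without is not."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def find_unguarded_exports(manifest_xml, tags=("service", "receiver", "activity")):
    """Return (tag, name) pairs for components that are exported and carry no
    android:permission, i.e. reachable by any app installed on the device.
    Content providers are left out because their export default differs by
    target SDK."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for tag in tags:
        for component in app.findall(tag):
            if is_exported(component) and android_attr(component, "permission") is None:
                findings.append((tag, android_attr(component, "name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unguarded_exports(SAMPLE_MANIFEST):
        print("CWE-926 candidate: <%s> %s" % (tag, name))
```

On the sample manifest the audit reports .DecryptService and .ListenerService, which is exactly the exposure that let CryCryptor's decryption routine be triggered by any other app on the phone.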