Google Play app with 100 million downloads executed secret payloads

(credit: NurPhoto | Getty Images)

The perils of Google Play are once again on display with the discovery of an app with 100 million downloads that contained a malicious component that downloaded secret payloads onto infected Android devices.

Throughout most of its life, CamScanner was a legitimate app that provided useful functions for scanning and managing documents, researchers from antivirus provider Kaspersky Lab said on Tuesday. To make money, the developers displayed ads and offered in-app purchases.

Then, at some point, things changed. The app was updated to add an advertising library that contained a malicious module. This component was what’s known as a “Trojan dropper,” meaning it regularly downloaded encrypted code from a developer-designated server at https://abc.abcdserver[.]com and then decrypted and executed it on infected devices. The module, which Kaspersky Lab researchers named Trojan-Dropper.AndroidOS.Necro.n, could download and execute whatever the developers wanted at any time. The researchers said that they have previously found Trojan-Dropper.AndroidOS.Necro.n lurking inside apps that are preinstalled on some phones sold in China.

Tuesday’s massive ransomware outbreak was, in fact, something much worse

Code in Tuesday's attack, shown on the left, was altered to permanently destroy hard drives. (credit: Matt Suiche)

Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying hard drives.

Initially, researchers said the malware was a new version of the Petya ransomware that first struck in early 2016. Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya's behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it's impossible for victims to recover their data.

In other words, the researchers said, the payload delivered in Tuesday's outbreak wasn't ransomware at all. Instead, its true objective was to permanently destroy as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak.

Advanced CIA firmware has been infecting Wi-Fi routers for years

(credit: D-Link)

Home routers from 10 manufacturers, including Linksys, D-Link, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.

CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it's likely modifications would allow the implant to run on at least 100 more.

(credit: WikiLeaks)

The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a "FlyTrap" that beacons a CIA-controlled server known as a "CherryTree." The beacon includes device status and security information that the CherryTree logs to a database. In response, the CherryTree sends the infected device a "Mission" consisting of specific tasks tailored to the target. CIA operators can use a "CherryWeb" browser-based user interface to view FlyTrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

Microsoft’s recent success in blocking in-the-wild attacks is eerily good

(credit: Stephen Brashear / Getty Images News)

Microsoft engineers have neutralized a series of attacks that took control of targeted computers by exploiting independent vulnerabilities in Word and Windows. Remarkably, the software maker said fixes or partial mitigations for all four security bugs were released before it received private reports of the attacks.

Both versions of the attacks used malformed Word documents that were attached to phishing e-mails sent to a highly select group of targets. The malicious documents chained together two exploits, one that targeted flaws in an Encapsulated PostScript filter in Word and the other that targeted elevation-of-privilege bugs in Windows so that the attack could break out of the security sandbox that fortifies Office. Encapsulated PostScript is an old format that's rarely used any more.

One version of the attacks combined an exploit for a Word EPS flaw designated as CVE-2017-0261 with an exploit for CVE-2017-0001, a Windows privilege-escalation bug. By the time Microsoft received a private report of ongoing attacks in March, the company had already released a partial fix as part of its March Update Tuesday release. A second attack version exploited an EPS flaw indexed as CVE-2017-0262 in combination with CVE-2017-0263, a separate Windows privilege-elevation flaw.
