Feed aggregator

Dropbox Denies Hack, Says ‘Your Stuff is Safe’

Threatpost for B2B - Tue, 10/14/2014 - 09:28
Dropbox officials on Monday said that a large cache of usernames and passwords posted online and alleged to have come from the company’s users are not related to Dropbox customer accounts. A spate of media reports reported yesterday that attackers had stolen several million sets of credentials from Dropbox and posted them online. The claim of […]

Sandworm APT Team Found Using Windows Zero Day Vulnerability

Threatpost for B2B - Tue, 10/14/2014 - 05:11
A cyberespionage team, possibly based in Russia, has been using a Windows zero day vulnerability to target a variety of organizations in several countries, including the United States, Poland, Ukraine and western Europe.

Backoff Malware Identified as Culprit in Dairy Queen Breach

Threatpost for B2B - Fri, 10/10/2014 - 13:19
Close to 400 Dairy Queen locations were breached this summer and the company has pinned the blame on hackers using the Backoff point-of-sale malware.

EFF Launches New Anti-Surveillance Site

Threatpost for B2B - Fri, 10/10/2014 - 09:27
The EFF has launched a new site dedicated to educating users about how to resist pervasive surveillance online, through the promotion of encryption and other tools and the publication of first-person stories from people around the world who have fought surveillance in various ways. The new site, I Fight Surveillance, is designed to bring attention […]

Tic Tac Toe with a twist

Secure List feed for B2B - Fri, 10/10/2014 - 04:00

UPDATE / OCT, 15.

Further to this blog post, describing malicious functions of a mobile Trojan camouflaged as the TicTacToe game app, Lacoon Mobile Security company stated that TicTacToe was developed by them as a proof-of-concept.

Kaspersky Lab would like to reiterate, that as a security company, we detect all forms of malicious program, regardless of their origin or purpose. We recieved the samples through malware exchange with other antivirus companies and it was not marked as a proof-of-concept at this time. We saw several potentially malicious functions in this app – and a thorough analysis of TicTacToe revealed that the game code accounted for less than 30% of the executable file's size. The rest is functionality appeared for monitoring user and obtaining personal data. It is for this reason that we began the investigation and reported the incident to the public.

We respect and support other security companies who aspire to the development of mobile technologies, but we also believe that proof-of-concept programs should be marked clearly and shouldn't demonstrate fully-operational functions, to avoid situations where malicious users replicate the techniques.

Attempts by cybercriminals to disguise malware as useful applications are common to the point of being commonplace. However, the developers of Gomal, a new mobile Trojan, not only achieved a new level of camouflage by adding Tic Tac Toe game to their malicious program, but also implemented interesting techniques which are new to this kind of malware.

It all started with a Tic Tac Toe game being sent to us for analysis. At first glance, the app looked quite harmless:

However, the list of permissions requested by the game made us wonder. Why would it need to access the Internet, the user's contacts and the SMS archive or to be able to process calls and record sound? We analyzed the 'game' and it turned out to be a piece of multi-purpose spyware. The malicious app is now detected by Kaspersky Lab products as Trojan-Spy.AndroidOS.Gomal.a.

A thorough analysis of the malicious program showed that the game code accounts for less than 30% of the executable file's size. The rest is functionality for spying on the user and stealing personal data.

Game code is marked in green, malicious functionality – in red

What does this functionality include? First and foremost, the malware has sound recording functions, which are now standard for mobile spyware:

It also has SMS-stealing functionality:

In addition, the Trojan collects information about the device and sends all the data collected to its masters' server. But Trojan-Spy.AndroidOS.Gomal.a has something really curious up its sleeve – a package of interesting libraries distributed with it.

The package includes an exploit used to obtain root privileges on the Android device. The extended privileges give the app access to various services provided by Linux (the operating system on which Android is based), including the ability to read process memory and /maps.

After obtaining root access, the Trojan gets down to work. For example, it steals emails from Good for Enterprise, if the app is installed on the smartphone. The application is positioned as a secure email client for corporate use, so the theft of data from it can mean serious problems for the company where the owner of the device works. In order to attack Good for Enterprise, the Trojan uses the console to get the ID of the relevant process (ps command) and reads virtual file /proc/ /maps. The file contains information about memory blocks allocated to the application.

After getting the list of memory blocks, the malware finds the block [heap] containing the application's string data and creates its dump using one more library from its package. Next, the dump file created is searched for signatures characteristic of emails and the messages found are sent to the cybercriminals' server.

Gomal also steals data from logcat – the logging service built into Android that is used for application debugging. Developers very often have their applications outputting critically important data to Logcat even after the apps have been released. This enables the Trojan to steal even more confidential data from other programs.

As a result, the seemingly harmless game of Tic Tac Toe gives cybercriminals access to an enormous amount of the user's personal data and corporate data belonging to his employer. The techniques used by Gomal were originally implemented in Windows Trojans, but now, as we can see, they have moved on to Android malware. And, most dangerously, the principles upon which this technique is based can be used to steal data from applications other than Good for Enterprise – it is likely that a range of mobile malware designed to attack popular email clients, messengers and other programs will appear in the near future.

To reduce the risk of infection by mobile malware we recommend that users:
  • Do not activate the "Install applications from third-party sources" option
  • Only install applications from official channels (Google Play, Amazon Store, etc.)
  • When installing new apps, carefully study which rights they request
  • If the requested rights do not correspond with the app's intended functions, do not install the app
  • Use protection software
Update:

Trojan-Spy.AndroidOS.Gomal.a uses an old version of the exploit, which is effective on Samsung devices running Android 4.0.4 or earlier. This particular version of the malware could not successfully attack a corporate email client on devices with newer firmware.
So far, we have not seen any attempts to infect our users with the Gomal Trojan. However, even though this sample is not currently active in-the-wild, we detect it so we will be able to block any future attacks by mobile malicious programs based on this proof-of-concept malware.

Microsoft Ready With Nine Bulletins, New Critical IE Patches

Threatpost for B2B - Thu, 10/09/2014 - 14:20
Microsoft published its Patch Tuesday advance notification, advising IT shops to be ready for nine bulletins, including three critical patches.

Rovnix Variant Surfaces With New DGA

Threatpost for B2B - Thu, 10/09/2014 - 13:17
Researchers have unearthed a new version of the Rovnix malware that has a couple of additional features, including a new domain generation algorithm and a secure transmission channel for communicating with the command-and-control servers. Rovnix is a malware variant that often has been distributed by other kinds of malware. Last year Microsoft warned users about a […]

SAP Patches Seven Vulnerabilities in Three Products

Threatpost for B2B - Thu, 10/09/2014 - 12:19
SAP recently pushed out patches to address seven vulnerabilities in three different lines of software that could have opened those running the systems up to complete compromise.

Shellshock Exploits Spreading Mayhem Botnet Malware

Threatpost for B2B - Thu, 10/09/2014 - 11:36
Researchers at Malware Must Die published a report that hackers are spreading Mayhem botnet malware in exploits targeting the Shellshock vulnerability in Bash.

Wyden: Surveillance is a ‘Clear and Present Danger’ to the Digital Economy

Threatpost for B2B - Thu, 10/09/2014 - 09:39
The pervasive dragnet surveillance of Americans revealed by the Edward Snowden documents has caused serious damage to the trust that enterprises and citizens had in the United States government and unless that trust is repaired, it could have serious effects on the Internet economy, a panel of prominent technology executives said. In a town hall meeting […]

EFF Issues Arguments Against National Security Letters

Threatpost for B2B - Thu, 10/09/2014 - 08:51
The Electronic Frontier Foundation and the Justice Department squared off on the topic of National Security Letters in a San Francisco courtroom yesterday. This fight's next stop is likely the Supreme Court.

[Bad]USB ‘Patch’ Skirts More Effective Options

Threatpost for B2B - Thu, 10/09/2014 - 06:54
Researchers who released attack code against vulnerabilities in USB devices followed that up with a patch, that they and researcher Karsten Nohl acknowledge isn't enough to solve the problem.

Google Fixes 159 Flaws in Chrome

Threatpost for B2B - Thu, 10/09/2014 - 06:02
Google updates its Chrome browser on a very aggressive timeline, often a couple of times a month. Usually, each update includes a handful of security fixes, maybe 12 or 15. On Tuesday, the company released Chrome 38, which patched a staggering 159 vulnerabilities. The huge majority of those patches–113 of them–fix minor vulnerabilities in the […]
Syndicate content