| {"text": "Super Mario Run Malware # 2 – DroidJack RAT Gamers love Mario and Pokemon , but so do malware authors .", "spans": {"Malware: Super Mario Run Malware": [[0, 23]], "Malware: DroidJack RAT": [[30, 43]], "System: Mario": [[56, 61]], "System: Pokemon": [[66, 73]]}, "info": {"id": "securebert2_train_00000", "source": "securebert2_train"}} |
| {"text": "A few days back , we wrote about an Android Marcher trojan variant posing as the Super Mario Run game for Android .", "spans": {"System: Android": [[36, 43], [106, 113]], "Malware: Marcher": [[44, 51]], "System: Super Mario Run": [[81, 96]]}, "info": {"id": "securebert2_train_00001", "source": "securebert2_train"}} |
| {"text": "We have found another instance of malware posing as the Super Mario Run Android app , and this time it has taken the form of DroidJack RAT ( remote access trojan ) .", "spans": {"System: Super Mario Run": [[56, 71]], "System: Android": [[72, 79]], "Malware: DroidJack RAT": [[125, 138]]}, "info": {"id": "securebert2_train_00002", "source": "securebert2_train"}} |
| {"text": "Proofpoint wrote about the DroidJack RAT side-loaded with the Pokemon GO app back in July 2016 ; the difference here is that there is no game included in the malicious package .", "spans": {"Organization: Proofpoint": [[0, 10]], "Malware: DroidJack RAT": [[27, 40]], "System: Pokemon GO": [[62, 72]]}, "info": {"id": "securebert2_train_00003", "source": "securebert2_train"}} |
| {"text": "The authors are trying to latch onto the popularity of the Super Mario Run game to target eagerly waiting Android users .", "spans": {"System: Super Mario Run": [[59, 74]], "System: Android": [[106, 113]]}, "info": {"id": "securebert2_train_00004", "source": "securebert2_train"}} |
| {"text": "Details : Name : Super Mario Run Package Name : net.droidjack.server MD5 : 69b4b32e4636f1981841cbbe3b927560 Technical Analysis : The malicious package claims to be the Super Mario Run game , as shown in the permissions screenshot below , but in reality this is a malicious RAT called DroidJack ( also known as SandroRAT ) that is getting installed .", "spans": {"System: Super Mario Run": [[17, 32], [168, 183]], "Indicator: net.droidjack.server": [[48, 68]], "Indicator: 69b4b32e4636f1981841cbbe3b927560": [[75, 107]], "Malware: DroidJack": [[284, 293]], "Malware: SandroRAT": [[310, 319]]}, "info": {"id": "securebert2_train_00005", "source": "securebert2_train"}} |
| {"text": "Once installed , the RAT registers the infected device as shown below .", "spans": {}, "info": {"id": "securebert2_train_00006", "source": "securebert2_train"}} |
| {"text": "DroidJack RAT starts capturing sensitive information like call data , SMS data , videos , photos , etc .", "spans": {"Malware: DroidJack RAT": [[0, 13]]}, "info": {"id": "securebert2_train_00007", "source": "securebert2_train"}} |
| {"text": "Observe below the code routine for call recording .", "spans": {}, "info": {"id": "securebert2_train_00008", "source": "securebert2_train"}} |
| {"text": "This RAT records all the calls and stores the recording to an “ .amr ” file .", "spans": {"Indicator: .amr": [[64, 68]]}, "info": {"id": "securebert2_train_00009", "source": "securebert2_train"}} |
| {"text": "The following is the code routine for video capturing .", "spans": {}, "info": {"id": "securebert2_train_00010", "source": "securebert2_train"}} |
| {"text": "Here , the RAT stores all the captured videos in a “ video.3gp ” file .", "spans": {"Indicator: video.3gp": [[53, 62]]}, "info": {"id": "securebert2_train_00011", "source": "securebert2_train"}} |
| {"text": "It also harvests call details and SMS logs as shown below .", "spans": {}, "info": {"id": "securebert2_train_00012", "source": "securebert2_train"}} |
| {"text": "Upon further inspection , we have observed that this RAT extracts WhatsApp data too .", "spans": {"System: WhatsApp": [[66, 74]]}, "info": {"id": "securebert2_train_00013", "source": "securebert2_train"}} |
| {"text": "The RAT stores all the data in a database ( DB ) in order to send it to the Command & Control ( C & C ) server .", "spans": {}, "info": {"id": "securebert2_train_00014", "source": "securebert2_train"}} |
| {"text": "The following are the DBs created and maintained by the RAT .", "spans": {}, "info": {"id": "securebert2_train_00015", "source": "securebert2_train"}} |
| {"text": "We saw the following hardcoded C & C server location in the RAT package : Conclusion : The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware .", "spans": {"Malware: DroidJack RAT": [[91, 104]]}, "info": {"id": "securebert2_train_00016", "source": "securebert2_train"}} |
| {"text": "In this case , like others before , the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT .", "spans": {}, "info": {"id": "securebert2_train_00017", "source": "securebert2_train"}} |
| {"text": "As a reminder , it is always a good practice to download apps only from trusted app stores such as Google Play .", "spans": {"System: Google Play": [[99, 110]]}, "info": {"id": "securebert2_train_00018", "source": "securebert2_train"}} |
| {"text": "This practice can be enforced by unchecking the \" Unknown Sources '' option under the \" Security '' settings of your device .", "spans": {}, "info": {"id": "securebert2_train_00019", "source": "securebert2_train"}} |
| {"text": "XLoader Disguises as Android Apps , Has FakeSpy Links This new XLoader variant poses as a security app for Android devices , and uses a malicious iOS profile to affect iPhone and iPad devices .", "spans": {"Malware: XLoader": [[0, 7], [63, 70]], "System: Android": [[21, 28], [107, 114]], "Malware: FakeSpy": [[40, 47]], "System: iOS": [[146, 149]], "System: iPhone": [[168, 174]], "System: iPad": [[179, 183]]}, "info": {"id": "securebert2_train_00020", "source": "securebert2_train"}} |
| {"text": "By : Hara Hiroaki , Lilang Wu , Lorin Wu April 02 , 2019 In previous attacks , XLoader posed as Facebook , Chrome and other legitimate applications to trick users into downloading its malicious app .", "spans": {"Malware: XLoader": [[79, 86]], "System: Facebook": [[96, 104]], "System: Chrome": [[107, 113]]}, "info": {"id": "securebert2_train_00021", "source": "securebert2_train"}} |
| {"text": "Trend Micro researchers found a new variant that uses a different way to lure users .", "spans": {"Organization: Trend Micro": [[0, 11]]}, "info": {"id": "securebert2_train_00022", "source": "securebert2_train"}} |
| {"text": "This new XLoader variant poses as a security app for Android devices , and uses a malicious iOS profile to affect iPhone and iPad devices .", "spans": {"Malware: XLoader": [[9, 16]], "System: Android": [[53, 60]], "System: iOS": [[92, 95]], "System: iPhone": [[114, 120]], "System: iPad": [[125, 129]]}, "info": {"id": "securebert2_train_00023", "source": "securebert2_train"}} |
| {"text": "Aside from a change in its deployment techniques , a few changes in its code set it apart from its previous versions .", "spans": {}, "info": {"id": "securebert2_train_00024", "source": "securebert2_train"}} |
| {"text": "This newest variant has been labeled XLoader version 6.0 ( detected as AndroidOS_XLoader.HRXD ) , following the last version discussed in a previous research on the malware family .", "spans": {"Malware: XLoader": [[37, 44]], "Indicator: AndroidOS_XLoader.HRXD": [[71, 93]]}, "info": {"id": "securebert2_train_00025", "source": "securebert2_train"}} |
| {"text": "Infection chain The threat actors behind this version used several fake websites as their host — copying that of a Japanese mobile phone operator ’ s website in particular — to trick users into downloading the fake security Android application package ( APK ) .", "spans": {"System: Android": [[224, 231]]}, "info": {"id": "securebert2_train_00026", "source": "securebert2_train"}} |
| {"text": "Monitoring efforts on this new variant revealed that the malicious websites are spread through smishing .", "spans": {}, "info": {"id": "securebert2_train_00027", "source": "securebert2_train"}} |
| {"text": "The infection has not spread very widely at the time of writing , but we ’ ve seen that many users have already received its SMS content .", "spans": {}, "info": {"id": "securebert2_train_00028", "source": "securebert2_train"}} |
| {"text": "In the past , XLoader showed the ability to mine cryptocurrency on PCs and perform account phishing on iOS devices .", "spans": {"Malware: XLoader": [[14, 21]], "System: iOS": [[103, 106]]}, "info": {"id": "securebert2_train_00029", "source": "securebert2_train"}} |
| {"text": "This new wave also presents unique attack vectors based on the kind of device it has accessed .", "spans": {}, "info": {"id": "securebert2_train_00030", "source": "securebert2_train"}} |
| {"text": "In the case of Android devices , accessing the malicious website or pressing any of the buttons will prompt the download of the APK .", "spans": {"System: Android": [[15, 22]]}, "info": {"id": "securebert2_train_00031", "source": "securebert2_train"}} |
| {"text": "However , successfully installing this malicious APK requires that the user has allowed the installation of such apps as controlled in the Unknown Sources settings .", "spans": {}, "info": {"id": "securebert2_train_00032", "source": "securebert2_train"}} |
| {"text": "If users allow such apps to be installed , then it can be actively installed on the victim ’ s device .", "spans": {}, "info": {"id": "securebert2_train_00033", "source": "securebert2_train"}} |
| {"text": "The infection chain is slightly more roundabout in the case of Apple devices .", "spans": {"System: Apple": [[63, 68]]}, "info": {"id": "securebert2_train_00034", "source": "securebert2_train"}} |
| {"text": "Accessing the same malicious site would redirect its user to another malicious website ( hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[89, 114]]}, "info": {"id": "securebert2_train_00035", "source": "securebert2_train"}} |
| {"text": "] qwq-japan [ .", "spans": {}, "info": {"id": "securebert2_train_00036", "source": "securebert2_train"}} |
| {"text": "] com or hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[9, 34]]}, "info": {"id": "securebert2_train_00037", "source": "securebert2_train"}} |
| {"text": "] zqo-japan [ .", "spans": {}, "info": {"id": "securebert2_train_00038", "source": "securebert2_train"}} |
| {"text": "] com ) that prompts the user to install a malicious iOS configuration profile to solve a network issue preventing the site to load .", "spans": {"System: iOS": [[53, 56]]}, "info": {"id": "securebert2_train_00039", "source": "securebert2_train"}} |
| {"text": "If the user installs the profile , the malicious website will open , revealing it to be an Apple phishing site , as seen in figure 2 .", "spans": {"Organization: Apple": [[91, 96]]}, "info": {"id": "securebert2_train_00040", "source": "securebert2_train"}} |
| {"text": "Technical analysis Most of this new attack ’ s routines are similar to those of the previous XLoader versions .", "spans": {"Malware: XLoader": [[93, 100]]}, "info": {"id": "securebert2_train_00041", "source": "securebert2_train"}} |
| {"text": "However , as mentioned earlier , an analysis of this new variant showed some changes in its code in line with its new deployment method .", "spans": {}, "info": {"id": "securebert2_train_00042", "source": "securebert2_train"}} |
| {"text": "We discuss these changes and its effect on Android and Apple devices .", "spans": {"System: Android": [[43, 50]], "System: Apple": [[55, 60]]}, "info": {"id": "securebert2_train_00043", "source": "securebert2_train"}} |
| {"text": "Malicious APK Like its previous versions , XLoader 6.0 abuses social media user profiles to hide its real C & C addresses , but this time its threat actors chose the social media platform Twitter , which was never used in previous attacks .", "spans": {"Malware: XLoader 6.0": [[43, 54]], "Organization: Twitter": [[188, 195]]}, "info": {"id": "securebert2_train_00044", "source": "securebert2_train"}} |
| {"text": "The real C & C address is encoded in the Twitter names , and can only be revealed once decoded .", "spans": {"Organization: Twitter": [[41, 48]]}, "info": {"id": "securebert2_train_00045", "source": "securebert2_train"}} |
| {"text": "This adds an extra layer against detection .", "spans": {}, "info": {"id": "securebert2_train_00046", "source": "securebert2_train"}} |
| {"text": "The code for this characteristic and the corresponding Twitter accounts can be seen in figures 3 and 4 respectively .", "spans": {"Organization: Twitter": [[55, 62]]}, "info": {"id": "securebert2_train_00047", "source": "securebert2_train"}} |
| {"text": "Version 6.0 also adds a command called “ getPhoneState ” , which collects unique identifiers of mobile devices such as IMSI , ICCID , Android ID , and device serial number .", "spans": {"System: Android": [[134, 141]]}, "info": {"id": "securebert2_train_00048", "source": "securebert2_train"}} |
| {"text": "This addition is seen in Figure 5 .", "spans": {}, "info": {"id": "securebert2_train_00049", "source": "securebert2_train"}} |
| {"text": "Considering the other malicious behaviors of XLoader , this added operation could be very dangerous as threat actors can use it to perform targeted attacks .", "spans": {"Malware: XLoader": [[45, 52]]}, "info": {"id": "securebert2_train_00050", "source": "securebert2_train"}} |
| {"text": "Malicious iOS profile In the case of Apple devices , the downloaded malicious iOS profile gathers the following : Unique device identifier ( UDID ) International Mobile Equipment Identity ( IMEI ) Integrated Circuit Card ID ( ICCID ) Mobile equipment identifier ( MEID ) Version number Product number The profile installations differ depending on the iOS .", "spans": {"System: iOS": [[10, 13], [78, 81], [351, 354]], "System: Apple": [[37, 42]]}, "info": {"id": "securebert2_train_00051", "source": "securebert2_train"}} |
| {"text": "For versions 11.0 and 11.4 , the installation is straightforward .", "spans": {}, "info": {"id": "securebert2_train_00052", "source": "securebert2_train"}} |
| {"text": "If a user visits the profile host website and allows the installer to download , the iOS system will go directly to the “ Install Profile ” page ( which shows a verified safety certificate ) , and then request the users ’ passcode for the last step of installation .", "spans": {"System: iOS": [[85, 88]]}, "info": {"id": "securebert2_train_00053", "source": "securebert2_train"}} |
| {"text": "On later versions , specifically iOS 12.1.1 and iOS 12.2 , the process is different .", "spans": {"System: iOS 12.1.1": [[33, 43]], "System: iOS 12.2": [[48, 56]]}, "info": {"id": "securebert2_train_00054", "source": "securebert2_train"}} |
| {"text": "After the profile is downloaded , the iOS system will first ask users to review the profile in their settings if they want to install it .", "spans": {"System: iOS": [[38, 41]]}, "info": {"id": "securebert2_train_00055", "source": "securebert2_train"}} |
| {"text": "Users can see a “ Profile Downloaded ” added in their settings ( this feature is in iOS 12.2 , but not on iOS 12.1.1 ) .", "spans": {"System: iOS 12.2": [[84, 92]], "System: iOS 12.1.1": [[106, 116]]}, "info": {"id": "securebert2_train_00056", "source": "securebert2_train"}} |
| {"text": "This gives users a chance to see details and better understand any changes made .", "spans": {}, "info": {"id": "securebert2_train_00057", "source": "securebert2_train"}} |
| {"text": "After the review , the process is the same as above .", "spans": {}, "info": {"id": "securebert2_train_00058", "source": "securebert2_train"}} |
| {"text": "After the profile is installed , the user will then be redirected to another Apple phishing site .", "spans": {"Organization: Apple": [[77, 82]]}, "info": {"id": "securebert2_train_00059", "source": "securebert2_train"}} |
| {"text": "The phishing site uses the gathered information as its GET parameter , allowing the attacker to access the stolen information .", "spans": {}, "info": {"id": "securebert2_train_00060", "source": "securebert2_train"}} |
| {"text": "Ongoing activity While monitoring this particular threat , we found another XLoader variant posing as a pornography app aimed at South Korean users .", "spans": {"Malware: XLoader": [[76, 83]]}, "info": {"id": "securebert2_train_00061", "source": "securebert2_train"}} |
| {"text": "The \" porn kr sex '' APK connects to a malicious website that runs XLoader in the background .", "spans": {"Malware: XLoader": [[67, 74]]}, "info": {"id": "securebert2_train_00062", "source": "securebert2_train"}} |
| {"text": "The website uses a different fixed twitter account ( https : //twitter.com/fdgoer343 ) .", "spans": {"Organization: twitter": [[35, 42]], "Indicator: https : //twitter.com/fdgoer343": [[53, 84]]}, "info": {"id": "securebert2_train_00063", "source": "securebert2_train"}} |
| {"text": "This attack , however , seems exclusive to Android users , as it does not have the code to attack iOS devices .", "spans": {"System: Android": [[43, 50]], "System: iOS": [[98, 101]]}, "info": {"id": "securebert2_train_00064", "source": "securebert2_train"}} |
| {"text": "Succeeding monitoring efforts revealed a newer variant that exploits the social media platforms Instagram and Tumblr instead of Twitter to hide its C & C address .", "spans": {"Organization: Instagram": [[96, 105]], "Organization: Tumblr": [[110, 116]], "Organization: Twitter": [[128, 135]]}, "info": {"id": "securebert2_train_00065", "source": "securebert2_train"}} |
| {"text": "We labeled this new variant XLoader version 7.0 , because of the different deployment method and its use of the native code to load the payload and hide in Instagram and Tumblr profiles .", "spans": {"Malware: XLoader": [[28, 35]], "Organization: Instagram": [[156, 165]], "Organization: Tumblr": [[170, 176]]}, "info": {"id": "securebert2_train_00066", "source": "securebert2_train"}} |
| {"text": "These more recent developments indicate that XLoader is still evolving .", "spans": {"Malware: XLoader": [[45, 52]]}, "info": {"id": "securebert2_train_00067", "source": "securebert2_train"}} |
| {"text": "Adding connections to FakeSpy We have been seeing activity from XLoader since 2018 , and have since followed up our initial findings with a detailed research revealing a wealth of activity dating back to as early as January 2015 , which outlined a major discovery—its connection to FakeSpy .", "spans": {"Malware: FakeSpy": [[22, 29], [282, 289]], "Malware: XLoader": [[64, 71]]}, "info": {"id": "securebert2_train_00068", "source": "securebert2_train"}} |
| {"text": "The emergence of XLoader 6.0 does not only indicate that the threat actors behind it remain active ; it also holds fresh evidence of its connection to FakeSpy .", "spans": {"Malware: XLoader 6.0": [[17, 28]], "Malware: FakeSpy": [[151, 158]]}, "info": {"id": "securebert2_train_00069", "source": "securebert2_train"}} |
| {"text": "One such immediately apparent connection was the similar deployment technique used by both XLoader 6.0 and FakeSpy .", "spans": {"Malware: XLoader 6.0": [[91, 102]], "Malware: FakeSpy": [[107, 114]]}, "info": {"id": "securebert2_train_00070", "source": "securebert2_train"}} |
| {"text": "It had again cloned a different legitimate Japanese website to host its malicious app , similar to what FakeSpy had also done before .", "spans": {"Malware: FakeSpy": [[104, 111]]}, "info": {"id": "securebert2_train_00071", "source": "securebert2_train"}} |
| {"text": "Their similarity is made more apparent by looking at their naming method for downloadable files , domain structure of fake websites and other details of their deployment techniques , exemplified in figure 10 .", "spans": {}, "info": {"id": "securebert2_train_00072", "source": "securebert2_train"}} |
| {"text": "XLoader 6.0 also mirrors the way FakeSpy hides its real C & C server .", "spans": {"Malware: XLoader 6.0": [[0, 11]], "Malware: FakeSpy": [[33, 40]]}, "info": {"id": "securebert2_train_00073", "source": "securebert2_train"}} |
| {"text": "When before it had used several different social media platforms , it now uses the Twitter platform , something FakeSpy has done in its past attacks .", "spans": {"Organization: Twitter": [[83, 90]], "Malware: FakeSpy": [[112, 119]]}, "info": {"id": "securebert2_train_00074", "source": "securebert2_train"}} |
| {"text": "Analysis of the malicious iOS profile also revealed further connections , as the profile can also be downloaded from a website that FakeSpy deployed early this year .", "spans": {"System: iOS": [[26, 29]], "Malware: FakeSpy": [[132, 139]]}, "info": {"id": "securebert2_train_00075", "source": "securebert2_train"}} |
| {"text": "Conclusion and security recommendations The continued monitoring of XLoader showed how its operators continuously changed its features , such as its attack vector deployment infrastructure and deployment techniques .", "spans": {"Malware: XLoader": [[68, 75]]}, "info": {"id": "securebert2_train_00076", "source": "securebert2_train"}} |
| {"text": "This newest entry seems to indicate that these changes won ’ t be stopping soon .", "spans": {}, "info": {"id": "securebert2_train_00077", "source": "securebert2_train"}} |
| {"text": "Being aware of this fact can help create defensive strategies , as well as prepare for upcoming attacks .", "spans": {}, "info": {"id": "securebert2_train_00078", "source": "securebert2_train"}} |
| {"text": "In addition , just as uncovering new characteristics is important , finding ones we ’ ve also seen in a different malware family like FakeSpy also provides valuable insight .", "spans": {"Malware: FakeSpy": [[134, 141]]}, "info": {"id": "securebert2_train_00079", "source": "securebert2_train"}} |
| {"text": "Links between XLoader and FakeSpy can give clues to the much broader inner workings of the threat actors behind them .", "spans": {"Malware: XLoader": [[14, 21]], "Malware: FakeSpy": [[26, 33]]}, "info": {"id": "securebert2_train_00080", "source": "securebert2_train"}} |
| {"text": "Perhaps more information on XLoader will be known in the future .", "spans": {"Malware: XLoader": [[28, 35]]}, "info": {"id": "securebert2_train_00081", "source": "securebert2_train"}} |
| {"text": "For now , users can make the best of the knowledge they have now to significantly reduce the effectivity of such malware .", "spans": {}, "info": {"id": "securebert2_train_00082", "source": "securebert2_train"}} |
| {"text": "Users of iOS can remove the malicious profile using the Apple Configurator 2 , Apple ’ s official iOS helper app for managing Apple devices .", "spans": {"System: iOS": [[9, 12], [98, 101]], "Organization: Apple": [[56, 61], [79, 84], [126, 131]]}, "info": {"id": "securebert2_train_00083", "source": "securebert2_train"}} |
| {"text": "Following simple best practices , like strictly downloading applications or any files from trusted sources and being wary of unsolicited messages , can also prevent similar attacks from compromising devices .", "spans": {}, "info": {"id": "securebert2_train_00084", "source": "securebert2_train"}} |
| {"text": "Indicators of Compromise SHA256 Package App label 332e68d865009d627343b89a5744843e3fde4ae870193f36b82980363439a425 ufD.wykyx.vlhvh SEX kr porn 403401aa71df1830d294b78de0e5e867ee3738568369c48ffafe1b15f3145588 ufD.wyjyx.vahvh 佐川急便 466dafa82a4460dcad722d2ad9b8ca332e9a896fc59f06e16ebe981ad3838a6b com.dhp.ozqh Facebook 5022495104c280286e65184e3164f3f248356d065ad76acef48ee2ce244ffdc8 ufD.wyjyx.vahvh Anshin Scan a0f3df39d20c4eaa410a61a527507dbc6b17c7f974f76e13181e98225bda0511 com.aqyh.xolo 佐川急便 cb412b9a26c1e51ece7a0e6f98f085e1c27aa0251172bf0a361eb5d1165307f7 jp.co.sagawa.SagawaOfficialApp 佐川急便 Malicious URLs : hxxp : //38 [ .", "spans": {"Indicator: 332e68d865009d627343b89a5744843e3fde4ae870193f36b82980363439a425": [[50, 114]], "Indicator: ufD.wykyx.vlhvh": [[115, 130]], "Indicator: 403401aa71df1830d294b78de0e5e867ee3738568369c48ffafe1b15f3145588": [[143, 207]], "Indicator: ufD.wyjyx.vahvh": [[208, 223], [381, 396]], "Indicator: 466dafa82a4460dcad722d2ad9b8ca332e9a896fc59f06e16ebe981ad3838a6b": [[229, 293]], "Indicator: com.dhp.ozqh": [[294, 306]], "Organization: Facebook": [[307, 315]], "Indicator: 5022495104c280286e65184e3164f3f248356d065ad76acef48ee2ce244ffdc8": [[316, 380]], "Indicator: a0f3df39d20c4eaa410a61a527507dbc6b17c7f974f76e13181e98225bda0511": [[409, 473]], "Indicator: com.aqyh.xolo": [[474, 487]], "Indicator: cb412b9a26c1e51ece7a0e6f98f085e1c27aa0251172bf0a361eb5d1165307f7": [[493, 557]], "Indicator: jp.co.sagawa.SagawaOfficialApp": [[558, 588]], "Indicator: hxxp : //38 [ .": [[611, 626]]}, "info": {"id": "securebert2_train_00085", "source": "securebert2_train"}} |
| {"text": "] 27 [ .", "spans": {}, "info": {"id": "securebert2_train_00086", "source": "securebert2_train"}} |
| {"text": "] 99 [ .", "spans": {}, "info": {"id": "securebert2_train_00087", "source": "securebert2_train"}} |
| {"text": "] 11/xvideo/ hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[13, 38]]}, "info": {"id": "securebert2_train_00088", "source": "securebert2_train"}} |
| {"text": "] qwe-japan [ .", "spans": {}, "info": {"id": "securebert2_train_00089", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[6, 31]]}, "info": {"id": "securebert2_train_00090", "source": "securebert2_train"}} |
| {"text": "] qwq-japan [ .", "spans": {}, "info": {"id": "securebert2_train_00091", "source": "securebert2_train"}} |
| {"text": "] com/ hxxp : //apple-icloud [ .", "spans": {"Indicator: hxxp : //apple-icloud [ .": [[7, 32]]}, "info": {"id": "securebert2_train_00092", "source": "securebert2_train"}} |
| {"text": "] zqo-japan [ .", "spans": {}, "info": {"id": "securebert2_train_00093", "source": "securebert2_train"}} |
| {"text": "] com/ hxxp : //files.spamo [ .", "spans": {"Indicator: hxxp : //files.spamo [ .": [[7, 31]]}, "info": {"id": "securebert2_train_00094", "source": "securebert2_train"}} |
| {"text": "] jp/佐川急便.apk hxxp : //mailsa-qae [ .", "spans": {"Indicator: hxxp : //mailsa-qae [ .": [[14, 37]]}, "info": {"id": "securebert2_train_00095", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //mailsa-qaf [ .", "spans": {"Indicator: hxxp : //mailsa-qaf [ .": [[6, 29]]}, "info": {"id": "securebert2_train_00096", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //mailsa-qau [ .", "spans": {"Indicator: hxxp : //mailsa-qau [ .": [[6, 29]]}, "info": {"id": "securebert2_train_00097", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //mailsa-qaw [ .", "spans": {"Indicator: hxxp : //mailsa-qaw [ .": [[6, 29]]}, "info": {"id": "securebert2_train_00098", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //mailsa-wqe [ .", "spans": {"Indicator: hxxp : //mailsa-wqe [ .": [[6, 29]]}, "info": {"id": "securebert2_train_00099", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //mailsa-wqo [ .", "spans": {"Indicator: hxxp : //mailsa-wqo [ .": [[6, 29]]}, "info": {"id": "securebert2_train_00100", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //mailsa-wqp [ .", "spans": {"Indicator: hxxp : //mailsa-wqp [ .": [[6, 29]]}, "info": {"id": "securebert2_train_00101", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //mailsa-wqq [ .", "spans": {"Indicator: hxxp : //mailsa-wqq [ .": [[6, 29]]}, "info": {"id": "securebert2_train_00102", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //mailsa-wqu [ .", "spans": {"Indicator: hxxp : //mailsa-wqu [ .": [[6, 29]]}, "info": {"id": "securebert2_train_00103", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //mailsa-wqw [ .", "spans": {"Indicator: hxxp : //mailsa-wqw [ .": [[6, 29]]}, "info": {"id": "securebert2_train_00104", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //nttdocomo-qae [ .", "spans": {"Indicator: hxxp : //nttdocomo-qae [ .": [[6, 32]]}, "info": {"id": "securebert2_train_00105", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //nttdocomo-qaq [ .", "spans": {"Indicator: hxxp : //nttdocomo-qaq [ .": [[6, 32]]}, "info": {"id": "securebert2_train_00106", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //nttdocomo-qaq [ .", "spans": {"Indicator: hxxp : //nttdocomo-qaq [ .": [[6, 32]]}, "info": {"id": "securebert2_train_00107", "source": "securebert2_train"}} |
| {"text": "] com/aa hxxp : //nttdocomo-qar [ .", "spans": {"Indicator: hxxp : //nttdocomo-qar [ .": [[9, 35]]}, "info": {"id": "securebert2_train_00108", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //nttdocomo-qat [ .", "spans": {"Indicator: hxxp : //nttdocomo-qat [ .": [[6, 32]]}, "info": {"id": "securebert2_train_00109", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //nttdocomo-qaw [ .", "spans": {"Indicator: hxxp : //nttdocomo-qaw [ .": [[6, 32]]}, "info": {"id": "securebert2_train_00110", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //sagawa-reg [ .", "spans": {"Indicator: hxxp : //sagawa-reg [ .": [[6, 29]]}, "info": {"id": "securebert2_train_00111", "source": "securebert2_train"}} |
| {"text": "] com/ hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[7, 23]]}, "info": {"id": "securebert2_train_00112", "source": "securebert2_train"}} |
| {"text": "] 711231 [ .", "spans": {}, "info": {"id": "securebert2_train_00113", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "securebert2_train_00114", "source": "securebert2_train"}} |
| {"text": "] 759383 [ .", "spans": {}, "info": {"id": "securebert2_train_00115", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "securebert2_train_00116", "source": "securebert2_train"}} |
| {"text": "] 923525 [ .", "spans": {}, "info": {"id": "securebert2_train_00117", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "securebert2_train_00118", "source": "securebert2_train"}} |
| {"text": "] 923915 [ .", "spans": {}, "info": {"id": "securebert2_train_00119", "source": "securebert2_train"}} |
| {"text": "] com hxxp : //www [ .", "spans": {"Indicator: hxxp : //www [ .": [[6, 22]]}, "info": {"id": "securebert2_train_00120", "source": "securebert2_train"}} |
| {"text": "] 975685 [ .", "spans": {}, "info": {"id": "securebert2_train_00121", "source": "securebert2_train"}} |
| {"text": "] com Malicious Twitter accounts : https : //twitter.com/lucky88755 https : //twitter.com/lucky98745 https : //twitter.com/lucky876543 https : //twitter.com/luckyone1232 https : //twitter.com/sadwqewqeqw https : //twitter.com/gyugyu87418490 https : //twitter.com/fdgoer343 https : //twitter.com/sdfghuio342 https : //twitter.com/asdqweqweqeqw https : //twitter.com/ukenivor3 Malicious Instagram account : https : //www.instagram.com/freedomguidepeople1830/ Malicious Tumblr accounts : https : //mainsheetgyam.tumblr.com/ https : //hormonaljgrj.tumblr.com/ https : //globalanab.tumblr.com/ C & C addresses : 104 [ .", "spans": {"Organization: Twitter": [[16, 23]], "Indicator: https : //twitter.com/lucky88755": [[35, 67]], "Indicator: https : //twitter.com/lucky98745": [[68, 100]], "Indicator: https : //twitter.com/lucky876543": [[101, 134]], "Indicator: https : //twitter.com/luckyone1232": [[135, 169]], "Indicator: https : //twitter.com/sadwqewqeqw": [[170, 203]], "Indicator: https : //twitter.com/gyugyu87418490": [[204, 240]], "Indicator: https : //twitter.com/fdgoer343": [[241, 272]], "Indicator: https : //twitter.com/sdfghuio342": [[273, 306]], "Indicator: https : //twitter.com/asdqweqweqeqw": [[307, 342]], "Indicator: https : //twitter.com/ukenivor3": [[343, 374]], "Organization: Instagram": [[385, 394]], "Indicator: https : //www.instagram.com/freedomguidepeople1830/": [[405, 456]], "Organization: Tumblr": [[467, 473]], "Indicator: https : //mainsheetgyam.tumblr.com/": [[485, 520]], "Indicator: https : //hormonaljgrj.tumblr.com/": [[521, 555]], "Indicator: https : //globalanab.tumblr.com/": [[556, 588]], "Indicator: 104 [ .": [[607, 614]]}, "info": {"id": "securebert2_train_00122", "source": "securebert2_train"}} |
| {"text": "] 160 [ .", "spans": {}, "info": {"id": "securebert2_train_00123", "source": "securebert2_train"}} |
| {"text": "] 191 [ .", "spans": {}, "info": {"id": "securebert2_train_00124", "source": "securebert2_train"}} |
| {"text": "] 190:8822 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "securebert2_train_00125", "source": "securebert2_train"}} |
| {"text": "] 230 [ .", "spans": {}, "info": {"id": "securebert2_train_00126", "source": "securebert2_train"}} |
| {"text": "] 204 [ .", "spans": {}, "info": {"id": "securebert2_train_00127", "source": "securebert2_train"}} |
| {"text": "] 87:28833 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "securebert2_train_00128", "source": "securebert2_train"}} |
| {"text": "] 230 [ .", "spans": {}, "info": {"id": "securebert2_train_00129", "source": "securebert2_train"}} |
| {"text": "] 204 [ .", "spans": {}, "info": {"id": "securebert2_train_00130", "source": "securebert2_train"}} |
| {"text": "] 87:28844 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "securebert2_train_00131", "source": "securebert2_train"}} |
| {"text": "] 230 [ .", "spans": {}, "info": {"id": "securebert2_train_00132", "source": "securebert2_train"}} |
| {"text": "] 204 [ .", "spans": {}, "info": {"id": "securebert2_train_00133", "source": "securebert2_train"}} |
| {"text": "] 87:28855 61 [ .", "spans": {"Indicator: 61 [ .": [[11, 17]]}, "info": {"id": "securebert2_train_00134", "source": "securebert2_train"}} |
| {"text": "] 230 [ .", "spans": {}, "info": {"id": "securebert2_train_00135", "source": "securebert2_train"}} |
| {"text": "] 205 [ .", "spans": {}, "info": {"id": "securebert2_train_00136", "source": "securebert2_train"}} |
| {"text": "] 122:28833 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "securebert2_train_00137", "source": "securebert2_train"}} |
| {"text": "] 230 [ .", "spans": {}, "info": {"id": "securebert2_train_00138", "source": "securebert2_train"}} |
| {"text": "] 205 [ .", "spans": {}, "info": {"id": "securebert2_train_00139", "source": "securebert2_train"}} |
| {"text": "] 122:28844 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "securebert2_train_00140", "source": "securebert2_train"}} |
| {"text": "] 230 [ .", "spans": {}, "info": {"id": "securebert2_train_00141", "source": "securebert2_train"}} |
| {"text": "] 205 [ .", "spans": {}, "info": {"id": "securebert2_train_00142", "source": "securebert2_train"}} |
| {"text": "] 122:28855 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "securebert2_train_00143", "source": "securebert2_train"}} |
| {"text": "] 230 [ .", "spans": {}, "info": {"id": "securebert2_train_00144", "source": "securebert2_train"}} |
| {"text": "] 205 [ .", "spans": {}, "info": {"id": "securebert2_train_00145", "source": "securebert2_train"}} |
| {"text": "] 132:28833 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "securebert2_train_00146", "source": "securebert2_train"}} |
| {"text": "] 230 [ .", "spans": {}, "info": {"id": "securebert2_train_00147", "source": "securebert2_train"}} |
| {"text": "] 205 [ .", "spans": {}, "info": {"id": "securebert2_train_00148", "source": "securebert2_train"}} |
| {"text": "] 132:28844 61 [ .", "spans": {"Indicator: 61 [ .": [[12, 18]]}, "info": {"id": "securebert2_train_00149", "source": "securebert2_train"}} |
| {"text": "] 230 [ .", "spans": {}, "info": {"id": "securebert2_train_00150", "source": "securebert2_train"}} |
| {"text": "] 205 [ .", "spans": {}, "info": {"id": "securebert2_train_00151", "source": "securebert2_train"}} |
| {"text": "] 132:28855 GoldenCup : New Cyber Threat Targeting World Cup Fans As the World Cup launches , so does a new threat Officials from the Israeli Defense Force recently uncovered an Android Spyware campaign targeting Israeli soldiers and orchestrated by \" Hamas .", "spans": {"Malware: GoldenCup": [[12, 21]], "Organization: Israeli Defense Force": [[134, 155]], "System: Android": [[178, 185]], "Organization: Hamas": [[252, 257]]}, "info": {"id": "securebert2_train_00152", "source": "securebert2_train"}} |
| {"text": "'' The latest samples attributed to this campaign were discovered by security researchers from ClearSky .", "spans": {"Organization: ClearSky": [[95, 103]]}, "info": {"id": "securebert2_train_00153", "source": "securebert2_train"}} |
| {"text": "In our research , we focus on the most recent sample , an application dubbed as \" Golden Cup '' , launched just before the start of World Cup 2018 .", "spans": {"Malware: Golden Cup": [[82, 92]]}, "info": {"id": "securebert2_train_00154", "source": "securebert2_train"}} |
| {"text": "Distribution / Infection When this campaign started at the start of 2018 , the malware ( \" GlanceLove '' , \" WinkChat '' ) was distributed by the perpetrators mainly via fake Facebook profiles , attempting to seduce IDF soldiers to socialize on a different platform ( their malware ) .", "spans": {"Malware: GlanceLove": [[91, 101]], "Malware: WinkChat": [[109, 117]], "System: Facebook": [[175, 183]]}, "info": {"id": "securebert2_train_00155", "source": "securebert2_train"}} |
| {"text": "As this approach was not a great success , their last attempt was to quickly create a World Cup app and this time distribute it to Israeli citizens , not just soldiers .", "spans": {}, "info": {"id": "securebert2_train_00156", "source": "securebert2_train"}} |
| {"text": "The official “ Golden Cup ” Facebook page .", "spans": {"Malware: Golden Cup": [[15, 25]], "System: Facebook": [[28, 36]]}, "info": {"id": "securebert2_train_00157", "source": "securebert2_train"}} |
| {"text": "The short URL redirects to the application page at Google Play .", "spans": {"System: Google Play": [[51, 62]]}, "info": {"id": "securebert2_train_00158", "source": "securebert2_train"}} |
| {"text": "The official “ Golden Cup ” Facebook page .", "spans": {"Malware: Golden Cup": [[15, 25]], "System: Facebook": [[28, 36]]}, "info": {"id": "securebert2_train_00159", "source": "securebert2_train"}} |
| {"text": "The short URL redirects to the application page at Google Play .", "spans": {"System: Google Play": [[51, 62]]}, "info": {"id": "securebert2_train_00160", "source": "securebert2_train"}} |
| {"text": "We assume it was rushed because , unlike GlanceLove , it lacked any real obfuscation .", "spans": {"Malware: GlanceLove": [[41, 51]]}, "info": {"id": "securebert2_train_00161", "source": "securebert2_train"}} |
| {"text": "Even the C & C server side was mostly exposed with the file listing available for everyone to traverse through it .", "spans": {}, "info": {"id": "securebert2_train_00162", "source": "securebert2_train"}} |
| {"text": "It contained approximately 8GB of stolen data .", "spans": {}, "info": {"id": "securebert2_train_00163", "source": "securebert2_train"}} |
| {"text": "A recent whois of “ goldncup.com ” .", "spans": {"Indicator: goldncup.com": [[20, 32]]}, "info": {"id": "securebert2_train_00164", "source": "securebert2_train"}} |
| {"text": "Creation date is a week before the start of the tournament .", "spans": {}, "info": {"id": "securebert2_train_00165", "source": "securebert2_train"}} |
| {"text": "A recent whois of “ goldncup.com ” .", "spans": {"Indicator: goldncup.com": [[20, 32]]}, "info": {"id": "securebert2_train_00166", "source": "securebert2_train"}} |
| {"text": "Creation date is a week before the start of the tournament .", "spans": {}, "info": {"id": "securebert2_train_00167", "source": "securebert2_train"}} |
| {"text": "How it Works In order to get into the Google Play Store , the malware uses a phased approach which is quite a common practice for malware authors these days .", "spans": {"System: Google Play": [[38, 49]]}, "info": {"id": "securebert2_train_00168", "source": "securebert2_train"}} |
| {"text": "The original app looks innocent , with most of its code aimed at implementing the real features that the app claims to provide .", "spans": {}, "info": {"id": "securebert2_train_00169", "source": "securebert2_train"}} |
| {"text": "In addition , it collects identifiers and some data from the device .", "spans": {}, "info": {"id": "securebert2_train_00170", "source": "securebert2_train"}} |
| {"text": "After getting a command from the C & C , the app is able to download a malicious payload in the form of a .dex file that is dynamically loaded , adding the additional malicious capabilities .", "spans": {}, "info": {"id": "securebert2_train_00171", "source": "securebert2_train"}} |
| {"text": "In this way , the malware authors can submit their app and add the malicious capabilities only after their app is live on the Play Store .", "spans": {"System: Play Store": [[126, 136]]}, "info": {"id": "securebert2_train_00172", "source": "securebert2_train"}} |
| {"text": "Communication with the C & C In order to communicate with its C & C , the app uses the MQTT ( Message Queuing Telemetry Transport ) protocol , which is transported over TCP port 1883 .", "spans": {"Indicator: TCP port 1883": [[169, 182]]}, "info": {"id": "securebert2_train_00173", "source": "securebert2_train"}} |
| {"text": "Initiating the MQTT client .", "spans": {}, "info": {"id": "securebert2_train_00174", "source": "securebert2_train"}} |
| {"text": "Initiating the MQTT client .", "spans": {}, "info": {"id": "securebert2_train_00175", "source": "securebert2_train"}} |
| {"text": "Initiating the MQTT client .", "spans": {}, "info": {"id": "securebert2_train_00176", "source": "securebert2_train"}} |
| {"text": "The app connects to the MQTT broker with hardcoded username and password and a unique device identifier generated for each device .", "spans": {}, "info": {"id": "securebert2_train_00177", "source": "securebert2_train"}} |
| {"text": "The MQTT connection to broker . The MQTT communication is used primarily to update the device state and get commands from the C & C .", "spans": {}, "info": {"id": "securebert2_train_00178", "source": "securebert2_train"}} |
| {"text": "It uses different topics that include the unique device identifier , which side is sending the message , and whether it is an information message or a command .", "spans": {}, "info": {"id": "securebert2_train_00179", "source": "securebert2_train"}} |
| {"text": "HTTP Communication In addition to the MQTT communication , the app also uses plain text HTTP communication in order to download the .dex file and upload collected data .", "spans": {}, "info": {"id": "securebert2_train_00180", "source": "securebert2_train"}} |
| {"text": "All of the files that are being uploaded or downloaded are zip files encrypted by AES with ECB mode .", "spans": {}, "info": {"id": "securebert2_train_00181", "source": "securebert2_train"}} |
| {"text": "The key for each file is generated randomly and stored in the encrypted file with a fixed offset .", "spans": {}, "info": {"id": "securebert2_train_00182", "source": "securebert2_train"}} |
| {"text": "In order to upload the file , the app uses a basic REST communication with the server , checking if the file exists and uploading it if it isn ’ t .", "spans": {}, "info": {"id": "securebert2_train_00183", "source": "securebert2_train"}} |
| {"text": "The path that is used for the uploads is : http : // /apps/d/p/op.php The communication looks like this : First Phase The first phase of the app ’ s attack flow collects device information and a list of apps installed on the device .", "spans": {"Indicator: http : // /apps/d/p/op.php": [[43, 69]]}, "info": {"id": "securebert2_train_00184", "source": "securebert2_train"}} |
| {"text": "These are then uploaded to the C & C HTTP server .", "spans": {}, "info": {"id": "securebert2_train_00185", "source": "securebert2_train"}} |
| {"text": "The collection of basic device information .", "spans": {}, "info": {"id": "securebert2_train_00186", "source": "securebert2_train"}} |
| {"text": "The collection of basic device information .", "spans": {}, "info": {"id": "securebert2_train_00187", "source": "securebert2_train"}} |
| {"text": "In addition , at this stage the app can process one of these commands : • Collect device info • Install app • Is online ? • Change server domain Out of these , the most interesting command is the “ install app ” command that downloads an encrypted zip file containing the second phase dex file , unpacks and loads it .", "spans": {}, "info": {"id": "securebert2_train_00188", "source": "securebert2_train"}} |
| {"text": "Second Phase The second phase dex file contains 3 main services that are being used : • ConnManager - handles connections to the C & C • ReceiverManager - waits for incoming calls / app installations • TaskManager - manages the data collection tasks The C & C server address is different from the one that is used by the first phase , so the app reconnects to the new server as well as starts the periodic data collector tasks .", "spans": {}, "info": {"id": "securebert2_train_00189", "source": "securebert2_train"}} |
| {"text": "By analyzing the TaskManager class we can see the new commands that are supported at this stage : As can be seen in the code snippet above , there are quite a lot of data collection tasks that are now available : Collect device info Track location Upload contacts information Upload sent and received SMS messages Upload images Upload video files Send recursive dirlist of the external storage Upload specific files Record audio using the microphone Record calls Use the camera to capture bursts of snapshots Those tasks can either run periodically , on event ( such as incoming call ) or when getting a command from the C & C server .", "spans": {}, "info": {"id": "securebert2_train_00190", "source": "securebert2_train"}} |
| {"text": "Mitigations Stay protected from mobile malware by taking these precautions : Do not download apps from unfamiliar sites Only install apps from trusted sources Pay close attention to the permissions requested by apps Install a suitable mobile security app , such as SEP Mobile or Norton , to protect your device and data Keep your operating system up to date Make frequent backups of important data Indicators of Compromise ( IoCs ) Package names : anew.football.cup.world.com.worldcup com.coder.glancelove com.winkchat APK SHA2 : 166f3a863bb2b66bda9c76dccf9529d5237f6394721f46635b053870eb2fcc5a b45defca452a640b303288131eb64c485f442aae0682a3c56489d24d59439b47 d9601735d674a9e55546fde0bffde235bc5f2546504b31799d874e8c31d5b6e9 2ce54d93510126fca83031f9521e40cd8460ae564d3d927e17bd63fb4cb20edc 67b1a1e7b505ac510322b9d4f4fc1e8a569d6d644582b588faccfeeaa4922cb7 1664cb343ee830fa94725fed143b119f7e2351307ed0ce04724b23469b9002f2 Loaded DEX SHA2 : afaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e Domain/IP : goldncup [ .", "spans": {"Indicator: anew.football.cup.world.com.worldcup": [[448, 484]], "Indicator: com.coder.glancelove com.winkchat": [[485, 518]], "Indicator: 166f3a863bb2b66bda9c76dccf9529d5237f6394721f46635b053870eb2fcc5a": [[530, 594]], "Indicator: b45defca452a640b303288131eb64c485f442aae0682a3c56489d24d59439b47": [[595, 659]], "Indicator: d9601735d674a9e55546fde0bffde235bc5f2546504b31799d874e8c31d5b6e9": [[660, 724]], "Indicator: 2ce54d93510126fca83031f9521e40cd8460ae564d3d927e17bd63fb4cb20edc": [[725, 789]], "Indicator: 67b1a1e7b505ac510322b9d4f4fc1e8a569d6d644582b588faccfeeaa4922cb7": [[790, 854]], "Indicator: 1664cb343ee830fa94725fed143b119f7e2351307ed0ce04724b23469b9002f2": [[855, 919]], "Indicator: afaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e": [[938, 1002]], "Indicator: goldncup [ .": [[1015, 1027]]}, "info": {"id": "securebert2_train_00191", "source": "securebert2_train"}} |
| {"text": "] com glancelove [ .", "spans": {"Indicator: glancelove [ .": [[6, 20]]}, "info": {"id": "securebert2_train_00192", "source": "securebert2_train"}} |
| {"text": "] com autoandroidup [ .", "spans": {"Indicator: autoandroidup [ .": [[6, 23]]}, "info": {"id": "securebert2_train_00193", "source": "securebert2_train"}} |
| {"text": "] website mobilestoreupdate [ .", "spans": {"Indicator: mobilestoreupdate [ .": [[10, 31]]}, "info": {"id": "securebert2_train_00194", "source": "securebert2_train"}} |
| {"text": "] website updatemobapp [ .", "spans": {"Indicator: updatemobapp [ .": [[10, 26]]}, "info": {"id": "securebert2_train_00195", "source": "securebert2_train"}} |
| {"text": "] website 107 [ .", "spans": {"Indicator: 107 [ .": [[10, 17]]}, "info": {"id": "securebert2_train_00196", "source": "securebert2_train"}} |
| {"text": "] 175 [ .", "spans": {}, "info": {"id": "securebert2_train_00197", "source": "securebert2_train"}} |
| {"text": "] 144 [ .", "spans": {}, "info": {"id": "securebert2_train_00198", "source": "securebert2_train"}} |
| {"text": "] 26 192 [ .", "spans": {"Indicator: 192 [ .": [[5, 12]]}, "info": {"id": "securebert2_train_00199", "source": "securebert2_train"}} |
| {"text": "] 64 [ .", "spans": {}, "info": {"id": "securebert2_train_00200", "source": "securebert2_train"}} |
| {"text": "] 114 [ .", "spans": {}, "info": {"id": "securebert2_train_00201", "source": "securebert2_train"}} |
| {"text": "] 147 Red Alert 2.0 : Android Trojan targets security-seekers A malicious , counterfeit version of a VPN client for mobile devices targets security-minded victims with a RAT .", "spans": {"Malware: Red Alert 2.0": [[6, 19]], "System: Android": [[22, 29]], "System: VPN": [[101, 104]]}, "info": {"id": "securebert2_train_00202", "source": "securebert2_train"}} |
| {"text": "Written by Jagadeesh Chandraiah JULY 23 , 2018 SophosLabs has uncovered a mobile malware distribution campaign that uses advertising placement to distribute the Red Alert Trojan , linking counterfeit branding of well-known apps to Web pages that deliver an updated , 2.0 version of this bank credential thief .", "spans": {"Organization: SophosLabs": [[47, 57]], "Malware: Red Alert Trojan": [[161, 177]]}, "info": {"id": "securebert2_train_00203", "source": "securebert2_train"}} |
| {"text": "The group distributing this family of malware decorates it in the branding and logos of well-known social media or media player apps , system update patches , or ( in its most recent campaign ) VPN client apps in an attempt to lure users into downloading , installing , and elevating the privileges of a Trojanized app hosted on a site not affiliated with any reputable app market or store .", "spans": {"System: VPN": [[194, 197]]}, "info": {"id": "securebert2_train_00204", "source": "securebert2_train"}} |
| {"text": "Aside from the inescapable irony of disguising a security-reducing Trojan as an ostensibly security-enhancing app , and the righteous affront to the whole concept of a VPN ’ s purpose a Trojan so disguised inspires , this represents an escalation in the variety of app types targeted by this campaign of bankbots in disguise .", "spans": {}, "info": {"id": "securebert2_train_00205", "source": "securebert2_train"}} |
| {"text": "Red Alert Plays Dress-Up In the wild , we found Web pages designed to ( vaguely ) resemble legitimate app market pages , hosting files for download that have been disguised as a legitimate mobile application of moderately broad appeal , such as a media player or social media app .", "spans": {"Malware: Red Alert": [[0, 9]]}, "info": {"id": "securebert2_train_00206", "source": "securebert2_train"}} |
| {"text": "But the categories targeted by this group seem to be broadening with the inclusion of VPN software .", "spans": {"System: VPN": [[86, 89]]}, "info": {"id": "securebert2_train_00207", "source": "securebert2_train"}} |
| {"text": "The Web page shown here on the left is hosted on a domain that seems apt : free-vpn [ .", "spans": {"Indicator: free-vpn [ .": [[75, 87]]}, "info": {"id": "securebert2_train_00208", "source": "securebert2_train"}} |
| {"text": "] download .", "spans": {}, "info": {"id": "securebert2_train_00209", "source": "securebert2_train"}} |
| {"text": "Investigation of this domain led to additional domains that appear to have been registered for use with the campaign , but are not in use yet .", "spans": {}, "info": {"id": "securebert2_train_00210", "source": "securebert2_train"}} |
| {"text": "( You can find additional IoCs at the end of this article ) As you can see , the Web page uses a similar colour scheme as , and the icon design from , a legitimate VPN application ( VPN Proxy Master ) found on the Google Play store .", "spans": {"System: Google Play store": [[214, 231]]}, "info": {"id": "securebert2_train_00211", "source": "securebert2_train"}} |
| {"text": "The fake doesn ’ t quite nail the app name .", "spans": {}, "info": {"id": "securebert2_train_00212", "source": "securebert2_train"}} |
| {"text": "In addition to “ Free VPN Master Android , ” we ’ ve observed Red Alert 2.0 Trojans in the wild disguising themselves using names like : Flash Player or Update Flash Player Android Update or Android Antivirus Chrome Update or Google Update Update Google Market WhatsApp Viber OneCoin Wallet Pornhub Tactic FlashLight or PROFlashLight Finanzonline The vast majority of in-the-wild Red Alert 2.0 samples falsely present themselves as Adobe Flash player for Android , a utility that Adobe stopped supporting years ago .", "spans": {"System: Free VPN Master Android": [[17, 40]], "Malware: Red Alert 2.0": [[62, 75]], "System: Flash Player": [[137, 149]], "System: Update Flash Player": [[153, 172]], "System: Android Update": [[173, 187]], "System: Android Antivirus": [[191, 208]], "System: Chrome Update": [[209, 222]], "System: Google Update": [[226, 239]], "System: Update Google Market": [[240, 260]], "System: WhatsApp": [[261, 269]], "System: Viber": [[270, 275]], "System: OneCoin": [[276, 283]], "System: Wallet": [[284, 290]], "Malware: Red Alert 2.0 samples": [[380, 401]], "System: Adobe Flash player": [[432, 450]], "System: Android": [[455, 462]], "Organization: Adobe": [[480, 485]]}, "info": {"id": "securebert2_train_00213", "source": "securebert2_train"}} |
| {"text": "Our logs show a number of simultaneous Red Alert 2.0 campaigns in operation , many ( but not all ) hosted on dynamic DNS domains .", "spans": {"Malware: simultaneous Red Alert 2.0 campaigns": [[26, 62]]}, "info": {"id": "securebert2_train_00214", "source": "securebert2_train"}} |
| {"text": "The Red Alert Payload Once installed , the malware requests Device Administrator privileges .", "spans": {"Malware: Red Alert Payload": [[4, 21]]}, "info": {"id": "securebert2_train_00215", "source": "securebert2_train"}} |
| {"text": "If the malware obtains device administrator rights , it will be able to lock the screen by itself , expire the password , and resist being uninstalled through normal methods .", "spans": {}, "info": {"id": "securebert2_train_00216", "source": "securebert2_train"}} |
| {"text": "Device admin request from app that says it is WhatsApp The app then stays in the background listening to commands from the cybercrooks .", "spans": {}, "info": {"id": "securebert2_train_00217", "source": "securebert2_train"}} |
| {"text": "Within some of the first of those commands , the bot typically receives a list of banks it will target .", "spans": {}, "info": {"id": "securebert2_train_00218", "source": "securebert2_train"}} |
| {"text": "The Trojan works by creating an overlay whenever the user launches the banking application .", "spans": {}, "info": {"id": "securebert2_train_00219", "source": "securebert2_train"}} |
| {"text": "Currently Running Applications Banking Trojans that rely on the overlay mechanism to steal information need to know what application is in the foreground .", "spans": {}, "info": {"id": "securebert2_train_00220", "source": "securebert2_train"}} |
| {"text": "They do this not only to identify whether the use of a particular app may permit them to harvest another credential , but also because each targeted app needs to have an overlay mapped to its design , so the Trojan can intercept and steal user data .", "spans": {}, "info": {"id": "securebert2_train_00221", "source": "securebert2_train"}} |
| {"text": "This quest to determine the currently running application is a hallmark of overlay malware , so we thought we ’ d take a closer look at how it ’ s done .", "spans": {}, "info": {"id": "securebert2_train_00222", "source": "securebert2_train"}} |
| {"text": "To prevent this , Android ’ s engineers regularly release updates that contain bug fixes designed to prevent apps from getting the list of currently running apps without explicit permission .", "spans": {"System: Android": [[18, 25]]}, "info": {"id": "securebert2_train_00223", "source": "securebert2_train"}} |
| {"text": "With every Android update , the malware authors are forced to come up with new tricks .", "spans": {"System: Android": [[11, 18]]}, "info": {"id": "securebert2_train_00224", "source": "securebert2_train"}} |
| {"text": "This particular case is not an exception .", "spans": {}, "info": {"id": "securebert2_train_00225", "source": "securebert2_train"}} |
| {"text": "The author ( s ) of this malware wrote separate subroutines that identify the operating system version and fire off methods to obtain a list of currently running applications known to work on that particular version of Android .", "spans": {"System: Android": [[219, 226]]}, "info": {"id": "securebert2_train_00226", "source": "securebert2_train"}} |
| {"text": "First , they use the built-in toolbox commands to determine what apps are running .", "spans": {}, "info": {"id": "securebert2_train_00227", "source": "securebert2_train"}} |
| {"text": "If that doesn ’ t work , they try to use queryUsageStats : When the malware invokes queryUsageStats , it asks for the list of applications that ran in the last 1 million milliseconds ( 16 minutes and 40 seconds ) .", "spans": {}, "info": {"id": "securebert2_train_00228", "source": "securebert2_train"}} |
| {"text": "String Resources Used to Store App Data Red Alert 2.0 stores its data in an atypical location ( inside the Strings.xml file embedded in the app ) to fetch its critical data , such as the C2 address .", "spans": {"Malware: Red Alert 2.0": [[40, 53]], "Indicator: Strings.xml file": [[107, 123]]}, "info": {"id": "securebert2_train_00229", "source": "securebert2_train"}} |
| {"text": "The com.dsufabunfzs.dowiflubs strings in the screenshot above refer to the internal name this particular malware was given , which in this case was randomized into alphabet salad .", "spans": {}, "info": {"id": "securebert2_train_00230", "source": "securebert2_train"}} |
| {"text": "It ’ s been SophosLabs ’ observation that Red Alert Trojans usually have a randomized internal name like this .", "spans": {"Malware: Red Alert Trojans": [[42, 59]]}, "info": {"id": "securebert2_train_00231", "source": "securebert2_train"}} |
| {"text": "The strings section of the app contains embedded command-and-control IP addresses , ports , and domain names in plaintext .", "spans": {}, "info": {"id": "securebert2_train_00232", "source": "securebert2_train"}} |
| {"text": "It is an invaluable source of intelligence about a given campaign . The following snippet shows the location within the Trojan where it uses SQLite database commands to store and recall command-and-control addresses : Backdoor Commands The Red Alert code also contains an embedded list of commands the botmaster can send to the bot .", "spans": {"Malware: Red Alert code": [[240, 254]]}, "info": {"id": "securebert2_train_00233", "source": "securebert2_train"}} |
| {"text": "The malware can execute a variety of arbitrary commands , including ( for example ) intercepting or sending text messages without the user ’ s knowledge , obtaining a copy of the victim ’ s Address Book , or call or text message logs , or sending phone network feature codes ( also known as USSD codes ) .", "spans": {"System: Address Book": [[190, 202]]}, "info": {"id": "securebert2_train_00234", "source": "securebert2_train"}} |
| {"text": "C2 and Targeted Banks As described earlier , the C2 domain is kept in the app ’ s resources .", "spans": {}, "info": {"id": "securebert2_train_00235", "source": "securebert2_train"}} |
| {"text": "During the app execution , the malware contacts the C2 domain for further instructions .", "spans": {}, "info": {"id": "securebert2_train_00236", "source": "securebert2_train"}} |
| {"text": "Most of the network traffic we ’ ve observed is HTTP .", "spans": {"Indicator: HTTP": [[48, 52]]}, "info": {"id": "securebert2_train_00237", "source": "securebert2_train"}} |
| {"text": "The C2 address , as stored in samples we ’ ve seen , comprises both an IP address and port number ; so far , all the samples we ’ ve tested attempted to contact an IP address on port 7878/tcp .", "spans": {"Indicator: port 7878/tcp": [[178, 191]]}, "info": {"id": "securebert2_train_00238", "source": "securebert2_train"}} |
| {"text": "If the main C2 domain is not responsive , the bot fetches a backup C2 domain from a Twitter account .", "spans": {"Organization: Twitter": [[84, 91]]}, "info": {"id": "securebert2_train_00239", "source": "securebert2_train"}} |
| {"text": "Static analysis of the code reveals that the malware downloads the overlay template to use against any of the bank ( s ) it is targeting .", "spans": {}, "info": {"id": "securebert2_train_00240", "source": "securebert2_train"}} |
| {"text": "The malware also sends regular telemetry back to its C2 server about the infected device in the form of an HTTP POST to its C2 server .", "spans": {"Indicator: HTTP": [[107, 111]]}, "info": {"id": "securebert2_train_00241", "source": "securebert2_train"}} |
| {"text": "It uses the base Dalvik User-Agent string for the device it ’ s running on .", "spans": {}, "info": {"id": "securebert2_train_00242", "source": "securebert2_train"}} |
| {"text": "The content of the HTTP POST data is telemetry data in JSON format about the device the malware is running on .", "spans": {"Indicator: HTTP": [[19, 23]]}, "info": {"id": "securebert2_train_00243", "source": "securebert2_train"}} |
| {"text": "The list of banks targeted by Red Alert 2.0 includes NatWest , Barclays , Westpac , and Citibank .", "spans": {"Malware: Red Alert 2.0": [[30, 43]], "Organization: Barclays": [[63, 71]]}, "info": {"id": "securebert2_train_00244", "source": "securebert2_train"}} |
| {"text": "Red Alert 2.0 is a banking bot that is currently very active online , and presents a risk to Android devices .", "spans": {"Malware: Red Alert 2.0": [[0, 13]]}, "info": {"id": "securebert2_train_00245", "source": "securebert2_train"}} |
| {"text": "We expect to see more diversification in the social engineering lures this threat group employs as time goes on .", "spans": {}, "info": {"id": "securebert2_train_00246", "source": "securebert2_train"}} |
| {"text": "So far , legitimate app stores appear to be this malware ’ s Achilles heel ; disabling the installation of third-party apps has been an effective prevention measure .", "spans": {}, "info": {"id": "securebert2_train_00247", "source": "securebert2_train"}} |
| {"text": "Stick to Google Play and use VPN software from reputable vendors .", "spans": {"System: Google Play": [[9, 20]]}, "info": {"id": "securebert2_train_00248", "source": "securebert2_train"}} |
| {"text": "Sophos detects all the samples of this Trojan family as Andr/Banker-GWC and Andr/Spybot-A .", "spans": {"Organization: Sophos": [[0, 6]]}, "info": {"id": "securebert2_train_00249", "source": "securebert2_train"}} |
| {"text": "In the wild , these are only distributed as a direct download from unofficial Web pages ( “ third-party ” app ) and not through legitimate app stores .", "spans": {}, "info": {"id": "securebert2_train_00250", "source": "securebert2_train"}} |
| {"text": "Red Alert 2.0 IoCs list C2 addresses 103.239.30.126:7878 146.185.241.29:7878 146.185.241.42:7878 185.126.200.3:7878 185.126.200.12:7878 185.126.200.15:7878 185.126.200.18:7878 185.165.28.15:7878 185.243.243.241:7878 185.243.243.244:7878 185.243.243.245:7878 Domains Malware source Web hosts on 167.99.176.61 : free-androidvpn.date free-androidvpn.download free-androidvpn.online free-vpn.date free-vpn.download free-vpn.online Hashes 22fcfce096392f085218c3a78dd0fa4be9e67ed725bce42b965a27725f671cf 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372 be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31 5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c 06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5 753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef As a result of a lot of hard work done by our security research teams , we revealed today a new and alarming malware campaign .", "spans": {"Malware: Red Alert 2.0": [[0, 13]], "Indicator: 103.239.30.126:7878": [[37, 56]], "Indicator: 146.185.241.29:7878": [[57, 76]], "Indicator: 146.185.241.42:7878": [[77, 96]], "Indicator: 185.126.200.3:7878": [[97, 115]], "Indicator: 185.126.200.12:7878": [[116, 135]], "Indicator: 185.126.200.15:7878": [[136, 155]], "Indicator: 185.126.200.18:7878": [[156, 175]], "Indicator: 185.165.28.15:7878": [[176, 194]], "Indicator: 185.243.243.241:7878": [[195, 215]], "Indicator: 185.243.243.244:7878": [[216, 236]], "Indicator: 185.243.243.245:7878": [[237, 257]], "Indicator: 167.99.176.61": [[294, 307]], "Indicator: free-androidvpn.date": [[310, 330]], "Indicator: free-vpn.date": [[379, 392]], "Indicator: 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372": [[498, 562]], "Indicator: be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31": [[563, 627]], "Indicator: 5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c": [[628, 692]], "Indicator: 06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5": [[693, 757]], "Indicator: 753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef": [[758, 822]]}, "info": {"id": "securebert2_train_00251", "source": "securebert2_train"}} |
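The Red Alert 2.0 indicator list above arrives as one run of text. As an added example (not code from the Red Alert 2.0 write-up or from the corpus), the Python below classifies each token of such a list by shape into C2 sockets, hosting IPs, domains and file hashes, sets aside the first hash because it is 63 hex characters rather than a valid 64-character SHA-256, and then sweeps a few log lines for hits, reporting a C2 address seen on a port other than 7878 as unconfirmed rather than silently dropping or blocking it. IOC_TEXT is the page's own list; SAMPLE_LOGS, their internal addresses and file paths are constructed for the example.

```python
"""Parse a flattened IoC list (C2 ip:port pairs, hosting IPs, domains, hashes)
and sweep constructed sample telemetry for hits.

Added example; not code from the Red Alert 2.0 write-up. IOC_TEXT is the
page's own indicator list; SAMPLE_LOGS are constructed log lines.
"""
import ipaddress
import re
from dataclasses import dataclass, field

IOC_TEXT = """Red Alert 2.0 IoCs list C2 addresses 103.239.30.126:7878 146.185.241.29:7878
146.185.241.42:7878 185.126.200.3:7878 185.126.200.12:7878 185.126.200.15:7878
185.126.200.18:7878 185.165.28.15:7878 185.243.243.241:7878 185.243.243.244:7878
185.243.243.245:7878 Domains Malware source Web hosts on 167.99.176.61 :
free-androidvpn.date free-androidvpn.download free-androidvpn.online
free-vpn.date free-vpn.download free-vpn.online Hashes
22fcfce096392f085218c3a78dd0fa4be9e67ed725bce42b965a27725f671cf
55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372
be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31
5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c
06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5
753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef"""

# Constructed telemetry: firewall, DNS and a sha256sum listing (not real logs).
SAMPLE_LOGS = [
    "2018-03-02T10:14:07Z fw src=10.0.0.23 dst=185.243.243.244 dport=7878 proto=tcp action=allow",
    "2018-03-02T10:14:09Z dns client=10.0.0.23 query=free-vpn.online type=A",
    "2018-03-02T10:15:31Z fw src=10.0.0.23 dst=146.185.241.29 dport=443 proto=tcp action=allow",
    "5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c  /sdcard/Download/FreeVPN.apk",
    "2018-03-02T10:16:02Z fw src=10.0.0.23 dst=8.8.8.8 dport=53 proto=udp action=allow",
]

IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HEXSTR = re.compile(r"^[0-9a-f]{32,}$")
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


@dataclass
class IocSet:
    c2: set = field(default_factory=set)        # (ip, port) pairs
    hosts: set = field(default_factory=set)     # bare IPs, e.g. the payload web host
    domains: set = field(default_factory=set)
    hashes: dict = field(default_factory=dict)  # hex digest -> algorithm name
    malformed: list = field(default_factory=list)


def _valid_ip(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def parse_iocs(text: str) -> IocSet:
    """Classify tokens by shape, not by position, so the section words
    ("C2 addresses", "Domains", "Hashes") need no special handling."""
    iocs = IocSet()
    for raw in text.split():
        tok = raw.strip(".,;:()[]").lower()
        if not tok:
            continue
        if (m := IP_PORT.match(tok)) and _valid_ip(m.group(1)) and 0 < int(m.group(2)) < 65536:
            iocs.c2.add((m.group(1), int(m.group(2))))
        elif IPV4.match(tok) and _valid_ip(tok):
            iocs.hosts.add(tok)
        elif HEXSTR.match(tok):
            # A digest of the wrong length can never match a real file; it is a
            # copy/paste defect in the feed, so keep it aside for the analyst.
            if len(tok) in HASH_ALGOS:
                iocs.hashes[tok] = HASH_ALGOS[len(tok)]
            else:
                iocs.malformed.append(tok)
        elif DOMAIN.match(tok):
            iocs.domains.add(tok)
    return iocs


# Extraction from free-form log lines; lookbehinds keep octets from counting as ports.
LINE_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
LINE_NUM = re.compile(r"(?<![\w.])(\d{1,5})(?![\w.])")
LINE_HEX64 = re.compile(r"(?<![0-9a-f])([0-9a-f]{64})(?![0-9a-f])")
LINE_DOMAIN = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w.-])")


def scan_line(iocs: IocSet, line: str) -> list:
    """Return (kind, indicator, confirmed) hits for one line. A C2 IP seen on a
    port other than the listed one is reported with confirmed=False so it is
    triaged rather than auto-blocked."""
    low = line.lower()
    hits = []
    ports_seen = {int(n) for n in LINE_NUM.findall(low)}
    for ip in LINE_IPV4.findall(low):
        c2_ports = {p for c2ip, p in iocs.c2 if c2ip == ip}
        if c2_ports:
            hits.append(("c2", ip, bool(c2_ports & ports_seen)))
        elif ip in iocs.hosts:
            hits.append(("host", ip, True))
    for h in LINE_HEX64.findall(low):
        if h in iocs.hashes:
            hits.append((iocs.hashes[h], h, True))
    for d in LINE_DOMAIN.findall(low):
        if d in iocs.domains:
            hits.append(("domain", d, True))
    return hits


def sweep(iocs: IocSet, lines) -> list:
    """(line index, kind, indicator, confirmed) for every hit across the lines."""
    return [(i, *hit) for i, line in enumerate(lines) for hit in scan_line(iocs, line)]


if __name__ == "__main__":
    ioc = parse_iocs(IOC_TEXT)
    print(f"{len(ioc.c2)} C2 sockets, {len(ioc.hosts)} hosts, {len(ioc.domains)} domains, "
          f"{len(ioc.hashes)} hashes, {len(ioc.malformed)} malformed")
    for hit in sweep(ioc, SAMPLE_LOGS):
        print(hit)
```

Run it as a script to see the counts and the four hits; the 146.185.241.29 line comes back unconfirmed because the observed port (443) is not the 7878 the feed lists, and the 63-character hash lands in `malformed` instead of being compared against anything.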
| {"text": "The attack campaign , named Gooligan , breached the security of over one million Google accounts .", "spans": {"Malware: Gooligan": [[28, 36]], "Organization: Google": [[81, 87]]}, "info": {"id": "securebert2_train_00252", "source": "securebert2_train"}} |
| {"text": "The number continues to rise at an additional 13,000 breached devices each day .", "spans": {}, "info": {"id": "securebert2_train_00253", "source": "securebert2_train"}} |
| {"text": "Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play , Gmail , Google Photos , Google Docs , G Suite , Google Drive , and more .", "spans": {"System: Google Play": [[130, 141]], "System: Gmail": [[144, 149]], "System: Google Photos": [[152, 165]], "System: Google Docs": [[168, 179]], "System: G Suite": [[182, 189]], "System: Google Drive": [[192, 204]]}, "info": {"id": "securebert2_train_00254", "source": "securebert2_train"}} |
| {"text": "Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year .", "spans": {"Malware: Gooligan": [[0, 8]], "Malware: SnapPea": [[90, 97]]}, "info": {"id": "securebert2_train_00255", "source": "securebert2_train"}} |
| {"text": "Check Point reached out to the Google Security team immediately with information on this campaign .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google Security": [[31, 46]]}, "info": {"id": "securebert2_train_00256", "source": "securebert2_train"}} |
| {"text": "Our researchers are working closely with Google to investigate the source of the Gooligan campaign .", "spans": {"Organization: Google": [[41, 47]], "Malware: Gooligan campaign": [[81, 98]]}, "info": {"id": "securebert2_train_00257", "source": "securebert2_train"}} |
| {"text": "“ We ’ re appreciative of both Check Point ’ s research and their partnership as we ’ ve worked together to understand these issues , ” said Adrian Ludwig , Google ’ s director of Android security .", "spans": {"Organization: Check Point": [[31, 42]], "Organization: Google": [[157, 163]], "System: Android": [[180, 187]]}, "info": {"id": "securebert2_train_00258", "source": "securebert2_train"}} |
| {"text": "“ As part of our ongoing efforts to protect users from the Ghost Push family of malware , we ’ ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall. ” We are very encouraged by the statement Google shared with us addressing the issue .", "spans": {"Malware: Ghost Push family": [[59, 76]], "System: Android": [[172, 179]], "Organization: Google": [[241, 247]]}, "info": {"id": "securebert2_train_00259", "source": "securebert2_train"}} |
| {"text": "We have chosen to join forces to continue the investigation around Gooligan .", "spans": {"Malware: Gooligan": [[67, 75]]}, "info": {"id": "securebert2_train_00260", "source": "securebert2_train"}} |
| {"text": "Google also stated that they are taking numerous steps including proactively notifying affected accounts , revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future .", "spans": {"Organization: Google": [[0, 6]]}, "info": {"id": "securebert2_train_00261", "source": "securebert2_train"}} |
| {"text": "Who is affected ? Gooligan potentially affects devices on Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop ) , which is over 74 % of in-market devices today .", "spans": {"Malware: Gooligan": [[18, 26]], "System: Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop )": [[58, 110]]}, "info": {"id": "securebert2_train_00262", "source": "securebert2_train"}} |
| {"text": "About 57 % of these devices are located in Asia and about 9 % are in Europe .", "spans": {}, "info": {"id": "securebert2_train_00263", "source": "securebert2_train"}} |
| {"text": "In our research we identified tens of fake applications that were infected with this malware .", "spans": {}, "info": {"id": "securebert2_train_00264", "source": "securebert2_train"}} |
| {"text": "If you ’ ve downloaded one of the apps listed in Appendix A , below , you might be infected .", "spans": {}, "info": {"id": "securebert2_train_00265", "source": "securebert2_train"}} |
| {"text": "You may review your application list in “ Settings - > Apps ” ; if you find one of these applications , please consider downloading an antivirus product such as Check Point ZoneAlarm to check if you are indeed infected .", "spans": {"Organization: Check Point": [[161, 172]], "System: ZoneAlarm": [[173, 182]]}, "info": {"id": "securebert2_train_00266", "source": "securebert2_train"}} |
| {"text": "We have noticed that hundreds of the email addresses are associated with enterprise accounts worldwide .", "spans": {}, "info": {"id": "securebert2_train_00267", "source": "securebert2_train"}} |
| {"text": "How do you know if your Google account is breached ? You can check if your account is compromised by accessing the following web site that we created : https : //gooligan.checkpoint.com/ .", "spans": {"Organization: Google": [[24, 30]], "Indicator: https : //gooligan.checkpoint.com/": [[152, 186]]}, "info": {"id": "securebert2_train_00268", "source": "securebert2_train"}} |
| {"text": "If your account has been breached , the following steps are required : a clean installation of the operating system on your mobile device ( a process called “ flashing ” ) .", "spans": {}, "info": {"id": "securebert2_train_00269", "source": "securebert2_train"}} |
| {"text": "As this is a complex process , we recommend powering off your device and approaching a certified technician , or your mobile service provider , to request that your device be “ re-flashed. ” Change your Google account passwords immediately after this process .", "spans": {"Organization: Google": [[203, 209]]}, "info": {"id": "securebert2_train_00270", "source": "securebert2_train"}} |
| {"text": "How do Android devices become infected ? We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores .", "spans": {"Malware: Gooligan": [[64, 72]], "System: Android": [[138, 145]]}, "info": {"id": "securebert2_train_00271", "source": "securebert2_train"}} |
| {"text": "These stores are an attractive alternative to Google Play because many of their apps are free , or offer free versions of paid apps .", "spans": {"System: Google Play": [[46, 57]]}, "info": {"id": "securebert2_train_00272", "source": "securebert2_train"}} |
| {"text": "However , the security of these stores and the apps they sell aren ’ t always verified .", "spans": {}, "info": {"id": "securebert2_train_00273", "source": "securebert2_train"}} |
| {"text": "Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services .", "spans": {"Malware: Gooligan-infected": [[0, 17]]}, "info": {"id": "securebert2_train_00274", "source": "securebert2_train"}} |
| {"text": "How did Gooligan emerge ? Our researchers first encountered Gooligan ’ s code in the malicious SnapPea app last year .", "spans": {"Malware: Gooligan": [[8, 16], [60, 68]], "Malware: SnapPea": [[95, 102]]}, "info": {"id": "securebert2_train_00275", "source": "securebert2_train"}} |
| {"text": "At the time this malware was reported by several security vendors , and attributed to different malware families like Ghostpush , MonkeyTest , and Xinyinhe .", "spans": {"Malware: Ghostpush": [[118, 127]], "Malware: MonkeyTest": [[130, 140]], "Malware: Xinyinhe": [[147, 155]]}, "info": {"id": "securebert2_train_00276", "source": "securebert2_train"}} |
| {"text": "By late 2015 , the malware β s creators had gone mostly silent until the summer of 2016 when the malware reappeared with a more complex architecture that injects malicious code into Android system processes .", "spans": {"System: Android": [[182, 189]]}, "info": {"id": "securebert2_train_00277", "source": "securebert2_train"}} |
| {"text": "The change in the way the malware works today may be to help finance the campaign through fraudulent ad activity .", "spans": {}, "info": {"id": "securebert2_train_00278", "source": "securebert2_train"}} |
| {"text": "The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device .", "spans": {}, "info": {"id": "securebert2_train_00279", "source": "securebert2_train"}} |
| {"text": "An attacker is paid by the network when one of these apps is installed successfully .", "spans": {}, "info": {"id": "securebert2_train_00280", "source": "securebert2_train"}} |
| {"text": "Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began .", "spans": {"Organization: Check Point": [[18, 29]], "Malware: Gooligan": [[62, 70]]}, "info": {"id": "securebert2_train_00281", "source": "securebert2_train"}} |
| {"text": "How does Gooligan work ? The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device .", "spans": {"Malware: Gooligan": [[9, 17]], "Malware: Gooligan-infected": [[83, 100]]}, "info": {"id": "securebert2_train_00282", "source": "securebert2_train"}} |
| {"text": "Our research team has found infected apps on third-party app stores , but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages .", "spans": {"System: Android": [[107, 114]]}, "info": {"id": "securebert2_train_00283", "source": "securebert2_train"}} |
| {"text": "After an infected app is installed , it sends data about the device to the campaign ’ s Command and Control ( C & C ) server .", "spans": {}, "info": {"id": "securebert2_train_00284", "source": "securebert2_train"}} |
| {"text": "Gooligan then downloads a rootkit from the C & C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT ( CVE-2013-6282 ) and Towelroot ( CVE-2014-3153 ) .", "spans": {"Malware: Gooligan": [[0, 8]], "System: Android 4 and 5": [[89, 104]], "Vulnerability: VROOT": [[139, 144]], "Vulnerability: CVE-2013-6282": [[147, 160]], "Vulnerability: Towelroot": [[167, 176]], "Vulnerability: CVE-2014-3153": [[179, 192]]}, "info": {"id": "securebert2_train_00285", "source": "securebert2_train"}} |
| {"text": "These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android , or the patches were never installed by the user .", "spans": {"System: Android": [[128, 135]]}, "info": {"id": "securebert2_train_00286", "source": "securebert2_train"}} |
| {"text": "If rooting is successful , the attacker has full control of the device and can execute privileged commands remotely .", "spans": {}, "info": {"id": "securebert2_train_00287", "source": "securebert2_train"}} |
| {"text": "After achieving root access , Gooligan downloads a new , malicious module from the C & C server and installs it on the infected device .", "spans": {"Malware: Gooligan": [[30, 38]]}, "info": {"id": "securebert2_train_00288", "source": "securebert2_train"}} |
| {"text": "This module injects code into running Google Play or GMS ( Google Mobile Services ) to mimic user behavior so Gooligan can avoid detection , a technique first seen with the mobile malware HummingBad .", "spans": {"System: Google Play": [[38, 49]], "System: GMS ( Google Mobile Services )": [[53, 83]], "Malware: Gooligan": [[110, 118]], "Malware: HummingBad": [[188, 198]]}, "info": {"id": "securebert2_train_00289", "source": "securebert2_train"}} |
| {"text": "The module allows Gooligan to : Steal a user ’ s Google email account and authentication token information ; Install apps from Google Play and rate them to raise their reputation ; Install adware to generate revenue . Ad servers , which don ’ t know whether an app using its service is malicious or not , send Gooligan the names of the apps to download from Google Play .", "spans": {"Malware: Gooligan": [[18, 26], [310, 318]], "Organization: Google": [[49, 55]], "System: Google Play": [[127, 138], [358, 369]]}, "info": {"id": "securebert2_train_00290", "source": "securebert2_train"}} |
| {"text": "After an app is installed , the ad service pays the attacker .", "spans": {}, "info": {"id": "securebert2_train_00291", "source": "securebert2_train"}} |
| {"text": "Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C & C server .", "spans": {"System: Google Play": [[63, 74]]}, "info": {"id": "securebert2_train_00292", "source": "securebert2_train"}} |
| {"text": "Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews .", "spans": {"System: Google Play": [[127, 138]]}, "info": {"id": "securebert2_train_00293", "source": "securebert2_train"}} |
| {"text": "This is another reminder of why users shouldn β t rely on ratings alone to decide whether to trust an app .", "spans": {}, "info": {"id": "securebert2_train_00294", "source": "securebert2_train"}} |
| {"text": "Similar to HummingBad , the malware also fakes device identification information , such as IMEI and IMSI , to download an app twice while seeming like the installation is happening on a different device , thereby doubling the potential revenue .", "spans": {"Malware: HummingBad": [[11, 21]]}, "info": {"id": "securebert2_train_00295", "source": "securebert2_train"}} |
| {"text": "What are Google authorization tokens ? A Google authorization token is a way to access the Google account and the related services of a user .", "spans": {"Organization: Google": [[9, 15], [41, 47], [91, 97]]}, "info": {"id": "securebert2_train_00296", "source": "securebert2_train"}} |
| {"text": "It is issued by Google once a user successfully logged into this account .", "spans": {"Organization: Google": [[16, 22]]}, "info": {"id": "securebert2_train_00297", "source": "securebert2_train"}} |
| {"text": "When an authorization token is stolen by a hacker , they can use this token to access all the Google services related to the user , including Google Play , Gmail , Google Docs , Google Drive , and Google Photos .", "spans": {"Organization: Google": [[94, 100]], "System: Google Play": [[142, 153]], "System: Gmail": [[156, 161]], "System: Google Docs": [[164, 175]], "System: Google Drive": [[178, 190]], "System: Google Photos": [[197, 210]]}, "info": {"id": "securebert2_train_00298", "source": "securebert2_train"}} |
| {"text": "While Google implemented multiple mechanisms , like two-factor-authentication , to prevent hackers from compromising Google accounts , a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in .", "spans": {"Organization: Google": [[6, 12], [117, 123]]}, "info": {"id": "securebert2_train_00299", "source": "securebert2_train"}} |
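The paragraph above makes two claims that are easy to state and easy to get wrong in practice: a bearer token is accepted without re-running the password or second-factor check, and the remedy Google applied (see the "revoking affected tokens" step earlier) is to invalidate the tokens rather than rotate passwords alone. The Python below is an added, self-contained model of that mechanism written for this corpus; it is not Google's implementation. The AccountService class, its users, devices and one-time codes are invented, and the token is assumed to be a random opaque string looked up in a server-side table.

```python
"""Why a stolen authorization token sidesteps 2FA, and what revocation buys.

Added model, not Google's implementation. AccountService, its users, devices
and one-time codes are invented; the token is assumed to be an opaque random
string resolved through a server-side table.
"""
import hmac
import secrets
import time


class AccountService:
    TOKEN_TTL = 30 * 24 * 3600  # long-lived, as a device sign-in token is (assumed value)

    def __init__(self, now=time.time):
        self._now = now
        self._creds = {}   # user -> (password, current one-time code); plaintext only because this is a model
        self._tokens = {}  # token -> {"user", "device", "issued_at", "revoked"}

    def register(self, user, password, otp):
        self._creds[user] = (password, otp)

    def login(self, user, password, otp, device):
        """Interactive sign-in: both factors are verified here and nowhere else.
        The returned token is the proof that this already happened."""
        if user not in self._creds:
            return None
        pw, code = self._creds[user]
        if not (hmac.compare_digest(pw, password) and hmac.compare_digest(code, otp)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": user, "device": device,
                               "issued_at": self._now(), "revoked": False}
        return token

    def authorize(self, token, device, bind_device=False):
        """Token presentation. No password and no OTP are requested, which is
        exactly why a token lifted from a rooted phone is as good as the login
        that produced it. bind_device=True refuses a token presented from a
        device other than the one it was issued to."""
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"]:
            return None
        if self._now() - rec["issued_at"] > self.TOKEN_TTL:
            return None
        if bind_device and not hmac.compare_digest(rec["device"], device):
            return None
        return rec["user"]

    def revoke_all(self, user):
        """The remediation step: kill every token for the account so the
        attacker's copy stops working and the owner signs in again through
        the full 2FA flow. Returns the number of tokens revoked."""
        count = 0
        for rec in self._tokens.values():
            if rec["user"] == user and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count


def demo():
    """Walk the theft and the remediation; returns the observed outcomes."""
    svc = AccountService()
    svc.register("alice", "correct horse battery", "492017")
    token = svc.login("alice", "correct horse battery", "492017", device="alice-phone")
    stolen = token  # root-level malware reading the phone's token store (modelled, no real paths)
    return {
        "replay_from_attacker_host": svc.authorize(stolen, device="attacker-host"),
        "replay_with_device_binding": svc.authorize(stolen, device="attacker-host", bind_device=True),
        "tokens_revoked": svc.revoke_all("alice"),
        "replay_after_revocation": svc.authorize(stolen, device="alice-phone"),
        "relogin_with_wrong_otp": svc.login("alice", "correct horse battery", "000000", device="alice-phone"),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome!r}")
```

The first replay succeeds with no second factor involved, which is the whole of the problem; revocation closes it. The `bind_device` option is shown because it is the obvious hardening, but note the caveat the Gooligan write-up itself supplies: the malware fakes IMEI and IMSI, so binding a token to an identifier that root-level code can read and spoof is a weak control compared with invalidating the token.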
| {"text": "Conclusion Gooligan has breached over a million Google accounts .", "spans": {"Malware: Gooligan": [[11, 19]], "Organization: Google": [[48, 54]]}, "info": {"id": "securebert2_train_00300", "source": "securebert2_train"}} |
| {"text": "We believe that it is the largest Google account breach to date , and we are working with Google to continue the investigation .", "spans": {"Organization: Google": [[34, 40], [90, 96]]}, "info": {"id": "securebert2_train_00301", "source": "securebert2_train"}} |
| {"text": "We encourage Android users to validate whether their accounts have been breached .", "spans": {"System: Android": [[13, 20]]}, "info": {"id": "securebert2_train_00302", "source": "securebert2_train"}} |
| {"text": "Hacking Team Spying Tool Listens to Calls By : Trend Micro July 21 , 2015 Following news that iOS devices are at risk of spyware related to the Hacking Team , the saga continues into the Android sphere .", "spans": {"Organization: Hacking Team": [[0, 12], [144, 156]], "Organization: Trend Micro": [[47, 58]], "System: iOS": [[94, 97]], "System: Android": [[187, 194]]}, "info": {"id": "securebert2_train_00303", "source": "securebert2_train"}} |
| {"text": "We found that among the leaked files is the code for Hacking Team ’ s open-source malware suite RCSAndroid ( Remote Control System Android ) , which was sold by the company as a tool for monitoring targets .", "spans": {"Malware: RCSAndroid": [[96, 106]], "Malware: Remote Control System Android": [[109, 138]]}, "info": {"id": "securebert2_train_00304", "source": "securebert2_train"}} |
| {"text": "( Researchers have been aware of this suite as early as 2014 . )", "spans": {}, "info": {"id": "securebert2_train_00305", "source": "securebert2_train"}} |
| {"text": "The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed .", "spans": {"Malware: RCSAndroid": [[4, 14]], "System: Android": [[97, 104]]}, "info": {"id": "securebert2_train_00306", "source": "securebert2_train"}} |
| {"text": "The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations .", "spans": {}, "info": {"id": "securebert2_train_00307", "source": "securebert2_train"}} |
| {"text": "Based on the leaked code , the RCSAndroid app can do the following intrusive routines to spy on targets : Capture screenshots using the “ screencap ” command and framebuffer direct reading ; Monitor clipboard content ; Collect passwords for Wi-Fi networks and online accounts , including Skype , Facebook , Twitter , Google , WhatsApp , Mail , and LinkedIn ; Record using the microphone ; Collect SMS , MMS , and Gmail messages ; Record location ; Gather device information ; Capture photos using the front and back cameras ; Collect contacts and decode messages from IM accounts , including Facebook Messenger , WhatsApp , Skype , Viber , Line , WeChat , Hangouts , Telegram , and BlackBerry Messenger .", "spans": {"Malware: RCSAndroid": [[31, 41]], "System: Skype": [[288, 293], [624, 629]], "System: Facebook": [[296, 304]], "System: Twitter": [[307, 314]], "System: Google": [[317, 323]], "System: WhatsApp": [[326, 334], [613, 621]], "System: Mail": [[337, 341]], "System: LinkedIn": [[348, 356]], "System: Gmail": [[413, 418]], "System: Facebook Messenger": [[592, 610]], "System: Viber": [[632, 637]], "System: Line": [[640, 644]], "System: WeChat": [[647, 653]], "System: Hangouts": [[656, 664]], "System: Telegram": [[667, 675]], "System: BlackBerry Messenger": [[682, 702]]}, "info": {"id": "securebert2_train_00308", "source": "securebert2_train"}} |
| {"text": "Capture real-time voice calls in any network or app by hooking into the “ mediaserver ” system service RCSAndroid in the Wild Our analysis reveals that this RCSAndroid ( AndroidOS_RCSAgent.HRX ) has been in the wild since 2012 .", "spans": {"Malware: RCSAndroid": [[103, 113], [157, 167]], "Indicator: AndroidOS_RCSAgent.HRX": [[170, 192]]}, "info": {"id": "securebert2_train_00309", "source": "securebert2_train"}} |
| {"text": "Traces of its previous uses in the wild were found inside the configuration file : It was configured to use a Command-and-control ( C & C ) server in the United States ; however , the server was bought from a host service provider and is now unavailable .", "spans": {}, "info": {"id": "securebert2_train_00310", "source": "securebert2_train"}} |
| {"text": "It was configured to activate via SMS sent from a Czech Republic number .", "spans": {}, "info": {"id": "securebert2_train_00311", "source": "securebert2_train"}} |
| {"text": "Attackers can send SMS with certain messages to activate the agent and trigger corresponding action .", "spans": {}, "info": {"id": "securebert2_train_00312", "source": "securebert2_train"}} |
| {"text": "This can also define what kind of evidence to collect .", "spans": {}, "info": {"id": "securebert2_train_00313", "source": "securebert2_train"}} |
| {"text": "Based on emails leaked in the dump , a number of Czech firms appear to be in business with Hacking Team , including a major IT partner in the Olympic Games .", "spans": {}, "info": {"id": "securebert2_train_00314", "source": "securebert2_train"}} |
| {"text": "Dropping Cluster Bombs RCSAndroid is a threat that works like a cluster bomb in that it deploys multiple dangerous exploits and uses various techniques to easily infect Android devices .", "spans": {"Malware: RCSAndroid": [[23, 33]], "System: Android": [[169, 176]]}, "info": {"id": "securebert2_train_00315", "source": "securebert2_train"}} |
| {"text": "While analyzing the code , we found that the whole system consists of four critical components , as follows : penetration solutions , ways to get inside the device , either via SMS/email or a legitimate app ; low-level native code , advanced exploits and spy tools beyond Android ’ s security framework ; high-level Java agent , the app ’ s malicious APK ; command-and-control ( C & C ) servers , used to remotely send/receive malicious commands . Attackers use two methods to get targets to download RCSAndroid .", "spans": {"System: Android": [[272, 279]], "Malware: RCSAndroid": [[501, 511]]}, "info": {"id": "securebert2_train_00316", "source": "securebert2_train"}} |
| {"text": "The first method is to send a specially crafted URL to the target via SMS or email .", "spans": {}, "info": {"id": "securebert2_train_00317", "source": "securebert2_train"}} |
| {"text": "The URL will trigger exploits for arbitrary memory read ( CVE-2012-2825 ) and heap buffer overflow ( CVE-2012-2871 ) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean , allowing another local privilege escalation exploit to execute .", "spans": {"Vulnerability: arbitrary memory read ( CVE-2012-2825 )": [[34, 73]], "Vulnerability: heap buffer overflow ( CVE-2012-2871 )": [[78, 116]], "System: Android versions 4.0 Ice Cream Sandwich": [[160, 199]], "System: 4.3 Jelly Bean": [[203, 217]]}, "info": {"id": "securebert2_train_00318", "source": "securebert2_train"}} |
| {"text": "When root privilege is gained , a shell backdoor and malicious RCSAndroid agent APK file will be installed . The second method is to use a stealthy backdoor app such as ANDROIDOS_HTBENEWS.A , which was designed to bypass Google Play .", "spans": {"Malware: RCSAndroid": [[63, 73]], "Malware: ANDROIDOS_HTBENEWS.A": [[169, 189]], "System: Google Play": [[221, 232]]}, "info": {"id": "securebert2_train_00319", "source": "securebert2_train"}} |
| {"text": "The role of ANDROIDOS_HTBENEWS.A and the malicious APK mentioned in the first method is to exploit a local privilege escalation vulnerability in Android devices .", "spans": {"Malware: ANDROIDOS_HTBENEWS.A": [[12, 32]], "Vulnerability: local privilege escalation vulnerability": [[101, 141]]}, "info": {"id": "securebert2_train_00320", "source": "securebert2_train"}} |
| {"text": "Hacking Team has been known to use both CVE-2014-3153 and CVE-2013-6282 in their attacks .", "spans": {"Vulnerability: CVE-2014-3153": [[40, 53]], "Vulnerability: CVE-2013-6282": [[58, 71]]}, "info": {"id": "securebert2_train_00321", "source": "securebert2_train"}} |
| {"text": "These exploits root the device and install a shell backdoor .", "spans": {}, "info": {"id": "securebert2_train_00322", "source": "securebert2_train"}} |
| {"text": "The shell backdoor then installs the RCSAndroid agent .", "spans": {"Malware: RCSAndroid": [[37, 47]]}, "info": {"id": "securebert2_train_00323", "source": "securebert2_train"}} |
| {"text": "This agent has two core modules , the Evidence Collector and the Event Action Trigger .", "spans": {}, "info": {"id": "securebert2_train_00324", "source": "securebert2_train"}} |
| {"text": "The Evidence Collector module is responsible for the spying routines outlined above .", "spans": {}, "info": {"id": "securebert2_train_00325", "source": "securebert2_train"}} |
| {"text": "One of its most notable routines is capturing voice calls in real time by hooking into the “ mediaserver ” system service .", "spans": {}, "info": {"id": "securebert2_train_00326", "source": "securebert2_train"}} |
| {"text": "The basic idea is to hook the voice call process in mediaserver .", "spans": {}, "info": {"id": "securebert2_train_00327", "source": "securebert2_train"}} |
| {"text": "Take voice call playback process for example .", "spans": {}, "info": {"id": "securebert2_train_00328", "source": "securebert2_train"}} |
| {"text": "The mediaserver first builds a new unique track , starts playing the track , loops over all audio buffers , and finally stops the playback .", "spans": {}, "info": {"id": "securebert2_train_00329", "source": "securebert2_train"}} |
| {"text": "The raw wave audio buffer frame can be dumped in the getNextBuffer ( ) function .", "spans": {}, "info": {"id": "securebert2_train_00330", "source": "securebert2_train"}} |
| {"text": "With the help of the open-source Android Dynamic Binary Instrumentation Toolkit and root privilege , it is possible to intercept any function execution .", "spans": {"System: Android": [[33, 40]]}, "info": {"id": "securebert2_train_00331", "source": "securebert2_train"}} |
| {"text": "The Event Action Trigger module triggers malicious actions based on certain events .", "spans": {}, "info": {"id": "securebert2_train_00332", "source": "securebert2_train"}} |
| {"text": "These events can be based on time , charging or battery status , location , connectivity , running apps , focused app , SIM card status , SMS received with keywords , and screen turning on .", "spans": {}, "info": {"id": "securebert2_train_00333", "source": "securebert2_train"}} |
| {"text": "According to the configuration pattern , these actions are registered to certain events : Sync configuration data , upgrade modules , and download new payload ( this uses the transport protocol ZProtocol , encrypted with AES/CBC/PKCS5Padding , to communicate with the C & C server ) .", "spans": {}, "info": {"id": "securebert2_train_00334", "source": "securebert2_train"}} |
| {"text": "Upload and purge collected evidence ; Destroy device by resetting locking password ; Execute shell commands ; Send SMS with defined content or location ; Disable network ; Disable root ; Uninstall bot . To avoid detection and removal of the agent app in the device memory , the RCSAndroid suite also detects emulators or sandboxes , obfuscates code using DexGuard , uses an ELF string obfuscator , and adjusts the OOM ( out-of-memory ) value .", "spans": {"Malware: RCSAndroid": [[278, 288]], "System: DexGuard": [[355, 363]]}, "info": {"id": "securebert2_train_00335", "source": "securebert2_train"}} |
| {"text": "Interestingly , one unused feature of the app is its ability to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon .", "spans": {"System: Android": [[87, 94]]}, "info": {"id": "securebert2_train_00336", "source": "securebert2_train"}} |
| {"text": "Recommendations Popular mobile platforms like Android are common targets for organized or commercialized monitoring operations .", "spans": {"System: Android": [[46, 53]]}, "info": {"id": "securebert2_train_00337", "source": "securebert2_train"}} |
| {"text": "Attackers know that rooting devices via malware exploits is an effective means to control devices and gather information from them .", "spans": {}, "info": {"id": "securebert2_train_00338", "source": "securebert2_train"}} |
| {"text": "On a rooted device , security is a fairy tale .", "spans": {}, "info": {"id": "securebert2_train_00339", "source": "securebert2_train"}} |
| {"text": "Take note of the following best practices to prevent this threat from getting in your device : Disable app installations from unknown , third-party sources .", "spans": {}, "info": {"id": "securebert2_train_00340", "source": "securebert2_train"}} |
| {"text": "Constantly update your Android devices to the latest version to help prevent exploits , especially in the case of RCSAndroid which can affect only up to version 4.4.4 KitKat .", "spans": {"System: Android": [[23, 30]], "Malware: RCSAndroid": [[114, 124]], "System: 4.4.4 KitKat": [[161, 173]]}, "info": {"id": "securebert2_train_00341", "source": "securebert2_train"}} |
| {"text": "Note , however , that based on a leaked email from a customer inquiry , Hacking Team was in the process of developing exploits for Android 5.0 Lollipop .", "spans": {"Organization: Hacking Team": [[72, 84]], "System: Android 5.0 Lollipop": [[131, 151]]}, "info": {"id": "securebert2_train_00342", "source": "securebert2_train"}} |
| {"text": "Install a mobile security solution to secure your device from threats .", "spans": {}, "info": {"id": "securebert2_train_00343", "source": "securebert2_train"}} |
| {"text": "The leaked RCSAndroid code is a commercial weapon now in the wild .", "spans": {"Malware: RCSAndroid code": [[11, 26]]}, "info": {"id": "securebert2_train_00344", "source": "securebert2_train"}} |
| {"text": "Mobile users are called on to be on top of this news and be on guard for signs of monitoring .", "spans": {}, "info": {"id": "securebert2_train_00345", "source": "securebert2_train"}} |
| {"text": "Some indicators may come in the form of peculiar behavior such as unexpected rebooting , finding unfamiliar apps installed , or instant messaging apps suddenly freezing .", "spans": {}, "info": {"id": "securebert2_train_00346", "source": "securebert2_train"}} |
| {"text": "Should a device become infected , this backdoor cannot be removed without root privilege .", "spans": {}, "info": {"id": "securebert2_train_00347", "source": "securebert2_train"}} |
| {"text": "Users may require the help of their device manufacturer to get support for firmware flashing .", "spans": {}, "info": {"id": "securebert2_train_00348", "source": "securebert2_train"}} |
| {"text": "Trend Micro offers security for Android mobile devices through Mobile Security for Androidβ’ to protect against these types of attacks .", "spans": {"Organization: Trend Micro": [[0, 11]], "System: Android": [[32, 39]], "System: Mobile Security for Androidβ’": [[63, 91]]}, "info": {"id": "securebert2_train_00349", "source": "securebert2_train"}} |
| {"text": "Find out more about the 7 Android Security Hacks You Need to Do Right Now to keep your mobile data safe .", "spans": {"System: Android": [[26, 33]]}, "info": {"id": "securebert2_train_00350", "source": "securebert2_train"}} |
| {"text": "Update as of July 23 , 2015 1:00 AM PDT ( UTC-7 ) We have added a link to a previous report discussing this threat .", "spans": {}, "info": {"id": "securebert2_train_00351", "source": "securebert2_train"}} |
| {"text": "Timeline of posts related to the Hacking Team July 5 The Italian company Hacking Team was hacked , with more than 400GB of confidential company data made available to the public .", "spans": {"Organization: Hacking Team": [[73, 85]]}, "info": {"id": "securebert2_train_00352", "source": "securebert2_train"}} |
| {"text": "July 7 Three exploits ( two for Flash Player and one for the Windows kernel ) were initially found in the information dump .", "spans": {"System: Flash Player": [[32, 44]], "System: Windows": [[61, 68]]}, "info": {"id": "securebert2_train_00353", "source": "securebert2_train"}} |
| {"text": "One of these [ CVE-2015-5119 ] was a Flash zero-day .", "spans": {"Vulnerability: CVE-2015-5119": [[15, 28]]}, "info": {"id": "securebert2_train_00354", "source": "securebert2_train"}} |
| {"text": "The Windows kernel vulnerability ( CVE-2015-2387 ) existed in the open type font manager module ( ATMFD.dll ) and can be exploited to bypass the sandbox mitigation mechanism .", "spans": {"Vulnerability: Windows kernel vulnerability": [[4, 32]], "Vulnerability: CVE-2015-2387": [[35, 48]], "Indicator: ATMFD.dll": [[98, 107]]}, "info": {"id": "securebert2_train_00355", "source": "securebert2_train"}} |
| {"text": "The Flash zero-day exploit ( CVE-2015-5119 ) was added into the Angler Exploit Kit and Nuclear Exploit Pack .", "spans": {"System: Flash": [[4, 9]], "Vulnerability: CVE-2015-5119": [[29, 42]], "Malware: Angler Exploit Kit": [[64, 82]], "Malware: Nuclear Exploit Pack": [[87, 107]]}, "info": {"id": "securebert2_train_00356", "source": "securebert2_train"}} |
| {"text": "It was also used in limited attacks in Korea and Japan .", "spans": {}, "info": {"id": "securebert2_train_00357", "source": "securebert2_train"}} |
| {"text": "July 11 Two new Flash zero-day vulnerabilities , CVE-2015-5122 and CVE-2015-5123 , were found in the Hacking Team dump .", "spans": {"Vulnerability: Flash zero-day vulnerabilities": [[16, 46]], "Vulnerability: CVE-2015-5122": [[49, 62]], "Vulnerability: CVE-2015-5123": [[67, 80]], "Organization: Hacking Team": [[101, 113]]}, "info": {"id": "securebert2_train_00358", "source": "securebert2_train"}} |
| {"text": "July 13 Further analysis of the Hacking Team dump revealed that the company used a UEFI BIOS rootkit to keep their Remote Control System ( RCS ) agent installed in their targets ’ systems .", "spans": {"Organization: Hacking Team": [[32, 44]], "Malware: UEFI BIOS rootkit": [[83, 100]], "Malware: Remote Control System ( RCS )": [[115, 144]]}, "info": {"id": "securebert2_train_00359", "source": "securebert2_train"}} |
| {"text": "July 14 A new zero-day vulnerability ( CVE-2015-2425 ) was found in Internet Explorer .", "spans": {"Vulnerability: zero-day vulnerability": [[14, 36]], "Vulnerability: CVE-2015-2425": [[39, 52]], "System: Internet Explorer": [[68, 85]]}, "info": {"id": "securebert2_train_00360", "source": "securebert2_train"}} |
| {"text": "July 16 On the mobile front , a fake news app designed to bypass Google Play was discovered .", "spans": {"System: Google Play": [[65, 76]]}, "info": {"id": "securebert2_train_00361", "source": "securebert2_train"}} |
| {"text": "July 20 A new zero-day vulnerability ( CVE-2015-2426 ) was found in Windows , which Microsoft fixed in an out-of-band patch .", "spans": {"Vulnerability: zero-day vulnerability": [[14, 36]], "Vulnerability: CVE-2015-2426": [[39, 52]], "System: Windows": [[68, 75]], "Organization: Microsoft": [[84, 93]]}, "info": {"id": "securebert2_train_00362", "source": "securebert2_train"}} |
| {"text": "July 21 Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and root devices to get in .", "spans": {"Malware: RCSAndroid": [[24, 34]], "Organization: Hacking Team": [[61, 73]]}, "info": {"id": "securebert2_train_00363", "source": "securebert2_train"}} |
| {"text": "July 28 A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team .", "spans": {"System: Flash": [[76, 81]], "Organization: Hacking Team": [[102, 114]]}, "info": {"id": "securebert2_train_00364", "source": "securebert2_train"}} |
| {"text": "Android users warned of malware attack spreading via SMS FEB 16 , 2016 Security researchers are warning owners of Android smartphones about a new malware attack , spreading via SMS text messages .", "spans": {"System: Android": [[0, 7], [114, 121]]}, "info": {"id": "securebert2_train_00365", "source": "securebert2_train"}} |
| {"text": "As the team at Scandinavian security group CSIS describes , malware known as MazarBOT is being distributed via SMS in Denmark and is likely to also be encountered in other countries .", "spans": {"Organization: CSIS": [[43, 47]], "Malware: MazarBOT": [[77, 85]]}, "info": {"id": "securebert2_train_00366", "source": "securebert2_train"}} |
| {"text": "Victims ’ first encounter with the malware reportedly comes via an unsolicited text message that their Android smartphone receives .", "spans": {"System: Android smartphone": [[103, 121]]}, "info": {"id": "securebert2_train_00367", "source": "securebert2_train"}} |
| {"text": "The text message uses social engineering to dupe unsuspecting users into clicking on a link to a downloadable Android application .", "spans": {"System: Android": [[110, 117]]}, "info": {"id": "securebert2_train_00368", "source": "securebert2_train"}} |
| {"text": "CSIS provided a ( sanitised ) version of a typical message to warn users what to look out for : “ You have received a multimedia message from + [ country code ] [ sender number ] Follow the link http : //www.mmsforyou [ .", "spans": {"Organization: CSIS": [[0, 4]], "Indicator: http : //www.mmsforyou [ .": [[195, 221]]}, "info": {"id": "securebert2_train_00369", "source": "securebert2_train"}} |
| {"text": "] net/mms.apk to view the message ” Once the APK package is downloaded , potential victims are urged to grant the malicious app a wide range of permissions on their Android device . App permissions : SEND_SMS , RECEIVE_BOOT_COMPLETED , INTERNET , SYSTEM_ALERT_WINDOW , WRITE_SMS , ACCESS_NETWORK_STATE , WAKE_LOCK , GET_TASKS , CALL_PHONE , RECEIVE_SMS , READ_PHONE_STATE , READ_SMS , ERASE_PHONE . Once installed , MazarBOT downloads a copy of Tor onto users ’ Android smartphones and uses it to connect anonymously to the net before sending a text message containing the victim ’ s location to an Iranian mobile phone number .", "spans": {"Malware: MazarBOT": [[416, 424]], "System: Tor": [[445, 448]], "System: Android": [[165, 172], [462, 469]]}, "info": {"id": "securebert2_train_00370", "source": "securebert2_train"}} |
| {"text": "With the malware now in place , a number of actions can be performed , including allowing attackers to secretly monitor and control smartphones via a backdoor , send messages to premium-rate numbers , and intercept two-factor authentication codes sent by online banking apps and the like .", "spans": {}, "info": {"id": "securebert2_train_00371", "source": "securebert2_train"}} |
| {"text": "In fact , with full access to the compromised Android smartphone , the opportunities for criminals to wreak havoc are significant — such as erasing infected phones or launching man-in-the-middle ( MITM ) attacks .", "spans": {"System: Android smartphone": [[46, 64]]}, "info": {"id": "securebert2_train_00372", "source": "securebert2_train"}} |
| {"text": "In its analysis , CSIS notes that MazarBOT was reported by Recorded Future last November as being actively sold in Russian underground forums and intriguingly , the malware will not activate on Android devices configured with Russian language settings .", "spans": {"Organization: CSIS": [[18, 22]], "Malware: MazarBOT": [[34, 42]], "Organization: Recorded Future": [[59, 74]], "System: Android": [[194, 201]]}, "info": {"id": "securebert2_train_00373", "source": "securebert2_train"}} |
| {"text": "This , in itself , does not prove that the perpetrators of the malware campaign are based in Russia , but it certainly sounds as if that is a strong possibility .", "spans": {}, "info": {"id": "securebert2_train_00374", "source": "securebert2_train"}} |
| {"text": "Malware authors in the past have often coded a β safety net β into their malware to prevent them from accidentally infecting their own computers and devices .", "spans": {}, "info": {"id": "securebert2_train_00375", "source": "securebert2_train"}} |
| {"text": "For more detailed information about the threat , check out the blog post from CSIS .", "spans": {"Organization: CSIS": [[78, 82]]}, "info": {"id": "securebert2_train_00376", "source": "securebert2_train"}} |
| {"text": "And , of course , remember to always be wary of unsolicited , unusual text messages and of installing apps from third-party sources on your Android smartphone .", "spans": {"System: Android smartphone": [[140, 158]]}, "info": {"id": "securebert2_train_00377", "source": "securebert2_train"}} |
| {"text": "Coronavirus Update App Leads to Project Spy Android and iOS Spyware We discovered a cyberespionage campaign we have named Project Spy infecting Android and iOS devices with spyware by using the coronavirus disease ( Covid-19 ) as a lure .", "spans": {"System: Coronavirus Update App": [[0, 22]], "Malware: Project Spy": [[32, 43], [122, 133]], "System: Android": [[44, 51], [144, 151]], "System: iOS": [[56, 59], [156, 159]]}, "info": {"id": "securebert2_train_00378", "source": "securebert2_train"}} |
| {"text": "By : Tony Bao , Junzhi Lu April 14 , 2020 We discovered a potential cyberespionage campaign , which we have named Project Spy , that infects Android and iOS devices with spyware ( detected by Trend Micro as AndroidOS_ProjectSpy.HRX and IOS_ProjectSpy.A , respectively ) .", "spans": {"Malware: Project Spy": [[114, 125]], "System: Android": [[141, 148]], "System: iOS": [[153, 156]], "Organization: Trend Micro": [[192, 203]], "Indicator: AndroidOS_ProjectSpy.HRX": [[207, 231]], "Indicator: IOS_ProjectSpy.A": [[236, 252]]}, "info": {"id": "securebert2_train_00379", "source": "securebert2_train"}} |
| {"text": "Project Spy uses the ongoing coronavirus pandemic as a lure , posing as an app called Coronavirus Updates .", "spans": {"Malware: Project Spy": [[0, 11]]}, "info": {"id": "securebert2_train_00380", "source": "securebert2_train"}} |
| {"text": "We also found similarities in two older samples disguised as a Google service and , subsequently , as a music app after further investigation .", "spans": {"Organization: Google": [[63, 69]]}, "info": {"id": "securebert2_train_00381", "source": "securebert2_train"}} |
| {"text": "However , we have noted only a small number of downloads of the app in Pakistan , India , Afghanistan , Bangladesh , Iran , Saudi Arabia , Austria , Romania , Grenada , and Russia .", "spans": {}, "info": {"id": "securebert2_train_00382", "source": "securebert2_train"}} |
| {"text": "Project Spy routine At the end of March 2020 , we came across an app masquerading as a coronavirus update app , which we named Project Spy based on the login page of its backend server .", "spans": {"Malware: Project Spy": [[0, 11], [127, 138]]}, "info": {"id": "securebert2_train_00383", "source": "securebert2_train"}} |
| {"text": "This app carries the following capabilities : Upload GSM , WhatsApp , Telegram , Facebook , and Threema messages ; Upload voice notes , contacts stored , accounts , call logs , location information , and images ; Upload the expanded list of collected device information ( e.g. , IMEI , product , board , manufacturer , tag , host , Android version , application version , name , model brand , user , serial , hardware , bootloader , and device ID ) ; Upload SIM information ( e.g. , IMSI , operator code , country , MCC-mobile country , SIM serial , operator name , and mobile number ) ; Upload wifi information ( e.g. , SSID , wifi speed , and MAC address ) ; Upload other information ( e.g. , display , date , time , fingerprint , created at , and updated at ) . The app is capable of stealing messages from popular messaging apps by abusing the notification permissions to read the notification content and saving it to the database .", "spans": {"System: GSM": [[53, 56]], "System: WhatsApp": [[59, 67]], "System: Telegram": [[70, 78]], "System: Facebook": [[81, 89]], "System: Threema": [[96, 103]], "System: Android": [[332, 339]]}, "info": {"id": "securebert2_train_00384", "source": "securebert2_train"}} |
| {"text": "It requests permission to access the additional storage .", "spans": {}, "info": {"id": "securebert2_train_00385", "source": "securebert2_train"}} |
| {"text": "Project Spy ’ s earlier versions Searching for the domain in our sample database , we found that the coronavirus update app appears to be the latest version of another sample that we detected in May 2019 .", "spans": {"Malware: Project Spy": [[0, 11]]}, "info": {"id": "securebert2_train_00386", "source": "securebert2_train"}} |
| {"text": "The first version of Project Spy ( detected by Trend Micro as AndroidOS_SpyAgent.HRXB ) had the following capabilities : Collect device and system information ( i.e. , IMEI , device ID , manufacturer , model and phone number ) , location information , contacts stored , and call logs ; Collect and send SMS ; Take pictures via the camera ; Upload recorded MP4 files ; Monitor calls . Searching further , we also found another sample that could be the second version of Project Spy .", "spans": {"Malware: Project Spy": [[21, 32]], "Organization: Trend Micro": [[47, 58]], "Indicator: AndroidOS_SpyAgent.HRXB": [[62, 85]]}, "info": {"id": "securebert2_train_00387", "source": "securebert2_train"}} |
| {"text": "This version appeared as Wabi Music , and copied a popular video-sharing social networking service as its backend login page .", "spans": {}, "info": {"id": "securebert2_train_00388", "source": "securebert2_train"}} |
| {"text": "In this second version , the developer ’ s name listed was “ concipit1248 ” in Google Play , and may have been active between May 2019 and February 2020 .", "spans": {"System: Google Play": [[79, 90]]}, "info": {"id": "securebert2_train_00389", "source": "securebert2_train"}} |
| {"text": "This app appears to have become unavailable on Google Play in March 2020 .", "spans": {"System: Google Play": [[47, 58]]}, "info": {"id": "securebert2_train_00390", "source": "securebert2_train"}} |
| {"text": "The second Project Spy version has similar capabilities to the first version , with the addition of the following : Stealing notification messages sent from WhatsApp , Facebook , and Telegram ; Abandoning the FTP mode of uploading the recorded images . Aside from changing the app ’ s supposed function and look , the second and third versions ’ codes had little differences .", "spans": {"Malware: Project Spy": [[11, 22]], "System: WhatsApp": [[157, 165]], "System: Facebook": [[168, 176]], "System: Telegram": [[183, 191]]}, "info": {"id": "securebert2_train_00391", "source": "securebert2_train"}} |
| {"text": "Potentially malicious iOS connection Using the codes and “ Concipit1248 ” to check for more versions , we found two other apps in the App Store .", "spans": {"System: iOS": [[22, 25]], "System: App Store": [[134, 143]]}, "info": {"id": "securebert2_train_00392", "source": "securebert2_train"}} |
| {"text": "Further analysis of the iOS app “ Concipit1248 ” showed that the server used , spy [ .", "spans": {"Indicator: spy [ .": [[79, 86]]}, "info": {"id": "securebert2_train_00393", "source": "securebert2_train"}} |
| {"text": "] cashnow [ .", "spans": {}, "info": {"id": "securebert2_train_00394", "source": "securebert2_train"}} |
| {"text": "] ee , is the same one used in the Android version of Project Spy .", "spans": {"System: Android": [[35, 42]], "Malware: Project Spy": [[54, 65]]}, "info": {"id": "securebert2_train_00395", "source": "securebert2_train"}} |
| {"text": "However , although the “ Concipit1248 ” app requested permissions to open the device camera and read photos , the code can only upload a self-contained PNG file to a remote server .", "spans": {}, "info": {"id": "securebert2_train_00396", "source": "securebert2_train"}} |
| {"text": "This may imply the “ Concipit1248 ” app is still incubating .", "spans": {}, "info": {"id": "securebert2_train_00397", "source": "securebert2_train"}} |
| {"text": "The other iOS app “ Concipit Shop ” from the same developer appeared normal and was last updated in November 2019 .", "spans": {"System: iOS": [[10, 13]]}, "info": {"id": "securebert2_train_00398", "source": "securebert2_train"}} |
| {"text": "Apple has confirmed that the iOS apps are not functioning based on analysis of the codes , and stated that the sandbox is able to detect and block these malicious behaviors .", "spans": {"Organization: Apple": [[0, 5]], "System: iOS": [[29, 32]]}, "info": {"id": "securebert2_train_00399", "source": "securebert2_train"}} |
| {"text": "Conclusion The “ Corona Updates ” app had relatively low downloads in Pakistan , India , Afghanistan , Bangladesh , Iran , Saudi Arabia , Austria , Romania , Grenada , and Russia .", "spans": {}, "info": {"id": "securebert2_train_00400", "source": "securebert2_train"}} |
| {"text": "Perhaps the app β s false capabilities also fueled the low number of downloads .", "spans": {}, "info": {"id": "securebert2_train_00401", "source": "securebert2_train"}} |
| {"text": "It also appears the apps may still be in development or incubation , maybe waiting for a β right time β to inject the malicious codes .", "spans": {}, "info": {"id": "securebert2_train_00402", "source": "securebert2_train"}} |
| {"text": "It ’ s also possible that the apps are being used to test other possible techniques .", "spans": {}, "info": {"id": "securebert2_train_00403", "source": "securebert2_train"}} |
| {"text": "A possible indication for timing might be when the app reaches a specific number of downloads or infected devices .", "spans": {}, "info": {"id": "securebert2_train_00404", "source": "securebert2_train"}} |
| {"text": "The coding style suggests that the cybercriminals behind this campaign are amateurs .", "spans": {}, "info": {"id": "securebert2_train_00405", "source": "securebert2_train"}} |
| {"text": "The incomplete iOS codes used in this campaign may have been bought while other capabilities appear to have been added .", "spans": {"System: iOS": [[15, 18]]}, "info": {"id": "securebert2_train_00406", "source": "securebert2_train"}} |
| {"text": "This may also explain the timing in between the apps becoming fully functional and “ incubation. ” As this is a group we have not observed before , we will continue monitoring this campaign for further developments .", "spans": {}, "info": {"id": "securebert2_train_00407", "source": "securebert2_train"}} |
| {"text": "Users are cautioned to research and check reviews before they download apps .", "spans": {}, "info": {"id": "securebert2_train_00408", "source": "securebert2_train"}} |
| {"text": "Observe and look at the app ’ s display and text , stated functions , reviews from other users , and requested permissions before downloading .", "spans": {}, "info": {"id": "securebert2_train_00409", "source": "securebert2_train"}} |
| {"text": "Make sure that all other apps installed and the device operating systems are updated to the latest version .", "spans": {}, "info": {"id": "securebert2_train_00410", "source": "securebert2_train"}} |
| {"text": "Indicators of Compromise ( IoCs ) SHA256 Detection e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe AndroidOS_SpyAgent.HRXB e8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa AndroidOS_ProjectSpy.HRX 29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d AndroidOS_ProjectSpy.HRX 3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb IOS_ProjectSpy.A URLs cashnow [ .", "spans": {"Indicator: e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe": [[51, 115]], "Indicator: AndroidOS_SpyAgent.HRXB": [[116, 139]], "Indicator: e8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa": [[140, 204]], "Indicator: AndroidOS_ProjectSpy.HRX": [[205, 229], [295, 319]], "Indicator: 29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d": [[230, 294]], "Indicator: 3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb": [[320, 384]], "Indicator: IOS_ProjectSpy.A": [[385, 401]], "Indicator: cashnow [ .": [[407, 418]]}, "info": {"id": "securebert2_train_00411", "source": "securebert2_train"}} |
| {"text": "] ee Backend server ftp [ .", "spans": {"Indicator: server ftp [ .": [[13, 27]]}, "info": {"id": "securebert2_train_00412", "source": "securebert2_train"}} |
| {"text": "] XXXX [ .", "spans": {}, "info": {"id": "securebert2_train_00413", "source": "securebert2_train"}} |
| {"text": "] com Backend server spy [ .", "spans": {"Indicator: server spy [ .": [[14, 28]]}, "info": {"id": "securebert2_train_00414", "source": "securebert2_train"}} |
| {"text": "] cashnow [ .", "spans": {}, "info": {"id": "securebert2_train_00415", "source": "securebert2_train"}} |
| {"text": "] ee Backend server xyz [ .", "spans": {"Indicator: server xyz [ .": [[13, 27]]}, "info": {"id": "securebert2_train_00416", "source": "securebert2_train"}} |
| {"text": "] cashnow [ .", "spans": {}, "info": {"id": "securebert2_train_00417", "source": "securebert2_train"}} |
| {"text": "] ee Backend server October 8 , 2020 Sophisticated new Android malware marks the latest evolution of mobile ransomware Attackers are persistent and motivated to continuously evolve — and no platform is immune .", "spans": {"System: Android": [[55, 62]]}, "info": {"id": "securebert2_train_00418", "source": "securebert2_train"}} |
| {"text": "That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows .", "spans": {"Organization: Microsoft": [[12, 21]], "System: Windows": [[110, 117]]}, "info": {"id": "securebert2_train_00419", "source": "securebert2_train"}} |
| {"text": "The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint ( previously Microsoft Defender Advanced Threat Protection ) now delivers protection on all major platforms .", "spans": {"System: Microsoft Defender": [[73, 91]], "System: Microsoft Defender Advanced Threat Protection": [[118, 163]]}, "info": {"id": "securebert2_train_00420", "source": "securebert2_train"}} |
| {"text": "Microsoft β s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks , as well as provide more tools to detect and respond to threats across domains and across platforms .", "spans": {"Organization: Microsoft": [[0, 9]]}, "info": {"id": "securebert2_train_00421", "source": "securebert2_train"}} |
| {"text": "Like all of Microsoft ’ s security solutions , these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats .", "spans": {"Organization: Microsoft": [[12, 21]]}, "info": {"id": "securebert2_train_00422", "source": "securebert2_train"}} |
| {"text": "For example , we found a particularly sophisticated piece of Android ransomware with novel techniques and behavior , exemplifying the rapid evolution of mobile threats that we have also observed on other platforms .", "spans": {"System: Android": [[61, 68]]}, "info": {"id": "securebert2_train_00423", "source": "securebert2_train"}} |
| {"text": "The mobile ransomware , detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B , is the latest variant of a ransomware family that ’ s been in the wild for a while but has been evolving non-stop .", "spans": {"System: Microsoft Defender": [[36, 54]], "Indicator: AndroidOS/MalLocker.B": [[71, 92]]}, "info": {"id": "securebert2_train_00424", "source": "securebert2_train"}} |
| {"text": "This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures , including masquerading as popular apps , cracked games , or video players .", "spans": {}, "info": {"id": "securebert2_train_00425", "source": "securebert2_train"}} |
| {"text": "The new variant caught our attention because it ’ s an advanced malware with unmistakable malicious characteristics and behavior and yet manages to evade many available protections , registering a low detection rate against security solutions .", "spans": {}, "info": {"id": "securebert2_train_00426", "source": "securebert2_train"}} |
| {"text": "As with most Android ransomware , this new threat doesn ’ t actually block access to files by encrypting them .", "spans": {"System: Android": [[13, 20]]}, "info": {"id": "securebert2_train_00427", "source": "securebert2_train"}} |
| {"text": "Instead , it blocks access to devices by displaying a screen that appears over every other window , such that the user can ’ t do anything else .", "spans": {}, "info": {"id": "securebert2_train_00428", "source": "securebert2_train"}} |
| {"text": "This screen is the ransom note , which contains threats and instructions to pay the ransom .", "spans": {}, "info": {"id": "securebert2_train_00429", "source": "securebert2_train"}} |
| {"text": "What ’ s innovative about this ransomware is how it displays its ransom note .", "spans": {}, "info": {"id": "securebert2_train_00430", "source": "securebert2_train"}} |
| {"text": "In this blog , we ’ ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven ’ t seen leveraged by malware before , as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note .", "spans": {"System: Android": [[106, 113]]}, "info": {"id": "securebert2_train_00431", "source": "securebert2_train"}} |
| {"text": "New scheme , same goal In the past , Android ransomware used a special permission called “ SYSTEM_ALERT_WINDOW ” to display their ransom note .", "spans": {"System: Android": [[37, 44]]}, "info": {"id": "securebert2_train_00432", "source": "securebert2_train"}} |
| {"text": "Apps that have this permission can draw a window that belongs to the system group and can ’ t be dismissed .", "spans": {}, "info": {"id": "securebert2_train_00433", "source": "securebert2_train"}} |
| {"text": "No matter what button is pressed , the window stays on top of all other windows .", "spans": {}, "info": {"id": "securebert2_train_00434", "source": "securebert2_train"}} |
| {"text": "This window type was intended to be used for system alerts or errors , but Android threats misused it to force the attacker-controlled UI to fully occupy the screen , blocking access to the device .", "spans": {"System: Android": [[75, 82]]}, "info": {"id": "securebert2_train_00435", "source": "securebert2_train"}} |
| {"text": "Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device .", "spans": {}, "info": {"id": "securebert2_train_00436", "source": "securebert2_train"}} |
| {"text": "To catch these threats , security solutions used heuristics that focused on detecting this behavior .", "spans": {}, "info": {"id": "securebert2_train_00437", "source": "securebert2_train"}} |
| {"text": "Google later implemented platform-level changes that practically eliminated this attack surface .", "spans": {"Organization: Google": [[0, 6]]}, "info": {"id": "securebert2_train_00438", "source": "securebert2_train"}} |
| {"text": "These changes include : Removing the SYSTEM_ALERT_WINDOW error and alert window types , and introducing a few other types as replacement ; Elevating the permission status of SYSTEM_ALERT_WINDOW to special permission by putting it into the “ above dangerous ” category , which means that users have to go through many screens to approve apps that ask for permission , instead of just one click ; Introducing an overlay kill switch on Android 8.0 and later that users can activate anytime to deactivate a system alert window . To adapt , Android malware evolved to misusing other features , but these aren ’ t as effective .", "spans": {"System: Android 8.0": [[433, 444]], "System: Android": [[536, 543]]}, "info": {"id": "securebert2_train_00439", "source": "securebert2_train"}} |
| {"text": "For example , some strains of ransomware abuse accessibility features , a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services .", "spans": {}, "info": {"id": "securebert2_train_00440", "source": "securebert2_train"}} |
| {"text": "Other ransomware families use infinite loops of drawing non-system windows , but in between drawing and redrawing , it ’ s possible for users to go to settings and uninstall the offending app .", "spans": {}, "info": {"id": "securebert2_train_00441", "source": "securebert2_train"}} |
| {"text": "The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we ’ ve seen before .", "spans": {"System: Android": [[8, 15], [89, 96]]}, "info": {"id": "securebert2_train_00442", "source": "securebert2_train"}} |
| {"text": "To surface its ransom note , it uses a series of techniques that take advantage of the following components on Android : The “ call ” notification , among several categories of notifications that Android supports , which requires immediate user attention .", "spans": {"System: Android": [[111, 118], [196, 203]]}, "info": {"id": "securebert2_train_00443", "source": "securebert2_train"}} |
| {"text": "The “ onUserLeaveHint ( ) ” callback method of the Android Activity ( i.e. , the typical GUI screen the user sees ) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice , for example , when the user presses the Home key .", "spans": {"System: Android Activity": [[51, 67]]}, "info": {"id": "securebert2_train_00444", "source": "securebert2_train"}} |
| {"text": "The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback .", "spans": {}, "info": {"id": "securebert2_train_00445", "source": "securebert2_train"}} |
| {"text": "As the code snippet shows , the malware creates a notification builder and then does the following : setCategory ( “ call ” ) — This means that the notification is built as a very important notification that needs special privilege .", "spans": {}, "info": {"id": "securebert2_train_00446", "source": "securebert2_train"}} |
| {"text": "setFullScreenIntent ( ) — This API wires the notification to a GUI so that it pops up when the user taps on it .", "spans": {}, "info": {"id": "securebert2_train_00447", "source": "securebert2_train"}} |
| {"text": "At this stage , half the job is done for the malware .", "spans": {}, "info": {"id": "securebert2_train_00448", "source": "securebert2_train"}} |
| {"text": "However , the malware wouldn ’ t want to depend on user interaction to trigger the ransomware screen , so it also uses another Android callback : as the code snippet shows , the malware overrides the onUserLeaveHint ( ) callback function of the Activity class .", "spans": {"System: Android": [[127, 134]]}, "info": {"id": "securebert2_train_00449", "source": "securebert2_train"}} |
| {"text": "The onUserLeaveHint ( ) function is called whenever the malware screen is pushed to the background , causing the in-call Activity to be automatically brought back to the foreground .", "spans": {}, "info": {"id": "securebert2_train_00450", "source": "securebert2_train"}} |
| {"text": "Recall that the malware hooked the RansomActivity intent with the notification that was created as a “ call ” type notification .", "spans": {}, "info": {"id": "securebert2_train_00451", "source": "securebert2_train"}} |
| {"text": "This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window .", "spans": {}, "info": {"id": "securebert2_train_00452", "source": "securebert2_train"}} |
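The code snippets the write-up refers to are not reproduced in this excerpt, so the chain described above is reconstructed here as an added Java illustration. It is not code from the MalLocker.B sample or from Microsoft's post; the package, class, channel id and notification id are assumptions chosen for the example. A notification with category "call" carries a full-screen intent that points at the lock-screen Activity, and that Activity's onUserLeaveHint() override re-posts the notification whenever the user tries to leave, so the screen comes back without an overlay window or a redraw loop. Two platform requirements that matter for triage are folded in as comments: since Android 10 (API 29) a full-screen intent only fires if the manifest declares android.permission.USE_FULL_SCREEN_INTENT, and since Android 13 posting any notification needs the POST_NOTIFICATIONS runtime permission.

```java
// Added illustration of the "call" notification + onUserLeaveHint() chain.
// Not code from the MalLocker.B sample or from the original post; package, class,
// channel id and notification id are assumptions. Needs androidx.core (NotificationCompat).
package com.example.lockscreen; // assumed package name

import android.Manifest;
import android.app.Activity;
import android.app.Notification;
import android.app.NotificationChannel;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Bundle;
import androidx.core.app.NotificationCompat;
import androidx.core.content.ContextCompat;

// The screen the attacker wants kept in front (the write-up's "RansomActivity"); assumed name.
public class RansomActivity extends Activity {
    private static final String CHANNEL_ID = "calls";  // assumed channel id
    private static final int NOTIFICATION_ID = 0x1337; // assumed notification id

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // setContentView(...) with the full-screen note would go here; layout omitted.
    }

    // Step 1 of the chain: a "call"-category notification whose full-screen intent
    // targets this Activity. Manifest prerequisites for it to work at all:
    //   android.permission.USE_FULL_SCREEN_INTENT  (Android 10+, otherwise the intent is ignored)
    //   android.permission.POST_NOTIFICATIONS      (Android 13+, runtime permission)
    static void postCallStyleNotification(Context ctx) {
        NotificationManager nm = ctx.getSystemService(NotificationManager.class);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // Full-screen intents and heads-up only fire from a high-importance channel.
            nm.createNotificationChannel(new NotificationChannel(
                    CHANNEL_ID, "Calls", NotificationManager.IMPORTANCE_HIGH));
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU
                && ContextCompat.checkSelfPermission(ctx, Manifest.permission.POST_NOTIFICATIONS)
                        != PackageManager.PERMISSION_GRANTED) {
            return; // on Android 13+ nothing is shown without POST_NOTIFICATIONS
        }

        Intent toRansom = new Intent(ctx, RansomActivity.class)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TOP);
        int piFlags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            piFlags |= PendingIntent.FLAG_IMMUTABLE; // mutability flag is mandatory on Android 12+
        }
        PendingIntent fullScreen = PendingIntent.getActivity(ctx, 0, toRansom, piFlags);

        Notification n = new NotificationCompat.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.sym_call_incoming)
                .setContentTitle("Incoming call")
                .setPriority(NotificationCompat.PRIORITY_MAX)   // importance on pre-O devices
                .setCategory(NotificationCompat.CATEGORY_CALL)  // the write-up's setCategory("call")
                .setFullScreenIntent(fullScreen, true)           // the write-up's setFullScreenIntent()
                .setOngoing(true)
                .build();
        // Cancel before posting so the system treats it as a new notification
        // rather than an update of the existing one.
        nm.cancel(NOTIFICATION_ID);
        nm.notify(NOTIFICATION_ID, n);
    }

    // Step 2 of the chain: invoked when the user backgrounds this Activity by choice
    // (Home key, recents). Re-posting the notification brings the Activity back
    // without a system overlay or a redraw loop, which is what earlier heuristics keyed on.
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        postCallStyleNotification(this);
    }
}
```

For static triage of an APK, the combination to flag is USE_FULL_SCREEN_INTENT in the manifest, CATEGORY_CALL on a notification builder together with setFullScreenIntent, and an onUserLeaveHint override, in an app that declares no dialer or telecom role. On Android 14 the full-screen-intent grant is a special app access that the user can revoke per app, which removes the trigger this chain depends on.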
| {"text": "Machine learning module indicates continuous evolution As mentioned , this ransomware is the latest variant of a malware family that has undergone several stages of evolution .", "spans": {}, "info": {"id": "securebert2_train_00453", "source": "securebert2_train"}} |
| {"text": "The knowledge graph below shows the various techniques this ransomware family has been seen using , including abusing the system alert window , abusing accessibility features , and , more recently , abusing notification services .", "spans": {}, "info": {"id": "securebert2_train_00454", "source": "securebert2_train"}} |
| {"text": "This ransomware family ’ s long history tells us that its evolution is far from over .", "spans": {}, "info": {"id": "securebert2_train_00455", "source": "securebert2_train"}} |
| {"text": "We expect it to churn out new variants with even more sophisticated techniques .", "spans": {}, "info": {"id": "securebert2_train_00456", "source": "securebert2_train"}} |
| {"text": "In fact , recent variants contain code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size , a valuable function given the variety of Android devices .", "spans": {"System: Android": [[213, 220]]}, "info": {"id": "securebert2_train_00457", "source": "securebert2_train"}} |
| {"text": "The frozen TinyML model is useful for making sure images fit the screen without distortion .", "spans": {"System: TinyML": [[11, 17]]}, "info": {"id": "securebert2_train_00458", "source": "securebert2_train"}} |
| {"text": "In the case of this ransomware , using the model would ensure that its ransom note , typically a fake police notice or explicit images supposedly found on the device , would appear less contrived and more believable , increasing the chances of the user paying the ransom .", "spans": {}, "info": {"id": "securebert2_train_00459", "source": "securebert2_train"}} |
| {"text": "The library that uses tinyML is not yet wired to the malware’s functionality , but its presence in the malware code indicates the intention to do so in future variants .", "spans": {"System: tinyML": [[22, 28]]}, "info": {"id": "securebert2_train_00460", "source": "securebert2_train"}} |
| {"text": "We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights to the community for broad protection against these evolving mobile threats .", "spans": {}, "info": {"id": "securebert2_train_00461", "source": "securebert2_train"}} |
| {"text": "Protecting organizations from threats across domains and platforms Mobile threats continue to rapidly evolve , with attackers continuously attempting to sidestep technological barriers and creatively find ways to accomplish their goal , whether financial gain or finding an entry point to broader network compromise .", "spans": {}, "info": {"id": "securebert2_train_00462", "source": "securebert2_train"}} |
| {"text": "This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow .", "spans": {}, "info": {"id": "securebert2_train_00463", "source": "securebert2_train"}} |
| {"text": "It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals .", "spans": {}, "info": {"id": "securebert2_train_00464", "source": "securebert2_train"}} |
| {"text": "Microsoft Defender for Endpoint on Android , now generally available , extends Microsoft’s industry-leading endpoint protection to Android .", "spans": {"System: Microsoft Defender": [[0, 18]], "System: Android": [[35, 42], [131, 138]], "Organization: Microsoft": [[79, 88]]}, "info": {"id": "securebert2_train_00465", "source": "securebert2_train"}} |
| {"text": "It detects this ransomware ( AndroidOS/MalLocker.B ) , as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics , in addition to content-based detection .", "spans": {"Indicator: AndroidOS/MalLocker.B": [[29, 50]]}, "info": {"id": "securebert2_train_00466", "source": "securebert2_train"}} |
| {"text": "It also protects users and organizations from other mobile threats , such as mobile phishing , unsafe network connections , and unauthorized access to sensitive data .", "spans": {}, "info": {"id": "securebert2_train_00467", "source": "securebert2_train"}} |
| {"text": "Learn more about our mobile threat defense capabilities in Microsoft Defender for Endpoint on Android .", "spans": {"System: Microsoft Defender": [[59, 77]], "System: Android": [[94, 101]]}, "info": {"id": "securebert2_train_00468", "source": "securebert2_train"}} |
| {"text": "Malware , phishing , and other threats detected by Microsoft Defender for Endpoint are reported to the Microsoft Defender Security Center , allowing SecOps to investigate mobile threats along with endpoint signals from Windows and other platforms using Microsoft Defender for Endpoint’s rich set of tools for detection , investigation , and response .", "spans": {"System: Microsoft Defender": [[51, 69], [253, 271]], "Organization: Microsoft Defender Security Center": [[103, 137]], "System: Windows": [[219, 226]]}, "info": {"id": "securebert2_train_00469", "source": "securebert2_train"}} |
| {"text": "Threat data from endpoints are combined with signals from email and data , identities , and apps in Microsoft 365 Defender ( previously Microsoft Threat Protection ) , which orchestrates detection , prevention , investigation , and response across domains , providing coordinated defense .", "spans": {"System: Microsoft 365 Defender": [[100, 122]], "System: Microsoft Threat Protection": [[136, 163]]}, "info": {"id": "securebert2_train_00470", "source": "securebert2_train"}} |
| {"text": "Microsoft Defender for Endpoint on Android further enriches organizations’ visibility into malicious activity , empowering them to comprehensively prevent , detect , and respond to attack sprawl and cross-domain incidents .", "spans": {"System: Microsoft Defender": [[0, 18]], "System: Android": [[35, 42]]}, "info": {"id": "securebert2_train_00471", "source": "securebert2_train"}} |
| {"text": "Technical analysis Obfuscation On top of recreating ransomware behavior in ways we haven’t seen before , the Android malware variant uses a new obfuscation technique unique to the Android platform .", "spans": {"System: Android": [[109, 116], [180, 187]]}, "info": {"id": "securebert2_train_00472", "source": "securebert2_train"}} |
| {"text": "One of the tell-tale signs of an obfuscated malware is the absence of code that defines the classes declared in the manifest file .", "spans": {}, "info": {"id": "securebert2_train_00473", "source": "securebert2_train"}} |
| {"text": "The classes.dex has implementation for only two classes : the main application class gCHotRrgEruDv , which is involved when the application opens , and a helper class that has the definition for custom encryption and decryption . This means that there’s no code corresponding to the services declared in the manifest file : Main Activity , Broadcast Receivers , and Background .", "spans": {}, "info": {"id": "securebert2_train_00474", "source": "securebert2_train"}} |
| {"text": "How does the malware work without code for these key components ? As is characteristic for obfuscated threats , the malware has encrypted binary code stored in the Assets folder : When the malware runs for the first time , the static block of the main class is run .", "spans": {}, "info": {"id": "securebert2_train_00475", "source": "securebert2_train"}} |
| {"text": "The code is heavily obfuscated and made unreadable through name mangling and use of meaningless variable names : Decryption with a twist The malware uses an interesting decryption routine : the string values passed to the decryption function do not correspond to the decrypted value ; they correspond to junk code that exists simply to hinder analysis .", "spans": {}, "info": {"id": "securebert2_train_00476", "source": "securebert2_train"}} |
| {"text": "On Android , an Intent is a software mechanism that allows users to coordinate the functions of different Activities to achieve a task .", "spans": {"System: Android": [[3, 10]]}, "info": {"id": "securebert2_train_00477", "source": "securebert2_train"}} |
| {"text": "It β s a messaging object that can be used to request an action from another app component .", "spans": {}, "info": {"id": "securebert2_train_00478", "source": "securebert2_train"}} |
| {"text": "The Intent object carries a string value as β action β parameter .", "spans": {}, "info": {"id": "securebert2_train_00479", "source": "securebert2_train"}} |
| {"text": "The malware creates an Intent inside the decryption function using the string value passed as the name for the Intent .", "spans": {}, "info": {"id": "securebert2_train_00480", "source": "securebert2_train"}} |
| {"text": "It then decrypts a hardcoded encrypted value and sets the β action β parameter of the Intent using the setAction API .", "spans": {}, "info": {"id": "securebert2_train_00481", "source": "securebert2_train"}} |
| {"text": "Once this Intent object is generated with the action value pointing to the decrypted content , the decryption function returns the Intent object to the caller .", "spans": {}, "info": {"id": "securebert2_train_00482", "source": "securebert2_train"}} |
| {"text": "The caller then invokes the getAction method to get the decrypted content .", "spans": {}, "info": {"id": "securebert2_train_00483", "source": "securebert2_train"}} |
| {"text": "Payload deployment Once the static block execution is complete , the Android Lifecycle callback transfers the control to the OnCreate method of the main class .", "spans": {"System: Android Lifecycle": [[69, 86]]}, "info": {"id": "securebert2_train_00484", "source": "securebert2_train"}} |
| {"text": "Malware code showing onCreate method Figure 9. onCreate method of the main class decrypting the payload Next , the malware-defined function decryptAssetToDex ( a meaningful name we assigned during analysis ) receives the string “CuffGmrQRT” as the first argument , which is the name of the encrypted file stored in the Assets folder .", "spans": {"Indicator: CuffGmrQRT": [[229, 239]]}, "info": {"id": "securebert2_train_00485", "source": "securebert2_train"}} |
| {"text": "Malware code showing decryption of assets Figure 10 .", "spans": {}, "info": {"id": "securebert2_train_00486", "source": "securebert2_train"}} |
| {"text": "Decrypting the assets After being decrypted , the asset turns into the .dex file .", "spans": {}, "info": {"id": "securebert2_train_00487", "source": "securebert2_train"}} |
| {"text": "This is a notable behavior that is characteristic of this ransomware family .", "spans": {}, "info": {"id": "securebert2_train_00488", "source": "securebert2_train"}} |
| {"text": "Comparison of code of Asset file before and after decryption Figure 11 .", "spans": {}, "info": {"id": "securebert2_train_00489", "source": "securebert2_train"}} |
| {"text": "Asset file before and after decryption Once the encrypted executable is decrypted and dropped in the storage , the malware has the definitions for all the components it declared in the manifest file .", "spans": {}, "info": {"id": "securebert2_train_00490", "source": "securebert2_train"}} |
| {"text": "It then starts the final detonator function to load the dropped .dex file into memory and triggers the main payload .", "spans": {}, "info": {"id": "securebert2_train_00491", "source": "securebert2_train"}} |
| {"text": "Malware code showing loading of decrypted dex file Figure 12 .", "spans": {}, "info": {"id": "securebert2_train_00492", "source": "securebert2_train"}} |
| {"text": "Loading the decrypted .dex file into memory and triggering the main payload Main payload When the main payload is loaded into memory , the initial detonator hands over the control to the main payload by invoking the method XoqF ( which we renamed to triggerInfection during analysis ) from the gvmthHtyN class ( renamed to PayloadEntry ) .", "spans": {}, "info": {"id": "securebert2_train_00493", "source": "securebert2_train"}} |
| {"text": "Malware code showing handover from initial module to main payload Figure 13 .", "spans": {}, "info": {"id": "securebert2_train_00494", "source": "securebert2_train"}} |
| {"text": "Handover from initial module to the main payload As mentioned , the initial handover component called triggerInfection with an instance of appObj and a method that returns the value for the variable config .", "spans": {}, "info": {"id": "securebert2_train_00495", "source": "securebert2_train"}} |
| {"text": "Malware code showing definition of populateConfigMap Figure 14 .", "spans": {}, "info": {"id": "securebert2_train_00496", "source": "securebert2_train"}} |
| {"text": "Definition of populateConfigMap , which loads the map with values Correlating the last two steps , one can observe that the malware payload receives the configuration for the following properties : number , the default number to be sent to the server ( in case the number is not available from the device ) ; api , the API key ; and url , the URL to be loaded in WebView to display the ransom note . The malware saves this configuration to the shared preferences of the app data and then sets up all the Broadcast Receivers .", "spans": {}, "info": {"id": "securebert2_train_00497", "source": "securebert2_train"}} |
| {"text": "This action registers code components to get notified when certain system events happen .", "spans": {}, "info": {"id": "securebert2_train_00498", "source": "securebert2_train"}} |
| {"text": "This is done in the function initComponents .", "spans": {}, "info": {"id": "securebert2_train_00499", "source": "securebert2_train"}} |