Android Hack Brief: Update Your Android Security Patch to Block an Evil Toast Attack

Android hack brief: update your Android security patch to block the "Evil Toast" Android malware attack. Modern Android takes pains to "sandbox" applications, keeping them carefully segregated so that no malicious program can interfere with the sensitive business of another. But security researchers have found an unexpected feature of Android that can surreptitiously grant an application permission not only to get outside its sandbox, but to completely redraw the phone's screen while another part of the operating system is running, tricking users into tapping fake buttons that can have unexpected consequences. And while hijacking your finger taps is not a new feat for Android hackers, a new tweak to the attack makes it easier than ever.


The Android Hack


On Thursday, researchers from Palo Alto Networks warned in a blog post that users should rush to patch their Android phones against what they call a "toast" attack: on every version of Android other than Oreo, a user may be fooled into installing a piece of malware that can overlay images on top of other applications and on elements of the phone's controls and settings. It could, for example, place an image of an innocent-looking "continue installation" or simple "OK" button over a hidden button that invisibly grants the malware more privileges in the phone's operating system, silently install a fraudulent application, or take over the screen and lock the user out of every other part of the phone, ransomware-style.

"They can make it look like you're touching one thing when you're playing another," says Palo Alto researcher Ryan Olson. "All they have to do is put a button overlay on 'enable this app to be a device admin' and they have cheated you into giving them control over your device."

Android overlay attacks have been around for almost as long as Android itself. But despite repeated efforts by Android developers at Google to solve the problem, another version of the overlay attack was presented earlier this year at the Black Hat security conference. This new attack, known as Cloak and Dagger, took advantage of two features of Android to re-enable overlay attacks: one called SYSTEM_ALERT_WINDOW, designed to let applications display alerts, and another known as BIND_ACCESSIBILITY_SERVICE, which lets applications built for users with disabilities manipulate other applications, magnify text or read it aloud. Any malware performing the Cloak and Dagger attack would need to request the user's permission for those features when it is installed, and the system alert permission is only granted to applications installed from the Google Play Store.

The toast overlay attack takes Cloak and Dagger one step further, say the Palo Alto researchers. They found that they could hijack the accessibility feature to perform a specific form of overlay using so-called toast notifications, which pop up and fill the screen, without needing the system alert permission. That tweak not only reduces the permissions the user must be tricked into granting, but also means the malware could be distributed from outside the Google Play Store, where it would not be subject to Google's security controls.

When we contacted Google about the attack, a spokesman declined to comment but noted that Google released a patch for the problem on Tuesday.

Who is affected?


Every version of Android before Oreo is vulnerable to the new version of the overlay attack, according to Palo Alto, unless you have already installed Google's patch. (Thanks to the complexity of Android's entanglements with phone carriers and manufacturers, most users most likely have not.)

The most recent version of Android prior to Oreo has a safeguard that only allows a toast notification to be displayed for 3.5 seconds. But that can be circumvented by putting the notification in a repeated, timed loop. "If you do it over and over and over again, you can create a continuous overlay that is not visible to the user as a change," says Olson.

How serious is this?


While Palo Alto calls its toast overlay method a "high severity vulnerability," it is not exactly cause for panic. Palo Alto says it has not yet seen the attack used in the wild. And users would have to make a series of mistakes (even if forgivable ones) before the attack could wreak havoc: you would first have to install the malware equipped with the method, either after it had already slipped into the Play Store or, less forgivably, from a source outside Play, and then grant it "Accessibility" permissions before it could start popping up its deceptive toast notifications.

But that does not mean the toast overlay attack is not worth a quick update to fix: better to patch the phone's operating system now than to worry later about a malicious toast hijacking its screen.


Malware Alert, Don't Download Android Super Mario Run APK

Be careful: the Android version of Super Mario Run is actually malware; do not install it. Super Mario Run is loved by everyone, old and young. The game has been released on iOS, but not yet on the Android operating system. Android device owners have been eagerly waiting for the game so they can enjoy it on the go. Android users are abundant all over the world and Super Mario is popular across borders, so it is not surprising that when users discovered that an Android version of the game was apparently available, they were quick to download it.


But the Android version of Super Mario available in third-party Android app stores is actually a fake application containing malware. There is not a single such application but many, floating around untrustworthy app stores. One of them, called Super Mario, gets full control of the device after requesting the privileges to edit, read and receive/send text messages, and goes as far as capturing images and videos and using the phone's GPS to track your location.

The news was broken by Trend Micro, a Tokyo-based IT security firm, whose security research team detected malicious Super Mario applications about 90,000 times in 2016. The company notes that such fake Super Mario game apps have been around since 2012, but since news broke of an Android release of the game sometime in 2017, the frequency and number of these malicious applications have doubled.

This is the share, by country, of users who downloaded fake Super Mario game applications on their Android devices:

Indonesia 41%, India 33%, Mexico 8%, Japan 4%, Philippines 3%, United States 2% and other 9%.

The application mentioned above is one of the infected applications that prompts users to install an update called 9Apps, which requests additional rights such as recording audio, accessing the SD card and changing calendar entries.

This particular application also offers an imitation of the actual NES Super Mario Bros. game. However, according to the analysis, the application also shows "unnecessary icons, pop-ups, banners [and] installs other applications and performs other intrusive activities without any user input."

If you click on any of the ads shown, the applications redirect you to other websites, including adult websites, that try to install further applications on your device. It goes without saying that these new applications are loaded with other malware that will then request administrative privileges on your device.

It is recommended to avoid downloading any third-party app and to rely only on official stores like the Google Play Store. Also, on your Android device, open Settings and uncheck the "Unknown sources" box if it is enabled.

Remember, this is not the first time cybercriminals have used a famous gaming application to infect users. A few months ago, the Pokémon Go application was also used to infect those who were looking for its Android version in the days before its official launch in the Google Play Store.

Dirty Cow Android Flaw Not Included in Google's November Security Update

Google's November Android security update fixes bugs and security flaws, but the "Dirty Cow" Linux flaw is not among them. Last month, Linux security researcher Phil Oester discovered that a nine-year-old Linux kernel bug (CVE-2016-5195), dubbed "Dirty Cow", also affects many Android users. Google was expected to fix it, since Android uses the Linux kernel, in its latest security updates, but as it turns out, the search giant has left the old but important flaw out of its security update dated November.


The November Android security update fixes 15 critical flaws in the platform, but surprisingly the vulnerability discovered by Oester has not yet been fixed. The extent of the danger can be understood from the fact that it can give an attacker root access to a device in just five seconds.

"The exploit is trivial to run in the wild, never failed and has probably been there for years; the version I got was compiled with GCC 4.8," said Oester last month. The bug was first patched 11 years ago, but that fix was subsequently undone by another update.

Threatpost, Kaspersky Lab's news site, reported that although the main November Android security update does not include a fix for the Dirty Cow flaw, Google released a separate patch for Pixel and Nexus devices. It added that Samsung has also shipped a fix for its mobile devices. Google will deliver the Dirty Cow patch for Android in the December Android security update.

What makes this decision worse is that exploitation of this bug leaves no trace. That makes it all the more dangerous, because users will not be aware that their security has been compromised.

Svpeng Android Trojan Hacked 3 Lakh Android Phones via Google AdSense

Almost 318,000 Android phones have been hacked via a Google AdSense vulnerability. Kaspersky Lab, an international IT security and antivirus provider headquartered in Moscow and operated by a holding company in the UK, said on Tuesday that it had discovered a variant of the mobile Svpeng Trojan hidden in Google's AdSense advertising network.

"Since mid-July, Svpeng has been detected on the Android devices of about 318,000 users, with infection rates reaching 37,000 victims a day. To steal bank card information and personal data, the hackers are using a bug in Chrome for Android," Kaspersky Lab said in a statement, adding that the bug has been corrected by Google.


The first known case of a Svpeng attack using the Chrome for Android bug came in mid-July on a Russian-language news site, said the antivirus maker, adding that the Trojan downloaded itself silently when an Android user visited the website.

The infection started from a malicious ad placed through Google AdSense. The ad appears "normal" on uninfected phones; the Trojan only downloads when the user accesses the page through the Chrome browser on an Android device.

"Svpeng disguised itself as a major browser upgrade or a popular application to convince the user to approve the installation. When the malware launches, it disappears from the list of installed applications and asks the user for admin rights. Once the malware gains admin rights it becomes more difficult to detect," said Kaspersky, adding that the attacker had found a way to bypass some of Google Chrome's most important security features.

Under normal circumstances, when an APK file is downloaded to a mobile device through an external link, the browser displays a warning that a potentially dangerous object is being downloaded. In this case, the fraudsters found a vulnerability that allows APK files to be downloaded without any notification to the user. After detecting the bug, Kaspersky Lab reported the problem to Google immediately.

The patch will be released in the next update of Google Chrome for Android, according to the company.

"The Svpeng case reaffirms the importance of collaboration between companies. We have a common goal to protect users from cyber attacks, and it is important that we work together to achieve this objective, and we thank Google for its quick response. We also encourage users to avoid downloading applications from untrustworthy sources and to be cautious about what permissions they are asked to give and why," said Nikita Buchka, a malware analyst at Kaspersky Lab.

The Svpeng mobile banking Trojan is designed to steal credit card information. It also captures call histories, text and multimedia messages, browser bookmarks, and contacts. Svpeng mainly attacks Russian-speaking countries, but it has the potential to spread worldwide. Because of the way the malware is distributed, millions of websites around the world are at risk, as many of them use the AdSense ad network.

A New Malware App is Targeting Mobile Banking and Payment Apps in US and Europe

The latest Android malware targets mobile banking applications in Europe and the United States, going after 94 different mobile banking and payment apps, including American Express, PayPal and Santander, according to various media reports.


Fortinet, a company that produces and markets cyber security software, was the first to discover the malware, which poses as a Flash Player application. The malware gains full administrative rights over an Android phone when the user presses its activation button during installation. It then runs in the background and waits until the owner opens a mobile banking or payment application.

The bug affects Android smartphones in Europe and the United States.

According to media reports, the malware also targets social media applications such as Facebook, LinkedIn, Twitter and Snapchat. The Trojan can also intercept SMS messages.

HummingBad Malware infected 10 Million Android Phones, Secure Your Android Devices

HummingBad malware: Chinese malware has infected 10 million Android devices. Experts estimate that more than 10 million Android devices worldwide have been infected by malicious software from a Chinese company.

Cyber security specialist Check Point has tracked the malicious program, called HummingBad, since its discovery in February and has seen the number of infected devices increase across the world.


In a new report, Check Point said the malware uses a multi-stage attack chain with two main components; the initial infection takes place when people visit certain websites on their Android phones.

"The first component attempts to gain root access to an Android device with a rootkit [software] that exploits multiple vulnerabilities. If successful, the attacker gets full access to the device," according to the report.

"If rooting fails, a second component uses a fake system update notification, fooling users into granting HummingBad full system-level permissions."

According to Check Point, Yingmob, an otherwise legitimate mobile advertising agency based in Beijing, is responsible for the malware.

"Yingmob has several development teams for legitimate ad display and tracking platforms. The team responsible for developing this malware consists of four groups with a total of 25 employees," according to the report.

The cyber security company's analysis details how Yingmob used the malicious software to generate advertising revenue through fraudulently forced app downloads and ad clicks. The company is earning as much as A$402,000 per month with the help of this Android malware.

"Yingmob may be the first group exposed for spreading this type of Android malware, but it will certainly not be the last," according to the report.

The good news is that probably fewer than 100,000 Android devices in Australia are infected with HummingBad.

How to know if you are infected with HummingBad malware?


Fortunately, the malware is now well known to security experts, and good phone protection software can detect it, since it easily recognizes the infection.

Options include Check Point's ZoneAlarm app, 360 Security Antivirus Boost, Avira Antivirus Security and a variety of others.

Scanning with antivirus software quickly detects the malware and notifies the user of the malicious apps on the device.


What to do if you are infected with HummingBad malware?


Although fewer than 100,000 Android devices in Australia are infected, the malware should be removed as soon as possible after infection.

Fortunately, there are some methods to achieve this.

The first option is the somewhat difficult task of finding the source of the malware and removing it manually from the device.

The other option, a little more drastic, is to factory reset the phone. A factory reset is the best choice for removing malware and viruses from Android devices for those who don't know much about Android or are not technically inclined.

Amazing Fansmitter malware that steals data from computers without Internet

Fansmitter is malware that steals data from a computer with no Internet or network connection, via the computer's cooling fan. Researchers at Ben-Gurion University of the Negev's cyber security research center created the malware, called Fansmitter, which hijacks an air-gapped computer by manipulating the speed of its CPU and chassis fans so that the sound they produce carries signals picked up by a smartphone's microphone.


The scenario in which this trick works requires several preparatory steps, the researchers wrote. Basically, the malware uses the computer's fan as a transmitter while the smartphone acts as a receiver. The researchers said the air-gapped target machine must first be compromised physically. They cited the Stuxnet attack, in which a USB drive was used to deploy malware that attacked machines at an Iranian nuclear site, as an example of how this could be achieved.

The smartphone must also be hacked before the attack so that it can receive the data. Moreover, it must be within 24 feet of the target computer.

Then the desired data is modulated and transmitted as acoustic waves emitted by the computer's fan, created by running it faster or slower. This information is "heard" by the hacked smartphone, decoded and transmitted to the remote attacker.

The binary data is modulated and transmitted through these audio signals to a microphone at a distance. "We show that the software can adjust the speed of the internal fan to control the acoustic signals emitted by a computer," the report says.

The process takes a long time as the fan can only transmit the data at a speed of 15 bits per minute.

Fansmitter was successfully tested in a normal working environment with ambient background noise from an air conditioner, multiple workstations and other people.
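A defender's counterpart to the channel described above, as an added example that is not the Ben-Gurion researchers' code: it assumes a host agent sampling CPU load and chassis fan RPM once per second (the telemetry here is constructed), and flags a fan that jumps between two fixed speeds while load stays flat, which is what fan-speed modulation looks like and what a temperature-following fan controller never does.

```python
"""Heuristic detector for Fansmitter-style fan-speed covert channels.

Added example, not the researchers' code. Assumes a host agent samples
CPU load (%) and chassis fan speed (RPM) once per second; all telemetry
below is constructed. A fan controller chasing temperature ramps speed
gradually and in step with load, so a fan that jumps hundreds of RPM
between two fixed levels while load is flat is the tell-tale of modulation.
"""
from statistics import mean
from typing import Dict, List, Sequence, Tuple

Sample = Tuple[float, int]  # (cpu_load_percent, fan_rpm), one per second


def build_trace(bits: Sequence[int], load: float = 6.0, rpm_low: int = 1000,
                rpm_high: int = 1600, symbol_len: int = 4) -> List[Sample]:
    """Constructed telemetry of a modulated fan: each bit holds the fan at one
    of two speeds for symbol_len seconds (4 s per bit matches the 15 bit/min
    rate reported for Fansmitter). Used here only to generate test data."""
    trace: List[Sample] = []
    for bit in bits:
        trace.extend([(load, rpm_high if bit else rpm_low)] * symbol_len)
    return trace


def flag_fan_covert_channel(samples: Sequence[Sample], max_load_spread: float = 10.0,
                            min_jump: int = 300, min_jumps: int = 4) -> Dict[str, object]:
    """Flag a trace when CPU load is flat (no thermal reason for fan changes)
    yet the fan makes several abrupt jumps between consecutive samples."""
    loads = [load for load, _ in samples]
    rpms = [rpm for _, rpm in samples]
    load_spread = max(loads) - min(loads)
    abrupt_jumps = sum(1 for a, b in zip(rpms, rpms[1:]) if abs(b - a) >= min_jump)
    flagged = load_spread <= max_load_spread and abrupt_jumps >= min_jumps
    return {"flagged": flagged, "load_spread": load_spread, "abrupt_jumps": abrupt_jumps}


def recover_symbols(samples: Sequence[Sample], symbol_len: int = 4) -> List[int]:
    """For a flagged trace, collapse each symbol period to 0/1 around the midpoint
    between the two fan levels, so an analyst can see the bit stream the
    telemetry encodes and judge how much could have leaked."""
    rpms = [rpm for _, rpm in samples]
    midpoint = (max(rpms) + min(rpms)) / 2
    return [int(mean(rpms[i:i + symbol_len]) > midpoint)
            for i in range(0, len(rpms), symbol_len)]


# Constructed traces, 32 s each.
SUSPICIOUS = build_trace([1, 0, 0, 1, 1, 0, 1, 0])                 # idle load, toggling fan
BENIGN_RAMP = [(10.0 + 2.5 * i, 1000 + 20 * i) for i in range(32)]  # build job, fan follows load
BENIGN_IDLE = [(5.0, 1000)] * 32                                    # idle, fan steady

if __name__ == "__main__":
    for name, trace in [("suspicious", SUSPICIOUS), ("ramp", BENIGN_RAMP), ("idle", BENIGN_IDLE)]:
        verdict = flag_fan_covert_channel(trace)
        print(name, verdict)
        if verdict["flagged"]:
            print("  recovered symbols:", recover_symbols(trace))
```

At 15 bits per minute a flagged trace of a few minutes carries only tens of bytes, so the recovered symbol count bounds how much could have left the machine.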

Gunpoder: New Android Malware Spreading on Android Phones


Gunpoder Android malware: a new Android malware family targets people outside China and infects their Android phones. Researchers have discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. Palo Alto Networks named the family "Gunpoder" after the principal name found in the malicious Android software, and its Unit 42 threat intelligence team found 49 unique samples across three different variants.

This finding highlights the fine line between "adware", which antivirus products traditionally do not block, and malware, given the software's ability to cause harm.


Gunpoder samples have been uploaded to VirusTotal since November 2014, with all antivirus engines reporting the malware as "benign" or "adware", verdicts under which existing controls would not prevent the malware from being installed on Android.

During its investigation of the samples, the Unit 42 team noted that although the malware contains many adware features, and actually embeds a popular adware library, it also performs a number of overtly malicious activities that the researchers believe characterize this family as malware: collecting sensitive user information, spreading via SMS messages, pushing potentially fraudulent advertising, and the ability to run additional payloads.

Gunpoder targets Android users in at least 13 countries, including India. An interesting observation from reverse engineering Gunpoder is that this family only spreads among users outside China.

Gunpoder includes legitimate advertising libraries within its samples. These ad libraries are easily detected and may themselves include aggressive behaviors. The malware successfully uses them to hide its malicious behavior from antivirus: while antivirus software may flag Gunpoder as adware, it does not flag it as overtly malicious.

Users who run Gunpoder are shown a notice that it includes an ad library and that the advertising is legitimate. "We believe that the notice was intentionally added in order to use the library as a legitimate scapegoat," the researchers said.

Gunpoder samples embed malicious code in popular Nintendo Entertainment System (NES) emulator games, which are based on an open source game framework.

Palo Alto Networks has seen a trend of malware authors repackaging open source Android applications with malicious code. Gunpoder makes use of this technique, which makes it difficult to distinguish the malicious code during static analysis.

Observation shows that these malicious samples support online payments through PayPal, Moneybookers, Xsolla and CYPay. Gunpoder also steals the victims' browser history, bookmarks and other private information.

In addition, Gunpoder collects information about all apps and Android packages installed on the victim's device, and provides capabilities for executing payloads: the code that dynamically loads and executes the payload after decoding it resides in the "com.fcp.a" and "com.fx.a" components.

So far, Palo Alto Networks has observed 49 unique samples of the Gunpoder family and found three groups of variants within it. Variants in group 1 (12 samples) can spread via SMS and lure users into making payments. Variants in group 2 (16 samples) can only lure users into making a payment, and variants in group 3 (21 samples) neither spread via SMS nor lure users into payments. Group 3 was found to contain the newest Gunpoder variants.