New DoubleLocker Ransomware Attacks Android Devices

Security researchers have discovered a new kind of ransomware for Android that both changes the affected device’s PIN code and encrypts its files. It goes by the name DoubleLocker and is reported to reuse code from an old banking trojan called Svpeng, which was formerly one of the more interesting pieces of Android malware: it would overlay fake banking logins, steal money from bank accounts through SMS account management, change PIN codes, and encrypt user files. Fortunately, the DoubleLocker ransomware does not attempt to steal any banking information. At least not yet.

DoubleLocker takes a new approach to ransomware, being the first of its kind to misuse Android’s accessibility service to gain admin rights. Once installed, usually through a fake Flash Player update, the app requests accessibility permissions. If the user grants them, the app is able to simulate touches on the screen, so it makes itself a device administrator and sets itself as the default home app. This means that whenever the user presses the home button, the malware is relaunched. The app then uses its administrator rights to change the PIN code on the phone and encrypt all of the user’s files into .cryeye files with a random key stored at a remote location.

[image: doublelocker ransom screen]

Once running, the app shows a ransom demand for 0.013 BTC (about $70) like the one pictured; once paid, the phone is remotely decrypted and the PIN lock removed.

There are a few ways to protect yourself from these kinds of attacks. For one, Flash Player for mobile has been discontinued, so there is no legitimate update to install. More generally, however, you should:

  • Only install apps from trusted sources
  • Keep the “Unknown Sources” checkbox off unless you have a very good reason to turn it on. Always turn it back off right afterwards.
  • Keep an antivirus app on your smartphone
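The two settings DoubleLocker depends on (an enabled accessibility service and sideloading) can be audited from a PC. The script below is an added example, not code from the original post; it reads the real `Settings.Secure` keys `enabled_accessibility_services` and `install_non_market_apps` (the “Unknown Sources” switch on Android 7 and earlier) over adb, and the allowlist of known-good services is an assumption you adjust to your own device.

```python
"""Audit an Android device's accessibility and sideloading settings via adb."""
import subprocess

# Assumed allowlist: accessibility services you deliberately enabled
# (a screen reader, for example). Anything else is reported.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}


def parse_service_list(raw: str) -> list[str]:
    """Split the colon-separated value of enabled_accessibility_services.

    `settings get` prints the literal string "null" when the key is unset.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [svc for svc in raw.split(":") if svc]


def audit(accessibility_raw: str, unknown_sources_raw: str) -> list[str]:
    """Return findings for the two raw setting values pulled from a device."""
    findings = []
    for svc in parse_service_list(accessibility_raw):
        if svc not in KNOWN_GOOD_SERVICES:
            findings.append(f"unexpected accessibility service enabled: {svc}")
    if unknown_sources_raw.strip() == "1":
        findings.append("Unknown Sources is on: sideloaded APKs can be installed")
    return findings


def adb_secure(key: str) -> str:
    """Read one Settings.Secure value through adb (USB debugging required)."""
    return subprocess.check_output(
        ["adb", "shell", "settings", "get", "secure", key], text=True
    )


if __name__ == "__main__":
    results = audit(
        adb_secure("enabled_accessibility_services"),
        adb_secure("install_non_market_apps"),
    )
    for line in results or ["no findings"]:
        print(line)
```

A service you do not recognise in the first finding is exactly the foothold described above, and revoking it in Settings also removes the malware's ability to click through the device-administrator prompt.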

Sources used:

~ Daniel Monteagudo


Is your phone really locked?


Recently, new information has been discovered regarding a lock screen vulnerability in certain Android products. “Google recently issued a patch for Nexus mobile devices to fix an Android Lollipop vulnerability that lets hackers bypass the lock screen and gain control of mobile devices. However, it could take weeks to months for manufacturers and service providers to roll out the patch for other Android devices.” University of Texas security researcher John Gordon discovered the vulnerability.

The pattern and PIN lock methods do not present a text field. The attack relies on text being pasted into the password field to crash the lock screen, so the safest choice is to use one of those two methods to secure your phone. “Lock screen security in general is iffy, lock screen vulnerabilities happen on all mobile operating platforms,” Lysa Myers, a researcher for Eset, told LinuxInsider.

Many owners of these types of phones may ignore this recent news because they feel they have set a password that is hard to crack, but that is no deterrent to these attackers. “This is a major threat. Even when users feel confident about locking their phone with a strong password, if their device is exposed to this exploit, it does not really matter how strong the password is,” said Armando Leon, director of mobile at LaunchKey.

Overall, it could take many months for most users to receive the patches. While the patches roll out this slowly, there are no measures in place to stop attackers from bypassing a person’s lock screen and going straight to the home screen. This results in loss of personal data as well as a major inconvenience to the owner.

Source: http://www.technewsworld.com/story/82513.html

Lisa Ann Hornak

Android SMS Malware

According to Sophos’ Naked Security blog, fake Android applications are making the rounds that use SMS (text messages) to spread in a worm-like fashion and infect as many people as possible. Applications such as ‘Heart App’ and ‘Self-time’ were discussed and dealt with previously, but the most recent malicious app (as of March 6th) goes by the name Gazon.

So how does one become infected by Gazon? It starts with a friend (or other contact) who has already been infected. You receive an SMS from that person containing an introduction, a message stating that they are sending you an Amazon gift card, and a link to where you can claim it. These links are usually obscured with URL shortening services such as Bitly, so they generally do not look like a normal domain name. Following the link directs you to download and install Gazon, masquerading as an Amazon Rewards application. Once the app is installed and run, every contact the user has becomes a viable target, as Gazon does not limit the number of contacts it will attempt to reach the way Heart App and Self-time do. On top of this, pop-up ads advertising games, vouchers and rewards are displayed when using browsers (according to the article).

There are two things that I find interesting about this ordeal. The first is that this app is not certified by Google, and thus does not appear on the Google Play store. The only way that this app can spread is through SMS, meaning that if you’ve ever gotten a message similar to this, then one of your contacts has fallen for this tactic and downloaded it. Furthermore, I could not find an ‘Amazon Rewards’ app on the Google Play store, legitimate or otherwise, meaning that it’s likely no such application exists. The second thing that I found interesting is how many ways infection by this app could be avoided, which are not taken by the victims. For example, simply responding to the message by asking the contact what it’s all about would likely result in the contact confirming it’s spam. Similarly, someone prompted to download the app could look it up on Google Play to check its legitimacy, and find that it is not legitimate. However, neither of these actions is taken, and thus the worm has proceeded to spread quickly.

The author of the malicious app has yet to be identified. Previous iterations of these kinds of apps have been traced, such as the Heart App, which was traced to a bored Chinese college student, but it depends on how well the authors are attempting to stay hidden. On that note, the Self-time App, which is close to half a year old at this point, still has not been traced to any definitive creator.

Written By Jeff Gruttadauria

Articles Used:

https://nakedsecurity.sophos.com/2015/03/06/gazon-android-virus-smses-everyone/

https://nakedsecurity.sophos.com/2014/06/29/anatomy-of-an-android-sms-virus-watch-out-for-text-messages-even-from-your-friends/

https://nakedsecurity.sophos.com/2014/08/11/android-heart-app-virus-spreads-quickly-author-arrested-within-17-hours/

Android Malware Fakes Shutdown, Steals Data

A new type of Android malware is able to hijack your phone’s shutdown process to fake being turned off. Once in this fake shutdown state, the malware can steal data and use the phone’s services. The phone must be rooted to be vulnerable to this exploit.

Researchers at AVG found the malware and posted information about it to their blog on February 18, 2015. When an infected phone is being shut down, a fake dialog box appears giving the user what appear to be the standard options. When shutdown is selected, the malware plays a fake shutdown sequence and the phone appears to be turned off. Once in this state, the victim’s phone can be accessed and used to make calls, take pictures and transfer data without the victim’s knowledge.

According to AVG, the malware has spread to at least 10,000 Chinese devices so far through third-party app sites. They report that the malware can affect devices running any Android version prior to 5.0 (Lollipop), and the phone must be rooted.

The exploit involves the ShutDownThread.shutdown function and the mWindowManagerFuncs.shutdown interface object. The malware tries to gain root permissions and, once successful, injects a modified system_server process to hijack the stock shutdown function. It then listens for the power key press, at which point it launches its own fake dialog box.

Jacob R Hooker

Sources:

http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/

http://www.securityweek.com/android-malware-hijacks-phone%E2%80%99s-shutdown-process

http://www.pcworld.com/article/2886932/android-malware-fakes-phone-shutdown-to-steal-data.html

CurrentC Hacked Before It Is Even Launched

CurrentC is a mobile payment system slated for release in 2015 that is meant to compete with Google Wallet and Apple Pay. On October 30, Merchant Customer Exchange (MCX), the organization behind the smartphone app, informed its beta testers that its database had been hacked and that users’ email addresses had been compromised. Unlike Google Wallet and Apple Pay, CurrentC uses QR codes instead of NFC to make financial transactions. It also does not allow you to pay using a credit card and instead links directly to your checking account. The system is backed by many retail giants because it would allow them to avoid paying credit card transaction fees. Although no financial information was leaked in this breach, it is still a major cause for concern for many people, since CurrentC requires you to enter your bank account information and Social Security number. It also does not help that Kmart, Lowe’s, Target, and several other MCX member companies have already experienced data breaches of their own over the past year.

Source: http://www.pcworld.com/article/2841032/currentc-is-doa-before-its-even-launched.html

-Chris Jones