CopyCat Android Rooting Malware Infected 14 Million Devices

CopyCat Android Rooting Malware Infected 14 Million Devices 

CopyCat Android mobile malware was able to infect over 14 million devices last year and root eight million of them, researchers have revealed.

The malware, spread through popular apps repackaged with the malicious code and distributed through third-party stores and phishing scams -- but not Google Play -- infects devices in order to generate and steal advertising revenue.

According to Check Point researchers, the hackers behind the campaign were able to earn roughly $1.5 million in two months, infecting 14 million devices globally and rooting 8 million of them in what the security team calls an "an unprecedented success rate."

Check Point

Once a device is infected, CopyCat waits until a restart to allay suspicion then attempts to root the device. Check Point says that CopyCat was able to successfully root 54 percent of all the devices it infected, "which is very unusual even with sophisticated malware."

In order to achieve root status, the malicious code uses six different vulnerabilities for Android versions 5 and earlier through an "upgrade" pack pulled from Amazon web storage. Some of the flaws the malware tests for are extremely old and the most modern ones were discovered over two years ago -- and so should your device be patched and up-to-date, CopyCat should not be a worry.

"These old exploits are still effective because users patch their devices infrequently, or not at all," the researchers note.

The malware then injects malicious code into the Zygote app launching process, which permits attackers to generate fraudulent revenue by installing apps and substituting the user's referrer ID with their own, as well as display fraudulent ads and applications.

This technique was first used by the Triada Trojan. According to Kaspersky Labs, the malware targeted the same process to gain superuser privileges before using regular Linux debugging tools to embed its DLL and target mobile browsers.

In total, fraudulent ads were displayed on 26 percent of infected devices, while 30 percent were used to steal credit for installing apps on Google Play. In addition, Check Point says the malware would also send device brand, model, OS version and country to CopyCat command and control (C&C) centers.

At the peak of the campaign in April and May 2016, CopyCat mainly infected users in Asia, although over 280,000 infections were also recorded in the United States.

Check Poin

Google was able to quell the campaign, and now the current number of infected devices is far lower -- but those affected by the malware may still be generating revenue for the attackers today.

The researchers are not sure who is behind the malware campaign but has tentatively linked MobiSummer as some of the malware's code is signed by the Chinese ad network.

See also: Windows ransomware found to be incredibly rare

Earlier this week, a UK teenager was charged for supplying malware for use in distributed denial-of-service (DDoS) attacks and assisting criminals in striking high-profile targets worldwide, including NatWest, Vodafone, O2, BBC, BT, Amazon, Netflix, and Virgin Media, among others.r

Read More

AlphaBay Dark Web Market Goes Down; Users Fear Exit-Scam

AlphaBay Dark Web Market Goes Down; Users Fear Exit-Scam 

AlphaBay Market, one of the largest Dark Web marketplaces for drugs, guns, and other illegal goods, suddenly disappeared overnight without any explanation from its admins, leaving its customers who have paid large sums in panic.

AlphaBay, also known as "the new Silk Road," has been shut down since Tuesday night. The site also came in the news at the beginning of this year when a hacker successfully hacked the AlphaBay site and stole over 200,000 private unencrypted messages from several users.

Although the website sometimes goes down for maintenance, customers are speculating that the admins have stolen all their Bitcoins for good measure, when heard no words from the site's admins on the downtime.

Some users at Reddit and Twitter are claiming that AlphaBay's admins may have shut down the marketplace to withdraw a huge number of bitcoins from the site's accounts.

The withdrawal Bitcoin transactions total 1,479.03904709 Bitcoin (roughly $3.8 Million), which led to suspicion from some users that the site’s admins may have pulled an exit scam to steal user funds.

In March 2015, the largest (at the time) dark web market 'Evolution' suddenly disappeared overnight from the Internet, stealing millions of dollars worth of Bitcoins from its customers.

However, users no need to worry—at least right now when nothing is confirmed, and the timing of the two incidents—site downtime and Bitcoin withdrawals—may be just coincidental.

This is not the first time AlphaBay goes offline. Last year, the site went down for about four days. Also, the blockchain transactions of about $3.8 Million are not enough for AlphaBay moderators to go offline.

One user on Reddit calls for calm and patience, saying "Now I'll admit I don't know for sure what's going on, and I am a bit nervous myself because if this is the end then I've lost a couple of hundred dollars myself But think about it Last year alphabay went down for about 4 days."

"Everyone was saying for sure that this was it, but it was not. It took the alphabay moderators days to update people on what was going on too; they're known to do this. Also about that blockchain transaction.. 44 bitcoins rounds off to about 4 million US. [I don’t know] about you but that doesn't sound like nearly enough money."

While AlphaBay continues to be down, and AlphaBay-associated Redditor who goes by moniker Big_Muscles has called users to calm down, saying the site's servers are under update and will be "back online soon."

Also unlike Silk Road, there is no indication that the law enforcement took down the AlphaBay marketplace.

Silk Road was shut down in 2013 after the arrest of its unassuming founder, Ross William Ulbricht. The FBI seized bitcoins (worth about $33.6 million, at the time) from the site, which were later sold in a series of auctions by the United States Marshals Service (USMS).

AlphaBay Market, one of the largest Dark Web marketplaces for drugs, guns, and other illegal goods, suddenly disappeared overnight without any explanation from its admins, leaving its customers who have paid large sums in panic. AlphaBay, also known as "the new Silk Road," has been shut down since Tuesday night. The site also came in the news at the beginning of this year when a hacker successfully hacked the AlphaBay site and stole over 200,000 private unencrypted messages from several users. Although the website sometimes goes down for maintenance, customers are speculating that the admins have stolen all their Bitcoins for good measure, when heard no words from the site's admins on the downtime. Some users at Reddit and Twitter are claiming that AlphaBay's admins may have shut down the marketplace to withdraw a huge number of bitcoins from the site's accounts. The withdrawal Bitcoin transactions total 1,479.03904709 Bitcoin (roughly $3.8 Million), which led to suspicion from some users that the site’s admins may have pulled an exit scam to steal user funds. In March 2015, the largest (at the time) dark web market 'Evolution' suddenly disappeared overnight from the Internet, stealing millions of dollars worth of Bitcoins from its customers. However, users no need to worry—at least right now when nothing is confirmed, and the timing of the two incidents—site downtime and Bitcoin withdrawals—may be just coincidental. This is not the first time AlphaBay goes offline. Last year, the site went down for about four days. Also, the blockchain transactions of about $3.8 Million are not enough for AlphaBay moderators to go offline. One user on Reddit calls for calm and patience, saying "Now I'll admit I don't know for sure what's going on, and I am a bit nervous myself because if this is the end then I've lost a couple of hundred dollars myself But think about it Last year alphabay went down for about 4 days." "Everyone was saying for sure that this was it, but it was not. It took the alphabay moderators days to update people on what was going on too; they're known to do this. Also about that blockchain transaction.. 44 bitcoins rounds off to about 4 million US. [I don’t know] about you but that doesn't sound like nearly enough money." While AlphaBay continues to be down, and AlphaBay-associated Redditor who goes by moniker Big_Muscles has called users to calm down, saying the site's servers are under update and will be "back online soon." Also unlike Silk Road, there is no indication that the law enforcement took down the AlphaBay marketplace. Silk Road was shut down in 2013 after the arrest of its unassuming founder, Ross William Ulbricht. The FBI seized bitcoins (worth about $33.6 million, at the time) from the site, which were later sold in a series of auctions by the United States Marshals Service (USMS).

Read More

This newly discovered bug allows any website to crash a Windows Vista, 7, or 8 PC

Windows 7 users may want to forget this month as soon as possible. Recently, the widely spread WannaCry ransomware virus had infected computers around the world, of which majority of those affected were Windows 7 users. And, now in what looks like a major throwback from the 1990s, a new bug has been discovered that can slow down and crash systems running Windows Vista, Windows 7 or Windows 8/8.1, reports ArsTechnica. Malicious users can abuse this bug to attack other people’s systems by using certain bad filenames to lock their system or crash it with a blue screen of death (BSOD).

For those unfamiliar, this newly discovered bug is an upgraded version of an annoying old bug known as concon. This was a computer bug that appeared in the Windows 95 and Windows 98 operating systems and was considered as a security vulnerability because malicious web pages would crash systems with links such as file:///C:/con/con.

So, how does this new iteration of bug work? This bug allows a malicious website to load an image file with the “$MFT” name in the directory path. “$MFT” is a filename given to a special metadata file that’s used by Windows’ NTFS filesystems. Since the file exists in the root directory of each NTFS volume, it’s hidden from view and inaccessible to most software. However, it is handled by the NTFS driver in special ways.

When someone tries embedding certain bad filenames by using them as image sources, it can lock the system or occasionally crash with a BSOD. For instance, if you are trying to open the file c:\$MFT\123, the NTFS driver locks the filesystem and never releases it, which in turn prevents any apps that are running from accessing data on the hard drive. This ultimately causes the affected system to slow down, hang, or worse, crash by making way for the dreaded BSOD. The only way that you can get yourself out of this situation is by rebooting your system.

While Microsoft has been informed of the bug, it is not clear as of yet when it will release a fix for the problem. Meanwhile, Windows 10 users remain unaffected by the new bug.

Read More

Largest Cryptocurrency Exchange Hacked! Over $1 Million Worth Bitcoin and Ether Stolen

One of the world's largest Bitcoin and Ether cryptocurrencies exchanges Bithumb has recently been hacked, resulting in loss of more than $1 Million in cryptocurrencies after a number of its user accounts compromised.

Bithumb is South Korea's largest cryptocurrency exchange with 20% of global ether trades, and roughly 10% of the global bitcoin trade is exchanged for South Korea's currency, the Won.

Bithumb is currently the fourth largest Bitcoin exchange and the biggest Ethereum exchange in the world.

Last week, a cyber attack on the cryptocurrency exchange giant resulted in a number of user accounts being compromised, and billions of South Korean Won were stolen from customers accounts.

Around 10 Million Won worth of bitcoins were allegedly stolen from a single victim's account, according to the Kyunghyang Shinmun, a major local newspaper.

A survey of users who lost cryptocurrencies in the cyber attack reveals "it is estimated that hundreds of millions of won [worth of cryptocurrencies] have been withdrawn from accounts of one hundred investors. One member claims to have had 1.2 billion won stolen."

Besides digital currencies, hackers were succeeded in stealing the personal information of 31,800 Bithumb website users, including their names, email addresses, and mobile phone numbers, the South Korean government-funded Yonhap News reported.

However, Bithumb claims that this number represents approximately 3% of its customers.

The exchange also told Yonhap that it contacted South Korea's cybercrime watchdog on June 30, Friday after it learned of the hack on June 29.

Bithumb believes that one of its employee's home computer was hacked in the attack and not its entire network and no passwords were compromised, so it is impossible for hackers to gain direct access to user accounts.

The digital currency exchange says that the loss of funds is the result of using "disposable passwords" in order to carry out digital transactions online.

"The employee PC, not the head office server, was hacked. Personal information such as mobile phone and email address of some users were leaked," Bithumb told the newspaper. "However, some customers were found to have been stolen from because of the disposable password used in electronic financial transactions."

While more than 100 Bithumb customers have already filed a complaint with the National Police Agency's cybercrime report center regarding the hack, South Korean officials are now investigating the incident.

One of the world's largest Bitcoin and Ether cryptocurrencies exchanges Bithumb has recently been hacked, resulting in loss of more than $1 Million in cryptocurrencies after a number of its user accounts compromised. Bithumb is South Korea's largest cryptocurrency exchange with 20% of global ether trades, and roughly 10% of the global bitcoin trade is exchanged for South Korea's currency, the Won. Bithumb is currently the fourth largest Bitcoin exchange and the biggest Ethereum exchange in the world. Last week, a cyber attack on the cryptocurrency exchange giant resulted in a number of user accounts being compromised, and billions of South Korean Won were stolen from customers accounts. Around 10 Million Won worth of bitcoins were allegedly stolen from a single victim's account, according to the Kyunghyang Shinmun, a major local newspaper. A survey of users who lost cryptocurrencies in the cyber attack reveals "it is estimated that hundreds of millions of won [worth of cryptocurrencies] have been withdrawn from accounts of one hundred investors. One member claims to have had 1.2 billion won stolen." Besides digital currencies, hackers were succeeded in stealing the personal information of 31,800 Bithumb website users, including their names, email addresses, and mobile phone numbers, the South Korean government-funded Yonhap News reported. However, Bithumb claims that this number represents approximately 3% of its customers. The exchange also told Yonhap that it contacted South Korea's cybercrime watchdog on June 30, Friday after it learned of the hack on June 29. Bithumb believes that one of its employee's home computer was hacked in the attack and not its entire network and no passwords were compromised, so it is impossible for hackers to gain direct access to user accounts. The digital currency exchange says that the loss of funds is the result of using "disposable passwords" in order to carry out digital transactions online. "The employee PC, not the head office server, was hacked. Personal information such as mobile phone and email address of some users were leaked," Bithumb told the newspaper. "However, some customers were found to have been stolen from because of the disposable password used in electronic financial transactions." While more than 100 Bithumb customers have already filed a complaint with the National Police Agency's cybercrime report center regarding the hack, South Korean officials are now investigating the incident.

Read More