
Friday, 7 July 2017

CopyCat Android Rooting Malware Infected 14 Million Devices

CopyCat Android mobile malware was able to infect over 14 million devices last year and root eight million of them, researchers have revealed.
The malware, spread through popular apps repackaged with the malicious code and distributed through third-party stores and phishing scams -- but not Google Play -- infects devices in order to generate and steal advertising revenue.
According to Check Point researchers, the hackers behind the campaign were able to earn roughly $1.5 million in two months, infecting 14 million devices globally and rooting 8 million of them in what the security team calls "an unprecedented success rate."
Once a device is infected, CopyCat waits until a restart to allay suspicion then attempts to root the device. Check Point says that CopyCat was able to successfully root 54 percent of all the devices it infected, "which is very unusual even with sophisticated malware."
In order to achieve root status, the malicious code uses six different vulnerabilities for Android versions 5 and earlier through an "upgrade" pack pulled from Amazon web storage. Some of the flaws the malware tests for are extremely old and the most modern ones were discovered over two years ago, so if your device is patched and up to date, CopyCat should not be a worry.
"These old exploits are still effective because users patch their devices infrequently, or not at all," the researchers note.
The malware then injects malicious code into the Zygote app launching process, which permits attackers to generate fraudulent revenue by installing apps and substituting the user's referrer ID with their own, as well as display fraudulent ads and applications.
This technique was first used by the Triada Trojan. According to Kaspersky Labs, the malware targeted the same process to gain superuser privileges before using regular Linux debugging tools to embed its DLL and target mobile browsers.
In total, fraudulent ads were displayed on 26 percent of infected devices, while 30 percent were used to steal credit for installing apps on Google Play. In addition, Check Point says the malware would also send device brand, model, OS version and country to CopyCat command and control (C&C) centers.
At the peak of the campaign in April and May 2016, CopyCat mainly infected users in Asia, although over 280,000 infections were also recorded in the United States.
Google was able to quell the campaign, and now the current number of infected devices is far lower -- but those affected by the malware may still be generating revenue for the attackers today.
The researchers are not sure who is behind the malware campaign but have tentatively linked it to MobiSummer, as some of the malware's code is signed by the Chinese ad network.
Earlier this week, a UK teenager was charged with supplying malware for use in distributed denial-of-service (DDoS) attacks and assisting criminals in striking high-profile targets worldwide, including NatWest, Vodafone, O2, BBC, BT, Amazon, Netflix, and Virgin Media, among others.

Saturday, 3 June 2017

Beware! Fireball Malware Infects Nearly 250 Million Computers Worldwide


Security researchers have discovered a massive malware campaign that has already infected more than 250 million computers across the world, including Windows and Mac OS.

Dubbed Fireball, the malware is an adware package that takes complete control of victims' web browsers and turns them into zombies, potentially allowing attackers to spy on victims' web traffic and steal their data.

Check Point researchers, who discovered this massive malware campaign, linked the operation to Rafotech, a Chinese company which claims to offer digital marketing and game apps to 300 million customers.

While the company is currently using Fireball for generating revenue by injecting advertisements onto the browsers, the malware can be quickly turned into a massive destroyer to cause a significant cyber security incident worldwide.
Fireball comes bundled with other free software programs that you download off of the Internet. Once installed, the malware installs browser plugins to manipulate the victim's web browser configurations to replace their default search engines and home pages with fake search engines (trotux.com).
"It's important to remember that when a user installs freeware, additional malware isn't necessarily dropped at the same time," researchers said. "Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors."
The fake search engine simply redirects the victim's queries to either Yahoo.com or Google.com and includes tracking pixels that collect the victim's information.

Far from serving a legitimate purpose, Fireball has the ability to spy on victims' web traffic, execute any malicious code on the infected computers, install plug-ins, and even perform efficient malware dropping, which creates a massive security hole in targeted systems and networks.
"From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure, and a flexible C&C -- it is not inferior to a typical malware," researchers said.
Currently, the Fireball adware is hijacking users' web traffic to boost its advertisements and gain revenue, but at the same time, the adware has the capability to distribute additional malware.

"Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach," researchers added.
According to researchers, over 250 million computers are infected worldwide, and 20 percent of them are corporate networks:
  • 25.3 million infections in India (10.1%)
  • 24.1 million in Brazil (9.6%)
  • 16.1 million in Mexico (6.4%)
  • 13.1 million in Indonesia (5.2%)
  • 5.5 million in the US (2.2%)
"How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more," researchers warned. "Many threat actors would like to have even a fraction of Rafotech's power."

Warning Signs that Your Computer is Fireball-Infected


If the answer to any of the following questions is "NO," that means your computer is infected with Fireball or a similar adware.

Open your web browser and check:
  1. Did you set your homepage?
  2. Are you able to modify your browser's homepage?
  3. Are you familiar with your default search engine and can modify that as well?
  4. Do you remember installing all of your browser extensions?
To remove the adware, just uninstall the respective application from your computer (or use an adware cleaner software) and then restore/reset your browser configurations to default settings.

The primary way to prevent such infections is to be very careful when you agree to install.

You should always pay attention when installing software, as software installers usually include optional installs. Opt for custom installation and then de-select anything that is unnecessary or unfamiliar.

Tuesday, 9 May 2017

Website of Popular Mac Software Hacked to Spread Malware


If you have recently downloaded the popular open source video transcoder app HandBrake on your Mac, there is a chance that your computer is infected with a notorious Remote Access Trojan (RAT).

The HandBrake team issued a security alert on Saturday, warning Mac users that one of its download mirror servers has been compromised by hackers.

In case you aren't aware, HandBrake is an open source video transcoder app that allows Mac users to convert multimedia files from one format to another.
According to the HandBrake team, an unknown hacker or group of hackers compromised the download mirror server (download.handbrake.fr) and then replaced the Mac version of the HandBrake client (HandBrake-1.0.7.dmg) with a malicious version infected with a new variant of Proton.

Originally discovered in February on a Russian underground hacking forum, Proton is a Mac-based remote access trojan that gives attackers root access privileges to the infected system.

The affected server has been shut down for investigation, but the HandBrake team is warning that anyone who has downloaded HandBrake for Mac from the server between May 2 and May 6, 2017, has a "50/50 chance" of getting their Mac infected by Proton.

How to Check if You're Infected?


The HandBrake team has provided instructions for less technical folks, who can check if they've been infected.

Head on to the OSX Activity Monitor application, and if you see a process called "Activity_agent" there, you are infected with the trojan.
You can also check the hashes of the file you downloaded to verify whether it is the malicious one. The infected download has the following checksums:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
If you have installed a HandBrake.dmg with the above checksums, you are infected with the trojan.

How to Remove the Proton RAT?


The HandBrake developers have also included removal instructions for Mac users who have been compromised.

Use the following instructions to remove the Proton RAT from your Mac:

Step 1: Open up the "Terminal" application and run the following commands:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app

Step 2: If ~/Library/VideoFrameworks/ includes proton.zip, remove the folder.

Step 3: Once done, you should remove any installations of Handbrake.app you may find.

However, do not stop here: head to your settings and change all the passwords that are stored in your OS X KeyChain or any browser password stores, as an extra security measure.

Meanwhile, Mac users who have updated to HandBrake version 1.0 or later are not affected by the issue, as it uses DSA signatures to verify the downloaded files, so a malware-tainted version reportedly would not pass the DSA verification process.

Contact

Dr. Cyborg Inc.

Home City: Okara , Pakistan

Email: usama.asif.shah08@gmail.com
