Martijn Lammerts
My own digital place with a little of everything

Skygofree: New Government Malware for Android

22 January 2018
Kaspersky Labs is reporting on a new piece of sophisticated malware: We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The...

Cyberespionage Campaign Sphinx Goes Mobile With AnubisSpy

19 December 2017

Android malware like ransomware exemplifies how the platform can be lucrative for cybercriminals. But there are also other threats stirring up as of late: attacks that spy on and steal data from specific targets, crossing over between desktops and mobile devices.

Take for instance several malicious apps we came across with cyberespionage capabilities, which were targeting Arabic-speaking users or Middle Eastern countries. These were published on Google Play — but have since been taken down — and third-party app marketplaces. We named these malicious apps AnubisSpy (ANDROIDOS_ANUBISSPY) as all the malware’s payload is a package called watchdog.

We construe AnubisSpy to be linked to the cyberespionage campaign Sphinx (APT-C-15) based on shared file structures and command-and-control (C&C) server as well as targets. It’s also possible that while AnubisSpy’s operators may also be Sphinx’s, they could be running separate but similar campaigns.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

New GnatSpy Mobile Malware Family Discovered

18 December 2017

Earlier this year researchers first disclosed a targeted attack campaign targeting various sectors in the Middle East. This threat actor was called Two-tailed Scorpion/APT-C-23. Later on, a mobile component called VAMP was found, with a new variant (dubbed FrozenCell) discovered in October.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Tracking People Without GPS

15 December 2017
Interesting research: The trick in accurately tracking a person with this method is finding out what kind of activity they're performing. Whether they're walking, driving a car, or riding in a train or airplane, it's pretty easy to figure out when you know what you're looking for. The sensors can determine how fast a person is traveling and what kind...

Toast Overlay Weaponized to Install Several Android Malware

9 November 2017

We uncovered new Android malware that can surreptitiously install other malware on the affected device via the Toast Overlay attack: TOASTAMIGO, detected by Trend Micro as ANDROIDOS_TOASTAMIGO. The malicious apps, one of which had over 500,000 installs as of November 6, 2017, abuse Android’s Accessibility features, enabling them—at least for now—to have ad-clicking, app-installing and self-protecting/persistence capabilities.

Overlay attacks entail drawing and superimposing Android Views (e.g., images or buttons) atop other running apps, windows or processes. A typical scenario for a Toast Overlay attack is to employ it to trick the user into clicking a window or button specified by the attacker instead of the legitimate one. The technique, which was demonstrated earlier this year, leverages a vulnerability in Toast (CVE-2017-0752, patched last September), a feature in Android used to display notifications over other applications.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

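The TOASTAMIGO write-up above describes two capabilities an analyst can look for before ever running the sample: an AccessibilityService the app asks Android to bind, and the overlay or package-install permissions that let it act on what it sees. The script below is an added triage example, not Trend Micro's tooling and not code from the original post. It assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the two embedded manifests are constructed for the example. Note the caveat built into the heuristic: a Toast-based overlay (CVE-2017-0752) needs no overlay permission at all, so the accessibility service is the stronger signal and a clean result here only means "not flagged by this check".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Watch-list chosen from the capabilities described in the write-up
# (assumed names from the Android SDK; extend as needed).
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY_PERMISSIONS = {"android.permission.SYSTEM_ALERT_WINDOW"}
INSTALL_PERMISSIONS = {"android.permission.REQUEST_INSTALL_PACKAGES",
                       "android.permission.INSTALL_PACKAGES"}


def triage_manifest(manifest_xml):
    """Collect accessibility/overlay/install signals from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}
    accessibility_services = []
    for svc in root.iter("service"):
        # A real AccessibilityService is protected by BIND_ACCESSIBILITY_SERVICE
        # and registers for the AccessibilityService intent action.
        actions = {a.get(ATTR_NAME) for a in svc.iter("action")}
        if svc.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(svc.get(ATTR_NAME))
    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "overlay_permissions": sorted(requested & OVERLAY_PERMISSIONS),
        "install_permissions": sorted(requested & INSTALL_PERMISSIONS),
    }


def is_suspicious(report):
    """Flag an accessibility service combined with overlay or install capability.

    An accessibility service alone is legitimate (screen readers, automation
    apps), and a Toast overlay needs no overlay permission, so a False here
    means 'not flagged by this check', not 'clean'.
    """
    return bool(report["accessibility_services"]) and bool(
        report["overlay_permissions"] or report["install_permissions"])


# Constructed sample: a "cleaner" app that binds an accessibility service and
# also asks for overlay and install permissions.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakecleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Cleaner">
    <service android:name=".CleanerService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a screen reader with an accessibility service and nothing else.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Reader">
    <service android:name=".ReaderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("fakecleaner", SUSPICIOUS_MANIFEST), ("reader", BENIGN_MANIFEST)):
        report = triage_manifest(manifest)
        print(label, "suspicious" if is_suspicious(report) else "not flagged", report)
```

Point it at the manifest apktool writes out and treat a hit as a reason to look at the service's accessibility configuration and the code behind it, not as a verdict; the heuristic is deliberately narrow so that it stays explainable.
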
App Stores that Formerly Coddled ZNIU Found Distributing a New iXintpwn/YJSNPI Variant

2 November 2017

We covered iXintpwn/YJSNPI in a previous blog post and looked into how it renders an iOS device unresponsive by overflowing it with icons. This threat comes in the form of an unsigned profile that crashes the standard application that manages the iOS home screen when installed. The malicious profile also exploits certain features to make iXintpwn/YJSNPI more difficult to uninstall.

We recently discovered a new variant of iXintpwn/YJSNPI (detected by Trend Micro as IOS_YJSNPI.A) that uses a signed profile to conduct different attacks compared to its predecessor. IOS_YJSNPI.A is extracted from either of the two app stores—hxxp://m[.]3454[.]com and hxxp://m[.]973[.]com. Based on our analysis, this new variant’s main purpose is not to damage users’ operating systems, but to lure users into downloading repackaged apps.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

ZNIU: First Android Malware to Exploit Dirty COW Vulnerability

25 September 2017

The Linux vulnerability called Dirty COW (CVE-2016-5195) was first disclosed to the public in 2016. The vulnerability was discovered in upstream Linux platforms such as Red Hat, and in Android, whose kernel is based on Linux. It is categorized as a serious privilege escalation flaw that allows an attacker to gain root access on the targeted system. Dirty COW attacks on Android have been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices. Almost a year later, Trend Micro researchers captured samples of ZNIU (detected as AndroidOS_ZNIU)—the first malware family to exploit the vulnerability on the Android platform.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro
