Android Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/android/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Last updated Thu, 28 Dec 2023 15:55:51 +0000.

Xamalicious Trojan Hits Over 327K Android Devices
https://gridinsoft.com/blogs/xamalicious-trojan-android/ (Thu, 28 Dec 2023 15:55:51 +0000)

A new Android backdoor, dubbed Xamalicious, was discovered by researchers at the end of 2023. The malware has potent capabilities for performing malicious actions on infected devices, and it reportedly abuses Android’s accessibility permissions to reach a variety of user data.

What is Xamalicious Malware?

As mentioned in the introduction, Xamalicious is a backdoor designed for Android. It is built on the Xamarin framework, which gave it both its name and some of its abilities. As is typical for sophisticated Android malware, it abuses accessibility permissions to gain access to the clipboard, autofill forms, notifications, messages and more.

Xamalicious operates in two stages. Initially, it gathers device metadata and contacts a command-and-control (C2) server. This first contact is crucial: based on the data the device sends, the operators decide what to do next. If needed, the malware can download further payloads and run them as an assembly DLL at runtime. This gives the operators complete control over the device, potentially leading to fraudulent actions such as ad clicks and unauthorized app installations.

Researchers report locating the threat in 25 apps, some of which were distributed through the official Google Play Store from mid-2020. Alarmingly, these apps have been installed at least 327,000 times, affecting users in Western Europe, South and North America and Australia.

Here are some of these malicious apps:

  • Track Your Sleep (com.shvetsStudio.trackYourSleep)
  • Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator)
  • Sound Volume Extender (com.muranogames.easyworkoutsathome)
  • 3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft)
  • Logo Maker Pro (com.vyblystudio.dotslinkpuzzles)
  • Auto Click Repeater (com.autoclickrepeater.free)
  • LetterLink (com.regaliusgames.llinkgame)
  • Essential Horoscope for Android (com.anomenforyou.essentialhoroscope)

Geography of Activity: Xamalicious Malware

Xamalicious infections geography

Technical aspects

To evade detection, the Xamalicious authors encrypt all communications between the C2 and infected devices. The protection is not limited to HTTPS: the payload itself is wrapped in JSON Web Encryption (JWE) tokens using RSA-OAEP with A128CBC-HS256. This makes the traffic difficult to analyze and the malware harder to detect.
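As an added illustration (not code from the article or from the Xamalicious research), the following Python inspects a JWE compact token of the kind described above: it decodes the plaintext protected header, checks whether the alg/enc pair is the RSA-OAEP / A128CBC-HS256 combination, and validates the segment sizes that A128CBC-HS256 fixes. The sample token is constructed with dummy segment contents, not a real capture.

```python
import base64
import json

# Segment sizes fixed by RFC 7518 for the A128CBC-HS256 content-encryption algorithm.
A128CBC_HS256_IV_LEN = 16   # 128-bit CBC IV
A128CBC_HS256_TAG_LEN = 16  # HMAC-SHA-256 output truncated to 128 bits


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWE segments omit the '=' padding."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the way JWE segments are written."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def inspect_jwe(token: str) -> dict:
    """Inspect a JWE compact serialization (header.key.iv.ciphertext.tag).

    Without the recipient's private RSA key the payload cannot be read, but the
    protected header and the segment sizes are plaintext and can be checked
    against the algorithms the header claims, which is enough to fingerprint
    this traffic pattern in a capture.
    """
    parts = token.split(".")
    if len(parts) != 5:
        return {"is_jwe": False, "reason": f"expected 5 segments, got {len(parts)}"}
    try:
        header = json.loads(b64url_decode(parts[0]))
        enc_key, iv, ciphertext, tag = (b64url_decode(p) for p in parts[1:])
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return {"is_jwe": False, "reason": f"malformed segment: {exc}"}
    if not isinstance(header, dict):
        return {"is_jwe": False, "reason": "protected header is not a JSON object"}

    alg, enc = header.get("alg"), header.get("enc")
    findings = []
    if alg == "RSA-OAEP" and enc == "A128CBC-HS256":
        findings.append("alg/enc pair matches the combination reported for Xamalicious C2 traffic")
    if enc == "A128CBC-HS256":
        if len(iv) != A128CBC_HS256_IV_LEN:
            findings.append(f"IV is {len(iv)} bytes, expected {A128CBC_HS256_IV_LEN}")
        if len(tag) != A128CBC_HS256_TAG_LEN:
            findings.append(f"tag is {len(tag)} bytes, expected {A128CBC_HS256_TAG_LEN}")
        if len(ciphertext) == 0 or len(ciphertext) % 16:
            findings.append("ciphertext length is not a positive multiple of the AES block size")
    return {
        "is_jwe": True,
        "alg": alg,
        "enc": enc,
        "encrypted_key_bytes": len(enc_key),  # equals the RSA modulus size for RSA-OAEP
        "iv_bytes": len(iv),
        "ciphertext_bytes": len(ciphertext),
        "tag_bytes": len(tag),
        "findings": findings,
    }


def make_sample_token(iv_len: int = 16) -> str:
    """Build a CONSTRUCTED token with the real header shape but dummy segment
    contents (no actual encryption), sized like a 2048-bit RSA-OAEP key."""
    header = {"alg": "RSA-OAEP", "enc": "A128CBC-HS256"}
    segments = [
        json.dumps(header, separators=(",", ":")).encode(),
        bytes(range(256)),  # 256-byte "encrypted key" placeholder
        bytes(iv_len),      # IV placeholder
        bytes(32),          # two AES blocks of "ciphertext"
        bytes(16),          # 16-byte tag placeholder
    ]
    return ".".join(b64url_encode(s) for s in segments)


if __name__ == "__main__":
    for key, value in inspect_jwe(make_sample_token()).items():
        print(f"{key}: {value}")
```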

Moreover, the first-stage dropper contains self-update functions for the main Android package file (APK), suggesting that it can be weaponized as spyware or a banking trojan without user interaction.

“Android applications written in non-Java code with frameworks such as Flutter, React Native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on app markets,” the report says.

How to Protect Against Xamalicious Backdoor?

Xamalicious is not a ground-breaking malware sample, but its dangers should not be underestimated. The fact that it abuses the same Android features as its predecessors does not make it obsolete. “Don’t change what’s working” is a rule hackers stick to, and it works out rather well for them.

To avoid infection, exercise caution when downloading apps, especially from unofficial sources. Pay even more attention to the permissions you grant to programs. And, to seal the deal, consider running an anti-malware scan on your smartphone at least once a week to keep your data secure.

Malicious Loan Apps in Play Store Deceived 12M Users
https://gridinsoft.com/blogs/malicious-loan-apps/ (Mon, 11 Dec 2023 22:49:57 +0000)

Eighteen malicious loan apps on the Google Play Store, posing as legitimate financial services, have scammed users. Totaling over 12 million downloads, they offer high-interest-rate loans while harvesting the victims’ personal and financial data for malicious purposes.

18 Malicious Loan Apps Defraud Millions of Android Users

Cybersecurity researchers have exposed 18 malicious loan apps on the Google Play Store. These apps collectively amassed over 12 million downloads. Operating under the guise of legitimate financial services, they duped users into high-interest-rate loans while surreptitiously harvesting the victims’ personal and financial data for the malicious purposes discussed below. Researchers have named this operation SpyLoan.

The malicious apps primarily prey on potential borrowers in Southeast Asia, Africa, and Latin America. Despite their attractive appearance, these apps are far from genuine financial services; instead, they engage in fraudulent activities that exploit unsuspecting users. Although the apps have been removed from the store, the damage has already been done. The primary infection pathways are SMS messages and social media such as Twitter, Facebook, or YouTube. The list of now-removed apps includes:

  • AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android)
  • Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo)
  • Oro Préstamo – Efectivo rápido (com.app.lo.go)
  • Cashwow (com.cashwow.cow.eg)
  • CrediBus Préstamos de crédito (com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash)
  • ยืมด้วยความมั่นใจ – ยืมด่วน (com.flashloan.wsft)
  • PréstamosCrédito – GuayabaCash (com.guayaba.cash.okredito.mx.tala)
  • Préstamos De Crédito-YumiCash (com.loan.cash.credit.tala.prestmo.fast.branch.mextamo)
  • Go Crédito – de confianza (com.mlo.xango)
  • Instantáneo Préstamo (com.mmp.optima)
  • Cartera grande (com.mxolp.postloan)
  • Rápido Crédito (com.okey.prestamo)
  • Finupp Lending (com.shuiyiwenhua.gl)
  • 4S Cash (com.swefjjghs.weejteop)
  • TrueNaira – Online Loan (com.truenaira.cashloan.moneycredit)
  • EasyCash (king.credit.ng)
  • สินเชื่อปลอดภัย – สะดวก (com.sc.safe.credit)

Interestingly, these services exist exclusively as apps and work only on smartphones. You won’t find a web version or an official website. This allows attackers to request permission to obtain users’ confidential information stored on the victim’s smartphones.

Dirty Fraud Methods

In the previous paragraph, I emphasized that the attackers operate exclusively through mobile devices instead of classic websites. This is because a website cannot access nearly as much information as an app on the phone can. The operators of SpyLoan not only harvest information from compromised devices but also resort to blackmail and harassment: victims are pressured into making payments under the threat of releasing their private photos and videos on social media platforms (that reminds me of something). This alarming revelation underscores the darker side of the digital lending landscape.

Screenshot: the permissions that these applications usually request

Users have often reported instances of fraud and coercion. For example, a user from Nigeria, in a message posted on the Google Play Help Community, accused EasyCash of fraudulent lending practices, including exorbitant interest rates and threats of blackmail. Additionally, the apps deploy misleading privacy policies to justify extensive permissions, including access to media files, camera, calendar, contacts, call logs, and SMS messages. This revelation coincides with the resurgence of TrickMo, an Android banking trojan masquerading as a free streaming app; the trojan has enhanced capabilities, including stealing screen content and employing overlay attacks.

Defense Measures and Advice

This SpyLoan incident is not alone but part of a broader scheme dating back to 2020. It adds to over 300 Android and iOS apps uncovered last year. These apps also exploited users’ urgent need for quick cash, trapping them into predatory loan contracts and coercing them into granting access to sensitive information. To mitigate the risks posed by such spyware threats, users are advised to:

  • Validate the authenticity of offerings. It is not hard to disguise a rip-off as a genuine and beneficial deal. When it comes to financial operations, it is vital to check every element of the offered deal for catches. In some cases this is not enough, which is why the second option is preferable.
  • Do your research regarding the service provider. Regardless of how good the offer appears to be, it should come from a legitimate company. Mismatches in the information, questionable testimonials, and outdated, abandoned or even absent websites are signs of a bad deal, and a perfect reason to reconsider using their services.
  • Pay close attention to reviews and permissions before installation. Asking for excessive permissions is a classic trait of many mobile malicious programs. People tend to click through permission pop-ups during installation, and that is what fraudsters rely on. Check what the app asks for and compare it to the program’s real functionality. Why would a financial app ever need continuous access to your microphone?

SecuriDropper Bypasses Google Play & Android Defenses
https://gridinsoft.com/blogs/securidropper-android-google-play/ (Wed, 08 Nov 2023 22:09:24 +0000)

SecuriDropper is a rare example of Android dropper malware that operates under the dropper-as-a-service (DaaS) model. It is raising significant concerns among experts due to its ability to bypass Google’s enhanced security measures and deliver a variety of malicious payloads.

What is SecuriDropper Malware?

SecuriDropper represents the latest evolution in the ever-changing world of cyber threats. It serves as a conduit through which cybercriminals distribute their malware efficiently and conveniently; that, in fact, is the key point of the dropper-as-a-service model. It lets threat actors separate the development and execution of an attack from the installation of the malware, a level of sophistication that is both concerning and challenging to combat.

Two-Stage Infection Process of SecuriDropper

Dropper malware plays a crucial role in the cybercriminal ecosystem. It acts as a precursor tool designed to provide initial access to the target system. Its primary function is to download and install a malicious payload on the victim’s device, making it a valuable tool for threat actors. This strategic approach allows malicious actors to advertise their services to other criminal groups, creating a lucrative business model.

Distribution of Malicious Payloads

SecuriDropper has been observed distributing a range of malicious payloads, including Android banking trojans such as SpyNote and ERMAC. These trojans are often disguised as legitimate applications and are distributed through deceptive websites and third-party platforms like Discord. The resurgence of Zombinder, another Dropper-as-a-Service tool, has further amplified concerns about the distribution of malware payloads through sideloaded apps.

SecuriDropper is a stark reminder that the fight against cyber threats is an ongoing and evolving battle. As Android continues to implement enhanced security measures, cybercriminals adapt and innovate, finding new ways to infiltrate devices and distribute malware. Dropper-as-a-Service platforms have become powerful tools for malicious actors, posing significant challenges to Android security.

Android 13 Feature Blocks SecuriDropper

Despite the rather gloomy statements above, things are not that bad. Users whose devices received the Android 13 update can counteract SecuriDropper on their own. A new feature called Restricted Settings does what its name suggests for sideloaded applications.

Restricted Settings warning notifications

As the dropper aims at getting excessive permissions, particularly to Accessibility and Notifications, the feature will block such permissions by default. This, however, is an Android 13-only feature, so users of earlier OS versions should be careful when granting permissions.
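Restricted Settings automates this check on Android 13; on earlier versions an administrator has to do it by hand. An added example, not from the article or from any vendor tooling: a Python triage script that joins the output of `adb shell pm list packages -i` with the `enabled_accessibility_services` secure setting to list apps holding the Accessibility permission that did not come from a trusted installer. The adb output below is constructed, the package and service names are placeholders, and the trusted-installer set is an assumption to adjust per fleet.

```python
import re

# CONSTRUCTED sample of `adb shell pm list packages -i` output. installer=null
# marks a package with no recorded installer: preloaded system apps and
# sideloaded APKs both look like this, which is why the result needs triage.
PM_LIST_PACKAGES_I = """\
package:com.android.vending  installer=null
package:com.example.bank  installer=com.android.vending
package:com.dropper.stage2  installer=null
package:com.vendor.keyboard  installer=com.sec.android.app.samsungapps
package:com.example.a11yhelper  installer=com.android.vending
"""

# CONSTRUCTED sample of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated ComponentName strings (pkg/class); the class may be shortened
# to ".Class" relative to the package. An unset setting prints "null".
ENABLED_A11Y = (
    "com.dropper.stage2/.Svc:"
    "com.example.a11yhelper/com.example.a11yhelper.HelperService"
)

# ASSUMPTION: installers treated as store sources for this example.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package (None when pm reports null)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def parse_enabled_services(setting_value: str) -> dict:
    """Map package name -> list of fully qualified accessibility service classes."""
    if not setting_value or setting_value == "null":
        return {}
    services = {}
    for component in setting_value.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):          # expand the relative class-name form
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def find_sideloaded_accessibility(pm_output: str, setting_value: str,
                                  trusted=TRUSTED_INSTALLERS) -> list:
    """Return (package, installer, services) for every enabled accessibility
    service whose package was not installed by a trusted installer."""
    installers = parse_installers(pm_output)
    services = parse_enabled_services(setting_value)
    flagged = []
    for pkg, classes in services.items():
        if pkg not in installers:
            flagged.append((pkg, "unknown", classes))   # enabled but not installed?
            continue
        installer = installers[pkg]
        if installer is None or installer not in trusted:
            flagged.append((pkg, installer or "null", classes))
    return flagged


if __name__ == "__main__":
    for pkg, installer, classes in find_sideloaded_accessibility(PM_LIST_PACKAGES_I, ENABLED_A11Y):
        print(f"{pkg}: installer={installer} accessibility={classes}")
```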

Folks with the most recent updates should not be reckless either. An infected app can still make it into the Google Play Market, which nullifies any protection aimed only at sideloaded apps. And since Google is slow to implement security features in its official app store, it remains a source of threats.

How to Protect Yourself from SecuriDropper

SecuriDropper is a sophisticated Android dropper-as-a-service malware that poses a significant threat to the security of Android devices. To protect yourself from this emerging threat and similar malware, follow these security measures:

  • Only download applications from official app stores like Google Play Store. These platforms implement stringent security measures to ensure the safety of the apps they host.
  • Regularly update your Android device’s operating system and installed applications. Software updates often include security patches that address known vulnerabilities.
  • Install a reputable mobile security solution on your device. These security apps can help detect and remove threats like SecuriDropper from your device.
  • Be cautious when considering sideloaded apps obtained from unofficial sources. While sideloading offers access to a wider range of apps, it also presents security risks. Ensure you trust the source and origin of sideloaded apps.
  • Pay close attention to the permissions requested by apps during installation. Avoid granting unnecessary permissions to apps. For example, if a simple flashlight app requests access to your contacts and camera, it may be suspicious.
  • Regularly backup your important data to a secure location or cloud storage. This ensures you can recover your data in case of a malware infection.

By following these security measures, you can reduce the risk of falling victim to SecuriDropper and other similar threats. Remember that staying vigilant and proactive in protecting your Android device is essential in today’s evolving threat landscape.

Cloud Mining Scams Spread Banking Trojans
https://gridinsoft.com/blogs/cloud-mining-scams-spread-banking-trojans/ (Fri, 16 Jun 2023 11:06:12 +0000)

It’s no secret that cybercriminals have increasingly been using mobile platforms as an attack vector lately. One example is a new Android malware that spreads through fake cloud mining services and targets cryptocurrency wallets and online banking apps. Analysts dubbed this banking trojan Roamer, though hackers may use other malware in such attacks.

What are we talking about?

The era of hype around crypto-mining is over, and the shortage of video cards and mining farms is a thing of the past. Today, cloud computing technology is making it possible to significantly lower the entry threshold into the world of crypto-mining. To start mining Bitcoin, for example, there is no need to buy expensive equipment. Instead, the user can rent computing power from cloud mining companies for a fee. Of course, scammers couldn’t stay away from this niche.

The current fraudulent scheme is as follows: attackers create a phishing website that pretends to provide cloud mining services. Unsuspecting users land on the website, where they are prompted to download a smartphone app. However, instead of the promised app, the user downloads malware that steals crypto wallet data and other valuable information from their device. It sounds too obvious to work, yet the fact that it is being written about shows that it does.

How the Cloud Mining Scams scheme works

A team of researchers discovered a phishing website at hxxps://cloudmining[.]uk[.]com that looks like a cloud mining platform. The site has “Create Account” and “Sign In” buttons and links to download a mobile app from Google Play and the App Store for Android and iOS devices, respectively. However, the attackers use a trick: clicking the “Google Play” link does not open the application page in the store but directly downloads an .apk file named CloudMining.apk. An experienced user might notice this unusual behavior, but an ordinary user might not, and this is precisely the oversight the attackers count on. After downloading the file, the victim gets a malicious software module that aims to steal confidential data from the victim’s device.

Website with fake buttons: visually they look like real buttons, but what they do does not match what they claim.

The Roamer Banking Trojan

The “Roamer” Banking Trojan is a malware that extracts sensitive information from infected devices. It targets various crypto wallets and banking applications. It is distributed through fraudulent websites and employs different themes, such as gaming or shopping mall names and icons. Once installed, the malware exploits the Accessibility Service to extract information from targeted applications. The malware targets the following cryptocurrency wallet and banking applications:

  • HDFC Bank Mobile Banking App
  • Bitso
  • OKX: Buy Bitcoin, ETH, Crypto
  • TokenPocket Wallet Crypto DeFi
  • TronLink Pro
  • Binance: BTC, Crypto, and NFTS
  • Coinbse: Buy Bitcoin & Ether
  • aelf Official Wallet
  • Bitpie Wallet
  • Trust: Crypto & Bitcoin Wallet
  • MB Bank
  • SafePal: Crypto Wallet BTC NFT
  • KuCoin: BTC, Crypto Exchange
  • Poloniex Crypto Exchange
  • MetaMask – Blockchain Wallet
  • SCB Mobile Banking
  • ACB One
  • VCB Digibank
  • PayPal – Send, Shop, Manage
  • MSB mBank
  • VietinBank iPay
  • Coinbase: Buy Bitcoin & Ether
  • Bybit: Buy Bitcoin, Trade Crypto
  • Huobi: Buy Crypto & Bitcoin
  • imToken: Crypto & DeFi Wallet

The Roamer trojan steals sensitive data, including crypto wallet details and banking credentials. It automatically inserts the threat actor’s crypto address into the victim’s app and transfers funds to the threat actor’s account. In addition, it collects SMS data, files, and location details from infected devices. It can open targeted apps, take screenshots, and initiate screen recording. Stolen data is transmitted to a C&C server.

Telegram channel for phishing distribution

Researchers also found an active Telegram channel that began its activity on May 15, 2023, and has more than 5 thousand subscribers. Supposedly, scammers use this channel to attract victims. The channel regularly publishes information about cloud mining schemes and distributes the phishing websites hxxps://cloud-miner[.]cc and hxxps://cloud-miner[.]top. Although the latter site has a different design, it is also a cloud mining scam and offers to download the previously mentioned smartphone app.

A Telegram post that contains a phishing link

Another phishing site

These sites have “Sign in” and “Sign up” buttons to give them a realistic look, and they are not merely decorative. Clicking on them redirects the user to another phishing site, hxxps://cloud-mining[.]vip, which offers to create an account and mine Tron (TRX). After registering, the user is prompted to top up their wallet to start mining, a typical scam scheme. As you may have guessed, it simply hijacks your wallet, since the site intentionally lacks any form of protection.

The site asks to refill the account to start mining

Safety tips

The following are tips to help prevent unpleasant experiences with this cyber threat:

  • Only install software from official app stores. This is the Google Play Store for Android and, for iOS, the App Store. While this doesn’t guarantee 100% protection against rogue apps, it significantly reduces the chances. Also, if you are an Android user, ensure that Google Play Protect is turned on.
  • Use biometric security features such as fingerprints or facial recognition to unlock your mobile device.
  • Use strong passwords, change them periodically, and use multifactor authentication wherever possible.
  • Update your device firmware and apps to the latest version to fix vulnerabilities and improve security.
  • Be wary of links from unknown senders in SMS, messengers, and emails. Don’t click on them, especially if they are suspicious.
  • Never give anyone your banking information or confirmation codes, even if they pretend to be from a bank or other organization.

Android Malware Mimics VPN, Netflix and Over 60k of Other Apps
https://gridinsoft.com/blogs/android-malware-mimics-vpn-netflix-and-over-60k-of-other-apps/ (Sun, 11 Jun 2023 15:19:11 +0000)

Android is an open operating system. This is an advantage and a disadvantage. Cybersecurity technology experts recently discovered a widespread Android malware campaign. And given the scale of this campaign, it looks likely that it has been fully automated.

A few words about Android malware

As we know, the Android operating system is based on the Linux kernel. It was released in 2008, so malicious users had a chance to study it. Despite the misconception that there is no malware on Android, there is much more of it than we think. Actually, among all other mobile OS, Android became a prevalent target for malware creators. Researchers recently found more than 60,000 apps containing adware. While that’s an impressive number, experts say there are far more. Additionally, malware has been thriving for a long time due to a lack of ability to detect it.

The key place where malware is spread is the Google Play Store. Sluggish moderation, together with lenient rules for app uploads, gives crooks almost carte blanche. Even though there is a security team that checks programs for malware, it physically cannot cope with the sheer volume of uploads to the platform. That is what makes the default, trusted applications market for Android such a convenient spot for malware distribution.

How does Android malware work?

According to the analysis, the campaign promotes adware on Android devices for profit. However, the main problem is that attackers can quickly change tactics and redirect users to other types of malware, such as banking trojans that steal credentials and financial information, or ransomware.

Hidden Android apps

Since API 30, Google has removed the ability to hide app icons on Android once a launcher is registered. So the malware relies on the user to open the app for the first time. After installation, the app may display the message “The app is unavailable in your region. Click ‘OK’ to uninstall”. After clicking “OK,” the app closes but is not uninstalled. Since the malicious application has no icon in the launcher and uses a UTF-8 character that renders as blank for its label, it appears only in the list of installed applications, and by default at the very end, so the user is unlikely to notice it. The app registers actions to be called on boot or when the user interacts with the device, and the server can initialize the adware phase at a later, unknown time.

Screenshot: application without an icon or a name at the very end of the list
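As an added example (not code from the article or from the underlying research), the Python below applies the two hiding indicators described above to `aapt dump badging` output for a set of APKs: no launchable activity, and a label made of Unicode characters that render as blank. The badging excerpts are constructed and the package names are placeholders.

```python
import re
import unicodedata

# CONSTRUCTED excerpts of `aapt dump badging <apk>` for three APKs (package names
# are placeholders); only the lines this check reads are included. U+3164 (Hangul
# Filler) and U+200B (zero-width space) draw as nothing, which is how a label
# can look empty while still being a "valid" app name.
BADGING = {
    "notes.apk": """\
package: name='com.example.notes' versionCode='12' versionName='1.2'
application-label:'Notes'
uses-permission: name='android.permission.INTERNET'
launchable-activity: name='com.example.notes.MainActivity'  label='Notes' icon=''
""",
    "sample1.apk": """\
package: name='com.qwe.rt' versionCode='1' versionName='1.0'
application-label:'\u3164'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.INTERNET'
""",
    "sample2.apk": """\
package: name='com.asd.fg' versionCode='3' versionName='3.0'
application-label:'\u200b \u200b'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
""",
}

# Code points Unicode classifies as letters ("Lo") but that fonts draw as blank.
BLANK_LOOKALIKES = {"\u3164", "\u115f", "\u1160", "\uffa0"}


def label_is_invisible(label: str) -> bool:
    """True if the label would render as empty: only whitespace, format (Cf) or
    space-separator (Zs) code points, or known blank-looking letters."""
    return all(
        ch.isspace() or unicodedata.category(ch) in ("Cf", "Zs") or ch in BLANK_LOOKALIKES
        for ch in label
    )


def analyze_badging(text: str) -> dict:
    """Apply the hidden-app indicators from the article to one badging dump."""
    pkg = re.search(r"^package: name='([^']+)'", text, re.M)
    label = re.search(r"^application-label:'([^']*)'", text, re.M)
    launchable = re.search(r"^launchable-activity:", text, re.M) is not None
    boot = "android.permission.RECEIVE_BOOT_COMPLETED" in text
    indicators = []
    if not launchable:
        indicators.append("no launcher activity")            # nothing to tap, no icon
    if label is None or label_is_invisible(label.group(1)):
        indicators.append("blank or invisible label")        # sinks to the end of the list
    if boot and not launchable:
        indicators.append("starts on boot without a launcher entry")
    return {
        "package": pkg.group(1) if pkg else None,
        "indicators": indicators,
        # A single indicator has benign explanations (keyboards, pure services);
        # two or more deserve a manual look.
        "suspicious": len(indicators) >= 2,
    }


def scan_all(badging_by_file: dict) -> list:
    """Return the package names that trip the suspicious threshold."""
    return [r["package"] for r in map(analyze_badging, badging_by_file.values()) if r["suspicious"]]


if __name__ == "__main__":
    for name, dump in BADGING.items():
        print(name, analyze_badging(dump))
```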

Adware behavior

When the user unlocks the phone, the application gets an adware URL from the server and uses the mobile browser to load the ad. The application uses one of the adware libraries included to render a full-screen WebView of an ad. It serves links, notifications, full-screen videos, open tabs in browsers, and more. During monitoring, researchers noticed the application loading ads from the following domains.

Worth noting the domains are not necessarily malware-related.

Screenshot: malicious full-screen ads

Redirect

Furthermore, modified versions of official applications may redirect the user to malicious websites. For example, when users open a “modded” app and search for something in Google, they may be redirected to a random ad page. Sometimes these pages pretend to offer the desired mod as a download, but what they serve is malware. In one example, a user opens hXXp://crackedapk[.]com/appcoins-wallet-mod-apk/download1/website and is immediately redirected to hXXp://1esterdayx[.]com/worjt1e6a5efdf4388a83865ddce977639e28e199d821e?q=appcoins%20wallet%20mod%20apk%20v2.9.0.0%20(free%20purchased/premium%20cracked), a website designed to spread malware.

How did Android malware end up on my smartphone?

First, let’s look at how an app can get onto a user’s smartphone. There are several ways:

  1. Play Store. This method is the safest and most recommended because the download is from an official source.
  2. Third-party sites and sources. This method allows you to install any app downloaded from any site or obtained elsewhere.
  3. Zero Day Vulnerability. As the name suggests, this vulnerability was found by attackers, but the developers do not know about it. This is how the Pegasus spyware was spread.

Although malware can arrive by any of these three routes, in the first case the malicious application is likely to be deleted sooner or later. The adware apps in question, however, were not available on Google Play or other official stores. This means the attackers found another way to convince people to install them. Since Android allows installing any app from any source, the attackers disguised the malware as highly sought-after programs: often apps that cannot be found in official stores, or apps that mimic real ones published on the Play Store. Most often, malicious applications are disguised as:

  • Games with unlocked features
  • Game cracks
  • Cracked utility programs
  • YouTube/Instagram without ads
  • Free VPN
  • Fake videos
  • Fake tutorials
  • Fake security programs
  • Netflix

Since modified applications are a hot commodity, there are entire websites devoted to these applications. Usually, these are the original applications with unlocked functionality or with a lot of game currency. In addition, these sites may contain applications that are visually similar to the real thing. Of course, the download pages may have fake positive reviews and high ratings.

Safety recommendations

The best advice for Android users is to install apps only from the official app store. Also, pay attention to the permissions an app asks for. For example, if you have installed a flashlight app and it asks for access to your phonebook and geolocation, there is every reason to believe it is malware. Don’t download or install any cracked apps. You can also use our Android scanner to check your device for malware.
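An added example for the permission advice here and in the earlier SpyLoan and SecuriDropper pieces (not code from the blog): a Python check that reads the permissions an installed app requested and was granted from `adb shell dumpsys package <pkg>` and compares them against what the app's advertised purpose justifies. The dumpsys excerpts are constructed, the package names are placeholders, and the per-category baselines are assumptions to be adjusted for your own review.

```python
import re

# CONSTRUCTED `adb shell dumpsys package <pkg>` excerpts (placeholder package names,
# dummy hashes). Only the "requested permissions:", "install permissions:" and
# "runtime permissions:" blocks that this check reads are kept.
TORCH_DUMPSYS = """\
Packages:
  Package [com.example.torch] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET|USER_FIXED ]
"""

LOAN_DUMPSYS = """\
Packages:
  Package [com.example.quickloan] (4d5e6f):
    requested permissions:
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
      android.permission.READ_MEDIA_IMAGES
      android.permission.INTERNET
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
"""

# Runtime ("dangerous") permissions from the groups the articles call out: contacts,
# location, camera, microphone, SMS, call log, calendar, media. A triage list, not exhaustive.
DANGEROUS = {"android.permission." + p for p in (
    "READ_CONTACTS", "WRITE_CONTACTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "CAMERA", "RECORD_AUDIO", "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CALL_LOG",
    "READ_PHONE_STATE", "READ_CALENDAR", "READ_EXTERNAL_STORAGE", "READ_MEDIA_IMAGES",
    "READ_MEDIA_VIDEO",
)}

# ASSUMED baselines: dangerous permissions the advertised purpose can justify. A torch
# app needs none; a loan app might read photos for document upload, nothing more.
BASELINE = {
    "flashlight": set(),
    "loan": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES"},
}

PERM_LINE = re.compile(r"^([A-Za-z][\w.]*\.permission\.[A-Z0-9_]+)(?::\s*granted=(true|false).*)?$")
SECTION_HEADERS = {"requested permissions:": "requested",
                   "install permissions:": "granted",
                   "runtime permissions:": "granted"}


def parse_dumpsys_permissions(text: str):
    """Return (requested, granted) permission sets from a dumpsys package excerpt."""
    requested, granted, section = set(), set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PERM_LINE.match(line)
        if m:
            perm, state = m.groups()
            if state is None and section == "requested":
                requested.add(perm)
            elif state == "true":
                granted.add(perm)
        else:
            section = SECTION_HEADERS.get(line)  # any other line ends the current block
    return requested, granted


def assess(dumpsys_text: str, category: str) -> dict:
    """Compare an app's dangerous permissions with the baseline for its claimed purpose."""
    requested, granted = parse_dumpsys_permissions(dumpsys_text)
    dangerous = requested & DANGEROUS
    unexpected = dangerous - BASELINE[category]
    return {
        "dangerous_requested": sorted(dangerous),
        "unexpected": sorted(unexpected),                # asked for, not justified by purpose
        "unexpected_granted": sorted(unexpected & granted),  # and the user already said yes
        "verdict": "review" if unexpected else "ok",
    }


if __name__ == "__main__":
    print("torch:", assess(TORCH_DUMPSYS, "flashlight"))
    print("loan:", assess(LOAN_DUMPSYS, "loan"))
```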

Android Malware With Almost 500M Downloads Resides in Google Play
https://gridinsoft.com/blogs/android-malware-scored-500-million-downloads-google-play/ (Thu, 01 Jun 2023 11:12:39 +0000)

Millions of Android users may be at risk of a cyberattack because of an Android malware and its multiple modifications on Google Play. In a recent blog post, Dr. Web reported a trojan module, “Android.Spy.SpinOk”, that is distributed via a marketing software development kit (SDK) in 101 Google Play applications with over 421,290,300 downloads in total.

How does the SDK work?

The module is designed to engage users through mini-games, tasks, prizes, and reward drawings. However, upon activation, this malicious SDK connects to a command and control server (C&C) and sends technical details about the affected device. These details include data from Android device sensors like the gyroscope and magnetometer. Attackers can use this data to determine whether the malware is running in a sandbox environment of the kind security researchers use to study potentially harmful Android apps. The trojan module also ignores device proxy settings, allowing it to conceal its network connections while security teams analyze it.

How an SDK works
SDK operation scheme

What do the experts say?

According to Dr. Web, the trojan SDK can execute JavaScript code on web pages containing ads. This allows it to perform various functions, such as obtaining files from the device and copying or substituting clipboard contents. The problem is that many mobile app developers do not thoroughly check the capabilities of the SDKs they integrate into their apps. Malicious actors take advantage of this, which makes their malicious code difficult to detect. Mobile-focused tools that cover static and dynamic analysis are needed to combat this. In addition, the threat actors focus on a niche of Android games that allegedly make money for the player, possibly to observe the transfer of funds or exploit specific files.

Bud Broomhead, CEO at Viakoo, notes that the 421 million-plus downloads figure must accurately reflect how many devices are impacted. Wi-Fi usage may offer some protection, but multiple layers of network security are necessary to reduce significant data exfiltration incidents.

How to protect your device from the malicious SDK?

To protect your device, updating infected apps to the latest version available on Google Play is important. This will ensure that the app is clean and safe to use. If the app is unavailable on the Google Play Store, it is best to uninstall it immediately. After uninstalling, scan your device with a mobile antivirus to ensure that all traces of spyware have been removed.

ChatGPT Causes New Wave of Fleeceware
https://gridinsoft.com/blogs/chatgpt-fleeceware/
Tue, 23 May 2023 22:06:46 +0000

Artificial intelligence is one of the most significant advances in technology. It is used in one way or another everywhere, from voice input recognition on your smartphone to autopilot systems in cars. The latest development in the industry, the launch of OpenAI’s ChatGPT, has caused such a stir that some influential people want to temporarily halt its growth. Unfortunately, scammers and those who wish to profit from it haven’t spared it either: they have started creating fleeceware that empties users’ wallets. We will talk about it now.

What is fleeceware?

Fleeceware apps have free versions that perform little or no function, or that constantly and deliberately bombard users with ads for in-app purchases that unlock the actual functionality. In this way, tricky developers force users to sign up for a subscription, which can be unnecessarily expensive. Here are the main signs of fleeceware:

  • The app’s functionality is available for free from other online sources or built into the mobile OS.
  • The app forces the user to sign up for a short trial period. In the end, the user is charged periodically for the subscription.
  • The app floods the user with ads, making the free version unusable.

Usually, during installation, such apps request permission to track activities in other apps and websites and request to rate the app before even using it. In the process of abundant spamming with permission requests, such as for sending notifications, the app tries to get the user to sign up for a “free” trial version.

The app asks you to track your activity
You can click “Ask App Not to Track”

The pseudo-developers are banking on the user not paying attention to the cost or forgetting that they have this subscription. Since fleeceware is designed to be useless after the free trial period ends, users uninstall it from their devices. However, uninstalling the app does not cancel the subscription, and the user is charged monthly and sometimes weekly for a subscription they don’t even use.

“FleeceGPT”

Researchers recently published a report stating that one mobile app developer made $1 million per month simply by charging users $7 weekly for a ChatGPT subscription. If you’ve never dealt with the chatbot, this may seem like a regular phenomenon. However, the catch is that OpenAI provides this service to users for free. In addition, during a raid on the Google Play and Apple App Stores, experts found several other ChatGPT-related fleeceware apps.

The fleeceware app “Genie AI Chatbot” was downloaded more than 2 million times from the App Store in the last month. The first reason this app can be called fleeceware is that a popup asks you to rate the app before it has fully launched, and it also asks to track your actions in other apps and websites. While this app fulfills its stated function, without a subscription it can only handle four requests per day, which is extremely low. To remove this limitation, the user has to subscribe at $7 per week, which is costly.

Measures against fleeceware

Unfortunately, there are a lot of such applications in the official stores, and store owners are in no hurry to remove them. The point is that the store receives a commission for each transaction in the app. For example, Apple gets 30% of each purchase in the application, so they are not interested in being left without earnings. However, both Apple and Google have store rules designed to combat earlier generations of fleeceware. These rules were meant to prevent app fraud, since some apps charged over $200 monthly. Under the new rules, developers must report subscription fees in advance and allow users to cancel the subscription before the payment is taken.

However, savvy scammers are finding ways around these rules. According to research, the number of ChatGPT-related web domains increased by 910% from November to April, and URL filtering systems intercepted about 118 malicious web addresses daily. Since ChatGPT is not officially available in some countries, there is high demand for a way around the restriction. It costs as little as 8 cents to output 1,000 words through the OpenAI API, and a monthly subscription to the latest ChatGPT is $20. But scammers offer the functionality of the basic version of the chatbot for an average of $1 a day. And even after Google and Apple received reports of the fleeceware, some apps were not removed.

Why aren’t the platforms removing some apps?

With more than 20 million iOS developers registered on the App Store and thousands of new apps released monthly, monitoring all this is a tremendous job, even for Apple. Moreover, some fleeceware apps are redesigned web apps. So, their functionality directly depends on a remote content platform. Such apps can pose a risk since, to add malicious functionality, the developer only needs to make some changes remotely without touching the local code. This is a common tactic to bypass protection in official app stores. The only effective way to avoid becoming a victim of such applications is to be vigilant when installing the application, read the description carefully, and see what information the application asks for.

How to cancel the subscription?

There are two types of purchases in online app stores. The first is a one-time purchase. In this case, you pay once and permanently get the application or functionality. The app is added to your library, and you can at any time download it or restore the purchase (if it is an in-app purchase), and no additional fees are involved. The second method consists of a subscription to the app or feature. This means you rent the app or individual components for a recurring payment. However, by the logic of this system, if you subscribe to the app and then delete it, the subscription is not canceled.
Consequently, you will be charged even if you don’t use the app. Some apps offer monthly or weekly subscriptions and a one-time purchase. This is the best option for both the developer and the user.

To cancel your subscription on iOS, follow these steps:

1. Open the Settings app.
2. Tap your name.
3. Tap Subscriptions.
4. Tap the subscription you want to cancel.
5. Tap Unsubscribe.

Subscriptions screen

The subscription has already been canceled if there is no “Cancel” button or if you see an expiration message in red text.

To cancel your Android subscription, do the following:

1. Open your subscriptions in Google Play on your Android device.
2. Then select the subscription you want to cancel.
3. Tap Unsubscribe.
4. Follow the instructions.

How to avoid fleeceware in future?

Since fleeceware does not harm your device, app stores are in no hurry to remove them. However, it hurts your wallet, so prevention is primarily for the user. The following tips will help you avoid these increasingly successful heist schemes.

  • Beware of free trial subscriptions. Most fleece apps lure users with free three-day trials. However, you will be charged for the subscription without warning once the trial period expires.
  • Scrutinize the terms of service carefully. Always read the information in the app profile carefully, including the terms and conditions and the in-app purchases section. This section usually lists all the paid features in the app, and the actual subscription cost is generally listed somewhere at the bottom of the page.
  • Read more reviews. Often fleeceware creators try to flood the reviews section of their apps with fake reviews. You should flip through a few pages or sort through the reviews, and if the five-star reviews at the top are followed by reviews with one star, it’s probably fleeceware.
  • Don’t be fooled by the ads. Scammers often promote their software through video ads, for example on social media. However, sometimes these ads have nothing to do with the promoted application.
  • Improve your payment hygiene. Never use your primary card as a method of paying for subscriptions. Instead, create a separate or virtual card and keep on it only as much money as your existing subscriptions need.
  • Set a minimum online payment limit on your primary cards or disable it altogether. Also, set up an additional password or biometric verification when you pay. This will prevent unwanted subscription fees from going unnoticed.

Trend Micro: Millions of Android Devices Contain Malware Right in the Firmware
https://gridinsoft.com/blogs/malware-in-the-firmware-of-android/
Wed, 17 May 2023 09:44:05 +0000

Trend Micro analysts presented an interesting report at the Black Hat Asia conference: according to their information, millions of Android devices around the world have malware directly embedded in their firmware and are infected with it before they leave the factory where they were produced. Basically, we are talking about cheap Android mobile phones, but a similar situation is observed with smart watches, TVs, and so on.

Vulnerability in Android Devices Touches Millions

According to the researchers, the production of gadgets is mainly outsourced to OEMs, and such outsourcing allows various parties involved in the production process (for example, firmware suppliers) to infect products with malware at the production stage.

It is worth saying that this problem has been known for a long time. For example, back in 2017, Check Point experts warned that 38 different smartphone models from well-known brands, including Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, contained malware right out of the box. Now, representatives of Trend Micro described what is happening as “a growing problem for ordinary users and enterprises.”

Fedor Yarochkin, a senior researcher at Trend Micro, and his colleague Zhenyu Dong, said that the introduction of malware at such an early stage began with the fact that prices for firmware for mobile devices fell. The competition between firmware distributors has become so serious that in the end they generally lost the opportunity to charge money for their product.

Yarochkin notes that, of course, nothing is free, and as a result, “silent” plug-ins began to appear in the firmware. Researchers say they have scoured dozens of firmware images for malware and found more than 80 such plugins, although many of them have not been widely adopted.

As a rule, the purpose of such malware is stealing information, as well as making money on the collected or transmitted information. In essence, the malware turns infected devices into proxy servers that are used to steal and sell SMS messages, hijack accounts on social networks and instant messengers, and monetize through ads and click fraud.

For example, the team discovered a Facebook cookie plugin that was used to collect activity information from the Facebook app. Another type of plugin, proxy plugins, allows criminals to rent out infected devices for up to 5 minutes. As a result, those who rent access to the device can intercept data about keystrokes, geographic location of the victim, IP address and much more.

“The user of such a proxy will be able to use someone else’s phone for 1200 seconds as an exit node.” (Fedor Yarochkin)

The researchers calculated that millions of devices infected in this way are working around the world, but Southeast Asia and Eastern Europe are the leaders in infections. According to experts, the statistical analysis confirms approximately 8.9 million of infected devices.

Analysts are evasive about where such threats come from, although the word “China” was often heard during the report, including when it came to the development of suspicious firmware. Yarochkin says users should think about the relationship between the location of the world’s OEMs and the incidence of infected firmware discoveries, and draw their own conclusions.

“Even if we probably know the people who create the infrastructure for this business, it is difficult to determine exactly how the infection gets on a particular mobile phone, because we don’t know for sure at what point it enters the supply chain.” (the expert’s explanation)

Overall, the researchers say the malware was found on devices from at least 10 unnamed vendors and likely affected about 40 more. To avoid buying infected mobile phones out of the box, experts say users can opt for higher-end devices. In other words, malware is more likely to be found on cheaper devices in the Android ecosystem, and it’s best to stick with the big brands, although that’s no guarantee of security either.

“Big brands like Samsung or Google are relatively good at securing their supply chain, but this is still a lucrative market for attackers.” (Trend Micro)

See also: Vulnerabilities in the Firmware of Some HP Computers Cannot Be Fixed for a Year.

Five Easy Smartphone Security Tips to Keep It Safe From Hackers
https://gridinsoft.com/blogs/smartphone-security-tips/
Wed, 22 Feb 2023 11:26:46 +0000

These days, the smartphone is more than just a means of communication. Every day we use it to communicate with friends and family, message on social networks, and browse the web. There are also more specific tasks: accessing our bank account, online shopping, taking photos and videos, streaming, and much more. Your smartphone is the key to most aspects of your daily life. Next, we will talk about smartphone security.

Our smartphones store vast information about us – our passwords, banking details, history of calls, messages, and pages visited. Consequently, the security risks that potentially threaten your accounts from criminals are not limited to hackers. Anyone who finds your phone if it’s lost or stolen can easily use your information in their not-so-noble interests. So here are five simple tips for keeping your smartphone secure. These tips are always relevant, whether it’s a phone you just bought or one you’ve used for years.

1. Always apply the latest software updates and security patches

This is the easiest thing to do when buying a new smartphone. Most Android or iOS smartphones prompt you to download the latest operating system update when you first set them up. We recommend not delaying or canceling this action, as it eliminates cybersecurity vulnerabilities detected in the operating system. In short, applying updates prevents cybercriminals from exploiting known security problems. In addition, updates often optimize the operating system and add new useful features. Since most smartphones prompt you to install updates and you only have to tap “OK” or “Cancel”, even a novice user can handle the process.

Software update IOS
To install the update on your iPhone, press “Download and Install”, then enter your passcode.

Most manufacturers keep their devices updated for as long as possible. However, some vendors could cease releasing security updates if your smartphone model is over a few years old. Since there is no standard for device shelf life, each manufacturer decides how long a device will receive updates. This time can vary from two to five or six years. To see if your smartphone still receives updates, you can visit the website of its manufacturer or send a query to their technical support.

2. Use a password, PIN, or biometric security features to protect your smartphone

We are usually serious about choosing a password to protect our email account or a PIN to protect our online banking information. However, when it comes to a password for smartphone security, many prefer easy-to-guess passwords of four identical digits or don’t use screen locking at all. Of course, it’s much more convenient to pick up your phone and start using it right away than to type a password or PIN each time. However, it also means that if someone gets their hands on your smartphone, they can help themselves to its contents without obstacles. That way, anyone who finds it can easily access your data.

Although there is a slight chance that the person who found your device will use this information for good and return your phone to you, it is unlikely. Since criminals are looking to profit in any way they can, sharing your phone with them is not a brilliant idea. You will most likely lose access to your accounts, and your personal data will be compromised. For that reason, any applications you use to access sensitive information (such as online banking) should be protected by unique, secure passwords. It is essential to understand that these passwords should not contain your date of birth or be the same as the passwords you use to lock your phone.

IOS passcode options
The optimal option would be to use a six-numeric code.

3. Use multi-factor authentication if possible

Passwords are essential to protect your accounts, and they are one of the most sought-after pieces of information for cybercriminals. Knowing someone’s account password allows attackers to use it as if they were real users. They can send messages to the victim’s friends, view the victim’s social media profiles, and access documents and photos searching for sensitive personal information, such as banking information. On the other hand, if you use a relatively weak password, hackers can easily guess it using a brute force attack.

However, even if your password is strong enough, another danger exists. For example, the password may be stolen due to a phishing attack aimed either at you or the company managing the account. In the first case, the blame lies entirely with you. Another case, however, renders the company whose services you use guilty of the leak. In 1995, AT&T invented multifactor authentication (MFA) to prevent this from happening. The technology’s essence is the user’s additional confirmation of the attempt to log in to his account. For example, suppose your password was somehow compromised. If you’re not using MFA, an intruder would enter your login and password and log in to your account. However, if you are using MFA, the attacker cannot directly access your account. Instead, you’ll get a warning that someone is trying to log in.

Google MFA example

What should I do if I receive such a message?

You should log in immediately and change your password if the attempt was not yours. Next, you should also forcibly end all other active sessions; you can do it from the browser. If you want enhanced security, you may consider using a physical security key, perhaps the best way to protect your data. This form of multifactor authentication requires a key that you own to access your accounts. Unlike confirmation codes or SMS, which are difficult but possible to intercept, a physical security key must be in the attacker’s hands to pass this protection, which is only possible if they manage to steal it directly from you.

iPhones running iOS 16.3 or later allow you to use security keys for your Apple ID. So you can use a hardware key as an additional level of authentication. Such security keys are tied to your Apple ID and require your username, password, and a hardware key to access your account or device. While MFA provides an excellent extra layer of smartphone security and accounts protection, it’s worth remembering that it’s not wholly infallible.

4. Download applications and updates from trusted sources only

As a regular user, you are probably satisfied with downloading apps from the official app store. Those are Google Play Store for Android and App Store for iPhone. By default, they are considered the only proper place to download apps. However, there are reasons why users are not happy with such download methods. Most commonly, people are looking for an alternative way to install the required application on their smartphones for free, i.e., use cracked apps. Unfortunately, this is a bad idea because any “free” versions come from a third-party site, which can expose you to a security breach.

Scammers and cybercriminals never disdain such a niche. They are well aware that people tend to prefer free versions of many popular apps and care less about smartphone security. That’s why scammers often promote websites they own in search results and buy ads to promote their malicious sites. The main danger of fake sites is that a program you get from them may in fact be a trojan. Aside from that, the app you download from such websites may not work properly or may fail to start. In addition, it is a way to trick you into downloading malware or to snatch your username and password.

Download apps with caution

Unfortunately, although official app stores are considered safer than third-party sites, and rightly so, sometimes malicious apps do bypass official store protection and become available for download. Therefore, you should be sure about what you are downloading. In addition, we recommend you check what permissions the application you are installing asks for; this directly affects smartphone security. Seeing that calculator asks to access your contact book and gallery is a bad omen. You can also check reviews. If something is wrong with the program, you will find it out there.

Another method of spreading malicious downloads is phishing emails that warn the user about a problem with a frequently used app or that the subscription is about to expire and a request to update the app. Legitimate apps will never ask you to download an update via email. Instead, when the developer releases an update to an installed app, the app store will update the app itself. If you have the auto-update feature turned off, you’ll either get a notification from the app store or the app will ask you to update itself when you launch it.

IOS app update process
IOS app update process via the app store

5. Use VPN when using public networks

Today, most mobile operators provide tariff plans with large amounts of 4G or 5G traffic. This allows you to do whatever you used to, without worrying about running out of traffic. However, some thrifty users, seeing a public Wi-Fi network, will prefer it. While many free wireless hotspots are safe and legit, they carry privacy risks. Using a public Wi-Fi network means data transfer is less secure than a cellular connection or on your home or corporate network.

There’s nothing wrong with connecting to public Wi-Fi, but it is essential to understand the risks when you do. You should also be careful about what information you enter and transmit on public Wi-Fi networks. If possible, avoid entering passwords or any sensitive information. Any trickster can intercept your data during the course of a man-in-the-middle attack. If you urgently need to log into your bank account, it will be a good idea to find another way to accomplish that.

The danger is that savvy scammers often set up their own open Wi-Fi networks in busy places and let people connect to them. This way, scammers can monitor the transmitted data and intercept your logins, passwords, bank details, and other personal information. So consider a mobile VPN if you need to transfer sensitive data. Because it encrypts your data, it can better protect it while keeping your Internet use private.

Android Devices Can Be Monitored Using Motion Sensors
https://gridinsoft.com/blogs/to-eavesdrop-on-android-devices/
Thu, 05 Jan 2023 09:27:39 +0000

A group of scientists from five American universities has developed a side-channel EarSpy attack that can be used to eavesdrop on Android devices: recognize the gender and identity of the caller, and also partially parse the contents of the conversation.

Eavesdropping can be carried out using motion sensors that are able to capture the reverberation of the speakers of mobile devices.

Let me remind you that we also wrote that PCspoF Attack Could Disable Orion Spacecraft, and also that Experts Demonstrate Data Extraction Using LEDs and a Gyroscope.

The media also noted that Data from Isolated Computers Can Be Stolen Using SATA Cables.

The EarSpy attack was presented by experts from Texas A&M University, New Jersey Institute of Technology, Temple University, Dayton University, and Rutgers University. They said that similar side-channel attacks had already been studied before, but a few years ago, smartphone speakers were found to be too weak to generate enough vibration to eavesdrop.

Modern smartphones use more powerful stereo speakers (compared to previous years), which provide better sound quality and stronger vibrations. Similarly, modern devices use more sensitive motion sensors and gyroscopes, capable of registering even the smallest nuances of the speakers.

A clear proof of these words can be seen in the illustration below, where the performance of the 2016 OnePlus 3T speakers is barely visible on the spectrogram and is compared with the 2019 OnePlus 7T stereo speakers, which obviously allow you to extract significantly more data.

Left to right: OnePlus 3T, OnePlus 7T, OnePlus 7T

In their experiments, the researchers used OnePlus 7T and OnePlus 9 devices, as well as various sets of pre-recorded sounds that were played through the speakers of the devices. The specialists also used a third-party Physics Toolbox Sensor Suite application in their work to collect accelerometer readings during a simulated call, and then transferred them to MATLAB for analysis.

The machine learning algorithm was trained using readily available datasets for speech recognition, caller ID, and gender. The results varied depending on the data set and device used, but in general the researchers’ experiments gave promising results and proved that such wiretapping is possible.

For example, caller gender accuracy on OnePlus 7T ranged from 77.7% to 98.7%, caller ID classification ranged from 63.0% to 91.2%, and speech recognition succeeded with an accuracy of 51.8% to 56.4%.


On the OnePlus 9 device, gender accuracy exceeded 88.7%, but caller ID fell to an average of 73.6%, and speech recognition showed a result from 33.3% to 41.6%.


The researchers acknowledge that the volume that users themselves choose for the speakers of their devices can significantly reduce the effectiveness of the EarSpy attack. That is, the low volume of the speaker may well interfere with the implementation of wiretapping in general.

In addition, reverberations are significantly affected by the location of the device’s hardware components and the assembly density, and the accuracy of the data is reduced by user movement and by vibration caused by the environment.

OnePlus 7T device

Let me remind you that in one of the studies of past years, the Spearphone PoC application was used, which also abused access to the accelerometer and analyzed the reverberations that occur during telephone conversations.

However, at that time, experts used a speakerphone, due to which the accuracy of determining the gender and caller ID reached 99%, and the accuracy of speech recognition – 80%.

The authors of EarSpy summarize that phone manufacturers should ensure a stable sound pressure level during telephone conversations, as well as place sensors in the case in such a way that internal vibrations do not affect them or have the least possible impact.
