Skygofree: Spying on FB, WhatsApp, Skype and Credit Cards On Your Android

Malware is getting more sinister. Skygofree, said to have been in use since 2014, was reported by Kaspersky as capable of stealing messages, taking over the phone camera and exfiltrating data. The ultimate eavesdropper, Skygofree does not break the encryption of WhatsApp or Facebook messages; it gets around that limitation by abusing Android's Accessibility Services, a feature built for people with disabilities or limited ability to interact with a smartphone or tablet, which lets an app read the text displayed on screen.

Kaspersky Lab researchers have uncovered an advanced mobile implant, active since 2014 and designed for targeted cyber-surveillance, possibly as an 'offensive security' product.

Late last year it was rated one of the most sophisticated pieces of Android malware seen, in part because it can force infected devices onto Wi-Fi networks under the attackers' control. Rather than coming from an ordinary criminal crew, it is reportedly the product of an Italian company that sells surveillance systems, and it obtains root access on the device. With root, it can read practically anything in the device's storage, including geolocation, text messages, calendar entries, business data and personal information. It can also take photos and record video and audio automatically without alerting the owner that anything is amiss, and it can record Skype conversations.

Skygofree is a sophisticated, multi-stage spyware that gives attackers full remote control of an infected device. – Kaspersky

You realize the gravity of the risk when you consider how much you have entrusted to your smartphone: you read email, write notes, store passwords and credit card details, and even hold virtual work meetings on your Android.

According to Kaspersky, the malware is spread through landing pages that mimic mobile network operators, where users are tricked into installing the app. If your smartphone is draining its battery unusually fast and heating up, it may be infected by Skygofree or another Trojan. Besides the 48 commands it can execute, it circumvents battery-saving mechanisms (such as Huawei's) by quietly adding itself to the list of protected apps, a particularly dangerous trait because it keeps running in the background when the screen is off.

How does Skygofree do it? Once installed from a fake site, the app shows a notification along the lines of "Dear Customer, we're updating your configuration and it will be ready as soon as possible". It sounds official and above-board and raises no suspicion. If you do notice something off and try to delete or uninstall the app, you are in for a surprise: the Trojan hides its icon and keeps running as a background service, where it is not easily removed from the system. According to Kaspersky, this self-protection applies to almost all of its services. Kaspersky adds that Windows could be the next target, and that this has already begun with modules that go after Skype.

Prevent infection by Skygofree by:

  • installing antivirus/anti-malware protection such as Kaspersky Security for Mobile
  • being cautious when opening mail from unknown senders
  • not opening unexpected attachments
  • downloading apps only from known, reputable sources, and
  • turning on Application Control if you are the system administrator.
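Because Skygofree reads messages through Accessibility Services rather than by breaking encryption, the practical check on a managed Android fleet is to audit which apps hold that access. The script below is an added example (not from the Kaspersky report): it parses the value of the secure setting `enabled_accessibility_services`, as printed by `adb shell settings get secure enabled_accessibility_services`, and reports every entry whose package is not on an assumed allowlist. The sample value and the package names in it are constructed for this example.

```python
"""Audit which apps hold Android Accessibility Service access.

Added example, not from the Kaspersky report. The input string is the value of
the secure setting `enabled_accessibility_services`, which can be read from a
connected device with:

    adb shell settings get secure enabled_accessibility_services

The format is colon-separated `package/ServiceClass` entries; the command
prints "null" when nothing is enabled. The sample value below is constructed
for this example and does not name a real Skygofree component.
"""
from dataclasses import dataclass

# Assumed allowlist of packages that legitimately need accessibility access
# (a screen reader in this example). Tailor this to your own fleet.
TRUSTED_PACKAGES = frozenset({"com.google.android.marvin.talkback"})


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service: str


def parse_enabled_services(setting_value: str) -> list[AccessibilityService]:
    """Parse the raw `enabled_accessibility_services` value.

    Entries are separated by ':'; each is 'package/class'. A class that starts
    with '.' is shorthand relative to the package name (Android accepts this
    for component names), so it is expanded to the full class name here.
    """
    services: list[AccessibilityService] = []
    value = setting_value.strip()
    if not value or value == "null":
        return services
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, cls = entry.partition("/")
        if not sep:
            continue  # malformed entry, skip it
        if cls.startswith("."):
            cls = package + cls
        services.append(AccessibilityService(package, cls))
    return services


def untrusted_services(setting_value: str,
                       trusted: frozenset = TRUSTED_PACKAGES) -> list[AccessibilityService]:
    """Return the enabled services whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(setting_value)
            if s.package not in trusted]


# Constructed sample: one legitimate screen reader and one unknown
# "operator update" app of the kind Skygofree's lure pages push.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.operatorupdate/.ConfigService"
)

if __name__ == "__main__":
    for s in untrusted_services(SAMPLE_SETTING):
        print(f"REVIEW: {s.package} ({s.service}) holds accessibility access")
```

Any package flagged by this check that is not a screen reader, password manager or similar tool you deliberately approved deserves a closer look, since accessibility access is exactly what lets an app read WhatsApp and Facebook messages off the screen.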

Malware disguises itself as an Instagram app

A new Trojan is currently making the rounds that takes advantage of Instagram's popularity.

Security firm Sophos discovered this new malware and dubbed it “Andr/Boxer-F”.

Since Facebook bought Instagram for a billion dollars in cash and stock, the app's popularity has skyrocketed. A day after the acquisition it became the most downloaded free app in Apple's App Store, and its Android user base is growing at a staggering rate.

This is why cyber crooks are trying to cash in. They have been setting up fake websites advertising fake Instagram apps; if you look closely at such a site, you will see that it is quite questionable. Once the fake app is installed, it sends expensive international text messages to earn its authors revenue.

So once again we go back to basics. First, don't be fooled: look closely at the websites you visit. Is the address correct? Does it look authentic?

Don't install questionable files on your device; that way lie unwanted problems. Phishing schemes are common, so be warned.

Better safe than sorry.

Image Source: rootzwiki.com

Apple scrambling to get rid of malware

Over 600,000 Macs have been infected by malware that harvests sensitive personal information from users.

Around the world, people felt that Apple Inc. was too slow in finding a way to eradicate the problem, which reportedly first appeared last year.

Apple said it is working on finding and removing the malware, which exploits a flaw in Oracle Corp's Java software. The company has issued patches and temporary fixes and is now developing software to detect and eliminate the malware, called "Flashback".

The security community was nonetheless critical of Apple's slow response and its failure to address the issue promptly.

Security specialist at Sophos Paul Ducklin said, “Someone in Apple has broken ranks following the recent revelations of a jolly Big OS X botnet. Apple has – apparently for the very first time – talked about a security problem before it had all its threat response ducks in a row.”

Apple rarely has malware problems, as its closest rival Microsoft's operating system is the one normally targeted.

Symantec Corp said that the malware was developed last summer or early fall.

A “Trojan” is a software program that looks and acts like a regular program but opens backdoors into a user’s computer system.

Image Source: timenerdworld.files.wordpress.com

Latest Trojan disguises itself as game app

A new Trojan is scouring the web for smartphones running Google's Android OS. This latest intruder disguises itself as a game app, sends information about the phone to its controller and subscribes the victim to premium SMS services.

Sophos said the malware is bundled with a legitimate Chinese game, "The roar of the Pharaoh". The game is reportedly not distributed on Google Play.

According to the security firm's blog post, "Once installed the malicious application gathers sensitive information (IMEI, IMSI, phone model, screen size, platform, phone number and OS version) and sends it off to the malware's authors. Like many other mobile Trojans, this one sends SMS messages to premium rate SMS numbers and is capable of reading your SMSs as well."

The company detects the malware attached to the game app as ANDR/Stiniter-A.

Sophos warns that the app does not prompt for permission during installation. It added that the malware also attempts to communicate with four .com domains using a path of "tgloader-android".

They noted that, “Criminals love the free money laundering service provided by mobile phone providers. They can set up premium rate SMS numbers in Europe and Asia with a little difficulty.”

Image Source: Activeresponse.org

Scareware hides files and folders, charges $80 for repair

BitDefender researchers have discovered a new scareware tactic: it warns victims that all their files and folders have disappeared because of hard disk problems and invites them to buy an $80 disk repair utility that will supposedly solve the problem.

The scareware is installed on the victim's computer by Win32.Brontok.AP@mm, a widespread worm that spreads by mailing itself to harvested email addresses. It can also spread through USB drives.

The researchers said, "It copies itself into every folder on the infected stick under the name of the folder, adding an .exe extension that remains hidden from users. This is an indicator that it needs the user to recognize, trust, click and thus install it on the PC."

The worm can disable antivirus and security software, and it also prevents users from changing the folder-view settings that would make hidden files and folders visible.
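The lure BitDefender describes, an executable named after a folder whose real extension Explorer hides, is easy to check for from a clean machine before you open anything on a suspect stick. The script below is an added example, not BitDefender's tooling: it walks a drive and flags any executable whose name matches a directory beside it or the directory it sits in. The infected-stick layout it scans is constructed in a temporary directory; the extension list is an assumption.

```python
"""Scan a removable drive for the Brontok folder-mimic pattern.

Added example, not BitDefender's code. It looks for executables named after a
directory, either a sibling ('Photos' directory next to 'Photos.exe') or the
containing directory ('Work/Work.exe'), which is the lure the worm relies on
when Explorer hides known extensions. The sample tree below is constructed
in a temporary directory.
"""
import os
import tempfile
from pathlib import Path

# Assumed set of extensions Windows will execute on double-click and that
# Explorer hides by default when "Hide extensions for known file types" is on.
LURE_SUFFIXES = (".exe", ".scr", ".com", ".pif")


def find_folder_mimics(root) -> list:
    """Return paths of executables whose stem matches a directory name.

    The stem is compared with the names of sibling directories and with the
    name of the directory the file sits in. Comparison is case-insensitive,
    because FAT and NTFS file systems are.
    """
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        candidate_names = {d.lower() for d in dirnames}
        if here != root:                       # the drive root has no meaningful name
            candidate_names.add(here.name.lower())
        for name in filenames:
            p = Path(name)
            if p.suffix.lower() in LURE_SUFFIXES and p.stem.lower() in candidate_names:
                hits.append(here / name)
    return sorted(hits)


def build_sample_stick() -> Path:
    """Create a constructed sample layout imitating an infected USB stick."""
    root = Path(tempfile.mkdtemp(prefix="stick_"))
    (root / "Photos").mkdir()
    (root / "Photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "Photos.exe").write_bytes(b"MZ")          # mimic beside the folder
    (root / "Work").mkdir()
    (root / "Work" / "report.docx").write_bytes(b"PK")
    (root / "Work" / "Work.exe").write_bytes(b"MZ")   # mimic inside the folder
    (root / "setup.exe").write_bytes(b"MZ")           # unrelated executable, not flagged
    return root


if __name__ == "__main__":
    stick = build_sample_stick()
    for hit in find_folder_mimics(stick):
        print(f"SUSPECT: {hit.relative_to(stick)}")
```

A hit is not proof of infection on its own (a self-extracting archive next to its extracted folder will also match), but on a stick that should hold only documents and photos it is exactly the pattern the worm leaves behind, and it is worth checking before the hidden-extension setting has a chance to mislead you.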

If you are tempted to buy the $80 fix being advertised, beware: paying for it will do nothing to restore the files and folders on the computer.

The best defence is to watch what you install on your computer and to avoid downloading email attachments that do not come from trusted senders.

Image source: securitywatch.pcmag.com

New variant of Flashback Trojan for Mac OS found

Macs have a reputation as some of the safest computers around; compared with Windows, far less malware targets the Mac operating system.

Unfortunately, antivirus firm Intego reports that the criminals behind the Flashback Trojan are at it again and have started spreading another malware package. This seventh variant uses new techniques to infect Macs.

Flashback is a Trojan that uses a number of methods to infect the system. It first tries to exploit a Java security hole to install itself; on machines without Java it falls back to tricking the user, disguising itself as a legitimate Adobe Flash installer and displaying certificates that appear to come from Apple to persuade the user to install it.

Once installed, it injects code into web browsers and other applications in order to harvest passwords and other personal information. One tell-tale sign is that the affected programs frequently crash, forcing users to reinstall them.

To be safe, Mac users should install a malware scanner and keep it updated.

Image source: techmapr.com

New Trojan can stay hidden in Windows

A newly discovered piece of malware hijacks a critical system file so that it stays hidden on the system while remaining active.

According to antivirus company BitDefender, the Trojan, identified as Trojan.Dropper.UAJ, tries to evade antivirus detection by not adding itself to the list of programs that run at startup.

The company’s Malware City blog read, “Trojan.Dropper.UAJ comes with its own approach – it patches a vital code library (comres.dll) forcing all applications that rely on comres.dll to execute this particular e-threat, as well.”

BitDefender says comres.dll is used by most Internet browsers, communication applications and networking tools, which makes it both widely loaded and important to the operating system.

The Trojan copies the genuine comres.dll, patches it, and saves the patched copy in the Windows directory, one of the locations the OS searches when an application asks for a dynamic link library (DLL).

The Trojan then drops a file, prfn0305.dat, detected as Backdoor.Zxshell.B, which contains the functionality that ultimately compromises the operating system.

BitDefender says the Trojan runs on almost any Windows version, both 32- and 64-bit.
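The technique above works because Windows resolves a DLL by name along a fixed search order, so a patched copy in a directory that is searched before (or instead of) the genuine one gets loaded by every process that asks for it. The script below is an added example, not BitDefender's tooling: it models the search order in simplified form (application directory, System32, Windows directory, then PATH entries, the order SafeDllSearchMode uses), hashes every copy of the named DLL found along it, and flags copies whose SHA-256 differs from the reference copy in System32. The directory layout and the file contents standing in for the genuine and patched DLL are constructed in a temporary directory.

```python
"""Detect a tampered or shadowing copy of a system DLL along the load path.

Added example, not BitDefender's code. It models the Windows DLL search order
in simplified form (application directory, System32, Windows directory, then
PATH entries), hashes every copy of the named DLL found along it, and flags
copies whose hash differs from the reference copy in System32. The layout
below is constructed in a temporary directory; the bytes are stand-ins, not
real DLL contents.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path) -> str:
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_dll(dll_name, app_dir, system32, windows_dir, path_dirs=()):
    """Return (resolved_copy, suspicious_copies) for one DLL name.

    resolved_copy is the path a process started from app_dir would load first
    under the simplified search order; suspicious_copies lists every copy along
    that order whose SHA-256 differs from the System32 reference (or every copy
    at all if the reference is missing, since then nothing can be trusted).
    """
    search_order = [Path(app_dir), Path(system32), Path(windows_dir),
                    *map(Path, path_dirs)]
    reference = Path(system32) / dll_name
    ref_hash = sha256_of(reference) if reference.is_file() else None
    resolved = None
    suspicious = []
    for directory in search_order:
        candidate = directory / dll_name
        if not candidate.is_file():
            continue
        if resolved is None:
            resolved = candidate          # first hit along the search order wins
        if ref_hash is None or sha256_of(candidate) != ref_hash:
            suspicious.append(candidate)
    return resolved, suspicious


def build_sample_layout():
    """Create a constructed layout: genuine DLL in System32, patched copy in Windows."""
    root = Path(tempfile.mkdtemp(prefix="dllaudit_"))
    app = root / "app"
    windows = root / "Windows"
    system32 = windows / "System32"
    app.mkdir()
    system32.mkdir(parents=True)
    genuine = b"MZ-genuine-comres"                       # stand-in for the real library
    (system32 / "comres.dll").write_bytes(genuine)
    (windows / "comres.dll").write_bytes(genuine + b"-patched-loader-stub")
    return app, system32, windows


if __name__ == "__main__":
    app, system32, windows = build_sample_layout()
    resolved, bad = audit_dll("comres.dll", app, system32, windows)
    print(f"loaded first: {resolved}")
    for p in bad:
        print(f"TAMPERED: {p} does not match System32 copy")
```

Two things the run shows: the patched copy in the Windows directory is flagged even though System32 still wins the lookup, and if the same patched file is dropped into the application directory it becomes the resolved copy, which is why a hash comparison against a known-good reference, not just "is the file where I expect it", is the check worth running.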

Zeus identity-theft Trojan is back, FBI warns

A new strain of the infamous Zeus Trojan is again wreaking havoc in cyberspace, and the Federal Bureau of Investigation (FBI) says it can defeat the security measures of top financial institutions.

The latest ID-theft malware, known as Gameover, arrives via phishing e-mails purporting to come from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC).

This was the warning issued by the FBI:

The malware is appropriately called "Gameover" because once it's on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it's definitely "game over".

Gameover is a newer variant of the Zeus malware, which was created several years ago and specifically targets banking information.

The e-mail usually contains a link that, if clicked, redirects you to a website. According to the FBI, "once you're there, you inadvertently download the Gameover malware, which promptly infects your computer and steals your banking information."

Image source: adsh2007.com