If you’re using a cheap Android smartphone manufactured or sold by BLU, Infinix, Doogee, Leagoo, IKU, Beeline or Xolo, you are likely wide open to Man-in-the-Middle attacks that can result in your device being thoroughly compromised.


A more detailed (but not complete) list of vulnerable devices can be found in an advisory by CERT/CC.

This discovery comes less than a week after researchers from Kryptowire identified several models of Android mobile devices that contain firmware that collects sensitive data about their owners and secretly transmits it to servers owned by a company named Shanghai Adups Technology Co. Ltd.

Among these mobile devices are also some BLU smartphones.

The origin of the vulnerability (CVE-2016-6564)

Those and other devices (roughly 55 device models) are open to attack because they sport the same firmware by Chinese software company Ragentek Group.

This firmware contains a binary that is responsible for enabling over-the-air (OTA) software updating, but unfortunately the mechanism is flawed.

For one, the update requests and supplied updates are sent over an unencrypted channel. Secondly, until a few days ago, two Internet domains that the firmware is instructed to contact for updates (the addresses are hardwired into it) were unregistered – meaning anybody could have registered them and delivered malicious updates and commands to compromise the devices.

Luckily, it was researchers from Anubis Networks who did so, and the move allowed them to clock over 2.8 million devices that contacted the domains in search of updates. Many of these devices are located in the US, as most of the models are sold by Best Buy and Amazon.

But even though the domains are now owned by the researchers’ company, the fact that updates are delivered over an unencrypted channel allows attackers with a MitM position to intercept legitimate updates and swap them for malicious ones (the firmware does not check any signature to confirm an update’s legitimacy).

MitM attackers could also send responses that would make the devices execute arbitrary commands as root, install applications, or update configurations.
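The flaw described above is the absence of any authenticity check on the update, not just the missing encryption. As an added example, which is not Ragentek’s code and not part of the original article, here is the verification a device should perform: the vendor signs a manifest carrying the payload digest with an offline Ed25519 key, and the device checks that signature against a public key pinned in its firmware before it trusts either the version number or the image. The type and function names, the sample payload and the URLs are illustrative assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one OTA update. The device verifies the signature over the
// exact manifest bytes it received, so no canonicalisation step is needed.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the payload
	URL     string `json:"url"`
}

// SignedUpdate is what the update server returns to the device.
type SignedUpdate struct {
	Manifest  []byte // JSON-encoded Manifest
	Signature []byte // Ed25519 signature over Manifest
	Payload   []byte // the firmware image
}

// Sentinel errors so callers can tell the failure modes apart.
var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
)

// NewVendorKey generates the vendor signing key pair. In practice the private
// half lives offline (HSM); only the public half is baked into firmware.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildSignedUpdate is the vendor side: bind the payload to the manifest by
// digest, then sign the manifest.
func BuildSignedUpdate(priv ed25519.PrivateKey, version int, url string, payload []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	mb, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:]), URL: url})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: mb, Signature: ed25519.Sign(priv, mb), Payload: payload}, nil
}

// VerifyUpdate is the device side. Order matters: authenticate the manifest
// before parsing it, reject rollbacks, then check the payload against the
// authenticated digest. An attacker who can rewrite bytes on the wire cannot
// forge the signature, so transport security is not what this check rests on.
func VerifyUpdate(pub ed25519.PublicKey, u SignedUpdate, installed int) (Manifest, error) {
	if !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if m.Version <= installed {
		return Manifest{}, ErrRollback
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return Manifest{}, ErrHashMismatch
	}
	got := sha256.Sum256(u.Payload)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

func main() {
	pub, priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed firmware image v2") // constructed sample payload
	upd, _ := BuildSignedUpdate(priv, 2, "http://updates.example/v2.bin", firmware)

	report := func(name string, u SignedUpdate, installed int) {
		_, err := VerifyUpdate(pub, u, installed)
		fmt.Printf("%-28s -> %v\n", name, err)
	}
	report("genuine update", upd, 1)

	// MitM swaps the payload but cannot re-sign the manifest.
	swapped := upd
	swapped.Payload = []byte("malicious image")
	report("payload swapped in transit", swapped, 1)

	// MitM rewrites the manifest to point the digest at its own image.
	forged := upd
	forged.Manifest = []byte(`{"version":2,"sha256":"00","url":"http://evil.example/x"}`)
	report("manifest forged", forged, 1)

	// A recorded, genuinely signed v2 update replayed at a device already on v2.
	report("replay of old version", upd, 2)
}
```

With this check in place both attacks in the article fail: swapping the image breaks the digest, and rewriting the manifest breaks the signature, so an unregistered update domain degrades to a denial of service at worst. TLS is still worth adding for confidentiality, but it is not a substitute; the signature is what ties an update to the vendor rather than to whoever answers DNS for the hardcoded domains.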

Is this a deliberate backdoor/rootkit?

It does seem so. According to the researchers, the binary that performs OTA update checks – debugs, in the /system/bin/ folder – runs with root privileges, and its presence and the process it starts are being actively hidden by the firmware.

“It’s unclear why the author of this process wanted to purposely hide the presence of the process and local database on the device, although it’s worth noting that it did not attempt to do this comprehensively,” the researchers noted.

But they told Ars Technica that they believe the backdoor capabilities were unintentional; Ragentek has yet to comment on the discovery.

How to protect yourself?

If you’re using one of the affected devices, the right solution is to install the update containing the fix, when it becomes available. But make sure to download the update only over trusted networks and/or through a VPN, so that the traffic is encrypted and protected from tampering.

So far, only BLU has released such an update, but the fix has not yet been verified.

A workaround that should keep you safe until a security update arrives is to use your device only on trusted networks (e.g. your home network, as opposed to open or public Wi-Fi).

Help Net Security

Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database was downloaded by at least one third party, and it’s likely being traded online.


Troy Hunt, the security researcher who runs the Have I been Pwned? service and whose own information is in the compromised backup file, received the file, and ultimately notified GitHub of the matter.

His analysis of the file ultimately revealed that:

  • It contains 8.2 million unique email addresses, i.e. records about 8.2 million users of GitHub, Bitbucket (another web-based hosting service for projects), and possibly other online services.
  • Most of these records contain users’ names, usernames, email address, geographic location, professional skills, years of professional experience.
  • All of this information is already online on GitHub and those other services, accessible to anybody – GeekedIn just scraped it and created its own database, access to which is offered to companies interested in finding developers – for a fee.

When contacted, GitHub said that it allows third-party scraping of its users’ data, so long as the data is only used for the same purpose for which users gave it to GitHub.

“Using scraped information for a commercial purpose violates our privacy statement and we do not condone this kind of use,” they told Hunt.

After he finally managed to get in touch with GeekedIn, the company acknowledged the incident and promised to secure the data.

Hunt loaded some of this data into his service, but only a little over 1 million users will be able to find themselves in it: he included only the records of those who had a publicly available email address on GitHub.

“This incident is not about any sort of security vulnerability on GitHub’s behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service,” he made sure to note.

Help Net Security

Microsoft opens up its 'million dollar' bug-finder

Microsoft is previewing a cloud-based bug detector, dubbed Project Springfield, that it calls one of its most sophisticated tools for finding potential security vulnerabilities.

Project Springfield uses "whitebox fuzzing," which uncovered one-third of the "million dollar" security bugs during the development of Windows 7. Microsoft has been using a component of the project called SAGE since the mid-2000s to test products prior to release, including fuzzing both Windows and Office applications. 


For this project, SAGE is bundled with other tools for fuzz testing, featuring a dashboard and other interfaces that enable use by people without an extensive security background. The tests are run using Microsoft's Azure cloud.

With fuzz testing, the system throws malformed and random inputs at software to find cases in which unexpected behavior makes it crash. According to Microsoft researcher David Molnar, the technique is ideal for software that regularly consumes inputs like documents, images, videos, or other information that may not be trustworthy: the crashes it surfaces are the inputs a bad actor could use to launch an attack or take down a system. Whitebox fuzz testing goes a step further than random mutation: it observes how the program handles each input, asks a series of "what if" questions about the conditions that would steer execution down other paths, and derives new inputs to exercise them, flagging those that cause a crash as potential security concerns.
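As an added illustration of the basic loop (example code written for this page, not Microsoft's SAGE or Project Springfield, which additionally reason about the program's branch conditions to derive inputs rather than mutating at random): a mutation fuzzer that feeds random variations of a valid input to a deliberately buggy parser and reports the first crash. The parser, its bug, the seed input and the function names are constructed for the example.

```go
package main

import (
	"fmt"
	"math/rand"
)

// parseRecord is the constructed fuzz target: a length-prefixed record parser
// with a deliberate bug. It trusts the length byte and slices without checking
// it against the buffer, so a length larger than the remaining input panics
// (slice bounds out of range), which the fuzzer treats as a crash.
func parseRecord(in []byte) []byte {
	if len(in) == 0 {
		return nil
	}
	n := int(in[0])
	return in[1 : 1+n] // BUG: no check that 1+n <= len(in)
}

// runTarget executes the target once and reports whether it panicked.
func runTarget(in []byte) (crashed bool, msg string) {
	defer func() {
		if r := recover(); r != nil {
			crashed, msg = true, fmt.Sprint(r)
		}
	}()
	parseRecord(in)
	return false, ""
}

// mutate returns a copy of seed with one random byte-level change.
func mutate(rng *rand.Rand, seed []byte) []byte {
	out := append([]byte(nil), seed...)
	switch rng.Intn(3) {
	case 0: // overwrite one byte with a random value
		out[rng.Intn(len(out))] = byte(rng.Intn(256))
	case 1: // flip one bit
		out[rng.Intn(len(out))] ^= byte(1) << uint(rng.Intn(8))
	default: // truncate to a random non-empty prefix
		out = out[:rng.Intn(len(out))+1]
	}
	return out
}

// Fuzz mutates seed up to iters times and returns the first input that makes
// the target crash, with the panic message, or found == false. rngSeed makes
// a run reproducible, which matters when you want to replay a crash.
func Fuzz(seed []byte, iters int, rngSeed int64) (input []byte, msg string, found bool) {
	if len(seed) == 0 {
		return nil, "", false
	}
	rng := rand.New(rand.NewSource(rngSeed))
	for i := 0; i < iters; i++ {
		in := mutate(rng, seed)
		if crashed, m := runTarget(in); crashed {
			return in, m, true
		}
	}
	return nil, "", false
}

func main() {
	seed := []byte{3, 'a', 'b', 'c'} // a valid record: length 3, then "abc"
	if in, msg, ok := Fuzz(seed, 10000, 1); ok {
		fmt.Printf("crash on input %q: %s\n", in, msg)
	} else {
		fmt.Println("no crash found")
	}
}
```

Random mutation finds this bug within a handful of iterations because the length byte is one of four and almost any change to it or any truncation trips the missing bounds check; a bug guarded by a specific multi-byte condition is where coverage feedback and constraint solving earn their keep.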

The code-name, Springfield, previously was used at Microsoft for the now-defunct Popfly web page and mashup creation service. There's no relation between the two projects, a Microsoft representative said. Microsoft is extending preview invitations for Project Springfield to customers, with an initial group to evaluate it for free.

An investigation conducted into the two Yahoo security incidents disclosed recently revealed the existence of a connection and led researchers to believe that the claim of 200 million accounts being stolen in 2012 is likely false.

In early August, a hacker claimed to possess 200 million Yahoo user accounts stolen from the tech giant back in 2012. The hacker, known online as Peace and peace_of_mind, had offered to sell the data for 3 Bitcoin on a marketplace called TheRealDeal, where he had previously sold hundreds of millions of Tumblr, Myspace, VK and LinkedIn accounts.

Then, earlier this month, Yahoo confirmed that attackers, which the company believes were sponsored by a nation state, breached its systems in 2014 and stole at least 500 million user accounts. Yahoo never confirmed the alleged 2012 incident, although some suggested that the company discovered the 2014 breach while investigating those claims.

Security firm InfoArmor launched an investigation and determined that the vast majority of the 200 million credentials were not associated with Yahoo accounts. Experts believe the data likely comes from multiple third-party leaks and that some of the credentials match only because people reuse passwords. It’s worth noting that some people questioned the validity of the 2012 dump ever since samples of the data were made available.

InfoArmor believes Peace faked the data after having a falling-out with tessa88, another hacker who recently offered to sell hundreds of millions of accounts stolen from various services. According to researchers, tessa88 and Peace exchanged stolen information, until the former was called out over fake and low-quality dumps.

However, evidence uncovered by InfoArmor suggests that there is a link between these cybercriminals and the threat actor that carried out the 2014 attack confirmed by Yahoo.

Researchers believe tessa88 is linked to the real Yahoo hackers through an unidentified actor that played the role of a proxy. This proxy allegedly obtained the Yahoo data from professional black hats in Eastern Europe and provided it to various other actors, including cybercriminals and a state-sponsored party that had been interested in exclusive database acquisitions.

Tessa88 had previously received accounts from the proxy and InfoArmor believes tessa88 and Peace expected to get the Yahoo data as well. However, since that did not happen, Peace created a fake dump and claimed it came from a 2012 breach.

According to the security firm, the 500 million accounts were stolen from Yahoo after the compromised database was divided into hundreds of equal parts. The files, which contained data organized alphabetically, were exfiltrated in segments.

InfoArmor said the actual Yahoo dump is still not available on any cybercrime forums. However, the data has been monetized by some cybercriminals and the company believes it might have also been leveraged in attacks targeting U.S. government personnel.

Yahoo breach aftermath

News of the breach has caused serious problems for Yahoo, just as the company’s core business is about to be acquired by Verizon for $4.8 billion. Some believe the incident could impact the deal, but Verizon has yet to comment.

Several class actions have been filed against Yahoo by customers, including people who claim to be directly affected by the breach.

Earlier this week, U.S. Senator Patrick Leahy sent a letter to Yahoo CEO Marissa Mayer asking how such a massive breach could go undetected for two years. Senator Mark Warner has asked the Securities and Exchange Commission (SEC) to determine if the company fulfilled obligations to keep the public and investors informed, as required by law.

Mayer reportedly neglected cybersecurity since she took over the company. According to The New York Times, current and former employees said the CEO focused on functionality and design improvements rather than security.

Alex Stamos, who left his CISO position at Yahoo last year to become Facebook’s CSO, was allegedly denied financial resources for proactive security solutions. Mayer is said to have also rejected a proposal to reset all user passwords fearing that the move would result in more users abandoning its services.


By Eduard Kovacs
SecurityWeek RSS Feed

Yahoo officially acknowledged it was the victim of one of the largest data breaches in history in which data from at least 500 million user accounts was stolen.

The Yahoo breach took place in late 2014 but it wasn't confirmed until a "recent investigation." Yahoo didn't provide a specific timeline of events, but Flashpoint confirmed it recently found 200 million Yahoo accounts for sale on the deep web.

"On August 2, 2016, Flashpoint became aware of an advertisement posted on TheRealDeal Marketplace by actor "peace_of_mind" (otherwise known as "peace") for the sale of some 200 million Yahoo account credentials," Vitali Kremez, cybercrime intelligence senior analyst at Flashpoint, told SearchSecurity via email. "Peace_of_mind is the same actor whom Flashpoint previously reported as selling leaked MySpace and LinkedIn account credentials in May 2016. This actor, who is also a co-founder of TheRealDeal Marketplace, is considered highly credible based on past activity and feedback from customers."

Various news outlets have reported that the sale of the Yahoo accounts on the deep web is what first prompted Yahoo to investigate a potential mega breach. The Yahoo breach follows other high-profile data breaches at companies such as LinkedIn and Dropbox that have exposed user emails and information.

Keatron Evans, senior security researcher and principal of Blink Digital Security, said Yahoo needs to provide more details about the attack. "What I want to know is when Yahoo discovered this attack. If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach?" Evans said. "This slow response could become a PR nightmare that damages the company's reputation, and it goes to show how difficult it can be to determine the root cause of an attack that happened months or even years in the past without the right training and tools."

In a statement, Yahoo said it believes the attack was state-sponsored, though no specific nation was named. Yahoo also attempted to reassure users that their most valuable data had not been compromised.

"The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo wrote. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected."

J. Paul Haynes, CEO of eSentire, said it was good to see Yahoo not jumping to conclusions with attribution.

"The timing of this breach is curious, given Yahoo's pending sale; however it's a bit premature to place blame with a state-sponsored attacker," Haynes said. "Attribution is a slippery slope and nearly impossible without a complete case file, which neither Yahoo nor the investigators have at this point."

Complicating matters further, Verizon is in the process of purchasing Yahoo for $4.8 billion; the deal is still under regulatory review. A Verizon spokesperson said the company only learned of the Yahoo breach this past Tuesday and so far has "limited information and understanding of the impact" of the breach.

Adam Levin, chairman and founder of IDT911, said data breaches should be considered a new certainty in life along with death and taxes. "All users of Yahoo email must immediately change not only their Yahoo user IDs and passwords but also any duplicate login information used to access other accounts," Levin said. "As we live in an environment where breaches have become the third certainty in life, it is essential that consumers protect themselves by using long and strong passwords, which are never shared across their universe of social, financial, retail and email accounts and updated routinely; enable two-factor authentication; and are always on guard against phishing attacks."

Yahoo suggested users review their online accounts for any suspicious activity, change account details, avoid clicking suspicious links and use the Yahoo Account Key two-factor authentication tool.

Brett McDowell, executive director of the FIDO Alliance, said this should be a warning to everyone that strong passwords alone may not be enough. "Cyber criminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud. We need to take that ability away from criminals and the only way to do that is to stop relying on passwords all together," McDowell said. "The frequency and severity of these data breaches is only getting worse year-over-year, and this trend will continue until our industry ends its dependency on password security and adopts un-phishable strong authentication."

Vishal Gupta, CEO of Seclore, said the fallout from this attack could be devastating. "This nation now has access to 500 million phone numbers. With talk of Russian attempts to influence the election, it isn't difficult to imagine how access to the contact information, and personal details, of that many potential votes could be used maliciously," Gupta said. "Unless organizations take stricter security measures and apply data-centric security solutions, hackers will always come up with inventive ways to leverage sensitive information for malicious purposes."


SearchSecurity: Security Wire Daily News


A single ransomware author and distributor was able to collect $121 million in ransomware payments during the first half of this year, netting $94 million after expenses, according to a report released today.

"Ransomware has grown over the years, and in 2015 and 2016 we really saw a serious spike," said Vincent Weafer, vice president of Intel Security's McAfee Labs.


Weafer estimated that total ransomware revenues could be in the hundreds of millions.

"And that's on the conservative side," he said.

Total ransomware increased by 128 percent during the first half of 2016 compared to the same period last year. There were 1.3 million new ransomware samples recorded, the highest number since McAfee began tracking it.

There were also nearly 2 million new mobile malware samples, also the highest ever recorded. Total mobile malware grew 151 percent in the past year, according to the report.

The report also included the results of a data protection benchmark study, surveying security practitioners around the world. According to the survey, companies with more than 5,000 employees reported a median of 31 to 50 data loss incidents -- per day.


The smallest companies in the survey, with between 1,000 and 3,000 employees, reported a median of 11 to 20 data loss incidents per day.

The worst-hit were government organizations and financial services, with an average of 22 incidents per day, followed by retail with 20 incidents and health care with 19.


The breaches were serious enough that 68 percent required public disclosure, the report said.

According to Weafer, the research highlighted two major gaps in security focus -- physical media, and cloud services. Nearly 40 percent of the data losses involved some kind of physical media, such as stolen or lost laptops or thumb drives.

"There's a significant amount of data going out by physical medium," he said. "Are you actually monitoring those areas?"

Only 37 percent of organizations do the kind of monitoring of user activity and media connections that could address these types of losses, according to the survey.

The survey showed significantly higher losses via physical media than the Verizon breach report, which put the number of security incidents involving physical theft or loss at less than 10 percent of the total. But the Verizon report is largely based on incidents that involve outside forensics, Weafer explained. Stolen or lost devices may not require that kind of investigation, he said.

There's also a security focus gap when it comes to use of cloud services, Weafer said.

"By and large, they're not really monitoring a lot of cloud services where their data is stored, particularly public cloud services," he said.

According to the survey, only 12 percent of respondents had confidence in their visibility of their data in the cloud.

Nearly 90 percent have some protections in place, however.

"They're looking at restrictions of which employees are allowed to go into the cloud," he said. "The basic things. But what data is there, how to monitor it -- they're still catching up."

This story, "A single ransomware network has pulled in $ 121 million" was originally published by CSO.

InfoWorld Security

If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.


The company behind the popular Paid To Click site has been breached: the site was made to redirect to a gay porn site, its Microsoft Exchange server and web servers were compromised, and an old database server containing users’ information was pilfered some ten days ago.

The stolen information includes users’ name, email and IP address, home address, date of birth, sex, account balance, payment history, as well as their password in plaintext.

The company confirmed the hack to Ars Technica and said it has forced a password reset on all of its 6.6 million registered users.

Users who have reused the same password on other online accounts should change it there also, as well as be on the lookout for convincing phishing attempts by crooks using their stolen information.

It is a very realistic scenario, as the attackers are offering the account records for sale, along with emails exchanged by the company’s employees and the complete source code for the site.

They have released a sample of the stolen data, containing that of early users, as proof.

Unlike previous mega data breaches, this one is not old – the user database has been dumped earlier this month, so all the information contained in it should be up to date.

Of course, it’s possible that some users have entered incorrect information when asked, and given what’s happened, I say good on them.

“It has come to our attention that this hacker did get access to our database server for a short period of time. He was able to gain access to this not directly but instead through an old server we were no longer using that had a connection to our database server. (This server has since been terminated),” Clixsense explained in a post about the incident.

“He was able to copy most if not all of our users table, he ran some SQL code that changed the names on accounts to ‘hacked account’ and deleted many forum posts. He also set user balances to $0.00.”

After all that, the company had the nerve to say that the incident “has taught us that regardless of what you do to stay secure, it still may not be enough,” and that users’ “ClixSense account information is now much more secure.”

Never mind that it should have been secure in the first place. Why was an old server that’s no longer in use still connected to their database server? And, for that matter, why were passwords stored in plaintext? None of this inspires much confidence that they will “do” security better in the future.
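Yahoo’s statement above that the vast majority of its stolen passwords were bcrypt-hashed, and ClixSense’s plaintext passwords here, are the two ends of the same design decision. As an added example (not code from either company, written for this page), here is the server-side pattern: a per-user random salt, a slow key derivation and a constant-time comparison at login. The derivation is PBKDF2-HMAC-SHA256 from RFC 8018, written out in full so the example needs only Go’s standard library; in production use bcrypt, scrypt or Argon2 from a maintained library. The type and function names and the sample password are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA256 as the PRF.
// Each output block T_i is the XOR of the chain U_1 = PRF(P, S || INT(i)),
// U_j = PRF(P, U_{j-1}); the iteration count is the tunable cost.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, blocks*hashLen)
	idx := make([]byte, 4)
	for block := 1; block <= blocks; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// StoredCredential is what the user table holds instead of the password.
type StoredCredential struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// HashPassword draws a fresh random salt per user, so identical passwords do
// not produce identical rows and precomputed tables do not apply.
func HashPassword(password string, iterations int) (StoredCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{
		Salt:       salt,
		Iterations: iterations,
		Hash:       pbkdf2SHA256([]byte(password), salt, iterations, 32),
	}, nil
}

// VerifyPassword recomputes the derivation with the stored salt and compares
// in constant time; the plaintext is never stored or logged.
func VerifyPassword(c StoredCredential, candidate string) bool {
	got := pbkdf2SHA256([]byte(candidate), c.Salt, c.Iterations, len(c.Hash))
	return subtle.ConstantTimeCompare(got, c.Hash) == 1
}

func main() {
	const iterations = 600000 // cost parameter; tune so one check takes on the order of 100 ms on your hardware
	cred, err := HashPassword("correct horse battery staple", iterations) // constructed sample password
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: salt=%s iter=%d hash=%s\n",
		hex.EncodeToString(cred.Salt), cred.Iterations, hex.EncodeToString(cred.Hash))
	fmt.Println("right password:", VerifyPassword(cred, "correct horse battery staple"))
	fmt.Println("wrong password:", VerifyPassword(cred, "hunter2"))
}
```

A dump of rows produced this way still has to be treated as a breach (weak passwords fall to offline guessing, and reuse across sites is the attacker’s real lever), but each guess costs the attacker the full iteration count, which is the difference between the Yahoo and ClixSense outcomes for the users involved.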

But none of this matters much to the affected users: much of their personal info has been compromised, and there is no going back.

Help Net Security

Last Friday, General Motors announced that the owners of some 3.64 million of its vehicles will have to come in for a re-flash of their sensing and diagnostic module (SDM) software.


Apparently, a software bug tied to the diagnostic “oscillation test” routine in the SDM software makes it so that frontal airbags and seat belt pretensioners will not deploy “in certain rare circumstances when a crash is preceded by a specific event impacting vehicle dynamics.”

GM did not explain what these “rare circumstances” are, but noted that failure of this safety feature to deploy could result in increased risk of injury to the driver and front passenger.

Cars affected by this latest problem include certain:

  • 2014-2016 model year Buick LaCrosse and Chevrolet SS and Spark EV
  • 2014-2017 model year Chevrolet Corvette, Trax, Caprice PPV and Silverado 1500; Buick Encore; and GMC Sierra 1500, and
  • 2015-2017 model year Chevrolet Tahoe, Suburban and Silverado HD; GMC Yukon, Yukon XL and Sierra HD; and Cadillac Escalade and Escalade ESV.

Owners of those cars will be notified by the company, and the software update will be free of charge – they only need to visit a GM dealership.

As time-consuming as this might seem both for the vehicle owners and the dealerships, there must be a reason why the update can’t be performed over-the-air (i.e. remotely).

Maybe GM does not believe that, at the moment, they can assure the total security of this approach. Unfortunately, the come-in-the-dealership-and-we’ll-fix-it approach has its own problems, as many owners will ignore the recall, or simply won’t have the time to do it.

But, with the recall notification, GM has effectively put the onus of keeping themselves safe on the car owners.

This is not the first time that GM has had problems with airbags. In fact, in 2014 defective ignition switches in some of its cars resulted in the non-deployment of the airbags, and at least 13 individuals lost their lives due to it.

Help Net Security

Malware that slips past the Google Bouncer and becomes available via Google Play isn’t something new, but it still comes as a surprise that some malicious programs manage to infect millions through the official store before being caught.

Such is the case with two newly discovered malicious Android apps in the application marketplace, namely CallJam and DressCode. The former had between 100,000 and 500,000 installs at the time it was discovered, while the latter was found in 40 apps in Google Play, with some having between 100,000 and 500,000 installs. Overall, up to 2.5 million users might have downloaded these apps. 

CallJam is a piece of malware that includes a premium dialer to generate fraudulent phone calls, along with a rogue adnet designed to display ads to its victims. Hidden inside a game called Gems Chest for Clash Royale and available in Google Play since May, the malware might have infected nearly half a million devices, Check Point researchers say. Google was informed about the malware this week.

The malware was observed requesting permission from the user before starting to make premium calls. However, Check Point’s security researchers explain that most users usually grant those permissions willingly, some without reading or fully understanding information about the permissions they are granting.

The malware’s command and control (C&C) server provides the targeted premium phone number and information about the length of the call, and CallJam initiates a call using these parameters. The malicious program can also redirect victims to malicious websites and can display fraudulent ads on these websites instead of displaying them directly on the device, thus generating additional fraudulent revenue.

“Since it deceives the users as part of its activity, the game has been able to achieve a relatively high rating. Users are asked to rate the game before it initiates under the false pretense that they will receive additional game currency. This is another reminder that attackers can develop high-reputation apps and distribute them on official app stores, putting devices and sensitive data at risk,” researchers say.

The DressCode malware, however, is an entirely different story, starting with the fact that it creates a botnet of infected devices, most probably to generate ad clicks and false traffic. In addition to the 40 apps in Google Play that contain the malicious code, security researchers also discovered 400 other apps on third-party app stores.

The Google Play apps, some published in the storefront in April this year, had a combined user base of between 500,000 and 2 million when they were discovered. Google has removed some of these programs soon after being informed on the malware, Check Point reports.

As soon as it has been installed on a device, DressCode initiates communication with the C&C server, which was observed only ordering the malware to “sleep.” Most probably, the attackers were looking to build a larger botnet before putting it to malicious use by turning infected devices into SOCKS proxies and rerouting traffic through them.

DressCode, researchers say, is a piece of malware similar to Viking Horde, which was discovered earlier this year. The created botnet can be used for various purposes, even to infiltrate internal networks. “Since the malware allows the attacker to route communications through the victim’s device, the attacker can access any internal network to which the device belongs. This can compromise security for enterprises and organizations,” Check Point notes. The researchers published a video detailing how this can be done, along with a list of infected packages found on Google Play.


Ionut Arghire is an international correspondent for SecurityWeek.

SecurityWeek RSS Feed