Tag Archive for: detected

This sneaky Android malware has an all-new way to avoid being detected


Cybersecurity researchers have found a new version of a well-known Android banking trojan malware which sports quite a creative method of hiding in plain sight.

PixPirate mostly targets Brazilian consumers with accounts on the Pix instant payment platform, which reportedly has more than 140 million users and processes transactions worth more than $250 billion.

The campaign’s goal is to divert victims’ money to attacker-controlled accounts. Android banking trojans usually hide by changing their app icon and name, often impersonating the “Settings” app or something similar, so that victims look elsewhere or are simply too afraid to remove the app. PixPirate does away with all of that by not having a launcher icon in the first place.

Running the malware

The catch is that without an icon the victim cannot launch the trojan, so the attackers have to take care of that crucial step themselves.

The campaign consists of two apps: the dropper and the “droppee”. The dropper is distributed through third-party app stores, shady websites and social media channels, and its job is to deliver the final payload, the droppee, and to run it (after asking the victim for Accessibility and other permissions).

The droppee, the PixPirate payload itself, exports a service that other apps can bind to. The dropper binds to that service, which lets it start the trojan. Even after the dropper is removed, the malware keeps running on its own, restarted by system triggers such as boot completion, network connectivity changes and other system events.

The entire process, from harvesting user credentials to initiating the money transfer, is automated and runs in the background without the victim’s knowledge or consent. The only thing standing in the way, the researchers say, is the Accessibility Service permission, which the dropper asks the victim to grant.

It is also worth mentioning that this hiding technique only works on Android 9 (Pie) and earlier. From Android 10 on, the launcher shows an entry for an installed app even when it declares no launcher activity, so an icon-less app no longer stays invisible.
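The traits described above are all visible in an app’s manifest before it is ever run. The following static triage check is an added example, not code from the TechRadar article or from the researchers’ report: it flags an app that has no launcher icon, exposes a service any other app can bind to, declares an Accessibility Service, and registers for the boot or connectivity broadcasts that would restart it. It assumes the APK’s AndroidManifest.xml has already been decoded to text (for example with apktool); the manifest embedded below is constructed for the example.

```python
# Added example (not the article's or the researchers' code): static triage of a
# decoded AndroidManifest.xml for the "droppee" traits described in the article.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

AUTOSTART_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.USER_PRESENT",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed manifest of a droppee-style app: no MAIN/LAUNCHER activity, an
# exported service with no permission guard, and a receiver for boot and
# connectivity broadcasts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.droppee">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="">
    <service android:name=".RelayService" android:exported="true"/>
    <service android:name=".A11yService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Wake" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def filter_actions(elem):
    """All intent-filter action names declared under a component."""
    return {attr(a, "name") for f in elem.iter("intent-filter") for a in f.iter("action")}


def filter_categories(elem):
    return {attr(c, "name") for f in elem.iter("intent-filter") for c in f.iter("category")}


def has_launcher_activity(app):
    """True if any activity (or alias) would get an icon in the app drawer."""
    for tag in ("activity", "activity-alias"):
        for act in app.iter(tag):
            if ("android.intent.action.MAIN" in filter_actions(act)
                    and "android.intent.category.LAUNCHER" in filter_categories(act)):
                return True
    return False


def bindable_services(app):
    """Exported services with no android:permission guard: any app can bind."""
    out = []
    for svc in app.iter("service"):
        exported = attr(svc, "exported")
        # Before Android 12 a service with an intent-filter is exported by default.
        implicitly_exported = exported is None and svc.find("intent-filter") is not None
        if (exported == "true" or implicitly_exported) and attr(svc, "permission") is None:
            out.append(attr(svc, "name"))
    return out


def autostart_triggers(app):
    """System broadcasts that would start the app without user interaction."""
    triggers = set()
    for rcv in app.iter("receiver"):
        triggers |= filter_actions(rcv)
    return sorted(triggers & AUTOSTART_ACTIONS)


def declares_accessibility_service(app):
    return any(ACCESSIBILITY_ACTION in filter_actions(s) for s in app.iter("service"))


def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "no_launcher_icon": not has_launcher_activity(app),
        "bindable_services": bindable_services(app),
        "autostart_triggers": autostart_triggers(app),
        "accessibility_service": declares_accessibility_service(app),
    }
    # The combination the article describes: invisible, startable by another
    # app through its exported service, and self-restarting on system events.
    findings["hidden_droppee_pattern"] = (
        findings["no_launcher_icon"]
        and bool(findings["bindable_services"])
        and bool(findings["autostart_triggers"]))
    return findings


if __name__ == "__main__":
    for k, v in triage(SAMPLE_MANIFEST).items():
        print(f"{k}: {v}")
```

Run it against the manifest apktool writes out for a suspect APK. The check only reads the manifest, so it will miss a payload that registers receivers dynamically at runtime; it is a cheap first filter, not a verdict.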

Via BleepingComputer



Cybersecurity Warning: Threat Detected on ‘www.china.org.cn’


Internet Security Alert: Potential Threat on ‘www.china.org.cn’

Users visiting the website ‘www.china.org.cn’ have been met with a browser security warning. Such a warning means the browser could not verify the identity of the server it reached, which in turn means anything sent to it could be read by a third party. The crux of the issue is a mismatch between the hostname the user asked for and the hostname on the TLS certificate the server presented.

The Certificate Quandary

The certificate in question was issued by the intermediate CA GeoTrust TLS RSA CA G1 to a different name, ‘*.edgenext.com’, which does not cover the site users intended to visit. A name mismatch like this is most often a misconfiguration, for example a CDN or hosting edge that returns its own default certificate when the requested hostname is not configured on it, but it is also exactly what a man-in-the-middle attack looks like from the browser’s side: an unauthenticated connection could be intercepted and manipulated by whoever sits between the user and the intended website, so the browser is right to refuse it. The certificate is valid until March 30, 2024.

Certificate Transparency Logs Verification

The certificate also carries Signed Certificate Timestamps (SCTs) from the Certificate Transparency logs Google ‘Xenon2024’, DigiCert ‘Yeti2024’ and Cloudflare ‘Nimbus2024’, and those SCTs verify. That does not make the certificate valid for ‘www.china.org.cn’. Certificate Transparency exists so that every publicly trusted TLS certificate is recorded in an append-only log, letting domain owners and researchers detect fraudulent or misissued certificates after the fact; it attests that this certificate for ‘*.edgenext.com’ was publicly logged, and says nothing about whether the server presenting it is entitled to the hostname the user requested.
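The two checks behind the warning are mechanical, and it helps to see them spelled out. The following is an added example, not code from the article: it implements the hostname matching a browser applies to a certificate’s Subject Alternative Names (wildcards allowed only as the entire leftmost label, matching exactly one label) together with the validity-window check, and shows why ‘*.edgenext.com’ fails for ‘www.china.org.cn’. The SAN list, validity dates and clock value are constructed for the example; IP-address and internationalised names are out of scope.

```python
# Added example (not from the article): browser-style hostname matching against
# a certificate's SAN entries, plus the validity-window check.
from datetime import datetime, timezone


def name_matches(pattern, hostname):
    """Does a single SAN dNSName entry cover hostname?"""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False            # "*.edgenext.com" never covers "a.b.edgenext.com"
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False        # "*.com"-style wildcards are rejected
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False            # partial wildcards such as "f*.example.com" are not accepted
    return p_labels == h_labels


def check_certificate(hostname, san_names, not_before, not_after, now):
    """Mirror the checks behind the warning: name match and validity window.
    Returns (ok, reasons). SCTs are deliberately not an input: Certificate
    Transparency proves the certificate was publicly logged, not that it
    belongs to the hostname the user asked for."""
    reasons = []
    if not any(name_matches(n, hostname) for n in san_names):
        reasons.append(f"name mismatch: {hostname} not covered by {san_names}")
    if not (not_before <= now <= not_after):
        reasons.append(f"outside validity period {not_before:%Y-%m-%d}..{not_after:%Y-%m-%d}")
    return not reasons, reasons


# Constructed to resemble the situation in the article: a CDN's wildcard
# certificate presented for a hostname it does not list. Dates are assumed.
SAN_NAMES = ["*.edgenext.com", "edgenext.com"]
NOT_BEFORE = datetime(2023, 3, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2024, 3, 30, tzinfo=timezone.utc)
CLOCK_VALID = datetime(2024, 1, 15, tzinfo=timezone.utc)
CLOCK_AFTER_EXPIRY = datetime(2024, 4, 1, tzinfo=timezone.utc)


def demo(hostname, now=CLOCK_VALID):
    return check_certificate(hostname, SAN_NAMES, NOT_BEFORE, NOT_AFTER, now)


if __name__ == "__main__":
    for host in ("www.china.org.cn", "cdn.edgenext.com", "a.b.edgenext.com"):
        ok, reasons = demo(host)
        print(host, "OK" if ok else "REJECT", reasons)
    print("after expiry:", demo("cdn.edgenext.com", now=CLOCK_AFTER_EXPIRY))
```

To feed it a live certificate, pull the SAN list and dates with `openssl s_client -servername www.china.org.cn -connect www.china.org.cn:443 </dev/null | openssl x509 -noout -ext subjectAltName -dates`; the `-servername` option matters, because a CDN edge that ignores or does not recognise the SNI hostname is a common cause of exactly this kind of mismatch.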

Caution Advised for Internet Users

Given the potential threat, users should exercise caution when accessing ‘www.china.org.cn’. Until the issue is resolved, do not click through the warning, and do not enter any personal or sensitive information on the site. The warning itself is the control working as designed: a name-mismatch error means the connection was never authenticated, and the safe response is to treat the page as untrusted.


Hackers spent 2+ years looting secrets of chipmaker NXP before being detected



A prolific espionage hacking group with ties to China spent over two years looting the corporate network of NXP, the Netherlands-based chipmaker whose silicon powers security-sensitive components found in smartphones, smartcards, and electric vehicles, a news outlet has reported.

The intrusion, by a group tracked under names including “Chimera” and “G0114,” lasted from late 2017 to the beginning of 2020, according to Netherlands national news outlet NRC Handelsblad, which cited “several sources” familiar with the incident. During that time, the threat actors periodically accessed employee mailboxes and network drives in search of chip designs and other NXP intellectual property. The breach wasn’t uncovered until Chimera intruders were detected in a separate company network that connected to compromised NXP systems on several occasions. Details of the breach remained a closely guarded secret until now.

No material damage

NRC cited a report published (and later deleted) by security firm Fox-IT, titled Abusing Cloud Services to Fly Under the Radar. It documented Chimera using cloud services from companies including Microsoft and Dropbox to receive data stolen from the networks of semiconductor makers, including one in Europe that was hit in “early Q4 2017.” Some of the intrusions lasted as long as three years before coming to light. NRC said the unidentified victim was NXP.

“Once nested on a first computer—patient zero—the spies gradually expand their access rights, erase their tracks in between and secretly sneak to the protected parts of the network,” NRC reporters wrote in an English translation. “They try to secrete the sensitive data they find there in encrypted archive files via cloud storage services such as Microsoft OneDrive. According to the log files that Fox-IT finds, the hackers come every few weeks to see whether interesting new data can be found at NXP and whether more user accounts and parts of the network can be hacked.”
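The behaviour in that quote, bulk uploads of encrypted archives to consumer cloud storage at a slow, regular cadence, is something a web proxy log can surface. The following detection is an added example, not code from the NRC reporting or from Fox-IT’s report: it totals POST/PUT bytes per client, per cloud-storage host, per day, flags totals over a threshold, notes whether archive content types were involved, and reports the gap in days between a client’s flagged days. The log lines and their field order (timestamp, client, method, host, bytes sent, content type) are constructed for the example; the host list and threshold are assumptions to be tuned to the environment.

```python
# Added example (not from the article or the Fox-IT report): spotting bulk,
# recurring uploads to cloud storage in constructed web-proxy log lines.
from collections import defaultdict
from datetime import date

# Assumed list of consumer cloud-storage API hosts; extend for the environment.
CLOUD_STORAGE_HOSTS = {
    "onedrive.live.com", "api.onedrive.com", "graph.microsoft.com",
    "content.dropboxapi.com", "api.dropboxapi.com", "www.dropbox.com",
}
ARCHIVE_TYPES = {
    "application/zip", "application/x-7z-compressed",
    "application/x-rar-compressed", "application/octet-stream",
}
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024   # per client, per cloud host, per day (assumed)

# Constructed log: "timestamp client method host bytes_sent content_type".
SAMPLE_LOG = """\
2017-11-03T01:12:09Z 10.0.5.17 POST content.dropboxapi.com 31457280 application/zip
2017-11-03T01:14:41Z 10.0.5.17 POST content.dropboxapi.com 31457280 application/zip
2017-11-03T01:17:03Z 10.0.5.17 POST content.dropboxapi.com 31457280 application/zip
2017-11-03T09:30:00Z 10.0.5.22 PUT  graph.microsoft.com 2097152 application/pdf
2017-11-03T09:31:00Z 10.0.5.22 GET  graph.microsoft.com 0 -
2017-11-03T10:02:00Z 10.0.5.31 POST files.slack.com 83886080 application/zip
2017-11-24T02:05:55Z 10.0.5.17 POST content.dropboxapi.com 62914560 application/x-7z-compressed
"""


def parse(line):
    ts, client, method, host, sent, ctype = line.split()
    return {"day": ts[:10], "client": client, "method": method.upper(),
            "host": host.lower(), "bytes": int(sent), "ctype": ctype.lower()}


def find_bulk_uploads(lines, threshold=UPLOAD_THRESHOLD_BYTES):
    """Alerts for (client, cloud host, day) whose uploaded bytes reach threshold."""
    totals = defaultdict(int)
    saw_archive = defaultdict(bool)
    for line in lines:
        if not line.strip():
            continue
        r = parse(line)
        if r["method"] not in ("POST", "PUT") or r["host"] not in CLOUD_STORAGE_HOSTS:
            continue
        key = (r["client"], r["host"], r["day"])
        totals[key] += r["bytes"]
        saw_archive[key] |= r["ctype"] in ARCHIVE_TYPES
    alerts = []
    for key, total in sorted(totals.items()):
        if total >= threshold:
            client, host, day = key
            alerts.append({"client": client, "host": host, "day": day,
                           "bytes": total, "archive_upload": saw_archive[key]})
    return alerts


def recurrence(alerts):
    """Days between a client's successive flagged days: a long, regular gap is
    the "come back every few weeks" cadence described in the quote."""
    days = defaultdict(set)
    for a in alerts:
        days[a["client"]].add(date.fromisoformat(a["day"]))
    out = {}
    for client, ds in days.items():
        ordered = sorted(ds)
        out[client] = [(later - earlier).days for earlier, later in zip(ordered, ordered[1:])]
    return out


if __name__ == "__main__":
    found = find_bulk_uploads(SAMPLE_LOG.splitlines())
    for a in found:
        print(a)
    print("gaps between flagged days:", recurrence(found))
```

The threshold is per host per day on purpose: an actor that trickles a few megabytes at a time across many days would not trip it, so a longer-window sum per client is the natural second query. Note also that the large upload to files.slack.com is ignored only because that host is not in the list; the list, not the logic, is what decides coverage.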

NXP did not…


Dangerous permissions detected in top Android health apps


Leading Android health applications expose users to avoidable threats such as surveillance and identity theft because of the risky permissions they request. Cybernews has the story.

The Android challenge

Mobile applications have become an integral part of our lives, transforming the way we communicate, work and entertain ourselves. With so many apps available, it is easy to overlook the risks they may pose. Behind the sleek interfaces and promised functionality lies a concern that has the attention of security researchers and users alike: dangerous Android app permissions.

Android, being the most widely used mobile operating system globally, offers developers great flexibility to create innovative and powerful applications. However, this flexibility also introduces a crucial challenge – maintaining a balance between user convenience and safeguarding sensitive data and privacy.

Our researchers looked at 50 popular health apps, covering fitness, sleep tracking, meditation, mental health, quitting smoking, blood-sugar measurement and medication reminders, among other purposes, and examined the permissions each one requests.

Android health apps with dangerous permissions

Android permissions

The Android operating system has a comprehensive permission system designed to protect a user’s privacy and security. Many permissions are essential for apps to function properly, but Android itself classes some of them as “dangerous” (runtime) permissions because they grant access to sensitive data and functionality that, if misused, could compromise user privacy and security. These are the ones the user must approve in a prompt rather than at install time.

Here are some of the most dangerous Android app permissions:

  • Location Access: This permission allows apps to track the user’s precise location using GPS and network information. While some apps genuinely need this permission for features like maps and location-based services, malicious apps could misuse this data for stalking, surveillance or targeted advertising.
  • Camera and Microphone Access: Granting an app access to the device’s camera and microphone poses significant privacy risks. Malicious apps with these permissions could spy on users, capture sensitive information, or record audio and video without consent.
  • SMS and Call Log Access:
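The permissions in the list above map to concrete entries in an app’s manifest, and checking them against what an app’s purpose actually justifies is a short script. The following audit is an added example, not code from the Cybernews article: it reads the `uses-permission` entries from a decoded AndroidManifest.xml, groups the dangerous ones under the categories used above (location, camera, microphone, SMS, call log and a few related ones), and lists those outside an expected set supplied by the reviewer. The permission table, the target SDK level and the manifest below are constructed for the example.

```python
# Added example (not from the article): audit the dangerous permissions a
# decoded AndroidManifest.xml requests against what the app's purpose justifies.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions grouped under the article's categories.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.WRITE_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.BODY_SENSORS": "sensors",
    "android.permission.ACTIVITY_RECOGNITION": "sensors",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
}

# Constructed manifest of a meditation app that asks for far more than it needs.
# The CAMERA request is capped with maxSdkVersion, so modern devices never see it.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.meditation">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA" android:maxSdkVersion="22"/>
  <application/>
</manifest>"""


def requested_permissions(manifest_xml, sdk=33):
    """Permissions in force on a device running API level `sdk` (assumed 33):
    entries whose android:maxSdkVersion is below it are not requested there."""
    root = ET.fromstring(manifest_xml)
    perms = []
    for p in root.iter("uses-permission"):
        max_sdk = p.get(f"{{{ANDROID_NS}}}maxSdkVersion")
        if max_sdk is not None and int(max_sdk) < sdk:
            continue
        perms.append(p.get(f"{{{ANDROID_NS}}}name"))
    return sorted(perms)


def audit(manifest_xml, expected=frozenset(), sdk=33):
    """Group requested dangerous permissions by category and list those outside
    `expected`, the set the app's stated purpose justifies."""
    by_category = {}
    for perm in requested_permissions(manifest_xml, sdk):
        cat = DANGEROUS.get(perm)
        if cat:
            by_category.setdefault(cat, []).append(perm)
    unexpected = sorted(p for ps in by_category.values() for p in ps if p not in expected)
    return {"by_category": by_category, "unexpected": unexpected}


if __name__ == "__main__":
    # A meditation app with voice journaling can justify the microphone, nothing else.
    result = audit(SAMPLE_MANIFEST, expected={"android.permission.RECORD_AUDIO"})
    for cat, perms in result["by_category"].items():
        print(f"{cat}: {perms}")
    print("unexpected:", result["unexpected"])
```

The `expected` set is where the judgement lives: a step counter can justify ACTIVITY_RECOGNITION, a heart-rate app BODY_SENSORS, and almost no health app can justify SMS or call-log access. Declared permissions are also only half the picture; whether the app actually exercises them is a dynamic question the manifest cannot answer.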
