The AN0M fake secure chat app may have been too clever for its own good • The Register


Comment In April 1943, Japanese admiral Isoroku Yamamoto was killed when the US Air Force shot down the plane carrying him to Balalae Airfield in the Solomon Islands.

The attack was made possible by the USA cracking Japanese codes and decrypting a message that revealed Yamamoto’s flight plan would take him just within range of America’s scarce long-range aircraft.

The chances of those aircraft happening upon Yamamoto were very small, so US strategists worried Japanese analysts might conclude an attack was only possible if their codes had been broken.

The US chose to kill Yamamoto because he was felt to be so important to the war effort that risking the loss of decrypted intelligence was worth it. But on other occasions in World War II, troops were sent into harm’s way to protect intelligence sources.

Which brings me to last week’s news that Australian and US law enforcement agencies seeded a backdoored encrypted chat app named AN0M into the criminal underworld, then intercepted word of a great many crimes and swooped to arrest those responsible.

Late last week, FBI International Operations Division legal attaché for Australia Anthony Russo added another important piece of information: speaking to Australian newspapers he said one reason for discontinuing use of AN0M was that it produced too much intelligence.

“The volume [of content] was increasing at a scale and our ability to resource it and monitoring it really wasn’t scalable commensurate to the growth,” he reportedly said.

Russo said authorities therefore decided enough was enough, so they revealed AN0M’s existence. We also noted that, in March, someone poking around in the software’s code spotted what looked like a backdoor and raised the alarm in a later-deleted blog post.

I’d been thinking about the Yamamoto story since news of AN0M’s existence was revealed….


Fake Microsoft and Spotify Ads Lead to Ficker Malware


People tend to be less guarded when they’re dealing with something familiar. Digital attackers know this, which explains why they set up malware behind ads pretending to be for Microsoft Store products and Spotify.

Bleeping Computer learned from ESET that the attackers were using malicious advertisements as part of their attack chain. Once clicked, those ads sent users to the Spotify or Microsoft Store scam websites harboring samples of the Ficker stealer family.

Read on to learn how these websites enticed visitors to infect themselves with malware.

Want a Legit App? Well, Here’s Some Malware Instead…

The attackers used malicious ads to lure in users with promotions for real apps.

Security researchers spotted one ad promoting an online chess app, for example. When clicked, the ad sent users to a fake Microsoft Store page. Clicking on the ‘Download Free’ button retrieved a malware payload disguised as coming from an Amazon AWS server.

Some of the other malicious ads directed users to a landing page offering a free bundle of Spotify Music and YouTube Premium for 90 days. No such bundle existed as of this writing.

The website then instructed visitors to click on a ‘Download Free App (1 MB)’ button. It’s worth noting that no music player is that small: at the time, the real Spotify mobile and desktop apps were at least 150 MB.

Both of those apps downloaded Ficker onto a victim’s device. This malware is capable of stealing users’ passwords, taking screenshots of their computers and lifting documents.

Other Recent Attacks Involving Ficker

Malware analysts took to Twitter to expose Ficker in October 2020. At that time, they observed the malware developer renting out Ficker on Russian-speaking cracker forums.

In the months that followed, researchers learned more about how the digital threat works and observed the malware in action. One of the first eureka moments came from Minerva in early March, when its researchers witnessed Ficker download the Kronos RAT in a lab setting.

A few weeks later, Infoblox detected a malspam campaign that used DocuSign-themed lures to install the Hancitor Trojan…


Fake Versions Of Popular Apps Used To Spread Malware On Android


According to Bitdefender, a cybersecurity company, fake versions of popular apps were used to spread malware on Android. Criminals actually spread most of their malware through sideloading.

As most of you know, Android allows you to sideload apps; you don’t have to install them via the Play Store. That is the opposite of Apple’s approach, and many would say it is one of Android’s biggest strengths. Well, it turns out that’s a weakness too, if you’re not careful.

Fake apps have been spreading malware, masking themselves as popular applications

TeaBot and Flubot are the newest trojans, spotted early this year. Bitdefender spotted a batch of new malicious Android applications that impersonate real ones, usually rather popular apps.

The company found five such apps containing the TeaBot trojan, and at least one of the apps they impersonate has been installed over 50 million times. The malware also spreads through fake ad blocker apps.

Those apps ask for permission to display over other apps, show notifications, and install apps from outside the Play Store. Once granted, the icons for such apps remain hidden from the app drawer.

TeaBot can do some serious damage, so be extra careful. It can “overlay attacks via Android Accessibility Services, intercept messages, perform various keylogging activities, steal Google Authentication codes, and even take full remote control of Android devices.”

On the flip side is Flubot. This malware is spread through SMS spam. Flubot steals banking, contact, SMS, and other types of private data from infected devices. It can also send SMS messages with content provided by its command-and-control (CnC) server.

Stick to the Google Play Store when installing apps, or be extra careful

Flubot usually imitates shipping apps like DHL Express Mobile, FedEx, and Correos. Bitdefender suggests that you stick to the Play Store when installing apps in order to avoid such problems.

If you take a look at the image / table below, you’ll see a comparison between fake and real apps. Some of the examples include PlutoTV, Kaspersky Antivirus, and VLC.

[Image: TeaBot malware, fake and real apps]


Hackers using fake streaming site to distribute BazaLoader dropper

Security researchers at Proofpoint have uncovered a new phishing campaign in which hackers lure unsuspecting Internet users into downloading the BazaLoader malware dropper by making them believe they erroneously subscribed to a movie streaming service.

The phishing campaign, first discovered in early May by Proofpoint, involved hackers setting up a fake movie-streaming website called BravoMovies and populating the site with fake movie posters and additional content to make it appear genuine to unsuspecting visitors.

The hackers then proceeded to send carefully crafted emails to hundreds of recipients, informing them that they had subscribed to BravoMovies, that they were on a 30-day free trial, and that they would be charged $39.99 a month after the end of the trial period. The recipients were, however, given the option to unsubscribe by calling a customer service number. The emails themselves did not contain any malicious attachments.

Once a curious recipient of the email calls the customer service number, they are directed by the fraudsters to navigate to the Frequently Asked Questions section of the website, follow the instructions to unsubscribe via the “Subscribtion” page, and download an Excel sheet to complete the process. According to Proofpoint, the Excel sheet contains macros that, if enabled, download BazaLoader, a downloader written in C++ that is used to fetch and execute additional modules.

“BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot,” the security firm said in a blog post.

“Proofpoint has observed BazarLoader threat actors using the method of phone-based customer service representatives to direct malicious downloads since February 2021. Security researchers have dubbed this method…