
Hackers figure out your computer’s location via malware Whiffy Recon


Hackers can accurately determine your location with the new malware Whiffy Recon. The data can potentially be used as leverage to pressure victims into complying with the hackers’ demands.

The new malware Whiffy Recon determines the location of an infected computer. Researchers from Secureworks first encountered the malware in the Smoke Loader botnet.

Malware for botnets

The malware was developed for computers that are already infected. The set of devices infected by the same malware family is also called a botnet. As a user, you have no way to find out whether devices in your possession are part of such a botnet.

Authorities recently succeeded in destroying the largest global botnet, ‘Qakbot’. As a result of this operation, about 700,000 computers are no longer vulnerable to the new malware Whiffy Recon.

The malware can still do damage through other botnets, however, and it already appears to be doing so through Smoke Loader. With this malware, the initial infection happens through a phishing message containing a malicious zip file.

Google Geolocation API helps

The malware currently targets only Windows devices. The operating system includes the Wireless AutoConfig Service (WLANSVC), which hackers can abuse to connect to the nearest routers via Wi-Fi. WLANSVC is used to verify whether the infected device has a Wi-Fi connection. Once that is confirmed, the malware scans for Wi-Fi routers every minute.

With the data obtained from the scan, the hackers can find out the exact location of the infected device. To do this, they upload the data to the Google Geolocation API. This service accurately determines the location from a combination of Wi-Fi access points and cell towers.
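For defenders, the behaviour described above (a scan every minute, with the results uploaded to the Google Geolocation API) shows up as a steady 60-second rhythm of POST requests from a single host. The following Python code is an added example, not part of the original article or the Secureworks research; the proxy log format, host names and thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev
from urllib.parse import urlsplit

# Public endpoint of the Google Geolocation API.
GEO_HOST, GEO_PATH = "www.googleapis.com", "/geolocation/v1/geolocate"

# Constructed sample from a TLS-inspecting proxy (assumed format):
# ISO timestamp, client host, HTTP method, URL
SAMPLE_LOG = """\
2024-01-15T09:00:02 WS-0142 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2024-01-15T09:00:40 WS-0207 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2024-01-15T09:01:03 WS-0142 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2024-01-15T09:01:30 WS-0311 GET https://www.googleapis.com/discovery/v1/apis
2024-01-15T09:02:02 WS-0142 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2024-01-15T09:03:04 WS-0142 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2024-01-15T09:04:03 WS-0142 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2024-01-15T09:05:03 WS-0142 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2024-01-15T09:17:12 WS-0207 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2024-01-15T09:48:55 WS-0207 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
"""

def find_beacons(log_text, period=60, tolerance=5, min_events=5):
    """Return {host: (request_count, median_gap_seconds)} for hosts whose
    geolocation POSTs recur at roughly `period` seconds with low jitter."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, method, url = line.split()
        parts = urlsplit(url)
        if method == "POST" and parts.hostname == GEO_HOST and parts.path == GEO_PATH:
            hits[host].append(datetime.fromisoformat(ts))
    flagged = {}
    for host, times in hits.items():
        if len(times) < max(min_events, 2):
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A regular interval near `period` with little spread suggests an
        # automated scanner rather than a user-driven location lookup.
        if abs(median(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            flagged[host] = (len(times), median(gaps))
    return flagged

if __name__ == "__main__":
    for host, (count, gap) in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: {count} geolocation POSTs, median gap {gap:.0f}s")
```

Legitimate software also calls this API, so a flagged host is a lead for triage (which process made the requests, and whether the device is a laptop that moves between sites), not a verdict.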

Threat and entry search

By repeating the scan every minute, the malware acts as a tracker. Moving an infected work device from the office to home, for example, will give hackers your work and home address if the device connects to a Wi-Fi router in both places.

“Demonstrating access to geolocation information can be used to intimidate victims or pressure them to comply with demands,” the researchers state. A threat message from a hacker is indeed much more intimidating if it appears…
