Android dropper app infects 45K devices in past 6 months

Symantec has observed a surge in detections for a malicious Android application that can hide itself from users, download additional malicious apps, and display advertisements. The app, called Xhelper, is persistent. It is able reinstall itself after users uninstall it and is designed to stay hidden by not appearing on the system’s launcher. Symantec said that the app has infected over 45,000 devices in the past six months. Users have been posing about Xhelper on online forums, complaining about random pop-up advertisements and how the malware keeps showing up even after they have manually uninstalled it. Xhelper does not provide a regular user interface. The malware is an application component, meaning it won’t be listed in the device’s application launcher. This makes it easier for the malware to perform its malicious activities undercover. Xhelper can’t be launched manually since there is no app icon visible on the launcher. Instead, the malicious app is launched by external events, such as when the compromised device is connected to or disconnected from a power supply, the device is rebooted, or an app is installed or uninstalled. Once launched, the malware will register itself as a foreground service, lowering its chances of being killed when memory is low. For persistence, the malware restarts its service if it is stopped; a common tactic used by mobile malware. Once Xhelper gains a foothold on the victim’s device, it begins executing its core malicious functionality by decrypting to memory the malicious payload embedded in its package. The malicious payload then connects to the attacker’s command and control (C&C) server and waits for commands. To prevent this communication from being intercepted, SSL certificate pinning is used for all communication between the victim’s device and the C&C server.

 

Dtrack spy tool targeting financial institutions

Researchers from Kaspersky discovered the Dtrack spy tool when they were analyzing the ATMDtrack malware that was targeting Indian banks. The initially discovered Dtrack samples were observed to be dropped ones, because the real payloads were encrypted with various droppers. On decrypting the final payload, several similarities with the DarkSeoul campaign emerged. This led to the campaign being associated with the Lazarus group. Researchers believe that a part of the old code was reused in the attacks against Indian financial sectors. Early September 2019 witnessed the last detected activity of the Dtrack RAT. The dropper has an encrypted payload embedded as an overlay of a PE file. The overlay data, when decrypted, contains an extra executable, process hollowing shellcode, and a list of predefined executable names. The malicious code is embedded into a binary that is a harmless executable such as the Visual Studio MFC project. The droppers were found to be containing several executables for spying purposes. A few payload executables were found to be capable of keylogging, listing running processes, listing files on all disk volumes, harvesting details about available networks and active connections, stealing host IP addresses, and keylogging. Some executables box the collected data into an archive that is password-protected and save it to the disk. Other executables send the data to their command-and-control server directly. “Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc,” said the researchers.

 

Ex-Yahoo engineer hacked accounts seeking pornography

A former Yahoo software engineer has pleaded guilty to charges of illegally accessing user accounts. Reyes Daniel Ruiz admitted he had "hacked" about 6,000 accounts, seeking sexual images and videos. The US Department of Justice said Ruiz had "cracked" user passwords and accessed internal Yahoo systems while hunting for pornography. Ruiz also used access to Yahoo accounts to target other online services users had signed up for. In a statement, the DoJ said the access Ruiz had attained to Yahoo user data had helped him "compromise" Apple iCloud, Facebook, GMail, Dropbox and other online accounts. And he had used his access to the accounts to reset passwords so he could access the other systems. Ruiz had targeted friends, co-workers and many young women during his hacking campaign, the DoJ said. He had copied many of the images and videos he had found and kept the material at his home and soon after Yahoo discovered his activities, in 2018, Ruiz had destroyed the computer and hard drives on which the stolen data had been stored. Ruiz was charged in April this year and has now signed an agreement with the DoJ which will see him pleading guilty to one count of computer intrusion. He is due to be sentenced in February 2020. The maximum jail term for computer intrusion is five years plus a fine of $250,000 (£203,000) and damages.

 

ICO calls for live facial recognition code of practice to stop police turning the UK into Xinjiang

The Information Commissioner has called for a new code of practice to control police use of live facial recognition. It follows an investigation into trials conducted by South Wales Police and the Metropolitan Police that, the ICO claims, "raises serious concerns". Information Commissioner Elizabeth Denham has been so vexed by the issue that she has published her first Commissioner's Opinion to help police understand the law around data protection. Live facial recognition is a step-change in policing techniques; never before have we seen technologies with the potential for such widespread invasiveness. "The results of that investigation raise serious concerns about the use of a technology that relies on huge amounts of sensitive personal information," wrote Information Commissioner Elizabeth Denham. She argues that the absence of a statutory code specifically addressing the use of live facial recognition, and the legal and moral challenges it entails, will end-up undermining public confidence. The proposed code will "give the police and the public enough knowledge as to when and how the police can use live facial recognition systems in public spaces", Denham wrote, adding that the ICO will now work with the Home Office, the Investigatory Powers Commissioner, the Biometrics Commissioner, the Surveillance Camera Commissioner and policing bodies on the new code.

 

Firefox scraps extension sideloading over malware fears

Support for sideloaded extensions in the Firefox browser will be discontinued from next year following concerns that the function could be exploited to install malware onto devices. Sideloading is a method of installing a browser extension that adds the file to a specific location on a user's machine through an executable application installer. These are different from conventional add-ons, which are assigned to profiles, and are also available to download outside official Firefox channels. From 11 February 2020, the Firefox browser will continue to read sideloaded files, but will copy these over to a user's individual profile and install them as regular add-ons. Then from 10 March, sideloaded extensions will be phased out entirely. Mozilla argues that for some users it's difficult to remove sideloaded extensions completely, as these cannot be fully removed from Firefox's Add-ons Manager. This has also proved a popular method of installing malware, the firm said.

 

Edited and compiled by cyber security specialist James Aguilan.