Showing posts with label Malware. Show all posts

Thursday, October 13, 2016

Hackers are spreading Malware through Fake Security Tools


Over the past few years, Internet users worldwide have become increasingly aware of online privacy and security issues due to mass monitoring and surveillance by government agencies, leading them to adopt encryption software and services.

But it turns out that hackers are taking advantage of this by creating and distributing fake versions of encryption tools in order to infect as many victims as possible.


Kaspersky Lab has revealed an advanced persistent threat (APT) group, nicknamed StrongPity, which has put a lot of effort into targeting users of software designed for encrypting data and communications.

The StrongPity APT group has been using watering-hole attacks, infected installers, and malware for many years to target users of encryption software by compromising legitimate sites or setting up their own malicious copycat sites.


Watering hole attacks are designed to lure specific groups of users to their interest-based sites that typically house malicious files or redirect them to attacker-controlled downloads.


The StrongPity APT group has managed to infect users in Europe, Northern Africa, and the Middle East and targeted two free encryption utilities in different attacks: WinRAR and TrueCrypt.


WinRAR and TrueCrypt have long been popular with security- and privacy-conscious users. WinRAR is best known for its archiving capabilities, which include encrypting files with AES-256, while TrueCrypt is a full-disk encryption utility that locks all files on a hard drive.

By setting up fake distribution sites that closely mimic the legitimate download sites, StrongPity tricks users into downloading malicious versions of these encryption apps, in the hope that users encrypt their data with a trojanized WinRAR or TrueCrypt, which gives the attackers access to the data before it is ever encrypted.

"The problem with people depending on tools like this isn’t the strength of the crypto, but more about how it's distributed," says Kurt Baumgartner, principal security researcher at Kaspersky Lab. "This is that problem that StrongPity is taking advantage of."

Booby-Trapped WinRAR and TrueCrypt Downloads:


The APT group previously set up TrueCrypt-themed watering holes in late 2015, but its malicious activity surged at the end of summer 2016.


Between July and September, dozens of visitors were redirected from tamindir[.]com to true-crypt[.]com, with, unsurprisingly, almost all of the focus on computer systems in Turkey and some victims in the Netherlands.


In the WinRAR case, however, instead of redirecting victims to a website controlled by StrongPity, the group hijacked the legitimate winrar.it website to host a malicious version of the file itself.


The winrar.it website infected users mostly in Italy, with some victims in countries like Belgium, Algeria, Tunisia, France, Morocco and Cote D'Ivoire, while the attacker-controlled site, winrar.be, infected users in Belgium, Algeria, Morocco, the Netherlands, and Canada.

Top Countries infected with StrongPity APT malware:


According to Kaspersky, more than 1,000 systems were infected with StrongPity malware this year. The top five countries affected by the group are Italy, Turkey, Belgium, Algeria and France.


The StrongPity APT's dropper malware was signed with "unusual digital certificates," but the group didn't re-use its fake digital certificates. Its downloaded components include a backdoor, keyloggers, data stealers and other crypto-related software programs, including the PuTTY SSH client, the FileZilla FTP client, the WinSCP secure file transfer program and remote desktop clients.


The dropper malware not only provides the hackers control of the system, but also allows them to steal disk contents and download other malware that would steal communication and contact information.


Therefore, users visiting sites and downloading encryption-enabled software are advised to verify both the validity of the distribution website as well as the integrity of the downloaded file itself.


Download sites that do not use PGP or a strong digital code-signing certificate should re-examine the necessity of doing so, for their own benefit as well as that of their customers, explained Baumgartner.

Thursday, July 21, 2016

Google Imposes Strictly Enforced Verified Boot in Android 7.0 Nougat



As far as security is concerned, Google is going very strict with the newest version of its mobile operating system.



Until now, Google has not done more than just alerting you of the potential threats when your Android device runs the check as part of the boot process.


Android Marshmallow 6.0 does nothing more than just warning you that your device has been compromised, though it continues to let your device boot up.


1. Android Nougat 7.0 Getting Strictly Enforced 'Verified Boot'


In Android Nougat, Google has taken the security of its Android operating system to the next level by strictly enforcing verified boot on devices.

Among multiple layers of security protection, Android has used verified boot since Android 4.4 KitKat; it improves device security by using cryptographic integrity checking to detect whether your device has been tampered with.



Now, Android Nougat will strictly enforce the boot check, giving you far more than just a warning.



2. Android 7.0 Verified Boot Protects Device from Rootkits and Malware


Enforcing verified boot on a device is a good idea.



If any Android malware or rootkit makes its way onto your Android device and makes deep system changes to critical kernel files, your device will either start in a limited-use mode (presumably similar to safe mode) or refuse to start at all, protecting your data.

In addition to strict verified boot, Android Nougat also features forward error correction that is capable of repairing some errors on devices without any user input.



And, of course, Nexus devices will be the first to get these features.



This will prevent your Android device from becoming a playground for malware and viruses, at least after you restart it.

That sounds really great. Right?



3. If Modified, Corrupt or Tampered, It won't let your phone Boot



For most users the strict verified boot would be helpful, however, for some, it's bad news.

According to Google, some non-malicious data corruption could cause Android devices to fail to boot, because the verified boot process runs into issues that it cannot correct.

This data corruption could be the result of some software flaws or hardware issues.

Here's what the Android Developer blog explains: "This means that a device with a corrupt boot image or verified partition will not boot or will boot in a limited capacity with user consent. Such strict checking, though, means that non-malicious data corruption, which previously would be less visible, could now start affecting process functionality more."

Corrupted data is not always malicious, yet even a single-byte error could prevent the device from booting.

However, Android Nougat brings additional code designed to protect against data corruption.

"In the changes we made to dm-verity for Android 7.0, we used a technique called interleaving to allow us to recover not only from a loss of an entire 4 KiB source block," reads the blog, "but several consecutive blocks, while significantly reducing the space overhead required to achieve usable error correction capabilities compared to the naive implementation."
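To make the integrity check concrete, here is an added example (not Android's or Google's code) of a toy dm-verity style hash tree. The partition image is split into the 4 KiB blocks quoted above, each block is hashed, and the hashes are combined level by level until one root remains; verified boot trusts only that root, so every block read is recomputed up to the root before it is accepted. The sample image and the flipped byte are constructed; the error-correcting interleaving Google describes is not modelled here.

```python
# Added example (not Android's or Google's code): a toy dm-verity style hash
# tree over 4 KiB blocks, showing why a single flipped byte fails verified boot.
import hashlib

BLOCK_SIZE = 4096  # dm-verity's data block size, as quoted in the post


def chunk_blocks(data: bytes) -> list:
    """Split a partition image into 4 KiB blocks, zero-padding the last one."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if blocks and len(blocks[-1]) < BLOCK_SIZE:
        blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\x00")
    return blocks


def build_hash_tree(data: bytes) -> list:
    """Return the tree as levels: levels[0] are the leaf (block) hashes,
    levels[-1] is the single root hash that verified boot trusts."""
    level = [hashlib.sha256(block).digest() for block in chunk_blocks(data)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:              # odd count: pair the last node with itself
            level = level + [level[-1]]
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def verify_block(block: bytes, index: int, levels: list, trusted_root: bytes) -> bool:
    """Recompute the path from one block up to the root using the stored
    sibling hashes and compare with the trusted root (what dm-verity does on
    every read of a block)."""
    h = hashlib.sha256(block.ljust(BLOCK_SIZE, b"\x00")).digest()
    for level in levels[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else level[index]  # self-paired node
        left, right = (h, sibling) if index % 2 == 0 else (sibling, h)
        h = hashlib.sha256(left + right).digest()
        index //= 2
    return h == trusted_root


def find_corrupt_blocks(data: bytes, levels: list, trusted_root: bytes) -> list:
    """Indexes of blocks that would fail verification, i.e. stop the boot."""
    return [i for i, block in enumerate(chunk_blocks(data))
            if not verify_block(block, i, levels, trusted_root)]


if __name__ == "__main__":
    # Constructed sample: a 10 KiB "partition" (3 blocks), then one byte flipped.
    image = bytes(range(256)) * 40
    tree = build_hash_tree(image)
    root = tree[-1][0]
    print("clean image, failing blocks:", find_corrupt_blocks(image, tree, root))
    damaged = bytearray(image)
    damaged[5000] ^= 0x01
    print("one flipped byte, failing blocks:", find_corrupt_blocks(bytes(damaged), tree, root))
```

Flipping one bit in the second block changes that block's leaf hash, hence every hash on the path to the root, so the block is rejected while the other two still verify. That is the behaviour the post is describing: a non-malicious one-byte error is indistinguishable from tampering at this layer, which is why Nougat adds error correction on top.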

4. Verified Boot Has Made It Harder to Root Android 7.0 Nougat



As I said, data corruption is not always due to malicious causes.

Strictly enforcing verified boot could also make it tougher for you to tweak your Android operating system (especially with a locked bootloader) using custom ROMs, mods, and kernels.



Since this involves circumventing the locked bootloader, the verified boot process will detect any changes, making it harder for users to play with their devices once Nougat rolls around.


The bottom line:

Enforcing strict verified boot in Android Nougat is a good idea, because most users root their devices with custom firmware but forget to take important security measures, which leaves their devices open to malicious software and rootkits.



What do you think of the additional security Google provides to the boot process in Android Nougat?



Let us know your views in the comments below!

Tuesday, July 12, 2016

Beware! It Could Be Malicious to Download the Pokémon Go Game for Android



"Pokémon Go" has become the hottest iPhone and Android game to hit the market in forever with enormous popularity and massive social impact. The app has taken the world by storm since its launch this week.


Nintendo's new location-based augmented reality game allows players to catch Pokémon in real life using their device's camera, and is currently only officially available in the United States, New Zealand, the UK and Australia.



On average, users are spending twice as much time engaged with the new Pokémon Go app as with apps like Snapchat. In fact, Pokémon Go is experiencing massive server overload just a few days after launch.


Due to the huge interest surrounding Pokémon Go, many gaming and tutorial websites have offered tutorials recommending users to download the APK from a non-Google Play link.


In order to download the APK, users are required to "side-load" the malicious app by modifying their Android core security settings, allowing their device's OS to install apps from "untrusted sources."



Pokémon Go is Installing DroidJack Malware


Security researchers have warned users that many of these online tutorials are linked to malicious versions of the Pokémon Go app that install a backdoor on Android phones, enabling hackers to compromise a user's device completely.


Security firm Proofpoint has discovered the malicious app, or APK, which has been infected with DroidJack – a Remote Access Tool (RAT) that can hack any Android device by opening a silent backdoor for hackers.



Less than 3 days after Nintendo initially released the game in Australia and New Zealand on July 4, the malicious app was uploaded to an online malware detection repository.


Since Android's core security settings normally prevent the installation of untrusted third-party apps from "unknown sources," side-loading is something a user should never do.



"This is an extremely risky practice and can easily lead users to install malicious apps on their own mobile devices," researchers at Proofpoint wrote in a blog post. "Should an individual download an APK [Android application package] from a third-party that has been infected with a backdoor, like the one we discovered, their device would then be compromised."

Here's How to Protect Yourself


Fortunately, there are several ways to check if you have downloaded the malicious version of the Pokémon Go app.


The infected version of the Pokémon Go app would have been granted more system permissions, so one way to tell the two apart is to compare the permissions of your app with those of the legitimate one.


To do so, go to Settings → Apps → Pokemon GO and check the game's permissions.


If you find that the game has asked for permissions such as directly calling phone numbers, reading and editing your SMS messages, recording audio, reading web history, reading and modifying your contacts, reading and writing call logs, and changing network connectivity, then you should uninstall the game right away, since it is infected with DroidJack.


You can also compare the game's SHA-1 hash – a long string of characters used to verify whether a file has been infected or modified by a malicious third party – to make sure the game matches the hash of the legitimate version.
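The two checks just described, and the advice in the StrongPity post above to verify the integrity of any downloaded installer, can be scripted. The following is an added example, not Proofpoint's or the game's own code: it compares a file's SHA-1 against the hash a trusted source publishes, and parses `aapt dump permissions` style output to list permissions beyond what the legitimate build needs, flagging the ones the post attributes to the DroidJack-infected copy. The package name, the APK bytes, the published hash and the baseline permission set are all constructed stand-ins.

```python
# Added example, not Proofpoint's or the game's own code: two checks for a
# side-loaded APK, a SHA-1 comparison against the published hash of the
# legitimate build, and a permission audit against what the legitimate build
# needs.  Package name, hashes, APK bytes and aapt output below are constructed.
import hashlib
import hmac
import re

# The permission groups the post says the DroidJack-infected copy requested,
# mapped to the Android permission names that grant them.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.CALL_PHONE",                          # directly call phone numbers
    "android.permission.READ_SMS",                            # read SMS
    "android.permission.WRITE_SMS",                           # edit SMS
    "android.permission.RECORD_AUDIO",                        # record audio
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",  # read web history
    "android.permission.READ_CONTACTS",                       # read contacts
    "android.permission.WRITE_CONTACTS",                      # modify contacts
    "android.permission.READ_CALL_LOG",                       # read call logs
    "android.permission.WRITE_CALL_LOG",                      # write call logs
    "android.permission.CHANGE_NETWORK_STATE",                # change network connectivity
}

# Matches both `uses-permission: X` and `uses-permission: name='X' ...`, the two
# line styles `aapt dump permissions <apk>` has printed over the years.
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?")


def hash_matches(apk_bytes: bytes, published_sha1: str) -> bool:
    """True if the file's SHA-1 equals the hash published for the legitimate APK."""
    actual = hashlib.sha1(apk_bytes).hexdigest()
    return hmac.compare_digest(actual, published_sha1.strip().lower())


def parse_permissions(aapt_output: str) -> set:
    """Extract the set of requested permissions from aapt-style output."""
    perms = set()
    for line in aapt_output.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def audit_apk(apk_bytes: bytes, published_sha1: str, aapt_output: str, baseline: set) -> dict:
    """Combine both checks: 'unexpected' is anything beyond the legitimate build's
    permissions, 'suspicious' is the subset matching the RAT profile from the post."""
    requested = parse_permissions(aapt_output)
    return {
        "hash_ok": hash_matches(apk_bytes, published_sha1),
        "unexpected": requested - baseline,
        "suspicious": requested & SUSPICIOUS_PERMISSIONS,
    }


# --- constructed sample data (stand-ins, not real APK contents or hashes) ---
LEGIT_APK = b"PK\x03\x04 constructed stand-in for the legitimate APK bytes"
PUBLISHED_SHA1 = hashlib.sha1(LEGIT_APK).hexdigest()  # what a trusted source would publish
SIDELOADED_APK = LEGIT_APK + b" + repackaged payload"  # a modified copy differs somewhere

# Permissions a legitimate build is assumed to need (assumption for the demo).
LEGIT_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}

# Constructed aapt-style output for a repackaged copy; package name is a placeholder.
TROJANIZED_AAPT_OUTPUT = """\
package: com.example.pokemongo
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.CALL_PHONE
"""

if __name__ == "__main__":
    report = audit_apk(SIDELOADED_APK, PUBLISHED_SHA1, TROJANIZED_AAPT_OUTPUT, LEGIT_BASELINE)
    print("hash matches published value:", report["hash_ok"])
    print("permissions beyond baseline:", sorted(report["unexpected"]))
    print("RAT-profile permissions:", sorted(report["suspicious"]))
```

The hash check only helps if the reference value comes from somewhere other than the site that served the file, which is exactly the weakness the StrongPity copycat sites exploited; the permission diff is the cheaper check a user can do from the Settings screen without any tooling.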



The Bottom Line:


Instead of downloading available applications from unknown third party stores, wait for the Pokémon Go app to launch in your country.


Downloading apps from third parties does not always end in malware or viruses, but it certainly raises the risk. So the best course is to wait, in order to avoid compromising your device and the networks it accesses.

Tuesday, December 29, 2015

Offer Money to install Malware on Raspberry Pi


The Raspberry Pi is now gaining attention from malware distributors who want the popular mini-computers to ship with pre-installed malware.

The Raspberry Pi Foundation has made a shocking revelation: the charitable foundation has been offered money to install malware onto Raspberry Pi machines before they are shipped out to users.

The Raspberry Pi is an extremely simple computer that looks and feels very basic, but could be built into many geeky projects. Due to the low-cost appeal of the Raspberry Pi, the Foundation has sold over 4 million units.

Just last month, Raspberry Pi unveiled its latest wonder: the Raspberry Pi Zero – a programmable computer that costs just $5 (or £4) and may rank as the world's cheapest computer.

Last Wednesday, the Foundation tweeted a screenshot of an email in which a "business officer" named Linda effectively asked the Foundation's director of communications, Liz Upton, to install a suspicious executable file onto Raspberry Pis, for which the officer promised a "price per install."

The email further explained that installing the executable file would create a shortcut icon on the user's desktop, and opening the shortcut would take the user to the company's website. "Then this is our target," the email reads.

Here's the screenshot of the full email:
[screenshot: raspberry-pi-malware]
However, the name of the company represented by Linda was not revealed by the Raspberry Pi Foundation.

Obviously, the paid-for-malware distributor pitched the wrong organisation, which declined the offer and described the company as "evildoers," but the incident once again raises questions about this common, widespread issue.

Tuesday, August 18, 2015

Another Critical Flaw in Android Puts Millions at Risk



Earlier, we reported on a critical mediaserver vulnerability that threatened to crash more than 55 percent of Android devices, making them unresponsive and practically unable to perform the most essential tasks.

Now, security researchers at Trend Micro have uncovered another flaw in Android's mediaserver component that could be remotely exploited to install malware onto a target device by sending a specially crafted multimedia message.

The vulnerability (CVE-2015-3842) affects almost all versions of Android from Android 2.3 Gingerbread to Android 5.1.1 Lollipop, potentially leaving hundreds of millions of Android devices open to hackers.

Google has patched this issue; hopefully the patch it issued this time isn't incomplete like its patch for the Stagefright vulnerability, which affects 950 million Android devices worldwide.

How the Vulnerability Works


The security flaw involves a mediaserver component called AudioEffect and uses an unchecked variable that comes from the client, usually an app.

According to a security researcher from Trend Micro, the vulnerability can be exploited by malicious apps.

All a hacker needs to do is convince the victim to install an app that does not ask for "any required permissions, giving them a false sense of security."

"The checking of the buffer sizes of pReplyData and pCmdData is not correct," researchers wrote in a blog post published Monday.

"As the mediaserver component uses these buffers… the mediaserver component assumes the buffer sizes of pReplyData and pCmdData are bigger than this size. We can make the buffer size of pReplyData, which is client-supplied, smaller than the size read from the buffer pCmdData. This causes a heap overflow."
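The size-check mistake the researchers describe is easier to see in a reduced model. The following is an added example, not AOSP code: a client sends a command buffer (standing in for pCmdData) whose first four bytes say how large a reply it wants, and its own reply buffer (standing in for pReplyData) together with the size it claims that buffer has. The unpatched handler trusts the size read from the command buffer and writes that much; the corrected handler rejects the command when the two sizes disagree. The command layout, the toy heap and the error codes are assumptions for the demo, chosen to mirror the -EINVAL value Android's BAD_VALUE carries.

```python
# Added example, not AOSP code: a simplified model of the AudioEffect command
# path described above.  The client supplies a command buffer (pCmdData) whose
# first 4 bytes say how big a reply it wants, plus its own reply buffer
# (pReplyData) and the size it claims that buffer has (the client-supplied reply size).
import struct

NO_ERROR = 0
BAD_VALUE = -22   # Android's status_t BAD_VALUE is -EINVAL; used here by assumption


class HeapOverflow(Exception):
    """Raised by the toy heap when a write runs past a buffer's allocated size."""


class HeapBuffer:
    """Stand-in for a heap allocation of fixed size (the client's pReplyData)."""

    def __init__(self, size: int):
        self.size = size
        self.data = bytearray(size)

    def write(self, payload: bytes) -> int:
        if len(payload) > self.size:
            raise HeapOverflow(f"{len(payload)}-byte write into {self.size}-byte buffer")
        self.data[:len(payload)] = payload
        return len(payload)


def build_cmd(requested_reply_size: int) -> bytes:
    """Constructed pCmdData: a little-endian u32 size field (layout is an assumption)."""
    return struct.pack("<I", requested_reply_size)


def handle_command_unpatched(cmd_data: bytes, reply_size: int, reply: HeapBuffer) -> int:
    """Bug pattern from the post: the size read from pCmdData is trusted, and the
    client-supplied reply_size is never compared against it."""
    (size_from_cmd,) = struct.unpack_from("<I", cmd_data, 0)
    reply.write(b"\x00" * size_from_cmd)        # overflows when size_from_cmd > reply_size
    return NO_ERROR


def handle_command_patched(cmd_data: bytes, reply_size: int, reply: HeapBuffer) -> int:
    """Corrected pattern: validate both sizes before touching either buffer."""
    if len(cmd_data) < 4:
        return BAD_VALUE                         # too short to even hold the size field
    (size_from_cmd,) = struct.unpack_from("<I", cmd_data, 0)
    if size_from_cmd > reply_size:
        return BAD_VALUE                         # reject instead of writing past pReplyData
    reply.write(b"\x00" * size_from_cmd)
    return NO_ERROR


def run_checks() -> dict:
    """Exercise both handlers with a reply buffer smaller than the requested size."""
    cmd = build_cmd(64)                          # command asks for a 64-byte reply
    small = HeapBuffer(16)                       # but the client only allocated 16 bytes
    try:
        handle_command_unpatched(cmd, small.size, small)
        unpatched_overflowed = False
    except HeapOverflow:
        unpatched_overflowed = True
    patched_rc = handle_command_patched(cmd, small.size, HeapBuffer(16))
    ok_rc = handle_command_patched(build_cmd(16), 16, HeapBuffer(16))
    return {"unpatched_overflowed": unpatched_overflowed,
            "patched_rc": patched_rc,
            "well_formed_rc": ok_rc}


if __name__ == "__main__":
    print(run_checks())
```

In a native service the write that the toy heap rejects would instead corrupt adjacent heap allocations, which is the heap overflow the researchers report; the fix is the same shape either way, namely checking every client-supplied length against the buffer it is about to govern before any copy happens.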

Proof-of-Concept Attack


The researchers have also developed a proof-of-concept (PoC) malicious app that exploits the flaw. They tested their app on a Nexus 6 handset running Android 5.1.1 Build LMY47Z.

Once installed on the device, the app crashes Android's mediaserver component by overflowing the buffer pReplyData in the heap. If the mediaserver component does not crash, the PoC app closes and runs again.

When Can I Expect a Fix?


So far, there isn't any indication of active attacks against this vulnerability, but researchers said that the flaw could be exploited to provide full control of the target device.

Google has fixed the issue, but given the shaky history of device manufacturers and carriers rolling out patches, it is not known how long the companies will take to update the vulnerable devices.