Tag Archive for: Slips

TeaBot malware slips back into Google Play Store to target US users

/in


TeaBot malware slips back into Google Play Store to target US users

The TeaBot banking trojan was spotted once again in Google Play Store where it posed as a QR code app and spread to more than 10,000 devices.

This is a trick that its distributors used before, in January, and even though Google ousted these entries, it appears that the malware can still find a way into the official Android app repository.

According to a report from Cleafy, an online fraud management and prevention company, these applications are acting as droppers. They are submitted without malicious code and request minimal permissions, which makes it hard for Google’s reviewers to spot anything shady.

Also, the trojanized apps include the promised functionality, so user reviews on the Play Store are positive.

TeaBot fetcher app on the Play Store
TeaBot fetcher app on the Play Store (Cleafy)

Fetching the TeaBot payload

The In february, researchers found that TeaBot posed as an app named ‘QR Code & Barcode – Scanner’, which appears as a legitimate QR code scanning utility.

Upon installation, the app requests an update through a popup message, but contrary to the standard procedure imposed by the Play Store guidelines, the update is fetched from an external source.

Cleafy traced the download source back to two GitHub repositories belonging to the same user (feleanicusor), containing multiple TeaBot samples, uploaded on February 17, 2022.

TeaBot loading and infection process
TeaBot loading and infection process (Cleafy)

Once the victim accepts to install the update from non-trusted sources, TeaBot is loaded onto their device as a new app under the name ‘QR Code Scanner: Add-On’.

The new app launches automatically and requests the user to grant permission to use the Accessibility Services, to perform the following functions:

  • View the device’s screen and grab screenshots that expose login credentials, 2FA codes, SMS content, etc.
  • Perform actions such as auto-granting additional permissions in the background without requiring any user interaction.
Abuse of Accessibility Services
Abuse of Accessibility Services (Cleafy)

Google has introduced some security-minded API changes for the Accessibility Service in Android 12, but this remains the most commonly abused permission by banking trojans. After all, most Android phones are still running OS version 11 or…

Source…

New AdLoad malware variant slips through Apple’s XProtect defenses

/in


New AdLoad malware variant slips through Apple's XProtect defenses

A new AdLoad malware variant is slipping through Apple’s YARA signature-based XProtect built-in antivirus tech to infect Macs as part of multiple campaigns tracked by American cybersecurity firm SentinelOne.

AdLoad is a widespread trojan targeting the macOS platform since at least since late 2017 and used to deploy various malicious payloads, including adware and Potentially Unwanted Applications (PUAs), 

This malware can also harvest system information that later gets sent to remote servers controlled by its operators.

Increasingly active since July

These massive scale and ongoing attacks have started as early as November 2020, according to SentinelOne threat researcher Phil Stokes, with an increase in activity beginning with July and the beginning of August.

Once it infects a Mac, AdLoad will install a Man-in-The-Middle (MiTM) web proxy to hijack search engine results and inject advertisements into web pages for monetary gain.

It will also gain persistence on infected Macs by installing LaunchAgents and LaunchDaemons and, in some cases, user cronjobs that run every two and a half hours.

While monitoring this campaign, the researcher observed more than 220 samples, 150 of them unique and undetected by Apple’s built-in antivirus even though XProtect now comes with roughly a dozen AdLoad signatures.

Many of the samples detected by SentinelOne are also signed with valid Apple-issued Developer ID certificates, while others are also notarized to run under default Gatekeeper settings.

XProtect AdLoad signatures
XProtect AdLoad signatures (SentinelOne)

“At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules,” Stokes concluded.

“The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.”

Hard to ignore threat

To put things into perspective, Shlayer, another common macOS malware strain that has also been able to bypass XProtect…

Source…

‘Clipper’ malware that alters crypto wallet addresses slips into Play Store – SC Magazine

/in
  1. ‘Clipper’ malware that alters crypto wallet addresses slips into Play Store  SC Magazine
  2. Fake MetaMask App on Google Play Store Hosted Crypto Malware  CoinDesk
  3. Fake MetaMask Crypto Malware Pulled From Google Play After Tipoff  Cointelegraph
  4. That’s Not MetaMask Mobile, It’s Malware  ETHNews
  5. Cryptocurrency-stealing Clipper malware caught in Google Play Store, here’s how to avoid it  TechRepublic
  6. View full coverage on read more

“malware news” – read more

Software trains away human slips implied in 95% of security breaches

/in

“I took a step back from my computer-science and computer-security background and dove into the field of behavioral science, positive psychology, and game design and started exploring how people …
computer security – read more