Android malware uses coronavirus for sextortion and ransomware combo - Naked Security

Android malware uses coronavirus for sextortion and ransomware combo - Naked Security


Android malware uses coronavirus for sextortion and ransomware combo - Naked Security

Posted: 18 Mar 2020 03:15 PM PDT

Late last week, researchers at network intelligence company DomainTools warned about an Android malware sample that caught our attention.

We downloaded a copy of the malware for ourselves and took a look at what the crooks were up to – here's what we found.

Like many other cyberthreats doing the rounds these days, the criminals have used the coronavirus pandemic as a lure, offering an intriguing if rather creepy app called COVID 19 TRACKER.

Catchy icon of the malware app

The website promoting the app offers to "Track Real-Time Coronavirus Outbreak in your Street, City and State", and says it will "Get Real-Time Statistics about Coronavirus outbreaks around you in over 100 countries."

Main malware landing page when browsing from Android

To be precise, if you're keeping your eye out for giveaway mistakes, it actually says outbreak aroud you, an error both of grammar and spelling that you can see below.

Sure, mainstream websites make spelling mistakes, too, but every clue helps, so keep your eyes open for errors that might be a telltale sign of crooks in a hurry.

As we've seen before in coronavirus-themed cybercrime, the criminals have added the logos of various legitimate and useful sources of information:

Left: Main malware landing page when browsing from Android
Right: Download button with fraudulent "certification" claims

This time, they're claiming their app is "certified by" the US Department of Education, the World Health Organization (WHO), and the US Centers for Disease Control and Prevention (CDC).

(No, that's not a typo above: the CDC runs its operations and research from numerous major locations, so its name is a plural.)

If you're wondering why the feature to track coronavirus infections in more than 100 countries has what looks like a winner's gold cup above it with the number "1" on it, it's because the crooks have plundered various legitimate apps and brands to leech logos, layout ideas, icons and more to use in their code.

The marketing material that the crooks have crudely ripped off comes from the pages of an unrelated Google Play app that really does have a 4.4-star rating:

Left: ripped-off web site content repurposed by malware authors
Right: original marketing from unrelated Google Play app

What about the the app?

As you can see from the screenshot above, the "tracker app" doesn't come from Google Play, because it wouldn't get in.

Instead, you have to go off-market by downloading it directly from the crooks' website by clicking their own [DOWNLOAD APK] button.

When you run the app for the first time, it asks for various permissions that might make you suspicious, but that don't seem too outrageous, given that it's supposed to keep you alerted about coronavirus cases as you move around.

In particular, the app wants to run in the background, to have lockscreen access, and to use Android's accessibility features, as you see here:

Left: background permission is requested immediately
Right: clicking the [SCAN] button on the app screen demands you to grant more permissions first

Although the malware claims to need lockscreen access to give you an "instant alert when a coronavirus patient is near you", that's bogus for two reasons.

Firstly, even if the app is using the latest coronavirus stats, downloaded in real time, it has no way of determining the infectious status of any individual passing by, so it is false (and, indeed, creepy) to claim this as a "feature" at all.

Secondly, you don't need "lockscreen access" to send notifcations to the lockscreen – that's controlled by the user, who can choose from their phone's settings what sort of notifications to show when the phone is locked.

In fact, the malware wants what's called device admin rights, as you can see in the screenshot below.

This is a feature that Google describes in its own documenation as allowing "device administration features at the system level, [to] allow you to create security-aware apps that are useful in enterprise settings."

Similarly, if this app were genuine, it wouldn't need Accessiblity permissions, as it claims.

Those features are intended for use by software such as screen readers (which obviously need to access the screen content of other apps), and they're tolerated on Google Play for security apps that can justify looking out for data such as web links in order to look for malicious sites.

The app claims that it needs Accessibility permissions by mentioning "active stats monitoring", but a legitimate program would get its data by downloading and processing it itself, not by "sneaking a peek" and stealing it from other apps.

Left: malware demands device admin powers, though they aren't needed for lockscreen notifications
Right: malware uses Accessibility functions to track your app usage

What happens next?

The real reasons why this malware wants to run in the background, monitor the other apps you are running, and intervene as a device administrator…

…are probably rather obvious, given the headline of this article.

Amongst other things, it tracks which app you have in the foreground and takes over control as soon as you try to use your phone for most of its normal features, including making calls, getting and sending messages, and accessing the Settings page.

And the Settings page is probably exactly where you will want to go as soon as a the malware kicks in, which is does within about a second of launching most apps:

The malware locks you out of most apps by quickly covering them entirely with a blackmail demand.
The demand mixes sextortion with ransomware.

As you can see, this one is a combination of sextortion and ransomware – you're locked out of your device because of the persistent pop-over screen, but with a threat to leak personal videos and photos to your family as an added incentive to pay up.

Once you're infected, you can't access Settings (where you can, in fact, kill off and uninstall the malware), in an attack reminiscent of Reveton, one of the earliest mobile phone "screen locker" ransomware variants that was widespread back in 2012.

Ironically, the malware is careful not to block your browser, even though you could use it to go online and look for advice on how to clean up.

That's because the malware itself relies on the browser to load its own "here is how it works" page, hosted on the free data-sharing site Pastebin:

Instructions for how much to pay and whom to contact

How to clean up

Fortunately, at least in our experiments with this sample, the malware was fairly easy to remove by hand.

Our files were left intact, with the malware relying on its rapid pop-over screen as its way of keeping you locked out of your device, and as far as we can tell, the threat to reveal your personal data to friends and family if you don't pay is entirely empty.

In other words, if you can remove the app so it no longer interferes with your phone usage, then you're essentially home free.

A quick fix is offered by the fact that the crooks were lazy, and hardcoded the unlock code into their app:

Hardcoded unlock PIN in the malware

When we typed in the 10-digit code 4865083501 where you see enter decryption code in the blackmail page shown above, the malware stopped blocking our access to other apps.

Note, however, that the unlock code doesn't actually stop the malware and uninstall it!

(The crooks handily left logging code in their app, so we could use the Android development tool adb logcat to watch the app continuing to abuse its Accessibility permissions to track apps as we used them, even after we'd entered the unlock code.)

But after entering the unlock code, we were able to access the Settings page, remove the malware's device admin rights and uninstall it.

We used Settings > Apps and notifications > See all N apps to reach the App info page, where we located the Coronavirus Tracker app:

Left: the top-level App info page
Right: the malware shows up as "Coronavirus Tracker"

We tapped on the malware entry to open up its own App info page, where we used the system's Uninstall button to get to the Deactivate & uninstall option, by which the system will demote the app from its device admin role (which prevents regular uninstallation) and then remove it:

Left: the [Uninstall] button on the system App info page
Right: uninstalling from here lets you remove device admin and the app in one go

We also tried rebooting our phone in Safe Mode, where most background apps don't run, to see if we could remove the malware without relying on the unlock code – even though we know the right code for this sample, it might be different in other variants of the malware.

Also, there is something unappealing about trying to remove the malware while it's still active and keeping track of what you're up to on the device.

On our phone, Safe Mode is activated by holding the power button until the reboot menu appears, then holding down the power off icon for a second or two until the Safe Mode menu appears.

After a reboot, the text Safe mode appeared at bottom left of the screen; the malware didn't launch; and we could use the same procedure as we did above to locate, deactivate and uninstall the malware.

What to do?

Not all mobile malware is this easy to get rid of, and most ransomware these days no longer just locks your device but also scrambles your files so that they need decrypting, too.

And many crooks have learned not to take shortcuts with their passwords, so it's unusual to find an unlock key right there in the malware code.

So, your best bet is not to let your Android get infected in the first place.

  • Stick to Google Play. It's not perfect, but it would almost certainly never have admitted this app, not only because of its coronavirus theme, but also because of its blatant abuse of permissions.
  • Use a third-party anti-virus in addition to the standard built-in protection. Sophos Intercept X for Mobile is free, and it will not only block malware from running in the first place, wherever you download it from, but also keep you away from risky websites to start with.
  • Never believe an app's own propaganda. In this case, the crooks simply stole a marketing history from an existing app and claimed it as their own, complete with a positive review rating. On-site reviews are largely meaningless – they could have come from anywhere, and probably did. If you need advice, ask someone you actually know and trust.
  • Don't grant permissions to an app unless it genuinely needs them. Decently-behaved apps generally still work, albeit with limited features, even if you withold some permissions, so this malware's trick of demanding unreasonable permissions before it runs at all should be considered suspicious.

Oh, in case it makes you feel better, the total amount that the crooks have received into the Bitcoin address shown in the Pastebin page above…

…is zero.

Sophos products detect and block this malware as Andr/SLocker-CX.
The website where we downloaded the malware (see screenshots above) has been taken down.


Microsoft Defender coming to devices running Android, iOS - Tech Xplore

Posted: 24 Feb 2020 05:03 AM PST

microsoft
Credit: CC0 Public Domain

Microsoft Defender software will extend its activity to fight the good fight against malware on iOS and Android mobile platforms. Expect to see the Defender software for these devices later this year, according to reports. But why bother? Matthew Humphries in PC Magazine says, "Microsoft believes there's a market for its security software on mobile devices, so Android and iOS users will soon have the option of running Microsoft Defender on their devices."

Regarding Android, Tom Warren in The Verge said, "Microsoft will join this growing market to prevent malware in Android apps that are sideloaded onto devices." Quoted by CNBC, Rob Lefferts, a Microsoft corporate vice president, said that people can end up allowing malware onto their Android devices by installing applications they find outside of Google Play, which is the official repository of apps for Android.

A BGR report said, "If you've been reading BGR even sporadically for the past several years, you know how frequently malware shows up in applications that Android users sideload on to their devices from outside the official Google Play store." A big reason for this move to iOS and Android is phishing prevention. This extended reach would count as a measure to stop employees at companies from accidentally revealing their user names, passwords or other account information.

"Phishing prevention will likely be one of the main features for Defender on iOS and Android," said Anthony Spadafora in TechRadar, "as Microsoft looks to protect businesses from having their employees reveal their usernames, passwords and other account information to potential attackers."

A PCWorld report said, "Microsoft apparently hopes to reassure its that it can secure their phones as well as their PCs." What about consumers? Defender for mobile will be part of the company's enterprise security platform, "and as of now, it is still unclear as to whether or not Microsoft will make its antivirus apps available to consumers," Spadafora added.

CNBC said the Defender software coming to Android and iOS was designed to prevent people from visiting online destinations that Microsoft deems unsafe. Nonetheless, Tyler Lee in Ubergizmo was still looking for answers: "The company will be sharing more details about the app next week," he wrote, "so we'll be sharing those details with you then. That being said, it will be interesting to see what kind of protection Microsoft can offer to iOS devices. This is largely due to Apple's walled garden approach with third-party apps that can sometimes limit its functionality."

Tom Warren in The Verge suggested a similar reason to be curious, as "Microsoft's mobile Defender clients will likely be very different to the desktop versions, especially as Apple's iOS platform doesn't allow apps to scan for malware across an iPhone or iPad."

TechRadar, though, was looking forward to an upcoming security event for a fuller story. "Microsoft has not yet shared any details regarding the functionality of the apps yet," wrote Anthony Spadafora, "but it does plan to preview them at the upcoming RSA conference." The San Francisco event starts Feb. 24.

Moti Gindi, corporate vice president, Microsoft Threat Protection, said in a February 20 blog post that "next week at the RSA Conference, we'll provide a preview of our investments in mobile threat defense with the work we're doing to bring our solutions to Android and iOS."

Mark Hachman, PCWorld, has gathered some insight into the move to iOS and Android. "Interestingly, the Defender package that Microsoft plans to install doesn't appear to be traditional anti-malware," he wrote. "While Windows Defender scans for and removes malware on your PC, the iOS and Android solutions Microsoft announced are designed to prevent people from visiting online destinations that Microsoft thinks are unsafe."


Explore further

Microsoft makes Word available on Android phones

© 2020 Science X Network

Citation: Microsoft Defender coming to devices running Android, iOS (2020, February 24) retrieved 24 March 2020 from https://techxplore.com/news/2020-02-microsoft-defender-devices-android-ios.html

This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Comments

Popular Posts

FBI and NSA issue cybersecurity advisory over new form of Russian malware - SiliconANGLE

System detected an overrun of a stack-based buffer in this application [FIX] - Windows Report

Unseen Suburban Danger: Children Dying of Mosquito-Borne Diseases - Wired