We at Kaspersky Lab monitor, report, and protect against a lot of threat actors, some of which are known internationally and sometimes featured in the news. It doesn’t matter which language the threat actor speaks, it’s our duty to know about it, investigate it, and protect our customers from it.
One of the most active threat actors is a Russian-speaking APT called Sofacy, also known as APT28, Fancy Bear, and Tsar Team, infamous for its spear phishing campaigns and cyberespionage activities. In 2017, it shifted focus in a way worthy of an update here.
We’ve been watching Sofacy since 2011 and are pretty familiar with the instruments and tactics the threat actor is using. Last year, the main change was that it moved beyond the NATO countries it was actively spear phishing in the beginning of the year and onto countries in the Middle East and Asia — and farther — in Q2 2017. Earlier, Sofacy also targeted the Olympic Games, the World Anti-Doping Agency (WADA), and the Court of Arbitration for Sports (CAS).
Sofacy uses different tools for different target profiles. For example, in early 2017 a campaign called Dealer’s Choice targeted mostly military and diplomatic organizations (mainly in NATO countries and Ukraine); later, the hackers were using two other tools, which we call Zebrocy and SPLM, to target companies of different profiles including science and engineering centers and press services. Both Zebrocy and SPLM were heavily modified last year, with SPLM (which also goes by the name Chopsticks) becoming modular and using encrypted communications.
The usual infection scheme starts with a spear-phishing letter containing a file with a script that downloads the payload. Sofacy is known for finding and exploiting zero-day vulnerabilities and using those exploits to deliver the payload. The threat actor maintains a high level of operational security and really focuses on making its malware harder to detect — which, of course, makes it harder to investigate.
In cases of highly sophisticated targeted campaigns such as Sofacy, thorough incident investigation is vital. It will allow you to figure out what information malefactors were after, understand their motives, and detect the presence of any sleeping implants.
To do that, your security system needs not only advanced protective solutions but also an endpoint detection and response system. Such a system detects threats at early stages, and helps analyze events that predated the incident. Having skilled experts doesn’t hurt, either. As a solution, we offer the Threat Management and Defense platform, which incorporates Kaspersky Anti Targeted Attack, Kaspersky Endpoint Detection and Response, and expert services.
You can find more information on the threat actor’s activity in 2017, including technical details, on Securelist. Further, at the start of this year, our researchers found some interesting shifts in Sofacy’s behavior that we will highlight at the SAS 2018 conference. If you are interested in APTs and building defense against them, don’t forget to get a ticket — or at least visit our blogs frequently during the SAS.
The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.
What is Cryakl?
The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.
When encrypting files on a victim’s computer, Cryakl creates a long key that it sends to a command-and-control C&C server. Without this key, it is nearly impossible to recover files impacted by the malware. After that, Cryakl replaces the desktop wallpaper with contact details for its creators together with a ransom demand. Cryakl also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.
As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.
The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.
How to rescue files encrypted by Cryakl ransomware
The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at NoMoreRansom.org, and get decryption instructions here.
We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.
How to stay safe in the future
When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:
1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.
2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.
3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.
4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.
The story of the Internet and its Things may seem as star-crossed a tale as any, but it does not need to be hopeless. Although security researchers Dennis Giese and Daniel Wegemer eventually managed to hack into the Xiaomi Mi Robot vacuum cleaner, their research shows that the device is much more secure than most other smart things are.
In their talk at Chaos Communication Congress 34, which was held in Leipzig recently, the researchers explained how the device’s software works and which vulnerabilities they had to use to finally crack its protection.
Hacking the Mi Robot with tinfoil
When they started their research, Giese and Wegemer were amazed to find that the Xiaomi vacuum cleaner has more powerful hardware than many smartphones do: It is equipped with three ARM processors, one of which is quad core. Sounds pretty promising, right? So, for starters, Giese and Wegemer tried to use several obvious attack vectors to hack the system.
First, they examined a unit to see if there was a way in through the vacuum cleaner’s micro USB port. That was a dead end: Xiaomi has secured this connection with some kind of authentication. After that, the researchers took the Mi Robot apart and tried to find a serial port on its motherboard. This attempt was likewise unsuccessful.
Their second hacking method was network based. The researchers tried to scan the device’s network ports, but all ports were closed. Sniffing network traffic didn’t help, either; the robot’s communications were encrypted. At this point, I’m already rather impressed: Most other IoT devices would have been hacked by now because their creators usually don’t go this far in terms of security. Our recent research on how insecure connected devices are illustrates it perfectly.
However, let’s get back to the Xiaomi Mi Robot. The researchers’ next attempt was to attack the vacuum cleaner’s hardware. Here, they finally succeeded — by using aluminum foil to short-circuit some of the tiny contacts connecting processor to motherboard, causing the processor to enter a special mode that allows reading and even writing to flash memory directly through the USB connection.
That’s how Giese and Wegemer managed to obtain Mi Robot firmware, reverse-engineer it, and, eventually, modify and upload it to the vacuum cleaner, thereby gaining full control over the unit.
Hacking the Mi Robot wirelessly
But cracking stuff open and hacking hardware is not nearly as cool as noninvasive hacks. After reverse-engineering the device’s firmware, the researchers figured out how to hack into it using nothing more than Wi-Fi — and a couple of flaws in the firmware’s updating mechanism.
Xiaomi has implemented a pretty good firmware-update procedure: New software arrives over an encrypted connection, and the firmware package is encrypted as well. However, to encrypt update packages, Xiaomi used a static password — “rockrobo” (don’t use weak passwords, kids). That allowed the researchers to make a properly encrypted package containing their own rigged firmware.
After that, they used the security key they obtained from Xiaomi’s smartphone app to send a request to the vacuum cleaner to download and install new firmware — not from Xiaomi’s cloud but from their own server. And that’s how they hacked the device again, this time wirelessly.
Inside the Mi Robot’s firmware
Examining the firmware, Giese and Wegemer learned a couple of interesting things about Xiaomi smart devices. First, the Mi Robot firmware is basically Ubuntu Linux, which is regularly and quickly patched. Second, it uses a different superuser password for each device; there’s no master password that could be used to mass-hack a whole lot of vacuum cleaners at once. And third, the system runs a firewall that blocks all ports that could be used by hackers. Again, hats off to Xiaomi: By IoT standards, this is surprisingly good protection.
The researchers also learned something disappointing about Mi Robot, however. The device collects and uploads to Xiaomi cloud a lot of data — several megabytes per day. Along with reasonable things such as device operation telemetry, this data includes the names and passwords of the Wi-Fi networks the device connects to, and the maps of rooms it makes with its built-in lidar sensor. Even more disturbing, this data stays in the system forever, even after a factory reset. So if someone buys a used Xiaomi vacuum cleaner on eBay and roots it, they can easily obtain all of that information.
Concluding this post, it’s worth emphasizing that both of the techniques Giese and Wegemer used enabled them to hack only their own devices. The first one required physical access to the vacuum cleaner. As for the second, they had to obtain the security key to make an update request, and those keys are generated every time the device is paired with the mobile app. The security keys are unique, and it’s not that easy to get them if you don’t have access to the smartphone that is paired with the Xiaomi device you’re going to hack.
All in all, it doesn’t look like the Xiaomirai is nigh. Quite the contrary: The research shows that Xiaomi puts much more effort into security than most other smart device manufacturers do, and that is a hopeful sign for our connected future. Almost everything can be hacked, but if something takes a lot of effort to hack, it’s less likely that criminals will bother trying — they are usually after easy money.
Ransomware has been called the scourge of the Internet for quite a while. It’s really one of the twenty-first century’s main cyberthreats, and recently it has taken … quite a turn. Researchers from MalwareHunterTeam have discovered a new strain of ransomware, called nRansom, that blocks victims’ computers, but instead of requiring money to unlock the computer, it demands nude photos.
This ransomware seems to be not a cryptor, but rather a blocker, which means that in case of infection it doesn’t encrypt your files, but simply blocks access to your computer. The ransom note that appears on the screen informs victims that the only way to get back access to their computers is to send the aforementioned pictures: ten of them, nude, and demonstrably of the victims.
They state that they will somehow verify those nudes really belong to the victim before sending the code that unlocks the computer.
At this point, nRansom has been seen only as a file called nRansom.exe, which means it affects only Windows users.
We can only speculate on what the criminals are planning to do with any photos they manage to get. They’ll probably use the pictures to shame the victims and extort either more nudes or money.
As always, we advise you not to pay the ransom if your computer gets infected. The word “pay” in this case is as legitimate as in any other; private information is no less payment than money.
Kaspersky Internet Security detects nRansom as Trojan-Ransom.MSIL.Agent.zz and neutralizes it right away. In case the blocker has somehow sneaked onto your PC, you can unblock the computer by pressing Ctrl + Alt + Shift + F4 simultaneously. It’s necessary to run a full scan of your system after that. You can read more about that here.
That technique is available in all of our flagship security solutions, and it works against all blockers, in case they somehow get onto your computer. However, if you always keep protection running, that scenario is highly unlikely; Kaspersky Internet Security neutralizes almost all ransomware species before they can do anything at all, and any that manage to sneak in under the radar are detected by System Watcher when they attempt to do anything malicious.
You’re in a hurry, trying to get to work, a business meeting, a date. So you launch your favorite app for booking a taxi as usual, but this time, it prompts you to enter your credit card number. Does that seem suspicious? It may not — apps forget information, and all you have to do is add your card number again.
The Faketoken Trojan has existed for a long time, and it has been upgraded for many years. Our experts named the current version “Faketoken.q,” and by now it has learned a significant number of tricks.
After getting onto a smartphone (judging by the malware icon, Faketoken infiltrates smartphones through bulk SMS messages with a prompt to download some picture) and installing the necessary modules, the Trojan hides its shortcut icon and starts background monitoring of everything that happens in the system.
The icon of the installed Faketoken Trojan
First, the Trojan is interested in the user’s calls. As soon as it detects a call, it starts recording. When the call is finished, Faketoken sends the recording to the criminal’s server. Second, the Trojan also checks which apps the smartphone’s owner uses.
When Faketoken detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with its own screen. To achieve that, it uses a standard Android feature that supports showing screen overlays on top of all other apps. A whole bunch of legitimate apps, such as messengers, window managers, and so on, use this feature.
The overlaying window matches the colors of the original app’s interface. In this window, the Trojan prompts the user to enter the number of his or her credit card, including the verification code from the back of the card.
The Faketoken.q Trojan impersonates taxi-booking apps popular in Russia
Actually, Faketoken.q is after a huge variety of apps that have one thing in common: in them, a request to enter payment data looks normal enough not to arouse suspicion. Among the attacked apps are a number of mobile banking apps, Android Pay, the Google Play Store, apps for booking flights and hotel rooms, and apps for paying traffic tickets — as well as apps for booking taxis.
During the very stage of stealing money from the user, Faketoken resorts to another ruse, intercepting all incoming SMS messages, hiding them from the user, and forwarding them to the criminals’ server, where one-time passwords for payment confirmation from those messages are extracted.
We must give the assiduous creators of Faketoken their due. They will most likely improve the Trojan, and a wave of infection incidents may sprout from the “commercial” version at some point.
Currently the Trojan is focused on users in Russia, but as we’ve seen many times in the past, cybercriminals constantly steal ideas from each other, so it won’t take long for them to adopt the same trick in other countries. A lot of city dwellers have taxi-booking apps installed these days, so this trick represents a good opportunity for malware creators.
Below you can find several pieces of advice on how to protect yourself against Faketoken and similar mobile Trojans that steal card numbers and intercept SMS messages with one-time passwords used to confirm payments.
It is imperative that you go into Android’s settings and prohibit the installation of apps from unknown sources. To block installation from unknown sources, go to Settings -> Security and uncheck Unknown sources.
Always pay attention to what access permissions an app requests during installation, even if you downloaded it from Google Play (there might be Trojans in the official app store as well). You can learn more about Android permissions in this article.
Do you use Snapchat? If so, you may want to take a deeper look at the Snap Map feature released earlier this week. As the company explains:
With the Snap Map, you can view Snaps of sporting events, celebrations, breaking news, and more from all across the world.
If you and a friend follow one another, you can share your locations with each other so you can see where they’re at and what’s going on around them! Plus, meeting up can be a cinch.
Only the people you choose can see your location — so if you’re friends with your boss, you can still keep your location on the down low during a “sick day”.
Snaps you submit to Our Story can still show up on the Map, though!
The feature sounds quite straightforward, but the setup is not clear about how your data is shared, only that you are giving access to the app.
Earlier today, The Verge penned a piece digging into the privacy aspect and discovered that the map feature was firing up each time the author’s friend opened the app:
Turned out, she didn’t know she had Snap Map enabled, and didn’t know it was showing her location every time she opened the app. When she updated Snap and went through the Snap Map introduction, she believed Snap was giving the option to geotag her Snaps for Our Story, as shown in the promotional video. Instead, she had inadvertently broadcasted where she lived to every one of her Snap contacts.
In a follow-up, the company noted some things that were not mentioned during signup:
If you tap on your friend, you will see when their location was updated (i.e., 1 hour ago, 2 hours ago). Their location reflects where they last opened Snapchat.
A friend’s location will remain on the Map for up to 8 hours if they do not open the app again, causing their location to update. If more than 8 hours have passed and a Snapchatter has not opened the app, their location will disappear from the Map entirely.
We know that everyone has their own threshold for sharing — and, in some instances, oversharing. This is why the company offers many settings.
If you are like me and value your privacy, avoid opting in to the service. If you are curious but don’t want to broadcast your location, opt in by using Ghost mode, which shares your location with you alone; from there, you can browse the map.
Given the demographics of Snapchat, this is also a good time for parents to take a minute and talk with their children about privacy. Kids could be unwittingly sharing where they are and how long they have been there.
Not long ago, Facebook was hit with a wave of posts that falsely claimed to be giving away a suspiciously large number of free flight tickets in honor of airline anniversaries. As one of the conditions of the promotional offer, participants had to like and share the websites that pretended to give away prizes.
As usual, people saw the promise of something free and lost their minds, so Facebook was flooded with those posts. Of course, in reality there were no free tickets to claim, and the airlines had absolutely nothing to do with it. Let’s see what really happened.
As our analysts found out, the links in the posts led to websites like deltagiveaway.com, emiratesnow.us, aeroflot-com.us, and other similar websites, depending on which airline appeared to be offering free tickets. Different posts mentioned different airlines, and everyone seemed to be celebrating an anniversary at the same time — a rather large coincidence.
At first glance, the links seemed plausibly legitimate: after all, they contained an airline name. At second glance, some doubts could have crept in; but who has the time for a second glance when free tickets are on the line — free tickets that someone else might claim first?
Each of the websites had a simple survey with three questions: had you ever used the airline, what you liked best about the airline, and were you satisfied with the quality of service. After a user answered the questions, they were told they were now close to getting a free ticket. All that was left to do was share the link to the website on a social network, thank the airline, and click the “Like” button.
However, clicking the “Like” button led to a variety of undesirable results. For example, the user could end up on a website demanding their mobile phone number. If users failed to notice they had moved to a completely different website, entered their number, and clicked the “Confirm” button, they actually subscribed to a paid service with a daily subscription fee. Moreover, if they accessed the website from a mobile phone, confirmation would not necessarily have been required to subscribe, which means they might not have noticed anything strange. After that, the user finally learned they had not won the ticket.
The schemes varied in different countries. For example, a user might be redirected not to a mobile service subscription page but to Web pages with advertisements; mere attempts to boost traffic. A user might also find suggestions to download applications (not related to the airlines in any way). Or the links could lead to other scam websites. In no case were tickets actually offered.
Despite the obviousness of the scheme, it turned out to be very effective: Tens of thousands of people published similar posts with links in their news feeds. And they swallowed the bait either by subscribing to paid content or by downloading apps. What were these users really installing? Among other things, malicious browser extensions with permissions to read all data from the browser — including logins, passwords, and credit card numbers.
So, users turned out in droves to shove paid subscription scams or malware at their friends on social networks, all in the hopes of getting a free plane ticket. Nobody won in the end, and the number of scammed and infected people has increased by quite a bit. This commotion is ongoing, and we are likely to see new scams promising something else free. How can you avoid falling victim — and dragging your friends down with you?
Always remember that at least 99% of free lunches are nonexistent. There are exceptions, of course, where reasonable prizes are offered in reasonable quantities. But if you are offered a luxury car out of the blue, or you are told that there are thousands of airline tickets up for grabs, you have no reason to believe that. The only way to win is not to participate.
Pay particularly close attention to the URLs of any websites where you are asked to enter personal data. Is it really the website where you intended to enter your credit card number, or is it a phishing site? To learn more about how to recognize phishing and protect yourself against it, please read this blogpost.
Install reliable security solutions on all your devices. Good protection will prevent the installation of malicious browser extensions on your computer and will warn you when you are going to navigate to a phishing Web page.
Advertising can sometimes be annoying — and sometimes it can be malicious. Businesses that make their money selling advertisements sometimes go too far trying to make sure you see their ads. Recently researchers found that one such business — a big digital-marketing agency — went as far as installing adware on 250 million computers running Windows and macOS all over the world.
What’s even worse, this adware is capable of turning into full-fledged malware that can divert users to malicious sites and drop malware on their computers. And no one seemed to notice it — until now.
The stealthy Fireball
Adware is a type of application that shows you ads or collects data about you for purposes of profiling you and selling that profile to advertising agencies, which, in turn, show you ads. The most common way adware sneaks onto computers is when it comes bundled with other software. Adware creators are willing to pay for the bundling, so some developers of free software are actually eager to bundle it with their products to monetize them.
However, bundling can look quite different depending on the developers. Whereas normally you are notified about additional software being installed alongside the app you want, Fireball, the adware in question, doesn’t prompt users or give them a chance to opt out of the installation — it just stealthily installs. It’s important to note that the bundled adware doesn’t necessarily install at the same time as the freeware program you were interested in. The adware might be dropped in later, when you’re less alert to potential installation issues.
Fireball is a browser hijacker, which means it modifies your browser to serve its creator’s purposes. The modification involves changing the homepage and the default search engine as well as blocking your attempts to change them back. The fake search engines Fireball sets as defaults contain tracking pixels that gather data about users to use for marketing purposes. Also, Fireball has the ability to execute any code on the infected computer and download browser extensions or other software.
What’s interesting is that despite its malicious nature, Fireball is signed with legitimate digital certificates, which makes it seem innocuous. It also implements other detection-evasion techniques to make it harder for security suites to find it and mark it as malicious. That’s why no one noticed the spreading epidemic for some time — Fireball seemed to be a totally legit app.
Why Fireball is so dangerous
Additional ads together with additional tracking might seem bothersome but not dangerous. However, Fireball’s ability to download and install browser extensions and execute code on an infected device makes it a perfect backdoor — one that can be used, well, in a lot of different ways: mostly for dropping bad stuff onto your computer to harvest critical information or infect your device with various kinds of malware.
According to the researchers who discovered Fireball, it has already infected more than 250 million devices worldwide, and it can be found on one in every five corporate networks. If (or once) its creators decide to use it for espionage, Fireball could become a global catastrophe.
Despite Fireball’s stealth, it’s quite easy to spot. Open your browser and look at the homepage — is it the homepage you set? How about the default search engine? Can you modify the settings to change your homepage and default search engine? If you answered no to any or all of those, you might be infected with adware, be it Fireball or something else.
If nothing blocks your attempts to modify the settings and you are sure that your homepage and default search engine are intact, you are probably not infected with Fireball. But nonetheless, why not run a virus scan? Better safe than sorry.
Everyone, this is not a drill. It applies to all versions of Android, and at the time of this post’s publication, Google has not yet patched the vulnerability. By using this vulnerability, malicious actors can steal data including passwords; install applications with a full set of permissions; and monitor what the user is interacting with or typing on a keyboard on any Android smartphone or tablet. We repeat: This is not a drill…
The attack, dubbed Cloak and Dagger, was demonstrated by employees of the Georgia Institute of Technology and the University of California, Santa Barbara. They drew Google’s attention to the problem three times, but each time, Google replied that everything was working as intended. The researchers were left with no option but to publish their discoveries: They even created a website, cloak-and-dagger.org, for that purpose.
The essence of the Cloak and Dagger attack
In a nutshell, the attack uses an app from Google Play. Although the app asks for no specific permissions from the user, attackers obtain the rights to show the interface of the app on top of other apps, visually blocking them, and to click buttons on behalf of the user in such a way that they do not notice anything suspicious.
The attack is possible because users are not explicitly prompted to allow apps to access SYSTEM_ALERT_WINDOW functions when installing apps from Google Play, and permission to access ACCESSIBILITY_SERVICE (A11Y) is quite easy to obtain.
What kind of permissions are those? The first permission allows an app to overlay its interface on top of any other app, and the second one gives it access to a set of functions — Accessibility Service — for people with visual or hearing impairment. The latter can do a lot of different, even dangerous things, on a device by allowing an application both to monitor what happens in other apps and to interact with them on behalf of the user.
What could possibly go wrong?
An invisible layer
Essentially, the attacks that use the first permission, SYSTEM_ALERT_WINDOW, overlay other apps with their own interface without prompting the user. Moreover, the windows it can show can have any shape — including shapes with holes. They can also either register tapping or let it go through so that the app window below registers it.
For example, malicious developers can create a transparent layer that overlays the virtual keyboard of an Android device and captures all attempts to tap on the screen. Correlating the coordinates of the place where the user tapped the screen and the character positions on the keyboard, the attacker can find out what exactly the user is typing on that keyboard. Malicious programs of that kind are called keyloggers. This is one of the examples the researchers presented to demonstrate the attack.
Generally speaking, SYSTEM_ALERT_WINDOW is quite a dangerous permission; and Google itself assumes that it should be limited to a small number of apps. However, with popular applications such as Facebook Messenger (those Chat Heads that overlay everything else), Skype, and Twitter requiring this permission, the team at Google apparently decided that it would be easier if Google Play just granted the permission without explicitly prompting the user. Simplicity and security, unfortunately, don’t always go hand in hand.
The dangers of Accessibility features
The second permission, Accessibility, was designed with good intentions: to make it easier for people with visual or hearing impairments to interact with Android devices. However, this feature gives such a large number of permissions to apps that it is more often used for different purposes — by apps that need to execute actions not usually allowed on Android.
For example, to read out loud what is happening on the screen for people with a visual impairment, an app with Accessibility access may obtain information such as: what app has been opened, what the user taps on, and when a notification pops up. This means that the app knows the entire context of what is happening. And that’s not all. In addition to monitoring activities, the app can also perform various actions on behalf of the user.
All in all, Google is aware that the Accessibility permission gives applications the ability to do practically anything that one can think of on the device; therefore, it requires users to enable Accessibility for each individual application in a special menu in the settings section of a smartphone.
The problem is that by using the first permission, SYSTEM_ALERT_WINDOW, and by skillfully showing windows that overlap most of the screen (aside from the “OK” button), attackers can trick users into enabling Accessibility options, thinking that they are agreeing to something innocuous.
Then, because Accessibility can perceive context and act on behalf of users, which includes making purchases in the Google Play store, it becomes child’s play for attackers to use Google Play to download a special spy app and give it any permissions they want. Moreover, they can do so even when the screen is off or, for example, while a video clip plays, blocking everything that is happening below it.
Accessing SYSTEM_ALERT_WINDOW and ACCESSIBILITY_SERVICE also allows fraudsters to perform phishing attacks without raising user suspicion.
For example, when a user opens the Facebook app and attempts to enter their login and password, another app with the Accessibility permissions may understand what’s happening and interfere. Then, by making use of SYSTEM_ALERT_WINDOW and the ability to overlay other apps, the application may show the user a phishing window that looks just like Facebook’s password prompt, into which the unsuspecting user will enter the login and password of his or her account.
In this case, the knowledge of context allows the developers to show the phishing screen at the right spot only when the user is going to enter the password. And from the user’s point of view, the Facebook login worked as expected, so they won’t have any reason to suspect that something has gone wrong.
Attacks such as those we describe above are not new to security researchers. They even have a name — tapjacking. Google gave Android app developers a way to fight back: an option to check if an app is overlaid, in which case users will not be allowed to perform some actions. That’s why most banking apps are protected against attacks with overlays such as Cloak and Dagger. However, the only way to be 100% sure an app is not vulnerable to such attacks is to contact the developer.
How to protect your device against Cloak and Dagger
The authors of the Cloak and Dagger research have tested the attack on three most popular Android versions: Android 5, Android 6, and Android 7, which together account for 70% of all Android devices. It turns out that those versions are all vulnerable to the attack — and it’s likely all previous versions are as well. In other words, if you have an Android device, it probably concerns you as well.
So, here is what you can do to protect yourself:
1. Try not to install unknown apps from Google Play and other stores, especially free apps. Legitimate apps will not attack you using Cloak and Dagger. Nevertheless, the question of how to tell a suspicious app from a harmless one remains open.
2. Regularly check which permissions the apps on your device have and revoke unnecessary ones. You can read this post to learn more on how to do that.
Last but not least, do not forget about installing security solutions on Android devices.
A lot of ads on the Internet promote easy ways to earn money. They tend to lead to fishy places — say, a post from an alleged mother of three who stays at home, earning several thousand dollars a day, and says you can do the same. But there are other ways to earn some easy money, too, that may seem much more plausible.
For example, some services offer to pay you for installing apps. The money amounts to pocket change — about 5 cents per app — but the work is pretty effortless, so some people find it attractive nonetheless. This kind of scheme is especially popular among children — install 50 apps and get a $2.50 to buy some gear for your favorite character in an online game.
The Google Play app store has quite a few applications that are in fact app exchanges. You download one of those, install it, see a list of apps for which you can get paid, download a couple of those on the list, install them, play a couple of minutes — and profit!
That looks rather mundane — even legitimate. Indeed, many software developers place a high value on the number of app downloads, and such a scheme increases that number, even if it isn’t exactly honest. No wonder developers are willing to pay for it. There doesn’t seem to be a catch — or is there?
Money for nothing, malware for free
Of course there is — otherwise, why would we write about it? It turns out that, among other things, such app exchanges may urge you to download malware, in particular the infamous Ztorg Trojan. That’s the Trojan downloaded from Google Play 500,000 times disguised as a guide for the popular game Pokémon Go.
All of these applications have two things in common. First, their download numbers increase rapidly — by tens of thousands per day. Second, if you look at their user reviews in the Google Play store, many mention that people downloaded those apps for money, credits, bonuses, or something like that.
The Ztorg Trojan hasn’t changed. After installation, it collects information about the system and the device and sends it to the command-and-control (C&C) server. The server responds with files that enable the malware to gain root access to the device, after which crooks have the freedom to do whatever they want: show ads, download other Trojans, whatever.
Ztorg also spreads through ads. You click on a banner and download the app, install it, and get infected. Very easy!
What’s interesting is that Ztorg shows its victims ads from the very same networks through which it spreads itself. The networks are legitimate; many other applications use them to try to monetize themselves. It’s just that the networks’ security guys missed the important point that they were advertising malware.
To be fair, Ztorg’s developers hid the malicious functionality, and it is not evident when studying the app. For example, Ztorg evaluates its environment and won’t run in a sandbox (a test environment).
Most malvertising banners do not link directly to the app download page but rather take users to a page that redirects to another page, which redirects to another page, and then to another page. Unuchek counted up to 27 such redirects before finally getting to the download. Moreover, the app can delay downloading malicious files from the C&C server for up to 90 minutes — by that time a tester would probably have decided that the app wasn’t doing anything malicious.
Actually, obfuscation is exactly the trick that was getting the malicious applications into the official Google Play store for a year and a half. Other Trojans lurk in there as well so you should not blindly trust all applications from this or any store.
How can you avoid becoming a victim of such attacks and letting scammers into your phone? We have two tips for you:
Download applications only from trustworthy developers or, better, from official app stores. You still may encounter Trojans, but they are far less prevalent in official stores.