We recently posted that ransomware is giving way to miners at the top of the online threat rankings. In line with this trend, the Trojan ransomware Rakhni, which we’ve been watching since 2013, has added a cryptocurrency mining module to its arsenal. What’s interesting is that the malware loader is able to choose which component to install depending on the device. Our researchers figured out how the updated malware works and where the danger lies.
Our products spotted Rakhni in Russia, Kazakhstan, Ukraine, Germany, and India. The malware is distributed mainly through spam mailings with malicious attachments. The sample that our experts studied, for example, was disguised as a financial document. This suggests that the cybercriminals behind it are primarily interested in corporate “clients.”
A DOCX attachment in a spam e-mail contains a PDF document. If the user allows editing and tries to open the PDF, the system requests permission to run an executable file from an unknown publisher. With the user’s permission, Rakhni swings into action.
Like a thief in the night
When it’s started, the malicious PDF file appears to be a document viewer. First, the malware shows the victim an error message explaining why nothing has opened. Next, it disables Windows Defender and installs forged digital certificates. Only when the coast seems clear does it decide what to do with the infected device — encrypt files and demand ransom or install a miner.
Finally, the malicious program tries to spread to other computers inside the local network. If company employees have shared access to the Users folder on their devices, the malware copies itself onto them.
Mine or encrypt?
The selection criterion is simple: If the malware finds a service folder called Bitcoin on the victim’s computer, it runs a piece of ransomware that encrypts files (including Office docs, PDFs, images, and backups) and demands a ransom payment within three days. Details of the ransom, including how much, the cybercriminals kindly promise to send by e-mail.
If there are no Bitcoin-related folders on the device, and the malware believes it has enough power to handle cryptocurrency mining, it downloads a miner that surreptitiously generates Monero, Monero Original, or Dashcoin tokens in the background.
Owners of software stores (Google, Apple, Amazon, et al.) have to fight malware just as intensely as security solution vendors do. Like any circle, the process is never-ending: Cybercriminals write malware that worms its way into online stores, whereupon it gets named and shamed (not to mention deleted), the security policy is updated to avoid repeat incidents, and the cybercriminals contrive a way to sneak their creation past the new policy into the store.
We always recommend installing apps from official sources only, but that doesn’t mean that such sites are malware-free, just that there’s less of it than elsewhere. And although Google Play is fairly safe, the Chrome Web Store is a different kettle of piranha. In it, our experts recently discovered a malicious extension that targets users’ bank data.
A Trojan banker in your browser
The culprit was an extension named “Desbloquear Conteúdo” (Portuguese for “Unblock contents”), which essentially carried out a man-in-the-middle attack. When the user visited their bank’s website, a malicious script redirected the traffic through a proxy server belonging to the cybercriminals, allowing them to analyze it and pick out what they wanted.
The malware also contained scripts designed to extract certain information entered by users online. For example, when a user visited the bank’s login web page, the malware used a screen overlay perfectly matching the bank’s interface but replacing the login, password, and one-time confirmation code fields with its own. When the user pressed the login button, the malware copied the data for itself.
The domain on which the crooked C&C server was located used the same IP address as other domains previously exposed as malicious, which was one of the reasons the scheme caught our researchers’ attention. Once they’d confirmed their suspicions, the researchers contacted Google, and the malware was quickly removed from the Chrome Web Store.
Remember that during installation, Chrome extensions request access permissions that often give them near-limitless powers on your computer. Most malicious programs need just one permission: “Read and change all your data on the websites you visit” — which is pretty powerful.
So, handle extensions with extreme caution — they’re not necessarily benign, although they’re so easy to install, it’s easy to assume they can’t be powerful or do any harm.
Protecting against malicious browser extensions
Here are some tips that will help fend off malware masquerading as a handy browser extension:
Install only extensions that you trust completely. There is no one perfect test for trust, unfortunately, but at least stick to extensions supplied by reputable developers.
Don’t add extra extensions if you have no real need for them.
If an extension is no longer necessary, remove it. You can always install it again if need be.
Use a tried-and-tested security solution such as Kaspersky Internet Security. All new Chrome extensions are automatically sent to us for analysis, so even in the very latest extensions, malware has no place to hide.
However, in the month since the report was published, Roaming Mantis has learned to speak another two dozen languages and is rapidly spreading around the world.
The malware uses compromised routers to infect Android-based smartphones and tablets, redirect iOS devices to a phishing site, and runs the CoinHive cryptomining script on desktops and laptops. It does so by means of DNS hijacking, making it hard for targeted users to detect that something’s amiss.
What is DNS hijacking?
When you enter a site name in the browser address bar, the browser doesn’t actually send a request to this site. Because it can’t. The Internet operates on IP addresses, which are sets of numbers, while domain names with letters are for people, since they are easier to remember and input.
So the first thing the browser does when a URL is entered is to send a request to what is called a DNS server (DNS stands for Domain Name System), which translates the ‘human’ name into the IP address of the corresponding website. It is this IP address that the browser uses to locate and open the site.
DNS hijacking is a way of fooling the browser into thinking it has matched the domain name to the correct IP address when in fact it hasn’t. Although the IP address is wrong, the original URL entered by the user is displayed in the browser address bar, so nothing looks suspicious.
There are many DNS-hijacking techniques, but the creators of Roaming Mantis have chosen perhaps the simplest and the most effective: they hijack the settings of compromised routers, forcing them to use the attackers’ own rogue DNS servers. That means that whatever is typed in the browser address bar of a device connected to such a router, the user is redirected to a malicious site.
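One practical check for the router-level hijack described above, as an added example (not code from the post): parse the A-record answers two resolvers give for the same name and flag the name when the router-supplied resolver’s addresses share nothing with a trusted resolver’s. The packets, names and addresses below are constructed (documentation address ranges), and `build_response` exists only to make those samples.

```python
import struct


def _read_name(packet: bytes, offset: int):
    """Decode a DNS name at offset, following compression pointers (RFC 1035, 4.1.4).

    Returns (dotted name, offset just past the name as it appears in the packet).
    """
    labels = []
    jumped = False
    end = offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:           # two-byte compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:                     # root label terminates the name
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(packet: bytes) -> dict:
    """Map each answered name to the set of IPv4 addresses a DNS response gives for it."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    offset = 12
    for _ in range(qdcount):                # skip the question section
        _, offset = _read_name(packet, offset)
        offset += 4                         # QTYPE + QCLASS
    answers = {}
    for _ in range(ancount):
        name, offset = _read_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.setdefault(name, set()).add(".".join(str(b) for b in rdata))
    return answers


def build_response(txid: int, name: str, addrs: list) -> bytes:
    """Constructed sample packet: one question, one A answer per address, pointer-compressed."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in addrs:
        answers += (b"\xC0\x0C"                          # pointer to the question name
                    + struct.pack("!HHIH", 1, 1, 300, 4)
                    + bytes(int(x) for x in addr.split(".")))
    return header + question + answers


def dns_mismatch(router_reply: bytes, trusted_reply: bytes) -> list:
    """Names for which the router-supplied answer shares no address with the trusted one."""
    router = parse_a_records(router_reply)
    trusted = parse_a_records(trusted_reply)
    return sorted(n for n in router if n in trusted and not (router[n] & trusted[n]))


# Constructed replies: the hijacked router's resolver points the bank's name elsewhere.
ROUTER_REPLY = build_response(0x1234, "bank.example", ["203.0.113.5"])
TRUSTED_REPLY = build_response(0x1234, "bank.example", ["198.51.100.7"])

if __name__ == "__main__":
    print("router says:  ", parse_a_records(ROUTER_REPLY))
    print("trusted says: ", parse_a_records(TRUSTED_REPLY))
    print("mismatched names:", dns_mismatch(ROUTER_REPLY, TRUSTED_REPLY))
```

In a live check the router reply comes from the DHCP-assigned resolver and the trusted reply from a resolver you configured yourself; names served through CDNs legitimately differ between resolvers, so compare a name whose addresses are stable.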
Roaming Mantis on Android
After the user is redirected to the malicious site, they are prompted to update the browser. This leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk).
The malware requests a whole host of permissions during the installation process, including rights to access accounts information, send/receive SMS, process voice calls, record audio, access files, display its own window on top of others, and so on. For a trusted application like Google Chrome, such a list doesn’t seem too suspicious — if the user considers this ‘browser update’ legit, they are sure to grant permissions without even reading the list.
After the application is installed, the malware uses the right to access the list of accounts to find out which Google account is used on the device. Next, the user is shown a message (it appears on top of all other open windows, since the malware also requested permission for that) saying that something is wrong with their account and that they need to sign in again. A page then opens prompting the user to enter their name and date of birth.
It appears that this data, together with the SMS permissions that grant access to the one-time codes needed for two-factor authentication, is then used by the creators of Roaming Mantis to steal Google accounts.
Roaming Mantis: world tour, iOS debut, and mining
In the beginning, Roaming Mantis knew how to display messages in four languages: English, Korean, Chinese, and Japanese. But somewhere along the line its creators decided to expand and teach their polyglot malware another two dozen languages:
While they were at it, the creators also improved Roaming Mantis, teaching it to attack devices running iOS. It’s a different scenario from Android. It skips downloading the application and instead the malicious site displays a phishing page prompting the user to relog into the App Store right away. To add credibility, the address bar shows the reassuring address security.apple.com:
The cybercriminals do not confine themselves to stealing only Apple ID credentials; immediately after entering this data, the user is asked for a bank card number:
The third innovation that our experts uncovered concerns desktop computers and laptops. On these devices, Roaming Mantis runs the CoinHive mining script, which mines cryptocurrency straight into the pockets of the malware makers. The victim’s computer processor is loaded to the max, forcing the system to slow down and consume vast amounts of power.
Malware tends to evolve, with crooks adding new functions and techniques to help it avoid detection by antivirus programs. Sometimes, the evolution is rather rapid. For example, SynAck ransomware, which has been known since September 2017 (when it was just average, not particularly clever), has recently been overhauled to become a very sophisticated threat that avoids detection with unprecedented effectiveness and uses a new technique called Process Doppelgänging.
Malware creators commonly use obfuscation — attempts to make the code unreadable so that antiviruses will not recognize the malware — typically employing special packaging software for that purpose. However, antivirus developers caught on, and now antivirus software effortlessly unpacks such packages. The developers behind SynAck chose another way that requires more effort on both sides: thoroughly obfuscating the code before compiling it, making detection significantly harder for security solutions.
That’s not the only evasion technique the new version of SynAck uses. It also employs a rather complicated Process Doppelgänging technique — and it is the first ransomware seen in the wild to do so. Process Doppelgänging was first presented at Black Hat 2017 by security researchers, after which it was picked up by malefactors and used in several malware species.
Process Doppelgänging relies on some features of the NTFS file system and a legacy Windows process loader that exists in all Windows versions since Windows XP, letting developers create fileless malware that can pass off malicious actions as harmless, legitimate processes. The technique is complicated; to read more about it, see Securelist’s more detailed post on the topic.
SynAck has two more noteworthy features. First, it checks if it’s installed in the right directory. If it’s not, it doesn’t run — that’s an attempt to avoid detection by the automatic sandboxes various security solutions use. Second, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing. That’s a common technique for restricting malware to specific regions.
The usual crime
From the user’s perspective, SynAck is just more ransomware, notable mainly for its steep demand: $3,000. Before encrypting a user’s files, SynAck ensures it has access to its important file targets by killing some processes that would otherwise keep the files in use and off limits.
The victim sees the ransom note, including contact instructions, on the logon screen. Unfortunately, SynAck uses a strong encryption algorithm, and no flaws have been found in its implementation, so there is no way yet to decrypt the encrypted files.
We have seen SynAck distributed mostly by Remote Desktop Protocol brute force, which means it’s mostly targeted at business users. The limited number of attacks thus far — all of them in the USA, Kuwait, and Iran — bears out this hypothesis.
Getting ready for the next generation of ransomware
Even if SynAck is not coming for you, its existence is a clear sign that ransomware is evolving, becoming more and more sophisticated and harder to protect against. Decryptor utilities will appear less frequently as attackers learn to avoid the mistakes that made the creation of those decryptors possible. And despite ceding ground to hidden miners (just as we predicted), ransomware is still a big global trend, and knowing how to protect against all such threats is a must for every Internet user.
Recently, the United States shifted from using insecure magnetic stripe in credit and debit cards to better-protected chip-and-PIN cards, which are regulated by the EMV standard. That’s a big step toward increasing the security of transactions and reducing card fraud, and one might think that the end is near for the kind of card fraud that relied on cloning.
While researching malware for ATM jackpotting used by a Brazilian group called Prilex, our researchers stumbled upon a modified version of this malware with some additional features that was used to infect point-of-service (POS) terminals and collect card data.
This malware was capable of modifying POS software to allow a third party to capture the data transmitted by a POS to a bank. That’s how the crooks obtained the card data. Basically, when you pay at a local shop whose POS terminal is infected, your card data is transferred right away to the criminals.
However, having the card data is just half the battle; to steal money, they also needed to be able to clone cards, a process made more complicated by the chips and their multiple authentications.
The Prilex group developed a whole infrastructure that lets its “customers” create cloned cards — which in theory shouldn’t be possible.
To learn why it’s possible, you might first want to take a quick look at how EMV cards work. As for the cloning, we’ll try to keep it as simple as possible.
How the chip-and-PIN standard works
The chip on the card is not just flash memory, but a tiny computer capable of running applications. When the chip is introduced into a POS terminal, a sequence of steps begins.
The first step is called initialization: The terminal receives basic information such as cardholder name, card expiration date, and the list of applications the card is capable of running.
Second is an optional step called data authentication. Here, the terminal checks whether the card is authentic, a process that involves validating the card using cryptographic algorithms. The details are more complicated than we need to go into here.
Third is another optional step called cardholder verification; the cardholder must provide either the PIN code or a signature (depending on how the card was programmed). This step is used to ensure that the person trying to pay with a card is actually the same person the card was issued for.
Fourth, the transaction happens. Note that only steps 1 and 4 are mandatory. In other words, authentication and verification can be skipped — that’s where the Brazilians come in.
So, we have a card that is capable of running applications, and during its first handshake, the POS asks the card for information about the apps available to it. The number and complexity of steps needed for the transaction depend on the available applications.
The card-cloners created a Java application for cards to run. The application has two capabilities: First, it tells the POS terminal there is no need to perform data authentication. That means no cryptographic operations, sparing them the near-impossible task of obtaining the card’s private cryptographic keys.
But that still leaves PIN authentication. However, the EMV standard has an option that lets the entity checking whether the PIN is correct be… your card. Or, more precisely, an app running on your card.
You read that right: The cybercriminals’ app can say a PIN is valid, no matter what PIN was entered. That means that the crook wielding the card can simply enter four random digits — and they’ll always be accepted.
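As an added example (not from the post and not the Prilex code), the following Python models the terminal-side decisions described in the steps above: the AIP bits that say whether the card offers data authentication, the CVM rule that hands PIN checking to the chip, and a terminal policy that refuses to approve offline when the card offers no authentication at all. Bit layouts follow EMV Book 3; the card profiles, the PIN, the `Card` class and the `online_if_no_data_auth` policy flag are constructed for this simplified model.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Application Interchange Profile (AIP), byte 1 (EMV Book 3, Annex C1):
# which offline data-authentication methods the card offers.
AIP_SDA_SUPPORTED = 0x40
AIP_DDA_SUPPORTED = 0x20
AIP_CVM_SUPPORTED = 0x10      # card asks for cardholder verification
AIP_CDA_SUPPORTED = 0x01

# Cardholder Verification Method (CVM) rules: the low six bits of the first byte
# name the method, the second byte says when the rule applies.
CVM_PLAINTEXT_PIN_BY_ICC = 0x01   # terminal sends the PIN to the chip for a verdict
CVM_ENCIPHERED_PIN_ONLINE = 0x02  # PIN goes to the issuer, not the chip
CVM_NO_CVM_REQUIRED = 0x1F
CVM_CODE_MASK = 0x3F
COND_ALWAYS = 0x00
COND_IF_TERMINAL_SUPPORTS = 0x03


@dataclass
class Card:
    """What the terminal learns in step 1, plus how the chip answers a VERIFY command."""
    aip: bytes                          # 2 bytes returned by GET PROCESSING OPTIONS
    cvm_list: bytes                     # tag 8E: two 4-byte amounts, then 2-byte rules
    verify_pin: Callable[[str], bool]   # the chip's (or rogue applet's) PIN verdict


def offers_offline_data_auth(aip: bytes) -> bool:
    """Step 2 of the post: does the card offer SDA, DDA or CDA at all?"""
    return bool(aip[0] & (AIP_SDA_SUPPORTED | AIP_DDA_SUPPORTED | AIP_CDA_SUPPORTED))


def cvm_rules(cvm_list: bytes) -> List[Tuple[int, int]]:
    """Decode a CVM List into (method, condition) pairs, skipping the two amount fields."""
    rules = cvm_list[8:]
    return [(rules[i] & CVM_CODE_MASK, rules[i + 1]) for i in range(0, len(rules) - 1, 2)]


def cardholder_verified(card: Card, entered_pin: str) -> bool:
    """Step 3: apply the first applicable rule the card asked for."""
    for method, condition in cvm_rules(card.cvm_list):
        if condition not in (COND_ALWAYS, COND_IF_TERMINAL_SUPPORTS):
            continue
        if method == CVM_NO_CVM_REQUIRED:
            return True
        if method == CVM_PLAINTEXT_PIN_BY_ICC:
            # The hole the post describes: the terminal trusts the chip's own answer.
            return card.verify_pin(entered_pin)
        if method == CVM_ENCIPHERED_PIN_ONLINE:
            return True     # checked by the issuer during online authorisation
    return False


def authorize(card: Card, entered_pin: str, online_if_no_data_auth: bool) -> str:
    """Step 4 from the terminal's point of view: APPROVED_OFFLINE, DECLINED or GO_ONLINE.

    online_if_no_data_auth=False is the permissive behaviour the cloned card relies on:
    skip authentication because the card said so, accept the card's PIN verdict, approve
    offline. With it set to True the terminal sends such a transaction to the issuer,
    which checks a cryptogram that a clone without the card's keys cannot produce.
    """
    if card.aip[0] & AIP_CVM_SUPPORTED and not cardholder_verified(card, entered_pin):
        return "DECLINED"
    if not offers_offline_data_auth(card.aip):
        return "GO_ONLINE" if online_if_no_data_auth else "APPROVED_OFFLINE"
    # A genuine card offering SDA/DDA/CDA would be cryptographically checked here (not modelled).
    return "APPROVED_OFFLINE"


# Constructed card profiles (not real card data).
CLONED_CARD = Card(
    aip=bytes([AIP_CVM_SUPPORTED, 0x00]),          # no SDA, DDA or CDA offered
    cvm_list=bytes(8) + bytes([CVM_PLAINTEXT_PIN_BY_ICC, COND_ALWAYS]),
    verify_pin=lambda pin: True,                    # rogue applet: any PIN is "correct"
)
GENUINE_CARD = Card(
    aip=bytes([AIP_DDA_SUPPORTED | AIP_CVM_SUPPORTED, 0x00]),
    cvm_list=bytes(8) + bytes([CVM_PLAINTEXT_PIN_BY_ICC, COND_ALWAYS]),
    verify_pin=lambda pin: pin == "4821",           # constructed PIN
)

if __name__ == "__main__":
    for policy in (False, True):
        print("online_if_no_data_auth =", policy)
        print("  cloned card, random PIN 0000:", authorize(CLONED_CARD, "0000", policy))
        print("  genuine card, wrong PIN 0000:", authorize(GENUINE_CARD, "0000", policy))
        print("  genuine card, right PIN:     ", authorize(GENUINE_CARD, "4821", policy))
```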
Card fraud as a service
The infrastructure Prilex created includes the Java applet described above and a client application called “Daphne” for writing the information onto smart cards (smart card reader/writer devices and blank smart cards are inexpensive and completely legal to buy). The same app is also used for checking the amount of money that can be withdrawn from the card.
The infrastructure also includes the database with card numbers and other data. Whether the card is debit or credit doesn’t matter; “Daphne” can create clones of both. The crooks sell it all as a package, mostly to other criminals in Brazil, who then create and use the cloned cards.
According to Aite’s 2016 Global Consumer Card Fraud report, it is safe to assume that all users have been compromised. Whether you use a card with a magnetic stripe or a more secure chip-and-PIN card doesn’t matter — if you have a card, its information has probably been stolen.
Now that criminals have developed a method to actually clone the cards, that starts to look like a very serious financial threat. If you want to avoid losing significant amounts of money through card fraud, we recommend you do the following:
Keep an eye on your card’s transaction history, using either mobile push or SMS notifications. If you notice suspicious spending, call your bank ASAP and block the card right away.
Use Android Pay or Apple Pay if possible; these methods don’t disclose your card data to the POS. That’s why they can be considered more secure than inserting your card into a POS.
Use a separate card for Internet payments, because this card is even more likely to be compromised than those you use only in brick-and-mortar stores. Don’t keep large sums of money on that card.
We at Kaspersky Lab monitor, report, and protect against a lot of threat actors, some of which are known internationally and sometimes featured in the news. It doesn’t matter which language the threat actor speaks; it’s our duty to know about it, investigate it, and protect our customers from it.
One of the most active threat actors is a Russian-speaking APT called Sofacy, also known as APT28, Fancy Bear, and Tsar Team, infamous for its spear phishing campaigns and cyberespionage activities. In 2017, it shifted focus in a way worthy of an update here.
We’ve been watching Sofacy since 2011 and are pretty familiar with the instruments and tactics the threat actor is using. Last year, the main change was that it moved beyond the NATO countries it was actively spear phishing in the beginning of the year and onto countries in the Middle East and Asia — and farther — in Q2 2017. Earlier, Sofacy also targeted the Olympic Games, the World Anti-Doping Agency (WADA), and the Court of Arbitration for Sports (CAS).
Sofacy uses different tools for different target profiles. For example, in early 2017 a campaign called Dealer’s Choice targeted mostly military and diplomatic organizations (mainly in NATO countries and Ukraine); later, the hackers were using two other tools, which we call Zebrocy and SPLM, to target companies of different profiles including science and engineering centers and press services. Both Zebrocy and SPLM were heavily modified last year, with SPLM (which also goes by the name Chopsticks) becoming modular and using encrypted communications.
The usual infection scheme starts with a spear-phishing letter containing a file with a script that downloads the payload. Sofacy is known for finding and exploiting zero-day vulnerabilities and using those exploits to deliver the payload. The threat actor maintains a high level of operational security and really focuses on making its malware harder to detect — which, of course, makes it harder to investigate.
In cases of highly sophisticated targeted campaigns such as Sofacy, thorough incident investigation is vital. It will allow you to figure out what information malefactors were after, understand their motives, and detect the presence of any sleeping implants.
To do that, your security system needs not only advanced protective solutions but also an endpoint detection and response system. Such a system detects threats at early stages, and helps analyze events that predated the incident. Having skilled experts doesn’t hurt, either. As a solution, we offer the Threat Management and Defense platform, which incorporates Kaspersky Anti Targeted Attack, Kaspersky Endpoint Detection and Response, and expert services.
You can find more information on the threat actor’s activity in 2017, including technical details, on Securelist. Further, at the start of this year, our researchers found some interesting shifts in Sofacy’s behavior that we will highlight at the SAS 2018 conference. If you are interested in APTs and building defense against them, don’t forget to get a ticket — or at least visit our blogs frequently during the SAS.
The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.
What is Cryakl?
The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.
When encrypting files on a victim’s computer, Cryakl creates a long key that it sends to a command-and-control (C&C) server. Without this key, it is nearly impossible to recover files impacted by the malware. After that, Cryakl replaces the desktop wallpaper with contact details for its creators together with a ransom demand. Cryakl also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.
As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.
The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.
How to rescue files encrypted by Cryakl ransomware
The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at NoMoreRansom.org, and get decryption instructions here.
We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.
How to stay safe in the future
When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:
1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.
2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.
3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.
4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.
Most Trojans are basically the same: Having penetrated a device, they steal the owner’s payment information, mine cryptocurrency for the attackers, or encrypt data and demand a ransom. But some display capabilities more reminiscent of Hollywood spy movies.
We recently discovered one such cinematic Trojan by the name of Skygofree (it doesn’t have anything to do with the television service Sky Go; it was named after one of the domains it used). Skygofree is overflowing with functions, some of which we haven’t encountered elsewhere. For example, it can track the location of a device it is installed on and turn on audio recording when the owner is in a certain place. In practice, this means that attackers can start listening in on victims when, say, they enter the office or visit the CEO’s home.
Another interesting technique Skygofree employs is surreptitiously connecting an infected smartphone or tablet to a Wi-Fi network controlled by the attackers — even if the owner of the device has disabled all Wi-Fi connections on the device. This lets the victim’s traffic be collected and analyzed. In other words, someone somewhere will know exactly what sites were looked at and what logins, passwords, and card numbers were entered.
The malware also has a couple of functions that help it operate in standby mode. For example, the latest version of Android can automatically stop inactive processes to save battery power, but Skygofree is able to bypass this by periodically sending system notifications. And on smartphones made by one of the tech majors, where all apps except for favorites are stopped when the screen is turned off, Skygofree adds itself automatically to the favorites list.
The malware can also monitor popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp. In the latter case, the developers again showed savvy — the Trojan reads WhatsApp messages through Accessibility Services. We have already explained how this tool for visually or aurally impaired users can be used by intruders to control an infected device. It’s a kind of “digital eye” that reads what’s displayed on the screen, and in the case of Skygofree, it collects messages from WhatsApp. Using Accessibility Services requires the user’s permission, but the malware hides the request for permission behind some other, seemingly innocent, request.
Last but not least, Skygofree can secretly turn on the front-facing camera and take a shot when the user unlocks the device — one can only guess how the criminals will use these photos.
However, the authors of the innovative Trojan did not dispense with more mundane features. Skygofree can also intercept calls, SMS messages, calendar entries, and other user data.
The promise of fast Internet
We discovered Skygofree recently, in late 2017, but our analysis shows the attackers have been using it — and constantly enhancing it — since 2014. Over the past three years, it has grown from a rather simple piece of malware into full-fledged, multifunctional spyware.
The malware is distributed through fake mobile operator websites, where Skygofree is disguised as an update to improve mobile Internet speed. If a user swallows the bait and downloads the Trojan, it displays a notification that setup is supposedly in progress, conceals itself from the user, and requests further instructions from the command server. Depending on the response, it can download a variety of payloads — the attackers have solutions for almost every occasion.
Forewarned is forearmed
To date, our cloud protection service has logged only a few infections, all in Italy. But that doesn’t mean that users in other countries can let their guard down; malware distributors can change their target audience at any moment. The good news is that you can protect yourself against this advanced Trojan just like any other infection:
Install apps only from official stores. It’s wise to disable installation of apps from third-party sources, which you can do in your smartphone settings.
If in doubt, don’t download. Pay attention to misspelled app names, small numbers of downloads, or dubious requests for permissions — any of these things should raise flags.
Install a reliable security solution — for example, Kaspersky Internet Security for Android. This will protect your device from most malicious apps and files, suspicious websites, and dangerous links. In the free version, scans must be run manually; the paid version scans automatically.
We recommend that business users deploy Kaspersky Security for Mobile — a component of Kaspersky Endpoint Security for Business — to protect the phones and tablets employees use at work.
The story of the Internet and its Things may seem as star-crossed a tale as any, but it does not need to be hopeless. Although security researchers Dennis Giese and Daniel Wegemer eventually managed to hack into the Xiaomi Mi Robot vacuum cleaner, their research shows that the device is much more secure than most other smart things are.
In their talk at Chaos Communication Congress 34, which was held in Leipzig recently, the researchers explained how the device’s software works and which vulnerabilities they had to use to finally crack its protection.
Hacking the Mi Robot with tinfoil
When they started their research, Giese and Wegemer were amazed to find that the Xiaomi vacuum cleaner has more powerful hardware than many smartphones do: It is equipped with three ARM processors, one of which is quad core. Sounds pretty promising, right? So, for starters, Giese and Wegemer tried to use several obvious attack vectors to hack the system.
First, they examined a unit to see if there was a way in through the vacuum cleaner’s micro USB port. That was a dead end: Xiaomi has secured this connection with some kind of authentication. After that, the researchers took the Mi Robot apart and tried to find a serial port on its motherboard. This attempt was likewise unsuccessful.
Their second hacking method was network based. The researchers tried to scan the device’s network ports, but all ports were closed. Sniffing network traffic didn’t help, either; the robot’s communications were encrypted. At this point, I’m already rather impressed: Most other IoT devices would have been hacked by now because their creators usually don’t go this far in terms of security. Our recent research on how insecure connected devices are illustrates it perfectly.
However, let’s get back to the Xiaomi Mi Robot. The researchers’ next attempt was to attack the vacuum cleaner’s hardware. Here, they finally succeeded — by using aluminum foil to short-circuit some of the tiny contacts connecting processor to motherboard, causing the processor to enter a special mode that allows reading and even writing to flash memory directly through the USB connection.
That’s how Giese and Wegemer managed to obtain Mi Robot firmware, reverse-engineer it, and, eventually, modify and upload it to the vacuum cleaner, thereby gaining full control over the unit.
Hacking the Mi Robot wirelessly
But cracking stuff open and hacking hardware is not nearly as cool as noninvasive hacks. After reverse-engineering the device’s firmware, the researchers figured out how to hack into it using nothing more than Wi-Fi — and a couple of flaws in the firmware’s updating mechanism.
Xiaomi's firmware-update procedure is good on paper: new software arrives over an encrypted connection, and the firmware package is itself encrypted. The weak link is the key. To encrypt update packages, Xiaomi used a static password, “rockrobo” (don't use weak passwords, kids), the same on every unit and recoverable from the firmware the researchers had already dumped. Encryption under a key like that hides the package's contents but proves nothing about who built it, and, as the next step shows, the device installs whatever decrypts correctly. Knowing the password was therefore enough for the researchers to build a properly encrypted package containing their own rigged firmware.
After that, they used the security key obtained from Xiaomi's smartphone app (the credential the app uses to talk to the robot) to send the vacuum cleaner an update command pointing not at Xiaomi's cloud but at their own server. The robot downloaded and installed the rigged package from there, and the device was hacked a second time, this time wirelessly.
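To make the two update flaws concrete, here is an added example in Go. It is my model, not the researchers' tooling or Xiaomi's code, and it does not reproduce the real package format or cipher: the static password “rockrobo” is the only detail taken from the talk, while AES-256-CTR with a zero IV as the package cipher, the FWIMG1 header, the vendor host ota.vendor.example and the firmware payloads are assumptions made for the model. The weak design accepts any package that decrypts, so a rigged image built with the known password installs; the hardened design checks an Ed25519 signature against a public key before decrypting, so the same image is rejected, and the update command's download URL is restricted to the vendor's host over TLS.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Added model, not the real Mi Robot format. The only detail taken from the talk is the static
// password; AES-256-CTR with a zero IV, the header bytes and the vendor host are assumptions.
const (
	staticPassword = "rockrobo"           // the static package password named in the talk
	vendorOTAHost  = "ota.vendor.example" // hypothetical vendor update host
)
var fwMagic = []byte("FWIMG1") // constructed header a device checks after decrypting

// aesCTR encrypts or decrypts a package under a key derived from the password (CTR is
// symmetric; the zero IV is a model simplification). With a static password every unit
// shares this key, and anyone who dumps one firmware image learns it.
func aesCTR(pw string, data []byte) []byte {
	key := sha256.Sum256([]byte(pw))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}

// Weak design: the vendor builds packages like this, and so can anyone holding the password.
func buildWeakPackage(pw string, firmware []byte) []byte { return aesCTR(pw, firmware) }

// installWeak is the device side: decrypt, check the header, flash. That is the most a
// decryption-only scheme can check, and it cannot tell the vendor from an attacker.
func installWeak(pw string, pkg []byte) ([]byte, error) {
	fw := aesCTR(pw, pkg)
	if !bytes.HasPrefix(fw, fwMagic) {
		return nil, errors.New("not a firmware image")
	}
	return fw, nil
}

// Hardened design: the vendor signs the ciphertext with a private key that never leaves the
// vendor. The device holds only the public key, so a firmware dump yields nothing usable.
type SignedPackage struct {
	Ciphertext, Signature []byte // Signature is Ed25519 over Ciphertext
}

func buildSignedPackage(priv ed25519.PrivateKey, pw string, firmware []byte) SignedPackage {
	ct := aesCTR(pw, firmware)
	return SignedPackage{Ciphertext: ct, Signature: ed25519.Sign(priv, ct)}
}

// installSigned verifies before it decrypts or parses anything.
func installSigned(pub ed25519.PublicKey, pw string, p SignedPackage) ([]byte, error) {
	if !ed25519.Verify(pub, p.Ciphertext, p.Signature) {
		return nil, errors.New("signature check failed, package rejected")
	}
	return installWeak(pw, p.Ciphertext) // same decrypt-and-check step, now reached only for vendor packages
}

// allowedUpdateSource covers the second flaw: the device must not fetch from whatever URL an
// update request names. Require TLS and the vendor's own host.
func allowedUpdateSource(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https" && u.Hostname() == vendorOTAHost
}

type Outcome struct{ WeakAcceptsAttacker, SignedAcceptsVendor, SignedAcceptsAttacker bool }

// Run replays the attack from the talk against both designs and reports what each installs.
func Run() Outcome {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // rand failure not modelled
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)       // the attacker's own key, not the vendor's
	genuine := append(append([]byte{}, fwMagic...), "genuine build"...)
	rigged := append(append([]byte{}, fwMagic...), "rigged build"...) // constructed images
	var o Outcome
	_, e := installWeak(staticPassword, buildWeakPackage(staticPassword, rigged))
	o.WeakAcceptsAttacker = e == nil
	_, e = installSigned(vendorPub, staticPassword, buildSignedPackage(vendorPriv, staticPassword, genuine))
	o.SignedAcceptsVendor = e == nil
	_, e = installSigned(vendorPub, staticPassword, buildSignedPackage(attackerPriv, staticPassword, rigged))
	o.SignedAcceptsAttacker = e == nil
	return o
}

func main() {
	fmt.Printf("%+v\n", Run()) // {WeakAcceptsAttacker:true SignedAcceptsVendor:true SignedAcceptsAttacker:false}
	fmt.Println("attacker URL allowed:", allowedUpdateSource("http://10.0.0.5/fw.pkg")) // false
}
```

Running it with `go run` prints the outcome for both designs. The point to take away is that encrypting a package under a key that sits on every device proves nothing about who built the package, whereas a signature made with a key kept off the device does, and checking the signature before decrypting means a forged package is never parsed at all.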
Inside the Mi Robot’s firmware
Examining the firmware, Giese and Wegemer learned a couple of interesting things about Xiaomi smart devices. First, the Mi Robot firmware is basically Ubuntu Linux, which is regularly and quickly patched. Second, it uses a different superuser password for each device; there's no master password that could be used to mass-hack a whole lot of vacuum cleaners at once. And third, the system runs a firewall that closes every network port an attacker could otherwise reach, which matches what the earlier port scan found. Again, hats off to Xiaomi: By IoT standards, this is surprisingly good protection.
The researchers also learned something disappointing about the Mi Robot, however. The device collects and uploads to the Xiaomi cloud a lot of data, several megabytes per day. Along with reasonable things such as device operation telemetry, this data includes the names and passwords of the Wi-Fi networks the device connects to, and the maps of rooms it builds with its built-in lidar sensor. Even more disturbing, this data stays on the device indefinitely, even after a factory reset. So if someone buys a used Xiaomi vacuum cleaner on eBay and roots it, they can easily recover the previous owner's Wi-Fi credentials and floor plans.
Concluding this post, it’s worth emphasizing that both of the techniques Giese and Wegemer used enabled them to hack only their own devices. The first one required physical access to the vacuum cleaner. As for the second, they had to obtain the security key to make an update request, and those keys are generated every time the device is paired with the mobile app. The security keys are unique, and it’s not that easy to get them if you don’t have access to the smartphone that is paired with the Xiaomi device you’re going to hack.
All in all, it doesn’t look like the Xiaomirai is nigh. Quite the contrary: The research shows that Xiaomi puts much more effort into security than most other smart device manufacturers do, and that is a hopeful sign for our connected future. Almost everything can be hacked, but if something takes a lot of effort to hack, it’s less likely that criminals will bother trying — they are usually after easy money.
Virus writers are creating all sorts of unpleasantness for Android device owners. We all know about the theft of personal data that later turns up on the black market. And about money leaking out of credit cards. But what about a Trojan that can make your device literally go up in smoke? Well, it’s here.
How the jack-of-all-trades Loapi operates
Users pick up the Loapi Trojan by clicking on an ad banner and downloading a fake AV or adult-content app (the most likely vehicles for this Trojan). After installation, Loapi demands administrator rights — and it doesn’t take no for an answer; notification after notification appears on the screen until the desperate user finally gives in and taps OK.
If the smartphone owner later tries to deprive the app of administrator rights, the Trojan locks the screen and closes the settings window. And if the user tries to download apps that genuinely protect the device (for example, a real AV, not a fake one), Loapi declares them to be malware and demands their removal. Another notification to that effect pops up endlessly, until the user throws in the towel.
Icons of fake apps in which Loapi conceals itself
Because of Loapi’s modular structure, it can switch functions on the fly at a remote server’s command, downloading and installing the necessary add-ons all by itself. Let’s take a look at some consequences of an encounter with the new Trojan.
1. Unwanted ads
Loapi relentlessly plagues the owner of the infected smartphone with banner and video ads. This module of the Trojan can also download and install other apps, visit links, and open pages in Facebook, Instagram, and VKontakte — apparently to drive up various ratings.
2. Paid subscriptions
Another module of the Trojan can sign up users to paid services. Such subscriptions usually need to be confirmed by SMS — but that doesn’t stop Loapi either. It has yet another special module that sends a text message to the required number, and does so secretly. What’s more, all messages (both outgoing and incoming) are immediately deleted.
3. DDoS attacks
The Trojan can turn your phone into a zombie and hijack it to use in DDoS attacks against Web resources. To do so, it uses a built-in proxy server and sends HTTP requests from the infected device.
4. Cryptocurrency mining
Loapi also uses the smartphone to mine Monero. This is the activity that can overheat the device: the processor runs at maximum load for hours on end. During our research, the battery of the test smartphone was wrecked by the heat 48 hours after the device was infected.
5. Downloading new modules
Now for the most interesting bit. At the command of a remote center, the malware can download new modules — that is, adapt to any new cash-out strategy its creators develop. For example, one day it might transform into ransomware, spyware, or a banking Trojan. In the code of the current version, our experts discovered functions that have yet to be deployed and are clearly intended for use further down the line.
How to protect yourself from the Loapi Trojan
As is often the case, prevention is better than cure. If a device is already infected, restarting it in safe mode, which keeps third-party apps from running, lets you revoke the administrator right and uninstall the app without the Trojan closing the settings window. To avoid swallowing the malware bait in the first place, observe some simple rules.
Install apps only from official stores. Google Play has a dedicated team responsible for catching mobile malware. Trojans do occasionally infiltrate official stores, but the chances of encountering one there are far lower than on dubious sites.
Disable the installation of apps from unknown sources for added security. To do so, in Settings go to Security and ensure that the Unknown sources check box is not selected. On Android 8 and later this is a per-app permission, Install unknown apps, rather than one global check box; make sure no browser or messenger has it.
Don’t install what you don’t really need. As a general rule, the fewer applications you install, the more secure your device is.
Get a reliable and proven AV for Android and regularly scan your device with it. Even free applications, such as the basic version of Kaspersky Internet Security for Android, offer good protection.