A newly discovered watering-hole campaign is targeting Apple iPhone users in Hong Kong by using malicious website links as a lure to install spyware on the devices.

According to research published by Trend Micro and Kaspersky, the “Operation Poisoned News” attack leverages a remote iOS exploit chain to deploy a feature-rich implant called ‘LightSpy’ through links to local news websites, which when clicked, executes the malware payload and allows an interloper to exfiltrate sensitive data from the affected device and even take full control.

Watering-hole attacks typically let a bad actor compromise a specific group of end-users by infecting websites that they are known to visit, with an intention to gain access to the victim’s device and load it with malware.

The APT group, dubbed “TwoSail Junk” by Kaspersky, is said to be leveraging vulnerabilities present in iOS 12.1 and 12.2 spanning all models from iPhone 6 to the iPhone X, with the attacks first identified on January 10, before intensifying around February 18.​

images from Hacker News

Preying on public fears, the ongoing coronavirus outbreak is proving to be a goldmine of opportunity for attackers to stage a variety of malware attacks, phishing campaigns, and create scam sites and malicious tracker apps.

Now in a fresh twist, third-party Android app developers too have begun to take advantage of the situation to use coronavirus-related keywords in their app names, descriptions, or in the package names so as to drop malware, perpetrate financial theft and rank higher in Google Play Store searches related to the topic.

“Most malicious apps found are bundle threats that range from ransomware to SMS-sending malware, and even spyware designed to clean out the contents of victims’ devices for personal or financial data,” Bitdefender researchers said in a telemetry analysis report shared with The Hacker News.

The find by Bitdefender is the latest in an avalanche of digital threats piggybacking on the coronavirus pandemic.

images from Hacker News

The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions.

The Android app, called “TrickMo” by IBM X-Force researchers, is under active development and has exclusively targeted German users whose desktops have been previously infected with the TrickBot malware.

“Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016,” IBM researchers said. “In 2020, it appears that TrickBot’s vast bank fraud is an ongoing project that helps the gang monetise compromised accounts.”

The name TrickMo is a direct reference to a similar kind of Android banking malware called ZitMo that was developed by Zeus cybercriminal gang in 2011 to defeat SMS-based two-factor authentication.

The development is the latest addition in the arsenal of evolving capabilities of the banking trojan that has since morphed to deliver other kinds of malware, including the notorious Ryuk ransomware, act as an info stealer, loot Bitcoin wallets, and harvest emails and credentials.

images from Hacker News

A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic.

Tracked as CVE-2020-7982, the vulnerability resides in the OPKG package manager of OpenWrt that exists in the way it performs integrity checking of downloaded packages using the SHA-256 checksums embedded in the signed repository index.

While an ‘opkg install’ command is invoked on the victim system, the flaw could allow a remote man-in-the-middle attacker in a position to intercept the communication of a targeted device to execute arbitrary code by tricking the system into installing a malicious package or software update without verification.

If exploited successfully, a remote attacker could gain complete control over the targeted OpenWrt network device, and subsequently, over the network traffic it manages.

The three-year-old vulnerability was discovered earlier this year by Guido Vranken from the ForAllSecure software company, who then reported it responsibly to the OpenWrt development team.

In a blog post published today, Vranken explained that when a checksum contains any leading spaces, OPKG on the vulnerable versions of OpenWrt skips checking the integrity of the downloaded package and proceeds to the installation task.

images from Hacker News

More than 50 Android apps on the Google Play Store—most of which were designed for kids and had racked up almost 1 million downloads between them—have been caught using a new trick to secretly click on ads without the knowledge of smartphone users.

Dubbed “Tekya,” the malware in the apps imitated users’ actions to click ads from advertising networks such as Google’s AdMob, AppLovin’, Facebook, and Unity, cybersecurity firm Check Point Research noted in a report shared with The Hacker News.

“Twenty four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on),” the researchers said.

While the offending apps have been removed from Google Play, the find by Check Point Research is the latest in an avalanche of ad fraud schemes that have plagued the app storefront in recent years, with malware posing as optimizer and utility apps to perform phony clicks on ads.

Malware Abuses MotionEvent API to Simulate User Clicks

Stating that the campaign cloned legitimate popular apps to gain an audience, the newly discovered 56 apps were found bypassing Google Play Store protections by obfuscating its native code and relying on Android’s MotionEvent API to simulate user clicks.

Once an unwitting user installed one of the malicious apps, the Tekya malware registers a receiver, an Android component that’s invoked when a certain system or application event occurs — such as a device restart or when the user is actively using the phone.

images from Hacker News