WhatsApp-based wormable Android malware spotted on the Google Play Store

Cybersecurity researchers have discovered yet another piece of wormable Android malware—but this time downloadable directly from the official Google Play Store—that’s capable of propagating via WhatsApp messages.

Disguised as a rogue Netflix app under the name of “FlixOnline,” the malware comes with features that allow it to automatically reply to a victim’s incoming WhatsApp messages with a payload received from a command-and-control (C&C) server.

“The application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote C&C server,” Check Point researchers said in an analysis published today.

Besides masquerading as a Netflix app, the malicious “FlixOnline” app also requests intrusive permissions that allow it to create fake login screens for other apps, with the goal of stealing credentials, and to gain access to all notifications received on the device, which it uses to hide WhatsApp notifications from the user and automatically reply with a specially crafted payload received from the C&C server.

“The malware’s technique is fairly new and innovative,” said Aviran Hazum, manager of mobile intelligence at Check Point. “The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager.”

images from Hacker News

11 Useful Security Tips for Securing Your AWS Environment

Want to take advantage of excellent cloud services? Amazon Web Services may be the perfect solution, but don’t forget about AWS security.

Whether you want to use AWS for a few things or everything, you need to protect access to it. Then you can make sure your business can run smoothly.

Read on to learn some important AWS security tips.

Use Multi-Factor Authentication

When setting up your AWS security settings or adding new users, you should implement multi-factor authentication (MFA). MFA relies on more than one login factor to grant you access to your account.

For example, when you log in to your account, the program might send a code to your mobile phone. Then you must verify that you have that phone and enter the code to access your account.

Critical Auth Bypass Bug Found in VMware Data Center Security Product

A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems.

Tracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects all versions of the product prior to 1.0.1.

Carbon Black Cloud Workload is a data center security product from VMware that aims to protect critical servers and workloads hosted on vSphere, the company’s cloud-computing virtualization platform.

“A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” VMware said in its advisory, thereby allowing an adversary with network access to the interface to gain access to the administration API of the appliance.

Armed with the access, a malicious actor can then view and alter administrative configuration settings, the company added.

Pre-Installed Malware Dropper Found On German Gigaset Android Phones

In what appears to be a fresh twist in Android malware, users of Gigaset mobile devices are encountering unwanted apps that are being downloaded and installed through a pre-installed system update app.

“The culprit installing these malware apps is the Update app, package name com.redstone.ota.ui, which is a pre-installed system app,” Malwarebytes researcher Nathan Collier said. “This app is not only the mobile device’s system updater, but also an auto installer known as Android/PUP.Riskware.Autoins.Redstone.”

The development was first reported by German author and blogger Günter Born last week.

While the issue seems to be mainly affecting Gigaset phones, devices from a handful of other manufacturers appear to be impacted as well. The full list of devices that come with the pre-installed auto-installer includes Gigaset GS270, Gigaset GS160, Siemens GS270, Siemens GS160, Alps P40pro, and Alps S20pro+.

According to Malwarebytes, the Update app installs three different versions of a trojan (“Trojan.Downloader.Agent.WAGD”) that’s capable of sending SMS and WhatsApp messages, redirecting users to malicious game websites, and downloading additional malware-laced apps.

Experts uncover a new Banking Trojan targeting Latin American users

Researchers on Tuesday revealed details of a new banking trojan targeting corporate users in Brazil at least since 2019 across various sectors such as engineering, healthcare, retail, manufacturing, finance, transportation, and government.

Dubbed “Janeleiro” by Slovak cybersecurity firm ESET, the malware aims to disguise its true intent via lookalike pop-up windows that are designed to resemble the websites of some of the biggest banks in the country, including Itaú Unibanco, Santander, Banco do Brasil, Caixa Econômica Federal, and Banco Bradesco.

“These pop-ups contain fake forms, aiming to trick the malware’s victims into entering their banking credentials and personal information that the malware captures and exfiltrates to its [command-and-control] servers,” ESET researchers Facundo Muñoz and Matías Porolli said in a write-up.

This modus operandi is not new to banking trojans. In August 2020, ESET uncovered a Latin American (LATAM) banking trojan called Mekotio that displayed similar fake pop-up windows to its victims in an attempt to entice them into divulging sensitive information.
