Android Users Archives - CISO MAG | Cyber Security Magazine

Finland Warns About ‘Flubot’ Malware Spread Via SMS
https://staging-cisomagcom.kinsta.cloud/finland-warns-about-flubot-malware-spread-via-sms/
Fri, 03 Dec 2021 09:41:11 +0000

FluBot – an infamous banking malware that affected thousands of users across Australia and the U.K. – is now active in Finland.

In an official alert, Finland’s National Cyber Security Centre (NCSC-FI) warned about a massive FluBot malware campaign targeting Android users in the country since June 2021. The Finnish Transport and Communications Agency has reportedly received multiple reports about dozens of messages sent to spread the FluBot malware.

What is FluBot?  

FluBot is a sophisticated malware targeting Android users via malicious messages or pop-ups. The messages that carry FluBot usually alert the victims that they have a new voicemail or missed call from an unknown number. The message contains a link, which, once clicked, redirects the user to a malicious website impersonating a legitimate website. The malware is then deployed on the targeted device.

How FluBot Infects

Officials stated that the FluBot campaign sent fraudulent text messages to Android device users. FluBot malware can steal sensitive information from the compromised device and infect other banking apps installed on the device.

“Clicking on the link does not yet install the malware. Users will be requested to allow the installation. The malware may steal data from the device and send malware-spreading scam messages. The messages are often written without Scandinavian letters (å, ä and ö) and may contain the characters +, /, &, % and @ in random and illogical places in the text,” the alert said.

The NCSC-FI urged organizations to be vigilant and to inform their personnel about the FluBot campaign. Users are advised not to click on links from unknown sources and not to download files or attachments shared via links or messages.

“Preparedness is important, and organizations should inform their personnel about FluBot to ensure that their employees do not install the malware on their phones. It is important for organizations to know what information and data phones contain and assess the risks of a potential data leak because FluBot steals information from phones,” the alert added.

Mitigation

NCSC-FI offered certain mitigation measures for the affected users:

  • Perform a factory reset on the device. If you restore your settings from a backup, make sure you restore from a backup created before the malware was installed.
  • Contact your bank if you used a banking application or handled credit card information on the infected device.
  • Report any financial losses to the police.
  • Reset your passwords on any services you have used with the device. The malware might have stolen your password if you logged in after installing the malware.
  • Contact your operator because your subscription may have been used to send text messages subject to a charge. The currently active malware for Android devices spreads by sending text messages from infected devices.

Commenting on the latest malware campaign, Aino-Maria Väyrynen, Information Security Adviser at the NCSC-FI, said, “According to our current estimate, tens of thousands of messages have been sent to people in Finland during one day. We expect the amount to increase in the coming days and weeks. We managed to almost completely eliminate FluBot from Finland at the end of summer thanks to cooperation among the authorities and telecommunications operators. The currently active malware campaign is a new one because the previously implemented control measures are not effective.”

Vulnerabilities in MediaTek Chips Found in 37% of Smartphones Worldwide
https://staging-cisomagcom.kinsta.cloud/vulnerabilities-in-mediatek-chips-found-in-37-of-smartphones-worldwide/
Thu, 25 Nov 2021 14:00:39 +0000

Security experts from Check Point discovered multiple security flaws in smartphone chips developed by MediaTek, which could have allowed attackers to spy on Android users.

In its report, Check Point identified multiple vulnerabilities inside the chip’s audio processor, which is embedded in 37% of smartphones worldwide. Taiwan-based MediaTek is one of the largest chipset vendors and supplies its products to various smartphone brands, including Xiaomi, Realme, OPPO, and Vivo.

The Vulnerabilities

The vulnerabilities are CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663 in MediaTek’s audio Digital Signal Processor (DSP), and CVE-2021-0673 in the audio HAL. If exploited, the vulnerabilities could allow a remote hacker to spy or eavesdrop on the targeted user from an unprivileged Android app.

MediaTek said that it had fixed all vulnerabilities after the vulnerability disclosure.

“A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user. By chaining with vulnerabilities in Original equipment manufacturer (OEM) partner’s libraries, the MediaTek security issues we found could lead to local privilege escalation from an Android application,” the researchers said.

Attack Methodology

  • A user installs a malicious app from the Play Store and launches it.
  • The app uses the MediaTek API to attack a library with permissions to talk with the audio driver.
  • The app with system privilege sends crafted messages to the audio driver to execute code in the firmware of the audio processor.
  • The app steals the audio flow.

While there is no evidence that the vulnerabilities were being exploited before they were patched, MediaTek urged users to immediately update their smartphones and IoT devices to prevent any risks.

Commenting on the vulnerability disclosure, Slava Makkaveev, Security Researcher at Check Point Software, said, “We embarked on research into the technology, which led to the discovery of a chain of vulnerabilities that potentially could be used to reach and attack the audio processor of the chip from an Android application. Left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users. Furthermore, the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdrop campaign. Although we do not see any specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi. In summary, we proved out a completely new attack vector that could have abused the Android API.”

1 in 15 Government Employees Exposed to Phishing Attacks
https://staging-cisomagcom.kinsta.cloud/1-in-15-government-employees-exposed-to-phishing-attacks/
Thu, 18 Mar 2021 16:41:33 +0000

Android users who are running older versions of the operating system are prone to various mobile takeover attacks. A recent analysis from mobile security firm Lookout found that 99.2% of Android users in U.S. government agencies are running outdated operating systems, exposing their devices to vulnerabilities and cyberattacks. The findings raised severe security concerns since federal agencies host critical, sensitive information.

Key Findings

  • Nearly 99% of U.S. government Android users are exposed to hundreds of vulnerabilities due to out-of-date operating systems.
  • App threats surged nearly 20 times across all levels of government as the cybersecurity community recategorized the risks surrounding embedded adware.
  • 1 in 15 government employees was exposed to phishing threats, with over two million federal government employees alone.
  • Over 70% of phishing attacks against government organizations sought to steal login credentials, which is a 67% increase from 2019.
  • Nearly one-quarter of state and local government employees use personal unmanaged devices, outpacing the nearly 9% in the federal government.

Remote Work – An Added Fuel to Rising Threats

With remote work in effect globally, most employees in government organizations are using their personal devices to access sensitive government data. These multiple endpoints, along with cloud applications, are encouraging cybercriminals to look for vulnerable entry points to break into the victims’ devices.

The analysis found that 22.8% of U.S. government workers still use the Android 8 operating system, which has over 636 known vulnerabilities. And 28.2% of federal, state, and local government employees use the Android 9 operating system, which has over 173 publicly known vulnerabilities.

Risks with a vulnerable operating system

  • Attackers can exploit vulnerabilities to actively target and take over a device or bypass its built-in security measures.
  • Compliance violations due to data handling practices.
  • If an employee is running an old version, they present a risk to the organization that could be easily eliminated with an operating system update.
  • Access to the camera and microphone to spy on the user.
  • Access to the device’s file system.
  • Connections to servers in foreign countries. 

How to Maximize Mobile Security

Lookout also made recommendations to boost mobile security. These include:

  • Keep mobile systems up to date. This may mean accelerating the testing of proprietary apps, but it’s a necessary change of priority.
  • Make sure mobile vulnerability and patch management capabilities are part of your operation.
  • Require users to install updates on mobile devices whenever they’re available.
  • Implement an approved device list for BYOD devices.
  • Train employees to recognize phishing attacks, but don’t stop at desktop attacks: Be sure to include recognizing phishing on mobile devices as well.

“Malicious actors have embraced mobile phishing because they can use any one of the hundreds of apps on the average person’s mobile device. Attackers can socially engineer targets on a personal level through social media apps, messaging platforms, games, and even dating apps. An attacker will target particular individuals, including department heads, law enforcement officials, city superintendents, revenue officers, or other government officials to gain privileged access to the data they want to steal,” Lookout said.

Wroba Trojan Resurfaces, Targets U.S. Users
https://staging-cisomagcom.kinsta.cloud/wroba-trojan/
Tue, 03 Nov 2020 15:30:44 +0000

For the most part, Wroba Trojan activity was limited to Asian countries. Recently, however, researchers at Kaspersky Labs have seen the mobile banking Trojan targeting Android and iPhone users in the U.S. with fake package-delivery notifications. According to Kaspersky, during the Wroba Trojan campaign, cybercriminals try to lure customers by sending them a text message. The message reads, “Your parcel has been sent out. Please check and accept it.”

Once an unsuspecting user clicks on the link, one of two things happens, depending on the OS of the mobile device.

If a user of an Android device clicks “OK,” they are redirected to a malicious site that reads, “Your browser is out-of-date and needs to be updated.” If the user clicks “OK,” the malicious application is downloaded onto the device. For iPhone users, the download doesn’t work. Instead, the iPhone users are greeted with a phishing page designed to look like Apple’s login page — in a bid to steal the credentials of the users.

Once the Trojan is installed on a device, it can perform several nefarious activities, such as sending fake SMS messages, accessing financial transaction data, checking installed packages, and stealing the contact list and credentials for financial data. According to Kaspersky, Wroba belongs to a family of malware that attempts to steal mobile banking accounts as well as one-time passwords sent by banks for client authentication.

Geographical distribution of attacks by the Trojan-Banker.AndroidOS.Wroba family

According to Malwarebytes, associated families of the mobile bank Trojan include:

  • Trojan.Bank.Marcher
  • Trojan.Bank.Perkel
  • Trojan.Bankun
  • Trojan.Spy.FakeBank
  • Trojan.Spy.FakeKRBank
  • Trojan.Spitmo
  • Trojan.Zitmo

What is Wroba Trojan?

For the uninitiated, Wroba is not entirely new malware. Back in 2013, the Wroba Trojan masqueraded as a legitimate application on Google Play Store. Also known as FunkyBot, Wroba had mainly targeted users in Korea, China, Russia, Japan, and other countries in the APAC region.

What is a Trojan horse?

A Trojan horse, or Trojan, is a malicious program or malicious code disguised to look like a popular or legitimate application. Unlike viruses, Trojans cannot replicate and spread on their own, but depend on user action to infect other systems. The user has to open the Trojan application for it to spread.

What is malware?

Malware is a generic or collective term for malicious software code. It includes viruses, Trojans, ransomware, and spyware. Typically, malware is delivered as a link in an email or as an email attachment. Clicking the link will lead to a malicious website. Opening a malicious attachment will execute the malicious program or code.

Ginp Banking Trojan Lures Android Users Amidst COVID-19 Outbreak
https://staging-cisomagcom.kinsta.cloud/ginp-banking-trojan-lures-android-users-amidst-covid-19-outbreak/
Thu, 26 Mar 2020 09:14:01 +0000

The outbreak of the novel Coronavirus (COVID-19) is giving rise to threats related to cybersecurity and data privacy. One such threat, according to Kaspersky researchers, is the Ginp Banking Trojan, which takes advantage of Android users. The infamous Trojan is known to steal the credit card credentials of potential victims.

By Pooja Tikekar, Feature Writer at CISO MAG

The Ginp Clickbait

  • Once the Ginp Banking Trojan is downloaded on the victim’s phone, the attacker sends a special command to the Trojan to open a web page titled “Coronavirus Finder.”
  • The Coronavirus Finder web page displays the number of people infected with the virus near the victim’s location.
  • It then asks them to pay 0.75 Euros to see the location of the virus-infected persons.
  • If the victims agree to pay, the Trojan redirects them to a payment page, where the payment details need to be entered.
  • Once the details are entered, the victims are neither charged, nor do they receive any information about the location of the infected persons. Instead, the credit card details of the victims are accessed.

Kaspersky’s Security Expert, Alexander Eremin, said, “Cybercriminals have, for months, attempted to take advantage of the coronavirus crisis by launching phishing attacks and creating coronavirus-themed malware. This is the first time, though, we’ve seen a banking Trojan attempting to capitalize on the pandemic. It’s alarming, particularly since Ginp is such an effective Trojan. We encourage Android users to be particularly vigilant at this time – pop-ups, unfamiliar web pages, and spontaneous messages about coronavirus should always be viewed skeptically.”

Mitigation Measures Against Ginp

Researchers at Kaspersky suggested precautionary measures to avoid exposure to the banking Trojan, which include:

  • Install or update Android apps only from Google Play.
  • Do not click on suspicious links and never give away sensitive information, such as logins, passwords or credit card information.
  • Do not give the Accessibility permission to apps that request it, other than anti-virus apps.

Not the First Time

The Ginp Trojan, which was first discovered in October 2019 by Kaspersky expert Tatyana Shishkova, had targeted Spanish banks as well as legitimate banking apps per bank. The Trojan exploited the Accessibility Service privilege to send messages and make calls, without the knowledge of the victims.


About the Author

Pooja Tikekar is a Feature Writer, and part of the editorial team at CISO MAG. She writes news and feature stories on cybersecurity trends.
