Spyware Archives - CISO MAG | Cyber Security Magazine
Feed last updated: Tue, 01 Feb 2022 12:01:06 +0000

How to Know if Your Smartphone is Hacked?
https://staging-cisomagcom.kinsta.cloud/how-to-know-if-your-smartphone-is-hacked/
Tue, 02 Nov 2021 11:24:46 +0000
Nowadays, it’s hard to find a person without a smartphone. Along with the convenience of the technology, the proliferation of smartphone culture has also brought in various kinds of security threats. A lot of sensitive information is stored on these smartphones, as people use them for online banking, shopping, email, and other communications. From phishing lures to deploying mobile spyware, threat actors leverage different social engineering tactics to compromise or spy on users’ mobile devices.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

The smarter our phones, the more we become vulnerable to cybersecurity risks.

5 Signs Your Phone Is Hacked

While there are no standard measures to determine whether a smartphone is compromised or not, you can find out by observing the functions of your device. Here are five signs that will help you know if your smartphone is behaving erratically or controlled by others:

1. Unusual Messages and Pop-ups

If you are receiving inappropriate messages or unwanted ad pop-ups on your smartphone, it may indicate the presence of mobile malware or spyware. Threat actors often target and trick users with various phishing lures via flashing ads or malicious links, which, when clicked, redirect the users to a hacker-controlled webpage or take full control of the device by deploying additional payloads.

2. High Usage of the Internet

There could be multiple reasons for a sudden increase in internet usage. But if your mobile data consumption is higher than usual for no reason you can account for, your device is likely compromised. Hackers and fraudsters consume your mobile data to run their apps in stealth mode in the background.

3. Presence of Unusual Apps

Identify unusual installs or suspicious apps on your smartphone that you did not download. It could be the act of cybercriminals, as they install fake or malicious apps embedded with spyware to monitor users’ activity and steal sensitive information. If you find any messages you didn’t send or calls you didn’t make, it’s likely a hacker’s act.


4. Increased Battery Drainage

While a smartphone’s battery life decreases with time, a phone infected with malware or spyware shows significantly faster battery drain than usual. This is due to the presence of hacker-controlled malware or spyware apps on your device. These malicious apps use mobile resources like data and battery to run in the background, monitor the device, and transfer the data to the cybercriminals’ servers.

5. Slow Performance

Smartphones come with a variety of specifications and capabilities, which also decline over time. But if you feel the performance of your smartphone has suddenly degraded, then it’s time to act. Compromised mobile devices often freeze, crash applications, and keep apps running even after you close them.

How to Restore Your Hacked Smartphone

  • Download a robust mobile security app or anti-malware software on your device to scan and eliminate malware/spyware from it.
  • Change the login credentials of all accounts immediately.
  • Uninstall all suspicious apps from the device.
  • Inform your contacts not to click on or respond to any suspicious messages or links received from you, as they could be malicious.
  • If you’re still facing the same issues with your device, restore your smartphone to its factory settings.

How to Protect Your Smartphone from Hackers

  • Turn off your mobile hotspot and Bluetooth when in public.
  • Avoid using public Wi-Fi and charging points.
  • Don’t leave your device unattended. Always lock it with a password.
  • Frequently review the apps you’ve downloaded on your smartphone. Immediately delete any suspicious apps you find.
  • Continue using updated anti-malware apps and software.
  • Use VPNs to secure your browsing and keep it private.
  • Always download apps and attachments from trusted sources only (Play Store and App Store).
  • While traveling, avoid using public USB charging points or use a USB condom if you must.

Wrap-Up

Smartphones are an undeniable part of our lives. The increased usage of smart devices has become the primary reason for cybercriminals to compromise devices and steal information. Threat actors will always find new ways to break into smartphones. Only mindful use of smartphones, awareness of potential mobile threats, and practicing cyber hygiene can help users against the rising mobile threat landscape.

About the Author

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.


Apple Releases Security Updates for Two Zero-Day Vulnerabilities
https://staging-cisomagcom.kinsta.cloud/apple-releases-security-updates-for-two-zero-day-vulnerabilities/
Tue, 14 Sep 2021 13:42:09 +0000
The Citizen Lab reported a new zero-click iMessage exploit, FORCEDENTRY, targeting Apple’s image rendering library. Apple released a security update to address the zero-day vulnerability affecting its products.


Not too long ago, the media was rife with news about Pegasus spyware from the Israeli company NSO Group being used to snoop on activists, journalists, people in political power, and senior government officials across the globe. A list of more than 50,000 people who were supposedly targeted was made public. An important aspect, in addition to the spyware, was the vulnerability discovered in Apple products. The vulnerability was exploited by Pegasus spyware to infect Apple devices like the iPhone, iPad, Apple Watch, or Mac, providing access to the camera and microphone and thereby to the digital life of the device user.

The recently reported vulnerability was assigned CVE-2021-30860 and is described as a maliciously crafted PDF that may lead to arbitrary code execution. Earlier in the year, Apple had added a security feature called ‘BlastDoor’ across its operating systems to add an extra security layer in the iMessage. The spyware bypasses this feature and surreptitiously plants itself on the infected device.

The Vulnerabilities

The vulnerabilities, tracked as CVE-2021-30860 and CVE-2021-30858, allow maliciously crafted documents to execute commands when accessed on vulnerable devices.

CVE-2021-30860, in CoreGraphics, is an integer overflow bug discovered by Citizen Lab that allows a maliciously crafted PDF to execute arbitrary code when opened on iOS and macOS.

CVE-2021-30858 is a use-after-free vulnerability in WebKit that allowed attackers to create maliciously crafted web pages that execute commands when users visit them on iPhones and macOS.

In an urgent update, Apple has urged its customers to install the latest software updates, iOS 14.8, macOS 11.6 and watchOS 7.6.2, for the fixes to take effect.

With the next iOS 15 on the anvil, the company is expected to add security features to fix the spyware intrusion and tighten its defense.

Pegasus Spyware – The Ghost in the Machine
https://staging-cisomagcom.kinsta.cloud/pegasus-spyware/
Mon, 02 Aug 2021 09:30:24 +0000
The most trending cybersecurity news last month was about the Pegasus Spyware incident. This isn’t the first time we’ve heard about Pegasus; remember the 2019 incident where Pegasus was infecting phones through WhatsApp? However, the issue garnered a lot of importance this time as journalists, activists, and politicians are also affected by the spyware. In India, the news of Pegasus caused mayhem and disruption as the monsoon session of Parliament began; politicians accused the government and opposing political parties of snooping on their phone messages and conversations. The phone numbers of senior Indian journalists are also on the dreaded Pegasus surveillance list, making them possible victims of the spyware.

By Brian Pereira, Editor-in-Chief, CISO MAG

Snooping is fairly common in the digital world. Do you remember how whistleblower Edward Snowden revealed the snooping exploits of the U.S. National Security Agency (NSA), back in 2014? Welcome to the era of mass surveillance.

CNBC TV18 reports that the French government is in discussions with the Israeli government over concerns that President Macron’s phone may have been targeted for surveillance. The Israeli authorities are now scrutinizing the operations of NSO Group Technologies that created Pegasus spyware.

When the Pegasus incident hit the headlines, NSO vehemently denied any involvement. It said it just creates this tool and sells it to governments and intelligence or security agencies. It says it cannot be held accountable for how its customers use this tool.

So, the licensees should be held responsible – the State in particular. But then, there is a thin line between what one deems as “surveillance for security reasons” and snooping. Who decides what is legal and permissible and what violates a citizen’s privacy?

The State needs to take a call on such issues and revise its IT laws and Acts if necessary.

A few questions about Pegasus Spyware

This incident also raises a few questions:

  • Is it possible to get infected by spyware without clicking on any links (zero click)?
  • Can someone plant spyware on your phone just by knowing your number and sending you a message?
  • How does one know if they have been infected by Pegasus spyware?
  • And how do you remove and block this spyware from your phone?

I am hoping the answers to these questions will emerge soon. Because if they don’t, a lot of people may get paranoid about this Orwellian approach of governments.

Will this be 1984 all over again?


About the Author

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

eScan’s Mobile Security Application Capable of Detecting and Blocking Pegasus Spyware
https://staging-cisomagcom.kinsta.cloud/escan-mobile-security-pegasus-spyware/
Tue, 27 Jul 2021 13:46:49 +0000
Pegasus spyware from the NSO Group has made it to the global mainstream media, thanks to it being at the core of a major surveillance campaign reported by 17 media organizations led by the Paris-based group Forbidden Stories and Amnesty International.

Per reports, 50,000 phone numbers, primarily belonging to journalists, government officials, and human rights activists across the globe, were put under surveillance, violating the basic human right of privacy.

The Global Spyware Market Index Report from Top10VPN.com revealed some startling statistics:

  • 74 countries have bought and/or used invasive spyware technology since 2015.
  • Spyware firms: 86% are based in countries considered full or flawed democracies by the EIU.
  • Suspected customers: 55% are authoritarian or hybrid regimes, with only 7% considered full democracies.
  • FinFisher has the most reported state customers (34), followed by Circles (25), and NSO Group (23).

Responding to the imminent attack, MicroWorld Technologies, a security solution provider with a specialization in cybersecurity, emphasized that their Mobile Security solution is capable of detecting and blocking Pegasus spyware along with similar digital threats.

MicroWorld Technologies houses two brands under its banner namely eScan and Nemasis.

Speaking exclusively with CISO MAG about detecting spyware, Govind Rammurthy, MD and CEO of MicroWorld Technologies Inc., said, “The Pegasus attack, which the world has recently encountered uses a zero-click method and surely has been difficult to track if one doesn’t know the existing vulnerabilities in their devices. The new upgrade to Pegasus has been designed to bypass the need for any kind of social engineering tactic. However, with time and experience, we have been able to detect current infections and block the spyware.”


The spyware has evolved with time, and unlike its earlier versions that used the spear phishing technique, Pegasus is capable of exploiting bugs in iMessage, allowing it to gain access to millions of iPhones through a backdoor.

Rammurthy further articulated, “Pegasus is a spyware-equipped remote access tool (RAT). The spyware can monitor the user’s activities remotely using the phone’s microphone and camera, as well as take screenshots and record keystrokes. This infection is treated like any other spyware by eScan’s Mobile Security for Android and the action is taken accordingly on it. In case any active or dormant version of Pegasus is identified while scanning, a warning is triggered on the device by our mobile security application, keeping the user safe from unauthorized surveillance.”

eScan’s mobile security application for Android and Apple devices detects any dormant and active strains of the spyware that are present within the storage space of the device.

Privacy violation

Globally governments and authorities are working toward banning spyware and working on policies to prevent these surveillance attacks. With more incidents coming to the fore and awareness being created, significant activity is being reported globally, questioning the misuse of spyware.

Rammurthy condemns this campaign, saying, “In this digital age, data and privacy are of highest importance. Any form of interception of communication is illicit in nature and strict action should be taken against the perpetrators of this campaign. At the same time, the masses should collectively educate themselves on how to spot the signs of such a pernicious campaign and use cybersecurity solutions that can actively thwart the advances of such spyware.”

Shweta Thakare, Vice President – Global Sales and Marketing of MicroWorld Technologies Inc., adds, “We severely castigate the Pegasus campaign that has come to light. It not only violates the freedom of the press but also the basic human rights of the citizens of the free world. Our research and development teams have worked relentlessly to provide a solution for this digital atrocity and we are happy to announce that our cybersecurity solution for mobiles, irrespective of the platform can detect and mitigate this threat with ease.”

MicroWorld concluded that keeping the evolving threat landscape in mind, its team is currently working on adding more upgrades through which the application would be able to proactively detect any security flaws within the device and plug it before a threat actor could capitalize on it. Consequently, both the present and the future are in secure hands.

DevilsTongue – A New Spyware from Israeli Company Candiru
https://staging-cisomagcom.kinsta.cloud/devilstongue-a-new-spyware-from-israeli-company-candiru/
Tue, 20 Jul 2021 11:30:57 +0000
Not all malware variants are available on underground darknet markets. Some criminal syndicates design and supply them, especially for state-sponsored cyberattacks. In a recent investigation, security researchers identified new spyware created by Candiru (also known as SOURGUM), an Israel-based mercenary spyware vendor, to target Windows systems, iPhones, Macs, Android platforms, and cloud networks across the globe. The vendor is reportedly trading various cyberweapons to state-sponsored actors and government agencies in hacking-as-a-service packages.

Candiru’s DevilsTongue

A joint investigation by Citizen Lab and the Microsoft Threat Intelligence Center (MSTIC) identified the Windows spyware, tracked as DevilsTongue, exploiting two Windows zero-day vulnerabilities listed as CVE-2021-31979 and CVE-2021-33771. If exploited, the vulnerabilities could allow a remote attacker to escape browser sandboxes, escalate privileges, and gain kernel code execution.

Microsoft has fixed the bugs in its July 2021 security update.

The spyware also targeted more than 100 victims, including politicians, journalists, academics, embassy workers, human rights activists, and political dissidents. Adversaries leveraged different browsers and Windows exploits to deploy malware on the targeted systems. They sent malicious single-use URLs to targets via messaging services like WhatsApp. Most of DevilsTongue’s victims are located in Palestine, followed by Israel, Yemen, Iran, Lebanon, Spain, the U.K., Turkey, Armenia, and Singapore.

Citizen Lab stated that Candiru’s Windows payload possesses a variety of features, such as exfiltrating files; stealing cookies and passwords from the Chrome, Internet Explorer, Firefox, Safari, and Opera browsers; and exporting all messages saved in messaging apps.

Microsoft claimed that it has implemented necessary security measures to protect its products from this highly sophisticated spyware.

“We have shared these protections with the security community so that we can collectively address and mitigate this threat. We have also issued a software update that will protect Windows customers from the associated exploits that the actor used to help deliver its highly sophisticated malware,” Microsoft said.

Candiru’s Corporate Structure

According to Citizen Lab, Candiru was founded in 2014 and is known to have changed its identity several times. While the company presently operates under the name Saito Tech Ltd., it has operated under multiple identities, such as DF Associates in 2017, Grindavik Solutions in 2018, and Taveta in 2019. The company provides various criminal services like custom malware distribution and cyber espionage (against computers, mobile devices, and cloud accounts) while keeping its operations, infrastructure, and staff identities in stealth mode. Candiru has clients in Europe, the Persian Gulf, the former Soviet Union, Asia, and Latin America.

The researchers found over 750 websites linked to Candiru’s spyware infrastructure, many of which impersonated several legitimate domains of social welfare and advocacy agencies like Amnesty International and Black Lives Matter.

How to Know if You’re Being Stalked by Stalkerware
https://staging-cisomagcom.kinsta.cloud/explainers-how-to-know-if-youre-being-stalked-by-stalkerware/
Mon, 15 Mar 2021 16:38:43 +0000
At a time when everyone is more connected than ever, cybercriminals too have become more active, looking for ways to turn an adverse situation to their advantage. Since the beginning of the pandemic, threat actors have been leveraging innovative techniques to stalk their targets. A recent analysis revealed a 51% increase in the use of spying and stalking apps globally since the lockdown started.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

What is Stalkerware?

Whether it is a malicious actor, a suspicious partner, or a spying employer, the use of Spyware and Stalkerware apps has significantly increased in recent times. Such apps serve as powerful surveillance tools capable of working in stealth mode. Stalkerware has the ability to spy on users’ online activities: tracking their location; accessing their personal data and their communications on WhatsApp and Facebook; eavesdropping on phone calls; and making covert recordings of conversations without the target’s knowledge. Stalkerware often runs under disguise and requires disabling anti-virus software or the built-in protection in the operating system.

The Rise of Stalkerware

According to one analysis, the number of unwitting users targeted by full-throttle spyware detected as TrojanSpy reached 26,620 in the first eight months of 2019. Russia (23.4%), Brazil (9.4%), India (9%), and the U.S. (5.6%) are the regions where Stalkerware is most prominent. Within Europe, Germany (3.1%), Italy (2.4%), and France (1.8%) are the top three affected countries.

How is Stalkerware installed?

Usually, attackers use social engineering techniques like phishing emails or malicious attachments to lure unwitting users into downloading Stalkerware onto their devices. Sometimes, users may unknowingly download Spyware that comes bundled with other software from unsecured third-party sources.

Once installed, the Stalkerware leverages the permissions granted on the victim’s device to gain control over it. With this access, a hacker can compromise device data, make phone calls, get SIM serial numbers, obtain contact details, read and send text messages, record calls and audio, query call logs, and access the device location and ID.

How to know if someone is stalking you?

Stalkerware apps are designed to be hidden, making them difficult to detect. Users need to be more vigilant about their device’s behavior to find out whether they are a victim of Stalkerware. Usually, Stalkerware requires permissions on the victim’s phone to collect and send information to the attackers. You can suspect that Stalkerware or Spyware is installed on your device when:

  • Your mobile data usage increases drastically.
  • Your phone’s battery drains faster than usual.
  • Your device turns on Wi-Fi or mobile internet even though you turned them off.
  • Location and Bluetooth options are turned on automatically.
  • You spot unusual notifications on your device.
  • Certain app permissions are enabled or disabled without your consent.
  • You find login activity on social media, bank apps, or other accounts that happened without your knowledge.

How to protect against Spyware/Stalkerware?

Cybercriminals often rely on Spyware apps to compromise the sensitive information of victims. Users and organizations must enhance their mobile application security to defend against evolving threats from Stalkerware. The end-users must also follow certain security precautions while installing and using mobile apps. These include:

  • Check the URL protocol (HTTPS) for secure communication.
  • Never install apps from unknown sites, as they might be malicious. Always download original applications from trusted sources (Google Play Store or Apple App Store).
  • Secure your mobiles against all unauthorized physical and online access.
  • Install a paid antivirus and a mobile security app to scan for malware and viruses.
  • Always check the app’s permission list (both Android and iOS) before downloading an app. Restrict or deny access to functions that are not needed for the app to work.
  • Avoid downloading an app if it is asking for permissions unrelated to its functionality.

Conclusion

Despite multiple security checks, Spyware and Stalkerware apps are making their way onto victims’ mobile devices, evading and breaching security and allowing cybercriminals to pilfer sensitive information. It is users’ responsibility to maintain robust cyber hygiene to protect their devices from such evolving threats.

About the Author

Rudra Srinivas is a Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.

After U.S., Vietnam Government Suffers Supply Chain Attack https://staging-cisomagcom.kinsta.cloud/after-u-s-vietnam-government-suffers-supply-chain-attack/ Fri, 18 Dec 2020 15:46:02 +0000 https://staging-cisomagcom.kinsta.cloud/?p=8539 Security researchers identified a supply-chain attack targeting the Vietnam Government Certification Authority (VGCA) that compromised the agency’s digital signature toolkit. According to an investigation from the security firm ESET, cybercriminals exploited the software installers hosted on the VGCA’s website “ca.gov.vn” to inject spyware known as PhantomNet or Smanager. The Vietnamese government has mandated the use […]

Security researchers have identified a supply-chain attack targeting the Vietnam Government Certification Authority (VGCA) that compromised the agency's digital signature toolkit. According to an investigation by the security firm ESET, the attackers modified the software installers hosted on the VGCA's website, ca.gov.vn, to deliver spyware known as PhantomNet or Smanager.

The Vietnamese government mandates the use of digital signatures and digitally signed documents, and the VGCA is the authorized certificate provider. It also develops and distributes a digital signature toolkit and issues the cryptographic certificates used to sign documents.

The “SignSight” Attack

The researchers named the operation SignSight; it ran from July 23 to August 16, 2020. According to ESET, the attackers modified two software installers, "gca01-client-v2-x32-8.3.msi" and "gca01-client-v2-x64-8.3.msi" (for 32-bit and 64-bit Windows respectively), that were available for download on the agency's website, adding a backdoor to compromise users of the legitimate application.

“We were able to confirm that those installers were downloaded from ca.gov.vn over the HTTPS protocol, so we believe it is unlikely to be a man-in-the-middle attack,” ESET researchers said.

The URLs that served the modified installers were:

https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x64-8.3.msi

https://ca.gov[.]vn/documents/20182/6768590/gca01-client-v2-x32-8.3.msi
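The HTTPS detail is the security-relevant point: TLS only proves the file came from ca.gov.vn, not that it is the file the vendor built, so a trojanized installer sitting on the genuine server passes every transport check. What catches it is verifying each download against a digest or signature published out of band. The Python below is an added example, not ESET's or the VGCA's code: it verifies a download directory against a manifest of expected SHA-256 values, refusing both modified and unlisted artifacts. The installer bytes and the manifest are constructed for the example; on Windows you would additionally check the Authenticode signature with Get-AuthenticodeSignature, which this script does not do.

```python
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large MSI installers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path: Path, manifest: dict[str, str]) -> tuple[bool, str]:
    """Check one downloaded artifact against an out-of-band manifest of
    {filename: expected sha256 hex}. Files the manifest does not list are refused."""
    expected = manifest.get(path.name)
    if expected is None:
        return False, f"{path.name}: not listed in manifest, refusing to install"
    actual = sha256_file(path)
    # Constant-time compare: not strictly needed for a local file check, but a
    # habit worth keeping wherever a verifier compares against an expected value.
    if not hmac.compare_digest(actual, expected):
        return False, f"{path.name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{path.name}: digest matches"


def verify_download_dir(directory: Path, manifest: dict[str, str]) -> dict[str, bool]:
    """Verify every .msi in a download directory; install nothing if any check fails."""
    return {p.name: verify_installer(p, manifest)[0] for p in sorted(directory.glob("*.msi"))}


def demo() -> dict[str, bool]:
    """Constructed scenario: one pristine installer, one that an attacker has
    appended a payload to, and one artifact the vendor never published."""
    tmp = Path(tempfile.mkdtemp())
    pristine = b"MSI\x00constructed-good-installer-bytes"
    good_hash = hashlib.sha256(pristine).hexdigest()
    # The vendor's published digests, assumed to have been obtained out of band
    # (e.g. from a signed release note), not from the download server itself.
    manifest = {
        "gca01-client-v2-x64-8.3.msi": good_hash,
        "gca01-client-v2-x32-8.3.msi": good_hash,
    }
    (tmp / "gca01-client-v2-x64-8.3.msi").write_bytes(pristine)
    (tmp / "gca01-client-v2-x32-8.3.msi").write_bytes(pristine + b"<appended backdoor>")
    (tmp / "hotfix.msi").write_bytes(pristine)
    return verify_download_dir(tmp, manifest)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(("OK   " if ok else "FAIL ") + name)
```

The manifest has to come from somewhere the attacker who controls the download server cannot also edit; a digest listed on the same web page as the installer proves nothing.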

PhantomNet Supply-Chain Attack

Users were affected by PhantomNet if they downloaded and installed the compromised software hosted on the official website. Once installed, the altered software also drops and runs the PhantomNet backdoor, disguised as an ordinary file named "eToken.exe".

The Attack Flow

“We believe that the website has not been delivering compromised software installers as of the end of August 2020 and ESET telemetry data does not indicate the compromised installers being distributed anywhere else. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the Trojanized software,” the ESET researchers added.

Wroba Trojan Resurfaces, Targets U.S. Users

https://staging-cisomagcom.kinsta.cloud/wroba-trojan/ | Tue, 03 Nov 2020 15:30:44 +0000

For the most part, Wroba Trojan activity has been limited to Asian countries. Very recently, however, researchers at Kaspersky have seen the mobile banking Trojan targeting Android and iPhone users in the U.S. with fake package-delivery notifications. According to Kaspersky, the Wroba campaign lures victims with a text message that reads, "Your parcel has been sent out. Please check and accept it."

Once an unsuspecting user taps the link, the attack takes one of two paths depending on the device's operating system.

An Android user who taps "OK" is redirected to a malicious site that reads, "Your browser is out-of-date and needs to be updated." Tapping "OK" again downloads the malicious application onto the device. For iPhone users the download does not work; instead they are shown a phishing page designed to look like Apple's login page, in a bid to steal their credentials.

Once installed on a device, the Trojan can send fake SMS messages, access financial transaction data, enumerate installed packages, and steal the contact list and banking credentials. According to Kaspersky, Wroba belongs to a family of malware that attempts to steal mobile banking accounts as well as the one-time passwords that banks send for client authentication.
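The two-path behaviour above is server-side cloaking keyed on the User-Agent, which is also how an analyst recognises it: fetch the lure URL under several User-Agents and compare the responses. The code below is an added example, not Kaspersky's or the campaign's code. `landing_page` is a constructed model of the branching the article describes, and `probe_for_cloaking` works on any fetcher that returns the same dict shape, so it runs offline here and can be pointed at a real URL with an HTTP client. The User-Agent strings are assumed values.

```python
from __future__ import annotations

import re
from typing import Callable


def landing_page(user_agent: str) -> dict:
    """Constructed model of the lure: one URL, three behaviours, chosen by User-Agent."""
    ua = user_agent.lower()
    if "android" in ua:
        return {"body": "Your browser is out-of-date and needs to be updated.",
                "download": "https://parcel.example.invalid/update.apk"}
    if "iphone" in ua or "ipad" in ua:
        return {"body": "<form action='/appleid/signin'>Apple ID password</form>",
                "download": None}
    # Desktop browsers, crawlers and sandboxes get a harmless page.
    return {"body": "Page not found", "download": None}


# Representative User-Agents for probing (assumed values; refresh from real devices).
PROBE_AGENTS = {
    "android": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 Chrome/86.0 Mobile Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/86.0 Safari/537.36",
    "curl": "curl/7.68.0",
}

Fetcher = Callable[[str], dict]


def probe_for_cloaking(fetch: Fetcher, agents: dict[str, str] = PROBE_AGENTS) -> dict:
    """Fetch one URL under several User-Agents and report whether the responses
    diverge by platform. `fetch` takes a User-Agent string and returns a dict
    with "body" and "download" keys; in the field, wrap your HTTP client so that
    the page text and any offered file URL are mapped into that shape."""
    responses = {name: fetch(ua) for name, ua in agents.items()}
    variants = {resp["body"] for resp in responses.values()}
    indicators: list[str] = []
    for name, resp in responses.items():
        if resp["download"] and resp["download"].lower().endswith(".apk"):
            indicators.append(f"{name}: offers APK side-load ({resp['download']})")
        if re.search(r"apple\s*id", resp["body"], re.IGNORECASE):
            indicators.append(f"{name}: Apple ID credential form")
        if "out-of-date" in resp["body"].lower():
            indicators.append(f"{name}: fake browser-update pretext")
    return {
        "cloaked": len(variants) > 1,   # same URL, different content per platform
        "variants": len(variants),
        "indicators": indicators,
    }


if __name__ == "__main__":
    report = probe_for_cloaking(landing_page)
    print("cloaked:", report["cloaked"], "distinct responses:", report["variants"])
    for line in report["indicators"]:
        print(" -", line)
```

The desktop and curl probes matter as much as the mobile ones: a page that only misbehaves for phones is exactly what evades a quick check from an analyst's workstation.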


Geographical distribution of attacks by the Trojan-Banker.AndroidOS.Wroba family

According to Malwarebytes, associated families of this mobile banking Trojan include:

  • Trojan.Bank.Marcher
  • Trojan.Bank.Perkel
  • Trojan.Bankun
  • Trojan.Spy.FakeBank
  • Trojan.Spy.FakeKRBank
  • Trojan.Spitmo
  • Trojan.Zitmo

What is Wroba Trojan?

For the uninitiated, Wroba is not an altogether new malware. Back in 2013, the Wroba Trojan masqueraded as a legitimate application on the Google Play Store. Also known as FunkyBot, Wroba had mainly targeted users in Korea, China, Russia, Japan, and other countries in the APAC region.

What is a Trojan horse?

A Trojan horse, or Trojan, is a malicious program or piece of code disguised to look like a popular or legitimate application. Unlike viruses, Trojans cannot replicate and spread on their own; they depend on user action to infect other systems, so the user has to open the Trojan application for it to run.

What is malware?

Malware is a collective term for malicious software. It includes viruses, Trojans, ransomware, and spyware. Typically malware is delivered as a link in an email or as an email attachment: clicking the link leads to a malicious website, and opening a malicious attachment executes the malicious program or code.

Fake Aarogya Setu Apps Spread Spyware, SonicWall Reports

https://staging-cisomagcom.kinsta.cloud/fake-aarogya-setu-apps-spread-spyware-sonicwall-reports/ | Thu, 28 May 2020 14:15:33 +0000

The threat research team at security firm SonicWall Labs stated that it has found multiple fake Aarogya Setu apps carrying spyware components.

Aarogya Setu is a smartphone application developed by the Indian government to help people assess their risk of coronavirus infection. It determines whether a user has been near a COVID-19 positive person (within about six feet) by matching Bluetooth and GPS proximity data against a database of known cases across India. The app gained huge popularity in the country, which also made it a target for cybercriminals.

SonicWall's researchers described several scenarios showing how these malicious apps work.

Scenario 1

The researchers found several fake apps with the package name "cmf0.c3b5bm90zq.patch". The malware operators reused the same code for most of the fake apps, changing only the icon and application name.

Image Courtesy: SonicWall

Here the app impersonates the legitimate Aarogya Setu app. The copy is imperfect, however: the icon appears stretched and can be identified when viewed alongside the legitimate app's icon.

“Upon execution, we do not see any activity on the screen. However, after some time, the app icon disappears from the app drawer. This contains reference to a domain – johnnj2-37916.portmap.io – in the patch_preferences.xml file. During an analysis, the malware did not try to communicate with this domain, however this domain is connected to malicious apps,” the researchers said.

Scenario 2

As in the first scenario, several fake apps were found with the package name "yps.eton.application". In this case the app is presented as an Aarogya Setu add-on, which is not an official app.

Image Courtesy: SonicWall

If the user installs the app, it requests Device Admin privileges and permission to install apps from this source. The fake app then installs the legitimate Aarogya Setu app from its own resource folder so that it looks less suspicious to the user.

Scenario 3

In this case, the attackers duplicated the official Aarogya Setu icon exactly, making it hard to tell the legitimate app from the fake. "There was no network activity witnessed during our analysis session but there was a record of a domain – 204.48.26.131:29491 – within an xml file belonging to the app. This domain is related to another malicious Android app," the researchers said.

Image Courtesy: SonicWall

The common element in all three scenarios is the presence of spyware components, including code from the Android spyware SpyNote. Once installed, this spyware can make phone calls, record audio, send SMS messages, take pictures and record video with the camera, and restart itself every time the device reboots.

How to Delete Fake Apps

If the user uninstalls the Aarogya Setu app by the simple method of long-pressing its icon, only the genuine app is removed; the malicious app remains on the device in the background. The only way to remove it is through Settings > Apps > Uninstall.

Debasish Mukherjee, Regional Sales – APAC at SonicWall, said, “As the Aarogya Setu App gained popularity in India, it became a target for malware creators. The outbreak of Covid-19 has created new avenues for cyber attackers to explore, innovate and strike in every malicious way. With increasing cyberthreats it appears that cybercriminals are working overtime to create dissonance among mass app users. We advise Android users to exercise maximum caution while downloading and using the Aarogya Setu App.”

The Government of India made the Aarogya Setu app open source this week. The Android source code is now available on GitHub, and the Government has said that all future app updates will be published through this dedicated repository, as reported by The Financial Express. Researchers and cybersecurity experts can now audit the Aarogya Setu app at their discretion, but attackers may also take advantage of having access to the source code.

“PhantomLance” Targets Android App Store to Spread Malware and Spyware

https://staging-cisomagcom.kinsta.cloud/phantomlance-targets-android-app-store-to-spread-malware-and-spyware/ | Thu, 30 Apr 2020 16:52:30 +0000

Security researchers from Kaspersky Lab found threat actors abusing the Google Play Store for years to distribute advanced Android malware that steals a wide range of sensitive data from users. According to the researchers, a campaign named "PhantomLance" has been targeting Android devices with malware and spyware payloads embedded in applications delivered via multiple platforms, including Google's Play Store and third-party Android app stores such as APKPure and APKCombo.

“The campaign has been active since at least 2015 and is still ongoing, featuring multiple versions of a complex spyware – software created to gather victims’ data – and smart distribution tactics, including distribution via dozens of applications on the Google Play official market,” Kaspersky said.

Evading Google Security Checks

The researchers found that the attackers behind the campaign used a simple but effective technique to repeatedly bypass the vetting process Google uses to detect malicious apps: they first submit a benign version of an app and add the backdoor in a later update, after the app has been accepted.

Kaspersky observed over 300 infection attempts on Android devices in India, Vietnam, Bangladesh, and Indonesia since 2016, along with several detections in Nepal, Myanmar, and Malaysia. The map below shows the countries with the most attempted attacks.

Data Source: Kaspersky Labs

Apart from the Android applications containing PhantomLance malware, Kaspersky also provided a list of apps that were distributed and later removed from the Play Store by Google in November 2019.

Image Courtesy: Kaspersky Labs

“During our extensive investigation, we spotted a certain tactic often used by the threat actors for distributing their malware. The initial versions of applications uploaded to app marketplaces did not contain any malicious payloads or code for dropping a payload. These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads. We were able to confirm this behavior in all of the samples, and we were able to find two versions of the applications, with and without a payload,” Kaspersky added.
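The vetting bypass Kaspersky describes boils down to a difference between what was reviewed and what later shipped. The Python below is an added example, not Kaspersky's tooling: it compares the decoded AndroidManifest.xml of two versions of an app and flags an update that adds permissions, broadcast receivers or services a benign app would not need. The two manifests and the high-risk permission list are constructed for the example; real APKs carry the manifest as binary XML, so decoding it first with apktool or androguard is assumed.

```python
from __future__ import annotations

from xml.etree import ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions whose sudden appearance in an update is a red flag (assumed list).
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def parse_manifest(xml_text: str) -> dict[str, set[str]]:
    """Extract requested permissions and declared receivers/services from a
    decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    name = ANDROID_NS + "name"
    app = root.find("application")
    return {
        "permissions": {e.get(name) for e in root.iter("uses-permission")},
        "receivers": {e.get(name) for e in app.iter("receiver")} if app is not None else set(),
        "services": {e.get(name) for e in app.iter("service")} if app is not None else set(),
    }


def assess_update(old_xml: str, new_xml: str) -> dict:
    """Diff two versions and flag an update that quietly grows spyware capabilities.
    Removed items are ignored: the concern is what the reviewed version lacked."""
    old, new = parse_manifest(old_xml), parse_manifest(new_xml)
    added = {key: sorted(new[key] - old[key]) for key in old}
    risky = [p for p in added["permissions"] if p in HIGH_RISK]
    return {
        "added": added,
        "risky_permissions": risky,
        "suspicious": bool(risky) or bool(added["receivers"]) or bool(added["services"]),
    }


# Constructed manifests: v1 is the harmless version submitted for review,
# v2 is the follow-up update carrying a payload and a boot-time restart hook.
V1_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browsercleaner" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Browser Cleaner">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

V2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browsercleaner" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Browser Cleaner">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = assess_update(V1_MANIFEST, V2_MANIFEST)
    print("suspicious:", report["suspicious"])
    for key, values in report["added"].items():
        print(f"  added {key}: {values}")
```

Diffing manifests is a coarse filter: a payload can also arrive as a downloaded DEX with no manifest change at all, which is why the check belongs alongside dynamic analysis of the update rather than in place of it.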
