Tag: Malware

  • Cyber security firm uncovers threat targeting iPhones, other iOS devices


    Kaspersky, a global cyber security company, says it has uncovered an ongoing mobile Advanced Persistent Threat (APT) campaign targeting iOS devices with previously unknown malware.

    The cyber security firm made this known in its latest report on Friday.

    It said that the APT, tagged ‘Operation Triangulation’, distributes zero-click exploits via iMessage to run malware that gains complete control over the device and user data, with the final goal of spying on users.

    It said that Kaspersky experts uncovered the new mobile APT campaign while monitoring the network traffic of its corporate Wi-Fi network using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).

    It noted that upon further analysis, company researchers discovered that the threat actor had been targeting iOS devices of dozens of company employees.

    According to the company, the investigation of the attack technique is still ongoing, but so far Kaspersky researchers were able to identify the general infection sequence.

    “The victim receives a message via iMessage with an attachment containing a zero-click exploit.

    “Without any further interaction, the message triggers a vulnerability that leads to code execution for privilege escalation and provides full control over the infected device.

    “Once the attacker successfully establishes its presence in the device, the message automatically deletes itself,” it said.

    According to the report, the spyware quietly transmits private information to remote servers.

    “This includes microphone recordings, photos from instant messengers, geolocation and data about a number of other activities of the owner of the infected device,” it said.

    The report stated that during the analysis, it was confirmed that there was no impact on the company’s products, technologies and services, and no Kaspersky customer user data or critical company processes were affected.

    It noted that the attackers could only access data stored on the infected devices.

    Igor Kuznetsov, Head of Eastern Europe, Middle East and Africa Unit at Kaspersky Global Research and Analysis Team, said: “When it comes to cyber security, even the most secure operating systems can be compromised.

    “As APT actors are constantly evolving their tactics and searching for new weaknesses to exploit, businesses must prioritise security of their systems,” he said.

    Kuznetsov said this involved prioritising employee education, awareness and providing them with the latest threat intelligence and tools to effectively recognise and defend against potential threats.

    He said the company’s investigation of Operation Triangulation continues, adding that further details would be shared, as there could be other targets of this spying operation.

  • BEWARE: Threat actors take over viral TikTok challenge


    The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has warned about the potential harm of taking part in the Invisible Challenge on the short-form video hosting service TikTok, revealing that it exposes devices to information-stealing malware.

    An NCC-CSIRT advisory disclosed that threat actors have taken advantage of the viral TikTok challenge, known as the Invisible Challenge, to disseminate an information-stealing malware known as the WASP (or W4SP) stealer.

    The WASP stealer, which the advisory rates as high in probability with critical damage potential, is persistent malware hosted on Discord that its developer claims is undetectable.

    The advisory reads: “The Invisible Challenge involves wrapping a somewhat transparent body contouring filter around a presumed naked individual. Attackers are uploading videos to TikTok with a link to software that they claim can reverse the filter’s effects.

    “Those who click on the link and attempt to download the software, known as “unfilter,” are infected with the WASP stealer. Suspended accounts had amassed over a million views after initially posting the videos with a link. Following the link leads to the “Space Unfilter” Discord server, which had 32,000 members at its peak but has since been removed by its creators.

    “Successful installation will allow the malware to harvest keystrokes, screenshots, network activity, and other information from devices where it is installed. It may also covertly monitor user behaviour and harvest Personally Identifiable Information (PII), including names and passwords, keystrokes from emails, chat programs, websites visited, and financial activity.

    “This malware may be capable of covertly collecting screenshots, video recordings, or the ability to activate any connected camera or microphone,” it explained.

    The Team said some ways to forestall such an attack include avoiding clicking on suspicious links, using anti-malware software on your devices, checking the app tray and removing any apps that you do not remember installing or that are dormant, and embracing healthy password hygiene practices such as using a password manager.

    The CSIRT is the telecom sector’s cyber security incident centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

    The CSIRT also works collaboratively with the Nigerian Computer Emergency Response Team (ngCERT), established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, problems or related events.

  • NCC warns against apps by Mobile Apps Group in Google Play Store


    Following the constant introduction of malicious apps into Google Play Store, the Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has advised against the installation of apps from the offending publisher, the ‘Mobile Apps Group’, whose products were discovered to contain Trojans and adware that are harmful to users and their privacy.

    NCC-CSIRT’s advisory on the incident disclosed that “The Nigeria Computer Emergency Response Team (ngCERT) has continued to observe and monitor the constant introduction of malicious mobile applications into Google Play Store.

    “Mobile apps Group has a history of distributing malware-infected apps through the Google Play store, and the current batch of apps has already been downloaded over a million times,” it said.

    It listed the group’s malicious apps as Bluetooth Auto Connect; Bluetooth App Sender; Driver: Bluetooth, Wi-Fi, USB; and Mobile transfer: smart switch.

    According to the advisory, “The apps will delay the display of ads for up to three days after installation to avoid detection. However, once this period has passed, the user is bombarded with advertisements and is directed to malicious phishing websites in the Chrome browser. While the device is idle, the malicious app can open Chrome tabs in the background. Some of the sites it opens may appear to be harmless, but they are pay-per-click pages that generate revenue for the developers when clicked on.”

    Consequences of installing the malicious apps include the user being bombarded with advertisements, which degrades the user experience; theft of sensitive user data; clicking on the ads resulting in the stealth download or installation of additional malware; and the user’s privacy and data being jeopardized.

    These unpleasant consequences are avoidable when users refrain from downloading apps developed by Mobile Apps Group and make sure to read app reviews before installing any app. Other proffered solutions are for users that may have installed any of the identified malicious apps to immediately uninstall them and to install an up-to-date anti-malware solution to detect and remove malware.

    NCC-CSIRT rated the malicious activities of the offending apps as high in probability and potential to do damage.

    The CSIRT is the telecom sector’s cyber security incident centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

    The CSIRT also works collaboratively with ngCERT, established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, problems or related events.

  • NCC-CSIRT alerts on Google Chrome extensions malware


    The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has identified five malicious Google Chrome extensions that surreptitiously track users’ browsing activity and steal their data.

    According to NCC-CSIRT, the five malicious extensions which the McAfee Mobile Research Team earlier discovered are Netflix Party with 800,000 downloads, Netflix Party 2 with 300,000 downloads, Full Page Screenshot Capture Screenshotting with 200,000 downloads, FlipShope Price Tracker Extension with 80,000 downloads, and AutoBuy Flash Sales with 20,000 downloads.

    The NCC-CSIRT said the five Google Chrome extensions identified are rated high in probability and damage potential, have been downloaded more than 1.4 million times, and serve as a channel for stealing users’ data. The telecom sector-focused cyber security protection team alerted telecom consumers to be cautious when installing any browser extension.

    “The users of these chrome extensions are unaware of their invasive functionality and privacy risk. Malicious extensions monitor victims’ visits to e-commerce websites and modify the visitor’s cookie to appear as if they came through a referrer link. Consequently, the extensions’ developers get an affiliate fee for any purchases at electronic shops,” the advisory said.

    In addition, the advisory stated that, although Google removed several browser extensions from its Chrome Web Store, keeping malicious extensions out may be difficult. The NCC-CSIRT, thus, recommended that telecom consumers observe caution when installing any browser extension.

    “These include removing all listed extensions from their Chrome browser manually. Internet users are to pay close attention to the promptings from their browser extensions, such as the permission to run on any website visited and the data requested, before installing it. Although some extensions are seemingly legit due to the high number of user downloads, these hazardous add-ons make it imperative for users to ascertain the authenticity of extensions they access,” the advisory stated.

    Google Chrome extensions are software programmes that can be installed into Chrome in order to change the browser’s functionality. This includes adding new features to Chrome or modifying the existing behaviour of the program itself to make it more convenient for the user. They serve purposes such as blocking ads, integrating with password managers and finding coupons for items added to a shopping cart.

    The Computer Security Incident Response Team (CSIRT) is the telecom sector’s cyber security incident centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.
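    The advisory’s practical advice is to look at what an extension asks for before installing it: the right to run on every website visited, and access to data such as cookies, is exactly what lets an extension rewrite affiliate cookies on e-commerce sites. The script below is an added illustration and is not part of the NCC-CSIRT advisory or of any of the listed extensions; it reviews a Chrome extension `manifest.json` (the real Manifest V2/V3 format, where host patterns live in `permissions`, `host_permissions` or `content_scripts[].matches`) and rates the combination of broad host access plus sensitive API permissions. The two sample manifests are constructed for the example and do not reproduce any real extension.

```python
import json

# Chrome match patterns that grant access to every site the user visits.
ALL_SITES = "<all_urls>"

# API permissions that, combined with broad host access, let an extension
# read or tamper with sessions on any site (cookie/affiliate abuse as in the
# advisory). Set chosen for this example; extend as policy requires.
SENSITIVE_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking",
    "declarativeNetRequest", "scripting", "tabs", "history",
}


def is_broad_host(pattern: str) -> bool:
    """True when a match pattern covers every host (e.g. <all_urls>, *://*/*)."""
    p = pattern.strip()
    if p == ALL_SITES:
        return True
    if "://" not in p:
        return False  # not a host pattern (plain API permission)
    host = p.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def review_manifest(manifest: dict) -> dict:
    """Summarise the host reach and sensitive permissions of one manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3
    # Manifest V2 mixes host patterns into "permissions"; separate them out.
    for p in list(perms):
        if "://" in p or p == ALL_SITES:
            hosts.add(p)
            perms.discard(p)
    # Content scripts also declare where they run.
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))

    broad = sorted(h for h in hosts if is_broad_host(h))
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if broad and sensitive:
        risk = "high"      # runs everywhere and can touch session data
    elif broad or sensitive:
        risk = "medium"
    else:
        risk = "low"
    return {
        "name": manifest.get("name", "<unnamed>"),
        "broad_hosts": broad,
        "sensitive_permissions": sensitive,
        "risk": risk,
    }


def review_manifest_json(text: str) -> dict:
    """Convenience wrapper for a raw manifest.json string."""
    return review_manifest(json.loads(text))


# Constructed sample: a screenshot-style extension that asks for far more
# than taking screenshots needs (hypothetical, not a real listing).
SUSPICIOUS_MANIFEST = """{
  "manifest_version": 3,
  "name": "Example Screenshot Helper",
  "permissions": ["cookies", "tabs", "activeTab"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
}"""

# Constructed sample: a minimal extension that only acts on the current tab
# when the user clicks it.
BENIGN_MANIFEST = """{
  "manifest_version": 3,
  "name": "Example Tab Note",
  "permissions": ["activeTab", "storage"]
}"""

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = review_manifest_json(text)
        print(f"{r['name']}: risk={r['risk']} hosts={r['broad_hosts']} "
              f"sensitive={r['sensitive_permissions']}")
```

    Run it against the `manifest.json` inside an unpacked extension directory (Chrome’s extension page lists each extension’s ID and install path) to get a quick, repeatable read on whether its permissions match what it claims to do.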

  • NCC-CSIRT flags ‘HiddenAds’ malware that jeopardizes users’ privacy


    The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has flagged a new malware, HiddenAds, which has infiltrated the Google Play Store and can impact device performance and jeopardize users’ privacy.

    In its advisory of August 8, 2022, NCC-CSIRT classified the virus, first identified by the McAfee Mobile Research Team, as high in probability and damage potential.

    The malware infiltrated the Google Play Store in the form of several device cleaners or optimization apps.

    According to the summary provided by NCC-CSIRT, “Upon installation, it can run malicious services without the user opening the app. It also spams the user with irrelevant advertisements. The apps have received downloads ranging from 100,000 to over a million.

    “Some of the apps HiddenAds masquerades as are: Junk Cleaner, EasyCleaner, Power Doctor, Carpet Clean, Super Clean, Meteor Clean, Strong Clean, Windy Clean, Fingertip Cleaner, Keep Clean, Full Clean – Clean Cache, Quick Cleaner, and Cool Clean.

    “When a user installs any of the aforementioned apps, whether the user has opened the app or not, a malicious service is immediately installed on the device. The app will then attempt to blend into the app tray by changing its icon to the Google Play icon that every Android user is familiar with. Its name will also change to ‘Google Play’ or ‘Setting’. The device will then be bombarded with ads in a variety of deceptive ways, severely impairing the user experience,” the advisory stated.

    Anyone who installs one of the compromised apps will see device performance suffer significantly; clicking on the ads may result in stealth downloads or installation of other malware; users may inadvertently subscribe to services and be billed on a monthly basis; and users’ privacy will be jeopardized.

    NCC-CSIRT advised users to avoid downloading questionable apps or apps they are unsure about while those who have installed any of the identified malicious apps should immediately delete them.

    It further disclosed that where the malicious app’s icon and name have changed, it can be identified by the fact that it is removable while the legitimate Google Play app cannot be uninstalled.

    The advisory recommended the installation of anti-virus/anti-malware software with a proven track record for detecting and removing malware.

    The Computer Security Incident Response Team (CSIRT) is the telecom sector’s cyber security incident centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

    The CSIRT also works collaboratively with the Nigeria Computer Emergency Response Team (ngCERT), established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting and securing the Nigerian cyberspace to forestall attacks, problems or related events.

  • Beware of dangerous malware posing as harmless Android apps


    The Google Play Store continues to be targeted with malware attacks. Several apps posing as useful tools have infected more than 300,000 Android devices, giving hackers access to vital personal information.

    Just like the recent Joker malware, these apps appear to be genuinely useful at first glance. Fitness trackers, QR code scanners and cryptocurrency trackers are tools many of us will have downloaded in the past without too much thought. They even work as advertised, so users are unlikely to suspect any malicious intent.

    However, over time these apps can be used to access huge amounts of personal data from the target device. This includes official documentation and banking information, meaning these apps can even be used to steal money from the unsuspecting user.

    As cybersecurity company ThreatFabric reports, Google has clamped down on the use of permissions to gain access to Android devices in recent weeks. But hackers have quickly adapted by making their malware more sophisticated. Instead of containing a large amount of malicious code that can be detected straight away, the malicious app introduces this gradually by requesting more and more permissions over time. Eventually, this can provide the app with near-total control of your device.

    How to stay safe from Android malware

    This malware attack serves as the latest reminder of the dangers of apps downloaded from the Play Store. Even though it’s still the safest place to download Android apps, some are malicious and can cause significant harm to your device.

    However, there are several steps you can take to avoid unintentionally installing malware on your device. The first is to check reviews within the Play Store itself. A low rating or lots of negative reviews is a red flag, as is almost exclusively positive feedback with reviews that sound generic or robotic. Apps with more downloads are generally more trustworthy, but that’s not always the case. Likewise, an app with no reviews isn’t necessarily malicious.

    It’s also worth sticking to well-known apps from recognised developers, where possible. If the provider’s name doesn’t ring any bells, research it online before downloading. For anything that’s already been downloaded, head into Settings and regularly review the permissions you’re giving to specific apps.

    This last piece of advice is probably the most significant. Make sure to download effective antivirus software, which can scan every new app that’s downloaded and constantly monitor it for suspicious activity. There are plenty of great free options, but some of the best antivirus software out there can be installed on all your devices.

  • Flubot: How to avoid being bitten by a new bug in town


    There is a new bug in town known as the Flubot Malware that you must avoid being bitten by because when it infects your device, it can result in incalculable financial losses.

    TheNewsGuru.com (TNG) reports that Flubot targets Android devices with fake security updates and app installations, and that its goal goes beyond stealing personal data: it is essentially aimed at stealing credit card details or online banking credentials.

    This is according to information received from the Nigeria Computer Emergency Response Team (ngCERT) and circulated by the Nigerian Communications Commission (NCC) on Friday.

    Alerting millions of Nigerian telecom consumers to the existence of the new, high-risk and extremely damaging malware, the telecoms regulatory body itemized how to avoid being bitten by the bug.

    How you could be bitten by Flubot

    TNG reports that malware is a generic term for a virus or other software designed specially to “disrupt, damage, or gain unauthorized access to a computer system.”

    The ngCERT affirmed that Flubot “impersonates Android mobile banking applications to draw fake web view on targeted applications” and that its goal goes beyond stealing personal data: it is essentially aimed at stealing credit card details or online banking credentials.

    FluBot is circulated through Short Message Service (SMS) and can snoop “on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control centre.”

    This malware attacks Android devices by pretending to be “FedEx, DHL, Correos, and Chrome applications” and compels unsuspecting users to alter the accessibility settings on their devices so that it can maintain a continuous presence on them.

    The new malware undermines the security of devices by copying the login screens of prominent banks. The moment users enter their login details on the fake pages, their data is harvested and transmitted to the malware operators’ control point. From there the data is exploited by intercepting banking-related One Time Passwords (OTPs), which the malware achieves by replacing the default SMS app on the targeted Android device.

    Consequently, it gains access to the device’s SMS and proceeds to send similar messages to other contacts on the device it has attacked, enticing them into downloading the fake app.

    It suffices to say that, when Flubot infects a device, it can result in incalculable financial losses. Additionally, the malware creates a backdoor which grants access to the user’s device, thus enabling the invader or attacker to perform other criminal actions, including launching other variants of malware.

    How to protect yourself against Flubot

    In view of this discovery and understanding of the process by which this malware operates, and in order to protect millions of telecom consumers and prevent criminal forces, irrespective of location, from using telecom platforms to perpetrate fraud and irredeemable damages, the NCC has reiterated the advisory of ngCERT as follows:

    1. Do not click on the link if you receive a suspicious text message, and do not install any app or security update the page asks you to install.
    2. Use updated antivirus software that detects and prevents malware infections.
    3. Apply critical patches to the system and application.
    4. Use strong passwords and enable Two-Factor Authentication (2FA) over logins.
    5. Back-up your data regularly.
    6. If you have been affected by this campaign, you should reset your device to factory mode as soon as possible. This will delete any data on your phone, including personal data.
    7. Do not restore from backups created after installing the app. You may contact ngCERT on *incident@cert.gov.ng* for technical assistance.
    8. You will also need to change the passwords to all of your online accounts, with urgency, especially your online bank accounts.
    9. If you have concerns that your accounts may have been accessed by unauthorised people, contact your bank immediately.

    Meanwhile, the NCC has restated its commitment to empowering consumers through useful information and education to protect them from falling victims of all kinds of cyber-attack while online.

    “As the Commission intensifies efforts in ensuring increased broadband access, enabling telecoms consumers to carry out their legitimate activities more efficiently and effectively online, it also restates its commitment to empowering consumers through useful information and education to protect them from falling victims of all kinds of cyber-attack while online.

    “This explains the rationale for the launch of the telecom sector’s Centre for Computer Security Incident Response by NCC on 30th September, 2021,” a statement by NCC’s Director of Public Affairs, Dr Ikechukwu Adinde, read.

  • Why you must delete these apps from your phone right now


    Google between July and September removed a number of apps that were infected with dangerous malware from the Play Store.

    TheNewsGuru.com (TNG) reports that the dangerous malware is known as the Joker malware, which has been infecting apps on the Play Store for the past several months.

    The malware is not new, but recently many app developers have also reported it, and Google removed these apps from the Play Store.

    The Joker malware is a malicious bot that has been categorized as fleeceware. The main function of this malware is to make the user click and subscribe to paid premium services via SMS.

    Without their knowledge, users subscribe to this service and fall prey to fraud. The Joker does its job with very little code and leaves very few traces behind, which makes it difficult to identify.

    Eleven Joker-infected apps were first removed from the Play Store in July. After this, 6 more apps were removed in early September. Recently 17 more apps were found to be infected with this malware, and they have now been removed from the Play Store.

    The apps infected by the malware on Google Play Store are:

    • All Good PDF Scanner
    • Mint Leaf Message-Your Private Message
    • Private SMS
    • Tangram App Lock
    • Direct Messenger
    • Unique Keyboard – Fancy Fonts & Free Emoticons
    • One Sentence Translator – Multifunctional Translator
    • Style Photo Collage
    • Meticulous Scanner
    • Desire Translate
    • Talent Photo Editor – Blur focus
    • Care Message
    • Part Message
    • Paper Doc Scanner
    • Blue Scanner
    • Hummingbird PDF Converter – Photo to PDF
    • All Good PDF Scanner
    • com.imagecompress.android
    • com.relax.relaxation.androidsms
    • com.file.recovefiles
    • com.training.memorygame
    • Push Message- Texting & SMS
    • Fingertip GameBox
    • com.contact.withme.texts
    • com.cheery.message.sendsms (two different instances)
    • com.LPlocker.lockapps
    • Safety AppLock
    • Emoji Wallpaper
    • com.hmvoice.friendsms
    • com.peason.lovinglovemessage
    • com.remindme.alram
    • Convenient Scanner 2
    • Separate Doc Scanner

  • FBI warns of emerging Internet threat, SamSam

    The American Federal Bureau of Investigation (FBI) has warned of a new cyber threat known as the SamSam ransomware.

    SamSam ransomware, like WannaCry, is a lethal malware which locks infected systems, encrypts files and demands payments of as much as $44,000 in return for decryption.

    Without access to core networks and systems, many firms and organizations will pay up rather than suffer through disruption which can be far more costly in the long run.

    When payment demands are a few hundred dollars or so, victims may be more inclined to pay the fee. However, the SamSam ransomware is now demanding far more than the average person would be able to raise.

    “MSIL or Samas (SAMSAM) was used to compromise the networks of multiple US victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application,” the FBI says.

    “SAMSAM exploits vulnerable Java-based Web servers. SAMSAM uses open-source tools to identify and compile a list of hosts reporting to the victim’s active directory.

    “The actors then use psexec.exe to distribute the malware to each host on the network and encrypt most of the files on the system.

    “The actors charge varying amounts in Bitcoin to provide the decryption keys to the victim,” the FBI added.

    According to AlienVault researchers, the ransomware is more akin to a targeted attack than opportunistic ransomware.

    A New York hospital was forced to either pay $44,000 to SamSam hackers or lose access to their systems after a successful infection. However, the organization refused to capitulate to the hackers’ demands and instead endured a month of disruption before the hospital’s systems were restored, according to ZDNet.

    Last week, the ransomware struck again, with $33,000 paid to a Bitcoin wallet that reports claim is associated with SamSam.

    While SamSam may not be the most sophisticated kind of ransomware out there, the successful exploit of victims reminds us that this malware is out in the wild.

    Like so many other kinds of ransomware, however, keeping systems patched and up-to-date can prevent infection.