By Corbin Davenport for Android Police
Google Play Protect is just about two years old, as it was introduced at I/O 2017. The tool scans all applications installed on your phone for identified malware – whether they are from the Play Store or from a sideloaded APK. At Google I/O 2019, it was revealed that Play Protect now scans 50 billion applications each day.
The number was announced as part of the focus on privacy and security during today’s keynote presentations. Play Protect has seen a number of improvements since it was introduced, like a new interface added earlier this year, though it mostly remains a silent and unobtrusive component to most people.
OUTA has notified members on its Facebook page that a highly suspicious SMS is doing the rounds with regards to e-tolls.
The organisation notes that before members of the public can appear in any court for any matter, they need to be summonsed.
This SMS is a scam to cash in on people’s fear in light of the current uncertainty around e-tolls. The SMS contains a link to documents which contain malware. The public is advised not to open the link, and to delete the SMS immediately.
By Alison DeNisco Rayome for Tech Republic
Microsoft Office documents packed with malicious macros are the most common malware loader of the past month, accounting for 45% of all delivery mechanisms analysed, according to a Thursday report from Cofense.
Office Macros were followed in popularity by CVE-2017-11882, malicious batch scripts, malicious PowerShell scripts, and WSC downloaders, the report found.
This demonstrates that threat actors tend to leverage tried-and-tested delivery mechanisms, the report noted. Macros may have a low barrier to entry, but they are not used only by immature or low-impact cybercriminals: Malware delivered via macros is among the worst in today’s threat landscape, including Geodo, Chanitor, AZORult, and GandCrab, according to the report.
Macros remain a popular email attachment method of delivering a malicious payload because they are typically enabled on a machine, or easily allowed with a single mouse click, the report noted—making it very easy to launch the first stage of an attack. When used this way, macros are embedded Visual Basic scripts that are often used to download or directly execute further payloads.
The Microsoft Office Macro feature could be enabled by default in your organisation’s IT environment, according to the report. When this is the case, a user may not receive any warning that something is wrong upon opening a malicious document. Even when an organisation has some kind of protection in place—such as a security warning at the top of the document—it can often be dismissed with just one click, or may be ignored by the user.
IT departments can protect their organisation from macros by disabling them enterprise-wide, the report said. However, many businesses rely on macros for their legitimate usage, in which case IT may want to consider enacting a blanket policy of blocking documents at the gateway, or, perhaps more realistically, combining different policies such as blocking or grey-listing documents coming from unknown senders. Security education is also key, the report said.
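The gateway policies the report describes (block or grey-list macro-bearing documents, with the sender's reputation deciding which) can be implemented by inspecting the attachment itself rather than trusting its extension. The following is an added example, not code from Cofense or the report: it detects a VBA project inside an OOXML (docx/xlsx/pptx family) container and applies the report's policy mix; the verdict names, the sample-document builder and the treatment of legacy OLE2 files as "unscannable here" are this example's own assumptions.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container

def has_vba_project(doc_bytes: bytes):
    """True: OOXML with a VBA project. False: macro-free OOXML.
    None: not an OOXML zip (legacy OLE2 or junk), needs a different scanner."""
    if doc_bytes.startswith(OLE2_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = zf.namelist()
            # Part-name check catches a .docm renamed to .docx; content-type check
            # catches a VBA part stored under an unusual part name.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                root = ET.fromstring(zf.read("[Content_Types].xml"))
                if any(el.get("ContentType") == VBA_CONTENT_TYPE for el in root.iter()):
                    return True
            return False
    except (zipfile.BadZipFile, ET.ParseError):
        return None

def gateway_verdict(doc_bytes: bytes, sender_known: bool) -> str:
    """Report's policy mix: macro-free passes; macro doc from unknown sender is
    blocked; macro doc from known sender, or anything unjudged, is grey-listed."""
    macro = has_vba_project(doc_bytes)
    if macro is False:
        return "allow"
    if macro is True and not sender_known:
        return "block"
    return "greylist"

def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo; not a real Word document."""
    types = ['<?xml version="1.0"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
            zf.writestr("word/vbaProject.bin", b"placeholder bytes, not real VBA")
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()
```

A real gateway would hand the `None` cases (legacy OLE2 binaries, which can also carry macros) to a dedicated OLE parser rather than grey-listing them forever.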
The big takeaways for tech leaders
- Microsoft Office documents packed with malicious macros are the most common malware loader of the past month, accounting for 45% of all delivery mechanisms.
- Malware delivered via macros is among the worst in today’s threat landscape, including Geodo, Chanitor, AZORult, and GandCrab.
Google’s numerous safeguards designed to prevent malicious apps from reaching Android users led to the removal of over 700,000 apps from the Google Play Store in 2017, the company said today. That’s a 70% increase over the total removals in 2016.
“Not only did we remove more bad apps, we were able to identify and action against them earlier,” Google Play product manager Andrew Ahn wrote in a blog post.
“99 percent of apps with abusive contents were identified and rejected before anyone could install them.”
Google attributes this success to its improved ability to detect abuse “through new machine learning models and techniques.”
Copycat apps are still a significant problem
Copycat apps designed to resemble popular mainstays remain a popular method of trying to deceive users, according to Ahn. Google removed over a quarter of a million of these impersonating apps last year. The company also says it kept “tens of thousands” of apps with inappropriate content (pornography, extreme violence, hate, and illegal activities) out of the Play Store. Machine learning plays a key role here in helping human reviewers keep an eye out for bad apps and malicious developers.
“Potentially harmful applications” (PHAs) are apps that attempt to phish users’ personal information, act as a trojan horse for malware, or commit SMS fraud by firing off texts without a user’s knowledge. “While small in volume, PHAs pose a threat to Android users and we invest heavily in keeping them out of the Play Store,” Ahn said.
Google Play Protect scans installed apps to monitor for malicious activity. (Image: Google)
Last year, Google put all of its malware scanning and detection technologies under the umbrella of Google Play Protect. The Android operating system automatically performs scans on installed applications to hunt for anything that’s out of place, and users can also manually trigger scans of their Android smartphones right in the updates section. (I’ve finally managed to stop hitting this button when checking for new versions of apps, but it took some time.)
Still, bad apps do occasionally slip through Google’s defenses. In August, Google discovered and kicked out 30 apps that were secretly using the devices they were installed on to perform DDoS attacks. Just earlier this month, the company removed 60 games from the Play Store — some of them meant for children — that were found to display pornographic ads. Google says it will continue to upgrade its methods and machine learning models against bad actors trying to trick consumers with apps that violate its policies. Those efforts indeed seem to be paying off in helping Android’s security turn a corner.
By Chris Welch for The Verge
The City of Johannesburg has said it suspected that malware has infected one of the servers hosting its Web site, causing major downtime last week.
This is just one in a long string of woes for the city.
The billing system, inherited from the ANC when the DA won the metro, has been in crisis for some months. The City tried to fix it by rolling out a new system, which automatically requires payment on the 15th of the month unless rate payers ask for it to be the 28th, by way of e-mail or the call centre.
As a result of the change in date, as well as a lack of postal notices and SMS notices, many households have unintentionally fallen behind in payment – or worse, have not, but have been cut off anyway. Re-instatement of electricity is a costly and time-consuming exercise, and falling behind on payments can impact credit ratings.
Local councillors instructed their ward members to use the CoJ Web site to ensure they know what they owe and don’t fall behind on payments.
However, the city’s website – https://joburg.org.za/ – was inaccessible through browsers like Google Chrome for almost two days last week, due to a malware warning from Google.
When attempting to access the site, Google’s safe browsing warning turns users away, stating that it contains harmful content – including pages that “send visitors to harmful websites”.
The city said it was aware of the issue, and had an investigation underway.
“Preliminary indications suggest that one of the servers hosting the website may be infected with malware. It is also possible that the outage may be a result of corrupted code,” said the City of Johannesburg.
“Fortunately, the city’s customer data has not been compromised as it resides in separate servers.”
According to the ZACR’s records, the City of Johannesburg is the registrant of the domain, while Internet Solutions is the sponsoring registrar.
Although the issues with the site have since been fixed, it leaves many questioning what kind of security is in place for one of the city’s most important databases.
Source: MyBroadband; My Office News
Kaspersky Lab’s Global Research and Analysis Team has discovered a new sophisticated wiper malware, called StoneDrill.
Just like another infamous wiper, Shamoon, it destroys everything on the infected computer. StoneDrill also features advanced anti-detection techniques and espionage tools in its arsenal. In addition to targets in the Middle East, one StoneDrill target has also been discovered in Europe, where wipers used in the Middle East have not previously been spotted in the wild.
Kaspersky Lab experts have detected a new Trojan targeting Android devices that can be compared to Windows-based malware in terms of its complexity. Triada is stealthy, modular, persistent and written by very professional cybercriminals. Devices running Android 4.4.4 and earlier versions of the OS are at greatest risk.
According to the recent Kaspersky Lab research on Mobile Virusology, nearly half of the top 20 Trojans in 2015 were malicious programmes with the ability to gain super-user access rights. Super-user privileges give cybercriminals the rights to install applications on the phone without the user’s knowledge.
This type of malware propagates through applications that users download/install from untrusted sources. These apps can sometimes be found in the official Google Play app store, masquerading as a game or entertainment application. They can also be installed during an update of existing popular applications and are occasionally pre-installed on the mobile device. Those at greatest risk include devices running Android 4.4.4 and earlier versions of the OS.
There are 11 known mobile Trojan families that use root privileges. Three of them – Ztorg, Gorpo and Leech – act in cooperation with each other. Devices infected with these Trojans usually organise themselves into a network, creating a sort of advertising botnet that threat actors can use to install different kinds of adware.
Shortly after rooting on the device, the above-mentioned Trojans download and install a backdoor. This then downloads and activates two modules that have the ability to download, install and launch applications.
The application loader and its installation modules refer to different types of Trojans, but all of them have been added to our antivirus databases under a common name – Triada.
A distinguishing feature of this malware is the use of Zygote – the parent of the application process on an Android device – which contains the system libraries and frameworks used by every application installed on the device. In other words, it is a daemon whose purpose is to launch Android applications. This is a standard app process that works for every newly installed application. It means that as soon as the Trojan gets into the system, it becomes part of the app process and will be present in any application launched on the device, and can even change the logic of the application’s operations.
This is the first time technology like this has been seen in the wild.
The stealth capabilities of this malware are very advanced. After getting into the user’s device Triada implements in nearly every working process and continues to exist in the short-term memory. This makes it almost impossible to detect and delete using antimalware solutions. Triada operates silently, meaning that all malicious activities are hidden both from the user and from other applications.
The complexity of the Triada Trojan’s functionality proves the fact that very professional cybercriminals, with a deep understanding of the targeted mobile platform, are behind this malware.
The Triada Trojan can modify outgoing SMS messages sent by other applications. This is now a major functionality of the malware. When a user is making in-app purchases via SMS for Android games, fraudsters are likely to modify the outgoing SMS so that they receive the money instead of the game developers.
“The Triada of Ztorg, Gorpo and Leech marks a new stage in the evolution of Android-based threats. They are the first widespread malware with the potential to escalate their privileges on most devices. The majority of users attacked by the Trojans were located in Russia, India and Ukraine as well as APAC countries. It is hard to underestimate the threat of a malicious application gaining root access to a device. Their main threat, as the example of Triada shows, is in the fact that they provide access to the device for much more advanced and dangerous malicious applications. They also have a well-thought-out architecture developed by cybercriminals who have deep knowledge of the target mobile platform,” says Nikita Buchka, junior malware analyst, Kaspersky Lab.
As it is nearly impossible to uninstall this malware from a device, users face two options to get rid of it. The first is to “root” their device and delete the malicious applications manually. The second option is to jailbreak the Android system on the device.
Kaspersky Lab products detect Triada Trojan components as: Trojan-Downloader.AndroidOS.Triada.a; Trojan-SMS.AndroidOS.Triada.a; Trojan-Banker.AndroidOS.Triada.a; Backdoor.AndroidOS.Triada.
A new ransomware “super bug”, codenamed “Locky”, is on the loose. There have been 500 000 sessions of the virus crossing the globe in the last few weeks – and now it has arrived in South Africa.
Anti-virus coverage for this type of malware is very poor – only four out of 54 service providers detected it.
It is believed that there are 4 000 infections an hour now – 100 000 infections a day.
A hospital group in the US has had to shut its doors after the fee to purchase its own files was set at $3,6-million – to be paid in untraceable Bitcoin.
There are 499 000 other cases of Locky reported so far. The virus is spread via infected Word documents.
A click on the attachment and the unfortunate victims, unable to mitigate this threat, are given a ransom demand for their files.
And a subsequent visit to the referenced Locky payment portal site reveals multiple options for victims to pay – including payment plans.
How to stay Locky-free:
• Never download freeware or files from untrusted sources as they might be infected.
• Always scan removable devices before using them.
• Regularly scan your PC to detect .locky File Extension Ransomware as well as other related threats.
• Always keep Windows Operating System updated.
• Browser’s security settings should be activated and set to medium level.
• Avoid installation of ActiveX controls as it is somewhat prone to .locky File Extension Ransomware.
• Never install potentially unwanted programs on your PC.
• Always carefully read “License and Agreement” before installing any freeware.
• Turn on firewall and other security settings for better PC protection.
• Do not click on suspicious links while surfing the web.
• Avoid getting carried away by unrealistic deals and offers as it can be a trick used by .locky File Extension Ransomware.
• Never respond to unknown mails and messages.