Source: Business Ghana
Secure-D from Upstream detected 1.69 million malware-infected android devices in South Africa last year. Within many popular apps, Malware is lurking unseen and committing background fraud that targets advertisers, operators and consumers. The blocked transactions came from more than 18 000 different applications.
While the rogue apps behave normally on a smartphone’s screen, they surreptitiously click on links and adverts, sign users up to subscription services and consume vast amounts of data from prepaid contracts. Not only do advertisers pay app developers for the false clicks, the fraudulent apps are also used to steal personal data about the smartphone user without any visible sign of the fraudulent activity.
Specialist mobile security company Upstream works with a number of operators in South Africa to protect consumers and businesses from this type of fraud. The company’s Secure-D platform monitors app activity and blocks suspicious transactions. In an end of year report , Upstream revealed that it checked more than 50 million Android transactions in South Africa in 2019, identifying and blocking 86 percent of them as fraudulent.
Fraudsters recognise that smartphone users regularly watch and share videos, and they often hide malicious activity in video apps. In 2019, South Africa’s worst three offending Apps were all video apps:
VIDMATE: 15-million blocked transactions
Downloaded worldwide more than 500 million times – Vidmate lets people download videos and songs from popular social media sites and entertainment services, allowing users to watch content offline. In the background, however, a hidden component generates fake clicks and purchases and downloads other suspicious apps without the user’s knowledge. Vidmate was by far the most dangerous app in South Africa in 2019, and is now only available on independent Apps stores, having been removed from Google Play.
SNAPTUBE: 2-million blocked transactions
The Snaptube video app infected 4.4 million handsets and generated more than 70 million fraudulent transactions, with 2 million of those transactions originating in South Africa. Upstream exposed Snaptube in October 2019, but it is also still available on third-party Android app stores.
VIVAVIDEO: 560 000 blocked transactions
A very popular video editing software app for smartphones, Vivavideo has been downloaded more than 100 million times worldwide. But just like Vidmate, its background behaviour leaves a lot to be desired and Secure D was working hard to block more than half a million fraudulent transactions in South Africa alone.
According to a report  on the state of malware and mobile ad fraud released by mobile technology company Upstream , 93 percent of total mobile transactions in 20 countries were blocked as fraudulent in 2019. Data from the Invisible Digital Threat  is based on deployments of Upstream’s Secure-D  full-stack anti-fraud platform, which detects and blocks fraudulent mobile transactions that primarily originated from ad fraud malware. At the end of 2019, Secure-D was used by 31 mobile operators in 20 countries.
In those markets, Upstream’s security platform processed 1.71 billion mobile transactions and blocked 1.6 billion of them as fraudulent, a staggering 93 percent of total transactions. It’s estimated that these transactions would have cost users $2.1bn in unwanted charges had they not been identified. For the industry as a whole, losses from online, mobile and in-app advertising reached $42 billion  in 2019 and are expected to reach $100 billion by 2023.
Why android mobile phones are targeted
Fraudsters target Android handsets because the open operating system is easier to work with, and there are a host of unofficial places to visit and download apps. Additionally, in countries like South Africa, a large proportion of consumers use prepaid mobile phones as their main method to access the Internet. These users also often use their airtime credit to buy digital services, enabling fraudsters to subscribe users to premium services without their knowledge.
A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.
Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google’s systems might send if they detect your site is seeking to benefit from automated clicks. The message continues:
“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”
The message goes on to warn that while the targeted site’s ad revenue will be briefly increased, “AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent.”
“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”
The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate.
The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially.
The reader, who asked not to be identified in this story, also pointed to articles about a recent AdSense crackdown in which Google announced it was enhancing its defenses by improving the systems that identify potentially invalid traffic or high risk activities before ads are served.
Google defines invalid traffic as “clicks or impressions generated by publishers clicking their own live ads,” as well as “automated clicking tools or traffic sources.”
“Pretty concerning, thought it seems this group is only saying they’re planning their attack,” the reader wrote.
Google declined to discuss this reader’s account, saying its contracts prevent the company from commenting publicly on a specific partner’s status or enforcement actions. But in a statement shared with KrebsOnSecurity, the company said the message appears to be a classic threat of sabotage, wherein an actor attempts to trigger an enforcement action against a publisher by sending invalid traffic to their inventory.
“We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding,” the statement explained. “For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems.”
Google said it has extensive tools and processes to protect against invalid traffic across its products, and that most invalid traffic is filtered from its systems before advertisers and publishers are ever impacted.
“We have a help center on our website with tips for AdSense publishers on sabotage,” the statement continues. “There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”
Johannesburg residents using pre-paid electricity have been left in the dark after a computer virus hit City Power, rendering users unable to purchase electricity.
The utility’s spokesperson, Isaac Mangena, was cited on News24 as saying “the virus had attacked its database and other software, impacting on most of its applications and networks”.
This resulted in City Power customers being unable to upload pre-paid electricity to their meter boxes.
The City Power website is also affected by the virus.
Mangena also stated that City Power hoped to have resolved the problem by midday on Thursday.
By James Pero for DailyMail.com
Malware that replaces victims’ legitimate apps with a malicious doppelgänger has infected 25-million devices across India, the UK and the US, say security researchers.
The virus, named ‘Agent Smith’ after a fictional character from the, ‘The Matrix’ who is able to make others into copies of himself, was highlighted by the security firm Check Point on Wednesday and affects users on Android devices.
Instead of stealing data, the malware covertly replaces apps inside a user’s phone with hacked versions which display ads selected by the hackers, allowing them to profit off their views.
To avoid detection, the malware — under its disguise as popular apps like WhatsApp or Flipkart — is also capable of replacing code in the original program with its own malicious version that prevents an app from being updated.
At least 15-million of the devices infected are located in India and 300,000 have been detected in the U.S. Other infections are spread across Asia as well as the U.K., and Australia.
‘The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,’ said Jonathan Shimonovich, head of Mobile Threat Detection Research at Check Point.
‘Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like ‘Agent Smith”
A malware called ‘Agent Smith’ was found to have infected 25 million device mostly in India.
Malicious code was able to disguise itself as legitimate apps and take over the ads served inside those programs.
Hackers didn’t steal users data but were able to make money off serving up phoney ads.
Many users were unaware that they had been infected.
Code spread via third party app-store 9Apps and unsuccessfully tried to infect users in the Google Play store.
The malware is named after a fictional villain in the 1999 movie ‘The Matrix’ who was able to turn victims into copies of himself.
Researchers say Agent Smith was able to spread to devices through a third-party app store called 9Apps.
Malicious code was embedded into photo apps and sex-related apps which were then downloaded by users.
Once inside a victim’s device, the malware would disguise itself as a legitimate app and then begin replacing code.
As reported by The Verge, creators of the malware also attempted to infect users in the Google Play store through 11 apps containing bits of malicious code.
The foray was reportedly unsuccessful and Google has removed all the apps from its store.
A vulnerability in Android that allowed hackers to include their code was patched several years ago, but developers failed to patch their apps, leaving many open to attack.
To avoid being compromised by malware like Agent Smith, Check Point has some simple words of advice.
‘Users should only be downloading apps from trusted app stores to mitigate the risk of infection as third party app stores often lack the security measures required to block adware loaded apps,’ wrote researchers.
By Corbin Davenport for Android Police
Google Play Protect is just about two years old, as it was introduced at I/O 2017. The tool scans all applications installed on your phone for identified malware – whether they are from the Play Store or from a sideloaded APK. At Google I/O 2019, it was revealed that Play Protect now scans 50-billion applications each day.
The number was announced as part of the focus on privacy and security during today’s keynote presentations. Play Protect has seen a number of improvements since it was introduced, like a new interface added earlier this year, though it mostly remains a silent and unobtrusive component to most people.
OUTA has notified members on its Facebook page that a highly suspicious SMS is doing the rounds with regards to e-tolls.
The organisation notes that before members of the public can appear in any court for any matter, they need to be summonsed.
This SMS is a scam to cash in on people’s fear in light of the current uncertainty around e-tolls. The link contains a link to documents which contain malware. The public is advised not to open the link, and to delete the SMS immediately.
By Alison DeNisco Rayome for Tech Republic
Microsoft Office documents packed with malicious macros are the most common malware loader of the past month, accounting for 45% of all delivery mechanisms analysed, according to a Thursday report from Cofense.
Office Macros were followed in popularity by CVE-2017-11882, malicious batch scripts, malicious PowerShell scripts, and WSC downloaders, the report found.
This demonstrates that threat actors tend to leverage tried-and-tested delivery mechanisms, the report noted. Macros may have a low barrier to entry, but they are not used only by immature or low-impact cybercriminals: Malware delivered via macros is among the worst in today’s threat landscape, including Geodo, Chanitor, AZORult, and GandCrab, according to the report.
Macros remain a popular email attachment method of delivering a malicious payload because they are typically enabled on a machine, or easily allowed with a single mouse click, the report noted—making it very easy to launch the first stage of an attack. When used this way, macros are embedded Visual Basic scripts that are often used to download or directly execute further payloads.
The Microsoft Office Macro feature could be enabled by default in your organisation’s IT environment, according to the report. When this is the case, a user may not receive any warning that something is wrong upon opening a malicious document. Even when an organisation has some kind of protection in place—such as a security warning at the top of the document—it can often be dismissed with just one click, or may be ignored by the user.
IT departments can protect their organisation from macros by disabling them enterprise-wide, the report said. However, many businesses rely on macros for their legitimate usage, in which case IT may want to consider enacting a blanket policy of blocking documents at the gateway, or, perhaps more realistically, combining different policies such as blocking or grey-listing documents coming from unknown senders. Security education is also key, the report said.
The big takeaways for tech leaders
- Microsoft Office documents packed with malicious macros are the most common malware loader of the past month, accounting for 45% of all delivery mechanisms.
- Malware delivered via macros is among the worst in today’s threat landscape, including Geodo, Chanitor, AZORult, and GandCrab.
Google’s numerous safeguards designed to prevent malicious apps from reaching Android users led to the removal of over 700,000 apps from the Google Play Store in 2017, the company said today. That’s a 70% increase over the total removals in 2016.
“Not only did we remove more bad apps, we were able to identify and action against them earlier,” Google Play product manager Andrew Ahn wrote in a blog post.
“99 percent of apps with abusive contents were identified and rejected before anyone could install them.”
Google attributes this success to its improved ability to detect abuse “through new machine learning models and techniques.”
Copycat apps are still a significant problem
Copycat apps designed to resemble popular mainstays remain a popular method of trying to deceive users, according to Ahn. Google removed over a quarter of a million of these impersonating apps last year. The company also says it kept “tens of thousands” of apps with inappropriate content (pornography, extreme violence, hate, and illegal activities) out of the Play Store. Machine learning plays a key role here in helping human reviewers keep an eye out for bad apps and malicious developers.
“Potentially harmful applications” (PHAs) are apps that attempt to phish users’ personal information, act as a trojan horse for malware, or commit SMS fraud by firing off texts without a user’s knowledge. “While small in volume, PHAs pose a threat to Android users and we invest heavily in keeping them out of the Play Store,” Ahn said.
Google Play Protect scans installed apps to monitor for malicious activity. Google
Last year, Google put all of its malware scanning and detection technologies under the umbrella of Google Play Protect. The Android operating system automatically performs scans on installed applications to hunt for anything that’s out of place, and users can also manually trigger scans of their Android smartphones right in the updates section. (I’ve finally managed to stop hitting this button when checking for new versions of apps, but it took some time.)
Still, bad apps do occasionally slip through Google’s defenses. In August, Google discovered and kicked out 30 apps that were secretly using the devices they were installed on to perform DDoS attacks. Just earlier this month, the company removed 60 games from the Play Store — some of them meant for children — that were found to display pornographic ads. Google says it will continue to upgrade its methods and machine learning models against bad actors trying to trick consumers with apps that violate its policies. Those efforts indeed seem to be paying off in helping Android’s security turn a corner.
By Chris Welch for The Verge
The City of Johannesburg has said it suspected that malware has infected one of the servers hosting its Web site, causing major downtime last week.
This is just one in a long string of woes for the city.
The billing system, inherited from the ANC when the DA won the metro, has been in crisis for some months. The City tried to fix it by rolling out a new system, which automatically requires payment on the 15th of the month unless rate payers ask for it to be the 28th, by way of e-mail or the call centre.
As a result of the change in date, as well as a lack of postal notices and SMS notices, many household have unintentionally fallen behind in payment – or worse, have not, but have been cut off anyway. Re-instatement of electricity is a costly and time-consuming exercise, and falling behind on payments can impact credit ratings.
Local councillors instructed their ward members to use the CoJ Web site to ensure they know what they owe and don’t fall behind on payments.
However, the city’s website – https://joburg.org.za/ – was inaccessible through browsers like Google Chrome for almost two days last week, due to a malware warning from Google.
When attempting to access the site, Google’s safe browsing warning turns users away, stating that it contains harmful content – including pages that “send visitors to harmful websites”.
The city said it was aware of the issue, and had an investigation underway.
“Preliminary indications suggest that one of the servers hosting the website may be infected with malware. It is also possible that the outage may be a result of corrupted code,” said the City of Johannesburg.
“Fortunately, the city’s customer data has not been compromised as it resides in separate servers.”
According to the ZACR’s records, the City of Johannesburg is the registrant of the domain, while Internet Solutions is the sponsoring registrar.
Although the issues with the site have since been fixed, it leaves many questioning what kind of security is in place for one of the city’s most important databases.
Source: MyBroadband; My Office News
Kaspersky Lab’s Global Research and Analysis Team has discovered a new sophisticated wiper malware, called StoneDrill.
Just like another infamous wiper, Shamoon,it destroys everything on the infected computer. StoneDrill also features advanced anti-detection techniques and espionage tools in its arsenal. In addition to targets in the Middle East, one StoneDrill target has also been discovered in Europe, where wipers used in the Middle East have not previously been spotted in the wild.