Tuesday, January 24, 2017

Android Malware that Infected Millions Returns to Google Play Store


HummingBad, an Android malware that infected over 10 million Android devices around the world last year and made its operators an estimated US$300,000 per month at its peak, has made a comeback.

Security researchers have discovered a new variant of the HummingBad malware hiding in more than 20 Android apps on Google Play Store.

The infected apps had already been downloaded by over 12 million unsuspecting users before the Google security team removed them from the Play Store.

Dubbed HummingWhale by researchers at security firm Check Point, the new variant uses new techniques that let it carry out ad fraud more effectively than its predecessor and generate revenue for its operators.

The Check Point researchers said the HummingWhale-infected apps had been published on the Play Store under the names of fake Chinese developers, shared a common package-name structure, com.[name].camera, and showed suspicious startup behavior.
"It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which [were] dubious in that context," Check Point researchers said in a blog post published Monday.

HummingWhale Runs Malicious Apps in a Virtual Machine

HummingWhale is trickier than HummingBad: its disguised Android application package (APK) acts as a dropper that downloads and runs further apps on the victim's smartphone.

If the victim notices and kills its process, the dropper moves its payload into a virtual machine, making it harder to detect.

The dropper uses DroidPlugin, an Android plugin framework created by the Chinese security vendor Qihoo 360, to load malicious apps into the virtual machine. This lets HummingWhale run additional apps without having to request elevated permissions, and it disguised the malicious activity well enough to get the apps onto Google Play.
"This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad," researchers said. "However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine."
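Check Point's indicators above (the com.[name].camera package naming, receivers registered for boot-time events, and the DroidPlugin framework) can be turned into a quick static triage of a decoded APK. The script below is an added example, not Check Point's tooling and not code from the malware: it parses a decoded AndroidManifest.xml (as apktool produces it) for receivers on the listed actions, matches the package-name pattern, and looks for DroidPlugin classes in the APK's class list. The sample manifest and class list are constructed; the DroidPlugin class prefix com.morgoo.droidplugin is an assumption taken from the library's public GitHub source and should be verified against the copy in hand. Note that TIME_TICK and SCREEN_OFF can only be registered at runtime, so a manifest scan will not see them; catching those requires looking for registerReceiver calls in the dex.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcast actions a plain camera app has little reason to listen for.
# TIME_TICK and SCREEN_OFF can only be registered at runtime (registerReceiver),
# so a manifest scan never sees them; BOOT_COMPLETED and INSTALL_REFERRER can be
# declared in the manifest and are the usual hook for registering the rest on boot.
SUSPICIOUS_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "com.android.vending.INSTALL_REFERRER",
    "android.intent.action.TIME_TICK",
    "android.intent.action.SCREEN_OFF",
}

# Package-name shape Check Point reported for the HummingWhale camera apps.
CAMERA_PKG = re.compile(r"^com\.[a-z0-9_]+\.camera$")

# Class-name prefix of the DroidPlugin library as published on GitHub by Qihoo 360
# (assumption: verify against the upstream source before relying on it).
DROIDPLUGIN_PREFIX = "com.morgoo.droidplugin."


def triage_manifest(manifest_xml: str) -> dict:
    """Parse a decoded AndroidManifest.xml (e.g. apktool output) and report the
    package name plus any manifest-declared receivers for suspicious actions."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    hits = []
    for receiver in root.iter("receiver"):
        name = receiver.get(f"{{{ANDROID_NS}}}name", "?")
        for action in receiver.iter("action"):
            act = action.get(f"{{{ANDROID_NS}}}name", "")
            if act in SUSPICIOUS_ACTIONS:
                hits.append((name, act))
    return {
        "package": package,
        "camera_name_pattern": bool(CAMERA_PKG.match(package)),
        "suspicious_receivers": hits,
    }


def uses_droidplugin(class_names) -> bool:
    """True if any class in the APK's dex (e.g. listed by `apkanalyzer dex packages`
    or `dexdump`) lives in the DroidPlugin namespace."""
    return any(c.startswith(DROIDPLUGIN_PREFIX) for c in class_names)


def score(manifest_xml: str, class_names) -> list:
    """Combine the indicators into a list of human-readable findings."""
    m = triage_manifest(manifest_xml)
    findings = []
    if m["camera_name_pattern"]:
        findings.append(f"package name matches com.<name>.camera pattern: {m['package']}")
    for receiver, action in m["suspicious_receivers"]:
        findings.append(f"receiver {receiver} listens for {action}")
    if uses_droidplugin(class_names):
        findings.append("DroidPlugin classes present: app can run other APKs in-process")
    return findings


# Constructed sample input, not a real HummingWhale manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".ReferrerReceiver">
      <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed class list in the form a dex lister would print.
SAMPLE_CLASSES = [
    "com.example.camera.MainActivity",
    "com.morgoo.droidplugin.PluginManager",
    "com.morgoo.droidplugin.hook.HookFactory",
]

if __name__ == "__main__":
    for finding in score(SAMPLE_MANIFEST, SAMPLE_CLASSES):
        print("[!]", finding)
```

Run it against `apktool d app.apk` output by reading the decoded manifest into `score()` together with the class list from your dex tool; a plain camera app should produce no findings at all.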

HummingWhale Runs Without Having to Root the Android Device

Thanks to the virtual machine (VM), HummingWhale, unlike HummingBad, no longer needs to root the device, and it can run any number of malicious or fraudulent apps on the victim's device without overloading it.

Once a device is infected, the command-and-control (C&C) server sends it fake ads and malicious apps, which run inside the VM and generate a fake referrer ID that spoofs a unique user for ad-fraud purposes, earning the operators revenue per fake install.

Like the original HummingBad, HummingWhale's purpose is to make money through ad fraud and fake app installations.

Besides these capabilities, HummingWhale also tries to raise its reputation on the Google Play Store with fraudulent ratings and comments, a tactic similar to the one used by the Gooligan malware.

Over 1 Million Google Accounts Hacked by 'Gooligan' Android Malware

 
If you own an Android smartphone, beware! A new Android malware that has already breached more than 1 million Google accounts is infecting around 13,000 devices every day.

Dubbed Gooligan, the malware roots vulnerable Android devices to steal email addresses and authentication tokens stored on them.

With this information in hand, the attackers can hijack your Google account and access your sensitive data in Google apps, including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.

Researchers found traces of Gooligan code in dozens of legitimate-looking Android apps on third-party app stores. Once such an app is installed, the malware starts sending the device's information and stolen data to its command-and-control (C&C) server.
"Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153)," researchers said in a blog post.
"If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely."
According to the Check Point researchers who uncovered the malware, anyone running an older version of Android, namely 4.x (Jelly Bean, KitKat) or 5.x (Lollipop), is most at risk; those versions represent nearly 74% of Android devices in use today.
"These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user," researchers added.
Once it has rooted a device, Gooligan also generates revenue for the criminals by fraudulently buying and installing apps from the Google Play Store and rating and reviewing them on the owner's behalf. The malware also installs adware to generate revenue.
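A practitioner triaging a fleet wants a quick way to tell which devices fall in the exposed 4.x/5.x range and whether a device already shows signs of being rooted. The script below is an added example, not Check Point's Gooligan Checker and not Google tooling: it parses the output of `adb shell getprop` and a list of su-binary paths that exist on the device, both constructed here as sample input. The su path list is a generic root-check list, not indicators taken from Gooligan (which may leave no su binary at all), and a device in the exposed range may still carry vendor backports of the kernel fixes, so treat the result as a prompt to verify rather than a verdict.

```python
import re

# Android major versions the Check Point write-up names as exposed to the
# VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153) exploits Gooligan carries.
# A vendor may have backported the kernel fixes, so a hit means "verify", not "exploitable".
EXPOSED_MAJORS = {4, 5}

# Common locations of a su binary on a rooted device. Generic root-check list
# (assumption: Gooligan's rootkit need not drop su at any of these paths).
SU_PATHS = [
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su",
]

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> dict:
    """Parse the `[key]: [value]` lines printed by `adb shell getprop`."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def version_tuple(version: str) -> tuple:
    """'5.1.1' -> (5, 1, 1); tolerates vendor suffixes such as '4.4.4-r1'."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums) if nums else (0,)


def assess(props: dict, existing_paths) -> dict:
    """Combine the build properties with the list of SU_PATHS entries that exist on
    the device (e.g. collected with `adb shell ls`) into a triage verdict."""
    release = props.get("ro.build.version.release", "")
    major = version_tuple(release)[0]
    # ro.build.version.security_patch only exists from Android 6.0 onward, so its
    # absence itself says the device predates monthly security patch levels.
    patch_level = props.get("ro.build.version.security_patch")
    present = set(existing_paths)
    su_found = [p for p in SU_PATHS if p in present]
    exposed = major in EXPOSED_MAJORS
    if exposed and su_found:
        verdict = "exposed version and su binary present: investigate as possibly rooted by malware"
    elif exposed:
        verdict = "exposed version: confirm vendor patches for CVE-2013-6282 and CVE-2014-3153"
    else:
        verdict = "version outside the range Gooligan's exploits target"
    return {
        "release": release,
        "exposed_version": exposed,
        "patch_level": patch_level,
        "su_binaries": su_found,
        "verdict": verdict,
    }


# Constructed sample input, not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
[ro.product.model]: [Example Phone]
"""
SAMPLE_PATHS = ["/system/xbin/su", "/system/bin/sh"]

if __name__ == "__main__":
    result = assess(parse_getprop(SAMPLE_GETPROP), SAMPLE_PATHS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real device, feed `assess()` the text of `adb shell getprop` and the subset of SU_PATHS for which `adb shell ls <path>` succeeds; an unexpected su binary on a device nobody rooted on purpose is worth a closer look regardless of version.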

How to check whether your Google account has been compromised by this malware

Check Point has published an online tool to check whether your Google account is among those compromised by Gooligan. Open 'Gooligan Checker' and enter your Google email address to find out.

If your device turns out to be infected, Adrian Ludwig, Google's director of Android security, recommends a clean installation of the operating system on the device.

This process, called 'flashing,' is fairly involved, so the company recommends powering off the device and taking it to a certified technician or your mobile service provider to have it re-flashed. Because Gooligan steals the account's authentication tokens, re-flashing the device alone does not invalidate them; change your Google password as well, which revokes the stolen tokens.

Tuesday, January 10, 2017

LA. College Pays Hackers $28,000 Ransom To Get Its Files Back

Ransomware has become an easy way for criminals to get paid.

The latest victim is Los Angeles Valley College (LAVC), whose computer network was infected with ransomware by attackers demanding US$28,000 in Bitcoin to get its systems back online.

The attack occurred over winter break and caused widespread disruption to online, financial aid, email and voicemail systems, including locking 1,800 students and staff out of their computers.

With the situation out of control, the Los Angeles Community College District (LACCD) agreed to pay the $28,000 ransom in Bitcoin in exchange for the decryption key so it could resume operations, the school newspaper, The Valley Star, reports.

The cyber criminals gave the college a week to pay the ransom and threatened to delete all the data if they were not paid.

Like many ransomware victims, the college evidently did not have usable backups of its data, so the district paid the ransom to regain access to its systems and data quickly.

According to college officials, paying the ransom was ultimately cheaper than removing the unidentified ransomware from their systems, recovering the data, and restoring other services on their own.

After paying the ransom, the college received a decryption key that restored access to its data.
"LACCD and LAVC information technology staff, outside cybersecurity experts and law enforcement are working together to determine the specific nature and impact of this incident. Our top priority is the integrity of student, faculty and employee data, and we will continue to communicate with the LAVC community and the public as the investigation proceeds." the College wrote in a report [PDF].
The college was lucky: with ransomware there is no guarantee that the attacker will hand over a working decryption key. The recently discovered Linux variant of KillDisk, for example, demands about $218,000 but does not retain the encryption key, so the data it encrypts is lost whether or not the victim pays.

One of the most notorious ransomware attacks took place early last year, when criminals locked the computers and encrypted the sensitive files, including patient data, of a Los Angeles hospital, which eventually paid $17,000.

Last year saw an enormous rise in ransomware, both in volume and in sophistication. The most reliable defense is an automated backup process whose copies are kept isolated from the production network (offline or otherwise unwritable from the hosts being backed up) and whose restores are tested regularly, so that an infection never leaves paying as the cheapest option.
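The lesson of the LAVC case is that a backup only counts if it exists, is out of the attacker's reach, and can be shown to be intact before you need it. The script below is an added example, not from the college, the district, or any vendor: it records a SHA-256 manifest of a backup copy, then re-verifies the copy against that manifest so that tampering (here a constructed, simulated encryptor that overwrites one file and renames another) is reported as modified, missing and unexpected files. The manifest must be kept somewhere the backup host cannot write to; the demo keeps it in memory only for illustration, and every file name and content is constructed sample data.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.
    Store the result somewhere the backup host cannot overwrite it."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(backup_root: str, manifest: dict) -> dict:
    """Compare a backup copy against the manifest recorded when it was taken.
    'modified' entries mean the copy is no longer what was verified; an encryptor
    that reaches a writable backup shows up as mass modification plus renamed files."""
    current = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, record its manifest, let a simulated
    encryptor touch the copy, and confirm verification reports the damage."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "records"))
        files = {"records/grades.csv": b"id,grade\n1,A\n", "notes.txt": b"hello\n"}
        for rel, body in files.items():
            with open(os.path.join(backup, rel), "wb") as f:
                f.write(body)
        stored = json.dumps(build_manifest(backup), sort_keys=True)  # would be kept off-box

        # Simulated ransomware: overwrite one file in place, rename the other.
        with open(os.path.join(backup, "notes.txt"), "wb") as f:
            f.write(b"\x00\xff not the original bytes")
        os.rename(os.path.join(backup, "records", "grades.csv"),
                  os.path.join(backup, "records", "grades.csv.locked"))

        return verify_backup(backup, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, run `build_manifest()` on the backup target right after each backup job, ship the manifest to a separate, write-once location, and schedule `verify_backup()` against a fresh mount of the copy; a clean run returns three empty lists, and anything else means the copy cannot be trusted for a restore.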