Malwarebytes has discovered a strain of malware on the Unimax (UMX) U686CL, a low-end smartphone sold by Virgin Mobile Group subsidiary Assurance Wireless.

 Jimmy Aki

 Jan 13, 2020 @ 22:10 UTC

Low-end smartphones across the United States have a new problem to deal with, malware. Malwarebytes has discovered a strain of malware on the Unimax (UMX) U686CL, a low-end smartphone sold by Virgin Mobile Group subsidiary Assurance Wireless.

The phones, which are made in China, are sold through a U.S. government program that subsidizes phone services to low-income families, called Lifeline.

ZDNet

✔@ZDNet

Unremovable malware found preinstalled on low-end smartphone sold in the US https://www.zdnet.com/article/unremovable-malware-found-preinstalled-on-low-end-smartphone-sold-in-the-us/?ftag=COS-05-10aaa0g&taid=5e1855d3b19b7e000193018b&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=twitter …

Unremovable malware found preinstalled on low-end smartphone sold in the US | ZDNet

Malwarebytes said it found malware pre-installed on Unimax U673c handsets, sold by Assurance Wireless (Virgin Mobile) in the US.

zdnet.com

8

12:45 PM - Jan 10, 2020

Twitter Ads info and privacy

See ZDNet's other Tweets

As Malwarebytes reported, there have been several reports concerning the phones since late 2019, with multiple users complaining that some of the pre-installed apps are malicious. Researchers went on to purchase the phone, only to find that the complaints were true.

Adups and HiddenAds

To begin with, they discovered that one of the apps on the phones- named Wireless Update- contained a malware known as Adups. The malware was created by a Chinese company bearing the same name, and was billed as a means of allowing firmware vendors to update their code.

However, researchers at Kryptowire found in 2017 that its manufacturers were able to ship updates to the software without getting permission from the devices’ vendors and users. Malwarebytes explained that the software still does the same thing to this day.

“From the moment you log into the mobile device [the UMX U686CL], Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own,” researchers explained.

Although they pointed out that the apps were initially free of any malware, the fact that they’re installed without consent means that Adups (the software manufacturers) could just as well do the same thing at any time.

Kaspersky

✔@kaspersky

Our new mobile malware report is now available. Whilst the number of malicious apps are down, the number of attacks doubled.

For the full details, check out the report here: https://kas.pr/1g8d  #KLReport #mobile

13

4:56 PM - Mar 5, 2019

Twitter Ads info and privacy

See Kaspersky's other Tweets

That’s not all. They also found suspicious code in the Settings app. As they explained, the app was filled with a heavily obfuscated malware strain,’ and from the set of characters used in writing its code, they opined that it was of Chinese origin.

They explained that it was meant to act as a dropped for HiddenAds; a popular second-stage malware payload.
Difficult to Uninstall

The company explained that they couldn’t confirm if the malware was installed by the device manufacturers. They might as well have been installed by any of the third parties that had access to the devices while in transit. But, that’s unlikely.What’s troublesome is the fact that the two malware were said to be non-removable, thanks to their strategic location. Adups is hidden in the Wireless Update app, and any user that uninstalls or disables that will miss out on critical updates going forward.

On the flip side, the Settings app, as we all know, is non-removable. Taking it out will make the device effectively unusable, leaving users stuck with the malware it houses

Microsoft Issues Windows Security Update for 0Day Vulnerability

Microsoft released two out of band security updates today for remote code execution (RCE) and denial of service (DoS) security vulnerabilities impacting Internet Explorer and Windows Defender, respectively.

The first one is a zero-day RCE vulnerability tracked as CVE-2019-1367 and disclosed by Clément Lecigne of Google’s Threat Analysis Group.

The CVE-2019-1367 scripting engine memory corruption vulnerability is known to have been exploited in the wild and it "exists in the way that the scripting engine handles objects in memory in Internet Explorer."

Security Response

✔@msftsecresponse

Out of band security vulnerability fixes CVE-2019-1367 and CVE-2019-1255 have been released today. For more information please see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367 … and https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1255 … .

135

7:07 PM - Sep 23, 2019

Twitter Ads info and privacy

150 people are talking about this

"The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user" says Microsoft. More: bleepingcomputer.com 

Malware Must Die!: MMD-0065-2020 - Linux/Mirai-Fbot's new encryption ...

Malware Must Die!: MMD-0065-2020 - Linux/Mirai-Fbot's new encryption ...: Prologue I setup a local brand new ARM base router I bought online around this new year 2020 to replace my old pots, and yesterday, it wa...

Microsoft Warns of Unpatched IE Browser Zero-Day That's Under Active

January 18, 2020Mohit Kumar internet explorer zero day vulnerability

Internet Explorer is dead, but not the mess it left behind. 

Microsoft earlier today issued an emergency security advisory warning millions of Windows users of a new zero-day vulnerability in Internet Explorer (IE) browser that attackers are actively exploiting in the wild — and there is no patch yet available for it. 
The vulnerability, tracked as CVE-2020-0674 and rated moderated, is a remote code execution issue that exists in the way the scripting engine handles objects in memory of Internet Explorer and triggers through JScript.dll library.

A remote attacker can execute arbitrary code on targeted computers and take full control over them just by convincing victims into opening a maliciously crafted web page on the vulnerable Microsoft browser.
"The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," the advisory says. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." Microsoft is aware of 'limited targeted attacks' in the wild and working on a fix, but until a patch is released, affected users have been provided with workarounds and mitigation to prevent their vulnerable systems from cyberattacks.

 The affected web browsing software includes — Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 running on all versions of Windows 10, Windows 8.1, and the recently-discontinued Windows 7.
Workarounds: Defend Against Attacks Until A Patch Arrives According to the advisory, preventing the loading of the JScript.dll library can manually block the exploitation of this vulnerability.

To restrict access to JScript.dll, run following commands on your Windows system with administrator privileges.
For 32-bit systems:

takeown / f% windir% \ system32 \ jscript.dll
cacls% windir% \ system32 \ jscript.dll / E / P everyone: N

For 64-bit systems:

takeown / f% windir% \ syswow64 \ jscript.dll
cacls% windir% \ syswow64 \ jscript.dll / E / P everyone: N takeown / f% windir% \ system32 \ jscript.dll
cacls% windir% \ system32 \ jscript.dll / E / P everyone: N

When a patch update is available, users need to undo the workaround using the following commands:

For 32-bit systems:
cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems:
cacls %windir%\system32\jscript.dll /E /R everyone
cacls %windir%\syswow64\jscript.dll /E /R everyone

To be noted, some websites or features may break after disabling the vulnerable JScript.dll library that relies on this component, therefore, users should install updates as soon as they become available.


Mohit KumarHacker news

Αριθμοί υψηλής χρέωσης!!! Συχνές Ερωτήσεις Vodafone

Χρεώνομαι από ανεπιθύμητα πενταψήφια sms. Τι να κάνω; Ενεργοποίησε άμεσα τη φραγή μέσα από τις ρυθμίσεις στο My Vodafone app. Μπορείς επίσης να ζητήσεις από τον Tobi να ενεργοποιήσει τη φραγή για εσένα ή τηλεφωνικά από την εξυπηρέτηση στο 13830. Άλλος τρόπος είναι να επισκεφτείς ένα κατάστημα Vodafone. Αν ενεργοποιήσεις τη φραγή σε αριθμούς που ξεκινούν από 19 ή/ και από 54, σου διασφαλίζουμε πως δε θα έχεις μελλοντικά σχετικές χρεώσεις. Αυτό ωστόσο δεν αποκλείει την ενεργοποίηση κάποιας άλλης υπηρεσίας προστιθέμενης αξίας ή χρέωση από αποστολή SMS, σε κάποιον αριθμό εκτός από όσους ξεκινούν από 19 ή από 54. Τι είναι τα 5ψήφια SMS τρίτων εταιρειών; Είναι υπηρεσίες περιεχομένου που παρέχονται από τρίτες εταιρίες οι οποίες είναι αποκλειστικά υπεύθυνες για το περιεχόμενο και τον τρόπο που τις παρέχουν. Ποιο είναι το περιεχόμενο αυτών των υπηρεσιών; Το περιεχόμενο αυτών των υπηρεσιών δεν είναι συγκεκριμένο. Ποικίλει ανάλογα την εταιρεία. Για παράδειγμα μπορεί να αφορά λήψη ενημερώσεων σχετικά με ζώδια ή με αθλητικά νέα. Περισσότερα για το επίκαιρο θέμα εδώ: Συχνές Ερωτήσεις Vodafone