
Wednesday, March 25, 2020

Over 50 Android Apps for Kids on Google Play Store Caught in Ad Fraud Scheme

March 24, 2020Ravie Lakshmanan
More than 50 Android apps on the Google Play Store—most of which were designed for kids and had racked up almost 1 million downloads between them—have been caught using a new trick to secretly click on ads without the knowledge of smartphone users.

Dubbed "Tekya," the malware in the apps imitated users' actions to click ads from advertising networks such as Google's AdMob, AppLovin', Facebook, and Unity, cybersecurity firm Check Point Research noted in a report shared with The Hacker News.

"Twenty four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on)," the researchers said.


While the offending apps have been removed from Google Play, the find by Check Point Research is the latest in an avalanche of ad fraud schemes that have plagued the app storefront in recent years, with malware posing as optimizer and utility apps to perform phony clicks on ads.


Malware Abuses MotionEvent API to Simulate User Clicks
The campaign cloned legitimate popular apps to gain an audience, and the 56 newly discovered apps bypassed Google Play Store protections by obfuscating their native code and relying on Android's MotionEvent API to simulate user clicks.

Once an unwitting user installed one of the malicious apps, the Tekya malware registers a receiver, an Android component that's invoked when a certain system or application event occurs — such as a device restart or when the user is actively using the phone.



The receiver, when it detects one of these events, loads a native library named "libtekya.so" that includes a sub-function called "sub_AB2C", which creates and dispatches touch events, mimicking a click via the MotionEvent API.


An Ongoing Problem of Mobile Ad Fraud
Mobile ad fraud manifests in different ways, including threat actors planting malware-laced ads on user phones or embedding malware in apps and online services to generate clicks fraudulently to receive payouts by advertising networks.


Mobile security vendor Upstream's analysis of 2019 data revealed that the favorite apps for hiding ad-fraud malware are those that purport to improve productivity or improve device functionality. Nearly 23 percent of the malicious Android ads that Upstream encountered last year fell into this category. Other apps that attackers frequently used to hide malware included gaming apps, entertainment, and shopping apps.

Google, for its part, has been actively trying to stop rogue Android apps from infiltrating the Google Play Store. It has leveraged Google Play Protect as a means to screen potentially harmful applications and also forged an "App Defense Alliance" in partnership with cybersecurity firms ESET, Lookout, and Zimperium to reduce the risk of app-based malware.

To safeguard yourself from such threats, it's recommended that you stick to the Play Store for downloading apps and avoid sideloading from other sources. More importantly, scrutinize the reviews, developer details, and the list of requested permissions before installing any app.


HPE Warns of New Bug That Kills SSD Drives After 40,000 Hours



By Ionut Ilascu, March 24, 2020 06:26 PM

Hewlett Packard Enterprise (HPE) is once again warning its customers that certain Serial-Attached SCSI solid-state drives will fail after 40,000 hours of operation, unless a critical patch is applied.

The company made a similar announcement in November 2019, when a firmware defect caused failures after 32,768 hours of running.
Affected drives

The current issue affects drives in HPE server and Storage products like HPE ProLiant, Synergy, Apollo 4200, Synergy Storage Modules, D3000 Storage Enclosure, StoreEasy 1000 Storage.
HPE Model Number | HPE SKU    | HPE SKU Description               | HPE Spare Part SKU | HPE Firmware Fix Date
EK0800JVYPN      | 846430-B21 | HPE 800GB 12G SAS WI-1 SFF SC SSD | 846622-001         | 3/20/2020
EO1600JVYPP      | 846432-B21 | HPE 1.6TB 12G SAS WI-1 SFF SC SSD | 846623-001         | 3/20/2020
MK0800JVYPQ      | 846432-B21 | HPE 800GB 12G SAS MU-1 SFF SC SSD | 846624-001         | 3/20/2020
MO1600JVYPR      | 846436-B21 | HPE 1.6TB 12G SAS MU-1 SFF SC SSD | 846625-001         | 3/20/2020


The company says that this is a comprehensive list of impacted SSDs it makes available. However, the issue is not unique to HPE and may be present in drives from other manufacturers.

If the SSDs in these products run a firmware version older than HPD7, they will fail after being powered on for 40,000 hours; this translates to 4 years, 206 days and 16 hours, which is about half a year shorter than the extended warranty available for some of them.

When the failure point is reached, neither the data nor the drive can be recovered. Preventing such a disaster is possible in environments with data backup setups.

HPE learned about the firmware bug from an SSD manufacturer and warns that if SSDs were installed and put into service at the same time, they are likely to fail almost concurrently.


“Restoration of data from backup will be required in non-fault tolerance modes (e.g., RAID 0) and in fault tolerance RAID mode if more drives fail than what is supported by the fault tolerance RAID mode logical drive [e.g. RAID 5 logical drive with two failed SSDs]” - HPE advisory

The new firmware can be installed by using the online flash component for VMware ESXi, Windows, and Linux.
Not as bad as last time

There is some good news, though. Going by HPE's shipping dates and the 40,000-hour limit, no affected SSDs have yet failed because of this firmware bug.

HPE estimates that unpatched SSDs will begin to fail as early as October 2020. This gives plenty of time for admins to apply the corrected firmware.

Back in November, reports about storage drive failures poured in on social media and forums, with users complaining about devices failing in bulk, minutes apart.

Finding out the uptime of an affected drive is possible with the Smart Storage Administrator (SSA) utility, which offers the power-on time for every drive installed on the system.

Alternatively, users can run scripts that check whether the firmware on their SSDs has the 40,000 power-on-hours failure issue. The scripts work for certain HPE SAS SSDs and are available for Linux, VMware and Windows.

JohnC_21 - 4 hours ago 

The company said in a bulletin that the “issue is not unique to HPE and potentially affects all customers that purchased these drives.” HPE has not identified the SSD maker and refused to do so, saying: “We’re not confirming manufacturers.”

However, a Dell EMC urgent firmware update issued last month also mentioned SSDs failing after 40,000 operating hours and specifically identified SanDisk SAS drives. The update included firmware version D417 as a fix.

The fault fixed by the Dell EMC firmware concerns an Assert function which had a bad check to validate the value of a circular buffer’s index value. Instead of checking the maximum value as N, it checked for N-1. The fix corrects the assert check to use the maximum value as N.

It seems likely that the HPE drives are SanDisk drives as well.

https://blocksandfiles.com/2020/03/24/hpe-enterprise-ssd-40k-hours-flaw/

Tuesday, March 24, 2020

Sucuri is going to provide crisis responders with a free website firewall for one year during the coronavirus pandemic



Free Sucuri WAF for Medical & Social Services

March 24, 2020, Chase Watts



During the COVID-19 pandemic, there is concern about health systems worldwide. Many people in isolation or self-quarantine are looking for accurate medical information online on a daily basis.

As a result, it is crucial that public health and social service websites remain available. We want to prevent malicious users from abusing these types of websites. So, we decided to stand up and do something about it.

Free year of the Sucuri WAF for crisis responders

Sucuri is going to provide crisis responders with a free website firewall for one year during the coronavirus pandemic. We are offering website protection and increased performance for dedicated professionals and volunteer services who have been acting as crisis responders, such as:
Hospitals
Physicians
Emergency medical technicians
Food banks

All you need to do is submit an eligibility form to get a free year of the Sucuri WAF.

Don’t let bad actors exploit our situation

Though some ransomware groups are claiming they will not be targeting health organizations, there are still bad actors online that will likely treat the COVID-19 outbreak as an opportunity. They do so at their own risk; a response from national cybersecurity units and ethical hackers is inevitable.


@mikko, 12:36 PM - Mar 18, 2020:

Public message to ransomware gangs: Stay the f away from medical organizations. If you target hospital computer systems during the pandemic, we will use all of our resources to hunt you down.

When people flock to a website for help, some hackers and scammers can work to compromise the site and steal valuable data. Worse still, they could even use a distributed denial of service (DDoS) attack to shut it down completely.

This is not just a problem for health care and social services. Many organizations currently lack the IT resources required to address the cybersecurity challenges of rapidly shifting the workforce and business model to an online environment.


Security Under Swift Law (@SwiftOnSecurity), 9:32 PM - Mar 19, 2020:

We need a global suspension of malware activity right now. Security teams are getting pulled into assisting with Work-From-Home to keep isolation and save people’s lives. Come back 2x harder when this ends whatever. We can’t be doing this right now.

For those who are new to working from home, we’ve released a post including security tips for remote workers.
How can Sucuri protect and speed up your website?

We keep our WAF updated with the latest and emerging threat definitions to block DDoS and other attacks by bad actors.

Traffic surges to a website can reduce availability. Our WAF mitigates traffic surges with the Anycast content delivery network (CDN). The Anycast CDN stores copies of a website on numerous points of presence (PoP) throughout the world, and then delivers content to an individual via the nearest PoP.

That improves a website’s availability during episodes of high traffic and speeds up content delivery by an average of 70%.
Count on our WAF for HIPAA compliance

We built our WAF with people in mind who must adhere to the U.S. Health Insurance Portability and Accountability Act (HIPAA). With your website behind our WAF, be confident you’re meeting standards for protected health information.

If you have any questions, feel free to chat with us. Stay safe!

Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions

March 23, 2020, Mohit Kumar
Microsoft today issued a new security advisory warning billions of Windows users of two new critical, unpatched zero-day vulnerabilities that could let hackers remotely take complete control over targeted computers.

According to Microsoft, both unpatched flaws are being used in limited, targeted attacks and impact all supported versions of the Windows operating system—including Windows 10, 8.1 and Server 2008, 2012, 2016, and 2019 editions, as well as Windows 7 for which Microsoft ended its support on January 14, 2020.

Both vulnerabilities reside in the Windows Adobe Type Manager Library, font-parsing software that not only parses font content when a file is opened with third-party software but is also used by Windows Explorer to display the contents of a file in the 'Preview Pane' or 'Details Pane' without the user opening it.


The flaws exist in Microsoft Windows when the Adobe Type Manager Library improperly "handles a specially-crafted multi-master font - Adobe Type 1 PostScript format," allowing remote attackers to execute arbitrary malicious code on targeted systems by convincing a user to open a specially crafted document or to view it in the Windows Preview pane.


"For systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities," Microsoft said.
At this moment, though it's not clear if the flaws can also be triggered remotely over a web browser by convincing a user to visit a web-page containing specially-crafted malicious OTF fonts, there are multiple other ways an attacker could exploit the vulnerability, such as through the Web Distributed Authoring and Versioning (WebDAV) client service.


No Patch Yet Available; Apply Workarounds
Microsoft said it's aware of the issue and working on a patch, which the company would release to all Windows users as part of its next Patch Tuesday updates, on 14th April.


"Enhanced Security Configuration does not mitigate this vulnerability," the company added.

1) Disable the Preview Pane and Details Pane in Windows Explorer
Meanwhile, all Windows users are highly recommended to disable the Preview Pane and Details Pane feature in Windows Explorer as a workaround to reduce the risk of getting hacked by opportunistic attacks.


To disable the Preview Pane and Details Pane feature:


Open Windows Explorer, click Organize and then click Layout.
Clear both the Details pane and Preview pane menu options.
Click Organize, and then click Folder and search options.
Click the View tab.
Under Advanced settings, check the Always show icons, never thumbnails box.
Close all open instances of Windows Explorer for the change to take effect.
However, it should be noted that while this workaround prevents malicious files from being previewed in Windows Explorer, it does not prevent legitimate third-party software from loading the vulnerable font-parsing library.


2) Disable the WebClient service
Besides this, it is also advised to disable Windows WebClient service to prevent cyberattacks through the WebDAV client service.


Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
Right-click WebClient service and select Properties.
Change the Startup type to Disabled. If the service is running, click Stop.
Click OK and exit the management application.
"After applying this workaround, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet," Microsoft warned.


3) Rename or Disable ATMFD.DLL
Microsoft is also urging users to rename Adobe Type Manager Font Driver (ATMFD.dll) file to temporarily disable the embedded font technology, which could cause certain 3rd-party apps to stop working.

Enter the following commands at an administrative command prompt:


For 32-bit system:
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll

For 64-bit system:
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
cd "%windir%\syswow64"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll

Restart the system.
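As an added example that is not part of the original article or of Microsoft's advisory, the following PowerShell reports which of the three workarounds above are in place on a machine. It assumes PowerShell 3 or later, that atmfd.dll was renamed to x-atmfd.dll exactly as in the commands above, and that the "Always show icons, never thumbnails" checkbox maps to the IconsOnly registry value (1 = icons only); the Preview and Details pane toggles themselves are stored as per-view binary data and are not checked.

```powershell
# Added example, not from the article or Microsoft's advisory.
# Reports the state of the three interim workarounds on the local machine.
function Test-AtmfdWorkarounds {
    $results = [ordered]@{}

    # 1) "Always show icons, never thumbnails" is the IconsOnly DWORD under
    #    Explorer\Advanced (assumption: 1 = icons only). The Preview/Details pane
    #    toggles live in per-view binary data and are deliberately not checked.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $iconsOnly = (Get-ItemProperty -Path $adv -Name IconsOnly -ErrorAction SilentlyContinue).IconsOnly
    $results['Explorer: never thumbnails'] = if ($iconsOnly -eq 1) { 'OK' } else { 'MISSING' }

    # 2) WebClient (WebDAV) service must have startup type Disabled and not be running.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    $results['WebClient service disabled'] = if ($null -eq $svc) {
        'N/A (service not installed)'
    } elseif ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running') {
        'OK'
    } else {
        "MISSING (StartMode=$($svc.StartMode), State=$($svc.State))"
    }

    # 3) atmfd.dll renamed in System32 and, on 64-bit Windows, in SysWOW64 as well.
    #    Assumes the new name x-atmfd.dll used by the advisory's rename commands.
    $dirs = @("$env:windir\System32")
    if ([Environment]::Is64BitOperatingSystem) { $dirs += "$env:windir\SysWOW64" }
    foreach ($d in $dirs) {
        $original = Test-Path (Join-Path $d 'atmfd.dll')
        $renamed  = Test-Path (Join-Path $d 'x-atmfd.dll')
        $results["atmfd.dll renamed in $d"] = if (-not $original -and $renamed) {
            'OK'
        } elseif (-not $original -and -not $renamed) {
            'N/A (file not present on this build)'
        } else {
            'MISSING (atmfd.dll still loadable)'
        }
    }
    return $results
}

# One line per check, so the result can be pasted into a change ticket.
$status = Test-AtmfdWorkarounds
foreach ($name in $status.Keys) {
    Write-Output ('{0,-45} {1}' -f $name, $status[$name])
}
```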

Fake Corona Antivirus Software Used to Install Backdoor Malware



By Sergiu Gatlan, March 23, 2020 07:12 PM

Sites promoting a bogus Corona Antivirus are taking advantage of the current COVID-19 pandemic to promote and distribute a malicious payload that will infect the target's computer with the BlackNET RAT and add it to a botnet.

The two sites promoting the fake antivirus software can be found at antivirus-covid19[.]site and corona-antivirus[.]com as discovered by the Malwarebytes Threat Intelligence team and researchers at MalwareHunterTeam, respectively.

While the former has been taken down since Malwarebytes' report, the one spotted by MalwareHunterTeam is still active but has had its contents altered, with the malicious links removed and a donation link added to support the scammers' efforts — spoiler alert, no donations have been made so far.



"Download our AI Corona Antivirus for the best possible protection against the Corona COVID-19 virus," the site reads. "Our scientists from Harvard University have been working on a special AI development to combat the virus using a mobile phone app."

Last but not least, the malicious sites' makers also mention an update that will add VR sync capabilities to their fake antivirus: "We analyse the corona virus in our laboratory to keep the app always up to date! Soon a corona antivirus VR synchronization will be implemented!"

Anyone who fell for this would end up downloading an installer from antivirus-covid19[.]site/update.exe (link is now down) that deploys the BlackNET malware onto their system if launched.

BlackNET will add the infected device to a botnet that can be controlled by its operators:

• to launch DDoS attacks
• to upload files onto the compromised machine
• to execute scripts
• to take screenshots
• to harvest keystrokes using a built-in keylogger (LimeLogger)
• to steal bitcoin wallets
• to harvest browser cookies and passwords.

The BlackNET RAT, which MalwareHunterTeam rated as 'skidware malware', is also capable of detecting whether it's being analyzed within a VM and checks for the presence of analysis tools commonly used by malware researchers, per c0d3inj3cT's analysis.

[Image: BlackNET command panel]

The malware also comes with bot management features including restarting and shutting down the infected devices, uninstalling or updating the bot client, and opening visible or hidden web pages.

One of the sites promoting this bogus Corona Antivirus was spotted by MalwareHunterTeam on March 6, while the other was exposed by Malwarebytes' Threat Intelligence team in a report published today.

In somewhat related news, an HHS.gov open redirect is currently abused by attackers to deliver Raccoon info-stealing malware payloads onto targets' systems via a coronavirus-themed phishing campaign.

The actors behind these ongoing phishing attacks use the open redirect to link to a malicious attachment that delivers a VBS script previously spotted while being employed by the operators behind Netwalker Ransomware to deploy their payloads.

The World Health Organization (WHO), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Federal Trade Commission (FTC) have all warned about Coronavirus-themed phishing and attacks targeting potential victims from countries around the globe (1, 2, 3).