Viruses and Worms

Rowhammer Attacks Come to MLC NAND Flash Memory - 1 hour 17 min ago
IBM researchers have demonstrated a filesystem-level version of the Rowhammer attack against MLC NAND flash memory.
Category: Viruses and Worms

News in brief: new Bitcoin fork; HBO hacked; China cracks down

Sophos Naked Security - 2 hours 49 min ago
Your daily round-up of some of the other stories in the news

Woman targeted with 120 images on public transport via AirDrop

Sophos Naked Security - 3 hours 55 min ago
Bluejacking is back, this time via Apple's AirDrop technology, allowing strangers to bombard women with 'dick pics'

Uber faces privacy audits every two years until 2037, rules FTC

Sophos Naked Security - 5 hours 36 min ago
Uber 'failed consumers in two key ways' says FTC after probe into catalogue of privacy concerns

London council 'failed to test' parking ticket app, exposed personal info

The Register - Anti-Virus - 6 hours 10 min ago
Authority fined £70k after missing URL manipulation

A London council has been fined £70,000 after design faults in its TicketViewer app allowed unauthorised access to 119 documents containing sensitive personal information.…

Category: Viruses and Worms

Got an iPhone? Here’s what we think about the security of iOS11

Sophos Naked Security - 7 hours 54 min ago
Will your iOS device be more or less secure when iOS11 is launched? We've had a look beyond the cosmetic tweaks to the security features

It’s baaaack: Locky ransomware is on the rise again

Sophos Naked Security - 8 hours 20 min ago
Locky had been quiet until new variants started appearing last week. Here's what you need to know

Booking a Taxi for Faketoken

Kaspersky Securelist - 10 hours 5 min ago

The Trojan-Banker.AndroidOS.Faketoken malware has been known for more than a year. Over that time it has worked its way up from a primitive Trojan intercepting mTAN codes to an encrypter. The authors of its newer modifications continue to upgrade the malware, while its geographical spread is growing. Some of these modifications contain overlay mechanisms for about 2,000 financial apps. In one of the newest versions, we also detected a mechanism for attacking apps for booking taxis and paying traffic tickets issued by the Main Directorate for Road Traffic Safety.

Not so long ago, thanks to our colleagues from a large Russian bank, we detected a new Trojan sample, Faketoken.q, which contained a number of curious features.


We have not yet managed to reconstruct the entire chain of events leading to infection, but the application icon suggests that the malware sneaks onto smartphones through bulk SMS messages with a prompt to download some pictures.

The malware icon

The structure of the malware

The mobile Trojan that we examined consists of two parts. The first part is an obfuscated dropper (verdict: files like this are usually obfuscated on the server side in order to resist detection. At first glance, its code may look like gibberish:

However, this code works quite well: it decrypts and launches the second part of the malware. This is standard practice these days, whereas unpacked Trojans are very rare.

The second part of the malware, a file with a .DAT extension, contains the malware's main features. Its data is stored encrypted:

By decrypting the data, it is possible to obtain a rather legible code:

After the Trojan starts, it hides its shortcut icon and begins monitoring all calls and every app the user launches. Upon receiving a call from (or making a call to) a certain phone number, the malware starts recording the conversation and sends the recording to the evildoers shortly after the call ends.

The code for recording a conversation

The authors of Faketoken.q kept the overlay features and simplified them considerably. So, the Trojan is capable of overlaying several banking and miscellaneous applications, such as Android Pay, Google Play Store, and apps for paying traffic tickets and booking flights, hotel rooms, and taxis.

Faketoken.q monitors active apps and, as soon as the user launches a specific one, it substitutes its UI with a fake one, prompting the victim to enter his or her bank card data. The substitution happens instantaneously, and the colors of the fake UI correspond to those of the original launched app.

It should be noted that all of the apps attacked by this malware sample support linking a bank card in order to make payments, and the terms of some of these apps make linking a bank card mandatory in order to use the service at all. As millions of Android users have these applications installed, the damage caused by Faketoken can be significant.

However, the following question may arise: what do fraudsters do in order to process a payment if they have to enter an SMS code sent by the bank? Evildoers successfully accomplish this by stealing incoming SMS messages and forwarding them to command-and-control servers.

We are inclined to believe that the version that we got our hands on is still unfinished, as screen overlays contain formatting artifacts, which make it easy for a victim to identify it as fake:

The screen overlays for the UI of a taxi-booking app

As screen overlays are a documented feature widely used in a large number of apps (window managers, messengers, etc.), protecting yourself against such fake overlays is quite complicated, a fact that is exploited by evildoers.

So far we have not registered a large number of attacks with this Faketoken sample, and we are inclined to believe that this is one of its test versions. Judging by the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries.


In order to avoid falling victim to Faketoken and apps similar to it, we strongly discourage the installation of third-party software on your Android device. A mobile security solution like Kaspersky Mobile Antivirus: Web Security & AppLock would be quite helpful too.



UK govt steams ahead with £5m facial recog system amid furore over innocents' mugshots

The Register - Anti-Virus - 13 hours 2 min ago
Contract ignores lack of strategy, growing criticism

The UK Home Office has put out to tender a £4.6m ($5.9m) contract for facial recognition software – despite the fact its biometrics strategy and retention systems remain embroiled in controversy.…

Category: Viruses and Worms

Bank IT fella accused of masterminding multimillion-dollar insider-trading scam

The Register - Anti-Virus - 14 hours 2 min ago
Consultant was all too app-y to break law, claim investigators

A banking IT expert orchestrated an insider-trading caper that raked in millions of dollars for him and his pals, it was claimed on Wednesday.…

Category: Viruses and Worms

Rowhammer RAM attack adapted to hit flash storage

The Register - Anti-Virus - 14 hours 38 min ago
Project Zero's two-year-old dog learns a new trick

It's Rowhammer, Jim, but not as we know it: IBM boffins have taken the DRAM-bit-flipping-as-attack-vector trick found by Google and applied it to MLC NAND Flash.…

Category: Viruses and Worms

NotPetya ransomware attack cost us $300m – shipping giant Maersk

The Register - Anti-Virus - 20 hours 50 min ago
IT crippled so badly firm relied on WhatsApp

The world's largest container shipping biz has revealed the losses it suffered after getting hit by the NotPetya ransomware outbreak, and the results aren't pretty.…

Category: Viruses and Worms

Locky Ransomware Variant Slips Past Some Defenses - 16 August 2017 - 23:41
Ransomware called IKARUSdilapidated is managing to slip into unsuspecting organizations as an unknown file.
Category: Viruses and Worms

Disgraced US Secret Service agent coughs to second Bitcoin heist

The Register - Anti-Virus - 16 August 2017 - 21:04
Fox, meet henhouse

An ex-Secret Service agent who stole Bitcoins from the Silk Road dark web drugs bazaar he was supposed to be investigating has admitted stealing even more sacks of the digital currency.…

Category: Viruses and Worms

News in brief: micro robots heal mice; Scottish Parliament hacked; Google Allo on desktops

Sophos Naked Security - 16 August 2017 - 20:27
Your daily round-up of some of the other stories in the news

Flash’s Final Countdown Has Begun - 16 August 2017 - 19:59
The impending demise of Adobe Flash will create legacy challenges similar to Windows XP as companies begin to wean themselves off the vulnerable code base.
Category: Viruses and Worms

Maersk Shipping Reports $300M Loss Stemming from NotPetya Attack - 16 August 2017 - 19:33
A.P. Moller-Maersk said June's NotPetya wiper malware attacks would cost the world's largest shipping container company $300M USD in lost revenue.
Category: Viruses and Worms

Judge orders LinkedIn to stop blocking third-party use of your data

Sophos Naked Security - 16 August 2017 - 18:44
How do you feel about other companies scraping your public information from LinkedIn and monetizing it?

Who will own the data from your autonomous car?

Sophos Naked Security - 16 August 2017 - 18:00
If you're hoping that Congress will lock in protection for your privacy, you should probably lower your expectations

Google Removes Chrome Extension Used in Banking Fraud - 16 August 2017 - 17:14
Google has removed the Interface Online Chrome extension from the Chrome Web Store. The plugin was used by criminals in Brazil to target corporate users with the aim of stealing banking credentials.
Category: Viruses and Worms