Tag Archives: General

Avast

Weekend wrap-up: Cybersecurity news from Avast

Leave a comment

Here’s your wrap up of security and privacy related news from the first half of July.

Mr Robot TV shows about hackersWe are very excited to announce the debut of a new series of videos called Avast Hack Chat. Every week we invite a security expert to talk us through the hacks on Mr. Robot, USA Network’s summertime hit TV show. We also talk about current news, technology in pop culture, and tips that you can use in your everyday life to keep your devices and data secure. Please subscribe to Avast Hack Chat on YouTube to see all of our videos.

 

Read our reviews of the hacks

Pilot episode 1: Are the hacks on Mr. Robot real?

Episode 1.1: Mr. Robot Review: Ones and Zer0s

Episode 1.2: Mr. Robot Review: d3bug.mkv

Episode 1.3: Mr. Robot Review: da3m0ns.mp4

Episode 1.4: Mr. Robot Review: 3xpl0its.wmv

It’s too bad that hacking is not just for TV and movies. Even trusted websites can fall victim to cybercrooks. Online shopping just got a little more risky when the largest e-commerce platform was hacked in order to spy on customers and steal credit card data.

Government agencies, businesses, and individuals need to stay on alert for ransomware. That’s the malware that locks up your files and demands that you pay money to provide the key. Cryptowall recently joined forces with a click fraud botnet to infect individuals and businesses. Our blog explains how to stay safe against infection.

Critical zero-day flaws were discovered in the Adobe Flash Player, Oracle’s Java, and Microsoft’s Internet Explorer. Patches for each have been released. In addition to these patches, Microsoft released a rare emergency “out-of-band” Windows security patch. Make sure that you apply these patches so your machines are running the most secure versions of software.

icon-browser-cleanupNow for some good news. Avast Browser Cleanup removes those unwanted browser add-ons. You know the ones. They take up space on your browser, change your search engine, and even your home page. Avast Browser Cleanup has removed more than 650 million unwanted add-ons and extensions from our users’ browsers in the past two years. You can get it for free in all Avast products or download it as a standalone version.

Avast for Business protects a private school for free

Schools and businesses around the USA are also happy. Two schools; one in Ohio and one in Arizona have recently adopted Avast for Business software to protect their entire network for free. And one lone IT administrator is now able to efficiently manage 500 computers because of Avast for Business’s cloud-based web console.

BYOD, or bring your own device, is a common practice at many businesses around the world. CEO Vince Steckler announced the acquisition of Remotium, a leader in virtual enterprise mobility. Their technology provides enterprises with secure access to business-critical applications from anywhere and from any mobile or desktop device.

SecureLine VPNStudents wanting to know how they did on their AP test installed Avast SecureLine VPN so they could see the scores right away. We have extended the 7-day free trial for an additional 30 days for all these clever kids. We hope you will keep your devices safe while using unsecured Wi-Fi around your new college campus this fall.

Follow Avast on FacebookTwitterYouTube, and Google+ where we keep you updated on cybersecurity news every day.

Avast

Malware that Just Won’t Give Up on Google Play

Leave a comment

A team of malware authors is playing a cat and mouse game with Google. The game goes like this: they upload their malware, Google Play quickly takes it down, they upload a new mutation and Google takes it down. Current status of the game: the malware is back on Google Play. So far, the malicious apps have infected hundreds of thousands of innocent victims.

In April, we discovered porn clicker malware on Google Play posing as the popular Dubsmash app.

Mutant malware

Two days ago, we reported that a mutation of the porn clicker malware, created by a Turkish group of malware authors, made its way back onto Google Play, but have since been removed from the Play Store.

Once the apps were downloaded they did not do anything significant when opened by the user, they just showed a static image. However, once the unsuspecting victim opened his/her browser or other apps, the app began to run in the background and redirect the user to porn sites. Users may not have necessarily understood where these porn redirects were coming from, since it was only possible to stop them from happening once the app waskilled. Fellow security researchers at Eset reported that more apps with this mutation were on Google Play earlier this week. Eset also reported that the original form of the malware was uploaded to Google Play multiple times in May. Our findings combined with that from Eset, prove that these malware authors are extremely persistent and determined to make Google Play a permanent residency for their malware.

I’ll be back…

… is what the authors of this malware must have said when Google removed their apps from the Play Store earlier this week. And sure enough, their malware is back on Google Play. The malware, which Avast detects as Clicker-AR, is in the following three apps: Doganin Güzellikleri, Doganin Güzellikleri 2, Doganin Güzellikleri 3. The name translates to “Nature’s Beauties”. Avast has reported the apps to Google.

Mobile Malware Clicker-AR

What can you do?

Google has a lot on its plate. It has to maintain the most popular mobile operating system in the world, along with an app store with around 1.5 million apps.

That is where security providers, like Avast, jump in. You don’t expect Windows to completely protect you from malware, so just as you would install antivirus on your PC as an extra layer of protection, it is vital you install antivirus on your mobile device. More and more people are using mobile devices and storing a plethora of valuable information on them. This large target pool, combined with the valuable data, naturally makes mobile devices an attractive target for cybercriminals and they are determined to come for you.

Be vigilant

In addition to having antivirus installed on your phone, make sure you do the following:

    1. Pay attention to app permissions. If an app requests permissions that you think it does not need to function properly, then something is probably not right with the app
    2. Check out the app’s reviews. If other users write bad reviews about the app, that is a sign that the app may not be something you want to download.

You can download Avast Mobile Security for free from the Google Play Store.

Hashes:

d8adb784d08a951ebacf2491442cf90d21c20192085e44d1cd22e2b6bdd4ef5f
2a14b4d190303610879a01fb6be85d577a2404dfb22ab42ca80027f3b11f1a6f
d05dcddecc2f93a17b13aa6cca587a15c4d82fe34fdb5e3acf97ddaaefb61941

*It seems as though “Zaren” may be sensing we are all onto him and has therefore changed his developer account name…

Clicker-Ar mobile malware

 

Avast

Can hackers get under the hood of your car?

Leave a comment

Driving under the influence of alcohol or texting while driving is still a bigger risk to your safety on the road, but the hacking experiments conducted on technology-heavy cars might be an indicator of break-downs to come.

Security researchers have proven that modern cars can be hacked.

Security researchers have proven that modern cars can be hacked.

Two security engineers proved that a car is not just a transportation device to get from point A to point B, but a vulnerable combination of individual software systems that can be hacked.

Back in 2013, Charlie Miller and Chris Valasek hacked a 2010 Ford Escape and a Toyota Prius. The two researchers demonstrated the ability to send commands from their laptop that did things like jerk the steering wheel, give false readings on the speedometer and odometer, sound the horn continuously, and slam on the brakes while going down the road.

They have done it again, this time with a 2014 Jeep Grand Cherokee.

When the hackers first did their experiment, they hardwired their MacBook directly into the vehicle. This year, they’ve gone wireless, breaking into a few of the 50 vulnerable attack points available to them.

Wired reporter Andy Greenberg acted as Miller and Valasek’s crash test dummy, as he did in the original demonstration. As he was driving the Jeep Cherokee at 70 mph down the interstate, the two hackers sat miles away in Miller’s basement and bombarded Greenberg with multiple attention diverting events at once. The air conditioner blasted cold air, the radio station changed and played at full volume, the windshield wipers came on and blinded his view with wiper fluid.

But it wasn’t only distracting annoyances that the hackers threw at Greenberg. The scary part started when they remotely cut the transmission. Remember, at the time he was driving down the interstate at 70 mph. The Jeep quickly lost speed and slowed to a snail-like crawl. On a busy interstate with zooming cars and an 18-wheeler closing in, you can imagine the fright that Greenberg felt.

Cybersecurity in the auto industry

At the Center for Automotive Research conference this year, it was acknowledged that almost every automaker in the U.S. has a connected “telematics” service, like GM’s OnStar, Ford SYNC, Chrysler’s Uconnect, and BMW Assist. The panelists said that these services are the first point of attack for hackers, and can be used as a springboard to gain access to the owner’s personal data. Because connected vehicles include easy access to smartphone and onboard apps, the driver’s credit cards, bank accounts, or other financial information could be accessed through the cloud. It’s also possible to access location data, vehicle locator, travel direction, and cell phone number.

The security risks presented by Miller and Valasek in 2013 got the attention of U.S. Senators Edward Markey and Richard Blumenthal. This past Tuesday they introduced legislation that would establish federal standards to secure our cars and protect drivers privacy.

 Do drivers need to worry about their vehicle getting hacked?

Drivers don’t need to get worried yet. Besides thieves opening car doors with wireless hacks as we described in Mr. Robot Review: da3m0ns.mp4, only one malicious car hacking attack has been documented. In February 2010, a disgruntled employee hacked a fleet with more than 100 cars in Austin, Texas. He infiltrated their web-based vehicle-immobilization systems and essentially “bricked” their vehicles and caused the horns to blast uncontrollably.

How to protect your car from being hacked

  • Think of your vehicle not as a simple car anymore, but a sophisticated device like your mobile phone. Familiarize yourself with the new electronic control units. These days that includes the lighting system, the engine and transmission, steering and braking, vehicle access system, and airbags.
  • Apply updates and patches when your car manufacturer issues them. For example, Chrysler just notified owners of vehicles with the Uconnect feature that a software update is available.
  • If you use services like OnStar, GM’s auto security & information service, don’t leave your documents or password in the car for a thief to find.
  • If you use your car as a Wi-Fi hotspot, use a strong password to protect it.

Follow Avast on FacebookTwitterYouTube, and Google+ where we keep you updated on cybersecurity news every day.

 

 

Avast

Mr. Robot Review: 3xpl0its.wmv

Leave a comment

The major theme of this week’s Mr. Robot episode revolved around vulnerabilities. As much as we sometimes try to deny it, we all have weaknesses. Cybercriminals, being the intelligent people they are, unfortunately often use their smarts for evil. They know that it is human nature to have weaknesses since no one is perfect, and they exploit these weaknesses using a tactic called social engineering.

“People make the best exploits”

Whether directly or indirectly, humans and the software they create can be exploited via their weaknesses and vulnerabilities.

FSociety penetrates Steel Mountain, E Corp’s data security center, by exploiting human weaknesses. We first see this happen when Elliot exploits Bill Harper, a sales associate at Steel Mountain, by dismantling his self-worth and telling him that no one in his life really cares about him. Elliot then requests to speak to someone who matters and Bill, disheartened and humiliated, calls his supervisor.

To FSociety’s surprise, Trudy comes instead of Wendy, the supervisor they were expecting and were prepared to utilize to get into the next level of Steel Mountain. This slightly throws off FSociety for a few seconds, but they make a quick comeback by doing a bit of online research. They learn that Trudy’s weakness is her husband and use a Linux distribution called Kali to send her a text message appearing to be sent from her husband saying that he is in the hospital. I researched more about this tool and found out that when using it, it is possible for anyone to spoof SMS and make messages appear as if they are from a number the recipient knows — a trick that is also employed in fraud emails.

The interesting thing about this, though, is they say they do not have Trudy’s number, just her husband’s number. Yet, they type her number into the program to send the message.

via USA Network - Mr. Robot airs on USA Network Wednesdays at 10/9 central

via USA Network – Mr. Robot airs on USA Network Wednesdays at 10/9 central

How cybercriminals use social engineering

I sat down with my colleague, Mobile Malware Analyst Nikolaos Chrysaidos, to discuss social engineering and how it can affect people just like you and me.

Stefanie: First off, what is social engineering?

Nikolaos: Social engineering is a combination of psychological techniques that cybercriminals use to trick people into giving up sensitive information or performing certain actions, such as downloading malware. Social engineering essentially exploits people’s weaknesses and as Elliot said in this episode, “People make the best exploits”. No one is perfect and not everyone always has the best judgment, which makes social engineering such a successful tactic. Social engineering is not successful because people are not intelligent enough; it is successful because cybercriminals specifically target and exploit people’s weaknesses.

Stefanie: We saw FSociety socially engineer their way into Steel Mountain, but what are some examples of social engineering that target consumers?

Nikolaos: Generally, social engineering tactics targeted at consumers either trick the victim into thinking they have won a prize, create fear by implying that something is wrong, or that the victim absolutely needs something. This can happen in the form of spearphishing attacks, in which hackers send messages pretending to be a trusted entity or friend of the victim. These messages include call-to-actions that, for example, prompt the victim to update their banking information, tell them there is an important attachment that they need to open which is really malware, or that they have won a prize and need to provide information to retrieve it. Social engineering can also use apps or advertising to trick people into doing certain things.

We often see in the mobile space that hackers scare victims into downloading fake antivirus apps by telling them that their device has a virus on it. In reality, the app steals private data from the device or holds files on the device for ransom, like Simplocker did.

Another way hackers trick users into downloading malware or into giving up personal information, is via malicious advertising. These ads often tell you, for example, that you do not have the latest version of Flash and should download it. They also tend to offer adult services, such as porn, live webcam chats or even mail-order brides. Once clicked on, these malicious ads can download malware onto your device.

Stefanie: Wow! Seems like people really need to be careful! What is some advice you can give to avoid becoming a victim of social engineering?

Nikolaos: Always double check emails from your bank to make sure they are legitimate. Banks should never email you asking to enter sensitive information via a link or send vital information as an email attachment. The same goes for emails from friends that contain links or attachments, if they seem fishy or off, call your friend and ask if the email really came from them before you take any actions.

As for mobile apps, make sure you only download apps from official app stores, like Google Play. If you do choose to download from a third-party store, make sure you have an antivirus solution installed and running. If an app asks you for permissions that don’t make sense to the app’s functions or if the app wants you to alter your security settings, then something is wrong and you should not download the app. You should be similarly cautious with advertisements offering you video players or adult content.

To maximize your protection against threats, you should have antivirus software installed on your PC and mobile device. In case you accidentally fall prey to a social engineering trick, antiviruses will catch malicious programs and websites before they can cause damage.

Never use Wikipedia as a trusted source

This was drilled into my head by my professors in college. Now, I am not saying Wikipedia is bad — there is a sea full of valuable information on Wikipedia, but the site can be edited by nearly anyone. Apparently people even try to delete entire pages –ahem, Donald Trump. You can’t always trust what you read on Wikipedia, despite the editors’ best efforts to keep the pages factual. FSociety, of course, knows how easily a Wikipedia page can be manipulated and abuses Mobley’s extensive Wikipedia editing history to edit Sam Sepiol’s Wiki page. Elliot tells Bill Harper, a sales associate at Steel Mountain, that he is Sam Sepiol, a young billionaire who co-founded tech startup Bleetz and that Bill should look him up. Bill searches for Sam Sepiol and reads his Wikipedia page, where Elliot’s picture is uploaded and thus Elliot is granted a tour of Steel Mountain.

Be aware of how much you share with the Internet

This week’s Ashley Madison data breach is, hopefully, a major wake up call for a lot of people. This breach should teach everyone that the minute you put your personal information online, it’sout of your hands and could be up for grabs. In this week’s episode, Fernando realizes this when he learns he was busted, because he put his business on social media. He did use codes to cipher his communications, but apparently the codes he used were too obvious and easily crackable. Clearly, Fernando should be looking to hire a new adviser and fire his “aspirational little brother”.

You should use caution when uploading your business onto social media. FSociety discovered the weaknesses of multiple people just by Google searching them and checking out their blogs, Twitter and Facebook profiles. This can be done by anyone, so make sure to examine your social media accounts’ settings and set everything to private. Also, be sure to think twice before you upload content or sign up for services online. Think about how these choices may affect you in the future, who can see them and if you really want the world to see it.

What did you think of this week’s Mr. Robot episode? Make sure you follow Avast on Twitter and check out our Hack Chat channel on YouTube to keep up with future Mr. Robot discussions!

Avast

Microsoft releases emergency Windows patch after discovery of critical security flaw

Leave a comment

With the release of their newest operating system just days away, now is not the most convenient time for Microsoft to be facing and dealing with security bugs. However, two thirds of all 1.5 billion PCs operated by Windows across the globe were recently left vulnerable due to a security flaw found in nearly every version of Windows, including Windows 10 Insider Preview.

If you use Windows, the time to update is now!

If you use Windows, the time to update is now!

The flaw (MS15-078) lies within the Windows Adobe Type Manager Library and can be exploited by cybercriminals to hijack PCs and/or infect them with malware. Users can be attacked when they visit untrusted websites that contain malicious embedded OpenType fonts. Microsoft explains more about the threat in a security bulletin advisory:

An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

The flaw has been classified as critical, which is Microsoft’s highest measured level of threat. Anyone running Windows Vista, Windows 7, Windows 8 and 8.1, Server 2008, Server 2012 and Windows RT are affected by the flaw. Microsoft’s online Security TechCenter includes a full list of affected software and additional vulnerability information.

How to ensure your safety

Taking into consideration that this is a critical security threat that potentially puts your whole system at risk, it only makes sense to install the Windows patch as quickly as possible. The majority of customers have automatic updating enabled and won’t need to take any action because the update will be downloaded and installed automatically. Customers who have not enabled automatic updating, or who install updates manually, can use the links in the Affected Software section to download and install the update. This article walks users through two different methods of obtaining and installing the security udpate. Both methods require a restart after the patch has been applied.

Avast Software Updater can lend a helping hand in ensuring that your software stays updated to the latest version. To find it, simply open your Avast user interface. Click Scan on the left side, then choose Scan for outdated software. You can then decide how to proceed.

Follow Avast on FacebookTwitterYouTube, and Google+ where we keep you updated on cybersecurity news every day.

Avast

Windows 10 security features consumers can look forward to

Leave a comment

Windows 10 will be launching in T-minus seven days and will be offered for free within its first year of availability to Windows 7 and 8 users. Not only will the beloved Start button be back in Windows 10, but Windows 10 will also include a personal assistant, Cortana. What’s more, the new operating system will introduce many promising security features and a new browser.

Image: TechRadar

Image: TechRadar

Hello there, Windows Hello and Passport!

Windows Hello is biometric authentication that either scans your face, iris or fingerprint to access your Windows 10 device – very secret agent-like security! By doing so, Windows Hello eliminates the chance of hackers stealing your password to access your device, simply because you will no longer have a password to begin with!

Windows Passport also eliminates the use of passwords to access your online accounts. For now, Microsoft will work with the Azure Active Directory and has joined the FIDO alliance to subsequently support password replacement for other consumer, financial and security services. Windows will verify that you are truly the one using your device through a PIN or via Windows Hello, and then it will authenticate Windows Passport so you can log in to websites and services without ever using a password. Combined use of Windows Hello and Windows Passport would mean that a hacker would not only have to physically steal your device, but also kidnap you to access your accounts.

You will, of course, need hardware that is capable of infrared scanning your face or iris, or that has a built-in fingerprint reader to use Windows Hello. Microsoft has already confirmed that all OEM systems with Intel® RealSense™ 3D Camera (F200) will support Windows Hello’s facial unlock features.

Bye-bye Patch Tuesday

Microsoft usually issues security patches on the second Tuesday of every month, which can leave users vulnerable until Patch Tuesday comes around. In Windows 10, Microsoft will regularly issue security patches and users will be forced to accept every update, meaning they will be immediately protected from zero-day bugs.

Forcing updates is a good move. It’s the same as with an antivirus – everyone wants to have an up-to-date database to protect their system as much as possible. – Jiri Sejtko, Director of Virus Lab Operations

More app developer security support

AMSI – Antimalware Scan Interface will help protect users from script-based malware by offering an interface standard that allows apps and services to integrate with antivirus programs on Windows 10 devices. App developers can have their application call the AMSI interface for additional scanning and analytical services. The interface will look for potentially malicious content such as obfuscation and evasion techniques used on Windows’ built-in scripting hosts. Antivirus vendors can implement support for AMSI so that their engine can gain deeper insight into the data that applications consider potentially malicious. Avast will be implementing AMSI in the near future.

Edge, the edgy new browser in town

Microsoft’s Internet Explorer doesn’t have the best reputation, which is probably why Microsoft is introducing the new Edge browser in Windows 10. Edge was created from the same core as Internet Explorer by removing many of the old outdated features that were kept for compatibility reasons, including support for binary extensions like Active X and Browser Helper Objects. Basically, Edge will not support any browser extensions in its initial release, but will add a Javascript/HTML model similar to that of Mozilla, Google, Apple and Opera later on to offer browser extensions. Flash will be built into the Edge browser as well as PDF rendering. Additionally, Edge will be deployed as a Universal Windows App, so users can update Edge from the Windows App Store rather than via Windows updates, and it will run in a sandbox, meaning it will have little to no access to the system and other apps running on your device.

Not supporting any extensions and running Edge inside Windows’ sandbox is very good from a security standpoint. Browser extensions can not only distract users, but they can slow down the browsing experience and can create a huge security risk if abused, as they can see everything you do within the browser, including on encrypted sites. – Lukas Rypacek, Director of Desktop Platform

Avast is already compatible with Windows 10

Avast has been compatible with Windows 10 since March.

No major changes were needed to make Avast compatible with Windows 10; we had to slightly change some components to make everything work as it should, but no changes were needed in terms of behavior and communication. What we are now doing is migrating users to the latest version of Avast to ensure a smooth Windows 10 upgrade. – Martin Zima, Senior Product Manager

Are you looking forward to Windows 10 and will you be upgrading? Let us know in the comments section :)

Follow Avast on Facebook where we keep you updated on cybersecurity news every day.

Avast

Is the Ashley Madison data breach worse than other data breaches?

Leave a comment

Ashley Madison calls itself the “most famous website for discreet encounters between married individuals”. Now, the platform for infidelity and dating has been hacked and its user database of 40 million cheaters with their real names, addresses, financial records, and explicit information were stolen. Discreet is done.

Did the married Ashley Madison customers really think their extramarital activities could be discreet?

Ashley Madison hookup site gets hacked

image: www.ashleymadison.com

The past months and years, Target was hacked, Home Depot, BlueCross BlueShield, and even the U.S. government was hacked and data of tens of millions of people were exposed. Wal-Mart, CVS, and Costco had to take down their photo service websites last week as they are investigating a possible data breach. News about new data breaches break every month, sometimes even every week. Just in May, the dating site AdultFriendFinder was hacked, and sensitive information about 3.5 million people was leaked. It shouldn’t come as a surprise to Ashley Madison users that this data breach happened. It was just a matter of time.

Avid Life Media (ALM), the owner of Ashley Madison, seems to have the same stance. In a statement to the media, published by Brian Krebs who first reported the hack, they said: “The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”

Hackers holding ALM ransom
According to reports, a hacker group called “The Impact Team” seems to be behind this breach and they reportedly demand a ransom from ALM. The hacking group is threatening to expose “all customer records, including profile with all the customer’s secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails” if ALM does not take down Ashley Madison and their other casual dating platform, Established Men.

Moral reasons for the hack
In a document, The Impact Team explained its apparent moral motives behind the breach. Regarding the Ashley Madison users, they write “they’re cheating dirtbags and deserve no such discretion”, and describe Established Men as a “prostitution / human trafficking website for rich men to pay for sex.

Furthermore, they call out ALM for misguiding its users by offering a “full delete” feature that will allegedly delete your payment and address details from its database for a fee of $19. The Impact Teams writes: “It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.” According to the hackers’ manifesto, ALM made $1.7 million in revenue alone with this feature in 2014.

How did The Impact Team get access to the data?

According to information revealed to Brian Krebs by ALM, it is likely that the data breach happened through somebody who internally had access to ALM’s technical systems, like a former employee or contractor.

As this data breach puts sensitive personal information at risk – is it worse than previous breaches, like the Target breach that exposed customer credit card numbers?

Jaromir Horejsi, Senior Malware Analyst at Avast said,

From what we know about the technical circumstances of how this happened, it isn’t worse than other breaches. As a former employee or contractor might have been involved, this doesn’t sound like something that required a sophisticated hack. However, more sensitive personal data is involved, and that is what is making people shiver.”

On the other hand, if somebody is cheating on their spouse, they always are walking on thin ice and have to fear that their partner will find out about it some way or another. This is nothing new.

“What’s more sensitive in this case, is that address and financial data was revealed and therefore could be abused for identity theft,” Jaromir Horejsi added. “The personal data may be sold on hacking forums and later used for spamming the affected individuals. It also didn’t take long until the data from the AdultFriendFinder breach made its rounds on hacking forums. People should take this seriously. What users can learn from this is that any information shared online can be stolen. Just because things take place or at least start in the virtual world doesn’t mean that they have a lower impact on your real life. Users that may be affected should start monitoring their credit card statements for unusual activities and report them to their bank.”

In theory, it would also be possible for the hacker group to start blackmailing individuals – in this case it would be best for those affected to be upfront with their partner to take the wind out of the criminal’s sails. However, judging from the type of ransom the hacker group is demanding, this is rather unlikely – as their real goal seems to be to take down Ashley Madison and Established Men.

Follow Avast on Twitter where we keep you updated on cybersecurity news every day.

Avast

Android malware Fobus now targeting users in the U.S., Germany and Spain

Leave a comment

Mid January we informed you of a data-stealing piece of Android malware called Fobus. Back then Fobus mainly targeted our users in Eastern Europe and Russia. Now, Fobus is also targeting our users in the USA, United Kingdom, Germany, Spain and other countries around the world.

Fobus can cost its unaware victims a lot of money, because it sends premium SMS, makes calls without the victims’ knowledge and can steal private information. More concerning is that Fobus also includes hidden features that can remove critical device protections. The app tricks users into granting it full control of the device and that is when this nasty piece of malware really begins to do its work. You can find some more technical details and analysis of Fobus in our previous blog post from January.

Today, we decided to look back and check on some of the data we gathered from Fobus during the last six months. We weren’t surprised to find out that this malware family is still active and spreading, infecting unaware visitors of unofficial Android app stores and malicious websites.

The interesting part of this malware is the use of server-side polymorphism, which we suspected was being used back in January but could not confirm. We have now confirmed that server-side polymorphism is being used by analyzing some of the samples in our database. Most of these have not only randomly-generated package names, but it also seems that they have randomly-generated signing certificates.

Number of users who have encountered Fobus

Number of users who have encountered Fobus

Geographical reach expanded from the East to the West

Previously, we predicted that we would probably see a steady growth in the number of encounters users have with this malicious application. A review of the results, however, beats all of our predictions. At the beginning, this malware mainly targeted mobile users in Russian speaking countries. As our detections got smarter and we discovered new mutations of Fobus, we discovered that many other countries are affected as well. Now Fobus, although it still mainly targets users in Eastern Europe and Russia, is also targeting our users in the USA, Germany, United Kingdom, Spain, and other countries around the world.

The above graph shows the number of unique users (user IDs) encountering Fobus per day. The graph is also geologically divided by country codes as reported by the users’ connection location.

Number of times users encountered Fobus by country (as of July 21, 2015):

  • Russia: 87,730
  • Germany: 25,030
  • Spain: 12,140
  • USA: 10,270
  • UK:  6,260
  • Italy: 5,910

There are two great leaps visible in the graph, which mark the days when new versions of Fobus were discovered and new detections protecting our users were released. These three detections seem to be particularly effective at their task. The high impact in countries outside of Russia and English speaking regions, which can be seen in the graph, is a little surprising. Especially considering that the malware typically is only in Russian and English and even the English version contains some strings in Russian. Seems like the authors were too lazy to translate their own app properly…

World map showing the percentage of users who encountered Fobus

World map showing the percentage of users who encountered Fobus

An app, built just for you

Now, let’s dig into the analysis. We will look at the certificates used to sign some of the Fobus samples. We already mentioned the problems connected with generating unique applications for each victim (server-side polymorphism). This does not only apply to rebuilding, repackaging and obfuscating each instance of the app itself, but also extends to their signing certificates. To back this up, we analyzed around 4,000 samples and data and inspected the usage of these certificates. We verified that each build of the malicious app is typically seen by one user only, even though its signing certificate can be used to sign multiple apps. Virtually all of the samples we have are very low prevalent, meaning that different users only very rarely see an app instance multiple times. As for the signing certificates, we believe that they are being regenerated on a timely basis. We were able to pick a few examples of such certificates from our statistics.

certs_may_28certs_may_30

 

 

 

 

 

 

 

 

 

 

As you can see from the screenshots above, these certificates are dated the 28th and 30th May 2015 and the time differences in the beginning of the validity period between these certificates are in the order of minutes, sometimes even seconds. We have also found some samples that have certificates with randomly generated credentials altogether.

certs_random

The above provided screenshot is an example of such randomly generated certificates.

To conclude, we would like to encourage you to think twice about the apps you install on your phone. Especially if the apps you download are from third party stores and unknown sources. If you download apps from the Google Play Store you’re on the safe side. Requiring nonstandard permissions – especially permissions that don’t seem necessary for the app to properly function – may be a sign that something fishy going on. You should be very suspicious of an app that requests device administrator access and think twice before downloading it.

Acknowledgement

Special thanks to my colleague, Ondřej David, for cooperation on this analysis.

Avast

How iOS users can stay protected against iScam threat

Leave a comment
iScam displays a "crash report" to affected users. (Photo via Daily Mail)

iScam displays a “crash report” to affected users. (Photo via Daily Mail)

It’s a common belief (and myth) that Apple products are invincible against malware. This false line of thinking has recently again been refuted, as iPhone and iPad users have been encountering a ransomware threat that freezes their Internet browsers, rendering their devices unusable. The ploy, commonly known as iScam, urges victims to call a number and pay $80 as a ransom to fix their device. When users visit an infected page while browsing using the Safari application, a message is displayed saying that the device’s iOS has crashed “due to a third party application” in their phone. The users are then directed to contact customer support to fix the issue.

How to clean your system if you’ve been infected by iScam

  • Turn on Anti-phishing. This can be done by visiting Settings > Safari and turn on ‘Fraudulent Website Warning’. When turned on, Safari’s Anti-phishing feature will notify you if you visit a suspected phishing site.
  • Block cookies. For iOS 8 users, tap Settings > Safari > Block Cookies and choose Always Allow, Allow from websites I visit, Allow from Current Websites Only, or Always Block. In iOS 7 or earlier, choose Never, From third parties and advertisers, or Always.
  • Allow JavaScript. Tap Settings > Safari > Advanced and turn JavaScript on.
  • Clear your history and cookies from Safari. In iOS 8, tap Settings > Safari > Clear History and Website Data. In iOS 7 or earlier, tap Clear History and tap Clear Cookies and Data. To clear other stored information from Safari, tap Settings > Safari > Advanced > Website Data > Remove All Website Data.

Check out Apple’s support forum for additional tips on how to keep your device safe while using Safari.

Avast

GrimeFighter is now Avast Cleanup

Leave a comment

Optimize your PC with Avast Cleanup’s advanced scanning features.

Change is good, especially when it pushes us forward and encourages us to improve. We’ve recently made a change that will benefit our users and make their experience using our products even better. Our PC optimization product formerly known as GrimeFighter has now emerged as Avast Cleanup. In addition to the name change, there’s more to this transition that Avast users can be excited about. In Avast Cleanup, we’ve got a bunch of great benefits for you to enjoy:

  • Rid your PC of up to 5x more junk. Avast Cleanup continues to search for junk files, unnecessary app processes and system settings that slow down your PC’s performance. The amount of issues detected by Avast Cleanup have been improved fivefold, ensuring that your PC is cleaned as thoroughly as possible.
  • Keep it clean, keep it fast. Avast Cleanup’s quick and easy scan is 10x faster, now capable of transforming your PC in minutes or even seconds. As always, exact scan times may vary due to Internet connection or amount of issues found.
  • Win precious space back with new, advanced scanning features. Even a new PC can be loaded with unnecessary apps. Avast Cleanup checks when you update a program or uninstall an app, ensuring that any unnecessary leftover files don’t take up space on your PC. Since you’re immediately informed if unneeded files are discovered, you can save more space on your device than ever before.
  • Organize Avast Cleanup to work around your agenda. You can schedule a daily clean, select which programs you want to load upon startup, and choose what you clean in a scan. What’s more, Avast Cleanup discreetly runs in the background while you go about your daily activities.

Avast Cleanup helps you store more of what you actually want and to accomplish it in just a few minutes. Don’t let your PC become a test of your patience — try Cleanup for yourself. Here’s how:

  • For licensed users, all you need to do is install the latest version of Avast. Your GrimeFighter will then be automatically updated to Avast Cleanup. You’ll receive a notification letting you know that the update was successful.
  • For users who have updated to the latest Avast version but haven’t yet purchased Avast Cleanup, you can do so either from our website or, better yet, directly through the program by navigating to the store link on left menu of the interface.
  • For users who haven’t updated, you can also buy Cleanup within Avast. For now, you’ll still see it as GrimeFighter and you’ll need to do an update to the latest version of Avast in order for it to work.