Tag Archives: VPN

New Avast SecureMe app protects iOS and Android users from Wi-Fi Hacking

Avast mobile security experts launched a new app today at the Mobile World Congress in Barcelona.

Avast booth at MWC15

Avast launches SecureMe app for iOS and Android at Mobile World Congress 2015

Avast SecureMe is the world’s first application that gives iPhone and iPad users a tool to protect their devices and personal data when they connect to Wi-Fi networks. The free app automatically locates Wi-Fi networks and tells users which of them are safe. Since many users connect without knowing the status of the Wi-Fi network – whether it’s protected or not – Avast SecureMe will create a secure connection in order to keep them safe.

“Public Wi-Fi and unsecured routers have become prime targets for hackers, which presents new risks for smartphones and tablets – even iOS devices aren’t immune,” said Jude McColgan, President of Mobile at Avast.

Avast SecureMe will be available in a invitation-only public beta test within the next few weeks. Check back on our blog, Facebook, and Google+ for more information on signing up coming soon.

The app notifies you if it finds security issues

Avast SecureMe includes a feature called Wi-Fi Security. (This feature is also available for Android users within the Avast Mobile Security app available on Google Play.) People who use open Wi-Fi in public areas such as airports, hotels, or cafes will find this helpful. This feature’s job is to scan Wi-Fi connections and notify you if it finds any security issues including routers with weak passwords, unsecured wireless networks, and routers with vulnerabilities that could be exploited by hackers.

“Avast SecureMe and Avast Mobile Security offer users a simple, one-touch solution to find and choose safe networks to protect themselves from the threat of stolen personal data,” said McColgan.

What’s the risk that my personal data will be stolen?

If you use unsecured Wi-Fi when you log in to a banking site, for example, thieves can capture your log in credentials which can lead to identify theft. On unprotected Wi-Fi networks, thieves can also easily see emails, browsing history, and personal data if you do not use a secure or encrypted connection like a virtual private network (VPN). See our global Wi-Fi hacking experiment to see how widespread the threat really is.

Avast SecureMe checks the security of Wi-Fi networks.
Avast SecureMe notifies you of security problems.
Avast SecureMe is a simple way to find and choose safe networks.

The SecureMe app includes a VPN to protect your privacy

Avast SecureMe features a VPN to secure your connections while you conduct online tasks you want to remain private, especially checking emails, doing your online banking, and even visiting your favorite social network sites. Avast SecureMe automatically connects to the secure VPN when it detects that you have connected to a public Wi-Fi making all transferred data invisible to prying eyes. For convenience, you can disable the protection for Wi-Fi connections you trust, like your home network.

Avast SecureMe for iOS will be available soon in the iTunes Store. Before it’s widespread release, we will conduct an invitation-only public beta test, so check back on our blog, Facebook, and Google+ for more information on signing up.

The Wi-Fi Security feature is now also included in the Avast Mobile Security app for Android, available on Google Play.

Americans willingly risk privacy and identity on open Wi-Fi

Is the convenience of open Wi-Fi worth the risk of identity theft? Most Americans think so.

In a recent survey, we found that only 6% of Americans protect their data by using a virtual private network (VPN) when using public Wi-Fi with their smartphone or tablet.  That leaves a whopping 94% unprotected. Why is this?

Do people not know the risks of using unsecured public Wi-Fi?

Is avoiding data overages or the convenience of no password more important than the data on their devices?

Are they not aware that there is protection available?

Are they scared they won’t understand how to use VPN because of the technical sounding name?

The truth about open, public Wi-Fi

The truth is that using unprotected Wi-Fi networks could end up costing you your privacy and identity when you use them without protection like Virtual Private Network (VPN) software. This is because unsecured networks, those are the ones that do not require registration or a password, give cybercrooks easy access to sensitive personal information.

“As mobile cloud storage becomes more popular and the quest for free Wi-Fi continues to grow, open networks that require no passwords place unprotected consumers at great risk of compromising sensitive personal data,” said Jude McColgan, president of mobile at Avast.

“The majority of Americans don’t realize that all the personal information on their mobile devices becomes defenseless over public Wi-Fi if used without protection. These networks create an easy entry point for hackers to attack millions of American consumers on a daily basis.”

WiFi survey blog

Avast can protect you and it’s not hard or expensive

“Unfortunately hacking isn’t a complicated process – there are tools available online that anyone can easily use to steal personal data,” says Ondrej Vlček, Chief Operating Officer at Avast. “Avast SecureLine VPN allows users to browse the web anonymously and safely, especially while using open Wi-Fi.”

Avast SecureLine VPN protects your Internet connections with military-grade encryption and hides your IP address. If that sounds like mumbo-jumbo to you, what it means is that essentially our VPN protection makes your device invisible to cybercriminals. In addition to that, using the VPN hides your browsing history, so no one can monitor your behavior online. We assure you, it’s as easy as can be to use.

Avast SecureLine VPN is available for Android phones and tablets on Google Play and for iOS devices in the Apple App Store. We also have VPN available for Windows PCs.

14 easy tips to protect your smartphones and tablets – Part II

More easy things you can do to secure your smartphone and tablet.

On our blog last week, we shared the first 7 easy security measures to protect your Android devices and the data stored there. But we haven’t finished them. Let’s go a little further.

8. Keep an eye in your phone or, if you can, set Geofencing protection

Don’t put your phone down and go somewhere else. And if you’re having fun in a bar and drinking a beer with friends, have a lucid thought before starting: Turn the Avast Geofencing module on. It’s easy. Open Avast Premium Mobile Security > Anti-Theft > Advanced Settings > Geofencing.

avast-Mobile-Premium_geo-fencing

Set Avast Geofencing on your phone to protect it from theft while you are occupied.

 

9. Be aware of what permissions apps require

Why should a flashlight app need access to your contacts? Why would a calculator need access to your photos and videos? Shady apps will try to upload your address book and your location to advertising servers or could send premium SMS that will cost you money. You need to pay attention before installing or, at least, uninstall problematic apps. It’s not easy to find a way (if any) to manage permissions in a non-rooted Android phone.

We have written about this before as apps could abuse the permissions requests not only while installing but also on updating. Read more to learn and be cautious: Google Play Store changes opens door to cybercrooks.

10. Keep your device up-to-date

Google can release security updates using their services running in your devices. Developers can do the same via an app update. Allow updates to prevent vulnerabilities, the same as you do in your computer. But pay attention to any changes. See tip #9.

11. Encryption

You can encrypt your account, settings, apps and their data, media and other files. Android allows this in its Security settings. Without your lockscreen PIN, password or gesture, nobody will be able to decrypt your data. So, don’t forget your PIN! Nevertheless, this won’t encrypt the data sent or received by your phone. Read the next tip for that.

12. In open/public Wi-Fi, use a VPN to protect your communication

Cybercrooks can have access to all your data in a public, open or free Wi-Fi hotspot at the airport or in a cafe. Avast gives you the ability to protect all inbound and outbound data of your devices with a secure, encrypted and easy-to-use VPN called Avast SecureLine. Learn more about it here.

13. Set the extra features of Lollipop (Android 5)

If you’re with Android Lollipop (v5), you can set a user profile to allow multiple users of the same device. You can create a restricted user profile that will keep your apps from being messed with by your kids or your spouse.

You can also pin the screen and allow other users to only see that particular screen and nothing more. It will prevent your friends and coworkers from accidentally (or on purpose) looking into your device.

14. Backup. Backup. Backup.

Well, our last tip is common digital sense. If everything fails, have a Plan B, and C and D… With Avast Mobile Backup you can protect all your data: contacts, call logs, messages, all your media files (photos, musics and videos) and your apps (with their data if you’re rooted) in safe servers. If your device gets broken, lost or stolen, everything will be there, encrypted and safe, for you to restore to your new device.

Have you followed all our tips? Are you feeling safe? Do you have an extra protection or privacy tip? Please, leave a comment below.

South Korea hit with banking malware using VPN connection

South Korean banks have been attacked by hackers again!

This is not the first time we reported malware which targets Korean banking customers. In the past, we wrote about Chinese threats against Korean Windows users and last year we published a series of blogposts, Fake Korean bank applications for Android (part 1, part 2, part 3), about malware targeting mobile platforms.

The Korean banking malware is based on the same principle previously used. The customer executes the infected binary, which modifies Windows hosts file. This file contains a list of domains with assigned IP addresses.  Malware, however, may modify this file. When a customer wants to visit his online bank website, he is redirected to the IP address specified in the hosts file, not to the original bank website!

XP Debugging2

The piece of malware we will discuss in this blog post performs the above mentioned modification of system settings. However, when we looked into the modified hosts file, we noticed something unusual.

hosts

As you can see in the figure above (shortened screenshot of hosts file), the malware redirects many websites of South Korean banks to the IP address 10.0.0.7. If you try to enter this address into your web browser, you probably won’t get any response, because this is the private IP address. The other websites which belong to South Korean search engines, like Naver, are redirected to the publicly accessible IP address. When visiting any of these search engines on the infected machine, the following banner is displayed on the top of the regular website.

popThe image says:

Do you have a security software or program in your PC or Do you have a security card? Due to hacking incidents and potential of compromising users’ information if you want to use internet banking you need to do identification procedure.

We found one very interesting technical detail about the malware behavior – it uses a VPN connection! When a user clicks on one of the bank’s logos below, he is connected to a VPN and the fake banking website is displayed. At first, the malware connects to the C&C server and obtains configuration by GET request on 69.30.240.106/index.txt. The C&C answer includes a link to an executable modifying the hosts file and VPN server IP address.

900
test.exe
vpn=204.12.226.98

The executable is responsible for properly rewriting %windows%system32driversetchost file, which is queried for address translation before querying DNS on Windows machines. For example, if you want to go to www.naver.com the system first accesses the host file, and if there is a match it uses the specified IP address (104.203.169.221) for that site which differs from the original DNS records – 202.131.30.12 for our geographical location.

The malware targets Korean bank customers who access the following bank websites:

www.nonghyup.com, nonghyup.com, banking.nonghyup.com, www.nonghyup.co.kr, nonghyup.co.kr, banking.nonghyup.co.kr, www.shinhan.com, shinhan.com, www.shinhanbank.com, shinhanbank.com, www.shinhanbank.co.kr, shinhanbank.co.kr, banking.shinhanbank.com, banking.shinhan.com, banking.shinhanbank.co.kr, www.hanabank.com, hanabank.com, www.hanabank.co.kr, hanabank.co.kr, www.wooribank.com, wooribank.com, www.wooribank.kr, wooribank.kr, www.wooribank.co.kr, wooribank.co.kr, www.kbstar.com, kbstar.com, www.kbstar.co.kr, kbstar.co.kr, www.keb.co.kr, keb.co.kr, ebank.keb.co.kr, online.keb.co.kr, www.ibk.co.kr, ibk.co.kr, www.ibk.kr, ibk.kr, mybank.ibk.co.kr, banking.ibk.co.kr, www.kfcc.co.kr, kfcc.co.kr, www.kfcc.com, kfcc.com, www.epostbank.co.kr, epostbank.co.kr, www.epost.kr, epost.kr, www.epostbank.kr, epostbank.kr

The bank domain names are translated into a private network address range (10.0.0.7) and the search engines are translated to webserver running IIS. Webserver runs a Chinese version of IIS, as shown from the error message displayed when supplying incorrect header information.

iis
The malware, however, is not connected to the VPN all the time. The malware searches for the active Internet Explorer windows and if found, depending on Internet Explorer version, it locates browser’s address bar and extracts the currently entered url address. If URL belonging to any of the banks is found, VPN connection is established.

At first, malware drops a file %USERPROFILE%profiles.pbk, which includes the basic configuration. The credentials for VPN (name and password) are hard coded in the binary. The connection is made with help of Windows RAS API interface.

rasdial

If we want to verify the VPN connection in Windows, we can simply locate the dropped PBK file and double click on it. In properties, we will choose “Prompt for name and passwords, certificate, etc.” We enter the username and password, which we previously extracted from the malicious binary. After pressing the “Connect” button, we are connected to the VPN, and if hosts file is properly modified, we can access the fake bank websites. After pressing “Hang Up”, we can disconnect from VPN.

pbk01

pbk02

pbk03

pbk04

 

After a successful connection, “ipconfig /all” command lists PPP connection to VPN, with the current machine’s assigned private IP address. At this moment, the infected machine is connected into the private network and it can access contents hosted on 10.0.0.7.

vpn

Example of visiting bank’s website on a compromised computer

When a customer visits nate, daum or naver on an infected machine, he is presented with the following banner.
XP Debugging1

After clicking on the logo of a bank, the customer is presented with the following modified website (the example below was taken for epostbank.kr, however this attack works the same way for the other banks). If the customer clicks on any link on the fake bank website, he is presented with an error message. The message says that the additional security measures are available. After clicking OK, the fake verification process starts.
epostbank_errormsg
The customer is asked to fill in some personal details.
epostbank01
Then he is asked for a phone number and numbers in his security card.
epostbank02
Lastly, he is presented with a link to download a malicious Android application. At the writing of this blog post, the link to the malicious Android app is not working anymore.
epostbank03

SHAs:

Original dropper

1C22460BAFDDBFDC5521DC1838E2B0719E34F258C2860282CD48DF1FBAF76E79

Dropped DLL, C&C communication

FDF4CAA13129BCEF76B9E18D713C3829CF3E76F14FAE019C2C91810A84E2D878

Hosts file modifier

1D1AE6340D9FAB3A93864B1A74D9980A8287423AAAE47D086CA002EA0DFA4FD4

 

Acknowledgements:

This analysis was jointly accomplished by Jaromir Horejsi, David Fiser and Honza Zika.