HiddenAds malware does manage to slip into Google Play… again

Google continues to struggle with keeping bad apps off the Play marketplace. This time researchers have discovered malicious gaming apps packed with a new threat from the HiddenAds malware family. The apps were downloaded roughly 8 million times… Yes, definitely – Google is still struggling with its marketplace security.

21 Malicious Apps Downloaded 8 Million Times From Google Play

Despite Google’s best efforts to keep Android users safe, malware does manage to slip into Google Play from time to time, and the 21 malicious apps that Avast identified recently are proof of that. Google has already removed 15 of them. 

Aimed at gamers, the apps were found to include adware that is part of the HiddenAds family. The offending applications appear to have been downloaded roughly 8 million times before being discovered.

The HiddenAds malware, Avast explains, poses as fun or useful apps but in reality delivers intrusive ads outside the application. Often, the malware would make detection difficult by hiding behind relevant-looking advertisements and would attempt to prevent removal by hiding icons.

In this case, the threat was disguised as games promising highly engaging action.

To stay protected, users are advised to always double-check any application they want to download and install on their devices, even those listed in Google Play. Checking the app’s reviews, price, and ratings in the store and paying attention to the requested permissions should help users identify suspicious apps.


KashmirBlack botnet behind attacks on CMSs like WordPress, Joomla, Drupal, others

A highly sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying content management system (CMS) platforms. Named KashmirBlack, the botnet started operating in November 2019.

Security researchers from Imperva who analyzed the botnet said its primary purpose appears to be to infect websites and then use their servers for cryptocurrency mining, redirecting a site’s legitimate traffic to spam pages, and to a lesser degree, showing web defacements.

The botnet started out small, but after months, it has evolved into a sophisticated behemoth capable of attacking thousands of sites per day. Nowadays, KashmirBlack is “managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure,” Imperva said. “It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.”

Source: ZDNet

KashmirBlack expands by scanning the internet for sites using outdated software and then using exploits for known vulnerabilities to infect the site and its underlying server. 

The exploits allowed KashmirBlack operators to attack sites running CMS platforms like WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager. Some exploits targeted the CMS itself, while others targeted components and libraries bundled with those CMSs.

Based on multiple clues it found, Imperva researchers said they believed the botnet was the work of a hacker named Exect1337, a member of the Indonesian hacker crew PhantomGhost.


There is a new TrickBot Linux variant deployed in the wild

No more than two weeks ago, a coalition of Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec tried to take down the command and control infrastructure of the TrickBot botnet.

Microsoft has taken down:

  1. 120 of the 128 servers that were composing the Trickbot infrastructure.
  2. 62 of the original 69 TrickBot C&C servers – seven servers that could not be brought down were Internet of Things devices.
  3. And after the botnet operators tried to resume the operations, MS brought down 58 of the 59 servers the operators attempted to bring online.

But according to the newest report published by Netscout, TrickBot’s operators have started to use a new variant of their malware in an attempt to infect Linux systems and expand the list of their targets.

Researchers analysed the communication flow between the bot and the C2 server. The client sends “c2_command 0” to the server along with information about the compromised system and the bot ID; the server, in turn, responds with the message “signal /1/”. The infected host echoes the same message back to the C2, which then sends the command to be executed by the bot.

“The complexity of Anchor’s C2 communication and the payloads that the bot can execute reflect not only a portion of the Trickbot actors’ considerable capabilities but also their ability to constantly innovate, as evidenced by their move to Linux,” we read in the report.

Once the command has been executed, the bot sends the result of the execution back to the C2 server.
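The handshake described above is a pattern a network defender can look for in captured application-layer traffic. The following is an added example written for this summary, not code from Netscout’s report: the only details taken from the report are the token strings “c2_command 0” and “signal /1/” and the order of the exchange. The record layout (flow identifier, direction, payload) and the sample traffic are constructed for illustration; real captures would need a decoder for whatever transport and encoding the bot actually uses.

```python
"""Flag flows that complete the Anchor-style C2 handshake:
   out: "c2_command 0" + host info   in: "signal /1/"
   out: "signal /1/" (echo)           in: <command>
Constructed example; only the two token strings and the message order
come from the published description."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass
class Msg:
    flow: str        # constructed connection identifier, e.g. "src:port->dst:port"
    direction: str   # "out" = infected host to server, "in" = server to host
    payload: str     # decoded application-layer message

def find_handshakes(msgs: Iterable[Msg]) -> List[Tuple[str, int]]:
    """Return (flow, index of the opening beacon) for every flow that
    goes through all four steps in order. A message that breaks the
    sequence resets that flow, but may itself start a new handshake."""
    state = {}   # flow -> (stage reached, index of the "c2_command 0" beacon)
    hits = []
    for i, m in enumerate(msgs):
        p = m.payload.strip()
        stage, start = state.get(m.flow, (0, -1))
        advanced = False
        if stage == 1 and m.direction == "in" and p == "signal /1/":
            state[m.flow] = (2, start); advanced = True
        elif stage == 2 and m.direction == "out" and p == "signal /1/":
            state[m.flow] = (3, start); advanced = True
        elif stage == 3 and m.direction == "in" and p:
            # Server delivered a command after the echo: full handshake seen.
            hits.append((m.flow, start)); state[m.flow] = (0, -1); advanced = True
        if not advanced:
            # No handshake in progress, or the pattern broke: look for a fresh beacon.
            if m.direction == "out" and p.startswith("c2_command 0"):
                state[m.flow] = (1, i)
            else:
                state[m.flow] = (0, -1)
    return hits

# Constructed sample traffic using RFC 5737 documentation addresses.
FLOW_A = "10.0.0.5:43122->203.0.113.7:443"
FLOW_B = "10.0.0.9:51000->198.51.100.2:80"
FLOW_C = "10.0.0.7:40210->203.0.113.9:443"
SAMPLE = [
    Msg(FLOW_A, "out", "c2_command 0 host=srv01 id=BOTID-0001"),  # constructed beacon
    Msg(FLOW_B, "out", "GET / HTTP/1.1"),                          # benign noise
    Msg(FLOW_A, "in",  "signal /1/"),
    Msg(FLOW_B, "in",  "HTTP/1.1 200 OK"),
    Msg(FLOW_A, "out", "signal /1/"),
    Msg(FLOW_A, "in",  "<command placeholder>"),
    Msg(FLOW_A, "out", "<result placeholder>"),
    Msg(FLOW_C, "out", "c2_command 0 host=srv02 id=BOTID-0002"),  # beacon with no echo
    Msg(FLOW_C, "in",  "signal /1/"),
    Msg(FLOW_C, "in",  "unrelated"),                               # breaks the sequence
]

if __name__ == "__main__":
    for flow, idx in find_handshakes(SAMPLE):
        print(f"handshake completed on {flow}, beacon at message #{idx}")
```

The detector keys on the order of the exchange rather than on any single string, so a lone “signal /1/” in unrelated traffic does not fire; flow C above starts a handshake but never completes the echo step and is therefore not reported.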


Popular messaging apps are a security risk… again. But this time the problem is associated with Link Previews

Messaging apps have caused a number of problems – leaking IP addresses, exposing links sent via end-to-end encrypted chats, and even stealthily downloading gigabytes of data in the background. Now it looks like there is a new problem on the list. Apps that rely on servers to generate link previews may be violating the privacy of their users by sending links shared in a private chat to those servers.

Link previews are a common feature in most messaging apps. Some – like Signal and Wire – give users the option to turn on/off link previews. A few others like Threema, TikTok, and WeChat don’t generate a link preview at all.

The apps that do generate previews do so either at the sender’s end, at the recipient’s end, or on an external server whose result is then sent back to both the sender and the receiver. Sender-side link previews – used in Apple iMessage or Facebook’s WhatsApp – work by downloading the link, creating the preview image and summary, and sending these to the recipient as an attachment. When the app on the other end receives the preview, it displays the message without opening the link, thus protecting the recipient from malicious links.

There is another problem. A messaging app that generates previews on the receiving side opens the URL automatically upon receiving a message with a link, thereby disclosing the phone’s IP address in the request sent to the server. A bad actor can learn the user’s approximate location without any action taken by the receiver, simply by sending a link to a server under their control.

Lastly, does the server used to generate the preview retain a copy, and if so, for how long, and what is it used for? Many apps impose a 15-50 MB cap on the files downloaded by their respective servers. Slack caches link previews for around 30 minutes. Facebook Messenger and Instagram were found to download entire files, even if they ran into gigabytes in size. Do these servers retain a copy? What if there is ever a data breach of these servers?
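The two safeguards discussed in this section, a byte cap on what a preview server will download and a bounded lifetime for whatever it caches, are straightforward to implement. The following is an added example written for this summary, not code from any of the messaging apps named. It assumes a server-side preview design (so the linked site sees the preview server’s address rather than the user’s), abstracts the HTTP fetch behind a callable so that it runs offline against constructed responses, and uses the 15 MB cap and 30 minute cache lifetime as constants taken from the figures quoted above.

```python
"""Server-side link-preview generator with a download cap and a cache TTL.
Added example; the fetch is injected so the code runs offline."""
import re
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

MAX_PREVIEW_BYTES = 15 * 1024 * 1024   # lower end of the 15-50 MB cap quoted above
CACHE_TTL_SECONDS = 30 * 60            # 30 minutes, the figure quoted for Slack

class PreviewTooLarge(Exception):
    """Raised when a linked resource exceeds the download cap."""

def read_capped(chunks: Iterable[bytes], cap: int) -> bytes:
    """Consume a streamed body and abort as soon as the cap is exceeded,
    so the server never holds more than cap + one chunk of an oversized file."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > cap:
            raise PreviewTooLarge(f"body exceeded {cap} bytes")
    return bytes(buf)

def extract_title(html: bytes) -> str:
    """Minimal <title> extraction used as the preview summary."""
    m = re.search(rb"<title>(.*?)</title>", html, re.I | re.S)
    return m.group(1).decode("utf-8", "replace").strip() if m else ""

class PreviewServer:
    def __init__(self, fetch: Callable[[str], Iterable[bytes]],
                 now: Callable[[], float] = time.time,
                 cap: int = MAX_PREVIEW_BYTES, ttl: int = CACHE_TTL_SECONDS):
        self.fetch, self.now, self.cap, self.ttl = fetch, now, cap, ttl
        self._cache: Dict[str, Tuple[float, Optional[str]]] = {}  # url -> (stored_at, title)
        self.fetch_count = 0   # how many times the origin was actually contacted

    def preview(self, url: str) -> Optional[str]:
        """Return the preview title for url, None if none could be produced.
        Results (including failures) are cached for ttl seconds."""
        t = self.now()
        cached = self._cache.get(url)
        if cached and t - cached[0] < self.ttl:
            return cached[1]
        self._cache.pop(url, None)
        self.fetch_count += 1
        try:
            title = extract_title(read_capped(self.fetch(url), self.cap)) or None
        except PreviewTooLarge:
            title = None           # oversized link: no preview, nothing retained
        self._cache[url] = (t, title)
        return title

    def purge_expired(self) -> int:
        """Drop cache entries older than ttl; returns how many were removed."""
        t = self.now()
        expired = [u for u, (ts, _) in self._cache.items() if t - ts >= self.ttl]
        for u in expired:
            del self._cache[u]
        return len(expired)

# Constructed stand-in for HTTP: a small page and a 40 MB "document" streamed in 1 MB chunks.
def fake_fetch(url: str) -> Iterable[bytes]:
    if url == "https://example.com/big":
        return (b"\0" * (1024 * 1024) for _ in range(40))
    return iter([b"<html><title>Quarterly contract</title></html>"])

class FakeClock:
    """Controllable clock so the TTL behaviour can be exercised without waiting."""
    def __init__(self, start: float = 1_000_000.0):
        self.t = start
    def __call__(self) -> float:
        return self.t

if __name__ == "__main__":
    clock = FakeClock()
    srv = PreviewServer(fake_fetch, now=clock)
    print(srv.preview("https://example.com/page"))   # fetched from origin
    print(srv.preview("https://example.com/page"))   # served from cache
    print(srv.preview("https://example.com/big"))    # None: exceeded the cap
    clock.t += CACHE_TTL_SECONDS
    print("purged:", srv.purge_expired())
```

Caching the negative result for an oversized link avoids re-downloading it every time the same message is rendered, and the explicit `purge_expired` step is what turns a “cache for 30 minutes” policy into an actual retention bound rather than entries that linger until the process restarts.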

Now answer this: have you ever shared bills, contracts, or anything that may be confidential this way?


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Massive Nitro data breach impacts Microsoft, Google, Apple, more (Bleeping Computer)
2. Hacker steals $24 million from cryptocurrency service ‘Harvest Finance’ (ZDNet)
3. LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes (Threat Post)
4. Microsoft shares list of URLs required by Microsoft Defender ATP (Bleeping Computer)
5. Fragomen law firm data breach exposed Google employees’ data (Security Affairs)
6. Russian Turla hackers breach European government organization (Bleeping Computer)
7. Nando’s Hackers Feast on Customer Accounts (Threat Post)
8. Amazon sacks insiders over data leak, alerts customers (Bleeping Computer)
9. Containerd Bug Exposes Cloud Account Credentials (Threat Post)
10. Google employees’ personal info exposed in law firm data breach (Bleeping Computer)