Showing posts with label spyware. Show all posts

Monday, July 24, 2023

Spyhide stalkerware is spying on tens of thousands of phones

 

[Image: 1.8 million location data points visualized on a blue world map. Image Credits: TechCrunch]

A phone surveillance app called Spyhide is stealthily collecting private phone data from tens of thousands of Android devices around the world, new data shows.

Spyhide is a widely used stalkerware (or spouseware) app that is planted on a victim’s phone, often by someone who knows the passcode. The app is designed to stay hidden from the victim’s home screen, making it difficult to detect and remove. Once planted, Spyhide silently and continually uploads the phone’s contacts, messages, photos, call logs and recordings, and granular location in real time.

Despite their stealth and broad access to a victim’s phone data, stalkerware apps are notoriously buggy and are known to spill, leak, or otherwise expose victims’ stolen private data, underlining the additional risk that phone surveillance apps pose.

Now, Spyhide is the latest spyware operation added to that growing list.

Switzerland-based hacker maia arson crimew said in a blog post that the spyware maker exposed a portion of its development environment, allowing access to the source code of the web-based dashboard that abusers use to view the stolen phone data of their victims. By exploiting a vulnerability in the dashboard’s shoddy code, crimew gained access to the back-end databases, exposing the inner workings of the secretive spyware operation and its suspected administrators.

Crimew provided TechCrunch with a copy of Spyhide’s text-only database for verification and analysis.

Years of stolen phone data

Spyhide’s database contained detailed records of about 60,000 compromised Android devices, dating back to 2016 up to the date of exfiltration in mid-July. These records included call logs, text messages, and precise location history dating back years, as well as information about each file, such as when a photo or video was taken and uploaded, and when calls were recorded and for how long.

TechCrunch fed close to two million location data points into an offline geospatial and mapping software, allowing us to visualize and understand the spyware’s global reach.

Our analysis shows Spyhide’s surveillance network spans every continent, with clusters of thousands of victims in Europe and Brazil. The U.S. has more than 3,100 compromised devices, a fraction of the total number worldwide, yet these U.S. victims are still some of the most surveilled victims on the network by the quantity of location data alone. One U.S. device compromised by Spyhide had quietly uploaded more than 100,000 location data points.

[Image: Millions of location data points visualized on a blue map of the United States. Image Credits: TechCrunch]

Spyhide’s database also contained records on 750,000 users who signed up to Spyhide with the intention of planting the spyware app on a victim’s device.

Although the high number of users suggests an unhealthy appetite for using surveillance apps, most users who signed up did not go on to compromise a phone or pay for the spyware, the records show.

That said, while most of the compromised Android devices were controlled by a single user, our analysis showed that more than 4,000 users were in control of more than one compromised device. A smaller number of user accounts were in control of dozens of compromised devices.

The data also included 3.29 million text messages containing highly personal information, such as two-factor codes and password reset links; more than 1.2 million call logs containing the phone numbers of the receiver and the length of the call, plus about 312,000 call recording files; more than 925,000 contact lists containing names and phone numbers; and records for 382,000 photos and images. The data also had details on close to 6,000 ambient recordings stealthily recorded from the microphone from the victim’s phone.

Made in Iran, hosted in Germany

On its website, Spyhide makes no reference to who runs the operation or where it was developed. Given the legal and reputational risks associated with selling spyware and facilitating the surveillance of others, it’s not uncommon for spyware administrators to try to keep their identities hidden.

But while Spyhide tried to conceal the administrator’s involvement, the source code contained the name of two Iranian developers who profit from the operation. One of the developers, Mostafa M., whose LinkedIn profile says he is currently located in Dubai, previously lived in the same northeastern Iranian city as the other Spyhide developer, Mohammad A., according to registration records associated with Spyhide’s domains.

The developers did not respond to several emails requesting comment.

Stalkerware apps like Spyhide, which explicitly advertise and encourage secret spousal surveillance, are banned from Google’s app store. Instead, users have to download the spyware app from Spyhide’s website.

TechCrunch installed the spyware app on a virtual device and used a network traffic analysis tool to understand what data was flowing in and out of the device. This virtual device meant we could run the app in a protective sandbox without giving it any real data, including our location. The traffic analysis showed that the app was sending our virtual device’s data to a server hosted by German web hosting giant Hetzner.

When reached for comment, Hetzner spokesperson Christian Fitz told TechCrunch that the web host does not allow the hosting of spyware.

What you can do

Android spyware apps are often disguised as a normal-looking Android app or process, so finding these apps can be tricky. Spyhide masquerades as a Google-themed app called “Google Settings” featuring a cog icon, or a ringtone app called “T.Ringtone” with a musical note icon. Both apps request permission to access the device’s data and immediately begin sending it to Spyhide’s servers.

You can check your installed apps through the apps menu in the Settings, even if the app is hidden on the home screen.
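The manual check above scales badly once you have a drawer full of apps. The script below is an added example (not code from TechCrunch or Spyhide) that turns it into a triage pass: it parses a constructed, heavily abbreviated imitation of `adb shell dumpsys package` output, counts how many surveillance-type permissions each app actually holds, and flags labels that imitate Google while living outside Google's package namespace. The package names, the sample layout and the permission threshold are assumptions; real dumpsys output is far longer and its layout varies by Android version.

```python
"""Triage installed Android apps for a stalkerware-like permission profile.

Added example, not code from TechCrunch or Spyhide.  SAMPLE_DUMPSYS is a
constructed, heavily abbreviated imitation of `adb shell dumpsys package`
output; the package names are invented and the exact layout varies between
Android versions, so adapt the regexes before pointing this at a real dump.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The data Spyhide collects (messages, contacts, call logs, audio, location)
# maps onto this set of runtime permissions.  No single one is damning; the
# combination in an app with no obvious need for it is what gets flagged.
SURVEILLANCE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}
# Genuine Google/AOSP components live under these package prefixes; a
# "Google ..." label elsewhere is impersonation (Spyhide used "Google Settings").
GOOGLE_PREFIXES = ("com.google.", "com.android.")

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
LABEL_RE = re.compile(r"^\s*label=(.+?)\s*$")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


@dataclass
class AppInfo:
    package: str
    label: str = ""
    granted: set[str] = field(default_factory=set)


def parse_dumpsys(text: str) -> list[AppInfo]:
    """Split the dump into per-package records with label and granted permissions."""
    apps: list[AppInfo] = []
    current: AppInfo | None = None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            current = AppInfo(package=m.group(1))
            apps.append(current)
        elif current is None:
            continue  # preamble before the first package block
        elif m := LABEL_RE.match(line):
            current.label = m.group(1)
        elif (m := PERM_RE.match(line)) and m.group(2) == "true":
            current.granted.add(m.group(1))
    return apps


def triage(app: AppInfo, min_perms: int = 4) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    held = sorted(app.granted & SURVEILLANCE_PERMS)
    if len(held) >= min_perms:
        findings.append(f"holds {len(held)} surveillance permissions: {held}")
    if re.search(r"\bgoogle\b", app.label, re.I) and not app.package.startswith(GOOGLE_PREFIXES):
        findings.append(f"label {app.label!r} imitates Google but package is {app.package}")
    return findings


def suspicious_apps(text: str) -> dict[str, list[str]]:
    """Map package -> findings for every app with at least one finding."""
    return {a.package: f for a in parse_dumpsys(text) if (f := triage(a))}


# Constructed sample: two apps styled after the disguises described in the
# article ("Google Settings", "T.Ringtone") and one benign control app.
SAMPLE_DUMPSYS = """\
Package [com.example.gsettings] (1a2b3c):
    label=Google Settings
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.RECORD_AUDIO: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.CAMERA: granted=false
Package [com.example.tringtone] (4d5e6f):
    label=T.Ringtone
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.RECORD_AUDIO: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
Package [com.example.flashlight] (7a8b9c):
    label=Flashlight
    runtime permissions:
      android.permission.CAMERA: granted=true
"""

if __name__ == "__main__":
    for pkg, findings in suspicious_apps(SAMPLE_DUMPSYS).items():
        print(pkg)
        for finding in findings:
            print("  -", finding)
```

Treat the output as a shortlist for a person to review against the apps menu in Settings, not as a verdict: a legitimate messaging app or Google Play services itself will also carry several of these permissions, and a stalkerware author can pick any package name, including one under a Google-looking prefix. The value is in surfacing an app such as a ringtone player that has no business reading SMS and tracking location.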

[Image: A screenshot showing the Spyhide app as "Google Settings" and "T.Ringtone". Image Credits: TechCrunch]

We have a general guide that can help you remove Android spyware, if it’s safe to do so. Remember that switching off spyware will likely alert the person who planted it.

Switching on Google Play Protect is a helpful safeguard that protects against malicious Android apps, like spyware. You can enable it from the settings menu in Google Play.

Thursday, August 24, 2017

Malwarebytes Introduces Malwarebytes for Android, Featuring Proprietary Anti-Ransomware Technology

SANTA CLARA, Calif., Aug. 24, 2017 /PRNewswire/ -- Malwarebytes™, the leader in advanced malware prevention and remediation solutions, today announced the release of Malwarebytes for Android, featuring targeted defense against mobile malware, ransomware, adware, infected applications and unauthorized surveillance. Combining multiple distinct protection layers, Malwarebytes for Android is a more effective and efficient replacement for antivirus on mobile devices.
According to data collected by Malwarebytes in the first half of 2017, incidents of Android malware increased more than five percent since the start of the year. Most notably, incidents of Android ransomware increased 138 percent in Q2 2017 (April to June) over Q1 2017 (January to March), with Jisut, SLocker and Koler ransomware collectively accounting for nearly 95 percent of these detections. While Android ransomware is growing at this rapid pace, Trojans and potentially unwanted programs (PUPs) remain the biggest issues for Android users. Android Trojans accounted for more than 48 percent of all Android malware detections in the first half of 2017 and PUPs accounted for 47 percent of all detections.
Malwarebytes for Android features several distinct benefits and features for users to protect against this increasingly dangerous mobile threat landscape, including:
  • Anti-Malware proactively and automatically scans mobile applications, files, native memory and SD cards for malware and spyware, in addition to potentially unwanted programs and adware for removal.
  • Anti-Ransomware proactively stops ransomware in its tracks with proprietary next-generation technology and remediates ransomware incidents.
  • Process Automation schedules automatic device scans and color codes device health issues by severity.
  • Security Audit identifies security vulnerabilities on the device and suggests remediation.
  • Privacy Manager identifies every application's access privileges in detail and breaks down access privileges by category.
  • Scanner showcases scan progress and identifies types of infections found, removal results and scan history.
To optimize the mobility of these features, Malwarebytes for Android can be easily managed from a desktop widget. The app can also be controlled using SMS to remotely lock a device, remediate a device if it is being held ransom, and reset device pin codes.
"Windows devices are no longer the sole victims of damaging malware attacks, as strategic attacks on Android devices are rapidly on the rise," said Armando Orozco, Senior Mobile Malware Intelligence Analyst, Malwarebytes. "All Android users need to remain alert and proactively guard their identity and data on the go, just as they do on their computers at home."  
About Malwarebytes
Malwarebytes is the next-gen cybersecurity company that millions worldwide trust. Malwarebytes proactively protects people and businesses against dangerous threats such as malware, ransomware and exploits that escape detection by traditional antivirus solutions. The company's flagship product combines advanced heuristic threat detection with signature-less technologies to detect and stop a cyberattack before damage occurs. More than 10,000 businesses worldwide use, trust and recommend Malwarebytes. Founded in 2008, the company is headquartered in California, with offices in Europe and Asia and a global team of threat researchers and security experts. For more information, please visit us at http://www.malwarebytes.com/.
Malwarebytes founder and CEO Marcin Kleczynski started the company to create the best disinfection and protection solutions to combat the world's most harmful Internet threats. Marcin was recently named "CEO of the Year" in the Global Excellence awards and has been named to the Forbes 30 Under 30 Rising Stars of Enterprise Technology list and the Silicon Valley Business Journal's 40 Under 40 award, adding those to an Ernst & Young Entrepreneur of the Year Award.

SOURCE Malwarebytes


Monday, December 5, 2016

Alert (TA16-336A) Avalanche (crimeware-as-a-service infrastructure)

Systems Affected

Microsoft Windows

Overview

“Avalanche” refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI), is releasing this Technical Alert to provide further information about Avalanche.

Description

Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers.
In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise.
Avalanche used fast-flux DNS, a technique that hides the criminal servers behind a constantly changing network of compromised systems acting as proxies.
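As an added illustration of the fast-flux technique just described (this code is not part of the US-CERT alert), the script below profiles a constructed passive-DNS log and flags domains whose A records churn across many networks with short TTLs, which is the observable side effect of fronting a service with a rotating pool of compromised proxies. The domain names, addresses, timestamps and thresholds are invented, and the /16 prefix is a stand-in for the ASN lookup real tooling would use.

```python
"""Flag fast-flux candidates in a resolver log.

Added example, not part of the US-CERT alert.  SAMPLE_LOG is constructed
(domains, addresses and timestamps are invented).  Real fast-flux detection
maps each address to its ASN; here the /16 prefix stands in for that, which
is a deliberate simplification.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address
from statistics import mean


@dataclass(frozen=True)
class Resolution:
    ts: int        # epoch seconds when the answer was observed
    domain: str
    ttl: int       # TTL of the A record, in seconds
    ip: str


def parse_log(text: str) -> list[Resolution]:
    """Parse whitespace-separated `ts domain ttl ip` lines; '#' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, domain, ttl, ip = line.split()
        IPv4Address(ip)  # raises ValueError on a malformed address
        records.append(Resolution(int(ts), domain.lower().rstrip("."), int(ttl), ip))
    return records


def profile(records: list[Resolution]) -> dict[str, dict[str, float]]:
    """Per-domain churn statistics: answers seen, unique addresses, unique /16s, mean TTL."""
    by_domain: dict[str, list[Resolution]] = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)
    stats = {}
    for domain, rs in by_domain.items():
        ips = {r.ip for r in rs}
        nets = {".".join(r.ip.split(".")[:2]) for r in rs}  # /16 as a coarse network key
        stats[domain] = {
            "answers": len(rs),
            "unique_ips": len(ips),
            "unique_nets": len(nets),
            "mean_ttl": mean(r.ttl for r in rs),
        }
    return stats


def is_fast_flux(s: dict[str, float], min_ips: int = 5, min_nets: int = 3,
                 max_ttl: int = 300) -> bool:
    """Many addresses, spread over many networks, each advertised only briefly.

    A CDN also rotates addresses behind short TTLs, but within a few provider
    networks; the network-diversity requirement is what separates the two.
    Compromised home machines used as proxies sit in many unrelated networks.
    """
    return (s["unique_ips"] >= min_ips
            and s["unique_nets"] >= min_nets
            and s["mean_ttl"] <= max_ttl)


def flag_domains(text: str) -> list[str]:
    """Sorted list of domains in the log that look fast-fluxed."""
    return sorted(d for d, s in profile(parse_log(text)).items() if is_fast_flux(s))


# Constructed data: one fluxed domain, one CDN-style domain, one static host.
SAMPLE_LOG = """\
# ts          domain                    ttl   ip
1700000000  update-check.example.org  60    10.1.0.5
1700000060  update-check.example.org  60    10.2.0.9
1700000120  update-check.example.org  120   10.3.1.7
1700000240  update-check.example.org  60    10.4.2.2
1700000300  update-check.example.org  180   10.5.0.1
1700000480  update-check.example.org  60    10.1.0.5
1700000540  update-check.example.org  60    10.6.3.3
1700000000  cdn.example.net           60    192.0.2.10
1700000060  cdn.example.net           60    192.0.2.11
1700000120  cdn.example.net           60    192.0.2.12
1700000180  cdn.example.net           60    192.0.2.13
1700000240  cdn.example.net           60    192.0.2.14
1700000000  www.example.com           3600  198.51.100.7
1700003600  www.example.com           3600  198.51.100.7
"""

if __name__ == "__main__":
    for domain, s in profile(parse_log(SAMPLE_LOG)).items():
        verdict = "FAST-FLUX?" if is_fast_flux(s) else "ok"
        print(f"{domain:28} ips={s['unique_ips']} nets={s['unique_nets']} "
              f"ttl={s['mean_ttl']:.0f}s  {verdict}")
```

The thresholds are a starting point, not a calibrated detector: tune them against your own resolver traffic, and replace the /16 key with an ASN lookup before trusting the network-diversity count, since a single hosting provider can own many /16s and a single /16 can span several operators.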
The following malware families were hosted on the infrastructure:
  • Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
  • URLzone (aka Bebloh)
  • Citadel
  • VM-ZeuS (aka KINS)
  • Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
  • newGOZ (aka GameOverZeuS)
  • Tinba (aka TinyBanker)
  • Nymaim/GozNym
  • Vawtrak (aka Neverquest)
  • Marcher
  • Pandabanker
  • Ranbyus
  • Smart App
  • TeslaCrypt
  • Trusteer App
  • Xswkit
Avalanche was also used as a fast-flux botnet that provides communication infrastructure for other botnets, including the following:
  • TeslaCrypt
  • Nymaim
  • Corebot
  • GetTiny
  • Matsnu
  • Rovnix
  • Urlzone
  • QakBot (aka Qbot, PinkSlip Bot)

Impact

A system infected with Avalanche-associated malware may be subject to malicious activity including the theft of user credentials and other sensitive data, such as banking and credit card information. Some of the malware had the capability to encrypt user files and demand a ransom be paid by the victim to regain access to those files. In addition, the malware may have allowed criminals unauthorized remote access to the infected computer. Infected systems could have been used to conduct distributed denial-of-service (DDoS) attacks.

Solution

Users are advised to take the following actions to remediate malware infections associated with Avalanche:
  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. Even though parts of Avalanche are designed to evade detection, security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up to date. If you suspect you may be a victim of Avalanche-associated malware, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Avoid clicking links in email – Attackers have become very skilled at making phishing emails look legitimate. Users should ensure a link is legitimate by typing the address into a new browser window rather than clicking it (see Avoiding Social Engineering and Phishing Attacks for more information).
  • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords for more information.)
  • Keep your operating system and application software up to date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches for more information.)
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.
          ESET Online Scanner
          F-Secure
          McAfee Stinger
          Microsoft Safety Scanner
          Norton Power Eraser
          Trend Micro HouseCall

Revisions

  • December 1, 2016: Initial release
  • December 2, 2016: Added TrendMicro Scanner

Sunday, August 21, 2016

Five Best Malware Removal Tools

On Thursday we asked you to share your favorite tool for purging malware from your computer. We've tallied the votes and we're back with the top five contenders for best malware removal tool.

The internet—unfortunately—isn't a never-ending buffet of secure open-source software and Bollywood-style musicals starring LOLCats. There are people and organizations that delight in stealing your personal data, hijacking your computer, and making a general nuisance of themselves through malicious software. This week we're highlighting the top five tools for removing software with ill intentions from your PC.

Spybot Search & Destroy (Windows, Freeware)



Spybot Search & Destroy has made quite a name for itself over the years, earning accolades from both general and computer-focused publications. Spybot Search & Destroy is the highest ranked freeware tool at 2Spyware.com, a website that ranks malware removal tools. In addition to scanning for malware, Spybot Search & Destroy also has a variety of additional functionality, including a botnet scanner, hosts-file modification (to keep malware from calling home), a secure file shredder, and a dummy code feature (it replaces malicious or questionable adware modules with inert code so the dependent program will keep functioning). As an added bonus Spybot Search & Destroy is compatible with every version of Windows dating back to Windows 95.

SUPERAntiSpyware (Windows, $30)



SUPERAntiSpyware is available as both a freeware and a premium edition, like Malwarebytes' Anti-Malware (see below), but the freeware edition is considerably more restricted. The free version is limited to basic on-demand scanning and malware removal. The premium version includes real-time scanning, registry protection, a scheduling service, auto-scan on startup, and 50 startup diagnostics to stop malware infections before they spread. One of SUPERAntiSpyware's strongest selling points is its high level of compatibility with other protection tools like Avira, Kaspersky, Symantec, and McAfee. In most cases it can be run alongside other tools without any conflict.

ComboFix (Windows, Freeware)



ComboFix is just as spartan as the screenshot here makes it look. You download ComboFix, run it, and it takes care of the rest. The basic ComboFix process looks like this: It backs up your registry, checks to see if you have Windows Recovery Console installed, and then it goes to town on your system scanning away through 40+ stages. When it's done, ComboFix spits out a log file and lists all the malware it found, which ones it was able to remove, and which ones you'll have to use your Google-fu to look up how to remove manually. It isn't fancy, but it gets the job done and gives you a detailed report at the end to take to security forums for help if you need it.

Malwarebytes' Anti-Malware (Windows, $25)



Malwarebytes' flagship application Anti-Malware is a shareware malware-removal tool. The principal difference between the free and premium versions of the application is real-time monitoring. If you don't need active scanning against threats, the free version uses the same database and does an admirable job ferreting out infections. Anti-Malware was, for example, one of the few malware removal tools that could detect and remove Antivirus XP 2008, a spyware application that masqueraded as an antivirus app. The Anti-Malware installation includes another application from Malwarebytes called FileASSASSIN—a helpful tool for deleting files locked by Windows.

HijackThis (Windows, Freeware)



HijackThis stands alone in this Hive Five as being the least automated yet most likely to completely wreck your system if used incorrectly. HijackThis does a comprehensive scan of the state of your computer and reports back an enormous log file. The tool makes no judgement on whether an application, browser modification, or registry entry is malicious. It simply generates a list of things that could have been altered or tampered with by spyware, malware, or other malicious programs. Advanced users can look over the log themselves and determine what needs to be pruned. If you're not comfortable doing that, your best bet is to take the log file to a popular security forum like BleepingComputer or SpywareInfoForum and ask their armies of knowledgeable volunteer malware slayers to comb over it for you. Alternatively, while not a replacement for expert help from people in the forums, HijackThis.de is a web-based HijackThis log reader which is updated nightly. You upload your log file, it scans the file for relevant entries, and it gives you links to articles on how to remove the malware found in the log.

Now that you've had a chance to look over the contenders for top malware killer, it's time to cast your vote and see who goes home with the crown. A note about the poll: the option for "Other" is missing from this week's poll. We understand that the best way to get rid of malware is to hit it with multiple tools until the infestation is good and dead, but we'd like you to cast your vote based on the best possible (single) tool for the job, not on the scorched earth policy of using them all. If you have an Other vote for a completely different malware-removal tool, we're happy to hear it in the comments.
This week's honorable mention goes to "Reformat" (as in your hard drive) as a last-ditch, foolproof solution to your malware problems. Apparently sometimes when you find a mouse in the kitchen the only way to be sure there aren't any more of them in the walls is to burn the whole house down. Have a malware horror story, a favorite tool, or a prevention tip you want to share? Sound off in the comments below.

via lifehacker

 