Zscaler ThreatLabz found that the app claimed to give users access to the latest Android software updates, but in fact was being used to spy on a user’s exact geolocation, which could have been used for any number of malicious reasons.
Google intervened this week, after a report from mobile security firm Zscaler, but by the time Google took it down, between one and five million users had already installed it on their phones.
Android spyware masqueraded as a fake system update on the Google Play Store in an attempt to log unsuspecting users' location data. Zscaler's Shivang Desai answers that question in a blog post.
Discovered by IT security researchers at Zscaler, the SMSVova Android spyware poses as a system update in the Play Store and was downloaded between one million and five million times since it first appeared in 2014.
According to Zscaler, a US-based cybersecurity firm, the spyware was caught posing as an Android security update and had been downloaded between one and five million times since 2014. After responsible disclosure, Google removed the application from its marketplace.
This app made it to [the] Play Store in 2014. Google's app vetting process has improved tremendously over the years, but we are unsure if existing and older apps are vetted on an ongoing basis. This would be a heavy task given the size of these play stores.
One of the alerts was from Zscaler, which said it had discovered a spyware tool posing as a system update in Google Play. The malware appears to have been available on the Google app store since at least 2014 and has been downloaded between 1 million and 5 million times, the security vendor said in an alert Wednesday.
Today, even financial services are embracing the cloud. And it's driven by two reasons. Number one, the cost competitiveness and the speed at which the development is happening with cloud applications, so they can get them faster. And two, better technologies are evolving to make sure data can be protected and regulatory requirements can be met.
"The jRAT payload is capable of receiving commands from a C&C server, downloading and executing arbitrary payloads on the victim's machine. It also has the ability to spy on the victim by silently activating the camera and taking pictures," said Sammer Patil, security researcher at Zscaler.
The RIG exploit kit is diminished, but continues to drop various ransomware payloads such as CryptoShield, Cerber and Locky, primarily in the geographic locations of South America, Southeast Asia, and Australia. That’s a shift, according to Zscaler, from targeting Western Europe, North America, and Russia.
Chris Hodson, EMEA CISO at Zscaler, is more positive about whether it can be achieved technically. “In a word, yes,” he told SC Media. “Though encryption remains only part of the security puzzle. Front loading the internet with the ‘silver bullet' of encryption only serves to protect information in transit between two parties and does not maintain security hygiene overall.”
“The Internet is the new network, connecting users to applications, and companies need to shift from the notion of protecting the network to policy-based controls. Together with VeloCloud we combine advanced cloud-based security with the exceptional performance, quality and reliability of VeloCloud Cloud-Delivered SD-WAN to bring agility to the branch, simplify networking and security, and reduce costs,” comments Zscaler’s VP of business development, Punit Minocha.
“The malware author will usually target popular apps, especially the ones that do not leverage strong anti-tamper techniques” that check whether an app has been tampered with by a third party and stop it from working if modifications are detected, said Deepen Desai, senior director of security research at Zscaler.
“Mr Hodson pointed out that often businesses don't compare like with like when assessing cloud costs. A cloud deployment might be more expensive than the existing system but the real comparison should be with the cost of bringing the existing system up to the required current standard. In such instances, he said, the cloud is usually cheaper.”
“Zscaler has discovered a new Ransomware for Google's mobile operating system Android. The security researchers Gaurav Shinde and Viral Gandhi write in the Zscaler blog that the blackmail software was not recognized by any anti-virus software. However, it is also an example that a ransom payment does not automatically cause the cybercriminals to release an infected Android smartphone.”
“Almost all strings, method names, variable names, and class names are disguised in such a way that it's extremely difficult to understand the code. Most of these methods are invoked using the Java reflection technique, which allows the author to evade static analysis detection.”
"Considering the stealth tactics designed into this sample, it wouldn't be difficult to imagine the author successfully uploading this ransomware to the Google Play Store," said Gaurav Shinde, Zscaler analyst.
In view of the malware attacks and methods uncovered by the report, organizations would do well to address the threat potential of encrypted traffic, and also the technical options and processes through which data protection can be reconciled with the necessary data security. SSL inline scanning and, above all, the interception and blocking of malicious traffic can be carried out in a legally compliant manner if companies take appropriate measures.
Chris Hodson, EMEA CISO at Zscaler said, "While some may argue that only half of all Android devices receiving a security update in the past year is nowhere near enough, it’s important to remember that Rome wasn’t built in a day. Cyber security is iterative and 50 per cent shows a dramatic increase compared to previous years. This is likely as a direct result of the prioritisation of security updates from phone carriers and the “over-the-air” update process of Android 7.0, which streamlined the boot-up process."
Zscaler researchers say these [dubious streaming] links are redirecting viewers "to a site that installs a browser hijacker, which prompts users to install toolbars and change the homepage to search.searchliveson[.]com to continue watching the game.”
Alley-OOPS! March Madness fans scouring the web for bracket contests and live game streams may instead find themselves all fouled up by online scams, Zscaler reported in a blog post this week. The cloud-based security company reported a sizable spike in malicious activity related to sporting events between March 4 and 21, with a huge jump on March 18 and 19 – the first weekend of the NCAA Division I Men's Basketball Tournament.
One of those secrets included the creation of a dex file that, when executed, plays a specific YouTube video and generates ad revenue for the video’s author. A .dex file (Dalvik Executable) is a compiled version of an Android program. The functionality of downloading and executing .dex files allows these adware apps to execute arbitrary code pushed by the C2 server, explained Deepen Desai, senior director of research and operations at Zscaler.
In an analysis of more than 75,000 apps from the Google Play Store, mobile security company Zscaler found that 68 percent of the apps required SMS access permission, 46 percent asked for the phone’s state permission, which allows apps to access the phone’s SIM card information, and 36 percent requested GPS location permission.
What’s more, with a year to go until the GDPR comes into force, it’s a reminder of how far behind some firms are in their preparations. No company will want a breach to come as a surprise as we move into a regulatory minefield with excruciating consequences for non-compliance. Identification needs to be a priority moving forwards, so that dwell time can be reduced and unnecessary harm mitigated. Moving on from that, prevention can be achieved using platforms that meet GDPR requirements and are architected with ‘security and privacy by design
Zscaler, a cloud-based security platform for businesses, created a Value Management Office. The Office helps each client define, quantify, and track their unique business goals associated with Zscaler implementation. Zscaler and their clients hold each other accountable to specific, measurable, time-based results.
Chris Hodson, EMEA CISO at Zscaler told SC Media UK: "Reassuring customers that no financial details were exposed is irrelevant. If users are able to see other customers' bills, then there's a totally feasible scenario where one user could ask for a replacement sim based on the billing details, get a replacement phone and reset passwords for major accounts – including banking. This has real implications for identity fraud.”
Even with simple web browsing, exploit kits represent a significant threat. Infection with ransomware may result in the user being denied access to his data. However, these infections can be prevented. For example, users should always block scripts and programs from untrusted sources. Also, suspicious advertisements should not be clicked.
Punit Minocha, Zscaler VP for business development, said: “This joint effort brings together Zscaler’s ability to provide high-performance, cloud-delivered internet security with Barracuda’s experience in the small and midsize market to provide comprehensive security that is easy to deploy at an affordable price.”
Zscaler's Deepen Desai describes in the video below how attackers are increasingly hiding their activities within encrypted traffic, making this kind of inspection important. TLS/SSL inspection also lets administrators examine application, cross-network, cross-cloud, cross-datacenter and IoT communications for threats. If these communications aren't being inspected, then all the other security defenses in place become less effective.
“Now that criminals have the capacity to wreak havoc by hosting malware and injecting code through malvertising, we've reached a tipping point where all traffic must be treated as suspect, with every byte subject to the same scrutiny. There's now no excuse not to prioritise SSL encryption, especially when platforms exist that can scale to meet this demand without adding latency," said Chris Hodson, EMEA CISO at Zscaler.
“Zscaler Inc., a San Jose, Calif., cloud-security company, has appointed Karen Blasing to its board of directors. Besides her role as independent director, Ms. Blasing will chair the board’s audit committee. The move follows the appointment of Remo Canessa as chief financial officer in February.”
“Irrespective of where data resides, businesses cannot outsource responsibility. So, as more third party cloud services are adopted, this management of the supply chain must be considered. Especially as the EU GDPR age promises excruciating fines for those who cannot comply," said Chris Hodson, EMEA CISO at Zscaler.
“Security tends to be a very compute-intensive operation,” observes Punit Minocha, Zscaler’s vice president of business development. “Given that our security is done in the cloud, the end customer no longer has to make a trade-off between security and performance.”
“‘Exploit kits still pose a significant threat. There is nothing new about exploit kit authors hiding their activities and frequently changing tactics,’ Deepen Desai, senior director of research and operations at Zscaler said. ‘There is no reason to believe we won’t see a resurgence of exploit kits in the future. The question is when.’”
We have seen new RIG gates and landing pages hosted in South America, Southeast Asia, and Australia. Previously, RIG hosts were mainly limited to Western Europe, North America, and Russia. These new hosts indicate an effort to increase the target demographics and potential victim pool worldwide for RIG-distributed ransomware.
"Zscaler is embracing an innovative approach to help enterprises transform and simplify their network infrastructure and provide fast and secure access to applications, whether they are on the corporate network or in the cloud. As the SaaS landscape has changed dramatically in recent years, companies are struggling with increased network and security complexity and have a strong need for a new security approach," said Aleksandra Verhoeve, explaining their decision to move to Zscaler.
Microsoft Office 365 has been widely praised for its ability to improve collaboration and productivity. But those benefits are quickly undone by poor performance, which is a major problem for Office 365 users in regional and branch offices. In these environments, traffic is often backhauled to centralised resources over MPLS links before it can go out to the Internet and connect to Office 365. Then the traffic from Office 365 takes the same circuitous route back to the user. It all leads to frustrating latency and high costs.
As companies discover the benefits of the cloud in terms of agility, productivity, and cost, organizations are increasingly embracing cloud applications and infrastructure services. Thus, global spending on the public cloud is expected to total $216 billion by 2020. But what about security? The cloud rush has highlighted the limitations of existing security systems as threats become increasingly strong.
Zscaler reported that the iSpy keylogger malware gets onto an endpoint when end users open a malicious attachment in a spam or phishing email, from which the main iSpy malware is downloaded onto the system.
“We are approaching new problems with the same old solution,” said William Harmer, a senior director at Zscaler, a cloud security company. “We are coming at it from the perimeter, the corporate stack, … in a world that’s become mobile, where the network is irrelevant and the perimeter is porous.”
So while the potential of AI for security is exciting – it remains a work in progress and by no means presents an imminent threat to skilled workers or deserves the bad reputation it has gained of late.
Attacks on IT via devices on the Internet of Things (IoT) have reached a new dimension. Similar to "Code Red" and "Nimda" about 15 years ago in the software environment, the hardware industry is now in the crosshairs. At the end of last year, the "Mirai" botnet, with several attacks against different web services, gave a foretaste of what the industry.
“Zscaler had the best booth in terms of allowing attendees to relieve a bit of aggression. Taking a very literal approach to data destruction, Zscaler supplied an arsenal of destruction tools to eviscerate hard drives. With hammer in hand, attendees hacked away, splintering dated data to smithereens.”
Sinha explained how Zscaler is enabling a better security model for cloud-first workloads. “We want to sit between users and the destinations that they go to all across the world,” he said.
“If you want to introduce cloud computing in your company, you need a clear strategy, which also takes account of network infrastructure, remote access and Internet security. Read about how "clouding" succeeds in practice.”
“The main hurdle with “cloudification” is that network infrastructure has to be taken into consideration as well as security to ensure consistent user experience, when accessing cloud-based apps. Teams can’t just strengthen the hardware they’ve already got at a few internet gateways.”
“Businesses need to be careful when selecting a technology supplier. A wrong choice could lead to a false sense of security, more chaos and disastrous consequences,” he warned.
I don’t think enterprises were particularly well prepared for [the cloud]. I think now there’s this rush to move everything into the cloud. But networking teams were ill prepared; it’s crushing their network because they have all this new internet traffic. Security teams are scrambling because now they have to secure data in locations they don’t own and control.
Life was good when your users and your data were inside the network perimeter, but mobility in the cloud happened and your users moved out and your applications moved to the cloud, yet organizations are still building a perimeter around a network where the data no longer sits.
Office 365 is one of a number of apps to leave the confines of the data center and move to the cloud. For those of you who were at Microsoft’s Ignite conference in September, the new recommendation for an optimal deployment was to go direct to the internet. So what they have realized is that backhauling all the traffic across a traditional hub-and-spoke architecture and going through some sort of centralized proxy could actually break Office 365.
“I have witnessed Zscaler’s momentum from the outside and I am thrilled to be joining the Zscaler team. Zscaler foresaw the massive growth in cloud services years ago, and I am convinced that Zscaler is unique in its ability to secure this transformation from the corporate data center to the cloud," Canessa said.
Mr. Canessa said Illumio was a “great” company, but he felt Zscaler was a better fit given its momentum. Mr. Canessa’s hiring follows just weeks after the company announced technology industry veteran Charles H. Giancarlo would join its board.
Cloud security startup Zscaler on Friday hired Remo Canessa as chief financial officer, tapping a person who has helped lead two big tech IPOs in the past.
Ransomware has become a profitable business for the bad guys. We’re seeing numerous affiliate schemes where criminals are leasing ransomware infrastructure to other criminals and taking a percentage of the profits. This evidences the same service-based model we see in all industries. With this framework, the barriers to entry are lowered, and more criminals are turning to ransomware.
“All over the world, Zscaler has seen the emergence of demand for cloud security causing a major transformation in IT business security operations from both startups to multiple multi-billion dollar industries - and Australia and New Zealand are no exception,” said Zscaler country manager for A/NZ, Sean Kopelke.
Based on today's data on malware that is transported into the company via SSL-encrypted traffic, and the resulting threat potential, companies would do well to expand their security strategy with legally compliant SSL scanning. It is important to gather the works council's concerns about data protection and to address them.
Zscaler: Another security solution gaining traction in our network is Zscaler. Its focus on next-generation firewalls, sandboxing, SSL inspection, and vulnerability management has made it the cloud-based internet security company to watch in our network.
Chris Hodson, EMEA CISO at Zscaler, plays devil's advocate and points out that “decrypting traffic has a significant time, performance and cost impact and in some areas is simply not possible because the necessary cryptographic keys aren't available.”
"Android users must be more vigilant today than ever before and only deploy apps from legitimate Google and Apple application stores. We have identified examples of malware on these sites but a fraction of the likelihood," he told CNBC via email.
"Generally, when you go to business meetings, it's not for political talk," he said. "But I had a few business meetings today and every meeting would start with, 'So, America, you're closing down? You're going to build a wall around yourself?' I'm not sure we're gaining much from this. But we have a lot to lose. Every country out there used to look at America as a role model," he said. "This goes against our fundamental values. Reagan went to Berlin and said, 'Mr. Gorbachev, tear down this wall!' Now we've come full circle."
“The majority of these enterprises are based in Indian metros like Mumbai, Delhi, Bangalore and Chennai, but they have branch offices across tier-2 and tier-3 cities,” he says. According to him, they have traditionally been in the business of security controls, which are a dire need across all verticals including pharma, ITES, retail, and manufacturing.
“The spyware in this analysis was portraying itself as the Netflix app. Once installed, it displayed the icon found in the actual Netflix app on Google Play,” Zscaler’s Shivang Desai explained in a blog post. “As soon as the user clicks the spyware’s icon for the first time, nothing seems to happen and the icon disappears from the home screen. This is a common trick played by malware developers, making the user think the app may have been removed. But, behind the scenes, the malware has not been removed; instead it starts preparing its onslaught of attacks.”
"Android apps for Netflix are enormously popular [...] but the apps, with their many millions of users, have captured the attention of the bad actors who are exploiting the popularity of Netflix to spread malware," shared Shivang Desai, a researcher with Zscaler.
Watch out for the fake Netflix app, which could be spying on you — stealing your contacts, uninstalling apps and more. Zscaler came across this fake app, which turned out to be a new variant of SpyNote RAT (Remote Access Trojan).
“Deepen Desai, Zscaler’s senior director of security research and operations, told Threatpost Tuesday that while researchers haven’t seen this particular RAT variant being spammed in the wild yet, they did see it on one of their threat feeds.”
“There were two interesting sub-classes found inside Main Activity: Receiver and Sender,” the blog said. “Receiver was involved in receiving commands from the Server and the main functionality of Sender was to send all the data collected to the C&C over Wi-Fi.”
“Security is fundamentally moving away from the box-based approach," Mr. Chaudhry said. "It’s almost like moving from individual power generators in homes to power plants.”
A Chief Information Security Officer (CISO) must combine technical expertise in the protection of critical data and infrastructure with leadership skills in order to take responsibility for management strategies. Employee mobility, digital transformation, increasingly intelligent attack scenarios, and legal requirements on data protection must be brought into line with the protection strategy in order to successfully counter opportunistic attacks as well as industrial espionage.
“The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware. In this case, like others before, the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT. As a reminder, it is always a good practice to download apps only from trusted app stores such as Google Play,” Zscaler concludes.
Zscaler researchers also reveal that the RAT is able to extract WhatsApp data from the infected devices. All of the gathered information is stored in a database and is then sent to the command and control (C&C) server.
"They include the main sections of their suite -- Skype, Office, Xbox are all accessible -- but they don't have full integration. For example, clicking on Skype will just send you to Skype and leave you there, and clicking Office Trust Center will send you to the help page of the Office Trust Center," Harmer told SearchSecurity via email. "While not ideal, this setup is better than nothing as it reminds you that you have different places to deal with privacy for each of the components."
Internet security specialist Zscaler has now used its security cloud to examine the threat situation posed by its customers' IoT devices whose traffic passes through the Zscaler cloud. The two-month analysis from August to October also aimed to find out whether these devices were involved in the prominent DDoS attacks of those months. The investigation focused primarily on device type, the protocols used by the devices, the location of the servers they communicate with, and the frequency of inbound and outbound communication.
Zscaler also reports on this modus operandi: knowing that Android users are eagerly awaiting "Super Mario Run," the Trojan malware attempts to present a fake web page promoting its release. Some details of the malware are cited in their report.
The malware targets all the financial apps on a user’s device. When they use them, they are presented with a fake login screen that captures their details. In the Zscaler blog, Gandhi lists the finance apps the malware targets. It includes the Android apps from banks such as Société Générale, BNP Paribas, RBS, NatWest, Halifax, HSBC, TSB and Santander. All data gathered is sent back to a Command and Control (C&C) server where it is harvested and shared.
Due to the constantly evolving nature of the malware, Zscaler researchers have previously dubbed Marcher "the most prevalent threat to the Android devices" and the malware attacks all versions of Google's mobile operating system.
“Once the user's mobile device has been infected, the malware waits for victims to open one of its targeted apps and then presents the fake overlay page asking for banking details. Unsuspecting victims will provide the details that will be harvested and sent out to the malware's command and control (C&C) server," Zscaler says.
Marcher is a sophisticated banking malware strain that targets a wide variety of banking and financial apps and credit cards by presenting fake overlay pages. Once the user's mobile device has been infected, the malware waits for victims to open one of its targeted apps and then presents the fake overlay page asking for banking details. Unsuspecting victims will provide the details that will be harvested and sent out to the malware's command and control (C&C) server.
“Recently, ThreatlabZ came across a variant of Android Marcher Trojan disguised as the Super Mario Run app in one of our threat feeds,” the firm explained. “This malware scams users by presenting fake finance apps and credit card page in order to harvest banking details.”
“While it may be the CIO’s responsibility to enact the requirements needed to achieve a secure environment, the CSO is ultimately responsible for enabling security," Harmer said. "CSOs must understand the requirements laid out by the CIO and are responsible for providing the most effective, easily integrated and cost-effective security solutions. Separation of CIO and CSO responsibility is fundamental and should be implemented by default.”
“Android Marcher has been around since 2013 and continues to actively target mobile user’s financial information," says Zscaler’s Viral Gandhi. "To avoid being a victim of such malware, it is always a good practice to download apps from trusted app stores such as Google Play. This can be enforced by unchecking the ‘Unknown Sources’ option under the ‘Security’ settings of your device.”