Categories
Mobile Syrup

Android spyware linked to Russian hackers tracks location, records audio

Researchers uncovered a previously unknown, Russian-linked Android malware that masquerades as a system app called ‘Process Manager’ while collecting a wealth of user data.

According to Lab52 (via Bleeping Computer), the malware is linked to Turla, a Russian state-sponsored hacking group. Turla is known for using custom malware to target European and American systems, typically for espionage. Moreover, Turla was recently linked to the ‘Sunburst’ backdoor used in the 2020 SolarWinds attack.

Lab52 identified a malicious APK — the file type used for Android applications — called ‘Process Manager.’ It’s not clear how threat actors distribute the APK to users. Based on the connection to Turla, it’s possible threat actors use phishing schemes or social engineering to get the app installed on devices.

Once installed, however, the app disguises itself with a gear-shaped icon to look like a system component. Coupled with the ‘Process Manager’ name, it could be easily mistaken for part of the Android system.

On first launch, Lab52 says the app prompts the user to grant it 18 permissions, including access to location, camera, call logs, SMS, the ability to read and write to storage, and more. With these permissions, Process Manager can effectively gather a huge amount of data about the device’s owner.

Lab52 noted it’s not clear if the app uses the Android Accessibility service to grant itself permissions, or if it tricks users into granting permission.

Further, once the malware gets the permissions, it removes its icon and runs in the background. Interestingly, the app shows a notification saying that it’s running, which seems counterintuitive for a spyware app that would want to remain hidden.

Lab52 also found that the malware installed additional apps on victims’ devices, including one called ‘Roz Dhan: Earn Wallet cash,’ a popular money-earning app. The malware appears to install the app using its referral system, likely earning a commission for the creators.

All this seems relatively strange for spyware — Bleeping Computer suggests the unsophisticated nature may indicate the spyware is part of a larger system.

The publication also suggests some ways Android users can protect themselves. For one, check the ‘Permission manager’ feature in the Settings app (on my phone, it’s available in the ‘Privacy’ menu). It’s a good idea to revoke permissions for any apps you don’t trust, or that appear risky. Users should also pay attention to the new camera and microphone use indicators that appear on devices running Android 12. If these indicators show up when you’re not using the camera or microphone, it could indicate the presence of spyware on your device.
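The permission audit described above can also be done off-device for an incident responder or a fleet of managed phones. The script below is an added example, not code from the article or from Lab52: it parses the `runtime permissions:` section that `adb shell dumpsys package` prints for each installed package and flags apps that have been granted the surveillance-style combination the article lists (location, camera, microphone, SMS, call log, storage). The dumpsys text, package names and permission states embedded in it are constructed for illustration; the line-format regexes are an assumption based on the common dumpsys layout and may need adjusting for a given Android version.

```python
"""Flag installed Android apps that hold a high-risk set of runtime permissions.

Added example (not from the MobileSyrup article or Lab52's report). It parses
the 'runtime permissions:' block of `adb shell dumpsys package` output and
reports packages whose granted permissions match the spyware-like profile the
article describes. SAMPLE_DUMPSYS is a constructed sample, not real output.
"""
import re
from typing import Dict, List, Set, Tuple

# Real Android permission names that, granted together, give an app the
# reach the article attributes to 'Process Manager'.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample of dumpsys output for two packages (invented names).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.processmanager] (abcd123):
    userId=10150
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
  Package [com.example.weather] (ef5678):
    userId=10151
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
"""

# Assumed line formats: "Package [<name>] (<hash>):" opens a package block and
# "<permission>: granted=true|false, ..." lists one permission.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Map each package name to the runtime permissions it currently holds.

    Only the 'runtime permissions:' section counts; install-time permissions
    such as INTERNET are not user-revocable and are ignored here.
    """
    granted: Dict[str, Set[str]] = {}
    current = None
    in_runtime = False
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted[current] = set()
            in_runtime = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "runtime permissions:":
            in_runtime = True
            continue
        if in_runtime and stripped.endswith(":"):
            in_runtime = False  # a new sub-section started
            continue
        if in_runtime:
            m = PERM_RE.match(line)
            if m and m.group(2) == "true":
                granted[current].add(m.group(1))
    return granted


def flag_high_risk(granted: Dict[str, Set[str]],
                   threshold: int = 4) -> List[Tuple[str, List[str]]]:
    """Return (package, sorted high-risk permissions) for packages holding at
    least `threshold` HIGH_RISK permissions, most permissions first."""
    flagged = []
    for pkg, perms in granted.items():
        hits = sorted(perms & HIGH_RISK)
        if len(hits) >= threshold:
            flagged.append((pkg, hits))
    flagged.sort(key=lambda item: (-len(item[1]), item[0]))
    return flagged


if __name__ == "__main__":
    for pkg, hits in flag_high_risk(parse_granted_permissions(SAMPLE_DUMPSYS)):
        print(f"{pkg}: {len(hits)} high-risk runtime permissions granted")
        for perm in hits:
            print(f"    {perm}")
```

On a real device, feed the output of `adb shell dumpsys package` (a USB-debugging session, which requires the phone's consent) into `parse_granted_permissions` instead of the sample. The threshold is deliberately a count rather than an exact match, so a legitimate app with one or two sensitive permissions (a weather app with location, as in the sample) is not reported, while an app that has accumulated most of the set is.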

Source: Lab52 Via: Bleeping Computer

Toronto’s Citizen Lab uncovered Predator, a Pegasus-like spyware, on iPhones

While Israeli cyberarms firm NSO Group’s ‘Pegasus’ spyware dominated headlines, other groups quietly sold equally powerful spyware. Security researchers at Toronto-based Citizen Lab released a lengthy report on spyware called ‘Predator’ after finding it on an iPhone that had also been infected with NSO Group’s Pegasus.

Citizen Lab discovered Predator when an exiled Egyptian politician named Ayman Nour became suspicious because his phone was “running hot.” Researchers found Nour’s phone was infected with Pegasus and also identified other spyware, which researchers determined was Predator. They also connected Predator to Cytrox, based in North Macedonia.

Researchers also found Predator running on the phone of an Egyptian news show host who asked not to be named.

Both phones were iPhones running iOS 14.6 — the latest version at the time of the hacks — which suggests that Predator exploited a never-before-seen vulnerability in the iPhone’s software to infect the phones.

Techcrunch asked Apple about the vulnerability, but a company spokesperson declined to say whether Apple had patched it. Citizen Lab noted that it shared copies of “forensic artifacts” from its Predator investigation with Apple and that the iPhone-maker confirmed it was investigating.

Predator can survive a reboot, making it more persistent than Pegasus

Predator and Pegasus have similar feature sets and, according to Citizen Lab, Predator was delivered to Nour’s iPhone via a malicious link sent over WhatsApp. When Nour opened the link, Predator was able to gain access to the phone’s cameras and microphone, as well as pull data off the phone. Unlike Pegasus, however, Predator cannot silently infect a phone without user interaction. In other words, the spyware relies on user input, like clicking a malicious link, to activate.

Researchers said Predator makes up for that with persistence — the spyware can survive a reboot of an iPhone, which would typically clear out any spyware lurking in the phone’s memory. It does so by creating an automation using the Shortcuts feature built into iOS.

Meta banned Cytrox and other groups from its platforms

Techcrunch also detailed an effort by Facebook parent company Meta to ban surveillance-for-hire groups. Meta banned seven groups — including Cytrox — from its platforms and said it removed over 1,500 Facebook and Instagram accounts associated with the seven groups. Further, Meta said the accounts were used to send malicious links to targets in over 100 countries. The company alerted some 50,000 people it believes were targeted by these groups.

Citizen Lab said that Predator was likely being used by government customers in Armenia, Greece, Serbia, Indonesia, Madagascar, Oman, Egypt and Saudi Arabia. Meta’s investigation also found Predator customers in Vietnam, the Philippines and Germany.

While certainly concerning, it’s worth keeping in mind that these tools aren’t necessarily problems for the average person. Pegasus and Predator have so far been used to target journalists, politicians, human rights advocates and similar figures. Moreover, these spyware tools are commonly delivered through malicious links — as such, it’s a good idea to avoid clicking any link you receive, especially if it comes from an unfamiliar source.

You can read Citizen Lab’s full report here.

Source: Citizen Lab, Meta Via: Techcrunch

Apple will send threat notifications to potential spyware targets

Following Apple’s announcement that it will sue NSO for attacking iOS users, the iPhone-maker also revealed it’s monitoring devices for signs of compromise and will alert users with affected devices.

As a refresher, NSO is an Israel-based company that developed the ‘Pegasus’ spyware used to compromise iPhones. NSO claims it only sells the tool to governments and law enforcement agencies, but reports show that Pegasus was used against activists, journalists and even Jeff Bezos (just to name a few targets).

According to a new support document from Apple, the company will deliver threat notifications to people potentially targeted by Pegasus in three ways: via iMessage, email and an alert on the Apple ID website (pictured below).

Further, Apple says that these threat notifications will never ask users to click on any links or install anything. If you receive a threat notification and aren’t sure about its validity, Apple suggests you sign into ‘appleid.apple.com’ to check.

Apple ID threat notifications

However, the company also acknowledges that things can change quickly, and says it cannot guarantee it will detect all attacks. Apple warns that false alarms are possible as well.

Finally, Apple lays out several steps iPhone owners should take to further protect themselves from potential attacks. Steps include updating devices to the latest software and security fixes, protecting devices with a passcode, using two-factor authentication (2FA) and a strong password for their Apple ID, only installing apps from the App Store (where else would you get them?), using strong passwords for online services and finally, Apple warns not to click on links or attachments from unknown senders.

That last one is particularly important when it comes to Pegasus. One of the main ways attackers deliver spyware is by sending links or files to targets. When clicked, these links or files can install Pegasus without the target’s knowledge.

It might also be wise to avoid clicking links or files sent by people in your contacts too. It’s entirely possible for attackers to spoof sender details to make it look like something’s coming from a familiar source.

All that said, most people probably don’t need to worry about Pegasus on their phones. The tool is often deployed against journalists, activists, politicians and other public or important figures, not average people. Still, at least now there’s some reassurance that if an attacker used Pegasus against you, Apple might be able to warn you about it.

Those interested can learn more about Apple’s threat notifications here.

Source: Apple Via: 9to5Mac