Advisory ID: NCC-CSIRT-180423-019
Summary: A new Android malware named 'Goldoson' has infiltrated Google Play through 60 legitimate apps that collectively have 100 million downloads. The Android malware, discovered by McAfee's research team, is capable of collecting a range of sensitive data, including information on the user's installed apps, WiFi and Bluetooth-connected devices, and GPS locations. Additionally, it can perform ad fraud by clicking ads in the background without the user's consent.
Vulnerable Platform(s): Android Operating Systems
Threat Type: Malware
Product : Google Play Store Applications
Version: All Versions
Description:
The malicious component is part of a third-party library that the developers of all sixty apps unknowingly added to their apps. When a user runs a Goldoson-containing app, the library registers the device and obtains its configuration from an obfuscated remote server. The configuration contains parameters that set which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often. The data collection mechanism is commonly set to activate every two days, transmitting a list of installed apps, geographical position history, MAC addresses of devices connected via Bluetooth and WiFi, and other information to the C2 server. The amount of data collected is determined by the permissions granted to the infected app during installation as well as the Android version.
Some of the impacted apps are:
- L.POINT with L.PAY - 10 million downloads
- Swipe Brick Breaker - 10 million downloads
- Money Manager Expense & Budget - 10 million downloads
- GOM Player - 5 million downloads
- LIVE Score, Real-Time Score - 5 million downloads
- Pikicast - 5 million downloads
- Compass 9: Smart Compass - 1 million downloads
- GOM Audio - Music, Sync lyrics - 1 million downloads
- LOTTE WORLD Magicpass - 1 million downloads
- Bounce Brick Breaker - 1 million downloads
- Infinite Slice - 1 million downloads
- SomNote - Beautiful note app - 1 million downloads
- Korea Subway Info: Metroid - 1 million downloads
Consequences: Stealing of sensitive data and performing ad fraud by clicking ads in the background without the user's consent
Impact/Probability: HIGH/HIGH
Solution :
- Users are to update their applications with the latest security patches.
- Users should install anti-malware software to routinely scan their devices for malware.
- Users should always download applications from official sites and application stores (avoid downloading apps from third-party Android app stores).
References:
https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/
https://malwaretips.com/threads/android-malware-infiltrates-60-google-play-apps-with-100m-installs.122573/
https://www.business-standard.com/amp/companies/news/android-malware-infects-60-google-play-apps-with-100-million-downloads-123041700123_1.html
Advisory ID: ngCERT-2023-0008
Summary: Phishing is a type of cyberattack that employs social engineering techniques to persuade a potential victim(s) to reveal sensitive information via deceptive emails, text messages, phone calls, and/or social media. The attacker may be looking for personally identifiable information (PII), banking details, and account credentials. The goal could also be to trick the victim into downloading malware.
Description: Such an attack usually starts with a phishing email, text message (also known as smishing), or even a direct message (DM) on a social media app that appears urgent and requires you to either click on a link that takes you to an external website or download a file attachment. This website is fraudulent and is intended to collect sensitive, potentially damaging information from the potential victim. Another technique involves using a phone call, or vishing, to trick victims into disclosing sensitive information. In order to collect their information and compromise their accounts, the attacker would either call the victim or use an automated system to pretend to be calling from their bank.
Consequences: Phishing attacks can lead to identity theft, data theft, and massive financial losses for the victims.
Damage/Probability: CRITICAL/HIGH
Solution : Some countermeasures against phishing are:
i. Enable multifactor authentication (MFA) – if possible, use more than a two-step process.
ii. Change passwords regularly.
iii. Use spam filters.
iv. Change web browser settings to prevent fraudulent websites from opening, i.e., use web filters.
v. Always use “https” when browsing the web (there are settings in most web browsers that allow for strict usage of “https”).
vi. Use anti-malware to detect malware in phishing emails.
vii. Usage of comprehensive solutions by organisations such as security information and event management (SIEM) and endpoint detection and response (EDR) can help filter phishing emails before they get to the users.
viii. Cybersecurity awareness training for staff to spot characteristic features of phishing scams, such as:
a. Poor spelling or grammar
b. Requests to transfer money or for personal and payment information
c. Suspect file attachments
d. Discrepancies in the sender address
e. A sense of urgency e.g. ‘You will lose access to this service in 24 hours…’
f. Usage of a link-shortening service
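The indicators listed under (viii) can also be checked mechanically before a message reaches a user. The following is an added example (not from the advisory or any vendor product) that flags indicators b to f in a raw email using simple heuristics; the shortener list, urgency phrases, risky extensions and the sample messages are all constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Heuristic data assumed for this example (not taken from the advisory).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
URGENCY = re.compile(r"\b(within|in)\s+\d+\s+hours?\b|\bimmediately\b|\blose access\b", re.I)
MONEY = re.compile(r"\b(transfer|wire)\b.{0,40}\b(money|funds|payment)\b"
                   r"|\b(card|account)\s+(number|details)\b", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".docm", ".zip")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _domain(addr: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host'; '' if absent."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def phishing_indicators(raw: str) -> set:
    """Return the advisory's indicator labels (b-f) found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    found = set()
    # d. discrepancy in the sender address: Reply-To domain differs from From domain
    reply_to = _domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != _domain(msg.get("From", "")):
        found.add("d")
    text = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            found.add("c")          # c. suspect file attachment
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("utf-8", "replace")
    if MONEY.search(text):
        found.add("b")              # b. request for money or payment details
    if URGENCY.search(text):
        found.add("e")              # e. sense of urgency
    if any(urlparse(u).hostname in SHORTENERS for u in URL_RE.findall(text)):
        found.add("f")              # f. link-shortening service
    return found

# Constructed sample messages (not real mail) to exercise the checks.
SAMPLE = """From: "Bank Support" <alerts@example-bank.com>
Reply-To: helpdesk@mail-recover.example
Subject: Action required
Content-Type: text/plain

You will lose access to this service in 24 hours. Confirm your card number
at https://bit.ly/xyz123 to keep your account.
"""
CLEAN = "From: alice@example.org\nContent-Type: text/plain\n\nLunch tomorrow?\n"
```

The sample message trips four of the five checks (b, d, e and f); a mail gateway or SIEM rule can quarantine or tag messages above a chosen number of hits rather than relying on each recipient to notice them.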
Advisory ID: NCC-CSIRT-040423-018
Summary: In the world of messaging apps, one of the most popular and recognizable is WhatsApp. WhatsApp is 100% free-to-use, has a great mobile app, and supports audio and video calls. Whether you rely on WhatsApp for all your messaging needs or just use it from time to time, it is recommended that you set it up with two-factor authentication (2FA). With this enabled, you will need to enter a custom PIN every time you log in to WhatsApp from a new device, adding an extra layer of security to your account.
Vulnerable Platform(s): All Operating Systems
Threat Type: N/A
Product : WhatsApp
Version: All Versions
Description: Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access resources and data. 2FA gives businesses and individuals the ability to monitor and help safeguard their most vulnerable information and networks. 2FA is important because it prevents cybercriminals from stealing, destroying, or accessing your internal data records for their own use. The popularity of WhatsApp, which is a Meta-owned service, makes it a prime target for hackers and scammers who are always looking for ways to gain unauthorized access to your account. For additional security, WhatsApp provides two-factor authentication so you can further secure your account using a PIN. It is an optional feature that adds more security to your WhatsApp account, but it is recommended that everyone enables 2FA to protect themselves.
Consequences: Account Takeover
Impact/Probability: HIGH/MEDIUM
Solution :
To enable 2FA on WhatsApp, follow these steps:
1. Open WhatsApp
2. Tap Settings
3. Tap Account
4. Tap Two-Step Verification
5. Tap Enable
6. Enter the Six-Digit PIN you wish to use
7. Tap Next, then enter it a second time to confirm it.
8. Tap Next
9. Add an email address for extra security (this step is optional, but it is an extra way to retrieve your account if you forget your PIN).
10. Tap Next
How to Change Your WhatsApp PIN or Email Address
You may wish to do this regularly if you're worried that your PIN is easy to guess or someone else may have figured it out. Make sure an active email address is always used so you don't get locked out.
1. Tap Settings > Two-Step Verification.
2. Tap Change PIN or Change Email Address.
3. Enter your new PIN or email address, then tap Next.
4. Your PIN or email address is now changed.
References:
https://www.lifewire.com/how-to-use-two-step-verification-2fa-in-whatsapp-4782837
https://www.microsoft.com/en-us/security/business/security-101/what-is-two-factor-authentication-2fa
https://www.androidpolice.com/whatsapp-would-please-you-enable-2fa/
https://faq.whatsapp.com/1278661612895630
Advisory ID: NCC-CSIRT-280323-017
Summary: Fraud-prevention firm Cleafy has dubbed an Android banking Trojan named Nexus as a new botnet under the malware-as-a-service (MaaS) business model. Nexus provides all the main features to perform ATO (Account Takeover) attacks against banking portals and cryptocurrency services, such as credential stealing and SMS interception.
Vulnerable Platform(s): Android Operating Systems
Read more: Nexus Android Trojan Targeting Financial Applications
Advisory ID: NCC-CSIRT-200323-016
Summary: Hackers employ a sophisticated fake Chrome ChatGPT browser extension to compromise thousands of Facebook accounts, including high-profile business accounts. According to Jai Vijayan, a writer from DarkReading, at least 2,000 victims downloaded the malicious app from the Google Play app store. Successful exploits take advantage of the substantial level of public interest in ChatGPT to spread malware on the compromised systems.
Vulnerable Platform(s): Google Chrome Browser
- Xenomorph (Xenomorph 3rd generation) Android Banking Trojan that performs financial fraud in a seamless manner
- BlackLotus UEFI Bootkit Malware Targeted Fully Patched Windows 11 Systems
- Multiple Vulnerabilities on Google Chrome
- Apple Updates iOS as Security Firm Discloses New Class of Vulnerabilities