KEMOGE: a vicious new Android malware

This malware has been spotted spreading quickly worldwide, and it allows complete compromise and takeover of the targeted Android device. Infections have turned up in countries including the U.S., China, Singapore, Indonesia, Russia, England, and France.

Popular applications that have been repackaged with Kemoge include:

Smart Touch
Talking Tom
Light Browser
Easy Locker
Privacy Lock
Various adult applications.

On first launch, Kemoge collects device information and uploads it to its server. It then starts serving ads from the background; these appear constantly, even on the home screen. Next, Kemoge delivers a .zip payload to the device that has been encrypted multiple times and renamed so it looks like an .mp4 file. After gaining persistent root, it embeds itself further into the system under names that resemble the launcher service or other legitimate services, such as those from Facebook or Google.
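A payload that is renamed to .mp4 but is really an encrypted archive is easy to catch by looking at the bytes rather than the extension. The triage routine below is an added example, not code from the original article or from any Kemoge analysis: it sniffs the container header (a zip starts with `PK\x03\x04`; an MP4/ISO BMFF file carries `ftyp` at offset 4), measures byte entropy, and flags a file whose extension and content disagree or whose content is opaque and high-entropy. The three sample inputs are constructed for the example and are not real Kemoge artifacts; the 7.5 bits/byte threshold is an assumption a practitioner would tune.

```python
import math
from collections import Counter

# Constructed sample inputs (not real malware artifacts):
# - the start of a genuine MP4 container (box size + 'ftyp' at offset 4)
# - the start of a zip archive (local file header signature)
# - an opaque blob standing in for a multiply-encrypted payload
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 40
SAMPLE_ZIP = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 54
# 73 is coprime with 256, so this is a permutation of all byte values:
# maximal entropy (8 bits/byte), like ciphertext.
SAMPLE_ENCRYPTED = bytes((i * 73 + 17) % 256 for i in range(256))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and typical of encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_container(data: bytes) -> str:
    """Identify the container from its header, ignoring the filename."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    # ISO base media format (MP4/3GP/MOV): 4-byte box size, then 'ftyp'.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def triage(filename: str, data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Compare the extension's claim with the content and return a verdict."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = sniff_container(data)
    ent = shannon_entropy(data)
    reasons = []
    if claimed in ("mp4", "m4v", "3gp", "mov") and detected != "mp4":
        reasons.append(f"extension claims {claimed} but content is {detected}")
    if detected == "unknown" and ent >= entropy_threshold:
        reasons.append(
            f"opaque high-entropy content ({ent:.2f} bits/byte), possibly encrypted"
        )
    return {
        "claimed": claimed,
        "detected": detected,
        "entropy": ent,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, blob in (
        ("clip.mp4", SAMPLE_MP4),
        ("clip.mp4", SAMPLE_ZIP),
        ("clip.mp4", SAMPLE_ENCRYPTED),
    ):
        r = triage(name, blob)
        print(name, r["verdict"], r["reasons"])
```

Run over files pulled from a suspect app's cache or assets directory, the check separates genuine media from a disguised archive in one pass; an encrypted payload will not match any known header, which is exactly why the entropy measure is paired with the header check rather than used alone.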

To avoid malware:

  • Never click on suspicious links from emails/SMS/websites/advertisements.
  • Don’t install apps outside the official app store.
  • Keep Android devices updated to avoid being rooted through publicly known bugs. (Upgrading to the latest OS version provides some protection, but it does not guarantee that you will remain protected.)

YISPECTER: new iOS malware

Recently discovered malware evades Apple's App Store security net and infects iPhones and iPads, jailbroken or not, displaying full-page ads in Safari and forcing the download of a defunct media player.

Called YiSpecter, the malware can reach an iOS device through a variety of channels and, once installed, poses as a genuine Apple-signed app. It can then hide from the user by disguising itself as a real iOS app or by removing its icon from the home screen, leaving the user no obvious way to delete it.

On infected iOS devices, YiSpecter can download, install, and launch arbitrary iOS apps; replace existing apps with those it downloads; hijack other apps' execution to display advertisements; change Safari's default search engine, bookmarks, and open pages; and upload device information to its command-and-control (C2) server.

There are many ways YiSpecter gets onto a phone, including hijacking traffic from nationwide ISPs, a Windows worm, offline app installations, and community promotions. The app abuses Apple's enterprise certificates, which are used to sign its four components, to make the operating system treat it as a legitimately signed app.
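Enterprise-signed apps are distributed outside the App Store, and their embedded provisioning profile shows it: an in-house (enterprise) profile carries `ProvisionsAllDevices` set to true, an ad-hoc or development profile lists specific `ProvisionedDevices`, and an App Store profile has neither. The check below is an added example, not code from the original article or from any YiSpecter analysis. It pulls the XML plist out of an `embedded.mobileprovision` blob and classifies it. The two sample profiles are constructed for the example, and the bytes surrounding the plist are stand-in padding rather than a real CMS signature; the regex extraction is a heuristic that assumes the plist appears as XML inside the signed blob, which is how these files are normally laid out.

```python
import plistlib
import re

# Constructed sample (not a real profile): the plist an enterprise in-house
# provisioning profile carries, with stand-in padding around it where the
# real file has a DER/CMS signature wrapper.
ENTERPRISE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Example Player</string>
  <key>TeamName</key><string>Example Corp</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.player</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>"""
SAMPLE_ENTERPRISE_MOBILEPROVISION = b"\x30\x82\x0c\x00" + b"\x00" * 16 + ENTERPRISE_PLIST + b"\x00" * 16

# Constructed ad-hoc profile: a fixed device list instead of ProvisionsAllDevices.
ADHOC_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Example Beta</string>
  <key>TeamName</key><string>Example Corp</string>
  <key>ProvisionedDevices</key>
  <array><string>00008030-000000000000000E</string></array>
  <key>Entitlements</key>
  <dict><key>get-task-allow</key><true/></dict>
</dict>
</plist>"""
SAMPLE_ADHOC_MOBILEPROVISION = b"\x30\x82\x0a\x00" + b"\x00" * 8 + ADHOC_PLIST + b"\x00" * 8


def extract_plist(blob: bytes) -> dict:
    """Locate the XML plist inside a signed .mobileprovision blob and parse it."""
    m = re.search(rb"<\?xml.*?</plist>", blob, re.S)
    if not m:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(m.group(0))


def classify_profile(blob: bytes) -> str:
    """Return 'enterprise', 'ad-hoc/development', or 'app-store'."""
    profile = extract_plist(blob)
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        return "ad-hoc/development"
    return "app-store"


def profile_report(blob: bytes) -> dict:
    """Summarise the fields an analyst wants when an app was not App Store installed."""
    profile = extract_plist(blob)
    ents = profile.get("Entitlements", {})
    return {
        "kind": classify_profile(blob),
        "team": profile.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        "debuggable": bool(ents.get("get-task-allow", False)),
    }


if __name__ == "__main__":
    print(profile_report(SAMPLE_ENTERPRISE_MOBILEPROVISION))
    print(profile_report(SAMPLE_ADHOC_MOBILEPROVISION))
```

On macOS the same plist can be dumped from a real file with `security cms -D -i embedded.mobileprovision`. An "enterprise" result on a consumer device that is not managed by that team is the signal to investigate: it means the app was installed by trusting a developer profile, which is the path YiSpecter relies on.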

The malware app, and any additional apps it has installed, can be removed manually, but you may need a third-party program that gives you access to the phone's file system. The steps are:

1. In iOS, go to Settings -> General -> Profiles and remove all unknown or untrusted profiles.
2. If any installed apps are named "情涩播放器", "快播私密版" or "快播0", delete them.
3. Use a third-party iOS management tool (e.g., iFunBox; Apple's iTunes does not work for this step) on Windows or Mac OS X to connect to your iPhone or iPad.
4. In the management tool, review all installed iOS apps; if any are named Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (This step does not affect the genuine system apps; it only removes the fake copies planted by the malware.)

UPDATE: Apple says this issue has been fixed starting with iOS 8.4, so stay updated, download only from trusted sources such as the App Store, and pay attention to any warnings shown when installing apps.