A newly discovered Android malware: Xbot


Xbot tries to steal victims’ banking credentials and credit card information via phishing pages crafted to mimic Google Play’s payment interface as well as the login pages of seven different banks’ apps. It can also remotely lock infected Android devices, encrypt the user’s files in external storage (e.g., the SD card) and then demand a US$100 PayPal cash card as ransom. In addition, Xbot steals all SMS messages and contact information, intercepts certain SMS messages, and parses SMS messages for mTANs (mobile transaction authentication numbers) sent by banks.

Besides stealing credentials for banking portals, Xbot devotes a lot of effort to harvesting the user’s credit card details via a phishing page made to look like the Google Play payment page.

Locky Ransomware

Victims receive an email with an attachment disguised as an invoice. The attachment is a rigged Word document: if Office macros are enabled in Word, the malware installation begins as soon as the document is opened. If macros are disabled, the victim instead sees blocks of garbled text beneath the instruction “Enable macro if the data encoding is incorrect”, and the system is infected only if the user follows that instruction. Once the macro runs, it downloads an executable, runs it and begins encrypting the user’s files.

Like most strains of ransomware, text files left behind by the attackers warn victims their files have been encrypted and that to retrieve them they’ll need to download Tor, visit a special site, and pay a certain amount of Bitcoin.

“When Locky encrypts a file it will rename the file to the format [unique_id][identifier].locky.” It leaves a ransom note text file called “_Locky_recover_instructions.txt” in each directory it has encrypted, pointing to servers on the Tor anonymizing network (reachable both via Tor directly and through Internet relays) where the victim can make payment, and changes the Windows desktop wallpaper to a graphic version of the same message. It also stores some of its data in the Windows Registry under HKCU\Software\Locky.
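As an added example (not code from the original article or from any vendor tool), the following Python script sweeps a directory tree for the file-system indicators just described: the renamed .locky files, the _Locky_recover_instructions.txt note dropped in each encrypted directory and, on Windows, the HKCU\Software\Locky registry key. Two details are assumptions not stated on the page: the renamed files are treated as 32 hexadecimal characters before the .locky extension, and the sample directory it builds is constructed fake data, not a real infection.

```python
"""Sweep a directory tree for the Locky artifacts described above.

Added example, not code from the original article or from any vendor tool.
Assumptions not stated on the page: the renamed files consist of 32 hexadecimal
characters (unique ID plus identifier) before ".locky", and the ransom note is
named exactly "_Locky_recover_instructions.txt".
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicators taken from the description above.
LOCKY_FILE_RE = re.compile(r"^[0-9A-Fa-f]{32}\.locky$")   # 32 hex chars is an assumption
RANSOM_NOTE = "_Locky_recover_instructions.txt"
LOCKY_REGISTRY_SUBKEY = r"Software\Locky"                 # under HKCU


@dataclass
class LockyScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def scan_for_locky(root: str) -> LockyScanResult:
    """Walk `root` and collect paths matching the Locky file-system indicators."""
    result = LockyScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if LOCKY_FILE_RE.match(name):
                result.encrypted_files.append(path)
            elif name == RANSOM_NOTE:
                result.ransom_notes.append(path)
    result.encrypted_files.sort()
    result.ransom_notes.sort()
    return result


def locky_registry_key_present() -> bool:
    """Check for HKCU\\Software\\Locky. Only meaningful on Windows; elsewhere False."""
    try:
        import winreg
    except ImportError:
        return False
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, LOCKY_REGISTRY_SUBKEY):
            return True
    except OSError:
        return False


def build_sample_tree(infected: bool = True) -> str:
    """Create a constructed sample tree in a temp dir (fake data, not a real infection)."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    clean = ["report.docx", "notes.locky"]  # 'notes.locky' lacks the hex ID and must not match
    hits = [
        "0123456789ABCDEF0123456789ABCDEF.locky",
        "00000000000000001111111111111111.locky",
        RANSOM_NOTE,
    ]
    for name in clean + (hits if infected else []):
        with open(os.path.join(docs, name), "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    res = scan_for_locky(demo_root)
    print(f"infected: {res.infected}")
    for p in res.encrypted_files:
        print("encrypted file:", p)
    for p in res.ransom_notes:
        print("ransom note:   ", p)
    print("HKCU\\Software\\Locky present:", locky_registry_key_present())
```

Run with no arguments to build and scan the constructed sample tree; during triage, point scan_for_locky at a real mount point instead. A hit on the renamed files is the stronger signal: the note is dropped per directory and may already have been deleted by the victim, and the registry check only tells you something on the infected Windows host itself.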

Android malware that can ‘wipe phones’ via SMS

A Danish security company has detected an attempt to spread a powerful form of Android malware via text messages.

The malware, dubbed Mazar Android BOT, spreads via SMS and MMS messages. Crafted with a malicious link, the message reads:

“You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.***mms.apk to view the message.” This message links to an Android application package (APK). The user is then prompted to download the package, which is given a generic name — “MMS Messaging” — to make the potential victim more likely to trust the download.

If installed, the malicious code obtains device administrator rights on the Android device, giving attackers the option to send premium-rate messages without consent, hijack browser sessions, root the device, monitor phone calls and text messages and retrieve device data.

In addition, but perhaps most crucially, Mazar can also completely erase the infected device and all information stored within, make calls or read texts, as well as read authentication codes sent to the device as part of two-factor authentication systems used by online banking and social media accounts.

However, it will not install on phones where the language is set to Russian.

Are YOUR Skype chats being watched?

T9000 is a backdoor that lets the attacker capture encrypted data, take screenshots of specific applications and specifically target Skype users. The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to evade those that are installed. It uses a multi-stage installation process with checks at each stage to detect whether it is being analysed by a security researcher.

The researchers also warned that it is sophisticated enough to hide from even the most popular anti-virus software, making it extremely difficult to detect.

It stores the critical files dropped by the Trojan in a directory named “Intel”. T9000 is pre-configured to automatically capture data about the infected system and to steal files of specific types stored on removable media.

Once those checks pass, T9000 installs itself, collects information stored on the infected system and sends it to the attacker’s server.

The malware is said to have spread originally via spear phishing emails sent to organisations in the US. Spear phishing is an e-mail spoofing fraud attempt that targets a specific group or organisation. The intent is to steal intellectual property, financial data, trade or military secrets and other personal information. However, researchers believe this new backdoor malware is so sophisticated it can adapt to be used against any victim that a cybercriminal wishes to hack.