Who viewed me on Instagram

Recently, a malicious application called “InstaCare – Who cares with me” was released via Google Play Store and App Store. This application serves as a hook to lure Instagram users, pretending to let them know who has viewed their profile; but in reality it abuses the authentication process to connect to Instagram. It steals your instagram password and gains access to your profile.

This app displays your friend list in order, who cares your profile most with your profile interaction. This app can show you up to most recent 100 list for your Instagram profile.


It’s common for many applications to use API’s or authorization protocols such as OAuth to authenticate with third-party applications. This is very convenient for users as they can use the same credentials to authenticate with different applications and services. The problem here is that this feature can be used maliciously for some applications to gain access to the user’s information, such as their profile and contacts, or to steal their credentials.

Last week the InstaAgent developer “Turker Bayram” released a new app for the Android and iOS AppStore, after his (malicious) app “InstaAgent” was pulled by Apple&Google from their AppStores. It was astonishing that Apple and Google didn’t have a closer look at his new application. One should assume a developer who already published a malicious app, should be watched more closely. His new app is called “Who Viewed Me on Instagram” (Android Version 50K – 100K downloads), and “InstaCare – Who cares with me?” (iOS Version top grossing app in Germany Category: Entertainment). The app promises the same functionality as InstaAgent .

iPhones can get infected even if they are not jail broken

A brand new malware strain is just discovered, a sneaky attacks that has fooled not only Apple’s app review team into allowing malware apps into the App Store, but that can also quietly install apps on any iOS device without the user’s explicit knowledge or permission. A jailbreak status is not even needed for the attack to work.

AceDeceiver is the first iOS malware we’ve seen that abuses certain design flaws in Apple’s DRM protection mechanism — namely FairPlay — to install malicious apps on iOS devices regardless of whether they are jailbroken. The attack requires a PC to deploy the software. Called AceDeceiver, the malware is currently affecting users in China. Three AceDeceiver apps disguised as wallpaper tools made their way onto the App Store between July 2015 and February 2016.

This is not the first iOS malware that we have seen in the recent times. Researchers found a strain of malware called YiSpecter that targeted jailbroken as well as non-jailbroken devices in Taiwan and China. The app, however, leveraged private APIs that are signed with enterprise certificates to look authentic.

As for AceDeceiver, only users in China seem to be affected for now. However, it adds, that with slight tweaks, users in other regions can also be targeted. Apple normally prides itself on iOS’ security, but has still had to periodically remove App Store titles because of dangerous code.

Chinese App creates another App Store inside Apple’s iOS App Store

An iOS app that provided access to pirated apps successfully got through Apple’s strict approval process. The Chinese developers of an app called Happy Daily English have found a way to go around Apple’s review process and embed a fully functional iOS app store inside their application and had it hosted on the official iOS App Store itself.

For non-Chinese users, the app would be a simple educational app that taught Chinese users English, but for Chinese users, the app would transform itself into an app store that allowed them to install rogue, pirated or cracked apps using various tricks, without requiring users to go through the side-loading process.

The app got approved and added to Apple’s website when the iOS App Store reviewers accessed the app, from somewhere outside China, and didn’t notice anything strange, seeing its educational interface. On top of this, ZergHelper was coded in Lua, a programming language that allowed the developers to dynamically update the app, but without going through Apple’s app review process. This technique allowed the developers to change the app’s behavior without the risk of being discovered during subsequent updates.

The malicious store-in-store app existed on the official App Store from October 30, 2015, to February 19, 2016. Apple removed the app after it was reported by its discoverer.

Triada Trojan Exists in memory and uses Zygote process to Hook all Applications on Android

Dubbed Triada (Backdoor.AndroidOS.Triada), this malware family was mainly designed to redirect financial SMS transactions to buy additional content or steal money from the user. The Triada Trojan is able to infiltrate all process running on the mobile devices gaining persistence. The Android malware is spread through an “advertising botnet” that was used by crooks to spread also other threats, including Leech, Ztorg, and Gorpo and AndroidOS.Iop.

The Triada trojan was clearly developed by cybercriminals who have a clear understanding of how Android functions at a core level and a tremendous amount of research and work went into developing this malware.

It also marks the first time that malware developed for Android has the same complexity as malware written for Windows. Before now most of the threats encountered on mobile devices were not nearly as well developed and were very primitive in nature.
Users are more at risk of being affected by Triada if they download and install apps from unknown sources as opposed to from the Google Play Store.

New OS X Ransomware ‘KeRanger’ encrypts Mac files

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft’s Windows operating system.

KeRanger is the name given to what is believed to be the “first fully functional” ransomware on the OS X platform. When incorporated into an app, the malware connects to a remote server via the Tor anonymizing service, then “begins encrypting certain types of document and data files on the system.”

The malware then “demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.” Researchers say the malicious code is “under active development” and seems to be trying to also encrypt users’ Time Machine backups to also prevent them from being able to recover their backed up data.

Transmission BitTorrent client installer for OS X was infected with ransomware, who directly installed Transmission between March 4th and March 5th may be infected with the KeRanger malware. Apple has already revoked the certificate, anyone attempting to open a known-infected version of the Transmission app will now be given a warning dialog box that notes “Transmission.app will damage your computer. You should move it to the Trash,” or “Transmission can’t be opened. You should eject the disk image.”

A newly discovered Android malware xbot

xbot android malware

It tries to steal victims’ banking credentials and credit card information via phishing pages crafted to mimic Google Play’s payment interface as well as the login pages of 7 different banks’ apps. It can also remotely lock infected Android devices, encrypt the user’s files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom. In addition, Xbot will steal all SMS messages and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.

Besides stealing credentials for banking portals, Xbot also pays a lot of attention to getting the user’s credit card details via a phishing page made to look like the Google Play payment page.

Locky Ransomware

Users/Victims receive an email with an attachment disguised as an invoice. Once the user opens the document, a rigged Word file, if Office macros are turned on in Word, then the malware installation begins. If not, the victim sees blocks of garbled text in the Word document below the text, “Enable macro if the data encoding is incorrect”—and then infects the system if the user follows that instruction. After doing so the malware downloads an executable, executes and begins encrypting users’ files.

Like most strains of ransomware, text files left behind by the attackers warn victims their files have been encrypted and that to retrieve them they’ll need to download Tor, visit a special site, and pay a certain amount of Bitcoin.

“When Locky encrypts a file it will rename the file to the format [unique_id][identifier].locky,” It leaves a ransom note text file called “_Locky_recover_instructions.txt” in each directory that’s been encrypted, pointing to servers on the Tor anonymizing network (both via Tor directly and through Internet relays) where the victim can make payment, and changes the Windows background image to a graphic version of the same message. It also stores some of the data in the Windows Registry file under HKCUSoftwareLocky.

Android malware that can ‘wipe phones’ via SMS

A Danish security company has detected an attempt to spread a powerful form of Android malware via text messages.

The malware, dubbed Mazar Android BOT, spreads via SMS and MMS messages. Crafted with a malicious link, the message reads:

“You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.***mms.apk to view the message.” This message links to an Android application package (APK). The user is then prompted to download the package, which is given a generic name — “MMS Messaging” — to make the potential victim more likely to trust the download.

If installed, the malicious code hidden within grants itself administrator rights on an Android device, giving attackers the option to send premium messages without consent, hijack browser sessions, root the device, monitor phone and text messages and retrieve device data.

In addition, but perhaps most crucially, Mazar can also completely erase the infected device and all information stored within, make calls or read texts, as well as read authentication codes sent to the device as part of two-factor authentication systems used by online banking and social media accounts.

However, it will not install on phones where the language is set to Russian.

Are YOUR Skype chats being watched?

The researchers also warned it is so sophisticated, it can hide from even the most popular anti-virus software, making it extremely difficult to detect.

T9000 allows the attacker to capture encrypted data, take screenshots of specific applications and specifically target Skype users. The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed. It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher.

It stores critical files dropped by the Trojan in a directory named “Intel.” T9000 is pre-configured to automatically capture data about the infected system and steal files of specific types stored on removable media.

The Trojan is said to involve what’s known as a multi-stage installation process and checks at each point for any installed anti-virus programs. After checking everything, T9000 installs itself and then collects information stored on the infected system, sending it to the hacker’s server.

The malware is said to have spread originally via spear phishing emails sent to organisations in the US. Spear phishing is an e-mail spoofing fraud attempt that targets a specific group or organisation. The intent is to steal intellectual property, financial data, trade or military secrets and other personal information. However, researchers believe this new backdoor malware is so sophisticated it can adapt to be used against any victim that a cybercriminal wishes to hack.

Ransomware Racket Demanding Bitcoin from India cos.

Earlier this month, the ransomware infected three Indian banks and a pharmaceutical company, demanding one bitcoin per compromised computer and reportedly causing millions of dollars in damage.
LeChiffre is not your typical ransomware and works only if launched into execution manually. The hacker managed to infiltrate the networks of all companies, and then escalated his access to other computers via unprotected Remote Desktop ports.

Once he gained access to a computer, the hacker would download the ransomware from his server and then double-click it to start the encryption process.

LeChiffre’s encryption operates by encrypting the first and last 8192 bytes of each file and then appending the encryption key to the file as a 32-byte blob. The encryption is AES. This ransomware is written in Delphi, and that its interface is in Russian.

“LeChiffre looks very unprofessional , practically, no countermeasures against analysis has been taken, but still it has managed to damage.

Here is LeChiffre message after files are infected: