New iOS malware

Recently discovered malware evades Apple’s App Store security net and infects iPhones and iPads, jailbroken or not, displaying full-page ads in Safari and forcing the user to download a defunct media player.

Called YiSpecter, the malware can infiltrate an iOS device by a variety of means and, once installed, poses as a genuine Apple-signed app. It can then make itself invisible to the user, either by disguising itself as a real iOS app or by hiding itself from the home screen – which leaves the user with no way to delete it.

On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 [command and control] server.

YiSpecter is installed on phones in many ways, including hijacking traffic from nationwide ISPs, a Windows worm, offline app installations and community promotions. It abuses Apple enterprise certificates, with which its four app components are signed, to fool the operating system into treating it as a genuine app.

The malware app, and any additional apps it may have installed, can be removed, but you may need third-party tools that give access to the phone’s file system. The steps are below:

1. In iOS, go to Settings -> General -> Profiles and remove all unknown or untrusted profiles;
2. If there are any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
3. Use any third-party iOS management tool (e.g. iFunBox; note that Apple’s iTunes does not work for this step) on Windows or Mac OS X to connect to your iPhone or iPad;
4. In the management tool, check all installed iOS apps; if any apps have names like Phone, Weather, Game Center, Passbook, Notes or Cydia, delete them. (This step does not affect the original system apps; it only deletes the fake copies created by the malware.)

UPDATE: Apple has stated that this issue is fixed as of iOS 8.4, so keep your device updated, only download from trusted sources such as the App Store, and pay attention to any warnings shown while installing apps.

ATM malware in Mexico

GreenDispenser Malware allows an attacker to walk up to an infected ATM and, with a series of pinpad entries, direct the machine to dispense all of its cash.

Once this has been accomplished, the attacker initiates a “deep delete” of GreenDispenser, leaving virtually no trace of the malware.

You probably know that the internal computers of ATMs are kept under lock and key, but you may not know that many of those locks can be opened by a single master key. Hackers in Mexico apparently have copies of that key and are programming the computers to steal your money.

Once installed on an ATM, GreenDispenser displays a fake error message that reads: “We regret this ATM is temporary out of service.”

Only the hacker can bypass this error, and the malware unusually requires two-factor authentication. The hacker must first enter a pin code that has been hard-coded into the malware, and then use a smartphone to scan a QR code that appears on the ATM screen.

Apple App Store Malware Outbreak

Apple is moving to contain an outbreak of malware-infected apps that may have been downloaded by hundreds of millions of iOS App Store users.

Apple on Sept. 20 confirmed that it had deleted malicious iPhone, iPad and iPod Touch software after multiple information security firms warned that “XcodeGhost” malware had been found embedded in otherwise legitimate apps, many of which were aimed at Chinese-language speakers.

The malicious apps included Tencent’s WeChat app, which has an estimated 600 million users, although not all of them use the iOS client. Other infected Chinese-language apps included China’s most popular car-hailing app, Didi Kuaidi; a streaming-music app from Internet portal NetEase; the Railway 12306 app, which is the country’s only official app for purchasing train tickets; and a mobile banking app from China CITIC Bank.

The infected iOS apps include instant messengers, banking apps, mobile carrier apps, maps, stock trading apps, social networking apps and games.

Ghost Push Android Malware

“Ghost Push” is essentially an Android malware APK that installs unwanted apps onto your Android device; these consume resources and generally run amok on your phone or tablet. Distributed through non-Google app stores and infecting more than 600,000 new users each day, it cannot easily be removed, even by a factory reset.

The antivirus vendor that reported the malware said the new virus is contaminating smartphones at a faster pace, and estimated that it is infecting more than 600,000 users each day.

Banking Trojan Escelar Infects Thousands In Brazil and the US

Attackers deliver the Trojan using generic Portuguese language phishing emails and are currently targeting seven Brazilian banks. Once delivered, Escelar has multiple installation stages where malware is downloaded using direct connections to multiple Microsoft SQL servers. These SQL servers are also used for command and control (C2) functionality.

Escelar is designed to steal online banking authentication credentials and further compromise victims’ accounts. Worse, Escelar can manipulate the victim’s banking web session and execute fraudulent transactions. Escelar also forces the user to connect to the Internet via Internet Explorer (IE): if the victim attempts to use another browser (e.g. Google Chrome) to access online banking, Escelar generates a false error that pushes the victim back to IE.

The most recently discovered Microsoft SQL server used as Escelar infrastructure contained records of 1660 infections, all of which connected within a two-day time frame.

Escelar is distributed almost exclusively through phishing emails. Organizations should monitor their networks for unexpected outbound Microsoft SQL traffic (App-ID mssql), which may indicate an Escelar infection.
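The monitoring advice above can be turned into a simple detection: flag any flow that leaves an internal host for an external address on the Microsoft SQL port (1433, the default TDS listener) or that the firewall labels as the mssql application. The following is an added example written for this page, not code from the page or from any vendor; it assumes a generic "key=value" flow export with src/dst/dport/app fields (the sample records are constructed) and RFC 1918 ranges as the internal address space.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample flow records for this example (not taken from the page).
# Fields mimic a generic "key=value" firewall/flow export; "app" stands in for
# a Palo Alto-style App-ID label such as "mssql".
SAMPLE_FLOWS = """\
2015-09-21T10:01:02 src=10.0.4.17 dst=10.0.1.5 dport=1433 app=mssql
2015-09-21T10:02:11 src=10.0.4.17 dst=203.0.113.45 dport=1433 app=mssql
2015-09-21T10:02:40 src=10.0.4.22 dst=198.51.100.9 dport=443 app=ssl
2015-09-21T10:03:15 src=10.0.4.31 dst=203.0.113.45 dport=1433 app=mssql
2015-09-21T10:04:00 src=10.0.4.17 dst=203.0.113.45 dport=1433 app=mssql
2015-09-21T10:04:30 src=10.0.4.40 dst=10.0.1.5 dport=1433 app=mssql
"""

# Assumed internal address space (RFC 1918); adjust to your own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MSSQL_PORT = 1433  # default TDS listener port for Microsoft SQL Server

_KV = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Turn one 'timestamp key=value ...' record into a dict (None if malformed)."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    rec = dict(_KV.findall(parts[1]))
    if not all(k in rec for k in ("src", "dst", "dport")):
        return None
    rec["ts"] = parts[0]
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_mssql(text):
    """Flag flows from an internal host to an external MSSQL endpoint.

    A flow is suspicious when the source is internal, the destination is not,
    and either the destination port is 1433 or the App-ID label is 'mssql'.
    Internal-to-internal SQL traffic (normal database use) is ignored.
    """
    hits = []
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        looks_mssql = rec["dport"] == MSSQL_PORT or rec.get("app") == "mssql"
        if looks_mssql and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged flows per (source, destination) pair for triage."""
    return Counter((h["src"], h["dst"]) for h in hits)


if __name__ == "__main__":
    flagged = find_suspicious_mssql(SAMPLE_FLOWS)
    for (src, dst), n in summarize(flagged).most_common():
        print(f"{src} -> {dst}: {n} outbound MSSQL flow(s)")
```

On the constructed sample this flags three flows from two workstations to the same external server; the two internal-to-internal SQL connections are left alone. In practice the internal ranges and the external allow-list (hosted database providers, for instance) need to be tuned, and a repeated pairing of one workstation with one external SQL server is the pattern worth escalating.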

Encryptor RaaS (Ransomware as a Service)

A new Ransomware-as-a-Service (RaaS) offering called “Encryptor RaaS” has been advertised. The service is advertised on an onion-based domain, reachable via a Tor2Web service.

The seller explicitly calls its website “Ransomware as a Service”, a term from the AV industry, and the advertised business model closely resembles the recently discovered “Tox” RaaS. The seller earns a 20% commission per infected user who opts to pay the ransom. All transactions are made in Bitcoin: affiliates or “customers” of this RaaS sign up with their Bitcoin address, and victims need Bitcoin to recover their files. Below is a screenshot of the advertisement. The ransomware encrypts all user files (not system files) and then displays a demand for 99 USD in exchange for the decryption key.

It is always a good idea to back up your files regularly so that a ransomware infection does not mean losing them. Max Total Security now offers a data backup tool that can be scheduled to back up the data on your hard drive for recovery in such cases of data loss.

24 Chinese Android Smartphone Models Come with Pre-Installed Malware

Security firm G Data has uncovered more than two dozen Android smartphones from popular manufacturers — including Xiaomi, Huawei and Lenovo — that have spyware pre-installed in the firmware.

The report concerns devices purchased primarily through third-party websites rather than official stores. On many international sites such as AliExpress, Tinydeal, Gearbest and Geekbuying, middlemen in the supply chain may be able to install malware without the knowledge of any of the parties involved.

The pre-installed spyware, disguised as popular Android apps such as Facebook and Google Drive, cannot be removed without unlocking the phone, since it resides inside the phone’s firmware.
The spyware is capable of doing the following actions:

Listening in to telephone conversations
Accessing the Internet
Viewing and copying contacts
Installing unwanted apps
Asking for location data
Taking and copying images
Recording conversations using the microphone
Sending and reading SMS/MMS
Disabling Anti-Virus software
Listening in to chats via messaging services (Skype, Viber, WhatsApp, Facebook and Google+)
Reading the browser history

The affected smartphone brands include Xiaomi, Huawei, Lenovo, Alps, ConCorde, DJC, Sesonn and Xido. Most of the suspected models are sold in Asia and Europe.

WhatsApp bug could affect millions of users

The flaw allows hackers to distribute malware, including ransomware, which demands victims pay a fee to regain access to their files. All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code.

It was possible to change the file extension of a vCard to .bat, making it a batch executable script. WhatsApp would think the user was simply receiving a vCard, but the file was actually executable code.

Discovered last month, the flaw, which affected the messaging service’s web app, allowed hackers to distribute ransomware, which demands that victims pay a fee to regain access to their files. WhatsApp quickly fixed the flaw.
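The root cause described above is trusting the sender’s claim that an attachment is a contact card. The defensive check is to validate both the file name and the content on the receiving side, so that a .bat file (or a script smuggled under a .vcf name) never reaches the user as a “contact”. The following validator is an added example written for this page, not WhatsApp’s code or a description of its fix; the sample attachments are constructed, and the property-line grammar is a deliberately strict subset of what vCard permits.

```python
import re
from pathlib import PurePosixPath

# Extensions Windows treats as directly executable; a contact card should never
# arrive under one of these names (list assumed for this example).
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1"}
ALLOWED_EXTS = {".vcf"}

# A vCard content line is "NAME[;PARAMS]:VALUE", optionally prefixed by a
# group ("item1.EMAIL:..."); folded continuation lines start with whitespace.
_PROPERTY = re.compile(r"^(?:[A-Za-z0-9-]+\.)?[A-Za-z0-9-]+(?:;[^:]*)?:")


def validate_vcard_attachment(filename, data):
    """Return (accepted, reason) for an attachment claimed to be a vCard.

    The name check uses only the last suffix, so "card.vcf.bat" is rejected
    as .bat; the content check then requires a real vCard envelope and
    property syntax on every line, so script text in a .vcf is rejected too.
    """
    ext = PurePosixPath(filename).suffix.lower()
    if ext in EXECUTABLE_EXTS:
        return False, f"executable extension {ext}"
    if ext not in ALLOWED_EXTS:
        return False, f"unexpected extension {ext or '(none)'}"
    if b"\x00" in data:
        return False, "binary content"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8"
    lines = [ln.rstrip("\r") for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        return False, "missing BEGIN:VCARD/END:VCARD envelope"
    if not any(ln.upper().startswith("VERSION:") for ln in lines):
        return False, "missing VERSION property"
    for ln in lines[1:-1]:
        if ln[0] in " \t":  # folded continuation of the previous property
            continue
        if not _PROPERTY.match(ln):
            return False, f"non-vCard line: {ln[:40]!r}"
    return True, "ok"


# Constructed sample attachments for this example.
GOOD_VCARD = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;Jane;;;\r\nFN:Jane Doe\r\n"
    "item1.EMAIL;TYPE=INTERNET:jane@example.com\r\nEND:VCARD\r\n"
).encode()
# A batch script sent as a "contact": the file name alone disqualifies it.
BAT_RENAMED = b"@echo off\r\necho hello\r\n"
# Script text wrapped in a vCard envelope and sent under a .vcf name.
SMUGGLED_VCF = b"BEGIN:VCARD\r\nVERSION:3.0\r\n@echo off\r\ndir\r\nEND:VCARD\r\n"

if __name__ == "__main__":
    for name, blob in [("jane.vcf", GOOD_VCARD), ("jane.bat", BAT_RENAMED),
                       ("jane.vcf.bat", GOOD_VCARD), ("jane.vcf", SMUGGLED_VCF)]:
        print(name, validate_vcard_attachment(name, blob))
```

Two design points: the extension check alone is not enough, because the client could still be handed a text file of commands that a later “open with” step executes, which is why the content is parsed as well; and the content check alone is not enough either, because the operating system decides how to open a file by its name, not by what is inside it. Rejecting on either signal closes both paths.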

Making your smartphone safer

Smartphones these days can do everything a personal computer can do. As the number of available apps increases, so do the security risks. We are not only playing games on smartphones but also doing bank transactions and keeping all of our personal data, such as photos, contacts, emails, SMS and notes, on the phone.
1. Keep your phone locked, so that if you lose it, little is lost beyond the cost of the device itself.
2. Monitor and check every app you install using a tool such as maxprivacymanager on Google Play. This fantastic app will tell you about the privacy risks posed on your device by installed apps.
3. Switch off Bluetooth to avoid unnecessary access.
4. Use a reputable antivirus product such as Max Total Security to keep malware off your device.
5. Do not jailbreak your device, as this exposes it to even more threats.
6. Use a secure password manager to protect data on the phone, so you do not need to fill in forms every time.

Malware steals 225,000 Apple accounts

KeyRaider distributed through Chinese Cydia repositories.

A large number of Apple accounts on jailbroken iOS devices appear to have been compromised by new malware dubbed KeyRaider.

KeyRaider is distributed through third-party Cydia repositories, primarily in China. It hooks system processes through MobileSubstrate and steals Apple account usernames, passwords and device GUIDs by intercepting iTunes traffic. It also steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The stolen data is uploaded to a command and control server and used by two jailbreak tweaks (iappstore and iappinbuy) to facilitate free App Store purchases.

Apart from the valid Apple accounts, KeyRaider is said to have grabbed thousands of digital certificates, private encryption keys and software purchase receipts and uploaded them to command and control servers in China.