Android adware disguised as game, TV, remote control Apps infects 9 million Google Play users

85 apps in Google Play that collectively have been installed nine million times by users all over the world came with an adware strain capable of showing full screen adverts at regular intervals or when the user unlocks the device.

None of the apps had real functionality and their true purpose was to make money for their developer by dropping a deluge of advertisements on the devices that installed them. The fake apps were disguised as games (car simulators), apps for streaming television channels from various countries (Brazil, Canada, South Africa, Spain), or posed as remote controllers for TV sets.

Google has now removed 85 such Apps. While the apps were uploaded on the Play Store from different developer accounts and were signed by different digital certificates, they exhibited similar behaviors and shared the same code, the most popular of the fraudulent apps was Easy Universal TV Remote, last updated on November 12, 2018. It is unclear how long it survived in Google Play, but it accumulated over five million installations.

Use Max Total Security to remove viruses and adware from all of your Android devices.

Shamoon Disk Wiper Malware returns

The Shamoon or Disttrack worm is a wiper. It is known to overwrite files stored in the affected system and infects its master boot record (MBR). Its first iteration overwrites documents, pictures, videos, and music files, wipes the MBR, and replaces it with an image of a burning flag.

It can overwrite the infected system’s disk with random data or could take the following names (dropped and executed in the system folder as %System%\{wiper name}):

_tdibth.exe
_wialx002.exe
acpipmi2z.exe
af0038bdax.exe
arcx6u0.exe
averfix2h826d_noaverir.exe
hidirkbdmvs2.exe
mdamx_5560.exe
mdmgcs_8.exe
mdmusrk1g5.exe
megasasop.exe
netbxndxlg2.exe
prncaz90x.exe
prngt6_4.exe
prnlx00ctl.exe
prnsv0_56.exe
tsprint_ibv.exe
vsmxraid.exe
wiacnt7001.exe

Shamoon spreads by dropping copies of itself in the system’s administrative shares. The Shamoon worm propagates in these shared network/administrative folders: ADMIN$, C$\WINDOWS, D$\WINDOWS, and E$\WINDOWS.

Users should enforce Patch and update the system to prevent vulnerabilities from being exploited. Regularly back up important data to mitigate damage. Employ multilayered security mechanisms such as application control, firewall and intrusion prevention and detection systems. We receommend using Max Total Security which provides all of these features.

Rotexy Android Trojan Banker and Ransomware

In a three-month period from August to October 2018, it launched over 70,000 attacks against users located primarily in Russia. An interesting feature of this family of banking Trojans is the simultaneous use of three command sources:

Google Cloud Messaging (GCM) service – used to send small messages in JSON format to a mobile device via Google servers;
malicious C&C server;
incoming SMS messages.

It spreads under the name AvitoPay.apk (or similar) and downloads from websites with names like youla9d6h.tk, prodam8n9.tk, prodamfkz.ml, avitoe0ys.tk, etc. These website names are generated according to a clear algorithm: the first few letters are suggestive of popular classified ad services, followed by a random string of characters, followed by a two-letter top-level domain.

After infection, the Trojan displays a fake HTML update page (update.html) that blocks the device’s screen for a long period of time.
The Trojan displays the extortion page (extortionist.html) that blocks the device and demands a ransom for unblocking it. The sexually explicit images in this screenshot have been covered with a black box.
The Trojan displays a phishing page (bank.html) prompting the user to enter their bank card details. This page mimics a legitimate bank form and blocks the device screen until the user enters all the information. It even has its own virtual keyboard that supposedly protects the victim from keyloggers.

According to our data, 98% of all Rotexy attacks target users in Russia. Indeed, the Trojan explicitly targets Russian-speaking users. There have also been cases of users in Ukraine, Germany, Turkey and several other countries being affected.

To avoid such Trojans form landing on your mobile device:

A powerful, updated security solution is a must for all devices you use to shop online. Avoid buying anything online from websites that look potentially dangerous or resemble an incomplete version of a trusted brand’s website.
Don’t click on unknown links in email or social media messages, even from people you know, unless you were expecting the message.

Use Max Total Security for Android devices for total protection.

PedCont ransomware

Pedcont is a ransomware-type virus that stealthily infiltrates systems. Unlike most other ransomware, Pedcont does not encrypt or rename/modify data in any way, but it does display a pop-up window with a ransom-demand message.

The message states that stored data has been copied to a remote server and that users must pay a ransom of $50 in the Bitcoin cryptocurrency. Once payment is submitted, all stored files are supposedly deleted from the server. If, however, the victim decides not to pay, or payment is not submitted within the given time-frame (72 hours after infiltration), all data is transferred to ‘authorities’. In this way, users are threatened: those who have potentially illegal files may face serious issues. As mentioned above, this behavior is unusual to ransomware-type viruses. This ransomware does not append any specific file extension to the targeted data.

PedCont virus seems to be more of a scareware than a real ransomware because it does not properly encrypt data on the targeted computer. The main purpose of this cyber threat is to trick users that they are criminals who used internet for illegal activities, and now they have to make a payment in order to avoid prosecution.

Soon after the infiltration, PedCont ransomware displays a window on the screen with a threatening message where people can learn what had happened to their files, Criminals use pure psychological terror in order to convince victims into paying the ransom. Paying $50 does not seem as painful as being arrested. However, people standing behind PedCont have nothing in common with legal authorities. This malicious program is created for swindling the money from inexperienced and naive computer users.

pedcont

As soon as PedCont ransomware has infected your computer system, the virus may drop it’s payload files, which in their turn may reside in the following Windows directories:

%AppData%
%Local%
%LocalLow%
%Roaming%
%Temp%

As always, we recommend to not pay any ransom to these companies and use your back up to restore files. Always use Max Total Security to keep all ramsomware away and have peace of mind with automatic back up on local drive, network and on Google Drive.

StalinLocker Ransomware

A new , sophisticated screenlocker / Ransomware has been detected which gives you only 10 minutes to enter code or it locks your screen and starts wiping data on your PC.
stalin

It displays a screen that shows Stalin while playing the USSR anthem and displaying a countdown until files are deleted.

StalinLocker may land on computers via phishing emails and corrupted updates to browser plugins like Adobe Flash and Java. The StalinLocker is a severe threat to PC users as it is designed to wipe data securely if the victim fails to enter a “disarm code” on the Stalin Screen Lock window. Once the StalinLocker Wiper is on the computer, it loads ‘C:\Users\\AppData\Local\stalin.exe’ that covers the screen with a program window completely. As the name implies, the Screen Lock window includes a Photoshopped photo of Josef Stalin after he is appointed as the acting political and military leader of the Soviet Union (USSR). Additionally, it play an MP3 file from ‘C:\Users\\AppData\Local\USSR_Anthem.mp3’.

The Screen Lock message presented to users features the following quote from Josef Stalin:

Translated into English:
‘The victory of socialism in our country is assured
The foundation of the socialist economy is complete
The reality of our production plan is millions of working people who are creating a new life.
J. Stalin.’

A detailed review of the code showed that the StalinLocker Wiper is programmed to give its victims the chance to disable it by entering a code until eleven minutes (660 seconds) are passed. Researchers pointed out that the unlock code is a sequence of numbers. The correct sequence is determined by subtracting 1922.12.30 from the current date. Interestingly, December 30th, 1922 is the date the USSR was established after a revolution took over Russia. If PC users fail to enter the correct disarm code, the StalinLocker Wiper proceeds to delete all data on the local drives starting with drive letter A:\ all the way to Z:\. The StalinLocker Wiper is reported to terminate the processes of the Windows Explorer (explorer.exe) and the Windows Task Manager (taskmgr.exe) when it is loaded on the desktop.

The StalinLocker Wiper does not demand money from users like other Ransomware, and it does not need users to play a game to unlock their files . On the contrary, StalinLocker is a simple data wiper, which can be countered by only one way — backups. We advise PC users to incorporate a reliable backup solution such as provided by Max Total Security.