
Android security: This malware will mine cryptocurrency until your smartphone fails

March 29, 2018

Monero-mining Android malware will exhaust your phone in its quest for cash.

A new strain of Android malware will continuously use an infected device’s CPU to mine the Monero cryptocurrency until the device is exhausted or even breaks down.

Security company Trend Micro has named the malware HiddenMiner because of the techniques it uses to protect itself from discovery and removal.

Like most cryptocurrency-mining software, HiddenMiner uses the device’s CPU power to mine Monero.
But Trend Micro said that because there is no switch, controller, or optimizer in HiddenMiner’s code, it will continuously mine Monero until the device’s resources are exhausted.

“Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail,” the company said.

If the researchers’ concerns are correct, this is not the first cryptocurrency-mining malware to put your smartphone at risk: last year the Loapi Android malware worked a phone so hard that its battery swelled up and burst open the device’s back cover, wrecking the handset within 48 hours.

Trend Micro said the two pieces of malware share similarities, noting that Loapi’s technique of locking the screen after revoking device administration permissions is analogous to HiddenMiner’s.

Researchers at the company identified the Monero mining pools and wallets connected to the malware, and spotted that one of its operators withdrew 26 XMR — around $5,360 — from one of the wallets.
This, they said, indicates a “rather active” campaign of using infected devices to mine cryptocurrency.

HiddenMiner poses as a legitimate Google Play update app, and forces users to activate it as a device administrator.
It will persistently pop up until victims click the Activate button; once granted permission, HiddenMiner will start mining Monero in the background.

It also attempts to hide itself on infected devices, for example by emptying the app label and using a transparent icon after installation.
Once activated as device administrator, it will hide the app from the app launcher.
The malware will hide itself and automatically run with device administrator permission until the next device boot.
HiddenMiner also has anti-emulator capabilities to bypass detection and automated analysis.

It’s also hard to get rid of: users can’t uninstall an active system admin package until device administrator privileges are removed first.
But HiddenMiner locks the device’s screen when a user wants to deactivate its device administrator privileges, taking advantage of a bug found in Android operating systems before Android 7.0 Nougat.

Trend Micro said that HiddenMiner is found in third-party app marketplaces and is affecting users in India and China, but it won’t be a surprise if it spreads beyond these countries.

The emergence of this malware should reinforce the need for mobile security hygiene, said Trend Micro: download only from official app marketplaces, regularly update the device’s OS, and be careful about the permissions you grant to applications.

AVCrypt ransomware attempts to eradicate your antivirus

March 27, 2018

The malware attempts to take your antivirus products out of the equation before locking systems.

A new type of ransomware which tries to uninstall security software on victim PCs has been discovered in the wild.

The ransomware, dubbed AVCrypt, was first discovered by MalwareHunterTeam and later analyzed by security professionals at Bleeping Computer.

According to an analysis of the malware, AVCrypt will attempt to not only remove existing antivirus products before encrypting a compromised computer but will also delete a selection of Windows services.

Researchers Lawrence Abrams and Michael Gillespie say that the ransomware “attempts to uninstall software in a way that we have not seen before,” which marks the malware as unusual.

The true purpose of the malware — which appears to be ransomware due to its capabilities — is also in question, as some elements appear unfinished.
There are elements of encryption, but no true ransom note, and together with AVCrypt’s process deletion it is possible the malware may also be utilized as a wiper.

It is not yet known how AVCrypt targets victims.
However, when the malicious code executes on a victim’s PC, the malware will first attempt to remove security software by targeting Windows Defender and Malwarebytes, or by specifically querying for other antivirus software before attempting to uninstall the programs.

In order to eradicate AV products, the ransomware deletes Windows services which are required for the protective services to run properly, including MBAMProtection, Schedule, TermService, WPDBusEnum, WinDefend, and MBAMWebProtection.

The malware then checks to see if any antivirus software is registered with the Windows Security Center and deletes these details through the command line.
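As an added example (not code from the article or from the Bleeping Computer analysis), the following PowerShell health check looks for the tampering described above: it confirms that the services the analysis names are still registered and running, and reads the Security Center registration that AVCrypt is said to delete. It assumes the default Malwarebytes install directory and the root\SecurityCenter2 WMI namespace, which exists on Windows client editions but not on Windows Server.

```powershell
# Added example, not code from the article or the cited analysis: a defender's
# health check for the services the article says AVCrypt deletes. Run in an
# elevated PowerShell on a Windows client; it returns one object per finding.

# Services named in the analysis, split into ones every Windows client has and
# ones that exist only when Malwarebytes is installed.
$CoreServices = @('Schedule', 'TermService', 'WPDBusEnum', 'WinDefend')
$MbamServices = @('MBAMProtection', 'MBAMWebProtection')

function New-Finding($Check, $Name, $Severity, $Detail) {
    New-Object PSObject -Property @{
        Check = $Check; Name = $Name; Severity = $Severity; Detail = $Detail
    }
}

function Test-AvCryptTampering {
    $findings = @()

    foreach ($name in $CoreServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # A core service that is no longer registered is the pattern the
            # analysis describes (the malware deletes the service itself).
            $findings += New-Finding 'CoreService' $name 'High' `
                'Service is not registered; it may have been deleted'
        }
        elseif ($svc.Status -ne 'Running') {
            $findings += New-Finding 'CoreService' $name 'Medium' `
                "Service is registered but $($svc.Status)"
        }
    }

    # The MBAM services only matter when Malwarebytes is installed; the default
    # install directory is used as the indicator (assumption).
    if (Test-Path (Join-Path $env:ProgramFiles 'Malwarebytes')) {
        foreach ($name in $MbamServices) {
            if ($null -eq (Get-Service -Name $name -ErrorAction SilentlyContinue)) {
                $findings += New-Finding 'MalwarebytesService' $name 'High' `
                    'Malwarebytes is installed but its service is missing'
            }
        }
    }

    # Security Center keeps its own list of registered AV products in the
    # root\SecurityCenter2 WMI namespace (client editions only). The analysis
    # says AVCrypt removes entries from it, so an empty list is a finding.
    $products = @(Get-WmiObject -Namespace 'root\SecurityCenter2' `
        -Class 'AntiVirusProduct' -ErrorAction SilentlyContinue)
    if ($products.Count -eq 0) {
        $findings += New-Finding 'SecurityCenter' 'AntiVirusProduct' 'High' `
            'No antivirus product is registered with Security Center'
    }
    else {
        foreach ($p in $products) {
            # productState packs enabled/up-to-date flags; it is shown raw here.
            $findings += New-Finding 'SecurityCenter' $p.displayName 'Info' `
                ('Registered, productState=0x{0:X}' -f $p.productState)
        }
    }

    return ,$findings
}

Test-AvCryptTampering | Format-Table Check, Name, Severity, Detail -AutoSize
```

A clean machine produces only the Info rows for its registered AV products; any High row is worth correlating with the event log before assuming a stopped or removed service was an administrator's doing.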

During tests, however, the researchers say that the malware was unable to remove Emsisoft antivirus software through these techniques.

Whether or not the deletion of Windows services to hamper AV protections would work with other solutions is unknown.

The wiper features do not completely destroy Windows builds, but likely will cause service degradation.

Once this stage is complete, AVCrypt then uploads an encryption key to a TOR location together with system information and time zone.
The malware then scans for files to encrypt, renaming them in the process.

The ransom note, saved as “+HOW_TO_UNLOCK.txt,” does not contain any decryption instructions or contact information; instead, there is what appears to be placeholder “lol n” text.

It appears that the ransomware is in development stages, and while there is a tenuous link between AVCrypt and a recent attack on a Japanese university, it is not known whether the malware was responsible.

Microsoft told the publication that only two samples of this malware have been detected and so the company also believes that AVCrypt is not yet complete.

“This ransomware is quite destructive to an infected computer, yet at the same time does appear to upload the encryption key to a remote server,” the researchers say.
Therefore, it is not known whether this is a true ransomware or a wiper disguised as one.”


Beware the fake Facebook sirens that flirt you into sextortion

March 23, 2018

Fake Facebook profiles of hot women who invite targets to join them in sexy webcam masturbation sessions – sessions that lead to image capture and extortion – are part of a “three-tiered, industrial process” that allows a sophisticated criminal network to “find, filter and defraud victims, all the while protecting itself,” according to an investigation done by Radio Canada.

We’ve covered plenty of lone-wolf sextortionists: one who targeted underaged girls until he was caught by investigators’ booby-trapped video; the guy who preyed on Miss Teen USA and 150 others; and a former US Embassy worker who sextorted, phished, broke into email accounts, stole explicit images and cyberstalked hundreds of women around the world from his London office. And there are many others.

Not to downplay the suffering caused by such operators in any way – there have been multiple suicides related to such cases – but those lone wolves are rank amateurs compared with the massive network of fraudulent accounts that catfish male victims using stolen photos of young women and adolescent girls.

To find out how the networks spin their webs, Radio Canada journalists Marie-Eve Tremblay and Jeff Yates – an expert in online disinformation who’s found and mapped the connections between fake profiles to learn how they support each other – conducted a months-long investigation into what he believes is a “massive network.”

They knew that the accounts were fake because the photos had been stolen from Instagram accounts or personal Facebook profiles.
Some of the fake accounts are massive: they have 100,000, 200,000, or even 500,000 followers.

Yates believes that the fake profiles are just the first layer of a massive sextortion scheme.

It starts with a friend request from a young, hot babe.
Within minutes of an intended victim accepting the request, the fake account will invite the target to join her in a sexy webcam chat, such as on Skype or Google Hangouts.

What hetero man – or anybody else who likes the attention of young, hot women and is innocent enough to fall for the come-on – wouldn’t jump at the chance?
Once they do, the first step into a sextortion trap has been taken.
If the target can be coerced into taking off their clothes and/or masturbating, images are collected, and the ransom demands soon follow.

Yates, in the Radio-Canada web series Corde sensible, paraphrases a typical sextortion threat:

‘If you don’t give me this or that amount of money, I’m going to tell your girlfriend or your boyfriend or your friends that you’ve been chatting with sexy girls on the internet and that you’ve sent me nude pictures of yourself,’ etc.

To scam the scammers while still protecting Yates from having his photos fall into the crooks’ hands and then getting extorted himself, Radio Canada turned Tremblay into a guy.
Using a facial transformation app, the journalists turned her into “William,” a 24-year-old from France who likes soccer and his BMW.
They opted for France because they’d found evidence that that’s where the network is based.

To attract the network’s attention, “William” liked fake accounts’ photos and wrote a few comments.
That worked quite well, Tremblay said:

Result: friend requests from sexy girls began overloading my inbox.

Private conversations soon ensued.
Within an hour, one fake account asked “William” to add her on Skype.
After six minutes of chatting, she asked him to turn on his camera so they could have video sex.

Radio Canada didn’t get into the steamy details, but it did talk to a real-life victim whose experience paralleled what the media outlet described.

Cédrick said that within 20 minutes, “you’re already in over your head.”
“She” will have taken off her clothes, and/or done a sexy dance, and/or started touching herself, and will have asked her target to do the same.
The point is to get a full-body shot, along with the victim’s face, all the better to extort.

Once they have the images they want, everything cuts, and that’s where the intense stuff begins.
She starts off by showing you the video, she sends you a link on YouTube.

‘If you disconnect, if you leave, if you block me, I’m sending this videotape to everyone.’

It’s too well-organized for there to be only one person running it, Yates says.
To figure out how it was structured, he analyzed around 200 Facebook posts from about 40 fake accounts.
Every time one fake profile tagged another, he recorded the source and its target.

Then, using network analysis software, he mapped accounts according to their relationships.
He also used a network-detecting algorithm that determines which profiles interact with each other more than with the rest of the network.

What he came up with was a structure comprising three categories: feeder accounts, bait accounts and hunter accounts.

Feeder accounts are on the front line, serving as a gateway into the network.
They often have hundreds of thousands of followers, but they themselves don’t share sexy images.
Instead, they publish clickbait: phony contests, dummy IQ tests and lifehacks. Radio Canada says the posts often get hundreds or thousands of likes, shares and comments.

The feeder posts, acting as advertisements, tag other fake accounts belonging to the second layer, which is where the “bait” accounts are.
Given that those bait accounts appear to belong to beautiful women, the titillated will click on the bait accounts and start following them.
That’s how perfect victims self-select: they’re obviously interested in following Facebook profiles of sexy young women and girls, so they venture that much further into the sextortion web.

Bait accounts often share links that purportedly lead to a pornographic video – some of which are promoted as being of underage girls – but Radio Canada says they “invariably” lead to phishing sites where visitors are asked to enter their credit card information.
(Radio Canada didn’t click on links purporting to lead to illegal images of minors.)

The second tier isn’t where sextortion takes place.
Given that they promote porn, the bait accounts are sometimes flagged and removed by Facebook.
It doesn’t matter, though: the gateway feeder accounts stay up, given that no racy material is posted at that initial layer.

Bait accounts entice targets to write comments, either by asking questions such as “Do you think I’m hot?” or by promising to send private photos to those who post a comment.
Radio Canada says that this is an important step that leads to the innermost layer where the sextortion trap is sprung: the layer of fake accounts it calls hunter accounts.

Bait accounts have created a perfect environment for sextortion to happen.
The users who have commented aren’t afraid of publicly signaling their interest in young girls and, moreover, don’t have the wherewithal to realise that they’re dealing with fake accounts.
They are perfect targets for the hunter accounts.
These users receive, by the dozen, friend requests from the hunter accounts.

These hunter accounts often get banned, having triggered Facebook algorithms that spot fake accounts by picking out ones that amass a huge number of followers in a brief amount of time.
That’s why the “women” in the hunter accounts quickly send private messages to intended victims, trying to hustle them off Facebook as soon as possible: once they’re in a web chat, they’re out of Facebook’s reach and can go after the photos they need for extortion.

Fake Amazon ad ranks top on Google search results

March 20, 2018

Dang! Don’t you just hate it when you search for Amazon on Google, you click on the top link (which of course must be legit, right? – it’s from Google!) and then you somehow wind up infected with “Malicious Pornographic Spyware” with a dab of “riskware” on top?

Yep, not for the first time, Google’s been snookered into serving a scam tech support ad posing as an Amazon ad.

This is déjà vu.
Thirteen unlucky months ago, scammers slipped a fake Amazon ad under Google’s nose.
Anybody who clicked on it was whisked to a Windows support scam.

ZDNet reported on that one in February 2017, and it brings us news of the bad ad rebirth once again.
On Friday, ZDNet’s Zack Whittaker reported that for hours on Thursday, the top Google search result for “Amazon” was pointing to a scam site.

Top, as in, it outranked even the legitimate search result for
Users who clicked on the bad ad were whisked to a page that tried to terrify them with reports of malware infection so they’d call a number for “help.”
The ad masqueraded as an official Apple or Windows support page, depending on the type of computer in use.

Then, just as fake tech support ads tend to do, and just as the fake Amazon ad did last February, the bad ad shrugged off users’ attempts to dismiss a popup box that warned them about malicious pornographic spyware and riskware etc.
(What IS “pornographic spyware?” Spyware accompanied by heavy breathing?).

According to ZDNet’s analysis of the code, trying to close the popup would have likely triggered the browser to expand and fill up the entire screen, making it look like a system had been grabbed by ransomware.

ZDNet says it appeared through a proxy script on a malicious domain to make it look as though the link fully resolved to an page, “likely in an effort to circumvent Google’s systems from flagging the ad.”

The malicious domain was registered by GoDaddy, and the apparent domain owner didn’t respond to ZDNet’s inquiries.
A spokesperson for Google told ZDNet that the company doesn’t tolerate advertising of illegal activity and takes “immediate action to disable the offending sources” when it finds ads that violate its policies.

GoDaddy pulled the site offline within an hour of being contacted by ZDNet.
A GoDaddy spokesperson said that its security team found that the ad violated its terms of service, so they removed it.

Google’s swimming in these bad ads.

Last week, it announced that in 2017, it took down more than 3.2 billion ads that violated advertising policies.

That’s an average of 100 per second, Google said, and it’s up from 1.7 billion removals of bad ads in the prior year.
Google also booted 320,000 online publishers off for violations like showing Google-supplied ads alongside inappropriate or controversial content, according to Scott Spencer, Google’s director of sustainable ads.

What to do?

Google’s working hard to kill bad ads, but they’re obviously still getting through, including those that contain malware.
So to help you stay vigilant, here are some suggestions on what to do if you get hit with one of these fake tech support scams, be it on the phone or as “Riskware! Spyware!” taking over your browser:

  • If you receive a cold call about accepting support, just hang up.
  • If you receive a web popup or ad urging you to call for support, ignore it.
  • If you need help with your computer, ask someone whom you know and trust.
  • When searching for Amazon, remember that you don’t need to use Google. Simply go straight to

Facebook loses control of 50 million users’ data, suspends analytics firm

March 19, 2018

Cambridge Analytica – the data-crunching firm with tools so muscular that founder Christopher Wylie has described it as “Steve Bannon’s psychological warfare mindf**k tool” – has been collecting Facebook user data without permission through “a scam and a fraud,” Facebook said on Friday.

That statement to the New York Times came from Paul Grewal, a Facebook vice president and deputy general counsel.
It preceded a day of chaos inspired by big data use and abuse that has raged all weekend and promises to keep playing out as lawmakers pledge to launch investigations.

On Friday, after a week of questions from investigative reporters, Facebook suspended Cambridge Analytica and parent company Strategic Communication Laboratories (SCL) from its platform.
The suspensions came late in the game, news outlets are charging, given that Facebook has known about this for three years.
Facebook, for its part, claims that the parties involved lied about having deleted harvested data years ago.
At least one of the parties involved has shown evidence that points to Facebook having done very little to make sure the data was deleted.

The banishment was unveiled a day before the publishing of two investigatory reports – one from the New York Times, another from The Observer.
The reports both detailed how Cambridge used personal information taken without authorization from more than 50 million Facebook users in early 2014 to build a system that could profile individual US voters in order to target them with personalized political ads.

Cambridge is owned by conservative Republican hedge fund billionaire Robert Mercer.
It’s a voter-profiling company that was used by conservative investors during both the Trump and Brexit campaigns.

The NYT/Observer reports relied on interviews with six former employees and contractors plus a review of the firm’s emails and documents.
One such source was whistleblower Christopher Wylie, who worked with Cambridge University professor Aleksandr Kogan to obtain the data.
The Observer quoted Wylie:

We exploited Facebook to harvest millions of people’s profiles.
And built models to exploit what we knew about them and target their inner demons.
That was the basis the entire company was built on.

Cambridge did so, the newspapers reported, because it had a $15 million investment from Mercer burning a hole in its pocket.
Cambridge wanted to woo Steve Bannon with a tool to identify American voters’ personalities and to influence behavior, but it first needed data to flesh out that tool.
So it took Facebook users’ data without their permission, according to the newspapers.

They called it “one of the largest data leaks in the social network’s history” – one that allowed Cambridge to “exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.”

Not surprisingly, Facebook immediately pushed back against the characterization of a massive data leak in an update to its initial announcement of the suspensions.
It said that the data got out not through a leak but because some 270,000 Facebook users willingly signed up for a Facebook personality test called thisisyourdigitallife that billed itself as “a research app used by psychologists.”

The claim that this is a data breach is completely false.
Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent.
People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

Windows 7 Monthly Rollup Update KB4088875 Causes Network Adapter Issues

March 16, 2018

Ghost NIC might be created after installing the update

This month’s Patch Tuesday rollout is slowly proving to be quite a fiasco, as more reports seem to be pointing to issues with the updates Microsoft published for Windows devices.

After Windows 10 cumulative updates KB4088787 and KB4088776 showed signs of failed installs, it’s now the turn of the Windows 7 monthly rollup to cause problems, this time in a pretty different way.

There are reports that installing KB4088875 and the security-only update KB4088878 removes or breaks virtual Network Interface Cards (NICs), and in some cases deletes the static IP address configuration.
The update also creates a ghost NIC on some systems, according to this reddit discussion.

KB4088875 is available for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, and the issues mentioned above are said to be experienced on both OS versions.

One reddit user says that removing the ghost NICs returns systems to full functionality, and that adding new ones without first deleting these greyed-out entries would only cause conflicting IPs.

Meltdown and Spectre fixes

Delaying KB4088875 and the security-only update doesn’t really seem to be an option since they bring quite critical patches for Windows 7 systems.
They include new Meltdown and Spectre protections, as well as security updates for Internet Explorer, the Windows Shell, Windows Installer, and the Windows Kernel.

Microsoft is aware of four different issues with this monthly rollup for Windows 7, including a BSOD that occurs when the update is installed on a 32-bit system with Physical Address Extension (PAE) mode disabled.

“Microsoft is working on fixing this issue, and this update is, therefore, currently made available to machines with the Physical Address Extension (PAE) mode enabled,” the firm says.

We’re seeing reports that KB4088787 is no longer being offered via Windows Update, but we can’t confirm this just yet. If this is the case, Microsoft could be aware of the problem and may have temporarily halted the update until a fix is released.


13 flaws found in AMD processors, AMD given little warning

March 15, 2018

CTS-Labs of Israel claims it found 13 critical vulnerabilities in AMD processors, and gave AMD only 24 hours’ notice before disclosing them.

It’s probably a good thing AMD didn’t rub Intel’s nose in the Meltdown and Spectre flaws too much because boy, would it have a doozy of a payback coming to it.

A security firm in Israel has found 13 critical vulnerabilities spread across four separate classes that affect AMD’s hot new Ryzen desktop and Epyc server processors.

However, the handling of the disclosure is getting a lot of attention, and none of it good.
The company, CTS-Labs of Israel, gave AMD just 24 hours’ notice of its plans to disclose the vulnerabilities.
Typically companies get 90 days to get their arms around a problem, and Google, which unearthed Meltdown, gave Intel six months.

Yet CTS-Labs went through the trouble of setting up a dedicated website to host its findings and white papers.
Mind you, there isn’t much in the way of supporting evidence, just claims, and no independent verification.
Its white paper is replete with disclaimers, like this:

The report and all statements contained herein are opinions of CTS and are not statements of fact.
To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable.
Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions.
We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so.
You can publicly access any piece of evidence cited in this report or that we relied on to write this report.
Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.
Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

The result is CTS-Labs is getting roasted on Twitter, and rightfully so.
The veracity of its claims will be proven in the coming days.
Most everyone agrees, though, that CTS-Labs’ handling of the matter was awful.

4 categories of vulnerabilities in AMD processors

CTS-Labs classifies the four categories of the vulnerabilities as Ryzenfall, Masterkey, Fallout, and Chimera.
The company claims it discovered the vulnerabilities while studying what it called known backdoors in ASMedia chipsets, AMD’s third-party chipsets for Ryzen and Epyc.

It should be noted that the Epyc chip hasn’t really come to market yet. It takes longer to launch a server than a desktop.
Ryzen, though, has been selling very well, so desktop users are primarily at risk if these vulnerabilities all check out.

The company claims these backdoors have existed for six years and would allow hackers to inject malicious code directly into the Platform Secure Processor (PSP), which is a separate and secure processor that provides global management functions.
PSP is similar to Intel’s Management Engine (ME), which has also had security issues.

Each of the four classes of vulnerabilities has several individual vulnerabilities of its own.
Masterkey has three, including persistent malware running inside PSP, bypassing firmware security, and even doing physical damage to hardware through flash wear.

The first three — Ryzenfall, Masterkey, and Fallout — overlap with a slew of vulnerabilities, such as accessing Windows Isolated User Mode and Isolated Kernel Mode (VTL1), direct tampering with trusted code running on AMD Secure Processor, network credential theft, bypassing Microsoft virtualization-based security (VBS), and memory-resilient malware.

A fourth Ryzenfall error allows for arbitrary code execution on an AMD Secure Processor by bypassing firmware-based security, network credential theft and hardware damage.

The two Chimera vulnerabilities are manufacturer backdoors, one implemented in firmware, the other in hardware.
They allow malware to be injected into the chipset’s internal 8051 architecture processor, which links the CPU to USB, SATA, and PCI Express devices.