Skip to content

ESET researchers detect a new trick used by malware to slip into the official Android app store

Bratislava – May 22, 2020 – ESET researchers discovered an extremely stealthy – yet surprisingly simple – technique that allowed Android malware to stay under the radar. Analyzing the DEFENSOR ID app that was – at the time – available on the official Android app store, ESET researchers learned the app misused Accessibility Services but required no other suspicious permission nor had any other malicious functionality. 

“The Accessibility Services feature is long known to be the Achilles’ heel of the Android operating system, and security solutions have been tuned to detect various combinations of misuse of this weak spot with other indicators of malicious behavior,” explains Lukáš Štefanko, the ESET malware researcher who conducted the analysis into DEFENSOR ID.  

Faced with malware that displayed no additional functionality nor suspicious permissions on top of Accessibility Services, all known security mechanisms failed to trigger any alarm. As a result, DEFENSOR ID made it onto the Google Play store, stayed there for a few months and was never detected by any security vendor participating in the VirusTotal program.

“This has been a valuable lesson for us. Based on what we’ve learned about DEFENSOR ID, we’ve fine-tuned our detection technologies to also cover malware with such a uniquely low detection cross-section,” says Štefanko.

Apart from being extremely stealthy, DEFENSOR ID is capable of inflicting serious harm on its victims. It belongs to the banking trojans malware category and is exceptionally insidious: once installed, it needs its victim to take only one action to fully unleash its power.  

“Once the user activates Accessibility Services, DEFENSOR ID can pave the way for the attacker to clean out the victim’s bank account or cryptocurrency wallet and take over their email or social media accounts, among other malicious actions,” comments Štefanko.  

Following ESET’s notice, Google removed DEFENSOR ID from the official Android app store.

“We decided to publish the results of our investigation into this malware to help defenders cope with ultra-low cross-section Android malware. The creators of such malware are definitely going to face hardened protections around both Google Play and the users’ devices,” concludes ESET’s Štefanko.  

For more details, read “Insidious Android malware gives up all malicious features but one to gain stealth” on WeLiveSecurity.com. Make sure to follow the ESET Research account on Twitter for the latest news from ESET Research.

 The DEFENSOR ID app on Google Play – Portuguese version (Google Translate: “Your new Defensor app available for: / Physical People / Legal entities / From now on you will have more protection when using your applications, encryption for end-to-end users”)

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET to Lead Linux Malware Workshop and Showcase Groundbreaking Amazon Echo KRACK Research at RSA 2020

Bratislava, Slovakia – January 23, 2020 ESET, a global leader in IT security, today announced a number of activities at next month’s RSA Conference 2020 (February 24-28 in San Francisco). 

ESET Malware Researcher Marc-Etienne M. Léveillé will lead a main stage workshop titled “Hunting Linux Malware for Fun and Flags.” The 50-minute workshop will take place on February 27 at 1:30 PM at Moscone West 3002. Attendees will learn to fight real-world Linux malware targeting server environments and to search for malicious processes and concealed backdoors in a compromised web server. Several examples of malware will be demonstrated with increasing layers of complexity, from scripts to ELF binaries with varying degrees of obfuscation.

ESET Senior Malware Researcher Robert Lipovský and Senior Detection Engineer, Štefan Svorenčík will present a 30-minute session on “Kr00k: How KRACKing Amazon Echo Exposed a Billion+ Vulnerable Wi-Fi Devices” on Wednesday, February 26 at 3:00pm PT at Moscone South. 

On the RSA trade show floor, ESET will be located at booth #753 in the South Hall. Senior Malware Researcher Robert Lipovský will discuss ESET’s latest cutting-edge threat research, including Operation Ghost and KRACKing the Amazon Echo. Malware Removal Support Supervisor James Rodewald will be leading demonstrations of ESET’s award-winning enterprise, SMB and consumer products. Malware Researcher Marc-Etienne M. Léveillé will also review his conference presentation and answer questions from attendees. 

Directly outside the conference, ESET will be running a four-day contest. Attend any of ESET’s inspiring presentations or live demos and get a chance to win the newest MacBook Pro 13, an iPhone 11, iPad, or Apple Watch in a prize raffle. Please see here for more details and contest rules. 

“RSA is a fantastic opportunity for our customers – both current and prospective – to see our multilayered suite of security solutions in action,” said Tony Anscombe, chief security evangelist at ESET. “The cybersecurity landscape has evolved drastically over the past decade, and we expect this to continue in the years to come. ESET is proud to be at the forefront of the field, and we are looking forward to showcasing our groundbreaking research, both on stage and at our trade show booth. We’re excited to meet and talk to attendees next month at RSA.”

Want to meet on-site with ESET at RSA? Please visit https://www.eset.com/us/rsac/.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

EQUIFAX DISCLOSES MASSIVE DATA BREACH

Today, September 8, 2017, Equifax, one of the largest credit reporting agencies in the United States, has disclosed that they suffered a massive data breach because their network was compromised by unknown hackers. According to the Equifax’s press release, attackers gained access to personal data of almost 143 million Americans. Social security numbers, birth dates and addresses of nearly half the population lost in this breach of the US could be misused by hackers for years to come. Credit card numbers of US-customers and non-US customers were also stolen. After Equifax announced the cyberattack, their shares dropped 13%.

Official information posted on the Equifax website states: “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.” The breach was disclosed only yesterday, meaning it took six weeks to detect the cyberattack.

Network security solutions like GREYCORTEX that identify anomalous behavior within your network are especially important in this situation. These solutions mean your IT team can identify malware by its anomalous movement within the network, and identify it as it replicates. GREYCORTEX MENDEL identifies such anomalous behavior, offers deep network visibility, and differentiates between human and machine behavior, meaning you can find infected devices within your network and secure your company’s data and reputation.

BEING “SMART” DOESN’T MAKE YOU SAFE

As you may have noticed, we have posted a lot on LinkedIn recently about new cyber attacks. The biggest link between these is that those attacks are commonly caused by not following best practices, or relying only on “legacy” security tools and/or the use of weak passwords.

Even with the use of today’s most advanced security tools, it can all fail at the weakest link of the security chain – people. According to csoonline, 56% of IT decision-makers claim that targeted phishing attacks are their top security threat. And this fear isn’t wrong. Everyone can be conned, even conmen. In many cases, it’s easier to get inside of the network if you abuse that fact. The most commonly used methods of exploiting people are phishing and blackmailing.

Phishing in its simplest form can be easily detected by regular humans. Because it’s not targeted, people on the receiving end can simply ask question “why did I get this email when it has nothing to do with me?” When it comes to more advanced phishing forms, like “whale” (going for the big target, e.g. top management or CEO) or spear phishing (targeted attacks against certain group/ individual), the attacker does the research and gets to know as much as possible about victims, which can be done with a search on the Internet or dumpster diving (think about what you throw away – are there any documents?). Once equipped with knowledge about the target, those attempts are way more effective.

Let’s examine it the security context. In this example, paraphrased from Christopher Hadnagy’s book “Social Engineering: The Art of Human Hacking,” an overconfident CEO is the target. The CEO thought that it’s not possible to hack him mainly for two reasons: he doesn’t utilize much technology in his personal life, and he thought that he was too smart to fall for phishing. Turns out he wasn’t that smart after all. In this example, the CEO expected an audit and readied himself for it. After scouring various sources of information, attackers decided to go with: the name of his favorite baseball team, favorite restaurant, and that he contributed funding to cancer research. On one Friday evening, a phone call took place. In it, the attacker approached the CEO with a plea asking about small contribution to the cancer cure research stating that here will be also a contest for contributors – winners will get two tickets to CEO’s favorite baseball team match (claiming that they know that baseball is not everyone’s cup of tea) and a voucher to one of three restaurants, including CEO’s favorite one. The CEO was willing to contribute, motivated by his desire to cure cancer and the possibility of winning tickets and a voucher, he told the attacker his email address, so they would be able to send him a .pdf file. That file contained a malicious code and CEO opened it, thus providing the attacker with access to his computer and everything in its reach.

Now that his computer has been compromised, as well as access to everything within the organization his authority (and passwords) will let him touch. So what to do? The attacker has access from his computer, so access rights to sensitive files are not an issue, nor is it an issue for the security team that the CEO is accessing files throughout the company. Is there a way to identify that the “CEO” accessing sensitive data is not actually the “real” CEO? Here’s where NTA technology can help. The next step following gaining access to the CEO’s accounts is to exfiltrate data. Network traffic analysis identifies that the computer in question is transmitting data where it shouldn’t, and/or in volumes that it shouldn’t. The computer can then be quarantined, the CEO alerted, and the attacker caught.

But while phishing may be the attack that’s on the mind of management, IT teams understand that “legacy” security tools, like sandbox, IDS, endpoint security or even a firewall, are not sufficient anymore. Let’s look at why.

Modern malware has many methods of detecting if it has infiltrated a “real” environment, or in cases of targeted attacks, if it has hit the right target. When such malware determines that it could be exposed, it lies dormant. This means that if you check everything that enters your company using a sandbox, malicious software can still enter the network if it is sufficiently advanced.

Known threats are usually detected by known patterns or hashes used by endpoint security or IDS, which makes them ineffective against new or advanced threats. Some endpoint security tools use AI to determine malicious behavior and are better equipped to fight new threats, but not every device can have endpoint security. Personal or “bring your own device (BYOD)” are a great example – like a laptop that an employee brings from home and connects to the network – or an IoT sensor where endpoint software cannot be installed. These devices are connected, but not secured by endpoint security.

Firewalls are essential to any networks security infrastructure, and stop communication that goes through them, meaning that generally they are able to protect the company for any threat that comes from the external network. But what if the attack starts after a user accidentally opens a communication link which allows the attacker to get behind the firewall and inside the network? What if the threat was brought inside the company by other means than through the Internet and then tries to spread in the internal network?

While the technology is different in each of these possible attacks, they all have one thing in common – attackers who exploit a gap in the security. The best gap fillers currently available are NTA solutions, like MENDEL from GREYCORTEX. MENDEL monitors all network traffic and analyzes changes of behavior in hosts, detects policy violations, data leaks, and much more. Not every unauthorized entry can be prevented before hit happens. Relying on legacy security tools means it can take months (some statistics reference nearly 200 days) to detect attackers as they move in the network. NTA solutions like MENDEL lower this time to between minutes and a few hours, often before actual damage happens in the network or the attacker knows they’ve gained access.

The question is not if you will get hacked. The question is when you will get hacked. And when that happens, are you ready for it and can you stop it, or will you still rely solely on best practices, as the CEO did, or on “legacy” security tools?

Fighting persistent malware with a UEFI scanner, or ‘What’s it all about UEFI?”

The short answer to the headline’s question is that a UEFI scanner is all about helping you protect your computer against people who seek to take it over by abusing its Unified Extensible Firmware Interface (UEFI). A successful attack on a system’s UEFI can give the attacker complete control of that system, including persistence: the ability to secretly maintain unauthorized access to the machine despite rebooting and/or reformatting of the hard drive.

As you can imagine, this form of persistence is not a virtue and can prolong the pain and inconvenience of a malicious code infection. If your security software only scan drives and memory, without scanning UEFI, it is possible to think you have a clean machine when you don’t, that’s why we recommend a security solution that scans it, like ESET.

Why does my device have a UEFI?

Computing devices work by executing code: the instructions that we call software and which make the hardware – such as a laptop or smartphone – do something useful. Code can be fed to the device in several ways. For example, it can be read from storage on a disk, held in memory, or delivered via a network connection. But when you power on a digital device it has to start somewhere (bootstrap), and that first piece of code is typically stored in a chip on the device. This code, referred to as firmware, may include a “power-on self-test” or POST to make sure things are working correctly, followed by the loading into memory of the basic instructions for handling input and output.

If you’ve been into computers for a while you might recognize this chip-based code as BIOS or Basic Input Output System. In fact, BIOS technology dates back to the 1970s and so it is not surprising that it would eventually struggle to meet the demands of today’s computers, a point made by my colleague, Cameron Camp, in this excellent article on UEFI scanning. As Cameron details, UEFI technology has evolved to replace BIOS, although some devices still refer to it as BIOS. (I’m tempted to say “Meet the new BIOS, same as the old BIOS” but UEFI is signifcantly different, and besides, this article already has a headline that exploits a classic lyric: “What’s it all about, Alfie?”)

“FOR MOST PEOPLE, THIS IS THE RIGHT QUESTION TO BE ASKING, AND THE RIGHT ANSWER WILL DEPEND ON WHO YOU ARE”

Technically, UEFI is a specification, maintained by the Unified Extensible Firmware Interface Forum (uefi.org). According to the forum, the specification defines a new model for the interface between personal computer operating systems and platform firmware, and it “consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its boot loader.” Without going into greater technical detail, UEFI added a great deal of functionality to the boot process, including some serious security measures (these are discussed in the  ESET white paper referenced by this article).

Unfortunately, the illicit benefits of devising code that can surreptitiously take over a system early in the boot process – generically referred to as a bootkit – are a powerful motivator to the folks who specialize in unauthorized access to digital devices. Such folks could be: cybercriminals; domestic and foreign agencies like NSA and CIA; and private companies that sell “surveillance tools” to governments.

For more details, check out the excellent article by my ESET colleague Cassius Puodzius that discusses these “threat actors” and their interest in UEFI. The broader topic of bootkit evolution from early days through 2012 is ably covered by ESET Senior Research Fellow, David Harley, in this article. You might also check out the paper “Bootkits, Past, Present, and Future”, presented at Virus Bulletin 2014. And of course there are plenty of technical papers on the UEFI Forum site.

So what’s my UEFI risk?

For most people, this is the right question to be asking, and the right answer will depend on who you are. For example, are you someone whose computer might be of interest to the NSA or CIA or other government entity that has the resources to invest in code that abuses UEFI, either its own code or a commercial surveillance product purchased from a commercial vendor? Are you using your computer to develop, review, or otherwise handle intellectual property worth stealing? If you answered either of those questions in the affirmative, then I would say you have an above average risk of encountering UEFI malware.

Currently, I am not aware of any large-scale, broadly-targeted criminal malware campaigns that exploit UEFI to attack the general public’s computer systems (if you know of any, please share the knowledge). However, even if you are not in a high risk category, I strongly suggest you still need security software with UEFI scanning capability. Why? Remember those three letter agencies that have been developing UEFI attacks? Well, they don’t have a stellar reputation for keeping their tools secret. In fact, the biggest news in malware so far this year has been WannaCryptor a.k.a. WannaCry, and one reason that particular ransomware spread so fast was because it used a “top secret” exploit developed by the NSA, an agency known to have dabbled in UEFI compromise.

In other words, we just don’t know when a new malware campaign that abuses UEFI to maintain persistence on compromised systems will appear in the wild. What I can say is that folks who are performing UEFI scans on a regular basis will be better prepared to protect their systems from future malware than people who are not. And that is what UEFI scanning is all about.

ESET latest endpoint security products now include an industry first UEFI scanning.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

THREAT HUNTING WITH MENDEL

“Threat hunting,” or “cyber threat hunting” is the process of proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools and is done by a threat hunter or security analyst. It is essential for network security because it works to identify hidden threats within an existing set of network data.
Threat hunting utilizes manual techniques from the threat hunter and machine-assisted techniques, the combination of which aims to find Tactics, Techniques, and Procedures (TTPs) of advanced adversaries. While this methodology is both time-tested and effective, it is also time consuming, and can sometimes miss important clues in mountains of network data. In the article below, we will discuss not only what threat hunting is, but also how it can be made more efficient through the use of modern tools.
Download the article here.

GREYCORTEX MENDEL DETECTS BADRABBIT

GREYCORTEX is happy to report that it is able to detect the BadRabbit ransomware. This ransomware appeared in Eastern Europe (Russia, Ukraine) but has begun to spread across several countries including South Korea, Poland, the Baltic, and regions. It uses an NSA-based exploit known as “EternalRomance” to enter networks and spreads by SMB port.
MENDEL is able to detect this ransomware in two different ways:

  • MENDEL’s integrated ruleset includes a rule specifically detecting the BadRabbit ransomware.
  • Independent from this IDS rule, MENDEL’s advanced artificial intelligence and machine learning detects the ransomware’s anomalous port sweep activity.

This detection capability demonstrates that MENDEL can identify unknown threats before rules are created in rules-based security tools. MENDEL provides network security teams vital extra time to protect their networks.

“TALES FROM THE MALWARE LAB” IS LIVE!

Following the success of our video describing the WannaCry ransomware, we are happy to announce an ongoing series of YouTube videos: “Tales from the Malware Lab – Powered by GREYCORTEX.” In it, we will leverage our in-house malware lab, complete with the latest version of GREYCORTEX MENDEL to provide useful information about emerging network security threats in an easy-to-follow visual format.

 The videos will provide an overview of each threat’s activity within the network, and visualize these attacks from the network traffic analysis standpoint. We are releasing these videos as a public service to the greater network security community, which will benefit from this video-based approach to malware.

 The first video, addressing the “EternalRocks” malware, is available here: https://youtu.be/vI1lRi5e-SM

GREYCORTEX PROTECTS AGAINST WANNACRY

GREYCORTEX is happy to report that MENDEL, our network traffic analysis solution, affirmatively detects infection by the WannaCry ransomware, its possible variants/clones, and protects users more effectively than rule-based detection tools alone.

Because GREYCORTEX MENDEL uses advanced artificial intelligence, machine learning, and data analysis to identify network anomalies, it easily identifies threats like WannaCry, allowing network security teams to take rapid action and stop threats before they do damage.

In the case of WannaCry, GREYCORTEX tested the ransomware in our malware lab. It was found to engage in aggressive and anomalous practices, like port-scanning behavior on an SMB port (445), attempting to connect to over 4000 devices in 175 countries across the Internet in five minutes, and downloading TOR network software. All of these behaviors were identified by MENDEL’s advanced network behavior analysis.

MENDEL users are better protected from malware like WannaCry and its variants/clones than users of firewall, IDS, or other rule-based security solutions alone. Rule-based security solutions require a known malware signature in order to create a rule. This means an attack must happen before the signature of the attack can be added as a rule. MENDEL doesn’t need a signature to identify the attack. It’s network behavior analysis features detect the attack’s symptoms before it harms the network. This means security teams have the peace of mind to know that should an attack happen, they will see it, and be able to stop it before it does damage.

If you are concerned about malware attacks, either from WannaCry or from other ransomware or malware, you may benefit from a 30 day Proof of Concept (PoC) from GREYCORTEX. During the PoC, MENDEL automatically learns your network to identify threats which may exist, including ransomware which is lying dormant in your network, or unpatched applications, which may leave you vulnerable. Do not hesitate to contact your network security professional, or GREYCORTEX  directly to arrange a PoC.

MS VULNERABILITIES EXPOSED BY GOOGLE

Google has disclosed the latest of several unpatched flaws in Microsoft software. GREYCORTEX MENDEL’s advanced machine learning and predictive analysis can identify these attacks.

Google’s “Project Zero” team recently disclosed a second unpatched Microsoft Windows security flaw, after Microsoft failed to fix the bug within Google’s set 90 day window. The vulnerability is identified as CVE-2017-0037, and is classed as a “type confusion flaw” in a module of Microsoft Edge and Internet Explorer. This flaw can lead to arbitrary code execution, and be used to crash IE or Edge, and allow hackers to execute code and gain administrator privileges on infected systems.

Advanced hackers may have either already exploited this flaw or they may soon exploit it. Network security solutions like GREYCORTEX that identify anomalous behaviour within your network are especially important in this situation. These solutions mean your IT team can identify malware by its anomalous movement within the network, and identify it as it replicates. GREYCORTEX MENDEL identifies such anomalous behavior, offers deep network visibility, and differentiates between human and machine behavior, meaning you can find infected devices within your network and secure your company’s data and reputation even without relying on Microsoft to fix vulnerabilities in its browsers.

You can read more about the vulnerability here: http://thehackernews.com/2017/02/google-microsoft-edge-bug.html