Watch Out for X-Rated Ransomware!

Apps have quickly become a favorite element for mobile device users. They allow users to easily access social networks, news, games, even shopping networks. Users become so accustomed and dependent on apps that it might not occur to them that these apps can be a source of distress.

Certain users became fully aware of just how distressing an app can be when they downloaded “Adult Player.” This app lured consumers with the promise of provocative photos, but once the app was opened the user found themselves as the subject of a photo rather than the viewer. Using the phone’s front-facing camera, the app secretly took a picture of the owner and then locked the device. Afterwards, the mobile device displayed a demand for $500 to unlock it. It was the picture-perfect crime and a prime example of ransomware.

Ransomware is malicious software that locks a device or its data and demands money from the victim under the threat of releasing private information or wiping the device. In the August McAfee Labs Threat Report, we discussed how ransomware has increased 127% since 2014. Although most cases affect desktop computers and laptops, the high volume of mobile traffic is giving criminals an incentive to apply their ransomware tactics to mobile devices.

The increase is not surprising either, since ransomware is one of the more lucrative methods of cybercrime and can target large numbers of mobile devices. In fact, there have been reports of groups making upwards of $75,000 in 10 weeks.

The tactic most often used to obtain money from victims is to prey on human emotions. “Apps like this rely on the embarrassment factor. If you don’t pay, your reputation is on the line,” said Raj Samani, CTO, EMEA, Intel Security.

This isn’t the first time ransomware criminals have focused on mobile device users, and it certainly won’t be the last. “Ransomware is more prevalent on computers than phones, but this could be the start of a trend,” continued Samani. Most users can protect their devices by using a mixture of best practices and security software.

  • Back up your data, and do it often. Some ransomware scams threaten to delete your photos and videos, and the best way to avoid losing your data is to back it up on an external hard drive. Then, if you fall victim to a cyber criminal, you can wipe your system and start over.
  • Only download apps from a reliable source. Individuals who downloaded the “Adult Player” app found it on a website, not the Google Play or Apple App Store. When an app isn’t approved by the proper store, it’s a red flag for malware.
  • Download security software to protect your mobile device. McAfee® Mobile Security is free for Android and can help protect your device from bad apps and ransomware.

To keep up with the latest security threats, make sure to follow @IntelSec_Home on Twitter and like us on Facebook.

lianne-caetano

Zimperium Wins Telecom Council’s ‘Most Disruptive Technology’ Award

We’re thrilled to announce that Zimperium’s Mobile Threat Protection solution won the San Andreas Award for Most Disruptive Technology at the 8th annual TC3 Summit. The Service Provider Innovation Forum (SPIF) of the Telecom Council of Silicon Valley recognized Zimperium for our innovation, execution, management and technology at the Council’s SPIFFY awards ceremony in Mountain View, CA. Judges recognized Zimperium as showing the highest promise to disrupt the mobile security market.

“Today’s workforce is increasingly conducting business via mobile devices, so it is critical that enterprises take steps to properly protect their data,” said Liz Kerton, president of Telecom Council. “Many of our global service providers see the opportunity for their service and believe Zimperium has the technology and execution to disrupt this market segment.”

Zimperium’s solution is powered by the proprietary z9 engine, which uses machine learning algorithms to analyze threats in real time and prevent attacks before they happen. It is an on-device solution, which secures the mobile device even when it is not connected to the internet.

Telecom Council is a great platform for telecom companies to meet providers of innovative solutions and accelerate the development of the IoT ecosystem. Zimperium had a strong presence at the recent TC3 Summit. Telcos, device vendors and other platform providers are now focused on mobile security to add value to the end-user experience. “As a pioneer in enterprise mobile security, we foresee mobile cyber attacks becoming a major challenge,” said Zuk Avraham, founder and Chairman of Zimperium. “After six years of hard work, we are happy to receive this award for the most disruptive technology. We are glad our technology is able to help carriers, vendors and developers turn mobile endpoints from a threat to an advantage!”


zYiRemoval – Free tool to remove YiSpecter

An enterprise security vendor, Palo Alto Networks, followed up on a threat discovered by Cheetah Mobile and Qihoo360 and identified malware spreading through social media and other channels. This malware, named YiSpecter, abuses enterprise code signing to trick the user into installing a malicious app. Following Zimperium’s investigation, we have not observed any ‘never-seen-before’ tricks in this malware; the main infection vector is social engineering. The original blog post by Palo Alto Networks suggests that ISPs are helping to spread this malware, but we could not verify this claim at this time.

YiSpecter abuses an enterprise signing certificate issued to “Beijing Yingmob Interaction Technology Co., ltd.” to deploy the malware outside the official iOS App Store.

At Zimperium zLabs, we created a command line tool for OS X and Windows to remove any known instances of YiSpecter. You can download the tool for free here: 

To use the tool, plug in your infected iOS device and run it from the terminal:

./zYiRemoval

zYiRemoval will enumerate all connected devices and perform the administrative actions to remove malicious apps and profiles planted by YiSpecter.


It is advised to take the following steps to ensure that you are not impacted by YiSpecter:

Upgrade to iOS 9.0.2 as soon as possible.

If you were impacted by YiSpecter, use zYiRemoval to uninstall the following profiles and apps, or perform these steps manually.

Uninstall any of the following profiles:

  • “Changzhou Wangyi Information Technology Co., Ltd.”
  • “Baiwochuangxiang Technology Co., Ltd.”
  • “Beijing Yingmob Interaction Technology Co., ltd.”

If you have any of the apps below installed on your device, delete them:

  • “情涩播放器”
  • “快播私密版”
  • “快播0”
  • HYQvod (bundle id: weiying.Wvod)
  • DaPian (bundle id: weiying.DaPian)
  • NoIcon (bundle id: com.weiying.hiddenIconLaunch)

NoIcon silently installs two additional malicious apps “ADPage” and “NoIconUpdate”.

  • ADPage (bundle id:  com.weiying.ad)
  • NoIconUpdate (bundle id: com.weiying.noiconupdate)

Do not install profiles from unknown developers, and be extra careful when typing your PIN code: iOS asks you to type your PIN code before installing a new profile, so a prompt you did not expect is a warning sign.

C&C IPs

According to the original analysis, YiSpecter uses these subdomains:

  • iosnoico [dot] bb800 [dot] com: used to upload information and download configs and commands – currently responds to: 182.254.147.109
  • qvod [dot] bb800 [dot] com: used to download main app – 182.254.131.13
  • qvios [dot] od [dot] bb800 [dot] com: used to download main app – 182.254.131.13
  • dp [dot] bb800 [dot] com: used to download promoted iOS apps – 182.254.145.194
  • iosads [dot] cdn [dot] bb800 [dot] com: used to download promoted iOS apps and malicious components – 112.90.51.173

We are currently in the process of notifying all of our customers if any instance of YiSpecter is found and we are taking action to ensure that our enterprise customers are protected.

Additional IOCs:

Samples of YiSpecter from the original analysis:

57cc101ee4a9f306236d1d4fb5ccb3bb96fa76210142a5ec483a49321d2bd603  ADPage
4938b9861b7c55fbbe47d2ba04e9aff2da186e282f1e9ff0a15bbb22a5f6e0e7  ADPage.ipa
fc55c5ced1027b48885780c87980a286181d3639dfc97d03ebe04ec012a1b677  DaPian
5259854994945a165996d994e6484c1afc1c7e628cb5df2dc3750f4f9f92202e  DaPian.ipa
7714dbb85c5ebcd85cd1d93299479cff2cc82ad0ed11803c24c44106530d2e2f  HYQvod
ddd16577b458a5ec21ea0f57084033435a46f61dc5482f224c1fe54f47d295bc  HYQvod.ipa
8fa135fc74583e05be208752e8ce191060b1617447815a007efac78662b425d0  HYQvod_3.3.3
526e1dc893629c00c017fbe62b53392cb26bc6b15947e7b8b7df10a62f40cbad  HYQvod_3.3.3.ipa
41176825ba0627f61981280b27689a0c5cc6bfb310a408fa623515e6239b8647  NoIcon
98e9e65d6e674620eccaf3d024af1e7b736cc889e94a698685623d146d4fb15f  NoIcon.ipa
e7f071929a4304447cf638057d9499df9970b2a3d53d328a609f191a4bc29ffd  NoIconUpdate
8873908061f9c8d563de26fe6fa671080a90a2d60f795cc0664ef686e1162955  NoIconUpdate.ipa

Samples in VirusTotal
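The bundle IDs, profile issuers, C&C hostnames, IPs and SHA-256 digests listed in this post are the raw material for a defender’s sweep. The script below is an added example (it is not zYiRemoval and not Zimperium code) that turns those indicators into three checks: an installed-app and profile inventory from a device, a DNS log, and a table of file digests. The device inventory, the DNS log lines and the file paths are constructed for illustration; the indicators themselves are copied from the post, with the defanged “[dot]” hostnames refanged before matching.

```python
"""Match the YiSpecter indicators from the post above against constructed
device, DNS-log and file-hash inputs. Added example; not Zimperium's tool."""
import re

# --- Indicators copied from the post ---------------------------------------
BUNDLE_IDS = {
    "weiying.Wvod", "weiying.DaPian", "com.weiying.hiddenIconLaunch",
    "com.weiying.ad", "com.weiying.noiconupdate",
}
PROFILE_ISSUERS = {
    "Changzhou Wangyi Information Technology Co., Ltd.",
    "Baiwochuangxiang Technology Co., Ltd.",
    "Beijing Yingmob Interaction Technology Co., ltd.",
}
DEFANGED_DOMAINS = [
    "iosnoico [dot] bb800 [dot] com",
    "qvod [dot] bb800 [dot] com",
    "qvios [dot] od [dot] bb800 [dot] com",
    "dp [dot] bb800 [dot] com",
    "iosads [dot] cdn [dot] bb800 [dot] com",
]
C2_IPS = {"182.254.147.109", "182.254.131.13", "182.254.145.194", "112.90.51.173"}
# Subset of the SHA-256 digests listed above (binary, not .ipa, variants).
SAMPLE_SHA256 = {
    "57cc101ee4a9f306236d1d4fb5ccb3bb96fa76210142a5ec483a49321d2bd603": "ADPage",
    "fc55c5ced1027b48885780c87980a286181d3639dfc97d03ebe04ec012a1b677": "DaPian",
    "7714dbb85c5ebcd85cd1d93299479cff2cc82ad0ed11803c24c44106530d2e2f": "HYQvod",
    "41176825ba0627f61981280b27689a0c5cc6bfb310a408fa623515e6239b8647": "NoIcon",
    "e7f071929a4304447cf638057d9499df9970b2a3d53d328a609f191a4bc29ffd": "NoIconUpdate",
}


def refang(domain: str) -> str:
    """Turn 'a [dot] b [dot] com' back into 'a.b.com', lower-cased."""
    return re.sub(r"\s*\[dot\]\s*", ".", domain.strip()).lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def _norm(s: str) -> str:
    # Collapse whitespace and case so "Co.,  ltd." still matches "Co., ltd."
    return " ".join(s.split()).lower()


def check_device(bundle_ids, profile_issuers):
    """Return the installed bundle IDs and profile issuers that match the IOCs."""
    known_profiles = {_norm(p) for p in PROFILE_ISSUERS}
    return {
        "apps": sorted(set(bundle_ids) & BUNDLE_IDS),
        "profiles": sorted(p for p in profile_issuers if _norm(p) in known_profiles),
    }


# Constructed log format: "<timestamp> <client> <qtype> <name> <answer>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>\w+)\s+(?P<name>\S+)\s+(?P<answer>\S+)$")


def check_dns_log(lines):
    """Return (client, name, answer) for lines that hit a C&C host or IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        # Match the listed host itself or any label beneath it.
        dom_hit = any(name == d or name.endswith("." + d) for d in C2_DOMAINS)
        if dom_hit or m["answer"] in C2_IPS:
            hits.append((m["src"], name, m["answer"]))
    return hits


def check_hashes(hash_to_path):
    """Map known-bad SHA-256 digests to (sample name, path); case-insensitive."""
    out = {}
    for digest, path in hash_to_path.items():
        d = digest.lower()
        if d in SAMPLE_SHA256:
            out[d] = (SAMPLE_SHA256[d], path)
    return out


# --- Constructed sample inputs (not from the post) -------------------------
SAMPLE_DEVICE_APPS = ["com.apple.mobilesafari", "weiying.Wvod", "com.weiying.ad"]
SAMPLE_DEVICE_PROFILES = ["Beijing Yingmob Interaction Technology Co.,  ltd.", "Example Corp MDM"]
SAMPLE_DNS_LOG = [
    "2015-10-06T10:01:02Z 10.0.0.7 A iosnoico.bb800.com. 182.254.147.109",
    "2015-10-06T10:01:03Z 10.0.0.7 A www.example.com. 93.184.216.34",
    "2015-10-06T10:02:00Z 10.0.0.9 A cdn.example.org. 182.254.131.13",
]

if __name__ == "__main__":
    print(check_device(SAMPLE_DEVICE_APPS, SAMPLE_DEVICE_PROFILES))
    print(check_dns_log(SAMPLE_DNS_LOG))
```

The third constructed DNS line resolves an unlisted name to one of the listed C&C addresses; matching on the answer as well as the queried name is what catches a host that has moved to a new name. Profile issuer strings are compared with whitespace and case collapsed, because the post itself spells the Yingmob name with inconsistent spacing and capitalisation.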


For the PLA, Cyber War is the Battle of Triangle Hill

In June 2011 I wrote a blog post with the ever polite title China’s View Is More Important Than Yours. I was frustrated with the Western-centric, inward-focused view of many commentators, which put themselves at the center of debates over digital conflict, neglecting the possibility that other parties could perceive the situation differently. I remain concerned that while Western thinkers debate war using Western, especially Clausewitzian, models, Eastern adversaries, including hybrid Eastern-Western cultures, perceive war in their own terms.

I wrote in June 2011:

The Chinese military sees Western culture, particularly American culture, as an assault on China, saying “the West uses a system of values (democracy, freedom, human rights, etc.) in a long-term attack on socialist countries

Marxist theory opposes peaceful evolution, which… is the basic Western tactic for subverting socialist countries” (pp 102-3). They believe the US is conducting psychological warfare operations against socialism and consider culture as a “frontier” that has extended beyond American shores into the Chinese mainland.

The Chinese therefore consider control of information to be paramount, since they do not trust their population to “correctly” interpret American messaging (hence the “Great Firewall of China”). In this sense, China may consider the US as the aggressor in an ongoing cyberwar.

Today, thanks to a tweet by Jennifer McArdle, I noticed a May 2015 story featuring a translation of a People’s Daily article. The English translation is posted as Cybersovereignty Symbolizes National Sovereignty.

I recommend reading the whole article, but the following captures the spirit of the message:

Western hostile forces and a small number of “ideological traitors” in our country use the network, and relying on computers, mobile phones and other such information terminals, maliciously attack our Party, blacken the leaders who founded the New China, vilify our heroes, and arouse mistaken thinking trends of historical nihilism, with the ultimate goal of using “universal values” to mislead us, using “constitutional democracy” to throw us into turmoil, use “colour revolutions” to overthrow us, use negative public opinion and rumours to oppose us, and use “de-partification and depoliticization of the military” to upset us.

This article demonstrates that, four years after my first post, there are still elements, at least in the PLA, who believe that China is fighting a cyber war, and that the US started it.

I thought the last line from the PLA Daily article was especially revealing:

Only if we act as we did at the time of the Battle of Triangle Hill, are riveted to the most forward position of the battlefield and the fight in this ideological struggle, are online “seed machines and propaganda teams”, and arouse hundreds and thousands in the “Red Army”, will we be able to be good shock troops and fresh troops in the construction of the “Online Great Wall”, and will we be able to endure and vanquish in this protracted, smokeless war.

The Battle of Triangle Hill was an engagement during the Korean War, with Chinese forces fighting American, South Korean, Ethiopian, and Colombian forces. Both sides suffered heavy losses over a protracted engagement, although the Chinese appear to have lost more and viewed their attrition strategy as worthwhile. It’s ominous this PLA editorial writer decided to cite a battle between US and Chinese forces to communicate his point about online conflict, but it should make it easier for American readers to grasp the seriousness of the issue in Chinese minds.

Personal Info Stolen? Seven Response Steps

Yesterday on Bloomberg West, host Emily Chang reported on a breach that affected her personally identifiable information (PII). She asked what she should do now that she is a victim of data theft. This is my answer.

First, I recommend changing passwords for any accounts associated with the breached entities.

Second, if you used the same passwords from the breached entities at unrelated sites, change passwords at those other sites.

Third, if any of those entities offer two factor authentication, enable it. This likely involves getting a code via text message or using an app that generates codes.

Fourth, read Brian Krebs’ post How I Learned to Stop Worrying and Embrace the Security Freeze. It’s a personal decision to go all the way to enable a security freeze. I recommend everyone who has been a PII or credit data theft victim, at the minimum, to enable a “fraud alert.” Why? It’s free, and you can sign up online with one credit bureau and the others will enable it as well. The downside is that it expires 90 days later, unless you re-enable it. So, set a reminder in your calendar app to renew before the 90 days expire.

Fifth, create a schedule to periodically check your credit reports. Theft victims usually get credit monitoring for free, but everyone should take advantage of AnnualCreditReport.com, the FTC-authorized place to order credit reports, once per year, for free. For example, get one bureau’s report in January, a second in May, the third in September, and repeat with the first the next January.

Sixth, visit your credit, investing, and bank Web sites, and enable every kind of monitoring and alerting you can handle. I like to know about every purchase, withdrawal, deposit, etc. via email. Also keep a close eye on your statements for odd purchases.

Last, secure your email. Email is the key to your online existence. Use a provider that takes security seriously and provides two factor authentication.

Good luck!