There has been a recent surge of malware most commonly known as Shedun or HummingBad that has infected around 10 million Android phones. Lookout discovered Shedun back in November of 2015, and found that the creators of the malware have made it quite easy to deceive their victims into unintentionally downloading the software. The user goes to the Google Play store and downloads what they believe is a legitimate app such as Facebook, Twitter or WhatsApp, but what they are actually doing is installing the Shedun malware onto their phone.
Indicators of compromise (IOCs) are important breadcrumbs that let you know your organization may have been exposed to an attack. Learning what these indicators are and how to recognize them will help you stay one step ahead of attackers and stop breaches before they happen, or stop attacks while they are still in their early stages.
The new big thing this week is: Pokémon. After being out of the pop-culture spotlight for years, Pokémon Go has grabbed the attention (and wallets) of the masses. The app, which launched last week, quickly became a viral phenomenon, topping download charts in the United States, Australia and New Zealand, with current estimates showing that around five percent of all Android users in America have downloaded the app.
The wild popularity of Pokémon Go may have led to it becoming a victim of its own success. Server issues aside, the game instantly became a target for attackers keen to take advantage of the trend, and shortly after the official release, a malicious Pokémon Go app containing the DroidJack RAT (remote access tool) was released. Players eager to get their hands on the game—the primary targets for the attackers, who struck in countries where the game had not yet been made officially available—downloaded the compromised version of the game from various sites that specialize in unofficial Android executable files (.APKs).
The infected version of the Pokémon Go app bypassed Android device security by requiring a sideload install. That is, the .APK file had to be downloaded from a third-party website and then copied onto the device. This circumvented the security conventions provided by Google's Play store and gave the attackers an easy vector to exploit. Sideloading apps is not a new practice; Android users—particularly developers—have been able to do this since the devices were released. The reason for this loophole in security is to allow developers (and advanced Android users) to load applications that have not been signed by Google's Play store onto their devices for testing or use. Unfortunately, in this case it also allowed attackers to exploit the mass interest in Pokémon Go, a staged release cycle, and human anticipation in order to get malware installed.
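The defensive counterpart to the sideloading problem described above is being able to tell which apps on a managed device did not arrive through the store. The following is an added example, not code from the original post: it parses the output of `adb shell pm list packages -i -3` (third-party packages with their recorded installer) and flags any package whose installer is not a trusted store. The sample output embedded below is constructed for the example and was not captured from a real device; the set of trusted installers (Google Play only) is an assumption that an organization with an enterprise or OEM app store would extend.

```python
"""Flag sideloaded Android packages from `pm list packages -i -3` output.

Added example. Assumes the `package:<name>  installer=<installer>` line format
that `pm list packages -i` prints, with `installer=null` for packages that no
store installed. Restricting to third-party apps (-3) matters: preinstalled
system apps also report a null installer and would otherwise be false positives.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Installer package names treated as a trusted store channel.
# Assumption for this example: only Google Play counts. Packages recorded as
# installed by the system package installer were sideloaded by hand.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

# Constructed sample of `adb shell pm list packages -i -3` output (not real data).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.sideloaded_game  installer=null
package:com.example.manual_install  installer=com.google.android.packageinstaller
package:com.example.store_app  installer=com.android.vending
"""

_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


@dataclass(frozen=True)
class PackageRecord:
    package: str
    installer: Optional[str]  # None when pm reports installer=null


def parse_pm_output(text: str) -> list:
    """Parse pm output into PackageRecord objects; reject lines it does not understand."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = _LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised pm line: {line!r}")
        installer = match.group("installer")
        records.append(PackageRecord(match.group("pkg"),
                                     None if installer == "null" else installer))
    return records


def find_sideloaded(records, trusted=TRUSTED_INSTALLERS) -> list:
    """Return the sorted package names whose installer is not a trusted store."""
    return sorted(r.package for r in records if r.installer not in trusted)


if __name__ == "__main__":
    for pkg in find_sideloaded(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print("sideloaded:", pkg)
```

On a real device the same function would be fed the output of `adb shell pm list packages -i -3`; the list it returns is a starting point for triage, not proof of compromise, since developers and power users sideload legitimately.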
The malware in question is an evolution of the SandroRAT software, developed by the same group that made the original DroidJack app. DroidJack actually started life as a legitimate application to allow family members to track one another. DroidJack has maintained similar functionality to its predecessor, and is behaviorally similar to Dendroid, another RAT.
While it may be that your network is secured from the outside, that may not apply to the inside. The reality today is that people bring their personal devices to work all the time. When those devices—be they smartphones, laptops, or any other device—are linked into your network, it opens the door to a malware infection. The only way to be truly safe is to stop threats from communicating with their command and control infrastructure, and to remediate threats immediately upon detection.