Android: The phone is not the target, your money is



Having grown in popularity, Android devices are naturally a favorite target of cyber-criminals, who are concentrating their efforts on breaching the Google-developed OS. The lack of attention of many Android users is also being exploited: a key factor is that users aren’t paying attention to what they download from the Google Play Store. Many devices are getting infected with malware that gives itself root access after being downloaded and then immediately starts its malicious operations.

The best-known malware for mobile platforms is currently the Locker ransomware. It usually starts as a “message” from a law enforcement agency such as the FBI, BKA or LKA, and uses various tricks to obtain payment from its victims. This malicious software is becoming more and more professional, even offering up alleged “examples” of user misdeeds that could be used as evidence against the user, to ensure that payment is made as quickly as possible. The bitcoin payment methods used make it next to impossible either to trace or to recover the ransom money.

But how do you get rid of this malware from your Android device?

One of the most important steps in reducing potential damage from malware is to make a weekly backup of the most important files on the Android device. That way, after the user restarts the device in safe mode to remove the malware, the most important data on the phone remains untouched. Beyond that, the device may have to be restored to its factory settings if the malware intrusion leaves it unable to work normally.

Most attacks on Android have a clear purpose: making money from users. That is why only a small share of the malware is focused on directly attacking the phone. The growth curve is developing much as it did with Windows: as Android becomes more widespread and apps become easier to develop, cybercriminal attacks increasingly focus on it. Although they are still, at least at the moment, far fewer than the attacks on Windows PCs, the numbers of these attacks are rising quickly over time.

Security you can trust

At Avira, we have developed a free security system for Android which is available in the Google Play Store. Independent testing labs have found that Avira Free Antivirus for Android has superior detection of mobile device threats when compared to most paid solutions. Avira also prevents unwanted premium calls (a prime way that cybercriminals make money from mobile malware), blocks banking Trojans, and stops ransomware from restricting access to data or encrypting it. Free Antivirus for Android also includes features that protect your e-mails and browsing. It contains the Android Optimizer, which accelerates the phone’s operation by freeing up extra memory (RAM), protecting your privacy, and extending the device’s battery life.

Source : blog.avira.com


Android users: beware the porn-clicker Trojan in Play Store



Android devices are getting infected by the Clicker Trojan, a family of Android malware that is hidden in counterfeit versions of various apps. After installation, it uses the browser of the infected device to click on porn ads in the background. The way this Trojan manages to infect a device isn’t at all complicated: the virus is disguised as a version of a very popular game or app, from which it “borrows” even the name and icon. The malicious apps are offered for free and are completely unrelated to the original.

Apps and games to avoid

As mentioned above, the Clicker Trojan usually carries a popular name such as “Temple Run 3”, “Subway Surfers 2”, “Travel Wallpapers”, etc., and each app has a different icon matching the name. Once installed, they start a hidden browsing session, load various porn websites and trick the user into clicking on ads. This is how the malware authors collect revenue.

[Image: a fake app listed in Google Play]

Avira Antivirus for Android detects the Trojan

Avira Virus Lab ensures that Avira Antivirus detects the Trojan, and its analysts explain how the porn-clicker manages to get past Google’s filters:

[Image: the suspicious permissions requested by the fake app]

A common feature of the Clicker family is that it is requesting “draw over other apps” permissions.
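A defender-side check for the permission profile described above, added here as an example and not Avira's code: it parses an app's AndroidManifest.xml and flags the SYSTEM_ALERT_WINDOW permission, which is the manifest name behind the “draw over other apps” prompt. Both manifests below are constructed, and the boot and network permissions on the watchlist are my own additions to the profile.

```python
# Added example (not Avira's code): review the permissions an Android app
# declares in AndroidManifest.xml and flag the "draw over other apps" request
# that the Clicker family relies on. Both sample manifests are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's form of android:name
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# SYSTEM_ALERT_WINDOW is the permission behind the "draw over other apps"
# prompt; the other two make the profile more suspicious for something that
# claims to be a game or a wallpaper pack (my own watchlist, not Avira's).
WATCHLIST = {
    OVERLAY: "draw over other apps (overlay)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself at boot",
    "android.permission.INTERNET": "can reach the network",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def review_manifest(manifest_xml: str) -> dict:
    """Summarise a manifest: package, overlay request, watchlist hits, verdict."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    hits = {p: why for p, why in WATCHLIST.items() if p in perms}
    return {
        "package": root.get("package"),
        "requests_overlay": OVERLAY in perms,
        "hits": hits,
        "verdict": "review before installing" if OVERLAY in perms
                   else "no overlay request",
    }


# Constructed manifest imitating a counterfeit game that also wants an overlay.
FAKE_GAME_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.templerun3">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Temple Run 3"/>
</manifest>"""

# Constructed manifest of a plain game that only needs network access.
PLAIN_GAME_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plaingame">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for m in (FAKE_GAME_MANIFEST, PLAIN_GAME_MANIFEST):
        print(review_manifest(m))
```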

“The Clicker Trojan is a family of Android malware that poses as legitimate apps but once they are installed they click on porn ads in the background,” said Mihai Grigorescu, Virus Analyst at Avira Protection Lab. “They are present in Google Play as they have been able to bypass Google’s automatic filters as well as the human review process. Avira Antivirus is detecting the Trojan as Android/Clicker with subtypes like Android/Clicker.B, Android/Clicker.AC, etc. and we are successfully blocking it.”

This type of malware usually deletes its shortcut from the Android main menu, so that it appears not to be installed. You can find it by going to Settings and then Applications, and safely uninstall it from there.

In order to spot these fake apps, Avira advises Android users to carefully check the name of the publisher, the number of downloads, and the number of positive reviews. The more comments an app has, the better. Conversely, plenty of bad reviews for an app is a suspicious sign; please inform our Virus Lab team about it.



KeRanger ransomware is now a menace for your Mac too



Mac computers were attacked by KeRanger ransomware

As you know, ransomware is one of the fastest-growing types of cyber threat. It attacks by encrypting data on infected machines, then typically asks users to pay a ransom in hard-to-trace digital currencies for an electronic key with which they can retrieve their data. According to security experts, cyber criminals extract hundreds of millions of dollars a year from their victims, especially by targeting the Microsoft Windows operating system. Now it looks like they have just expanded their horizons.

Ryan Olson (Palo Alto Threat Intelligence Director) confirmed that the “KeRanger” malware, which appeared on 4 March, was the first functioning ransomware attacking Apple’s Mac computers.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” said Olson in an interview for Reuters.

This time the attack vector was very specific: an affected user had to download a particular program whose download website had been compromised.

How did it happen?

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog article posted on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.

Apple’s immediate intervention over the weekend

Apple took steps over the weekend to prevent further infections by revoking the digital certificate that allowed the rogue software to install on Macs. No further details have been provided yet.

Transmission also responded by removing the malicious version of its software from its website. On Sunday it released a version that, according to its website, automatically removes the ransomware from infected Macs. Transmission users were advised to install the new update, version 2.92, immediately if they suspected they might be infected.

How the ransomware acts after infecting your Mac

Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker’s server and start encrypting files so they cannot be accessed.

Once the encryption is complete, KeRanger demands a ransom of 1 bitcoin, or about $400, the blog said.

Olson also mentioned that the victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission’s site.

Be safe under Avira’s umbrella right away

Our Free Antivirus for Mac is able to detect the new KeRanger ransomware on Apple computers. If you are already looking for solutions to protect your Mac against ransomware attacks.



To get infected, follow the directions – Avira Support



The directions come as a zipped text file along with the Trojan downloader, with the malware hiding on the recipient’s computer behind the standard icon for an Excel file. If the downloader does not open automatically or is stopped by the recipient’s antivirus software, the readme.txt gives detailed instructions on how to execute the malware.

Here is a summary:

  • Just click to agree to everything: Double click on the extracted file. And from there, just click on “Agree” and then “Run”. For PCs with Windows 8 or the newer 10, click on “More Information” -> “Download anyway” at the standard SmartScreen warning.
  • Disable or turn off your antivirus or firewall: AVs and firewalls can block all files downloaded from the internet. If there are problems, add this file to the exceptions list and try again. Or, temporarily turn off the AV or firewall until the file has been downloaded.

“They really want to be sure that the user ‘properly’ gets infected,” pointed out Oscar Anduiza, malware analyst at Avira. “These directions are pretty much exactly 180 degrees off from what computer users should actually do.”

[Image: the contents of the zip archive]

The readme.txt file is written in standard, if slightly irregular, German, but does not appear to be a machine translation. This indicates that the text was written for the German mass market, although it is probably also being distributed in other languages such as English.

[Image: the readme.txt with the installation directions]

“This gives the cybercriminals a second chance at a successful installation, especially after the AV has blocked the initial attempt. This is an interesting social engineering trick, especially as the downloader and malware are not especially sophisticated,” added Anduiza.

If users click, they begin an “installation process” that starts with a popup of a suspicious root certificate. This official-looking certificate — apparently issued by COMODO — gives the issuers unlimited permission to make changes on the system, move freely past the firewall and circumvent the already installed AV.

The malware then downloads a malicious file that is copied to three places on the computer. One copy goes into the Startup folder, ensuring that the malware is executed every time Windows starts:

c:\ProgramData\VCFKARJR.com
c:\Users\All Users\VCFKARJR.com
c:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif
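A defender-side check for the persistence pattern just described, added here as an example and not Avira's code: given an inventory of file paths, it flags executables dropped into a Startup folder or using legacy executable extensions, and reports file names copied into more than one directory. The path list is constructed; the two VCFKARJR.com locations and system.pif are those named in the post, and the user name alice is a placeholder.

```python
# Added example (not Avira's code): flag the persistence pattern the post
# describes, an executable dropped into the Startup folder and the same file
# copied to several locations. The inventory below is constructed.
from collections import defaultdict
from pathlib import PureWindowsPath

EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}
# DOS-era executable formats that a modern installer has no reason to use.
LEGACY_EXTENSIONS = {".com", ".pif", ".scr"}
STARTUP_TAIL = ("start menu", "programs", "startup")


def in_startup_folder(path: str) -> bool:
    """True when the file sits in a per-user or all-users Startup folder."""
    parts = tuple(p.lower() for p in PureWindowsPath(path).parent.parts)
    return parts[-3:] == STARTUP_TAIL


def find_persistence(paths):
    """Return (path, reasons) for executables matching the post's pattern."""
    findings = []
    for p in paths:
        ext = PureWindowsPath(p).suffix.lower()
        if ext not in EXEC_EXTENSIONS:
            continue
        reasons = []
        if in_startup_folder(p):
            reasons.append("executable in Startup folder, runs at every logon")
        if ext in LEGACY_EXTENSIONS:
            reasons.append("legacy executable extension " + ext)
        if reasons:
            findings.append((p, reasons))
    return findings


def duplicate_drops(paths):
    """Map file names found in more than one directory to those directories."""
    seen = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        seen[wp.name.lower()].add(str(wp.parent).lower())
    return {name: sorted(dirs) for name, dirs in seen.items() if len(dirs) > 1}


# Constructed inventory: the post's three drop locations plus benign files.
# (On current Windows, c:\Users\All Users is a junction to c:\ProgramData.)
SAMPLE_PATHS = [
    r"c:\ProgramData\VCFKARJR.com",
    r"c:\Users\All Users\VCFKARJR.com",
    r"c:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif",
    r"c:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"c:\Program Files\Vendor\updater.exe",
]

if __name__ == "__main__":
    for path, reasons in find_persistence(SAMPLE_PATHS):
        print(path, "->", "; ".join(reasons))
    print(duplicate_drops(SAMPLE_PATHS))
```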

As of March 3, the installed malware was a banking Trojan that steals credentials and financial information. However, the cybercriminals can change the download link or add new variants at short notice. The current banking Trojans are covered by Avira detections.



Locky ransomware is dead, long live Locky



The first wave of Locky has passed, but the ransomware is still being distributed globally and within the DACH region. While this secondary distribution seems to be smaller than the first wave, the financial success of this malware for its authors and distributors gives us some clues as to what features will likely be included in the NEXT rounds of malware. “Follow the money” was the key phrase in All the President’s Men, Robert Redford’s classic film on Watergate — and this very much applies to malware. These clues from Locky are a mix of technical, distribution, and operational features – and should be a warning for computer users and companies planning their defensive strategies.

1. Drive me baby – Locky encrypted all drives on computers and networks – even the unmapped drives and shares. This expanded reach for encryption is expected to be included in future ransomware variants.

Response: Have a solid backup plan in place, ideally with a cloud service, as they offer file versioning and rollbacks. For consumers, a spare HDD/SSD for a local backup is fine – but only if the hard disk is disconnected once the backup is finished. This also protects the backup against damage from other dangers such as lightning-caused electrical surges.

2. New money from old tricks – Locky went to work by directly using macros in Word documents – and also by tossing in a bit of social engineering to get document recipients to activate the macros. That is quite old school – but it worked and was profitable for the cybercriminals.

Response: While zero-day threats are sexy, don’t forget to do the basic protection against continuing vulnerabilities such as macro manipulation. Consider enabling only digitally signed Office macros and disabling the rest. For corporate networks, this can be done in a way where end users are not able to see this option.

3. What the FUD! – In the early moments of the Locky onslaught, security publications pointed out the low detection scores in VirusTotal for most antivirus companies. This is a valid – but incomplete – look at the situation. We consider Locky to be FUD-level malware (Fully Undetected Malware), which means that the malware files were “optimized” until no AV scanner detected them anymore. Cybercriminals test their malware samples against the publicly available detection in VirusTotal – or against private, internal testing systems that work in a similar way. The low detection scores therefore have to be read with caution. Only some of the AV firms have cloud detection or other advanced detection methods from their products enabled on VirusTotal – sometimes, just as in poker, it is better not to show your full capabilities.

Response: Be skeptical about everything and always keep your eyes open.

4. Wisdom from the cloud – Avira detects Locky on several layers within its cloud detection and analysis. At the Auto Dump layer, Locky is detected after its layers of obfuscation have been removed. In the Night Vision machine learning layer, files are scored according to around 7,000 features, allowing us to catch malware very efficiently. If other detection layers catch the malware first, the Night Vision system dynamically learns about the sample within a few minutes and subsequently covers variants of it. In addition, the cloud analysis is out of reach of the cybercriminals.

Response: For complete protection, make sure that the cloud protection in your AV is fully activated. We feel this is so important that we have automatically included our consumer users in the APC (Avira Protection Cloud). Corporate clients must, for data protection reasons, sign off that they approve the EULA before joining the APC.



Ransomware “Tesla”: Are ransomware writers kidding us?



Most of us have probably seen e-mails like the one below in our inbox at one point or another:

[Image: a sample phishing e-mail]

This is the typical phishing e-mail sent out by cybercriminals. They want to get the victim with “evil” social engineering: to succeed, they try to make the user open the “invoice” using scare tactics such as unpaid bills, invoices, lost packages, and so on. The icing on the cake is the attached copy of the “invoice”, so that it can be opened ASAP.

In comparison to the other phishing emails we received before, they don’t insert the original “Tesla” ransomware file anymore. Instead they put an obfuscated JavaScript file inside the archive. Cool! That makes them more flexible than ever before.

[Image: the obfuscated JavaScript file]

The obfuscation is a pretty good one from my point of view. It doesn’t allow anyone to understand what’s going on. But nothing is perfect … enough ;-). It may take several tries but you can decode the script. This easy decryption leads me to the conclusion that they have automated its creation. Well, it seems that even the world of the criminals is changing.

An interesting fact is that to deploy ransomware, no knowledge of any programming language is needed anymore: Everything is offered ready to go on the darknet for anyone who is willing to pay. You can read a cool article I wrote on this topic over here.

[Image: the decoded JavaScript]

But let’s get back to the malicious script. It’s just a downloader. It shows the download source for the “Tesla” ransomware, where it will be stored on the system (e.g. %temp%), and it also takes care of running the binary after running some “quality checks” like file size.

Interesting? I believe so, because the criminals have changed the way they ensure that the ransomware reaches the victim’s computer. They now also have the option of using different URLs as sources. And, last but not least, it seems to be easier for them to deploy new scripts than to adjust the binary itself when it comes to bypassing antivirus solutions in order to stay undetected. With more samples to choose from, they have more chances to successfully infect your device.

You might be confused by the last sentence, but let me explain: once we analyzed the Tesla ransomware file in more detail, it seemed that they hadn’t invested any additional time in the “Tesla” ransomware files themselves. The latest and newest binaries we have received and analyzed are already covered by our detections from more than three years ago! That’s friggin’ old-school 🙂 !


Nope, that’s no joke. We’ve also seen that – after executing yet another script – instead of the Tesla ransomware binary, the latest Avira launcher is downloaded. We know that they took our launcher and put it on their command-and-control server.


Please note: You should know that we NEVER collaborate with cybercriminals or force anything like this! Nor do we spread malware with our launcher! But we want to say thanks to everyone who wants to promote our product for a better protected world nonetheless! 🙂

In the end it shows us once again how strong our detection pattern is when it comes to daily threats. It’s funny to find “new” samples which we’ve already been detecting for more than 3 years. But anyway, don’t forget our Avira Protection Cloud: in combination with our main antivirus, it becomes a powerful tool and a much stronger protective shield! So, ENABLE the Avira Protection Cloud in our product – and live free.

