Red Alert 2.0: New Android Banking Trojan for Sale on Hacking Forums

Recent discoveries of dangerous new variants of several Android banking Trojan families present a significant threat to online users, who may have their login credentials and valuable personal data stolen.

Security researchers from SfyLabs have now discovered a new Android banking Trojan that is being rented out on several dark-web sites for $500 per month, SfyLabs’ researcher Han Sahin told The Hacker News.


Dubbed Red Alert 2.0, the malware has been written from scratch, unlike other Android banking trojans such as ExoBot, which evolved from the leaked source code of older trojans.

The Red Alert banking malware has been advertised on online hacking forums for the last few months, and its creators have been continuously updating it with new functionality in an effort to make it a more dangerous threat to potential victims.

Malware Blocks Incoming Calls from Banks

Like most other Android banking trojans, Red Alert has a large number of capabilities, such as stealing login credentials, hijacking SMS messages, displaying an overlay on top of legitimate apps and harvesting the contact list, among others.

Besides this, the Red Alert actors have added a less common capability: the malware blocks and logs all incoming calls from numbers associated with banks and other financial institutions.

This potentially allows the malware to stop a bank from reaching the victim by phone to warn of suspicious activity on a compromised account.

Malware Uses Twitter As Backup C&C Infrastructure

Another notable feature of Red Alert 2.0 is that it uses Twitter to avoid losing bots when its command-and-control (C&C) server is taken offline.

“When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account,” SfyLabs researchers said in a blog post. 

“This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan.”

Red Alert 2.0 currently targets the customers of more than 60 banks and the users of several social media apps around the world, and works on Android 6.0 (Marshmallow) and earlier versions.

Here’s How the Red Alert 2.0 Trojan Works:

Once installed on the victim’s phone, typically via a third-party app store, the malware waits for the victim to open a banking or social media app whose interface it can imitate. As soon as it detects one, the Trojan overlays the genuine app with a fake user interface.

The fake interface tells the victim that an error occurred while logging in and asks the user to re-authenticate.

As soon as the user enters credentials into the fake interface, Red Alert records them and sends them to the attacker-controlled command-and-control (C&C) server, where they are used to hijack the account.

In the case of banking apps, the stolen credentials are used to initiate fraudulent transactions and drain the victim’s bank account.

Since Red Alert 2.0 can also intercept SMS messages received by the infected phone, it can defeat SMS-based two-factor authentication, which is designed to thwart exactly this kind of attack. A one-time code generated by an authenticator app or a hardware token is not delivered over a channel the malware can read, although an overlay can still ask the victim to type such a code in.
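The capability set just described (overlay, SMS interception, call blocking, contact harvesting, plus the Twitter fallback for the C&C address from the previous section) is also what an analyst looks for when triaging a suspicious APK. The following Python script is an added example written for this page, not SfyLabs’ tooling or the malware’s code: it parses a decoded AndroidManifest.xml and a list of strings pulled from the app’s DEX and tags the capabilities they support. The manifest and the string table are constructed for the example, and the package, class and host names in them are placeholders.

```python
"""Static triage of a decoded APK for the banking-trojan capability set.

Added example written for this page; not SfyLabs' tooling or Red Alert's
code.  SAMPLE_MANIFEST and SAMPLE_STRINGS are constructed to resemble a
banking trojan; the package, class and host names are placeholders.
"""
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: namespace

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Flash Player">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SAMPLE_STRINGS = [                          # what `strings classes.dex` might show
    "http://203.0.113.7/gate.php",          # hardcoded C2 (TEST-NET-3 address)
    "https://twitter.com/",                 # where a replacement C2 is fetched
    "com.android.internal.telephony.ITelephony",
    "endCall",                              # reflective call termination
    "com.example.bank.mobile",              # an overlay target package
]


def parse_manifest(xml_text):
    """Return (requested permissions, {broadcast action: filter priority})."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    receivers = {}
    for filt in root.iter("intent-filter"):
        prio = int(filt.get(A + "priority", "0"))
        for act in filt.iter("action"):
            receivers[act.get(A + "name")] = prio
    return perms, receivers


IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}\b")


def triage(xml_text, strings):
    """Tag the capabilities the manifest and string table support."""
    perms, receivers = parse_manifest(xml_text)
    tags = set()
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        tags.add("overlay")                 # can draw a fake login over a real app
    if ("android.permission.RECEIVE_SMS" in perms
            and "android.provider.Telephony.SMS_RECEIVED" in receivers):
        tags.add("sms_intercept")
        if receivers["android.provider.Telephony.SMS_RECEIVED"] >= 999:
            tags.add("sms_intercept_high_priority")   # wants to see OTPs first
    if ("android.intent.action.PHONE_STATE" in receivers
            and any("ITelephony" in s for s in strings)
            and "endCall" in strings):
        tags.add("call_block")              # hangs up on callers (e.g. the bank)
    if "android.permission.READ_CONTACTS" in perms:
        tags.add("contact_harvest")
    if (any(IP_URL.match(s) for s in strings)
            and any("twitter.com" in s.lower() for s in strings)):
        tags.add("social_media_fallback_c2")
    return tags


def verdict(tags):
    """Overlay plus SMS interception is the banking-trojan signature;
    every further tag raises confidence."""
    if {"overlay", "sms_intercept"} <= tags:
        return "banking-trojan profile (%d indicators)" % len(tags)
    return "no banking-trojan profile"


if __name__ == "__main__":
    found = triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)
    print(sorted(found))
    print(verdict(found))
```

The tags are indicators, not proof: an SMS client legitimately registers for SMS_RECEIVED and a dialer legitimately watches PHONE_STATE. What matters is the combination. An app that draws over other apps and reads incoming SMS while carrying a hardcoded IP address next to a Twitter URL has no benign explanation. On Android 4.4 and later only the default SMS app can abort the SMS_RECEIVED broadcast, but every registered receiver still gets a copy of the message, which is all an OTP thief needs.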

Ways to Protect Yourself Against Such Android Banking Trojans

The easiest way to avoid becoming a victim of such a mobile banking Trojan is not to download apps from third-party app stores or from links sent in SMS messages or emails.

To be on the safer side, go to Settings → Security and make sure the “Unknown sources” option is turned off; this blocks the installation of apps from outside the Play Store. On Android 8.0 Oreo this setting became a per-app “Install unknown apps” permission under Settings → Apps & notifications → Special app access, so check that no browser or messaging app has been granted it.

Most importantly, review app permissions before installing any app, even from the official Google Play Store, and if an application asks for more than its stated purpose requires, do not install it.

It is also a good idea to install an anti-virus app from a reputable vendor that can detect and block such Trojans before they infect your device.

Also, always keep your system and apps up-to-date.

from THN : The Hacker News


Yet Another Android Malware Infects Over 4.2 Million Google Play Store Users

Despite Google’s many efforts, malicious apps still manage to fool the Play Store’s anti-malware protections and infect users.

It happened once again when at least 50 apps made their way onto Google Play Store and were downloaded as many as 4.2 million times, one of the biggest malware outbreaks to date.

Security firm Check Point on Thursday published a blog post revealing at least 50 Android apps that were free to download on the official Play Store and were downloaded between 1 million and 4.2 million times before Google removed them.

These apps carry a hidden malware payload that secretly registers victims for paid online services, sends fraudulent premium-rate text messages from the victims’ smartphones and leaves them to pay the bill, all without the users’ knowledge or permission.



Dubbed ExpensiveWall by Check Point researchers because it was found in the Lovely Wallpaper app, the malware comes hidden in free wallpaper, video and photo-editing apps. It is a new variant of a malware that McAfee reported on the Play Store earlier this year.

What sets ExpensiveWall apart from the other variants is that it is “packed”: its malicious code is compressed and encrypted and only unpacked at run time, so static scanning by Google Play Store’s built-in anti-malware protections does not see it.

The researchers notified Google of the malicious apps on August 7, and Google quickly removed them, but within a few days the malware re-emerged on the Play Store and infected over 5,000 devices before it was removed four days later, Check Point said.

Here’s How ExpensiveWall Malware Works:

Once an app carrying ExpensiveWall, which the researchers believe is distributed as a software development kit called GTK, is installed on a victim’s device, it asks the user for permission to access the Internet and to send and receive SMS messages.

The Internet access lets the malware connect the device to the attacker’s command-and-control server and report details of the infected handset, including its location and identifiers such as its MAC and IP addresses and its IMSI and IMEI numbers.

The C&C server then sends the malware a URL, which it opens in an embedded WebView. The page loads JavaScript that runs up the victim’s bill by sending fraudulent premium SMS messages without their knowledge and uses the victim’s phone number to register for paid services.

However, according to the Check Point researchers, it is still unclear how much revenue was generated via ExpensiveWall’s premium SMS scam.

Google’s Play Store—Home for Malware

Android malware continues to evolve with more sophisticated, never-before-seen capabilities every day, and spotting it on Google Play Store has become commonplace.

Last month, over 500 Android apps with spyware capabilities were found on Play Store, which had been downloaded more than 100 million times.

In July, Lipizzan spyware apps were spotted on Play Store that could steal a great deal of information from users, including text messages, emails, voice calls, photos, location data and other files, and spy on them.

In June, more than 800 Xavier-laden apps were discovered on Google Play that had been downloaded millions of times, and the same month researchers found the first code-injecting rooting malware making the rounds on Google Play Store.

A month earlier, researchers spotted 41 apps on Play Store hiding the Judy malware, which infected 36.5 million Android devices with malicious ad-click software.

In April, over 40 apps with hidden FalseGuide malware were spotted on Play Store, claiming 2 million Android users as victims.

Earlier this year, researchers also discovered a new variant of the HummingBad malware hidden in more than 20 apps on Google Play Store, which were downloaded by over 12 million users.

How to Protect Your Android From Such Malware Apps

Even after Google removed all the malware-tainted apps from its official Play Store, your smartphone will remain infected with ExpensiveWall until you explicitly uninstall the malicious app, if you downloaded one.

Google recently introduced a security feature known as Play Protect that uses machine learning and app usage analysis to automatically remove malicious apps from affected smartphones to prevent further harm.

However, according to the Check Point researchers, many phones run an older version of Android that does not support the feature, leaving a wide audience open to malware attacks.

You are strongly advised to always keep a good antivirus app on your device that can detect and block any malicious app before it can infect your device, and always keep your device and all apps up-to-date.

from The Hacker News

Does your mobile anti-virus app protect or infect you? The truth behind DU Antivirus Security

With mobile attacks representing nearly 20% of all cyberattacks in the Americas during the first half of 2017, users are constantly warned to be aware of security risks affecting their data and privacy, and install security software to protect their device. But what happens when antivirus solutions can’t be trusted, and actually compromise users’ privacy?

Check Point mobile threat researchers recently discovered a free mobile anti-virus app developed by the DU group, a developer of Android apps, which collects user data without the device owners’ consent. The app, called DU Antivirus Security, was distributed over Google Play, Google’s official app store, and downloaded between 10 and 50 million times, according to Google Play data.

Figure 1: The DU Antivirus Security app on Google Play

According to Check Point’s research, when the app runs for the first time, the DU Antivirus Security app collects information from the device, such as unique identifiers, contact list, call logs, and potentially the location of the device. This information is then encrypted and sent to a remote server. The customer information is later used by another app offered by the DU group, called “Caller ID & Call Block – DU Caller,” which provides users with information about incoming phone calls.

While users trusted DU Antivirus Security to protect private information, it did the exact opposite. It collected the personal information of its users without permission and used that private information for commercial purposes. Information about your personal calls, who you’re speaking with and for how long, was logged and later used.

Check Point reported the illegal use of the users’ private information to Google on August 21, 2017, and the app was removed from Google Play on August 24, 2017. A new version that doesn’t include the harmful code was uploaded to the Play store on August 28, 2017. Version number 3.1.5 of DU Antivirus Security is the latest version number found to include this privacy-leaking code, but older versions might still include it.

In addition to DU Antivirus Security, Check Point researchers detected the same code in 30 other apps, 12 of which were found on Google Play, and subsequently removed. These apps probably implemented the code as an external library, and transmitted the stolen data to the same remote server used by DU Caller. All in all, the illicit code affected between 24 and 89 million users who installed these apps, according to Google Play data.

Users who installed the DU Antivirus Security or any of the other apps should verify they are upgrading to the latest version that does not include this code.

Since anti-virus apps have a legitimate reason to request unusually extensive permissions, they are the perfect cover for fraudsters looking to abuse these permissions. In some cases, mobile anti-virus apps are even used as a decoy for delivering malware. Users should be aware of these suspicious anti-virus solutions, and use only mobile threat protection from reputable vendors that are proven to be capable of safeguarding mobile devices and the data stored in them.

Technical Details:

DU Antivirus Security collects the information from the user’s device when the app is first run. The stolen information is then sent to a server whose domain is not registered to DU apps. However, this domain has two subdomains which indicate it is indeed connected to the DU Caller app. First, one subdomain serves a PHP page that specifies its hostname, us02-Du_caller02.usaws02, which contains the name of the DU Caller app.

See Check Point Research for the complete technical report.

In addition, the subdomain is hosted on a private server whose IP address also hosts a second domain. That domain is registered to a Baidu employee, who used the same email address to post about parsing phone numbers. Since the DU apps are part of the Baidu group, and the post deals with functionality related to the caller app, this indicates a connection between the stolen information and the caller app.

Figure 2: Connections between DU Antivirus Security app and Caller app

The DU Caller app has already come under fire for an ambiguous privacy policy, which displays different terms on separate pages, and for carrying out its activity regardless of whether it received the user’s consent. Last year, Cheetah Mobile’s anti-virus faced similar accusations after providing a service that may violate privacy regulations.


The post Does your mobile anti-virus app protect or infect you? The truth behind DU Antivirus Security appeared first on Check Point Blog.

from Check Point Blog

ExpensiveWall: A dangerous ‘packed’ malware on Google Play that will hit your wallet

Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge. According to Google Play data, the malware infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed.

The new strain of malware is dubbed ‘ExpensiveWall,’ after one of the apps it uses to infect devices, ‘Lovely Wallpaper.’ ExpensiveWall is a new variant of a malware found earlier this year on Google Play. Downloads of the entire malware family reached between 5.9 million and 21.1 million.

What makes ExpensiveWall different than its other family members is that it is ‘packed’ – an advanced obfuscation technique used by malware developers to encrypt malicious code – allowing it to evade Google Play’s built-in anti-malware protections.


Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store. However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.

Figure 1: One of the malicious apps containing ExpensiveWall.

It’s important to point out that any infected app installed before it was removed from the Play Store remains installed on users’ devices. Users who downloaded these apps are therefore still at risk and should remove them manually.

What does ExpensiveWall do?

The malware registers victims to premium services without their knowledge and sends fraudulent premium SMS messages, charging their accounts for fake services.

Why is ExpensiveWall dangerous?

While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool.

How does ExpensiveWall work?

Once ExpensiveWall is downloaded, it requests several common permissions, including Internet access, which allows the app to connect to its C&C server, and SMS permissions, which enable it to send premium SMS messages and register users for other paid services, all without the user’s knowledge.

While these permissions are harmful within the context of a malware, many apps request the same permissions for legitimate purposes. Most users grant these permissions without thinking, especially when installing an app from a trustworthy source such as Google Play.

ExpensiveWall contains a bridge between in-app actions and JavaScript code running in an embedded WebView (a JavascriptInterface), meaning that JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers such as MAC and IP addresses, IMSI and IMEI.


Figure 2: Clicking functionality used by the ExpensiveWall malware.

Each time the device is switched on or experiences a connectivity change, the app connects to its C&C server and receives a URL, which it opens in the embedded WebView. This page contains malicious JavaScript that can invoke in-app functions through the JavascriptInterface, such as subscribing the user to premium services and sending SMS messages. The malware triggers the JavaScript by silently clicking links on the page, the same way it clicks on ads on other occasions.

Subscribing victims to paid services

The malware obtains the device’s phone number and uses it to subscribe the user to various paid services, such as the example below:

Figure 3: Code used to obtain phone number.


Figure 4: A premium service the malware subscribes the user to.

Sending premium SMS messages

In some cases the SMS activity takes place without any notice to the user. In other cases, the malware presents a button labelled “Continue”, and once the user taps it, the malware sends a premium SMS on their behalf. Below is an example of the HTML code containing the embedded JavaScript:

Figure 5: embedded JavaScript responsible for sending SMS messages.
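Both the Hacker News summary earlier on this page and this Check Point write-up describe the same mechanism: a WebView with JavaScript enabled, a Java object exposed to the page through addJavascriptInterface, and a server-chosen URL whose script calls back into the app to send SMS. The Python script below is an added example written for this page, not Check Point’s tooling or the ExpensiveWall code, and the Java in SAMPLE_JAVA is a constructed, decompiler-style snippet with made-up class, method and variable names. The script finds each bridge object, lists the @JavascriptInterface methods it exposes and reports which of them reach SmsManager or TelephonyManager.

```python
"""Locate WebView JavaScript bridges that reach the SMS API in decompiled source.

Added example written for this page; not Check Point's tooling or
ExpensiveWall's code.  SAMPLE_JAVA is a constructed, decompiler-style
snippet with made-up class, method and variable names.
"""
import re

SAMPLE_JAVA = r'''
public class WallActivity extends Activity {
    WebView web;
    void setup(String urlFromC2) {
        web = (WebView) findViewById(R.id.web);
        web.getSettings().setJavaScriptEnabled(true);
        web.addJavascriptInterface(new Bridge(this), "gtk");
        web.loadUrl(urlFromC2);            // page chosen by the server
    }
}
class Bridge {
    @JavascriptInterface
    public void sendSms(String to, String body) {
        SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
    }
    @JavascriptInterface
    public String getNumber() {
        return tm.getLine1Number();
    }
    @JavascriptInterface
    public void log(String s) { Log.d("gtk", s); }
}
'''

# Calls that should never be one JavaScript statement away from a web page.
SENSITIVE_CALLS = {
    "sendTextMessage", "sendMultipartTextMessage", "sendDataMessage",   # SmsManager
    "getLine1Number", "getDeviceId", "getSubscriberId",                  # TelephonyManager
}


def _block(text, open_idx):
    """Text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def _class_body(src, name):
    m = re.search(r"\bclass\s+" + re.escape(name) + r"\b[^{]*\{", src)
    return _block(src, m.end() - 1) if m else ""


def exposed_methods(class_body):
    """Map each @JavascriptInterface method to the sensitive calls in its body."""
    sig = re.compile(
        r"@JavascriptInterface\s+(?:public\s+)?[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*\{")
    found = {}
    for m in sig.finditer(class_body):
        body = _block(class_body, m.end() - 1)
        found[m.group(1)] = sorted(
            c for c in SENSITIVE_CALLS if re.search(r"\b" + c + r"\s*\(", body))
    return found


def find_bridges(src):
    """One record per addJavascriptInterface() call in the source."""
    call = re.compile(
        r'addJavascriptInterface\(\s*new\s+(\w+)\s*\([^)]*\)\s*,\s*"([^"]*)"\s*\)')
    out = []
    for m in call.finditer(src):
        cls, js_name = m.group(1), m.group(2)
        out.append({
            "js_name": js_name,                       # name the page uses, e.g. gtk.sendSms()
            "class": cls,
            "exposed": exposed_methods(_class_body(src, cls)),
            "js_enabled": bool(re.search(r"setJavaScriptEnabled\(\s*true\s*\)", src)),
            # loadUrl() with anything but a string literal: the page is chosen at run time
            "dynamic_url": bool(re.search(r'loadUrl\(\s*[^"\s)]', src)),
        })
    return out


def risky(bridges):
    """Bridges where some JavaScript-callable method reaches a sensitive API."""
    return [b for b in bridges if any(b["exposed"].values())]


if __name__ == "__main__":
    for b in risky(find_bridges(SAMPLE_JAVA)):
        print(b)
```

The hardened version of the same WebView is the one for which this scan reports nothing: if a bridge is needed at all, expose only methods that take no privileged action, keep JavaScript disabled unless the page requires it, and load only URLs from a fixed allowlist rather than one handed down by a server. Since Android 4.2 (API 17) only methods annotated with @JavascriptInterface are reachable from the page, which is why the scan keys on that annotation.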

ExpensiveWall on Google Play

The malicious activities did not go unnoticed by the users, as one notes below:

Figure 6: User’s comments on an ExpensiveWall app.


As seen in the image above, many users suspected that ExpensiveWall was a malicious app. The comments indicate that the app is promoted on several social networks including Instagram, which might explain how it came to be downloaded so many times.

See Check Point Research for the complete technical report.

After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called “gtk,” which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is being discussed here, and the third contains the code but does not actively use it.

Users and organizations should be aware that any malware attack is a severe breach of their mobile network, even if it starts out as seemingly harmless adware. ExpensiveWall is yet another example of the immediate need to protect all mobile devices against advanced threats.

How to stay protected

Cutting-edge malware such as ExpensiveWall requires advanced protections, capable of identifying and blocking zero-day malware by using both static and dynamic app analysis. Only by examining the malware within the context of its operation on a device can successful strategies to block it be created. Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available.

Check Point customers are protected by SandBlast Mobile, and on the network front by the Check Point Anti-Bot blade, which provides protection against this threat with the signature:

The post ExpensiveWall: A dangerous ‘packed’ malware on Google Play that will hit your wallet appeared first on Check Point Blog.

from Check Point Blog

Mobile Bootloaders From Top Manufacturers Found Vulnerable to Persistent Threats

Security researchers have discovered several severe zero-day vulnerabilities in the mobile bootloaders from at least four popular device manufacturers that could allow an attacker to gain persistent root access on the device.

A team of nine security researchers from the University of California, Santa Barbara created a static binary analysis tool called BootStomp that automatically detects security vulnerabilities in bootloaders.

Since bootloaders are usually closed source and hard to reverse-engineer, performing analysis on them is difficult, especially because hardware dependencies hinder dynamic analysis.

Therefore, the researchers created BootStomp, which

“uses a novel combination of static analysis techniques and underconstrained symbolic execution to build a multi-tag taint analysis capable of identifying bootloader vulnerabilities.”

The tool helped the researchers discover six previously unknown critical security bugs across bootloaders from HiSilicon (Huawei), Qualcomm, MediaTek and NVIDIA, which could be exploited by attackers to unlock the device’s bootloader, flash a custom malicious ROM and install persistent rootkits.

Five of the vulnerabilities have already been confirmed by the respective chipset vendors. The researchers also found a known bug (CVE-2014-9798) in Qualcomm’s bootloaders, which was reported in 2014 but is still present and exploitable.

In a research paper titled “BootStomp: On the Security of Bootloaders in Mobile Devices,” presented at the USENIX Security Symposium in Vancouver, the researchers explain that some of the discovered flaws even allow an attacker with root privileges on the Android operating system to execute malicious code as part of the bootloader or to perform permanent denial-of-service attacks.

According to the researchers, the vulnerabilities undermine ARM’s “Trusted Boot” and Android’s “Verified Boot” mechanisms, which chipset vendors implement to establish a Chain of Trust (CoT) that verifies the integrity of each component the system loads while booting the device.

Overview: Discovered Bootloader Vulnerabilities

The researchers tested five different bootloader implementations: the Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), the Nexus 9 (NVIDIA Tegra chipset), the Sony Xperia XA (MediaTek chipset) and two versions of the LK-based bootloader developed by Qualcomm.

The researchers discovered five critical vulnerabilities in the Huawei Android bootloader:

  • An arbitrary memory write or denial-of-service (DoS) issue when parsing the Linux kernel’s DeviceTree (DTB) stored in the boot partition.
  • A heap buffer overflow when reading the root-writable oem_info partition.
  • A root user’s ability to write the nve and oem_info partitions, from which configuration data and the memory-access permissions governing the smartphone’s peripherals are read.
  • A memory corruption issue that could allow an attacker to install a persistent rootkit.
  • An arbitrary memory write bug that lets an attacker run arbitrary code as the bootloader itself.
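The first Huawei finding above, a memory write while parsing a DeviceTree blob from the boot partition, is an instance of a general bug: the bootloader trusts offsets and sizes read from an image that an attacker with root can rewrite. The Python below is an added example written for this page, not BootStomp or any vendor’s bootloader code. It parses the standard flattened device tree header (ten big-endian 32-bit fields) and contrasts a check written the way C bootloaders often get it wrong, where offset + size is computed in 32-bit arithmetic and wraps, with one that bounds every field against the number of bytes actually read. Both blobs are constructed; the hostile one is not a reproduction of the reported Huawei bug.

```python
"""Validate a flattened device tree (DTB) header before trusting its offsets.

Added example written for this page; not BootStomp or any vendor's
bootloader code.  The layout is the standard fdt_header (ten big-endian
u32 fields).  GOOD_BLOB and EVIL_BLOB are constructed: the second has
offsets chosen so that a 32-bit `offset + size` check wraps around.
"""
import struct

FDT_MAGIC = 0xD00DFEED
FDT_HEADER = struct.Struct(">10I")           # 40 bytes
FIELDS = ("magic", "totalsize", "off_dt_struct", "off_dt_strings",
          "off_mem_rsvmap", "version", "last_comp_version",
          "boot_cpuid_phys", "size_dt_strings", "size_dt_struct")


def parse_header(blob):
    if len(blob) < FDT_HEADER.size:
        raise ValueError("blob shorter than fdt_header")
    return dict(zip(FIELDS, FDT_HEADER.unpack_from(blob)))


def check_header_naive(h):
    """The check a C bootloader gets wrong: u32 `off + size` silently wraps."""
    mask = 0xFFFFFFFF
    end_struct = (h["off_dt_struct"] + h["size_dt_struct"]) & mask
    end_strings = (h["off_dt_strings"] + h["size_dt_strings"]) & mask
    return (h["magic"] == FDT_MAGIC
            and end_struct <= h["totalsize"]
            and end_strings <= h["totalsize"])


def check_header(h, region_size):
    """Every offset and length must lie inside the bytes actually read.

    region_size is how much of the partition the loader copied into its
    buffer; totalsize from the image is never trusted on its own.
    """
    if h["magic"] != FDT_MAGIC:
        return False
    total = h["totalsize"]
    if total < FDT_HEADER.size or total > region_size:
        return False
    for off, size, align in (
        (h["off_dt_struct"], h["size_dt_struct"], 4),
        (h["off_dt_strings"], h["size_dt_strings"], 1),
        (h["off_mem_rsvmap"], 16, 8),        # at least the terminating reserve entry
    ):
        if off % align or off < FDT_HEADER.size:
            return False
        if off > total or size > total - off:   # subtraction form cannot wrap
            return False
    return True


def make_blob(**overrides):
    """Build a minimal, well-formed DTB; keyword overrides corrupt header fields."""
    rsvmap = bytes(16)                                    # single all-zero entry
    dt_struct = (struct.pack(">I", 1) + b"\0\0\0\0"       # FDT_BEGIN_NODE, name ""
                 + struct.pack(">I", 2)                   # FDT_END_NODE
                 + struct.pack(">I", 9))                  # FDT_END
    h = dict(magic=FDT_MAGIC, totalsize=40 + 16 + len(dt_struct),
             off_dt_struct=56, off_dt_strings=56 + len(dt_struct),
             off_mem_rsvmap=40, version=17, last_comp_version=16,
             boot_cpuid_phys=0, size_dt_strings=0,
             size_dt_struct=len(dt_struct))
    h.update(overrides)
    return FDT_HEADER.pack(*(h[f] for f in FIELDS)) + rsvmap + dt_struct


GOOD_BLOB = make_blob()
# Attacker-controlled DTB: 0xFFFFFFF0 + 0x20 wraps to 0x10 in 32-bit arithmetic,
# so the naive check accepts a struct block that starts 4 GiB past the buffer.
EVIL_BLOB = make_blob(off_dt_struct=0xFFFFFFF0, size_dt_struct=0x20)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_BLOB), ("evil", EVIL_BLOB)):
        h = parse_header(blob)
        print(name, "naive:", check_header_naive(h), "strict:", check_header(h, 4096))
```

Two details carry the weight: the comparison is written as size > total - off only after off <= total has been established, so nothing can wrap, and totalsize is checked against the size of the region the loader actually copied, not merely against itself; a DTB that claims to be larger than the buffer it was read into is exactly how a parser is walked past the end of its allocation.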

Another flaw was discovered in NVIDIA’s hboot, which runs at EL1, the same exception level as the Linux kernel; once compromised, it can give an attacker persistence.

The researchers also found a known, already patched vulnerability (CVE-2014-9798) in old versions of Qualcomm’s bootloader that could be exploited to cause a denial of service.

The researchers reported all the vulnerabilities to the affected vendors. Huawei confirmed all five of its vulnerabilities, and NVIDIA is working with the researchers on a fix.

The team of researchers has also proposed a series of mitigations to both limit the attack surface of the bootloader as well as enforce various desirable properties aimed at safeguarding the security and privacy of users.

from The Hacker News

Huawei jumps Apple to become second biggest smartphone vendor (for now)

Industry pundits have been echoing tales of Huawei’s uprise for years, and the company has enjoyed a solid spot among the top 3 smartphone manufacturers for quite some time now. But if the other juggernauts in the industry weren’t already worried, they can no longer afford to take them lightly: Huawei has surpassed Apple in global smartphone sales for both June and July 2017.

The news comes from Counterpoint Research, who unfortunately doesn’t yet have August figures available. Huawei’s conquest over the past couple of months is impressive, however it’s not yet certain that they can maintain the momentum as we move into the autumn months.

For one, they only narrowly beat Apple in July after soundly beating them in June, and that was without any launch of their own on the table. The iPhone 8 will be announced next week, and you have to think Apple is going to bounce back in a big way, as this particular history has a knack for repeating itself.

Still, it’s an impressive badge for Huawei, a company which once didn’t care to have their brand on smartphones as they made products for others. Meanwhile, Samsung is still slaughtering just about everyone, and we don’t see that changing much anytime soon.

via Counterpoint Research

from Phandroid

All Nokia Android phones will receive the Oreo update

HMD Global will roll out the Android 8.0 Oreo update to all Nokia-branded Android phones.

One of the key selling points of Nokia’s Android phones is the promise of quick updates. The phones have picked up monthly security updates on time, and now HMD Global’s Chief Product Officer Juho Sarvikas has announced that all Nokia-branded Android phones — including the entry-level Nokia 3 — will receive the Android 8.0 Oreo update.

Sarvikas isn’t committing to a timeline for the update, but it should be available in due course for the Nokia 3, Nokia 5, Nokia 6, and the flagship Nokia 8. The Nokia 3 is now making the switch to Android 7.1.1 Nougat, so it may be a while before the phone makes the switch to Oreo.

Oreo brings a slew of new features, including a system-wide autofill API, notification channels, picture-in-picture mode, new emoji, adaptive icons, background execution limits, and much more.

from Android Central