ESET Finds Flashlight Trojan in Google Play Store – Google Removes It

Android users were targeted by a banking malware with screen locking capabilities, masquerading as a flashlight app on Google Play. Google was notified and removed the application – however, 5,000 or so users had downloaded the app before it was removed from the Google Play store.

Android users were the target of another banking malware with screen locking capabilities, masquerading as a flashlight app on Google Play. Unlike other banking trojans with a static set of targeted banking apps, this trojan is able to dynamically adjust its functionality.

Aside from delivering promised flashlight functionality, the remotely controlled trojan comes with a variety of additional functions aimed at stealing victims’ banking credentials. Based on commands from its C&C server, the trojan can display fake screens mimicking legitimate apps, lock infected devices to hide fraudulent activity and intercept SMS and display fake notifications in order to bypass two-factor authentication.

The malware can affect all versions of Android. Because of its dynamic nature, there might be no limit to targeted apps – the malware obtains HTML code based on apps installed on the victim’s device and uses the code to overlay the apps with fake screens after they’re launched.

The trojan, detected by ESET as Trojan.Android/Charger.B, was uploaded to Google Play on March 30 and was installed by up to 5,000 unsuspecting users before being pulled from the store on ESET’s notice on April 10.

Figure 1: Flashlight banking trojan discovered on Google Play

How does it operate?

As soon as the app is installed and launched, it requests device administrator rights. Users with Android 6.0 and above also need to manually permit usage access and drawing over other apps. With the rights and permissions granted, the app hides its icon, appearing on the device only as a widget.

The actual payload is encrypted in the assets of the APK file installed from Google Play, evading detection of its malicious functionality. The payload is dropped, decrypted and executed when the victim runs the app.

The trojan first registers the infected device to the attackers’ server. Apart from sending device information and a list of installed applications, the malware gets up close and personal with its victims – it also attaches a picture of the device owner taken by the front camera.

If the sent information indicates the device is located in Russia, Ukraine or Belarus, the C&C commands the malware to stop its activity – most likely to avoid prosecution of the attackers in their home countries.

Based on the apps found installed on the infected device, the C&C sends corresponding fake activity in the form of a malicious HTML code. The HTML is displayed in WebView after the victim launches one of the targeted apps. Legitimate activity is then overlaid by a fake screen requesting a victim’s credit card details or banking app credentials.

However, as mentioned before, specifying what apps qualify as “targeted” is tricky, as the requested HTML varies based on what apps are installed on the particular device. During our research, we’ve seen fake screens for Commbank, NAB and Westpac Mobile Banking, but also for Facebook, WhatsApp, Instagram and Google Play.

The credentials inserted into the fake forms are sent unencrypted to the attackers’ C&C server.

As for the device locking, we suspect this function enters the picture when cashing out the compromised bank accounts. The attackers can remotely lock devices with a fake update lookalike screen to hide fraudulent activity from victims, as well as to ensure they can’t interfere.

Figure 2: How a Trojan Banking Application Tricks Users

Has my device been infected? How do I clean it?

If you’ve recently downloaded a Flashlight app from Google Play, you might want to check if you haven’t accidentally reached for this trojan.

The malicious app can be found in Settings > Application Manager/Apps > Flashlight Widget.

Figure 3: Check if you have ‘Flashlight Widget’ installed.

While locating the app is simple, uninstalling it is not. The trojan tries to prevent this by not allowing victims to turn off the active device administrator – a necessary step for removing the app. When trying to deactivate the rights, the pop-up screen doesn’t go away until you change your mind and click “activate” again.

In such a case, the app can be uninstalled by booting your device into Safe mode, which will enable you to go through the following two steps to remove the malicious app.

See video below for instructions:

How to stay safe

To avoid dealing with the consequences of mobile malware, prevention is always the key.

Whenever possible, opt for official app stores when downloading apps. Although not flawless, Google Play does employ advanced security mechanisms to keep malware out, which isn’t necessarily the case with alternative stores.

When in doubt about installing an app, check its popularity by the number of installs, its ratings, and, most importantly, the content of reviews.

After running anything you’ve installed on your mobile device, pay attention to what permissions and rights it requests. If an app asks for permissions that don’t seem adequate to its function – like device administrator rights for a Flashlight app – you might want to rethink your choice.

Last but not least, use a reputable mobile security solution to protect your device from latest threats.

Windows Defender Shows a Warning with a Third Party Antivirus

In recent Windows Updates, there have been some changes to how Microsoft’s own antivirus, Windows Defender, behaves on your system. The theory is that if you have no antivirus, or Windows Defender is turned off, it will remind you that this is the case, so that you at least have some kind of antivirus running.

Confusion has arisen with some customers thinking that this means they must uninstall their ESET protection. Let us be clear – Windows Defender is better than no protection, but is NOT better than your ESET protection – not even close. Windows Defender is NOT AS GOOD as ESET. There – we said it another way as well.

So – how do you get Windows Defender to quit bugging you?

Windows Defender may show you an Exclamation Mark – or Warning!

Well – first off – you will NOT get Windows Defender to turn green unless it is the primary (only) antivirus – it will always stay ‘yellow’ – but we can help you get rid of the warning messages.

First – turn on Periodic scanning

Turn on Periodic Scanning – but do not be tempted to uninstall your SUPERIOR Antimalware solution from ESET.

Now you should start a ‘quick scan’ – the Exclamation mark will remain until Windows Defender has completed some type of scan.

If you are using a PC cleaner solution – such as ‘ccleaner’ – we recommend that you upgrade to the latest version and then UNCHECK the Windows Defender option, because cleaning up the Windows Defender scan results will cause the warning from Defender to come back!

In ccleaner – remove the checkmark next to ‘Windows Defender’.

If you continue to have problems with Windows Defender, please contact us for support.

New Year Order Processing 2017

We wish you a Happy and Prosperous New Year, and we sincerely thank you for your on-going custom…

ESET is performing a MASSIVE upgrade of their online ordering systems, which means we are unable to process orders until January 3rd. All new and renewal orders will be processed on the 3rd of January.

We apologize for the delay, it is entirely beyond our control.

Your Computer Security Solution Team

Christmas Specials at BetterAntivirus.com

In celebration of the season, we’re running a huge sale on all our New 1-Year Licenses – Save 25%!!

All prices below are for new 1-year licenses at 25% off.

Product | Price | Special
ESET NOD32 Antivirus: 1 Computer, 1 Year | $39.99 | $29.99
ESET NOD32 Antivirus: 2 Computers, 1 Year | $49.99 | $37.49
ESET NOD32 Antivirus: 3 Computers, 1 Year | $59.99 | $44.99
ESET NOD32 Antivirus: 4 Computers, 1 Year | $69.99 | $52.49
ESET NOD32 Antivirus: 5 Computers, 1 Year | $79.99 | $59.99

ESET Internet Security: 1 Computer, 1 Year | $59.99 | $44.99
ESET Internet Security: 2 Computers, 1 Year | $69.99 | $52.49
ESET Internet Security: 3 Computers, 1 Year | $79.99 | $59.99
ESET Internet Security: 4 Computers, 1 Year | $89.99 | $67.49
ESET Internet Security: 5 Computers, 1 Year | $99.99 | $74.99

ESET Smart Security: 1 Computer, 1 Year | $59.99 | $44.99
ESET Smart Security: 2 Computers, 1 Year | $69.99 | $52.49
ESET Smart Security: 3 Computers, 1 Year | $79.99 | $59.99
ESET Smart Security: 4 Computers, 1 Year | $89.99 | $67.49
ESET Smart Security: 5 Computers, 1 Year | $99.99 | $74.99

ESET Smart Security Premium: 1 Computer, 1 Year | $79.99 | $59.99

ESET Multi Devices Security: 6 Devices, 1 Year | $84.99 | $63.74
ESET Multi Devices Security: 10 Devices, 1 Year | $99.99 | $74.99

ESET CyberSecurity for Mac: 1 Mac, 1 Year | $39.99 | $29.99
ESET CyberSecurity for Mac: 2 Macs, 1 Year | $49.99 | $37.49
ESET CyberSecurity for Mac: 3 Macs, 1 Year | $59.99 | $44.99
ESET CyberSecurity for Mac: 4 Macs, 1 Year | $69.99 | $52.49
ESET CyberSecurity for Mac: 5 Macs, 1 Year | $99.99 | $74.99

ESET CyberSecurity Pro for Mac: 1 Mac, 1 Year | $59.99 | $44.99
ESET CyberSecurity Pro for Mac: 2 Macs, 1 Year | $69.99 | $52.49
ESET CyberSecurity Pro for Mac: 3 Macs, 1 Year | $79.99 | $59.99
ESET CyberSecurity Pro for Mac: 4 Macs, 1 Year | $99.99 | $74.99
ESET CyberSecurity Pro for Mac: 5 Macs, 1 Year | $119.99 | $89.99

ESET earns a record 100 VB100 Awards from Virus Bulletin

ESET has achieved a monumental 100 VB100 Awards from Virus Bulletin:

ESET has reached a monumental milestone in the security industry. ESET NOD32 is the first product ever to pass the magical threshold of 100 VB100 Awards received by a single product. The one hundredth VB100 Award was presented to ESET CEO Richard Marko by John Hawes, Virus Bulletin’s Chief of Operations, at a ceremony on December 16th, 2016.

“We are honored to be the first to receive 100 VB100 Awards for a single product,” said Richard Marko, ESET CEO at the ceremony. “Since the first VB100 Award in 1998, we have grown from a small dynamic company made up of a few technologists, into an established endpoint security vendor with over 100 million users in more than 200 countries and territories.”

Between now and the end of the year, we have 25% off new 1-year ESET Home Licenses!

Cyber Monday 2016 – One Day Only – save 25% on New ESET Home Licenses

Cyber Monday Deal Details – One Day Only!

Save 25% on new ESET Home Licenses

Save 25% on New ESET NOD32 Antivirus
Save 25% on New ESET Smart Security
Save 25% on CyberSecurity for Mac OSX
Save 25% on CyberSecurity Pro for Mac OSX

By Popular Demand: Save 25% extended to ESET + Carbonite Bundles

Save 25% on New ESET NOD32 Antivirus + Carbonite Bundles
Save 25% on New ESET Smart Security + Carbonite Bundles

Crysis Ransomware Decryption Tools Released by ESET

Since it first appeared, ransomware’s profitable business – in short, compromising and encrypting data belonging to companies and users and requesting payment in exchange for the restoration of infected files – has grown rapidly.

One of the threats that has had a significant impact and infected a considerable number of users worldwide was the family detected by ESET solutions as Win32/Filecoder.Crysis. Luckily, however, ESET has developed a free tool to decrypt files and recover the information that might have been compromised.

A new tool to recover encrypted files

ESET has created a free decryption tool for Crysis ransomware victims in order to help anyone whose data or devices have been affected by the Crysis family. The tool was developed using the master decryption keys recently published.

If you have been a victim of Crysis ransomware, you can find and download the ESET Crysis decryptor from our free utilities page. If you need additional information on how to use the tool, please refer to ESET Knowledgebase.

5 Tips on How to Avoid Phishing Attacks

As a report from the Anti-Phishing Working Group (APWG) revealed earlier this year, there has been a notable rise in the number of phishing attacks. It’s a widespread problem, posing a huge risk to individuals and organizations (there were, for example, more attacks in Q1 2016 than in any other quarter in history).

Needless to say, it’s something we all need to be aware of, as these types of attacks are not going to go away anytime soon. But worry not, as our Top 5 guide will help keep these criminals at bay.

Before we go into that, here’s a brief overview of what phishing is (for more detail, check out this expert feature). In short, it’s a vector for identity theft where cybercriminals try to get users to hand over personal and sensitive information (without them knowing it). Interestingly, phishing has – in one form or another – been around for years via phone calls and physical letter scams.

Cybercriminals have typically deployed phishing attacks post-breach. This was the case with the Anthem and eBay data breaches, where criminals sent out warnings to users advising them to change their passwords (but directing them to a fake website in an attempt to harvest their details).

However, some information security pros now believe that cybercriminals view phishing attacks as a successful (and easy) way of getting into an enterprise to launch more sophisticated attacks. Humans are, after all, increasingly seen as the weakest link (insider threats are a big problem) and thus the most effective target for criminals looking to infiltrate an enterprise or SME.

Follow the tips below and stay better protected against phishing attacks.

1. Be sensible when it comes to phishing attacks

You can significantly reduce the chance of falling victim to phishing attacks by being sensible and smart while browsing online and checking your emails.

For example, as ESET’s Bruce Burrell advises, never click on links, download files or open attachments in emails (or on social media), even if it appears to be from a known, trusted source.

You should never click on links in an email to a website unless you are absolutely sure that it is authentic. If you have any doubt, you should open a new browser window and type the URL into the address bar.

Be wary of emails asking for confidential information – especially if it asks for personal details or banking information. Legitimate organizations, including and especially your bank, will never request sensitive information via email.

2. Watch out for shortened links

You should pay particularly close attention to shortened links, especially on social media. Cyber criminals often use these – from Bitly and other shortening services – to trick you into thinking you are clicking a legitimate link, when in fact you’re being inadvertently directed to a fake site.

You should always hover your mouse over a web link in an email to check that you’re actually being sent to the right website – that is, that the address shown in the email text is the same as the destination revealed on mouse-over.

Cybercriminals may use these ‘fake’ sites to steal your entered personal details or to carry out a drive-by-download attack, thus infesting your device with malware.

3. Does that email look suspicious? Read it again

Plenty of phishing emails are fairly obvious. They will be punctuated with plenty of typos, words in capitals and exclamation marks. They may also have an impersonal greeting – think of those ‘Dear Customer’ or ‘Dear Sir/Madam’ salutations – or feature implausible and generally surprising content.

Cyber criminals will often make mistakes in these emails … sometimes even intentionally to get past spam filters, improve responses and weed out the ‘smart’ recipients who won’t fall for the con.

Indeed, it has been rumored that China’s infamous PLA Unit 61398 spends time seeing just how many people would open and interact with their worst phishing emails.

4. Be wary of threats and urgent deadlines

Sometimes a reputable company does need you to do something urgently. For example, in 2014, eBay asked its customers to change their passwords quickly after its data breach.

However, this is an exception to the rule; usually, threats and urgency – especially if coming from what claims to be a legitimate company – are a sign of phishing.

Some of these threats may include notices about a fine, or advising you to do something to stop your account from being closed. Ignore the scare tactics and contact the company separately via a known and trusted channel.

5. Browse securely with HTTPS

You should always, where possible, use a secure website (indicated by https:// and a security “lock” icon in the browser’s address bar) to browse, and especially when submitting sensitive information online, such as credit card details.

You should never use public, unsecured Wi-Fi for banking, shopping or entering personal information online (convenience should not trump safety). When in doubt, use your mobile’s 3/4G or LTE connection.

As a slight aside, it should be easier to spot dodgy, insecure websites – Google, for example, is looking to crack down on this soon by labeling sites that do not offer appropriate protection.
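An added example (not from the original post) that automates the checks in tips 2 and 5: it pulls every link out of an HTML e-mail, compares the address shown in the link text with the real destination, flags known shortening services, and flags plain-http targets. The shortener list, the crude domain comparison and the sample e-mail are assumptions constructed for illustration.

```python
"""Flag suspicious links in an HTML e-mail body: automates the mouse-over
check from tip 2 and the HTTPS check from tip 5. Everything here, including
SAMPLE_EMAIL, is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative list of shortening services; extend it for your own mail flow.
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' when it has none (mailto:, #)."""
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude eTLD+1 (last two labels); assumption: fine for .com-style hosts,
    a real deployment would consult the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _displayed_host(text):
    """Host the link *appears* to go to, if its visible text looks like a URL."""
    if " " in text or "." not in text:
        return ""
    return _host(text if "://" in text else "http://" + text)


def analyse_links(html_body):
    """Return [(href, text, findings)] per anchor; empty findings means OK."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    results = []
    for href, text in collector.links:
        findings = []
        target = _host(href)
        shown = _displayed_host(text)
        # Tip 2: the address in the e-mail text differs from the real target.
        if shown and _registrable(shown) != _registrable(target):
            findings.append(f"text shows {shown} but href goes to {target}")
        if target in SHORTENERS:
            findings.append("shortened link hides the real destination")
        # Tip 5: credentials or card details must never travel over plain http.
        if urlparse(href).scheme.lower() == "http":
            findings.append("plain http, not https")
        results.append((href, text, findings))
    return results


# Constructed phishing-style message; the hosts and paths are made up.
SAMPLE_EMAIL = """<p>Dear Customer,</p>
<p>Please log in at <a href="http://mybank-secure-login.example.net/verify">www.mybank.com</a>
to confirm your details, or read <a href="https://bit.ly/made-up-path">our help page</a>.</p>
<p>Regards, <a href="https://www.mybank.com/">www.mybank.com</a></p>"""
```

Running `analyse_links(SAMPLE_EMAIL)` flags the first link twice (mismatched host, plain http), the second once (shortener) and the third not at all.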

Ransomware: To pay or not to pay?

Towards the end of July 2016, Kevin Townsend brought it to my attention that Europol, the European Union’s law enforcement agency, had announced an initiative to address the ransomware problem. No More Ransom is intended to provide information and help victims recover their data without paying a ransom to the criminals. As well as being quoted by Kevin in his article linked above, I commented on the No More Ransom portal at more length for AVIEN, where I maintain information resources on ransomware and on tech support scams.

Subsequently, however, Kevin came back to me when he was researching another article based on research commissioned by Malwarebytes indicating that:

39% of enterprises were hit by ransomware last year … Of those, 40% paid the attackers in order to retrieve their data.

Picking up on the suggestion that ‘40% of corporate victims pay up’, he said:

Many AV companies say there is little chance of recovery without the keys. FBI says corporates have a risk decision to make. Europol says simply ‘don’t pay’. Is Europol being realistic?

You can read a brief extract from my response to that question in Kevin’s article, as well as the replies of other commentators such as Jérôme Segura and Graham Cluley. However, here’s my full response (slightly re-edited for clarity):

In the abstract, there’s an undeniable argument that if you give in and pay the ransom, you’ve directly contributed to the wellbeing of criminality. In many cases, it’s a purely economic decision: it’s cheaper to pay up than lose the data. In other words, you’re providing sustenance to a protection racket.

On the other hand, if you don’t pay up, you probably don’t get your data back – sometimes there is an effective free decrypter available, but most of the time the security industry can’t provide one – and maybe the damage is so severe that you go out of business. You can’t blame people – or companies – if they decide to pay up rather than commit financial suicide, any more than you can blame them for giving their wallets to people who threaten them with knives. In fact, since we’re talking about corporates rather than individuals, it might be seen as being more responsible to pay up rather than destroy the livelihoods of all staff, including those right at the bottom of the hierarchy who are generally less likely than the board of directors to survive the damage to their finances.

If people and companies didn’t pay up, then ransomware attacks would become uneconomic, which wouldn’t stop criminality, but would force crooks to explore other avenues – or maybe I should say dark and sinister alleyways. However, the attacks will remain economically viable as long as people aren’t willing or able to defend their data proactively. It’s easy for those who have the knowledge and resources to implement adequate defences – which is not as easy as many commentators make out – to say that it’s ‘wrong’ to give in to ransom demands. Of course companies should implement such defences, and that would impact on the viability of the attacks. If they don’t do so because it’s cheaper to pay up than to spend money on a backup strategy, then that is reprehensible. I don’t know how often that happens, though: after all, sound backup practice is a defence against all sorts of misfortune, not just ransomware.

We sometimes hear of instances where organizations pay ransomware even though they do have backups because it’s the cheaper option. That’s not only irresponsible (because there is no doubt that it encourages criminality) but it suggests something significantly wrong with the backup strategy they have in place. A deterrent that you can’t afford to use is of little practical use.

Most security bloggers will advise individuals and businesses not to pay the ransom, taking the same view as Europol, as quoted in another article.

If your own business data are at stake, or even your personal data such as photographs which are irreplaceable by any other means, you might feel differently. It seems to me, though, that there is a certain amount of recent softening on that hard-line view. Martijn Grooten pointed out for Virus Bulletin that:

… Paying the ransom should always be the last resort … but sometimes … the only sensible business decision left is to pay the criminals …

As you may have gathered from the above, I’m pretty much in agreement. Ryan Naraine also admits to a shift in his viewpoint. He described in How to avoid becoming the next victim of ransomware, how he was forced to acknowledge that some institutions have real difficulty in resourcing the sort of security that defeats ransomware and have no choice but to pay up after a ransomware incident simply in order to stay in business. Specifically, he quotes from a healthcare organization’s IT administrator, who pointed out that:

“We have no computers to use. All our backups are encrypted. It’s a case of desperation. We either pay $800 or we spend thousands to rebuild systems and try to recover data. In practice, we have no choice but to pay the ransom …”

It’s worth pointing out that in such a case an organization is not only obliged to meet statutory obligations but also has a duty of care to the people who use their services. In the event of a failure to protect their data, irrespective of whether that failure is down to technological shortcomings or human error, and where there is no other way of retrieving those data, that duty of care might – and perhaps should – outweigh the point of principle stressed by Europol. Healthcare is not the only area in which such a conflict may arise with a serious impact on the individual, of course, but healthcare organizations have been heavily and publicly hit by ransomware over the last year or so.

Nevertheless I’m going to repeat my own advice that an ounce of prevention (and backup) is worth a ton of Bitcoins, and doesn’t encourage the criminals to keep working on their unpleasant technologies and approaches to social engineering. It’s worth remembering that paying the ransom doesn’t get the data back, either. And there’s unlikely to be a money-back guarantee, as pointed out in an advisory issued by the FBI that also takes a strong ‘no pay’ position.

The agency also offers a series of basic tips on reducing the risk from ransomware that will benefit individuals as well as corporate users, and reduce the risk from other kinds of attack too. I’m still mildly amused, though, by the advice to:

Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

Since it’s a bit tricky to back up data without connecting to the system used for primary storage, I suspect that what they meant was that you shouldn’t have your secure backups routinely or permanently accessible from that system, since that entails the strong risk that the backups will also be encrypted by the ransomware. The expanded tips given in an FBI brochure are somewhat clearer on that point.

By David Harley