May 11 2023

Millions of mobile phones come pre-infected with malware, say researchers

Category: Information Security,Malware,Mobile Securitydisc7 @ 12:03 pm

The threat is coming from inside the supply chain

BLACK HAT ASIA Threat groups have infected millions of Androids worldwide with malicious firmware before the devices have even been shipped from their manufacturers, according to Trend Micro researchers at Black Hat Asia.

The mainly mobile devices, but also smartwatches, TVs and more, have their manufacturing outsourced to an original equipment manufacturer (OEM), a process the researchers say makes them easily infiltrated.

“What is the easiest way to infect millions of devices?” posed senior threat researcher Fyodor Yarochkin, speaking alongside colleague Zhengyu Dong.

He compared infiltrating devices at such an early stage of their life cycle to a tree absorbing liquid: you put the infection at the root, and it gets distributed everywhere, out to every single limb and leaf.

The malware installation technique began as the price of mobile phone firmware dropped. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product.

“But of course there’s no free stuff,” said Yarochkin, who explained that the firmware started to come with an undesirable feature – silent plugins. The team manually analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed.

The plugins that were the most impactful were those that had built a business model around them and were selling underground services, marketing them out in the open on places like Facebook, in blog posts, and on YouTube.

    The objective of the malware is to steal info or make money from information collected or delivered.

    The malware turns the devices into proxies which are used to steal and sell SMS messages, social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud.

    One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more.

    “The user of the proxy will be able to use someone else’s phone for a period of 1200 seconds as an exit node,” said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

    Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.

    As for where the threats are coming from, the duo wouldn’t say specifically, although the word “China” showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world’s OEMs are located and make their own deductions.

    “Even though we possibly might know the people who build the infrastructure for this business, its difficult to pinpoint how exactly the this infection gets put into this mobile phone because we don’t know for sure at what moment it got into the supply chain,“ said Yarochkin.

    The team confirmed the malware was found in the phones of at least 10 different vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end.

    “Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin. ®

    https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/

    #Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

     InfoSec tools | InfoSec services | InfoSec books

    Tags: Mobile phone security, Pegasus


    Aug 02 2022

    Pegasus is listening

    Category: SpywareDISC @ 1:55 pm
    Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba

    Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba

    You may not recognize the name Carine Kanimba, but you have probably heard of her dad: Paul Rusesabagina. He was the manager of Hôtel des Milles Collines and rather famously decided to shelter some 1,200 mostly Tutsi Rwandans in his hotel during the 1994 genocide in Rwanda. Don Cheadle played him in the movie Hotel Rwanda.

    After, Rusesabagina became a superstar ambassador of human rights. He wrote an autobiography about his work during the genocide; President George W. Bush awarded him the Medal of Freedom; and he went on the speakers’ circuit not just talking about 1994 – but criticizing the current government of President Paul Kagame for trampling on human rights.

    In August 2020, Rusesabagina boarded a private jet for what he thought would be a trip to Burundi, but instead he was rendered to Rwanda. He’s since been sentenced to 25-years in prison.

    Carine Kanimba was on Capitol Hill last week to talk not just about her dad (who adopted sisters Carine and Anaïse shortly after the genocide), but also her recent discovery that she’s been targeted by a commercial spyware program called Pegasus. And she believes the Rwandan government was behind it.

    Pegasus spyware is the brainchild of an Israeli company called NSO Group and it has been found on the phones of so many activists around the world it has become a kind of cautionary tale about the commercial spyware industry. It has been linked to the murder of journalist Jamal Khashoggi, discovered on the phones of Mexican opposition leadersCatalonian politicians, and journalists and lawyers around the world. (In a statement, NSO Group told Click Here that it “thoroughly investigates any claim for illegal use of its technology by customers, and terminates contracts when illegal use is found.”)

    The Click Here podcast sat down with Kanimba shortly after her Congressional testimony to talk to her about her role as a human rights advocate, what it is like finding oneself on the receiving end of a spyware campaign, and why she is confident she will win her father’s release. The interview has been edited and shortened for clarity.

    CLICK HERE: We wanted to start by saying we’re very sorry about what you’re going through with your father…

    For complete interview – Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba

    Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy

    Tags: A Privacy Killer, NSO’s Pegasus, Pegasus, Pegasus spyware