Security specialists state they’ve discovered more than a dozen iPhone apps covertly communicating with a server associated with Golduck, a historically Android-focused malware that infects popular classic game apps, according to a report by TechCrunch.
The malware was first discovered by Appthority over a year ago infecting classic and retro games on Google Play by embedding backdoor code that allowed malicious payloads to be silently pushed to the device. At the time, more than 10 million users were affected by the malware, allowing hackers to run malicious commands at the highest privileges, like sending premium SMS messages from a victim’s phone to make money.
Now, the researchers say iPhone apps linked to the malware could also present a risk.
Wandera, an enterprise security firm, said it found 14 apps — all retro-style games — that were communicating with the same command and control server used by the Golduck malware.
“The [Golduck] domain was on a watchlist we established due to its use in distributing a specific strain of Android malware in the past,” said Michael Covington, Wandera’s vice-president of product. “When we started seeing communication between iOS devices and the known malware domain, we investigated further.”
The affected apps include: Commando Metal: Classic Contra, Super Pentron Adventure: Super Hard, Classic Tank vs Super Bomber, Super Adventure of Maritron, Roy Adventure Troll Game, Trap Dungeons: Super Adventure, Bounce Classic Legend, Block Game, Classic Bomber: Super Legend, Brain It On: Stickman Physics, Bomber Game: Classic Bomberman, Classic Brick – Retro Block, The Climber Brick, and Chicken Shoot Galaxy Invaders.
It was further discovered that the command and control server simply pushes a list of icons into a pocket of ad space in the upper-right corner of the app. When the user opens the game, the server tells the app which icons and links it should serve to the user, according to Wandera’s research. The researchers did, however, see the apps sending IP address data — and, in some cases, location data — back to the Golduck command and control server.
TechCrunch verified the claims by running the apps on a clean iPhone through a proxy, allowing them to see where the data goes. Based on what they saw, the app tells the malicious Golduck server the app name, version, device type and IP address of the device — including how many ads were displayed on the phone.
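The two techniques described above (a watchlist of known C2 domains, and proxying device traffic to see which fields an app sends) can be combined into a simple detection pass over proxy logs. The following is an added example, not Wandera’s or TechCrunch’s code; the log format, the device ids, the parameter names and the watchlist domain `c2.golduck-placeholder.example` are all constructed placeholders.

```python
"""Flag mobile-app traffic to watchlisted C2 domains and record what it leaks.

Added illustration only. The watchlist entry, log layout and query-parameter
names are constructed; they are not the real Golduck infrastructure.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Known-bad domains kept on a watchlist, as Wandera did. Placeholder value.
WATCHLIST = {"c2.golduck-placeholder.example"}

# Constructed proxy log: "<device_id> <method> <url> <user agent...>"
SAMPLE_LOG = """\
ios-01 GET https://c2.golduck-placeholder.example/icons?app=ClassicBomber&ver=1.2&dev=iPhone&ads=7 ClassicBomber/1.2 CFNetwork
ios-01 GET https://cdn.example.net/assets/sprite.png ClassicBomber/1.2 CFNetwork
ios-02 POST https://c2.golduck-placeholder.example/report?app=BlockGame&ver=2.0&dev=iPad&ads=12&lat=-33.8&lon=151.2 BlockGame/2.0 CFNetwork
ios-03 GET https://api.example.org/leaderboard BounceClassic/3.1 CFNetwork
"""


def host_matches(host, watchlist):
    """True if host equals a watchlisted domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_c2_beacons(log_text, watchlist=WATCHLIST):
    """Return {device_id: [finding, ...]} for requests to watchlisted hosts.

    Each finding records the request, the query-string fields the app sent
    (app name, version, device type, ad count) and whether coordinates were
    among them, mirroring the data the article says the apps reported.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        device, method, url, *ua = line.split(" ")
        parts = urlsplit(url)
        if not host_matches(parts.hostname or "", watchlist):
            continue  # normal CDN/API traffic, not of interest here
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        findings[device].append({
            "method": method,
            "host": parts.hostname,
            "path": parts.path,
            "leaked_fields": sorted(params),
            "has_location": {"lat", "lon"} <= set(params),
            "user_agent": " ".join(ua),
        })
    return dict(findings)
```

In practice the watchlist would be loaded from threat intelligence and the log from the proxy itself; the structure of the check is what matters here.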
As of now, the researchers say that the apps are packed with ads — likely as a way to make a quick buck. But they expressed concern that the communication between the app and the known-to-be-malicious server could open up the app — and the device — to malicious commands down the line.
“The apps themselves are technically not compromised; while they do not contain any malicious code, the backdoor they open presents a risk for exposure that our customers do not want to take.
“A hacker could easily use the secondary advertisement space to display a link that redirects the user and dupes them into installing a provisioning profile or a new certificate that ultimately allows for a more malicious app to be installed,” said the researchers.
One of the iPhone apps, “Classic Bomber,” which was spotted communicating with a malicious command and control server. It’s since been pulled from the U.S. store. (Screenshot: TechCrunch)
That could be said for any game or app, regardless of device maker or software. But the connection to a known malicious server isn’t a good look. Covington said that the company has “observed malicious content being shared from the server,” but that it wasn’t related to the games.
The implication is that if the server is sending malicious payloads to Android users, iPhone users could be next.
TechCrunch sent the list of apps to data insights firm Sensor Tower, which estimated that the 14 apps had been installed close to one million times since they were released — excluding repeated downloads or installs across different devices.
When we tried contacting the app makers, many of the App Store links pointed to dead links or to pages with boilerplate privacy policies but no contact information. The registrant on the Golduck domain appears to be fake, along with other domains associated with Golduck, which often have different names and email addresses.
Apple did not comment when reached prior to publication. The apps appear to still be downloadable from the App Store, but all now say they are “not currently available in the U.S. store.”
Apple’s app stores may have a better rap than Google’s, which every once in a while lets malicious apps slip through the net. In reality, neither store is perfect. Earlier this year, security researchers found a top-tier app in the Mac App Store that was collecting users’ browsing history without permission, and dozens of iPhone apps that were sending user location data to advertisers without explicitly asking first.
For the average user, malicious apps remain the largest and most common threat to mobile users — even with locked down device software and the extensive vetting of apps.
If there’s one lesson, now and always: don’t download what you don’t need, or can’t trust.
Why Your Password is the Next to Get Nabbed [Infographics]
Passwords are like the keys to your personal home online. You should do everything you can to prevent people from gaining access to your password. You can also further secure your accounts by using additional authentication methods.
Typing a username and password into a website isn’t the only way to identify yourself on the web services you use. Today’s infographic is titled “Why Your Password is the Next to Get Nabbed”. Follow it, read through it and learn.
Hackers Hit Sony Again, as PlayStation Goes Offline
Sony was hit by another hack Monday when its PlayStation network went offline for a few hours.
According to a report by CNN, customers trying to access the PlayStation Store were greeted by a note saying “Page Not Found! It’s not you. It’s the internet’s fault.”
Hacker group Lizard Squad claimed responsibility for the attack. It posted “PSN Login #offline #LizardSquad” on its Twitter feed.
PlayStation owners were able to play games offline, but couldn’t communicate with other players or make use of network functions.
Sony (SNE) said the problem had been resolved and it was investigating what caused the outage.
PlayStation’s competitor, Xbox Live, suffered a similar attack by Lizard Squad last week. The outage meant owners of the Microsoft (MSFT) console were unable to download apps, games and movies, or connect with other gamers.
Lizard Squad warned more attacks were coming.
“Unlike Santa, we don’t like giving all of our Christmas presents out on one day. This entire month will be entertaining,” Lizard Squad tweeted.
The attacks come only days after hackers — possibly connected to North Korea — brought Sony Pictures to its knees by stealing more than 100 terabytes of data.
They leaked new movies, such as the World War II drama “Fury”, and exposed internal memos and personal information about Sony’s employees — including the salaries and Social Security numbers of celebrities Conan O’Brien and Sylvester Stallone.
The FBI has warned other companies to be on alert for the malicious software that infected Sony’s computers.
The attacks on the games’ networks appear to be unrelated to the major Sony breach last week.
Online passwords could be replaced by photos
Now that we’re all well and truly quaking from the news that Russians have stolen over a billion passwords, perhaps you’ve thought about stepping up your online security.
But changing to another password after yet another massive security breach is proving tiresome, and the new one is just bloody hard to remember. There may be an easy solution in the form of an app idea from an 18-year-old: just use pictures.
The app called uSig has been created by Aussie Dan Crowther and he’s currently showing it off to fellow cybersecurity geeks at Passwords Con in Las Vegas.
To ensure the highest-strength password around you need to make it as complex as possible, but good luck trying to remember that. With this approach you could have a 512-character password and all you’d need to do is pick a photo on your mobile.
A photo is easy to remember and it could avoid hacking tricks such as keylogging as the tiles of photos on screen will never be in the same place twice. It could even work with websites continually changing passwords to confuse hackers, but not you, as all you need to do is choose that image. Easy.
The idea has yet to be tested in the wild. Problems such as someone looking over your shoulder and easily clocking that picture, because it’s easier for hackers to remember a picture too, will have to be addressed. But the idea could be a great step for security as even biometric security is vulnerable. It’ll also be a massive timesaver.
Source: news.com.au