Archive for April 17, 2017

Ruh Oh! Android Trojan Found On The Google Play Store

Posted in Commentary with tags , on April 17, 2017 by itnerd

One of the things that I’ve always been leery about when it comes to Android is the prevalence of malware on that platform. As in, you can trip over it without trying too hard and get yourself in trouble in the process. Here’s a case in point. The Hacker News is reporting that an app that advertised itself as a funny video player was on the Google Play Store. Here’s what it could do to you if you installed it:

Once downloaded, the app persistently requests administrative rights, and if granted, the banking malware can control everything that’s happening on an infected smartphone.

The BankBot springs into action when the victim opens any of the mobile apps from a pre-configured list of 425 banking apps. A complete list of banks a BankBot variant is currently imitating can be found on the blog post published by the researcher.

Once one of the listed apps is opened, BankBot immediately displays an overlay, which is a page on the top of legitimate mobile banking app and tricks Android users entering their banking credentials into the overlay, just like a phishing attack.

This was found by a researcher who contacted Google, who in turn yanked the app. But that’s not to say that there’s other variants floating around out there. But here’s the key point: This was found on the Google Play Store and not some shadowy third party app store. You have to wonder how that happened and if Google really tries to mitigate this stuff from showing up on the Play Store. From where I stand I have to question that because this is not a trivial Trojan seeing as it is clear that a significant amount of effort went into creating it and getting it to be able to do its evil work transparently.


An Exploit That Is “Impossible To Detect” Exists On Chrome, Firefox, & Opera

Posted in Commentary with tags , , , on April 17, 2017 by itnerd

A Chinese researcher has found an exploit that can be leveraged for phishing attacks on Chrome, Firefox, and Opera. Here’s the kicker, there’s no way you can protect yourself. Here’s the details from The Hacker News:

Hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon to steal login or financial credentials and other sensitive information from users.


Okay, then before going to the in-depth details, first have a look at this demo web page, set up by Chinese security researcher Xudong Zheng, who discovered the attack.

“It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate.” Xudong Zheng said in a blog post.

If your web browser is displaying “” in the address bar secured with SSL, but the content on the page is coming from another server (as shown in the above picture), then your browser is vulnerable to the homograph attack.

Homograph attack has been known since 2001, but browser vendors have struggled to fix the problem. It’s a kind of spoofing attack where a website address looks legitimate but is not because a character or characters have been replaced deceptively with Unicode characters.

Lovely. Google (via Engadget) says that they have a fix on the way for this. Firefox users can mitigate the attack by doing the following:

  1. Type about:config in address bar and press enter.
  2. Type Punycode in the search bar.
  3. Browser settings will show parameter titled: network.IDN_show_punycode, double-click or right-click and select Toggle to change the value from false to true.

Opera and Chrome users have no mitigation strategies available at this time. Hopefully, all three browsers will be fixed shortly as this is extremely dangerous.