malware – Devstyler.io
https://devstyler.io
News for developers from tech to lifestyle. Feed last built Tue, 30 May 2023 20:14:46 +0000.

Popular App on Google Play Spying on Users?
https://devstyler.io/blog/2023/05/31/popular-app-on-google-play-spying-on-users/ (Wed, 31 May 2023 07:00:12 +0000)

A cybersecurity company is accusing a popular Android app that has tens of thousands of downloads on Google Play of secretly spying on its users, including by stealing microphone recordings and other documents from the user’s phone, TechCrunch reports.

ESET’s research found that the Android app “iRecorder – Screen Recorder” introduced the malicious code as an app update almost a year after it was first listed on Google Play. According to ESET, the code allowed the app to invisibly upload one minute of ambient audio from the device’s microphone every 15 minutes, as well as extract documents, web pages and media files from the user’s phone.

Google Play has removed the app from its listings. If the app was installed on your device, it is a good idea to delete it. The malicious app had accumulated more than 50,000 downloads.

ESET is calling the malicious code AhRat, a customized version of an open-source remote access trojan called AhMyth. Remote access trojans (or RATs) take advantage of broad access to a victim’s device and can often include remote control, but also function similarly to spyware and stalkerware.

This isn’t the first time AhMyth has sneaked onto Google Play. Both Google and Apple check apps for malware before listing them for download. Last year, Google said it prevented more than 1.4 million privacy-violating apps from reaching Google Play.

Microsoft Expands Developer Capabilities in Azure Sphere IoT Platform
https://devstyler.io/blog/2023/01/17/microsoft-expands-developer-capabilities-in-azure-sphere-iot-platform/ (Tue, 17 Jan 2023 09:28:24 +0000)

Developers can now use the Rust programming language when creating applications in the Azure Sphere platform for Internet-connected devices.

Developers can take advantage of the performance and security capabilities in Rust to create software for IoT devices and other embedded systems that may be the target of botnets and other malware.

The move by tech giant Microsoft, which introduced the idea back in June 2022, coincides with Google’s decision to support third-party Rust libraries in its open-source Chromium project. Like Microsoft, Google highlighted the security features of the programming language.

“Rust and Azure Sphere are a good match – a programming language that can improve safety of code with strict compile time safety checks alongside Azure Sphere’s secure identity, update, and end-to-end encrypted communication services for internet-connected devices should provide greater security to the customer applications,” Akshatha Udayashankar, an embedded software engineer at Microsoft, wrote in a blog post.

Azure Sphere includes built-in security features for Internet-connected devices and consists of hardware built on chips from MediaTek and a Linux-based operating system. It also includes cloud-based Azure Sphere Security Services (AS3), which creates a secure connection between devices and the Internet or cloud.

AS3 provides secure boot, device identity authentication, software trust, and device certification that works with trusted code. Through it, Microsoft can securely deliver updates to the Azure Sphere operating system and to apps on devices.

The Microsoft blog explains that Rust strives to make code both safe and fast. Zero-cost abstractions ensure that higher-level features compile into low-level code that is as fast as code written by hand. Checks performed by the Rust compiler preserve stability while features are added and code is refactored. This contrasts with legacy code in languages without these checks, which is riskier and requires more careful attention, review, and testing.

Like other Azure Sphere applications, those now built in Rust are expected to remain fully functional in 2031, regardless of the security patches, fixes, and new features added to Azure Sphere OS by then. Rust can be very efficient, but because it compiles many dependencies into the application itself, in some cases it may be necessary to evaluate how a Rust implementation uses memory compared with a C application.

US Agencies Warn: Custom-Made Hacking Tools Could Gain Full Access To Critical Infrastructure
https://devstyler.io/blog/2022/04/14/uus-agencies-warn-custom-made-hacking-tools-could-gain-full-access-to-critical-infrastructure/ (Thu, 14 Apr 2022 13:08:00 +0000)

Several advanced persistent threat (APT) actors have created custom-made tools designed to breach IT equipment used in critical infrastructure facilities, according to a new advisory from multiple US agencies, reported by The Record.

The official alert was released yesterday (Wednesday) by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI). The agencies warned critical infrastructure operators of potential attacks targeting multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

The alert says the tools used in the attacks were designed specifically for Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

The agencies urged energy sector organizations and other critical infrastructure facilities to implement the detection and mitigation recommendations provided in the alert.

The alert said the actors are specifically targeting Schneider Electric MODICON and MODICON Nano PLCs, including TM251, TM241, M258, M238, LMC058, and LMC078; and OMRON Sysmac NJ and NX PLCs, including NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT.

Robert Lee, CEO of security company Dragos, said the company has been tracking an ICS-specific malware called PIPEDREAM that was developed by a group they named CHERNOVITE.

Lee said the malware initially targets Schneider Electric and Omron controllers and takes advantage of native functionality in operations, making it more difficult to detect.

“It includes features such as the ability to spread from controller to controller and leverage popular ICS network protocols such as ModbusTCP and OPC UA,” Lee explained. “Uniquely, this malware has not been employed in target networks. This provides defenders a unique opportunity to defend ahead of the attacks.”

Lee noted that they assess “with high confidence” that CHERNOVITE is a state actor that created the PIPEDREAM malware for use in disruptive or destructive operations against ICS.

“Specifically the initial targeting appears to be liquid natural gas and electric community specific. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems,” Lee added.

CISA has released several warnings about attacks on energy facilities since the invasion of Ukraine by Russia.

Google will provide a new privacy tool against Android malware
https://devstyler.io/blog/2022/01/28/google-will-provide-a-new-privacy-tool-against-android-malware/ (Fri, 28 Jan 2022 08:49:14 +0000)

BRATA, an Android malware, has added new and dangerous features in its latest version, including GPS tracking, the capacity to use multiple communication channels, and a function that performs a factory reset on the device to wipe all traces of malicious activity.

BleepingComputer reports that BRATA was first spotted by Kaspersky back in 2019 as an Android RAT (remote access tool) and mainly targeted Brazilian users.

In December 2021, a report by Cleafy underscored the emergence of the malware in Europe, where it was targeting e-banking users and stealing their credentials. Cleafy analysts continued to monitor BRATA for new features, and in a new report, illustrate how the malware continues to evolve.

The latest versions of BRATA now target e-banking users based in the UK, Poland, Italy, Spain, China, and Latin America. Variants focus on different banks with dedicated overlay sets, languages, and different apps to target specific audiences.

The authors use similar obfuscation techniques in all versions, such as wrapping the APK file into an encrypted JAR or DEX package. This obfuscation successfully bypasses antivirus detections. On that front, BRATA now actively seeks signs of AV presence on the device and attempts to delete the detected security tools before proceeding to the data exfiltration step.

The best way to avoid infections by Android malware is to install apps only from the Google Play Store. Users should avoid APKs from other, non-authorised websites, and always scan them with an AV tool. During installation, pay close attention to the requested permissions and avoid granting any that appear unnecessary for the app’s core functionality. Monitoring battery consumption and network traffic volumes also helps identify inexplicable spikes that may be caused by malicious processes running in the background.

Google said that some of the compromised cloud instances are due to weak or no password
https://devstyler.io/blog/2021/11/26/google-said-that-some-of-the-compromised-cloud-instances-are-due-to-weak-or-no-password/ (Fri, 26 Nov 2021 17:13:55 +0000)

Cryptocurrency miners are being deployed by online criminals within just 22 seconds of compromising misconfigured cloud instances running on the Google Cloud Platform (GCP).

Cryptocurrency mining is the main malicious activity that is conducted by attackers after taking advantage of misconfigured instances hosted on GCP.

In many cases, the attackers move really quickly after they compromise an instance and install crypto-mining malware to free-ride off others’ CPU and GPU resources to turn a profit for themselves. In its first Cloud Threat Intelligence report, Google commented:

“Analysis of the systems used to perform unauthorized cryptocurrency mining, where timeline information was available, revealed that in 58% of situations the cryptocurrency mining software was downloaded to the system within 22 seconds of being compromised.”

Another shocking trend was how quickly attackers can find and compromise unsecured, internet-facing instances. Palo Alto Networks, a security firm, found that 80% of 320 internet-facing ‘honeypot’ instances hosted in the cloud — and designed to attract attackers — were compromised within 24 hours.

Google’s report says that crypto-mining malware is a problem for GCP users who don’t take steps to protect their cloud instances. Google notes:

“While data theft did not appear to be the objective of these compromises, it remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse. The public Internet-facing Cloud instances were open to scanning and brute force attacks.”

Internet-facing GCP instances were a significant target for attackers. Just under half of the compromises were carried out by attackers who gained access to instances with either no password or a weak password on user accounts or API connections. Google also added:

“This suggests that the public IP address space is routinely scanned for vulnerable cloud instances. It will not be a matter of if a vulnerable Cloud instance is detected, but rather when.”

Furthermore, 26% of compromised instances were due to vulnerabilities in third-party software used by the owner. Bob Mechler, a director at Google Cloud’s Office of the CISO, commented:

“Many successful attacks are due to poor hygiene and a lack of basic control implementation.”

The report is a summary of observations over the last year by Google Threat Analysis Group (TAG), Google Cloud Security and Trust Center, and Google Cloud Threat Intelligence for Chronicle, Trust and Safety.

Check Point Software discovered four vulnerabilities in MediaTek Smartphone Chips
https://devstyler.io/blog/2021/11/26/check-point-software-discovered-four-vulnerabilities-in-mediatek-smartphone-chips/ (Fri, 26 Nov 2021 14:41:28 +0000)

Check Point Software Technologies, a publicly traded cybersecurity provider, has discovered four vulnerabilities in smartphone chips from MediaTek Inc. that could enable hackers to install malware on affected devices.

Taiwan-based MediaTek supplies chips for Android handsets and “internet of things” products. Their silicon powers 37% of all smartphones and IoT devices, according to market research cited by Check Point Software.

The four vulnerabilities discovered by the cybersecurity firm affect some of MediaTek’s systems, which combine a central processing unit with additional computing modules. Those modules include an artificial intelligence accelerator and a digital signal processor that performs audio processing tasks.

The vulnerabilities affect the digital signal processor. Three of them are in the processor’s firmware, the low-level software that controls how a chip operates. The fourth security issue was found in the hardware abstraction layer. The hardware abstraction layer is a technology that is used by a device’s operating system, in this case, Android, to control the chip on which it runs.

According to Check Point Software, the vulnerabilities can be used by a malicious Android application to infect a MediaTek digital signal processor with malware. Hackers can install the malware by triggering a software flaw known as a heap overflow in the processor. In a heap overflow, parts of a processor’s memory that contain application data are overwritten with malicious code.

By themselves, the firmware flaws do not pose a severe risk, because they can’t be reached by Android apps under normal conditions. But access is made possible by a separate set of problems affecting a piece of software that the digital signal processor uses to coordinate its work with other components.

Check Point Software has added the vulnerabilities to the CVE system that the cybersecurity community uses to track cybersecurity flaws.

The vulnerabilities are tracked as CVE-2021-0661, CVE-2021-0662, CVE-2021-0663 and CVE-2021-0673.

More than 17 000 children took part in the Digital Scouts adventure
https://devstyler.io/blog/2021/11/03/more-than-17-000-children-took-part-in-the-digital-scouts-adventure/ (Wed, 03 Nov 2021 15:44:02 +0000)

Over 17 000 children took part in the autumn edition of Telenor Bulgaria’s educational campaign “Digital Scouts: You know before you scroll”. The participants successfully passed all thirty questions over the two consecutive days of the last weekend of October. They competed with each other in a race for knowledge and digital skills on topics such as online bullying, identity theft, phishing and malware.

The Digital Scouts app is available completely for free in the two online shops App Store and Google Play and became the most downloaded app in the “Games” category of the App Store.

The easiest question for the users was related to Instagram – “What is forbidden on Instagram?” – and the most difficult one was “Which behavior on the Internet does NOT pose any danger?”

The little scouts were not alone in their online adventures. The campaign was joined by popular influencers such as Andy Studio, Balan, Haha.bg and Isabel Ovcharova, who have been part of the campaign since its very beginning. Online safety is an important topic for the gamer Konstantin Kanev (nothxtv) and Emil Conrad too, who also took part in communicating the campaign to the youngsters.

Apple warns of Cybercrime risks if EU forces it to allow others’ software
https://devstyler.io/blog/2021/10/13/apple-warns-of-cybercrime-risks-if-eu-forces-it-to-allow-others-software/ (Wed, 13 Oct 2021 15:36:36 +0000)

Apple on Wednesday ramped up its criticism of EU draft rules that would force it to allow users to install software from outside its App Store, citing the risks posed by cybercriminals and malware.

The iPhone maker has been a fierce critic of EU antitrust chief Margrethe Vestager’s proposed rules, which were announced last year in a bid to rein in Apple, Amazon, Facebook and Alphabet unit Google. Building on CEO Tim Cook’s comments in June about the risks to privacy and security of iPhones, Apple on Wednesday published an analysis on the threats of so-called side-loading.

“If Apple were forced to support sideloading, more harmful apps would reach users because it would be easier for cybercriminals to target them – even if sideloading were limited to third-party app stores only.”

It warned of malicious apps migrating to third-party stores and infecting consumer devices, while users would have less control over downloaded apps.

The study cited figures from cybersecurity services provider Kaspersky Lab which showed nearly six million attacks per month affected Android mobile devices.

Apple also took a swipe at digital advertisers with whom it is at loggerheads over its new privacy controls designed to limit them from tracking iPhone users.

According to the report, large companies that rely on digital advertising allege that they have lost revenue due to these privacy features, and may therefore have an incentive to distribute their apps via sideloading specifically to bypass these protections.

Beware – a brand new Malware family is infecting Linux Systems
https://devstyler.io/blog/2021/10/11/beware-a-brand-new-malware-family-is-infecting-linux-systems/ (Mon, 11 Oct 2021 13:34:05 +0000)

There’s a new malware family in town – one that attacks Linux systems by concealing itself in legitimate binaries to deliver several backdoors and rootkits.

Dubbed FontOnLake by cybersecurity researchers at ESET, samples of the malware date as far back as May 2020. According to the researchers, the malware makes use of several carefully crafted modules that not only collect credentials but also give remote access to the threat actors. Vladislav Hrčka, malware analyst and reverse engineer at ESET, commented:

“The sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks.”

Trojanized utilities

Hrčka notes that all the malware disguises itself inside trojanized versions of standard Linux utilities, including cat, kill, and sshd. In fact, one of the samples the researchers analyzed was created specifically for CentOS and Debian. However, the exact mechanism employed by the threat actors to replace the original utilities with the malicious ones remains a mystery.

Analyzing the malware, the researchers note that the samples contained three custom backdoors written in C++, which gave remote access to the infected machines to the operators of the malware.

The location of the Command and Control (C2) server and the countries from which the samples were uploaded indicate that the attackers were after targets based in Southeast Asia. Hrčka also added:

“Following our discovery while finalizing our white paper on this topic, vendors such as Tencent Security Response Center, Avast and Lacework Labs published their research on what appears to be the same malware.”

Hrčka concluded that ESET’s products can flag all the components of the malware.

Microsoft Fighting Cyberweapons Built By Private Businesses
https://devstyler.io/blog/2021/07/16/microsoft-fighting-cyberweapons-built-by-private-businesses/ (Fri, 16 Jul 2021 13:54:48 +0000)

A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments. Microsoft takes this threat seriously and has disrupted the use of certain cyberweapons manufactured and sold by a group called Sourgum. The weapons disabled were being used in precision attacks targeting more than 100 victims around the world, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents. To limit these attacks, Microsoft focused on two actions: first, building protections against the unique malware Sourgum created into its products and sharing those protections with the security community; second, issuing a software update that protects Windows customers from the exploits Sourgum was using to deliver its malware.

Citizen Lab has identified the group as a company called Candiru. Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure and internet-connected devices. These agencies then choose who to target and run the actual operations themselves.

Microsoft initially started this work after receiving a tip from Citizen Lab about malware used by Sourgum. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) spent weeks examining the malware, documenting how it works and building protections that can detect and neutralize it. The malware is named DevilsTongue. Protections against DevilsTongue were built into Microsoft’s security products, and the company has shared them with others in the security community so they can protect their customers.

By examining how Sourgum’s customers were delivering DevilsTongue to victim computers, Microsoft saw they were doing so through a chain of exploits affecting popular browsers and the Windows operating system. Earlier this week, updates were released which, when installed, protect Windows customers from two key Sourgum exploits.

These attacks have largely targeted consumer accounts, indicating that Sourgum’s customers were pursuing particular individuals. The protections Microsoft issued this week will stop Sourgum’s tools from working on computers that are already infected and prevent new infections on updated computers, on those running Microsoft Defender Antivirus, and on those using Microsoft Defender for Endpoint.

This is part of broader legal, technical and advocacy work Microsoft is undertaking to address the dangers caused when private-sector offensive actors (PSOAs) build and sell weapons. These companies increase the risk that weapons fall into the wrong hands and threaten human rights. That’s why, for example, Microsoft filed an amicus brief in a legal case brought by WhatsApp against another PSOA called NSO Group.

Microsoft will continue to identify PSOAs using the names of trees and shrubs, as it has done with Sourgum. This is similar to how it uses elements of the periodic table to name the nation-state actor groups it has identified.
