SlemBunk An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps

By Security Bloggers Network
On 2015-12-18 at 04:06:29



Summary: FireEye mobile researchers recently identified a series of Android trojan apps designed to imitate the legitimate apps of 33 financial management institutions and service providers across the globe. We dub the family SlemBunk and have seen it covering three major continents: North America, Europe, and Asia Pacific. SlemBunk apps masquerade as common, popular applications and stay incognito after running for the first time. They have the ability to phish for and harvest authentication credentials when specified banking and other similar apps are launched. At the time of this writing, we can confirm that a set of the control servers gathering the gleaned credentials is still live and active.

We have not observed any instances of SlemBunk on Google Play, so users will only get infected if the malware is sideloaded or downloaded from a malicious website. Newer versions of SlemBunk were observed being distributed via porn websites. Users who visit these sites are incessantly prompted to download an Adobe Flash update to view the porn, and doing so downloads the malware.

Our comprehensive investigation of SlemBunk has led to the identification of more than 170 samples in the wild. These samples exhibit a range of characteristics and behaviors, including:
- Highly customized login UI for a variety of financial management services, such as high-profile banks
- Running in the background and monitoring the active running processes
- Detecting the launch of specified legitimate apps and displaying the corresponding fake login interfaces
- Hijacking user credentials and transmitting them to a remote command and control (CnC) server
- Harvesting and exfiltrating sensitive device information (phone number, installed app list, device model, OS version) to the CnC servers
- Receiving and executing remote commands sent through text messages and network traffic
- Persisting on the infected device via device administrator privilege

This discovery is supported by findings reported by Fortinet [1]. Our in-depth analysis of the full set of samples provides more insight into this malware family. Since its debut, SlemBunk has gone through several iterations, each raising the bar of sophistication by adding more advanced capabilities. Based on our examination of SlemBunk over time, we observed the following developments:
- Advanced features are added to support more remote control commands
- Remote CnC servers keep changing among samples
- More financial services apps are added to the target list, with new UI and corresponding logic
- Different levels of obfuscation are adopted to avoid detection

Through our investigation, we have discovered SlemBunk spoofing the apps of 31 banks across the globe, some of which are among the biggest banks in the world, as well as two popular mobile payment service provider apps. While financial gain is the primary goal of this malware, SlemBunk is also interested in user data: it attempts to hijack the login credentials of high-profile Android applications, including popular social media apps, utility apps and instant messaging apps.

Technical Details
-----------------
The remainder of this blog presents the technical and operational aspects of this malware in greater detail.

Major Components

The core objective of SlemBunk is to phish for authentication credentials, primarily for financial institutions, by pushing a fake login interface when a specified app is running in the foreground. Figure 1, the Manifest file from one of the non-obfuscated samples (package name org.slempo.service), shows an overview of the main components of SlemBunk:
- ServiceStarter: an Android receiver invoked once an app is launched or the device boots up. It starts the monitoring service, MainService, in the background.
- MainService: an Android service that runs in the background and monitors all running processes on the device. It prompts the user with an overlay view that resembles the legitimate app when that app is launched. This monitoring service also communicates with a remote host, sending the initial device data and notifying it of device status and app preferences.
- MessageReceiver: an Android receiver that handles incoming text messages. Besides intercepting the authentication code sent by the bank, this component acts as the bot client for remote command and control.
- activities.Card: one UI view designed to mimic those of the targeted apps.
- MyDeviceAdminReceiver: device admin functionality requested the first time the app is launched. This makes the app more difficult to remove.

Figure 1. SlemBunk main components

Figure 2 offers a glance into the execution flow of the malware. When the app is launched for the first time, it activates the registered receiver, which subsequently starts the monitoring service in the background. On the surface it pops up a fake UI claiming to be Adobe Flash Player (or another advertised application) and requests to be made device admin. Once granted admin privileges, it removes its icon from the launcher and keeps running in the background. A UI requesting authentication credentials shows up when one of the specified apps is detected running in the foreground.

Figure 2. The workflow graph of SlemBunk

Targeted App Detection and Interface Overlay

SlemBunk employs a long-running background service (MainService) which schedules a few tasks. One of the tasks queries all running processes and checks whether any of the specified apps is running in the foreground. Detecting a legitimate app is as simple as comparing the package name of the top running app to that of a specified app. Figure 3 shows a snippet of code from one of the samples.

Figure 3. Specified app detection and phishing UI activity starter
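The component layout described above (a launch/boot receiver that starts a background service, an SMS receiver, a device-admin receiver and an overlay on top of the real app) is visible from the manifest alone, before any code is read. As an added example (not FireEye's code and not anything reproduced from a sample), the following Python script triages a decoded AndroidManifest.xml for that capability mix. The manifest it runs on is constructed from the component names quoted on this page; the permissions and intent actions it checks for, and the indicator weights, are assumptions about how such components are normally declared, not values taken from Figure 1.

```python
"""Static triage of a decoded AndroidManifest.xml for the SlemBunk-style
capability mix: launch/boot receiver, background service, SMS receiver,
device-admin receiver and overlay permission.

Added example; not FireEye's code. SAMPLE_MANIFEST is constructed from the
component names in the write-up (org.slempo.service, ServiceStarter,
MainService, MessageReceiver, MyDeviceAdminReceiver, activities.Card); the
permissions, intent actions and weights are assumptions. Feed it a manifest
decoded with `apktool d sample.apk` to use it on a real APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualified name of an android: attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# (label, weight, predicate over the facts dict); weights are arbitrary.
INDICATORS = [
    ("boot-completed receiver (ServiceStarter-style persistence)", 1,
     lambda f: "android.intent.action.BOOT_COMPLETED" in f["receiver_actions"]),
    ("SMS receiver plus RECEIVE_SMS (OTP interception, SMS C2)", 2,
     lambda f: "android.provider.Telephony.SMS_RECEIVED" in f["receiver_actions"]
     and "android.permission.RECEIVE_SMS" in f["permissions"]),
    ("device-admin receiver (resists uninstall)", 2,
     lambda f: f["device_admin_receivers"] > 0),
    ("SYSTEM_ALERT_WINDOW (overlay a fake login on the real app)", 2,
     lambda f: "android.permission.SYSTEM_ALERT_WINDOW" in f["permissions"]),
    ("GET_TASKS (foreground package name lookup)", 1,
     lambda f: "android.permission.GET_TASKS" in f["permissions"]),
    ("background service declared", 1,
     lambda f: f["services"] > 0),
]


def extract_facts(manifest_xml):
    """Collect the permission set, receiver intent actions, device-admin
    receiver count and service count from the manifest."""
    root = ET.fromstring(manifest_xml)
    facts = {
        "package": root.get("package"),
        "permissions": {p.get(a("name")) for p in root.iter("uses-permission")},
        "receiver_actions": set(),
        "device_admin_receivers": 0,
        "services": sum(1 for _ in root.iter("service")),
    }
    for rcv in root.iter("receiver"):
        actions = {act.get(a("name")) for act in rcv.iter("action")}
        facts["receiver_actions"] |= actions
        # A device-admin receiver is protected by BIND_DEVICE_ADMIN and
        # listens for DEVICE_ADMIN_ENABLED.
        if (rcv.get(a("permission")) == "android.permission.BIND_DEVICE_ADMIN"
                and "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            facts["device_admin_receivers"] += 1
    return facts


def triage(manifest_xml):
    """Return the package name, the indicator labels that fired and a score."""
    facts = extract_facts(manifest_xml)
    hits = [label for label, _, pred in INDICATORS if pred(facts)]
    score = sum(w for _, w, pred in INDICATORS if pred(facts))
    return {"package": facts["package"], "hits": hits, "score": score}


# Constructed manifest modelled on the components named in the write-up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.slempo.service">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Adobe Flash Player">
    <service android:name=".MainService"/>
    <receiver android:name=".ServiceStarter">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".MessageReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".MyDeviceAdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <activity android:name=".activities.Card"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], "score", result["score"])
    for hit in result["hits"]:
        print(" -", hit)
```

None of these indicators is malicious on its own (an SMS app legitimately receives SMS, a launcher legitimately draws overlays); the point is the combination in an app advertised as "Adobe Flash Player", which is why the script scores the set rather than alerting on any single permission.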
We noticed that the SlemBunk authors have invested time in making sure the look and feel of the phishing UI closely resembles the original. In some instances, the phishing interface asks the user to type in their credentials twice rather than once. It also forces the user through a fake verification process, which we suspect is meant to increase the user's confidence in its authenticity.

Remote Communication

SlemBunk uses a simple yet effective remote communication mechanism that lets a server command and control the installed malware. We identified two ways a SlemBunk sample communicates with its control server.

HTTP: Many of the remote server IPs are hardcoded in the source code of early samples. For newer samples, the SlemBunk authors used basic Base64 encoding in the hope of fending off reverse engineering; Figure 4 shows a short snippet of code that decodes the encoded data. There are primarily three requests from the client to the server:
- Initial Checkin: informs the server of successful installation and execution, uploading device data (device model, OS version, phone number, app list, and country name). Figure 5 is a screenshot of the live traffic.
- Regular Status Report: informs the server of the bot's status, typically the status of SMS listening and interception, the phone number, and the locking status. Figure 6 shows the captured traffic for this request.
- Phished Data Upload: once the malware obtains credentials, it sends them to the remote server. Figure 7 shows the captured traffic for this request.

Figure 4. The Base64 decoding of the SlemBunk remote server
Figure 5. Initial Checkin
Figure 6. Regular Status Report
Figure 7. Phished Data Upload

SMS: The remote server can control the malicious app's behavior through text messages. For instance, intercept_sms_stop stops the interception of SMS messages and intercept_sms_start restarts it. The lock command mutes the device's audio system, which effectively conceals the arrival of text messages or phone calls. The wipe_data command wipes the data partition of the infected device. The complete list of supported commands is given in Appendix A; the relevant code is shown in Figure 8.

Figure 8. SMS-based command control

Evolution of the Family

SlemBunk has evolved over time. The earliest samples mainly targeted users of popular social networking apps, but later samples focus on defrauding users of financial services apps, with a clear objective of financial gain. Among all the specified apps, we observed that banks in Australia are SlemBunk's favorites, with banks in the U.S. coming second.

As SlemBunk expands its coverage of banks, its code has also become more sophisticated. Notably, later samples use different techniques to hinder reverse engineering. Figure 4 shows an obscured string that is Base64 encoded; Appendix B gives more details about the decoded text and its usage in the SlemBunk family. In a few cases, the SlemBunk authors used a commercial packer, DexProtector, which was designed to protect apps from being pirated; when used by a malicious application, it raises the difficulty of analysis.

Conclusion
----------
The rise and evolution of the SlemBunk trojan clearly indicates that mobile malware has become more sophisticated and targeted, and involves more organized efforts. We have already seen crackdowns on malware campaigns targeting mobile banking users [2, 3], but we do not expect this type of activity to go away anytime soon. To protect yourself from these threats, FireEye suggests that you:
- Do not install apps from outside the official app store.
- Keep Android devices updated. Upgrading to the latest OS version provides some security, but it does not guarantee that you will remain protected.

To detect and defend against such attacks, we advise our customers to deploy our mobile security solution, FireEye MTP/MSM. This helps our clients gain visibility into threats in their user base and enables them to proactively hunt down compromised devices. In addition, we advise customers with NX appliances to ensure that Wi-Fi traffic is scanned by the NX appliances, extending coverage to mobile devices.

[1] https://blog.fortinet.com/post/fake-android-flash-player-hits-global-financial-institutions
[2] http://blog.trendmicro.com/trendlabs-security-intelligence/malware-campaign-targets-south-korean-banks-uses-pinterest-as-cc-channel
[3] http://www.symantec.com/connect/blogs/android-banking-trojan-delivers-customized-phishing-pages-straight-cloud

Appendix A: List of the Control Commands Delivered via SMS

block_numbers, control_number, disable_forward_calls, intercept_sms_start, intercept_sms_stop, lock, unblock_all_numbers, unblock_numbers, unlock, update_html, wipe_data, check, check_gps, grab_apps, listen_sms_start, listen_sms_stop, sentid, show_dialog, show_html

Appendix B: Base64-Decoded String to Customize SlemBunk's Behavior

Some recent SlemBunk samples use a Base64 coding scheme to hide the data exchange protocol used to communicate with the remote CnC server. Figure 4 shows the snippet of code that decodes the obscured text string at runtime. Table 1 shows part of the decoded data that SlemBunk later uses to customize its behavior.

Table 1. Decoded text segments and their usage in SlemBunk apps
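The two C2 channels above, Base64-hidden HTTP endpoints and a fixed vocabulary of SMS commands, are both easy to surface from the analyst's side once you know what to look for. The following Python is an added example (not FireEye's code and not the malware's own logic). It scans a string dump for Base64 tokens that decode to a URL or an IPv4 address, which is how one undoes the "basic Base64 encoding" attributed to newer samples, and it classifies inbound SMS text against the Appendix A command list. The string dump is constructed (RFC 5737 documentation addresses, encoded by hand); the "command arg ..." SMS syntax is an assumption, since the page does not show the bot's parser.

```python
"""Analyst-side helpers for the HTTP and SMS channels described above.

Added example, not FireEye's code. SAMPLE_STRINGS is a constructed stand-in
for `strings classes.dex` output: the addresses are RFC 5737 documentation
ranges and the Base64 blobs are simply those strings encoded. SMS_COMMANDS
is the Appendix A list; the whitespace-separated "command args" syntax is
an assumption.
"""
import base64
import binascii
import re

# Appendix A, one entry each.
SMS_COMMANDS = {
    "block_numbers", "control_number", "disable_forward_calls",
    "intercept_sms_start", "intercept_sms_stop", "lock",
    "unblock_all_numbers", "unblock_numbers", "unlock", "update_html",
    "wipe_data", "check", "check_gps", "grab_apps", "listen_sms_start",
    "listen_sms_stop", "sentid", "show_dialog", "show_html",
}

# Runs of the Base64 alphabet long enough to be worth trying, plus padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# A decoded blob is interesting if it carries a URL scheme or a dotted quad.
NETWORK_IOC = re.compile(r"(?:https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b)")


def decode_b64_strings(strings):
    """Return (token, decoded) pairs for Base64 tokens that decode cleanly
    to printable ASCII containing a URL or IPv4 address."""
    found = []
    for s in strings:
        for tok in B64_TOKEN.findall(s):
            if len(tok) % 4:          # not a complete Base64 quantum
                continue
            try:
                text = base64.b64decode(tok, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if text.isprintable() and NETWORK_IOC.search(text):
                found.append((tok, text))
    return found


def parse_sms_command(body):
    """Classify an inbound SMS body: a known bot command with its arguments,
    or None for ordinary traffic (including the bank's own OTP messages)."""
    parts = body.strip().split()
    if not parts or parts[0] not in SMS_COMMANDS:
        return None
    return {"command": parts[0], "args": parts[1:]}


# Constructed string dump; comments give the plaintext of each blob.
SAMPLE_STRINGS = [
    "Lorg/slempo/service/MainService;",
    "aHR0cDovLzE5Mi4wLjIuMTAvYXBpL2NoZWNraW4=",  # http://192.0.2.10/api/checkin
    "MTk4LjUxLjEwMC4yMw==",                        # 198.51.100.23
    "Adobe Flash Player",
    "intercept_sms_start",
    "QUJDREVGR0hJSktMTU5PUA==",                    # ABCDEFGHIJKLMNOP, no IOC
]

if __name__ == "__main__":
    for tok, text in decode_b64_strings(SAMPLE_STRINGS):
        print("C2 candidate:", text, "<-", tok)
    for sms in ("intercept_sms_stop", "block_numbers +15551234567",
                "Your verification code is 123456"):
        print(repr(sms), "->", parse_sms_command(sms))
```

The `len(tok) % 4` and `validate=True` checks keep the decoder from spraying false positives over ordinary identifiers (a Smali class path like `Lorg/slempo/service/MainService` is a long run of the Base64 alphabet but is not a multiple of four characters); the IOC filter then discards blobs that decode to text with no network meaning. For a packed sample (the DexProtector case) the strings are not in the dex at rest, so this has to be run against memory or the unpacked classes instead.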
