Specialists at Kaspersky Lab have published information that the FinSpy spyware has learned to “read” users’ ordinary and secret chats even in seemingly secure messengers such as Telegram, WhatsApp and Signal. At the same time, Google acknowledged that its experts listen to users’ commands to its voice assistant; moreover, some of that data ended up in open access after one of the company’s employees violated confidentiality rules. Daily Storm’s journalists looked into whether you can tell that your phone is being monitored, and what to do if you become a victim of such surveillance.
So, how can I tell that I am being watched through my gadgets?
All the experts Daily Storm managed to talk to agree: only a specialist can determine unambiguously that you have become the object of surveillance through a gadget infected with malicious software.
However, there are several signs that may indirectly indicate that you are a victim of spyware.
Here are some of them:
· your phone suddenly started restarting, sometimes several times in a row;
· the mobile device gets very hot;
· a sudden spike in the volume of traffic the gadget uses;
· the phone discharges quickly for no apparent reason.
There are also quite obvious reasons to worry, for example when attackers steal your passwords and hack your social network accounts, or when you start receiving SMS notifications that someone tried to access your account from another IP address in some distant (or not so distant) country.
“Spyware such as FinSpy is developed with the aim of being very difficult to detect. To understand that a device is compromised, you need special skills: for example, you need to be able to track whether the gadget connects to certain addresses that are not standard for the operating system. You need to watch which apps are installed on the system, which files are modified, and so on. There are special tools with which a person who understands this can tell that a device is infected. A layman should probably just install an antivirus solution for mobile devices, which, in principle, is now a necessity for a phone running Android,” Sergey Lozhkin, senior virus expert at Kaspersky Lab, told Daily Storm.
Stanislav Shakirov, technical director and founder of Roskomsvoboda, explained that the presence of spyware on a device can be determined by installing software that either scans incoming and outgoing traffic and tries to find unnecessary connections, or analyzes the processes running on the system. As for indirect signs, they may signal a problem but do not indicate it clearly. “If we are talking about FinSpy, which reads correspondence, it consumes, relatively speaking, as much energy and traffic as Telegram. That is, it will not include anything that would eat up battery and bandwidth. So it cannot be detected indirectly,” said Shakirov.
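The two checks the experts describe above, watching for connections to addresses that are not normal for a device and watching for an app whose traffic volume stands out, can be illustrated with a small baseline comparison. The following script is an added example written for this article, not code from Kaspersky Lab, Roskomsvoboda or any real tool: the per-app connection log, the package names, the destination hosts and the “expected destinations” baseline are all constructed for illustration, and the log format is a simplified one-record-per-line shape invented here.

```python
"""Added example: flag app connections outside a known baseline and apps
whose outbound traffic volume is far above the rest.

Everything below is constructed for illustration. The record format is
"<epoch> <package> <destination> <bytes_out>" and is not the output of any
real monitoring tool.
"""
from collections import defaultdict
from statistics import median

# Constructed baseline: destinations each app is expected to talk to.
# In practice this would be learned from a known-clean period of use.
BASELINE = {
    "org.telegram.messenger": {"api.telegram.org"},
    "com.whatsapp": {"g.whatsapp.net"},
    "com.android.vending": {"play.googleapis.com"},
}

# Constructed sample log; the photo editor app talks to a documentation
# (RFC 5737) address that is not in any baseline and sends a lot of data.
SAMPLE_LOG = """\
1000 org.telegram.messenger api.telegram.org 2048
1001 com.whatsapp g.whatsapp.net 512
1002 com.android.vending play.googleapis.com 4096
1003 org.telegram.messenger api.telegram.org 1024
1004 com.example.photoeditor 203.0.113.7 800000
1005 com.example.photoeditor 203.0.113.7 750000
1006 com.whatsapp g.whatsapp.net 300
"""


def parse_log(text):
    """Parse the constructed log format into (ts, package, dest, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, dest, nbytes = line.split()
        records.append((int(ts), pkg, dest, int(nbytes)))
    return records


def unexpected_destinations(records, baseline):
    """Map package -> set of destinations not in that package's baseline.

    An app with no baseline entry at all has every destination reported,
    which is the conservative choice for a device you are investigating.
    """
    found = defaultdict(set)
    for _, pkg, dest, _ in records:
        if dest not in baseline.get(pkg, set()):
            found[pkg].add(dest)
    return dict(found)


def traffic_outliers(records, factor=5.0):
    """Map package -> total bytes for apps sending more than factor times
    the median per-app total. This is the 'sudden traffic spike' sign."""
    totals = defaultdict(int)
    for _, pkg, _, nbytes in records:
        totals[pkg] += nbytes
    threshold = factor * median(totals.values())
    return {pkg: total for pkg, total in totals.items() if total > threshold}


def report(text=SAMPLE_LOG, baseline=BASELINE):
    """Run both checks and return their findings together."""
    records = parse_log(text)
    return {
        "unexpected": unexpected_destinations(records, baseline),
        "outliers": traffic_outliers(records),
    }


if __name__ == "__main__":
    for kind, findings in report().items():
        print(kind, findings)
```

Both checks only flag what is unusual relative to the baseline; as Shakirov notes, spyware that blends its traffic into a messenger's normal pattern would pass the volume check, which is why the destination check matters more.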
Group-IB’s cybersecurity laboratory confirmed to Daily Storm that spyware exists which a non-expert cannot discover. “In the case of the Pegasus spyware, which arrived through a vulnerability in older versions of the WhatsApp messenger, it is impossible for a regular user to identify the infection. Removing the virus is possible only by fully reflashing the phone (a factory reset doesn’t work), and this applies to both Android and iPhone. As for banking Trojans and financial fraud, we often learn about them too late, when the money has already been stolen,” Sergey Nikitin, deputy head of Group-IB’s computer forensics laboratory, told Daily Storm.
Igor Danilov, founder of the company Dr. Web, outlined an even more dramatic problem to Daily Storm: “A person will not be able to determine whether there is spyware on the phone. The programs may differ: built into the phone, or installed. And if the program embedded in the phone is a good one, the phone will not even have to heat up, nothing. So people will go on with their phone, computer or tablet.”
What information about you can spy software find out?
Very briefly: absolutely anything. Yes, secret chats too.
There are spyware programs that have full access to the phone. The malware can intercept all data entered from the keyboard, take screenshots of any chat program, and read everything you type and everything shown on the screen. It does not matter whether a chat is secret or not: an attacker can do with your phone everything you can do with it yourself. They can record sound as well.
Who does all this, and why?
The main motivation of cybercriminals is, of course, money. “First of all, it is done by cybercriminals with financial motives. There are also groups involved in cyber espionage: for them, the financial information on the user’s device is not so important; what matters is simply to follow the user, to gain access to their work data, scientific and technical information, or private photographs and other information that can be used for blackmail. This is a wide field of activity for cybercriminals, and that is what they do,” said the representative of Kaspersky Lab. At the same time, Sergey Lozhkin noted that cyber-espionage programs are a minority compared to, say, banking Trojans.
Group-IB’s laboratory reported that such programs are also used to inflate video view counts: the software “watches” videos in the background and winds up the view counter.
According to Stanislav Shakirov, “the most critical things are the theft of banking information, encryption of the drive for blackmail, and phishing, when the user’s usernames and passwords are stolen.” And with the help of such applications, the villains have learned to bypass even two-factor authentication.
“There is another way, when gadgets are infected by Trojans that simply go to certain sites with the aim of a DDoS attack; that is a botnet. So-called command-and-control software is loaded onto the gadget and, at the attacker’s behest, sends it to a particular site. When the hacker receives a request for a DDoS attack, he sends to all the devices where this program is installed the signal “go to such-and-such site at the same time,” and the site crashes under the load of 10 thousand, 100 thousand or a million devices. This, too, is a way to earn money,” explained the founder of the public organization Roskomsvoboda.
However, this practice will soon become a thing of the past. “Soon these attacks will be done through the Internet of Things, because nobody changes the passwords on all those smart sockets and coffee makers, and nobody bothers about how it works,” said Stanislav Shakirov.
There is another purpose for such applications: espionage at the state level or for political purposes.
“These are targeted things. It may be done by the special services, or it may be industrial espionage. There are cheap methods, such as the same FinSpy. There are expensive ones: for example, buying a “zero-day exploit”,” said Stanislav Shakirov.
A “zero-day exploit” exploits a zero-day vulnerability: a bug in a program or operating system that the developer does not yet know about. Such a bug allows a device to be infected with malware remotely, and hackers use it until the developer detects and eliminates it.
“There is a black market where hackers hang out who hack everything. They want to make money. Representatives of the special services also hang out on these forums; they buy these “zero-day exploits” and can break into whoever interests them. Basically we are really talking about “bad guys” like terrorists or criminals, but in just the same way all secret services in all countries of the world “break into” the opposition,” said the representative of Roskomsvoboda.
“There are even certain companies that sell “zero-day vulnerabilities”. For example, in Israel there is a firm called NSO Group; these are people from Mossad’s cyber units. They set up a commercial company and sell sets of these zero-day vulnerabilities to various states with the approval of the Israeli government. And then those states catch political opponents in addition to terrorists. The recent story in which a Saudi journalist was killed at the Turkish embassy was carried out after vulnerabilities were sold to Saudi Arabia. Whether the Israelis sell “zero-day exploits” to the Russian special services is unknown. It is known that they did not sell directly to Russia. But some Saudi Arabia that bought them for itself could hypothetically outsource that to other intelligence agencies,” said Stanislav Shakirov.
Igor Danilov, founder of the company Dr. Web, also believes that states and corporations are watching ordinary citizens. “All states need all people: our secret services, the Chinese ones, everyone needs everything. They are all watching us. And “Vkontakte” and so on, they all follow us. What is a social network for? For monitoring its users,” said Danilov.
Sometimes spyware is installed on the mobile device directly by the manufacturers at the factory, the expert said.
“Why were the Americans kicking Huawei out of everywhere? Because they put all sorts of bad things on their phones… I can’t tell you more over the phone. It is software that monitors the user. They listen to conversations, intercept messages, SMS and everything you do on your phone; they intercept everything. I don’t know what really happened with Huawei, but the Americans caught them in the fact that they were working against the Americans. And they banned it in their stores and so on… Google was banned from cooperating with Huawei. So now it may fly off the market. It is trying to sign a contract so that we would sell it, but I don’t know why we need this Huawei. Other manufacturers were noticed as well. And such things were installed at the factories,” said Danilov.
How does malicious software get onto the phone?
Malicious software can get onto your mobile device remotely, if you download infected software yourself or click on an infected link, or directly, if your phone ends up in the hands of an attacker.
“An iPhone, if it is not jailbroken, is safer than Android for the reason that you cannot download just anything onto it. Infected applications are not able to get into its operating system. Android devices are more susceptible, because you can install anything on them. As a result, anyone installs anything, and that is how viruses get installed. It may be that the user tapped on something once and off it went. It is a question of business models: people often choose Android precisely because you can do anything there,” said Stanislav Shakirov.
According to the representative of Roskomsvoboda, most viruses are written for Android and Windows because of the architectural features of these systems. “I do not know the infection statistics, but it follows logically: if you observe information hygiene, you will not get infected. If you don’t, you will get infected one hundred percent,” he said.
The representative of Kaspersky Lab holds a similar opinion: “The iPhone is much better protected, and the possibility of infecting it remotely is an order of magnitude lower than the possibility of infecting an Android device. To infect an iPhone with malicious applications, a threat actor needs to have a “zero-day exploit”, but finding such vulnerabilities is extremely difficult, and it is quite expensive. Otherwise, you need to have physical access to the phone, and the device has to be jailbroken; then you can install anything at all.”
Sergey Lozhkin noted that remotely infecting an iPhone is much easier if the phone has been jailbroken, that is, hacked.
According to the Kaspersky Lab representative, the following scheme is often used to get malicious applications onto a phone: “They create a mobile game or something to do with music. The functionality of the application can be anything. Moreover, the app can be quite functional. They try in various ways to promote it, to advertise it. Such programs pass moderation in the store, in the same Google Play. After some time the cybercriminals upgrade it, change its functionality and push an update, and the application, which was initially absolutely legitimate, suddenly becomes malicious. The other way is if there is a vulnerability in the software: they can send a picture, a message or a malicious link that the user opens, and if there is a vulnerability in the operating system, say Android, it will be exploited and the same malicious app will be downloaded remotely.”
App stores as a major loophole
Downloading a malicious application to a smartphone turns out to be simple: the specialized stores, though relatively well protected from malicious software, globally have a high percentage of vulnerable apps.
Positive Technologies, a company that works against cyber threats, recently conducted a study of the security of applications in the two major stores for iOS and Android, the App Store and Google Play. The results were not too good: 43% of apps in Google Play and 35% of apps in the App Store are affected by critical vulnerabilities.
And it is not that applications arrive in the stores already infected; that is hardly possible, given that they are moderated on both platforms.
Sergey Lozhkin, senior virus expert at Kaspersky Lab, said that initially an app enters the stores quite legitimate and safe, but can later transform into a threat.
“After a certain time, cybercriminals can upgrade it and change its functionality. The app, which was completely legitimate, becomes malicious,” explained Lozhkin.
One of the signs by which such an app can be spotted is a low rating and a small number of downloads. However, much here depends on the store, and it may not be so simple.
Many people have probably never used anything except the usual App Store or Google Play, but there are also fairly large and popular alternative stores on the market, such as the Amazon Appstore, Opera Mobile Store, SlideME or the same Yandex.Store.
Amazon and Yandex, for example, actively moderate apps and check them for the presence of malicious code. SlideME, in turn, checks only every third application. But that is not the worst case.
There are also alternatives to the alternatives: smaller and very lightly regulated stores. The chance of picking up infected software on these platforms is even higher.
“Monitoring informal stores is very difficult; even though it is done, tracing malicious software among millions of apps is no easy task,” continued Lozhkin.
Some of the most troubled stores in this sense are Chinese. Recently, dangerous applications have been identified in the Asian market time and again.
For example, through the 9Apps resource, owned by the Chinese company Alibaba Group, about 25 million smartphones around the world were infected.
The victims were Android users who downloaded various applications, such as photo editors or games, into which malicious code named “Agent Smith” had been sewn. Importantly, in this case the “few downloads, low rating” principle did not work: the apps had a high rating and aroused no suspicion.
“Agent Smith” disguised itself under the icons of WhatsApp or one of the browsers. When users activated it in those programs, a large amount of advertising appeared.
The virus, however, went further: the dangerous “agent” app was later found in the official Google Play as well.
In this sense, the App Store has a stricter policy than its main competitor. At the end of 2018, Apple purged 718 applications from the Chinese version of the store.
The problem was not in any particular category, but in general in the policy of Chinese software developers, who were unwilling to negotiate updates to their applications with Apple and instead delivered them directly to their users.
Apart from the fact that this was contrary to the rules, such actions represented a security threat: without the ability to verify an update, the App Store was effectively letting who-knows-what into its shop, with unpredictable consequences.
This is why Apple took such a radical decision and expelled all violators from the platform, to avoid further escalation of the vicious practice.
Globally, the situation with Chinese apps looks pretty scary.
Israeli cybersecurity experts from Check Point released a review of the Chinese market and Google Play this spring, reporting that malware had recently been downloaded more than 250 million times.
During the research period, the experts found hundreds of dangerous applications that not only attacked users with intrusive advertising, but also stole personal data.
For example, the SimBad malicious code was disguised in as many as 210 simulator games. It filled the application with a large amount of advertising, affecting the speed of the phone. Removing the application was extremely difficult.
Moreover, it could on its own open Google Play or the 9Apps browser and download various malicious files.
Users were also affected by applications tailored for the collection of personal information. They were mostly downloaded from popular Chinese stores: Tencent MyApp, Wandoujia, Huawei AppGallery and Xiaomi Mi Store.
According to Check Point, the attackers exploited the fact that developers were in a hurry to upload apps to the stores without additional security checks.
Unfortunately, for a store to have the opportunity to identify a malicious application, users somehow have to suffer first. Lozhkin noted that, as a rule, detection can take several hours or several days.
As for Google Play, the store has done much in recent years to limit the arrival of unwanted software on its platform, but the safety issue for the most part still depends on the user.
Nikolai Anisin, head of the mobile application security research group at Positive Technologies, told Daily Storm that smartphone owners should always remember: there is no 100% protection from dangerous applications, but everyone can reduce the opportunities for cybercriminals.
“Do not raise privileges on the smartphone. This disables the data protection mechanisms. Do not install apps that require too many permissions (Android, iOS); audit the granted permissions and revoke them or delete the app (Android),” advised Anisin.
Do not trust third-party mobile application stores either. Suspicious programs (e.g., allegedly “cracked” free versions of commercial applications) may contain malicious code.
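Two of the points above, Lozhkin’s description of a legitimate app turning malicious after an update and Anisin’s advice to audit granted permissions, can be turned into a concrete check. The script below is an added example written for this article, not code from Positive Technologies, Kaspersky Lab or any app store: it audits a set of Android apps for permission requests that grant broad access to user data, and flags an update that adds such permissions compared with the previous version. The permission identifiers are real Android permission names; the package names and version histories are constructed for illustration.

```python
"""Added example: audit requested Android permissions and spot permissions
newly added by an update.

The app records are constructed for illustration. The permission strings
are real Android permission identifiers; the packages are made up.
"""

# A subset of Android "dangerous" protection-level permissions that expose
# messages, contacts, sensors, location or stored files.
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample: package -> {version_code: permissions requested}.
# The "flashlight" app legitimately needs CAMERA for the flash in v1, then
# its v2 update suddenly asks for SMS, microphone and contacts access.
APPS = {
    "com.example.flashlight": {
        1: {"android.permission.CAMERA"},
        2: {"android.permission.CAMERA",
            "android.permission.READ_SMS",
            "android.permission.RECORD_AUDIO",
            "android.permission.READ_CONTACTS"},
    },
    "com.example.messenger": {
        5: {"android.permission.READ_CONTACTS", "android.permission.CAMERA"},
        6: {"android.permission.READ_CONTACTS", "android.permission.CAMERA",
            "android.permission.INTERNET"},
    },
    "com.example.notes": {
        1: {"android.permission.READ_EXTERNAL_STORAGE"},
    },
}


def dangerous_permissions(perms):
    """Return the subset of perms that are in the DANGEROUS set."""
    return set(perms) & DANGEROUS


def added_on_update(old_perms, new_perms):
    """Permissions present in the new version but absent from the old one."""
    return set(new_perms) - set(old_perms)


def audit(apps, max_dangerous=2):
    """Return a list of (package, finding, sorted permissions).

    Findings:
      too_many_dangerous      latest version asks for > max_dangerous
                              dangerous permissions
      update_added_dangerous  latest version added dangerous permissions
                              that the previous version did not request
    """
    findings = []
    for pkg, versions in apps.items():
        ordered = sorted(versions)            # version codes, ascending
        latest = versions[ordered[-1]]
        danger = dangerous_permissions(latest)
        if len(danger) > max_dangerous:
            findings.append((pkg, "too_many_dangerous", sorted(danger)))
        if len(ordered) >= 2:
            previous = versions[ordered[-2]]
            new_danger = dangerous_permissions(added_on_update(previous, latest))
            if new_danger:
                findings.append((pkg, "update_added_dangerous", sorted(new_danger)))
    return findings


if __name__ == "__main__":
    for pkg, finding, perms in audit(APPS):
        print(f"{pkg}: {finding}: {', '.join(perms)}")
```

The threshold of two dangerous permissions is an arbitrary constructed value; what matters in practice is whether the permissions fit the app’s purpose, which is why the update check (new data access that the previous version never needed) is the more telling signal.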
What should I do if I know my phone is infected with spy software?
Most experts agree that to get rid of malware you must return the device to factory settings.
“There are few ways that will really help, and they are costly, because you have to completely destroy everything that was on the phone, that is, reinstall the operating system from scratch in order to use the phone. This involves certain difficulties for the user: you have to back up everything there was, either with the backup tools of different programs or by transferring all the data manually, then re-install all the apps and re-enter the information on the phone,” said Sergey Lozhkin.
Group-IB’s cybersecurity laboratory recommends regularly updating the operating system, not downloading applications from unreliable sources, and not clicking on links that are sent to you.
“When a gadget no longer receives updates and the manufacturer has ended support, that is a reason to change it. If you have serious concerns about infection, it is recommended to do a full reset of the device and configure it as new, installing only trusted apps from the official app store,” said Sergey Nikitin.
At the same time, all the experts recommended acting proactively and installing an antivirus program in good time, especially on Android devices.