Update, August 2, 2024 (04:10 PM ET): Google has reached out to us with a message of reassurance:

Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.

Of course, the key word there is “known” versions, and as the team at Cleafy reported, BingoMod is still evolving and working on new tricks to evade detection. Play Protect isn’t going to rest on its laurels, either, so expect this cat-and-mouse game to continue. And for your own part, keep using best practices when it comes to sourcing your apps.

Original article, August 2, 2024 (11:44 AM ET): Getting malware on your smartphone is just a recipe for a bad day, but even within that misery there’s a spectrum of how awful things will be. Some malware may be interested in exploiting its position on your device to send spam texts or mine crypto. But the really dangerous stuff just wants to straight-up steal from you, and the example we’re checking out today has a particularly nasty going-away present for your phone when it’s done.

A remote access trojan (RAT) dubbed BingoMod was first spotted back in May by the researchers at Cleafy (via BleepingComputer). The software is largely spread via SMS-based phishing, where it masquerades as a security tool — one of the icons the app dresses itself up with is that from AVG antivirus. Once on your phone, it requests access to Android Accessibility Services, which it uses to get its hooks in for remotely controlling your device.

Once established, the malware’s goal is setting up money transfers. It steals login data with a keylogger, and confirmation codes by intercepting SMS. And then when it has the credentials and access it needs, the threat actor controlling the malware can start transferring all your savings away. With language support for English, Romanian, and Italian, the app seems targeted at European users, and circumstantial evidence suggests Romanian devs may be behind it.

All this sounds bad, but not that different from plenty of malware, right? Well, BingoMod, it seems, is a little paranoid about being found out. Besides the numerous tricks it uses to evade automatic detection, it’s got a doomsday weapon it’s ready to deploy after achieving its goals and wiping your accounts clean: it wipes your phone.

While BingoMod supports a built-in command for wiping data, that’s limited to external storage, which isn’t going to get it very far. Instead, Cleafy’s team suspects that the people controlling the malware remotely are manually executing these wipes when they’re done stealing from you, just like you’d do yourself before getting rid of an old phone. Presumably, that’s in the goal of destroying evidence of the hack — losing your personal data is just collateral damage.

That’s a fresh kind of awful that we would be very happy never having to deal with. The good news is that you really don’t have to. Get your apps from official sources, don’t install software from sketchy text messages, and you’ll be well on your way to not losing all your data in a malware attack.

Enlarge (credit: Marco Verch Professional Photographer and Speaker)

Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said.

The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.

These aren’t the update servers you’re looking for

Because the update mechanisms didn’t use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1 rather than the authoritative DNS server provided by the ISP.

Read 12 remaining paragraphs | Comments

Update, August 2, 2024 (04:10 PM ET): Google has reached out to us with a message of reassurance:

Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.

Of course, the key word there is “known” versions, and as the team at Cleafy reported, BingoMod is still evolving and working on new tricks to evade detection. Play Protect isn’t going to rest on its laurels, either, so expect this cat-and-mouse game to continue. And for your own part, keep using best practices when it comes to sourcing your apps.

Original article, August 2, 2024 (11:44 AM ET): Getting malware on your smartphone is just a recipe for a bad day, but even within that misery there’s a spectrum of how awful things will be. Some malware may be interested in exploiting its position on your device to send spam texts or mine crypto. But the really dangerous stuff just wants to straight-up steal from you, and the example we’re checking out today has a particularly nasty going-away present for your phone when it’s done.

A remote access trojan (RAT) dubbed BingoMod was first spotted back in May by the researchers at Cleafy (via BleepingComputer). The software is largely spread via SMS-based phishing, where it masquerades as a security tool — one of the icons the app dresses itself up with is that from AVG antivirus. Once on your phone, it requests access to Android Accessibility Services, which it uses to get its hooks in for remotely controlling your device.

Once established, the malware’s goal is setting up money transfers. It steals login data with a keylogger, and confirmation codes by intercepting SMS. And then when it has the credentials and access it needs, the threat actor controlling the malware can start transferring all your savings away. With language support for English, Romanian, and Italian, the app seems targeted at European users, and circumstantial evidence suggests Romanian devs may be behind it.

All this sounds bad, but not that different from plenty of malware, right? Well, BingoMod, it seems, is a little paranoid about being found out. Besides the numerous tricks it uses to evade automatic detection, it’s got a doomsday weapon it’s ready to deploy after achieving its goals and wiping your accounts clean: it wipes your phone.

While BingoMod supports a built-in command for wiping data, that’s limited to external storage, which isn’t going to get it very far. Instead, Cleafy’s team suspects that the people controlling the malware remotely are manually executing these wipes when they’re done stealing from you, just like you’d do yourself before getting rid of an old phone. Presumably, that’s in the goal of destroying evidence of the hack — losing your personal data is just collateral damage.

That’s a fresh kind of awful that we would be very happy never having to deal with. The good news is that you really don’t have to. Get your apps from official sources, don’t install software from sketchy text messages, and you’ll be well on your way to not losing all your data in a malware attack.

Enlarge (credit: Jacqui VanLiew; Getty Images)

As generative AI systems like OpenAI's ChatGPT and Google's Gemini become more advanced, they are increasingly being put to work. Startups and tech companies are building AI agents and ecosystems on top of the systems that can complete boring chores for you: think automatically making calendar bookings and potentially buying products. But as the tools are given more freedom, it also increases the potential ways they can be attacked.

Now, in a demonstration of the risks of connected, autonomous AI ecosystems, a group of researchers has created one of what they claim are the first generative AI worms—which can spread from one system to another, potentially stealing data or deploying malware in the process. “It basically means that now you have the ability to conduct or to perform a new kind of cyberattack that hasn't been seen before,” says Ben Nassi, a Cornell Tech researcher behind the research.

Nassi, along with fellow researchers Stav Cohen and Ron Bitton, created the worm, dubbed Morris II, as a nod to the original Morris computer worm that caused chaos across the Internet in 1988. In a research paper and website shared exclusively with WIRED, the researchers show how the AI worm can attack a generative AI email assistant to steal data from emails and send spam messages—breaking some security protections in ChatGPT and Gemini in the process.

Read 15 remaining paragraphs | Comments

Enlarge (credit: NurPhoto / Contributor | NurPhoto)

WhatsApp will soon be granted access to explore the "full functionality" of the NSO Group's Pegasus spyware—sophisticated malware the Israeli Ministry of Defense has long guarded as a "highly sought" state secret, The Guardian reported.

Since 2019, WhatsApp has pushed for access to the NSO's spyware code after alleging that Pegasus was used to spy on 1,400 WhatsApp users over a two-week period, gaining unauthorized access to their sensitive data, including encrypted messages. WhatsApp suing the NSO, Ars noted at the time, was "an unprecedented legal action" that took "aim at the unregulated industry that sells sophisticated malware services to governments around the world."

Initially, the NSO sought to block all discovery in the lawsuit "due to various US and Israeli restrictions," but that blanket request was denied. Then, last week, the NSO lost another fight to keep WhatsApp away from its secret code.

Read 12 remaining paragraphs | Comments

Enlarge (credit: Getty Images)

Code uploaded to AI developer platform Hugging Face covertly installed backdoors and other types of malware on end-user machines, researchers from security firm JFrog said Thursday in a report that’s a likely harbinger of what’s to come.

In all, JFrog researchers said, they found roughly 100 submissions that performed hidden and unwanted actions when they were downloaded and loaded onto an end-user device. Most of the flagged machine learning models—all of which went undetected by Hugging Face—appeared to be benign proofs of concept uploaded by researchers or curious users. JFrog researchers said in an email that 10 of them were “truly malicious” in that they performed actions that actually compromised the users’ security when loaded.

Full control of user devices

One model drew particular concern because it opened a reverse shell that gave a remote device on the Internet full control of the end user’s device. When JFrog researchers loaded the model into a lab machine, the submission indeed loaded a reverse shell but took no further action.

Read 17 remaining paragraphs | Comments