Security Bulletin #127 – 14 June 2017
Beware! Over 800 Android Apps on Google Play Store Contain 'Xavier' Malware
Over 800 different Android apps, downloaded millions of times from the Google Play Store, have been found to be infected with a malicious ad library that silently collects sensitive user data and can perform dangerous operations. Dubbed "Xavier," the malicious ad library, which initially emerged in September 2016, is a member of the AdDown malware family and potentially poses a severe threat to millions of Android users. According to security researchers at Trend Micro, the malicious ad library comes bundled with a wide range of Android applications, including photo editors, wallpapers and ringtone changers, phone trackers, volume boosters, RAM optimizers and music and video players. The previous variant of the Xavier ad library was a simple adware with the ability to silently install other APKs on targeted devices, but in the latest release the malware author has replaced those features with more sophisticated ones, including detection evasion, remote code execution and an info-stealing module. The easiest way to avoid being targeted by clever malware like Xavier is to be wary of suspicious applications, even when downloading them from the official Play Store, and to stick to trusted publishers only. Always read the reviews left by other users who have downloaded the app and verify the app's requested permissions before installing it. It is strongly advised to keep a reputable antivirus application on your device and to keep your device and apps up to date.
Adobe Patches 20 Flaws in Flash Player
Nine vulnerabilities have been patched in Flash Player with the release of version 184.108.40.206. The security holes have been described as critical use-after-free and memory corruption flaws that can lead to remote code execution. The flaws have been assigned the following CVE identifiers: CVE-2017-3075, CVE-2017-3081, CVE-2017-3083, CVE-2017-3084, CVE-2017-3076, CVE-2017-3077, CVE-2017-3078, CVE-2017-3079 and CVE-2017-3082. Nine flaws have also been fixed by Adobe in the Digital Editions eBook reader. However, these bugs have a lower priority rating and only four memory corruptions that can be exploited for remote code execution are considered critical. The other vulnerabilities, classified as important, can lead to privilege escalation and memory address disclosure. Fortinet employees also informed Adobe of a remote code execution vulnerability in Shockwave Player for Windows. The problem is considered critical, but it has been assigned a priority rating of “2,” which means it’s less likely to be exploited. One important information disclosure flaw has been fixed in the Windows and Macintosh versions of Adobe Captivate, an authoring tool that is used for creating e-learning content.
Emerging Matrix Banker Trojan is targeting banks in Latin America
Malware researchers at Arbor Networks have spotted a new banking trojan, initially called 'Matrix Banker', that is targeting Latin America. The malicious code still appears to be under development, and most of the victims were located in Mexico and Peru. The initial loader for the Matrix Banker Trojan gains persistence through a Registry Run key; it then extracts a DLL and injects it into the most popular Internet browsers, including Chrome, Firefox, Internet Explorer and Edge. The main DLL is injected into the browser to hook browser functions and carry out a Man-in-the-Browser attack. The malware then contacts the C&C server to retrieve the webinject configuration. Matrix Banker is the first malware that encodes and encrypts responses from the C&C server with the Salsa20 crypto algorithm. Salsa20 is an unpatented stream cipher developed by Daniel Bernstein; it is the same algorithm used by the Petya ransomware to encrypt victims' Master File Table. Experts noticed that the malware uses a very elaborate and effective redirection to a phishing page that looks like a perfect copy of the targeted bank's login page.