Tuesday, 25 February 2014

Android iBanking Trojan Source Code Leaked Online

Smartphones are a necessity for everyone today, and so they are the first target of most cyber criminals. Malware authors are getting to know their market and are changing the way they operate. Since last year we have seen a rise in the number of hackers moving from the Blackhat into the Greyhat.

Daniel Cohen, head of knowledge delivery and business development for RSA's FraudAction Group, warned users about the new threat on Thursday in a company blog post that explains everything about the malware app, called iBanking.

iBanking, a new mobile banking Trojan app that impersonates an Android 'Security App' in order to deceive its victims, may threaten a large number of users now that its source code has been leaked online through an underground forum.

It will give an opportunity to a larger number of cybercriminals to launch attacks using this kind of ready-made mobile malware in the future.

Many banking sites use two-factor authentication and transaction authorization systems to deal with the various threats, sending unique one-time-use codes to their customers' registered phone numbers via SMS. To defraud those customers, cyber criminals have started to create mobile malware like iBanking to serve their purpose.
According to security researcher Daniel Cohen, the iBanking mobile bot is a relative newcomer to the mobile malware arena, and has been available for sale in an underground hacking marketplace [Forum Link] since late last year for $5,000.
"We first saw the iBanking malware was distributed through HTML injection attacks on banking sites, social engineering victims into downloading a so called 'security app' for their Android devices," said the RSA researchers in a blog post.
In addition, with iBanking, computer malware is used to defeat the mobile-based security mechanisms used by the banking sites.

"Apart from the server-side source-code, the leaked files also include a builder that can un-pack the existing iBanking APK file and re-pack it with different configurations, essentially providing fraudsters with the means to create their own unique application," added Daniel Cohen.

In addition to SMS Sniffing, the iBanking app allows an attacker to redirect calls to any pre-defined phone number, capture audio using the device's microphone and steal other confidential data like call history log and the phone book contacts. 

During the installation process, the malicious app attempts to social-engineer the user into providing it with administrative rights, making its removal much more difficult.
"The malware is an example of the ongoing developments in the mobile malware space and we are now seeing the next generation of malicious apps being developed and commercialized in the underground, boasting web-based control panels and packing more data-stealing features," said Daniel, adding:
"The malware’s ability to capture SMS messages and audio recordings, as well as divert voice calls makes step-up authentication all the more challenging as fraudsters gain more control over the OOB device. This highlights the need for stronger authentication solutions capable of validating users’ identities using multiple factors including biometric solutions."
These days, malware apps are particularly dangerous because they are often designed to look as authentic as possible, and one in five mobile threats are now bots, which is a sign that the complexity of mobile malware is increasing.

Learn How to Hide WhatsApp 'Last seen at' Time and Profile Picture from Other Users

WhatsApp for Android has added a long-awaited privacy option for everyone who does not want to display information about when they last used the app.

This is the first impressive update to WhatsApp since its acquisition by Facebook, which paid a lot of money in cash and stock to acquire it.

Version 2.11.169 of the popular smartphone messaging application WhatsApp gives you more control over privacy options, i.e. hiding the 'last seen at' time, profile picture and status updates from others, which are currently visible to all WhatsApp users.

Currently, these options are set to 'everyone' by default, which allows any WhatsApp user to find out exactly when you last used WhatsApp and also reveals your image and status message. Most of the time we don't want this shown to everyone, or to users who are not our contacts.

How to hide WhatsApp 'last seen at' time and Profile Picture?
WhatsApp now allows you to Modify your Privacy settings in three ways:
  1. Show to 'Everyone'
  2. Show to 'My Contacts'
  3. Show to 'Nobody'
To Apply, Open your WhatsApp Settings -> Account -> Privacy and here you can set your Privacy settings as you wish.

So, if you set all the options to 'My Contacts', then only your phone contacts can see your 'last seen at' time, profile picture and status, and no one else will have this visibility.

WhatsApp's founder said in a statement:
"There would have been no partnership between our two companies (Facebook and Whatsapp) if we had to compromise on the core principles that will always define our company, our vision and our product."
I wish the company keeps doing great work for the users' privacy and security.

How to Get the latest version before official release?
At the time of writing, it is not known whether the same update has been released for other platforms. The latest version has not yet rolled out via the Google Play Store, but users can manually download and install it from WhatsApp's official website.

First Tor-Based Android Malware Spotted in the Wild

We use our smartphones to do almost everything, from Internet banking to sharing private files, and the mobile malware sector is growing at the same pace.

The number of variants of malicious software aimed at mobile devices has reportedly risen about 185% in less than a year. 

Security researchers have observed a growth in the number of computer malware families starting to use Tor-based communications, but recently security researchers at anti-virus firm Kaspersky Lab spotted the world's first Tor-based malware for the Android operating system.

The Android malware, dubbed 'Backdoor.AndroidOS.Torec.a', uses the Tor hidden service protocol for stealthy communication with its Command-and-Control servers.

Researchers found that the Trojan is run from a .onion Tor domain and builds on the functionality of 'Orbot', an open source Tor client for Android mobile devices, thus eliminating the threat of the botnet being detected and blocked by law enforcement authorities. It is not clear how many devices have been infected by this malware so far.
The Trojan is capable of intercepting and stealing incoming SMS, making USSD requests, stealing device information including 'the phone number, country, IMEI, model, version of OS', retrieving the list of installed applications on the mobile device, and sending SMSs to a specified number.
Kaspersky didn't specifically say whether the malware is focused on stealing banking information, but the popularity of the Android OS keeps motivating cyber criminals to develop far more advanced Android malware with stealthier and anti-reversing methods.

Here are some things you can do to dramatically reduce the risk of malware infections on your Android phone:
  • Install apps from official Android Market instead of third-party app stores or websites.
  • Before installing any apps, check the publisher and app reviews.
  • Pay attention to app permissions during the installation.
  • Install Antivirus and Firewall apps.

Monday, 24 February 2014

Why You need to Stop using WhatsApp?

If you haven’t heard by now, Facebook just made its biggest move ever, buying the messaging service WhatsApp in a deal worth some $19 billion. That’s 19 times what Facebook paid for Instagram two years ago.

The WhatsApp service, run by a team of just 32 engineers, handles more than 50 Billion messages daily and has approx 385 million active users.

The WhatsApp acquisition has also brought out fresh criticism over security for the billions of messages delivered on the platform. Security Researcher at Praetorian Labs identified several SSL-related security issues in the WhatsApp application using Project Neptune, a mobile application security testing platform.

"WhatsApp communication between your phone and our server is fully encrypted. We do not store your chat history on our servers. Once delivered successfully to your phone, chat messages are removed from our system," the company said in a blog post.

But researchers found that WhatsApp is vulnerable to a Man-in-the-Middle attack because the app does not enforce SSL pinning, and hence user credentials can be easily stolen. SSL pinning prevents the user of the application from becoming the victim of an attack that spoofs the SSL certificate. SSL pinning won't prove a great solution if it is not validated properly.
"WhatsApp does not perform SSL pinning when establishing a trusted connection between the mobile applications and back-end web services. Without SSL pinning enforced, an attacker could man-in-the-middle the connection between the mobile applications and back-end web services. This would allow the attacker to sniff user credentials, session identifiers, or other sensitive information."
WhatsApp is allowing its backend servers to use weak 40-bit and 56-bit encryption schemes, which can be easily cracked using a brute force attack. 'This is the kind of stuff the NSA would love,' researchers said.

The WhatsApp team has confirmed that they are actively working on adding SSL pinning to their app, but that is still not enough to protect our privacy.
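The client-side check the researchers describe as missing, as an added Python illustration (not WhatsApp's or Praetorian's code): the pin comparison runs on top of ordinary chain and hostname validation, and the context refuses cipher suites below 128 bits. For brevity it pins the whole leaf certificate rather than its public key; the function names and the stand-in certificate bytes are assumptions made for this example.

```python
import base64
import hashlib
import socket
import ssl

MIN_STRENGTH_BITS = 128  # floor that excludes the 40-bit and 56-bit suites


def fingerprint(der_cert):
    """Base64 SHA-256 of a DER certificate, the value stored as a pin."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert, pins):
    """True only if the presented certificate is in the pin set.

    An empty pin set or a missing certificate never matches, so a
    misconfigured client fails closed instead of silently skipping the check.
    """
    return bool(der_cert) and fingerprint(der_cert) in set(pins)


def hardened_context():
    """Normal CA and hostname validation plus a protocol and cipher floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDH+AESGCM:ECDH+CHACHA20")  # TLS 1.2 list; 1.3 untouched
    return ctx


def weak_ciphers(ctx):
    """Names of enabled suites whose key strength is below the floor."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < MIN_STRENGTH_BITS]


def connect_pinned(host, port, pins, timeout=10):
    """Handshake, then refuse to proceed unless the leaf matches a pin.

    Pinning is checked in addition to chain validation, never instead of it.
    Returns the negotiated (cipher, protocol, bits) tuple.
    """
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if not pin_matches(tls.getpeercert(binary_form=True), pins):
                raise ssl.SSLError("certificate does not match any pin")
            return tls.cipher()  # only now would credentials be sent


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; a real client ships the
    # fingerprints of its own service's current and backup certificates.
    current, backup, forged = b"current-leaf", b"backup-leaf", b"forged-leaf"
    pins = [fingerprint(current), fingerprint(backup)]
    print(pin_matches(current, pins), pin_matches(forged, pins))
    print(weak_ciphers(hardened_context()))
```

Shipping a backup pin alongside the current one lets the server rotate its certificate without locking out installed clients.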

Facebook and WhatsApp have assured users that nothing is going to change after the acquisition and that WhatsApp will continue to function as an independent service, but is that statement satisfying? Maybe we can trust Facebook, Google, WhatsApp... But we really can't trust the U.S. Government and security agencies like the NSA, which don't respect our privacy and freedom of speech.

Mobile messaging apps are often used to deliver sensitive data or for personal and corporate communications, so the data stored by the service provider should be encrypted end-to-end, which is not yet the case with WhatsApp.

But many other free secure chat applications are available, like Telegram, Surespot, Threema, TextSecure, RedPhone etc., that you should use to keep your data private and secure until WhatsApp adopts end-to-end encryption.

5 Best WhatsApp alternatives with end-to-end Encryption

The WhatsApp acquisition may have had a negative impact on the reputation of the company: it seems many users are planning to switch services, and a few of them have already done so.

In our previous article, we explained why you should switch from WhatsApp to an encrypted chat messaging service.

Mobile messaging apps are often used to deliver sensitive data or for personal and corporate communications, so the data stored by the service provider should be encrypted end-to-end, which is not yet the case with WhatsApp.

There are many mobile messaging applications like Japan-based Line, China’s WeChat, Korea-based KakaoTalk, and Canada’s Kik, India-based Hike and many more, but they are not end-to-end encrypted messengers.


It is time to shift to alternatives that provide end-to-end encryption for communication between two devices and respect your privacy. There are a number of solutions available, including Telegram, Surespot, Threema, TextSecure, RedPhone etc.

1.) Telegram offers end-to-end encryption and has a 'Secret Chat' feature that self-destructs messages after the conversation. The company is offering a $200,000 prize in Bitcoin to the first person to crack its encryption.

"We support two layers of secure encryption (server-client and client-client). Our encryption is based on 256-bit symmetric AES encryption, RSA 2048 encryption and Diffie–Hellman secure key exchange," the company states on its website.

Regular and Secret chats are encrypted, but during a Secret chat no data is stored on the company's server.
There are a couple of more advantages Telegram brings which really are interesting. Telegram is free and an open source project, which means that the source code of the project is freely available, and according to their official website, 'Telegram has an open API and protocol free for everyone'.

Download Telegram for Android and iOS.

2.) Surespot allows you to send and receive text messages, pictures and audio clips with end-to-end encryption. It uses 256-bit AES-GCM encryption with keys created using 521-bit ECDH, which can only be decrypted by the sender and receiver.

Unlike WhatsApp, if you delete a message, it's deleted from the recipient's phone, too. Surespot supports multiple identities on a single device. Download Surespot for Android and iOS.
 
3.) Threema is not free, but it is a perfect alternative to WhatsApp: it uses end-to-end encryption and gives you all the features of WhatsApp, like text messaging, image sharing and voice chat.
You can also sync your contact list automatically and manually. German users have started a shift to Threema after Facebook's acquisition, and the app has become the top paid app on the App Store in Germany. Download Threema for iOS and Android.

4.) TextSecure and 5.) RedPhone also provide end-to-end encryption for messaging and voice calls respectively. RedPhone allows you to upgrade a normal call to a secure call whenever it senses that the requirements can be fulfilled.
TextSecure encrypts the messages stored locally, making your information hard to leak even if you lose your device. Download TextSecure for Android and Download RedPhone for Android.

So, if you are now also planning to switch, pick whichever of the mobile messaging applications above suits you best.

Silent Circle's Blackphone - A $629 Privacy and Security Focused Smartphone

Earlier this year, encrypted communications firm Silent Circle and Spanish smartphone maker Geeksphone announced a privacy-focused encrypted smartphone called 'Blackphone', and today the company has revealed it at 'Mobile World Congress' in Barcelona.

The Blackphone, billed as the “world’s first Smartphone which places privacy and control directly in the hands of its users,” runs a fully customized version of Android called PrivatOS, comes pre-installed with lots of privacy-enabled applications, and is now available for pre-order for about $629.

Silent Circle was co-founded by a respected Cryptographer Phil Zimmermann, best known as the creator of Pretty Good Privacy (PGP), which is a widely used email encryption software.

The Blackphone handset's main focus is keeping all of your data secure and stopping government agencies from snooping on your communications. Blackphone will come with a set of applications developed by Silent Circle, including Silent Phone, Silent Text and Silent Contacts, as well as other features such as a firewall and remote wipe when required.
Blackphone also has a 'Kismet Smart Wi-Fi Manager' to improve the security of the device on public networks, and also provides private web browsing and secure file-sharing options. The Android-based Blackphone is powered by a quad-core 2 GHz processor, 2GB of RAM and 16GB of onboard storage, with support for LTE networks.

The Blackphone also comes with SpiderOak, which provides 5GB of encrypted data backup, and Virtual Private Network from Disconnect.me.

But if you think 'Blackphone' is a shield against the NSA or other intelligence agencies, then you should know this: Blackphone cannot mask metadata entirely from the NSA. No piece of man-made technology is entirely hack-proof.

Mike Janke, co-founder and CEO of Silent Circle told Mashable, "If you are on the terrorist wanted list or a criminal, intelligence services will get into your device... There's no such thing as 100% secure phone."

The Blackphone’s main security feature is voice and text encryption, not hiding metadata, that is, data about a communication such as the date, time, location and identity of the users.

Friday, 21 February 2014

Hacking a Car remotely with $20 iPhone sized Device

In the era of smart devices, we have smartphones, smart TVs, smart fridges, and even smart cars! We have made our lives very easy and comfortable by handing the master control of every task to such smart devices.

But imagine an attacker who wants to take revenge or hurt someone: now they can hack your car rather than make the brakes fail in the traditional way. Sounds horrible!

Well, two security researchers, Javier Vazquez-Vidal and Alberto Garcia Illera, have developed a home-made gadget called 'CAN Hacking Tools (CHT)', a tiny device smaller than your smartphone, which is enough to hack your car.

The kit costs less than $20, but it is capable of giving an attacker control of your entire car, from the windows and headlights to the steering and brakes.

The device uses the Controller Area Network (CAN) ports that are built into cars for computer-system checks, and draws power from the car’s electrical system. Injecting malicious code through the CAN ports allows an attacker to send wireless commands remotely from a computer. Once hackers take hold of this network they can control lights, locks, steering and even brakes.
“It can take five minutes or less to hook it up and then walk away,” says Vazquez Vidal to Forbes, adding, “We could wait one minute or one year, and then trigger it to do whatever we have programmed it to do.”
They have already tested their CHT device on four different vehicles and successfully did tricks, including applying Emergency brakes while the car was in motion that could potentially cause a sudden stop in traffic, switching off headlights, setting off alarms, and affecting the steering.

So far their device can communicate only via Bluetooth, which is limited to a short range, but soon they will upgrade it to use a GSM cellular radio that would make it possible to control the device from miles away.

All the ingredients of their tool are off-the-shelf components, so that even if the device is discovered, it wouldn’t necessarily provide clues as to who planted it. “It’s totally untraceable,” says Vazquez Vidal. “A car is a mini network,” says his second partner Garcia Illera, adding, “And right now there’s no security implemented.”

SIM Card Cloning Hack Affects 750 Million Users Around the World

SIM cards are among the most widely-deployed computing platforms with over 7 billion cards in active use. Cracking SIM cards has long been the Holy Grail of hackers because the tiny devices are located in phones and allow operators to identify and authenticate subscribers as they use networks.
German cryptographer Karsten Nohl, the founder of Security Research Labs, claims to have found encryption and software flaws that could affect millions of SIM cards and allow hackers to remotely gain control of, and also clone, certain mobile SIM cards.

This is the first hack of its kind in a decade. Nohl will be presenting his findings at the Black Hat security conference this year. He and his team tested close to 1,000 SIM cards for vulnerabilities, exploited by simply sending a hidden SMS.

According to him, Hackers could use compromised SIMs to commit financial crimes or engage in espionage. Once a hacker copies a SIM, it can be used to make calls and send text messages impersonating the owner of the phone.

The exploit only works on SIMs that use an old encryption technology known as DES. DES is used in around three billion mobile SIMs worldwide, of which Nohl estimates 750 million are vulnerable to the attack.

GSMA, which represents nearly 800 mobile operators, will notify telecommunications regulators and other government agencies in nearly 200 countries about the potential threat and also reach out to hundreds of mobile companies, academics and other industry experts.

Nohl believes that cyber criminals have already found the bug. Now that the theoretical details of the vulnerability are out, he expects it would take them at least six months to crack it, by which time the wireless industry will have implemented available fixes.

Extreme GPU Bruteforcer - Crack passwords with 450 Million passwords/Sec Speed

Extreme GPU Bruteforcer, developed by InsidePro, is a program meant for the recovery of passwords from hashes of different types. It uses the power of the GPU, which enables it to reach a truly extreme attack speed of approximately 450 million passwords per second.

The software supports hashes of the following types: MySQL, DES, MD4, MD5, MD5(Unix), MD5(phpBB3), MD5(Wordpress), NTLM, Domain Cached Credentials, SHA-1, SHA-256, SHA-384, SHA-512 and many others.

The software implements several unique attacks, including mask and hybrid dictionary attacks, which allow recovering even the strongest passwords incredibly fast. Utilizing the power of multiple graphics cards running simultaneously (supports up to 32 GPU), the software allows reaching incredible search speeds of billions of passwords per second!
Average speed by hash type (using NVIDIA GTS250):
  • MD5: 420,000,000 p/s
  • MySQL: 1.08 billion p/s
  • MD4: 605,000,000 p/s
  • NTLM: 557,000,000 p/s
  • SHA-1: 120,000,000 p/s
  • MySQL5: 66 million p/s
  • LM: 49 million p/s
The program is easy to use. To launch it, just pass two command-line parameters: the name of the INI file with the attack settings and the name of the text file with hashes.
  • INI file parameters (please read here for details)
[Settings]
AttackMode=1
LastPassword=
CurrentDevice=1
StreamProcessors=128
PasswordsPerThread=3000
Base64Hashes=0
AttackTime=0
DeleteHashes=0
OutputFileFormat=0
AppendToOutputFile=1
AppendToDictionaryFile=1
CustomCharacterSet1=
; ...
CustomCharacterSet9=
CustomCharacterSetA=
; ...
CustomCharacterSetZ=


[BruteForceAttack]
1=?d,0,9
2=?l?d,1,7
3=?l?d?s?u,1,5


[MaskAttack]
1=?u?l?l?l?l


[DictionaryAttack]
1=Dictionaries\InsidePro (Mini).dic
2=Dictionaries\PasswordsPro.dic


[HybridAttack]
Dictionary=Dictionaries\InsidePro (Mini).dic
1=@
2=@?d
3=@?d?d
  • The name of a text file with hashes. The format is "one line = one hash". The program distribution includes test files with example hashes.

The screenshot for this test shows a 7-character alphanumeric NTLM password being cracked at a speed of 553.510 million passwords per second; the cracking process takes a few seconds to recover the value behind the hash by brute force.

In another example, a 7-character alphanumeric MD5 password was cracked at a speed of 423.966 million passwords per second.
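For anyone setting password policy, the useful number is how long a given search space lasts at these rates. The following Python sketch is an added illustration, not InsidePro's code or part of the original post: it reads the [BruteForceAttack] and [MaskAttack] entries shown above, computes how many candidates each covers, and gives the worst-case time at the quoted speeds. It assumes each brute-force entry means "charset,minimum length,maximum length" and that ?s stands for 33 symbols.

```python
import configparser
import re

# Alphabet size per token. ?d, ?l and ?u are digits, lowercase and uppercase;
# 33 for ?s (ASCII punctuation plus space) is an assumption of this example.
TOKEN_SIZES = {"d": 10, "l": 26, "u": 26, "s": 33}

# Single-GPU rates quoted in the article, in passwords per second.
QUOTED_RATES = {"NTLM": 553.510e6, "MD5": 423.966e6}

# The two attack sections as they appear in the INI listing above.
SAMPLE_INI = """
[BruteForceAttack]
1=?d,0,9
2=?l?d,1,7
3=?l?d?s?u,1,5

[MaskAttack]
1=?u?l?l?l?l
"""

def parse_tokens(spec):
    """Split '?l?d' into ['l', 'd'], rejecting anything that is not a token."""
    found = re.findall(r"\?([dlsu])", spec)
    if not found or "".join("?" + t for t in found) != spec:
        raise ValueError(f"unsupported charset or mask: {spec!r}")
    return found

def alphabet_size(spec):
    """Size of the union of the character classes named in a charset spec."""
    return sum(TOKEN_SIZES[t] for t in set(parse_tokens(spec)))

def brute_force_keyspace(entry):
    """Candidates covered by 'charset,min,max' (assumed field order)."""
    spec, shortest, longest = entry.rsplit(",", 2)
    size = alphabet_size(spec)
    return sum(size ** n for n in range(int(shortest), int(longest) + 1))

def mask_keyspace(mask):
    """Candidates covered by a positional mask such as '?u?l?l?l?l'."""
    total = 1
    for token in parse_tokens(mask):
        total *= TOKEN_SIZES[token]
    return total

def min_length_to_outlast(spec, rate, seconds):
    """Shortest maximum length whose full search takes longer than `seconds`."""
    size, covered, length = alphabet_size(spec), 0, 0
    while covered <= rate * seconds:
        length += 1
        covered += size ** length
    return length

def audit(ini_text, rate):
    """Map each configured attack to (keyspace, worst-case seconds at rate)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    jobs = [(e, brute_force_keyspace(e))
            for e in cfg["BruteForceAttack"].values()]
    jobs += [(m, mask_keyspace(m)) for m in cfg["MaskAttack"].values()]
    return {name: (space, space / rate) for name, space in jobs}

if __name__ == "__main__":
    for name, (space, secs) in audit(SAMPLE_INI, QUOTED_RATES["NTLM"]).items():
        print(f"{name:<14} {space:>14,} candidates {secs:10.2f} s worst case")
    year = 365 * 24 * 3600
    for spec in ("?l?d", "?l?d?s?u"):
        need = min_length_to_outlast(spec, QUOTED_RATES["NTLM"], year)
        print(f"{spec}: length {need} to outlast one GPU-year of NTLM search")
```

The rates are single-card figures; since the program supports up to 32 GPUs, multiply the rate accordingly before reading off a minimum length.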

The main requirement is that your video card must support CUDA technology. By default, the program is configured to run in extreme operating mode to recover passwords at the highest speed possible. If that slows down your PC, you can reduce the load on your computer by decreasing the value of the PasswordsPerThread parameter in the INI file.

Download the trial version or buy the full version from here
