Charger Malware Calls and Raises the Risk on Google Play

 
Several weeks ago, Check Point Mobile Threat Prevention detected and quarantined the Android device of an unsuspecting customer employee who downloaded and installed a 0day mobile ransomware from Google Play dubbed “Charger.” This incident demonstrates how malware can be a dangerous threat to your business, and how advanced behavioral detection fills mobile security gaps attackers use to penetrate entire networks.   Charger was found embedded in an app called EnergyRescue. The infected app steals contacts and SMS messages from the user’s device and asks for admin permissions. If granted, the ransomware locks the device and displays a message demanding ...

A Whale of a Tale: HummingBad Returns

 
  Check Point researchers have found a new variant of the HummingBad malware hidden in more than 20 apps on Google Play. The infected apps in this campaign were downloaded several million times by unsuspecting users. Check Point informed the Google Security team about the apps, which were then removed from Google Play. This new variant, dubbed ‘HummingWhale,’ includes new, cutting edge techniques that allow it to perform ad fraud better than ever before.   HummingBad is a malware first discovered by Check Point on customer’s devices in February 2016. HummingBad stands out as an extremely sophisticated and well-developed malware, which employed a ...

What’s the Proteus Botnet and how does it work?

 
  The Proteus botnet emerged toward the end of November 2016.  Only a few samples of it were found in the wild and, at the moment, it doesn’t seem to have a widespread campaign.  So, what does it do? It launches a multi-layered attack on an infected machine where it runs several processes aimed at coin mining, credential theft, and keylogging.  In addition, the bot can perform on its own; it offers the cybercriminal to send commands over HTTP to download malicious executables and execute them.   In some samples, the botnet disguises itself as a Google Chrome executable. The functionality of the botnet is highly reliant on its C&C (command and control) server, ...

Malware Takes a Christmas Break in December’s Global Threat Index

 
Global malware attacks decreased by 8% in December compared with the previous month, with the popular Locky ransomware recording a huge 81% decrease per week, according to the latest monthly Global Threat Index from Check Point’s Threat Intelligence Research Team. This isn’t an invitation to businesses to sit back and relax, however. Our team predicts that this lull really is due to malicious cybercriminals taking a Christmas break – and, following the same trends last year, when December recorded a 9% drop in the number of malware attacks worldwide, we expect attack volumes to bounce back in January.   The Global Threat Index tracks malware attacks against ...

Looking for a New Employee? Beware of a New Ransomware Campaign

 
Despite trying to brand itself as a new malware, GoldenEye, the latest Petya variant, is very similar to older versions and differs mostly in its “golden” motif. The most prominent change, however, is how the campaign spreads the ransomware. The current campaign used to distribute GoldenEye has a job application theme. It is therefore aimed at companies’ Human Resources departments, due to the fact they usually cannot avoid opening emails and attachments from strangers, a common malware infection method. HR-Targeted Ransomware The new campaign targets German speakers and mimics a job application. The email contains a brief message supposedly from a job applicant and ...

How We Found Two New Ransomware Families and Built Their Decryptors

 
Ransomware is one of the most common and effective attack methods today, and it seems this trend isn’t going to change anytime soon. This last November, we found that ransomware attacks are surging, with our Global Threat Index showing that the number of ransomware attacks using Locky and Cryptowall increased by 10%. Today, Check Point’s Threat Intelligence Team reveals two new ransomware samples that were found in the wild, but also the decryption solutions which can help victims retrieve their lost data free of charge. Check Point is an Associate Partner of the No More Ransom (NMR) project, which aims to fight back against the ransomware epidemic. As such, our new decryption ...

Check Point discovers three Zero-Day Vulnerabilities in web programming language PHP 7

 
PHP 7, the latest release of the popular web programming language that powers more than 80% of websites, offers great advantages for website owners and developers. Some of them include doubling the performance and adding numerous functionalities. Yet for hackers, it represents a completely fresh attack vector, where they can find previously undisclosed vulnerabilities. During the past few months, we have analyzed PHP 7 and made it a priority to look into one of the most notoriously vulnerable areas of PHP: The unserialize mechanism. This is the same mechanism that was heavily exploited in PHP 5 and allowed hackers to compromise popular platforms as Magento, vBulletin, Drupal, Joomla!, ...

An In-depth Look at the Gooligan Malware Campaign

 
Check Point mobile threat researchers today published a technical report that provides deep technical analysis of the Gooligan Android malware campaign, which was first announced on November 30. The report discusses the ins and outs of how more than one million Google accounts were breached, potentially exposing messages, documents, photos, and other sensitive data. A new variant of the Android malware found by Check Point researchers in the SnapPea app in 2015, Gooligan roots devices and steals email addresses and authentication tokens stored on the device. With this information, an attacker can access a user's Google account data within Google Play, Google Photos, Gmail, Google ...

Two Thanksgiving Presents from the Leading Ransomware

 
Cerber and Locky, the two most popular ransomwares out there, have launched new variants to the wild simultaneously. The new ransomware versions released perform slender, yet very interesting, changes that may affect the way they are being detected. CERBER 5.0 Uses New IP Ranges as well as Old Ones The actors behind Cerber, like other actors in the ransomware industry, innovate on a daily basis. Only yesterday (November 23rd, 2016) a new version of Cerber was released (4.1.6); however no prominent changes were noticeable in it. Less than 24 hours later, Cerber released the new version, 5.0, which is described in this article. A notable change introduced in this Cerber version is ...