Avast Blog_Security News: Beware the adware, and more news of the week
Quote:

A sophisticated strain of adware called BeiTaAd lurked in the background of Google Play apps downloaded 440 million times.

Adware on Google Play gets 440M downloads

An array of 238 apps that have been downloaded a collective total of 440 million times were found to contain “heavily obfuscated adware” known as BeiTaAd, reported Dark Reading, citing the recent findings of security intelligence engineer Kristina Balaam. Responding to a user’s report of strange pop-up ads, Balaam’s team found the adware hidden in almost 240 apps available for download from the Google Play store, all published by the same company — CooTek.

While some apps actually do ship with a legal load of adware, the BeiTaAd malware is overly aggressive, rendering the infected device essentially useless. There is no question that the adware was deliberately hidden within the CooTek apps, as it “was renamed, given a different filetype extension, and given AES encryption,” according to the Dark Reading article.

Avast security evangelist Luis Corrons commented, “We are talking here about really advanced adware designed to bypass Google screening systems in place for all apps sold in the official store. On top of having a good antivirus installed on our phones, we have to check that the apps we install really need all the permissions they request.”

Balaam reported the infected apps to Google Play, stating in her blog that as of May 23, they have been either updated to versions without the adware or removed from the online shop completely.

This week’s quote

“This BeiTaAd plugin family provides insight into future development of mobile adware. As official app stores continue to increase restrictions on out-of-app advertisements, we are likely to see other developers employ similar techniques to avoid detection.”

—Researcher Kristina Balaam, on adware launching from an infected plugin instead of needing to be installed on the device

Scattered Canary grows into flock of trouble

The Agari Cyber Intelligence Division (ACID), a security group focused on business email compromise (BEC), this week called out cybercrime syndicate Scattered Canary as a lead perpetrator of BEC scams, Bleeping Computer reported yesterday. Starting in 2008 as a one-man operation committing romance scams and check fraud on Craig’s List, Scattered Canary’s founder — a person cybersecurity researchers call “Alpha” — gradually enlarged operations. “Once they had secured enough mules via their romance scams to launder their stolen money, they shifted from targeting individuals to targeting enterprises, and the group’s BEC operation was born,” stated ACID, pointing out that along with its highly profitable business email scams, the crime group is running dozens of other schemes as well including more romance scams, employment scams, Social Security fraud, and tax fraud.

Scattered Canary came under the microscope when it targeted the Agari CFO for wire transfer fraud. ACID began observing the group’s activity, and over the course of two months gathered info on eight of its “mule” money collection accounts. ACID also made note of various tactics, techniques, and procedures used by the cybercriminals, including an index of 26 different phishing email templates, which ACID shared with authorities.