Category Archives: Malware


Fake Pornhub apps are spreading online to lock you out of your Android device


Be careful when streaming adult videos on your smartphone: your device might end up locked and held hostage, and not in the kinky sense.

According to cybersecurity firm ESET, fake Pornhub apps are out to infect Android smartphones, locking users out of them and then demanding a ransom to free the phone.

While Pornhub does have an Android app, Google doesn’t permit pornographic content to be hosted on the Play Store. This pushes users of the service to look for the app elsewhere on the web, where they may run into dangerous and malicious content one way or another.

Because Android allows sideloading, apps can be distributed as raw APK files. Since there is no official Pornhub entry on the store, cybercriminals can easily disguise any app as the adult video service, inject malicious code, and then wait for unsuspecting victims to download it.

If one of the rogue apps is installed, it first claims it needs to check the phone for viruses before it can play any videos. During this supposed check, it silently installs Android ransomware that locks the user out of the device.

The lock screen demanding $100 to settle the case | via ESET
A “police ransomware” lock screen is then displayed, demanding that the victim pay $100 to unlock the device. The message threatens legal action should the victim refuse to pay, but given the poor grammar of the lock screen message shown above, it is easy to see that the legal threat is not legitimate.


To get rid of this malware for good, ESET advises victims to boot the device into Safe mode and then revoke the app’s Device Administrator privileges. Once those steps are taken, the app can be uninstalled through Settings. If all else fails, resetting the device to factory settings is still an option.

With rogue software like this around, it pays to stay away from third-party app sources as much as possible. Use discretion when sideloading APK files as well, as some may contain malware that compromises you or your device’s security.

Go spy, GO! Popular GoKeyboard App Spying on 200M+ Android Users

Go spy, GO! A popular app with 200M+ users crosses the red line.

For Android smartphone users, online life is always on the edge: every other day there is a new way for cybercriminals to keep tabs on their devices and attack their privacy. As a rule of thumb, an Android user must never trust any means of collecting private data, since even common, harmless-looking apps can perform unnoticed surveillance. Blame it on the way app developers and OEMs design their products and services.
Thankfully, we have security experts and researchers working day in and day out to alert us to the secret functions and capabilities of certain apps beforehand, so that we can avoid downloading them.

AdGuard security researchers have identified that GO Keyboard, an app made by the Chinese GOMO developer team, cannot be trusted because it spies on its users, and Android smartphone owners should therefore not download or install it.
According to the researchers, there are two variants of GO Keyboard on Google Play, namely “GO Keyboard – Emoji keyboard, Swipe input, GIFs” and “GO Keyboard – Emoticon keyboard, Free Theme, GIF.” Both versions send private data to remote servers and execute unauthorized code on the Android device. Each version has about 100k to 500k downloads so far, and on the Play Store the apps are rated 4.5 and 4.4 stars.

Researchers from AdGuard became alert to suspicious spying by keyboard apps after the TouchPal keyboard app was found displaying ads on HTC devices earlier in 2017. They suspected that the GOMO developer team was collecting private and confidential data such as the email address used for the Google Play Store account, the Android version, screen size, network type and the phone’s make and model.
Moreover, the keyboard apps were communicating with tracking networks and executing code such as dex files or native code fetched from a remote server. This violates the Malicious Behavior section of Google’s Developer Policy Center. The app also contradicts the description its developers provide, which reads:
“We will never collect your info including credit card information. In fact, we care for privacy of what you type and who you type!”

The app does the exact opposite of what it promises. It starts sending personal data right after installation and communicates with dozens of tracking servers, in addition to collecting sensitive, confidential information.
It is worth noting that some plugins downloaded by these apps have been flagged as adware by prominent anti-virus programs. The dangers are obvious: if a keyboard app can record and send out everything we type, such as passwords, message texts, social media login IDs, phone numbers and bank account numbers, that information can be exploited in many ways, one of which is selling it to third parties.
Some of the permissions the researchers noticed are: “retrieve running apps, read sensitive log data, find accounts on the device, read your contacts, read call log, record audio, display unauthorized windows, read terms you added to the dictionary and add words to user-defined dictionary etc.”
“We find this behavior unacceptable and dangerous. Having 200+ Million users does not make an app trustworthy. Do not blindly trust mobile apps and always check their privacy policy and what permissions do they require before the installation,” stated AdGuard researchers.
AdGuard has notified Google of its findings, and the company has yet to release an official statement about the issue. However, three days ago, in the comment section of AdGuard’s post, Andrey Meshkov wrote that Google never replied to the report.
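The permission list quoted above is the kind of thing a reviewer can check mechanically before installing. The following is an added example, not AdGuard’s or GOMO’s code: it parses a constructed AndroidManifest.xml fragment for a hypothetical keyboard app and flags the declared permissions that a keyboard has no obvious need for. The mapping from the plain-language labels in the article to `android.permission.*` names, and the judgement of which ones are excessive for a keyboard, are this example’s own assumptions.

```python
"""Audit an Android manifest for permissions a keyboard has no business asking for."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions matching the labels quoted in the article. The label mapping is
# an assumption of this example, not taken from the page or from Google.
SUSPICIOUS_FOR_KEYBOARD = {
    "android.permission.GET_TASKS": "retrieve running apps",
    "android.permission.READ_LOGS": "read sensitive log data",
    "android.permission.GET_ACCOUNTS": "find accounts on the device",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.READ_USER_DICTIONARY": "read terms you added to the dictionary",
    "android.permission.WRITE_USER_DICTIONARY": "add words to user-defined dictionary",
}

# Constructed manifest fragment for a hypothetical keyboard app (not a real package).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.keyboard">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def audit_keyboard_manifest(manifest_xml):
    """Return {permission: plain-language label} for each suspicious permission found."""
    found = {}
    for perm in declared_permissions(manifest_xml):
        if perm in SUSPICIOUS_FOR_KEYBOARD:
            found[perm] = SUSPICIOUS_FOR_KEYBOARD[perm]
    return found


if __name__ == "__main__":
    for perm, label in sorted(audit_keyboard_manifest(SAMPLE_MANIFEST).items()):
        print(f"{perm:45s} {label}")
```

Run against a real APK, the manifest would first have to be decoded from its binary form (for example with apktool); the check itself is the same. INTERNET and VIBRATE pass because a keyboard plausibly needs them, which is exactly why a permission audit has to be app-type aware rather than a flat blocklist.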
Image: AdGuard’s comment section


Apple macOS High Sierra Bug Lets Hackers Steal Keychain Passwords in Plaintext

Yesterday Apple rolled out the latest version of its macOS operating system, dubbed High Sierra (10.13), a few hours before an ex-NSA hacker publicly disclosed details of a critical vulnerability that affects High Sierra as well as older versions of macOS.

Ex-NSA hacker Patrick Wardle, now head of research at security firm Synack, found a critical zero-day vulnerability in macOS that could allow any installed application to steal the usernames and plaintext passwords of online accounts stored in the Mac Keychain.

The macOS Keychain is a built-in password management system that helps Apple users securely store passwords for applications, servers and websites, as well as cryptographic keys and credit card numbers, all of which can be unlocked only with a user-defined master password. Normally no application can access the contents of the Keychain unless the user enters the master password.

“I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data … including your plain text passwords. This is not something that is supposed to happen! :(” Patrick Wardle wrote.

The security flaw is linked to macOS’s Secure Kernel Extension Loading (SKEL) security feature, disclosed earlier this month, which allows an attacker to run any third-party kernel extension without requiring user approval.

Wardle recently posted a proof-of-concept video of the exploit, demonstrating how it can be used to exfiltrate every single plaintext password from the Keychain without requiring the user to enter the master password.

Video: “Steal y0 (macOS) Keychain” by Patrick Wardle on Vimeo

The video shows how a malicious installed application, signed or unsigned, enables an attacker to remotely steal all the passwords stored in the Keychain without notifying the user of the attack.

“macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval,” said Apple in a statement released today.

“We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.”

Wardle maintained that he reported the issue to Apple last month, and made the public disclosure when the company went ahead and released High Sierra without fixing the vulnerability, which affects not only the newest version but also older versions of macOS.

Passwords For 540,000 Car Tracking Devices Leaked Online.

Over 500,000 car tracking devices’ passwords accidentally leaked due to misconfigured cloud server

In yet another case of an accidental data leak, the login credentials of over 500,000 car tracking devices were freely exposed due to a misconfigured cloud server. The data came from SVR Tracking, a firm that claims to specialize in “vehicle recovery.”

SVR allows its clients to track their vehicles around the clock so they can monitor and recover them in case of theft. The firm attaches a tracking device to the vehicle in a discreet place, so if the vehicle is stolen, the thief has no idea it is being monitored.
According to researchers at Kromtech Security, who discovered the leak, the exposed data included SVR users’ account credentials, such as emails and passwords. Users’ vehicle data, including VINs and license plates, was also exposed. The data was exposed via an insecure Amazon S3 bucket.
“Each repository contained over half a million records with logins/passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is related to their plans, clients and auto dealerships. Interestingly, the exposed database also contained information on where exactly in the car the tracking unit was hidden,” Kromtech researcher Bob Diachenko said in a blog post.


SVR’s car tracking system records where a vehicle has been for the past 120 days, and that history can be viewed by anyone who has access to a user’s login credentials.
The insecure Amazon S3 bucket was secured after Kromtech reached out to SVR and informed them of the exposure. It remains unclear how long the data was freely accessible, and whether it was accessed by malicious actors.
“In the age where crime and technology go hand in hand, imagine the possible threat if cybercriminals could find out where a car is by logging in with the credentials that were publicly available online and steal that car? The overall number of devices could be much bigger given the fact that many of the resellers or customers had large numbers of devices for tracking,” Diachenko said.
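The leak above came down to an S3 bucket that anyone could read. As an added example (not Kromtech’s or SVR Tracking’s code), the check below takes a bucket ACL and a bucket policy in the shape the S3 GetBucketAcl and GetBucketPolicy APIs return and reports whether either grants access to everyone. The ACL and policy documents, the bucket name and the role ARN are constructed for the example; no AWS call is made.

```python
"""Flag an S3 bucket whose ACL or bucket policy grants access to everyone."""
import json

# The two predefined S3 groups that mean "anyone on the internet" and
# "anyone with any AWS account"; a grant to either makes the bucket public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return the permissions the ACL gives to the AllUsers/AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append(grant["Permission"])
    return hits


def _is_wildcard_principal(principal):
    # Principal may be the string "*" or {"AWS": "*"} / {"AWS": [..., "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return the Sid (or index) of every Allow statement open to any principal."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given unwrapped
        statements = [statements]
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def bucket_is_public(acl, policy_json):
    return bool(acl_public_grants(acl)) or bool(policy_public_statements(policy_json))


# Constructed samples: the weak configuration (world-readable) beside the corrected one.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
WEAK_ACL = {"Owner": {"ID": "example-owner-id"},
            "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                       {"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17",
                          "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                                         "Principal": "*", "Action": "s3:GetObject",
                                         "Resource": "arn:aws:s3:::example-tracker-backups/*"}]})
FIXED_ACL = {"Owner": {"ID": "example-owner-id"},
             "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FIXED_POLICY = json.dumps({"Version": "2012-10-17",
                           "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                                          "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
                                          "Action": "s3:GetObject",
                                          "Resource": "arn:aws:s3:::example-tracker-backups/*"}]})

if __name__ == "__main__":
    print("weak bucket public: ", bucket_is_public(WEAK_ACL, WEAK_POLICY))
    print("fixed bucket public:", bucket_is_public(FIXED_ACL, FIXED_POLICY))
```

Wired to a real account, the two inputs would come from `get_bucket_acl` and `get_bucket_policy` on a boto3 S3 client; a bucket can be public through either mechanism alone, which is why both are checked rather than just the policy.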


Current FinFisher surveillance attacks: Are internet providers involved?

Security researchers have found that legitimate downloads of several popular applications, including WhatsApp, Skype, VLC Player and WinRAR, have reportedly been compromised at the ISP level to deliver the infamous FinFisher spyware, also known as FinSpy.

FinSpy is a highly secretive surveillance tool that has previously been linked to the British company Gamma Group, which sells surveillance and spying software to government agencies around the world.

Gamma Group’s digital surveillance tools have in the past been sold to oppressive regimes including Bahrain, Egypt and the United Arab Emirates (UAE). In March this year, the company attended a security conference sponsored by the UK Home Office.
This month (21 September 2017), specialists from cybersecurity firm ESET reported that new FinFisher variants had been discovered in seven countries, two of which were being targeted by “man in the middle” (MitM) attacks at the ISP level, packaging genuine downloads with spyware.
Applications being hit included WhatsApp, Skype, Avast, VLC Player and WinRAR, it said, adding that “virtually any application could be misused in this way.”
When a surveillance target downloaded the software, they would be silently redirected to a version infected with FinFisher, the research found.
The software would install as normal, but ESET found it was also covertly bundled with the surveillance tool.
The covert infection process was described as “invisible to the naked eye.”
A Microsoft spokesperson, referring to the alleged Skype infections, told IBTimes UK: “We’re aware of the vendor blog and are evaluating claims.” An Avast spokesperson said: “Attackers will always focus on the most prominent targets. Wrapping legitimate installers of legal apps with malware is not a new concept and we aren’t surprised to see the PC apps mentioned in this report. What’s new is that this seems to be happening at a higher level. We don’t know if the ISPs are in cooperation with the malware distributors or whether the ISPs‘ infrastructure has been hijacked.”
The newest version of FinFisher was spotted with new customised code that kept it from being detected, which ESET described as “tactical improvements.” Some tricks, it added, were aimed at compromising end-to-end (E2E) encryption software and known privacy tools. One such application was Threema, a secure messaging service. “The geographical dispersion of Eset’s detections of FinFisher variants suggests the MitM attack is happening at a higher level – an ISP arises as the most probable option,” the team said.
“One of the main implications of the discovery is that they decided to use the most effective infection method and that it actually isn’t hard to implement from a technical perspective,” Filip Kafka, a malware researcher at ESET, told IBTimes UK. “Since we have seen more infections than in the past surveillance campaigns, it seems that FinFisher is now more widely utilized in the monitoring of citizens in the affected countries.”

Here’s How the Attack Works:

When targeted users search for one of the affected applications on a legitimate website and click its download link, their browser is served a modified URL, which redirects them to a trojanized installation package hosted on the attacker’s server.

This results in the installation of the intended legitimate application bundled with the surveillance tool.

“The redirection is achieved by the legitimate download link being replaced by a malicious one,” the researchers say. “The malicious link is delivered to the user’s browser via an HTTP 307 Temporary Redirect status response code indicating that the requested content has been temporarily moved to a new URL.”

The entire redirection process, according to the researchers, is “invisible to the naked eye” and occurs without the user’s knowledge.
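The 307 redirect described above is visible to a client that refuses to follow redirects blindly. The following is an added example, not ESET’s code: it classifies a redirect response by comparing where it points against the URL that was requested, and then verifies the downloaded bytes against a vendor-published SHA-256 digest. The response headers, the installer bytes, the hostnames and the IP address are constructed samples.

```python
"""Inspect a download redirect before trusting it, and verify the file afterwards."""
import hashlib
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def classify_redirect(request_url, status, headers):
    """Return the reasons to distrust a redirect; an empty list means it looks benign."""
    reasons = []
    if status not in REDIRECT_STATUSES:
        return reasons
    location = headers.get("Location")
    if not location:
        return ["redirect without Location header"]
    src = urlparse(request_url)
    dst = urlparse(urljoin(request_url, location))  # resolve relative Locations
    if dst.hostname != src.hostname:
        reasons.append(f"cross-host redirect to {dst.hostname}")
    if src.scheme == "https" and dst.scheme != "https":
        reasons.append(f"downgrade from https to {dst.scheme}")
    return reasons


def verify_digest(data, expected_sha256):
    """True when the download matches the digest the vendor publishes out of band."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


# Constructed samples. ORIGIN is a placeholder vendor URL; 203.0.113.10 is a
# documentation-range address standing in for an interposed server.
ORIGIN = "https://download.example.com/get/setup.exe"
MITM_RESPONSE = (307, {"Location": "http://203.0.113.10/dl/setup.exe"})
CLEAN_RESPONSE = (302, {"Location": "/files/setup.exe"})
GOOD_INSTALLER = b"constructed installer bytes, standing in for the real file"
PUBLISHED_SHA256 = hashlib.sha256(GOOD_INSTALLER).hexdigest()  # what the vendor would list
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\x00bundled extra"

if __name__ == "__main__":
    for name, (status, headers) in (("mitm", MITM_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(name, status, classify_redirect(ORIGIN, status, headers))
    print("good installer verifies:", verify_digest(GOOD_INSTALLER, PUBLISHED_SHA256))
    print("tampered installer verifies:", verify_digest(TAMPERED_INSTALLER, PUBLISHED_SHA256))
```

With a real client, the status and headers come from a request made with redirects disabled (for example `allow_redirects=False` in requests, or `urllib.request` with a redirect handler that records instead of follows). The digest check is the stronger control: a redirect within the same host is indistinguishable from a legitimate CDN hop, but a payload that was swapped in transit will not match the hash the vendor publishes.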


FinFisher Picks Up a Whole Lot of New Tricks

The extra tricks employed by the latest version of FinFisher kept it from being spotted by researchers.

Researchers also note that the latest version of FinFisher received several technical improvements in stealth, including the use of custom code virtualization to protect most of its components, such as the kernel-mode driver.

It also includes anti-disassembly tricks, along with numerous anti-sandboxing, anti-debugging, anti-virtualization and anti-emulation tricks, and capabilities aimed at compromising end-to-end encryption software and known privacy tools.

A sample masquerading as the secure messaging application Threema was discovered by the researchers while they were analysing the recent campaigns.

“FinFisher spyware masqueraded as an executable file named “Threema.” Such a file could be used to target privacy-concerned users, as the legitimate Threema application provides secure instant messaging with end-to-end encryption,” the researchers say. 

“Ironically, getting tricked into downloading and running the infected file would result in the privacy-seeking user being spied upon.” 

Gamma Group has not yet replied to the ESET report.

Hackers used Avast’s CCleaner to attack technology companies: Cisco

CCleaner Command and Control Causes Concern

Cisco’s Talos security arm has analysed the malware-laden CCleaner release that Avast unwittingly gave to the world and has concluded that its purpose was to stage targeted attacks that attempted to penetrate top technology companies. Talos also believes the malware may have succeeded in delivering a payload to targeted organizations.
Hackers who broke into the widely used utility software in August also tried to infect machines at Microsoft, Intel and other top technology companies, according to an analysis by Cisco Systems published late on Wednesday.
That implies the breach, uncovered on Monday, was far more serious than originally described by Piriform, maker of the infected CCleaner utility and now part of Prague-based Avast Software.
Piriform and later Avast said in blog posts this week that no harm had been detected, although more than 2 million people had installed tainted versions of CCleaner.
Even though the tainted versions reported back to websites controlled by the hackers, Avast said the alarm was unwarranted because the company had cooperated with researchers and law enforcement and taken control of the command sites early on.
Researchers at Cisco, one of the organizations that had warned Avast of the attack, said Wednesday that a command server seized by US law enforcement showed that the hackers had placed further malicious software on a select set of at least 20 machines.
It is unclear which organizations housed these machines, but the data showed that the hackers had gone after systems at major technology companies. The list included Samsung, Sony, Akamai and Cisco itself.
“It’s like the bad guys cast a net and took all the fish, but only wanted to infect the devices that were most interesting,” said researcher Craig Williams of Cisco’s Talos unit.
The hackers could have used the access given by the CCleaner infections to steal technology secrets from those companies, Williams said.
More troubling, they could have been looking to get malicious code inside those companies’ products, which are used by high-value targets in government and business around the world.
Avast Chief Technology Officer Ondrej Vlcek confirmed that “a very small minority of the endpoints” had received subsequent infections. He said the company had been contacting affected firms quietly.
“We don’t believe in going public with any of this stuff while the research is still continuing,” he said. “We know that this is also the preference of the law enforcement personnel.”
Security firm Kaspersky Lab, Cisco and others said the attack reused code previously seen in hacks linked to China. But the code could have been stolen, so the CCleaner hackers might not be from that country.
Vlcek said consumer CCleaner users still did not need to restore their machines from backups.
Our Standards: © Thomson Reuters 2017

CCleaner Software Hacked with Backdoor; 2 Million Users Infected

If you downloaded or updated the CCleaner application on your computer between August 15 and September 12 of this year from its official website, pay attention: your computer has been compromised.
CCleaner is a popular application with over 2 billion downloads, created by Piriform and recently acquired by Avast, that lets users clean up their system to optimize and enhance performance.
Security researchers from Cisco Talos discovered that the download servers Avast uses to distribute the application were compromised by unknown hackers, who replaced the original version of the software with a malicious one and distributed it to millions of users for around a month.

According to Cisco Talos’ blog post, the download server for CCleaner was compromised with a backdoor on September 11, 2017, and the firm was able to identify the threat on September 13, 2017.

“We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner’s download server as recently as September 11, 2017,” said Cisco.
“In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017, version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform was the company that Avast recently acquired and was the original company who developed the CCleaner software application,” Cisco further explained.
The malicious software was programmed to collect a large number of user data, including:

  • Computer name
  • List of installed software, including Windows updates
  • List of all running processes
  • IP and MAC addresses
  • Additional information like whether the process is running with admin privileges and whether it is a 64-bit system.
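Cisco’s write-up above notes that the payload carried a domain generation algorithm (DGA) alongside hardcoded C2. From the defender’s side, DGA traffic tends to stand out in DNS logs as bursts of long, high-entropy, vowel-poor names that mostly resolve to NXDOMAIN. The following is an added example and not Cisco Talos’ or Avast’s code: it runs that heuristic over a few constructed DNS log lines (the domains and addresses are invented for the example and are not CCleaner indicators; the log format and thresholds are this example’s own assumptions).

```python
"""Flag DGA-looking lookups per client in a simple DNS query log."""
import math
from collections import Counter

# Constructed log lines: timestamp, client, query type, name, response code.
SAMPLE_DNS_LOG = """\
2017-09-12T10:14:03Z 10.0.0.7 A a8f3c6e1d9b47052.com NXDOMAIN
2017-09-12T10:14:04Z 10.0.0.7 A 7e3b02fc1a9d4e6f.com NXDOMAIN
2017-09-12T10:14:05Z 10.0.0.7 A c4d0a9f28e1b7355.com NXDOMAIN
2017-09-12T10:14:06Z 10.0.0.7 A update.example.com NOERROR
2017-09-12T10:15:10Z 10.0.0.9 A www.example.org NOERROR
2017-09-12T10:15:11Z 10.0.0.9 A accounts.securemessaging.com NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn):
    """The registrable label, e.g. 'example' for 'update.example.com'."""
    parts = fqdn.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(fqdn, min_len=10, min_entropy=3.2, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, vowel-poor second-level labels look machine-made."""
    label = second_level_label(fqdn).lower()
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def parse_line(line):
    ts, client, qtype, qname, rcode = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname, "rcode": rcode}


def scan_dns_log(log_text):
    """Per-client counts of generated-looking names and NXDOMAIN answers."""
    per_client = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stats = per_client.setdefault(rec["client"], {"generated": 0, "nxdomain": 0})
        if looks_generated(rec["qname"]):
            stats["generated"] += 1
        if rec["rcode"] == "NXDOMAIN":
            stats["nxdomain"] += 1
    return per_client


def suspicious_clients(log_text, min_generated=3):
    """Clients that issued at least min_generated DGA-looking lookups."""
    return sorted(c for c, s in scan_dns_log(log_text).items() if s["generated"] >= min_generated)


if __name__ == "__main__":
    for client, stats in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(client, stats)
    print("suspicious:", suspicious_clients(SAMPLE_DNS_LOG))
```

The vowel-ratio guard is there because entropy alone flags ordinary long English names (`securemessaging` passes only because of it); in production the threshold would be tuned against a baseline of the organisation’s own resolver logs, and a hit would be corroborated by the NXDOMAIN count and by the volume of distinct names per client per minute rather than acted on in isolation.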


According to the Talos researchers, around 5 million people download CCleaner (originally Crap Cleaner) each week, which means more than 20 million people could have been infected with the malicious version of the app.

“The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week,” Talos said.

However, Piriform estimated that up to 3 percent of its users (up to 2.27 million people) were affected by the malicious installation.

Affected users are strongly recommended to update their CCleaner software to version 5.34 or higher, in order to protect their computers from being compromised. The latest version is available for download from the official CCleaner website.


Google Chrome will warn users of ‘man in the middle’ attack.

It looks like Google is finally taking serious measures to secure its most used product, the Chrome web browser. The company has announced that the upcoming Chrome 63 browser will be equipped with a new security feature aimed at alerting users to ‘man in the middle’ attacks, in which an attacker intercepts communication between two systems.

Coming this December, Chrome 63 will show a notification after detecting a large number of SSL connection errors, which implies that an attacker is trying to intercept your system’s web traffic. The new security measure will flag interception by malware as well as by legitimate applications. That means if your firewall or anti-virus software fails to detect and notify you, or malware evades anti-virus detection, Chrome 63 will have your back.

Behind the feature is Google intern Sasha Perigo, who announced the news on Twitter.

Excited to announce my intern project is launching in @GoogleChrome M63! New error pages to help users struggling with MITM software. ✨

— Sasha Perigo (@sashaperigo) September 8, 2017

“1. On the error page, we say a user has “misconfigured” software if they don’t have the root required for the “man in the middle” program. 2. We check the error code the certificate validator threw, and check fields on the cert to see if it is man-in-the-middle software. 3. This error page will only be shown to users who were already seeing SSL errors. If you’re not seeing SSL errors right now, you’re all good,” Perigo added.

Google plans to release Chrome 63 on 5 December; however, you can test the feature now in Chrome Canary.

Remember, about six months ago Google introduced the “Safe Browsing” feature for macOS, which notifies users whenever they visit a malicious website or download a file containing malware. Google has also launched a bug bounty program for the Android operating system, showing its commitment to a secure mobile platform. Let’s hope for a secure web.


Facebook slapped with $1.43 million fine for violating users’ privacy in Spain

Facebook is once again in trouble regarding its users’ privacy.
The social media giant has recently been heavily fined once again for a series of privacy violations in Spain.

Recently, Google also incurred a record-breaking fine of $2.7 billion (€2.42 billion) by the European antitrust officials for unfairly manipulating search results since at least 2008.
Now, the Spanish Data Protection Agency (AEPD) has issued a €1.2 Million (nearly $1.4 Million) fine against Facebook for breaching laws designed to protect its people’s information and confidentiality.

According to the data protection watchdog, the social network collects its users’ personal data without their ‘unequivocal consent’ and makes the profit by sharing the data with advertisers and marketers.

The AEPD also found Facebook collects sensitive data on user’s ideology, religious beliefs, sex and personal tastes and navigation—either directly from its own services or through third parties—without clearly informing its users how this information would be used.

This activity constituted a “very serious” infringement of the country’s local data protection law (LOPD), for which the authority fined the company €600,000 ($718,062).

The regulator also identified two “serious” violations of privacy laws, including:
  1. Tracking people through the use of “Like” button social plug-ins embedded in other non-Facebook web pages—for which it is fined €300,000 ($359,049).
  2. Failing to delete data collected from users once it has finished using it, in fact, the company “retains and reuses it later associated with the same user”—which resulted in another €300,000 ($359,049) fines.
The AEPD also said that Facebook’s existing privacy policy contains “generic and unclear terms,” and doesn’t “adequately collect the consent of either its users or nonusers, which constitutes a serious infringement.”
“Users choose which information they want to add to their profile and share with others,” said Sally Aldous, a company spokeswoman. “We do not use this information to target adverts to people.”
While the Spanish agency has become one of the few privacy watchdogs worldwide to issue financial penalties against the social networking giant, the fine represents a mere rounding error to the company’s tens of billions of dollars of revenue generated each year.
In May, the French data protection authority also fined Facebook €150,000, its maximum fine, for violations similar to those discovered by its Spanish counterpart. The social network denies any wrongdoing.
Facebook has become a lightning rod for controversy over how it collects and uses people’s online information, as well as its role in disseminating potential fake news and hate speech to users around the globe.

Microsoft shrugs off Windows kernel bug that can block malware detection

According to a write-up on the security blog Breaking Malware, the bug is a coding error affecting PsSetLoadImageNotifyRoutine, the kernel API security products use to be told which modules are loading. “During research into the Windows kernel, we came across an interesting issue with PsSetLoadImageNotifyRoutine which, as its name implies, notifies of module loading,” explains security firm enSilo on its blog.

Microsoft’s Security Response Center has been sitting on the bug all year. The flaw in the Windows kernel can render security tools useless by undermining malware detection in the very mechanism that was written specifically to alert security software to loaded modules.
“The thing is, after registering a notification routine for loaded PE images with the kernel the callback may receive invalid image names.
“After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself. This flaw exists in the most recent Windows 10 release and past versions of the operating system, dating back to Windows 2000.”
The bug defeats the purpose of PsSetLoadImageNotifyRoutine, which is designed to let security software spot malware as it loads into Windows, which is rather ironic. Bleeping Computer spoke to one of the security researchers, Omri Misgav, who said that Microsoft did not see the issue as a security problem.
“We did not test any specific security software,” Misgav told Bleeping Computer. “We are aware that some vendors do use this mechanism, however at this point in time we cannot say if and how the use of the faulty [PsSetLoadImageNotifyRoutine] information affects them.”