ExpensiveWall Affects Millions

Google has been battling malicious apps throughout the year, most recently malware was packed in an app called “Lovely Wallpaper”. This new strain of malware was titled “ExpensiveWall”, and hid in the wallpaper application while stealthily racking up premium SMS fees. It further propagates by sending out text messages on your behalf, inviting others to download the same compromised app.

The malware was compressed and encrypted within an SDK used by roughly 50 different apps without being detected by Google. It is still undetermined how much money was actually generated from this SMS scam.

How it Works

ExpensiveWall uses JavaScript along with the enhanced permissions on the infected device to orchestrate the attack. It creates an interactive interface between the app downloaded and a web interface called WebView. This action allows the malware to run in-app controls through this WebView interface including but not limited to sending SMS messages and registering the user devices to premium paid services without notice. The only way for this malware to work is if the user allows full SMS control and communication to its command and control server. This communication will send data about the infected device including IP address, MAC address and Geolocation data.

What can you do to Prevent it?

Simply put, be aware of what permissions you are granting applications when you install them. The fact that millions of other people have downloaded an app and given it good reviews does not mean that it is safe. This app is clear cut proof to that effect. Below are some things that should throw up red flags when installing an application.

• Make calls or texts on your behalf
• Receive SMS
• Read contacts or sensitive device logs
• Communicate with other applications
• Control/disable the keyboard
• Kill processes
• Write secure settings
• Have the ability to authenticate accounts
• Create system services
• Control in-app billing/services
• Accessing GPS data

Some of these may actually be needed in order for certain applications to function properly, but be cautious. If you don’t think that flashlight app needs to make calls on your behalf, don’t install it. Lastly, a solid antivirus with web-browsing and application scanning is a necessity for your mobile device.

More Mac Malware Thus Far in 2017 Than Any Other Year

More Mac Malware Thus Far in 2017 Than Any Other Year

With more than 4 months to go before the year ends, this year has already seen more Mac specific malware than any other. Is this finally the end of Mac OS’s reputation as relatively virus-free?

Obviously, Macs have never been totally virus-free. Compared to Windows malware however, the amount of Mac targeted malware has always been minimal. This has largely been due to the substantially smaller market share of Mac OS X. With far fewer users to target compared to Windows, malware creators didn’t have enough incentive to develop as many viruses for Apple’s personal computing platform.

Interestingly, this year has been quite different in regards to Mac malware activity. According to Malwarebytes, not only was there a 230% year-on-year increase in Mac malware last July, the first half of 2017 has already seen more Mac malware than all of 2016 or indeed, any other year. While we’re accustomed to seeing more malware year after year, Mac focused malware is a bit different.

Could the significant uptick in Mac malware due to a corresponding increase in user base? Not really. In fact, OS X market share hasn’t changed significantly since last year.

Malware in the App Store

What makes this surge even more alarming is that a significant amount of malware has managed to invade even the App Store. Apple is known to be very thorough in screening the applications that make it to the Mac App Store.

They review each app for objectionable content, acceptability, app completeness, hardware compatibility, intellectual property, spam, ability to inflict harm, and a host of other criteria. Apple has even been quick to pull apps from the store if they’re later found to be problematic.

Apple touts the App Store as the safest place to download apps and many users believe that to be wholly accurate. This false sense of security leaves them more vulnerable to attacks as they are perhaps not as vigilant or discerning as they might be on another platform.

Proton RAT leads off 2017 surge

One of the biggest threats to emerge this year was a RAT (Remote Access Trojan) known as OSX.Proton.B or simply Proton. Being a RAT, Proton takes the form of a legitimate application accompanied by a back door that provides administrative control to a victim’s system.

During one campaign, Proton handlers were able to modify Handbrake, an app built to convert video files. Proton’s handlers infiltrated one of Handbrake’s download mirrors, enabling them to replace the app’s DMG file with a modified version infected with Proton code.

Once the compromised application is installed onto a victim’s device, the Proton RAT kicks in. Proton can carry out several malicious acts, including: recording keystrokes, stealing passwords, controlling the webcam, allowing remote access, and gaining access to the user’s iCloud account.

Proton can be installed surreptitiously because the malware uses genuine Apple code-signing signatures. This allows it to bypass Apple’s Gatekeeper, an OS X feature that blocks apps if they aren’t digitally signed using a valid Apple Developer ID.

Proton’s existence was uncovered when researchers from cyber security firm Sixgill chanced upon a post on a notorious Russian cybercrime message board. The post introduced Proton as the “Newest and only macOS RAT in the market.” Originally priced at approximately 100 BTC (bitcoin), which was equivalent to about $100,000 at the time, Proton was out of reach for most.

Findzip Ransomware

Another piece of Mac malware that emerged this year is Findzip. Ransomware has been gaining a lot of notoriety lately, so people in the Mac community were rightly alarmed upon learning that one of the the biggest malware threats in the world today is now right on their doorstep.

Findzip is usually disguised as a crack for either Adobe Premier Pro or Microsoft Office. Being a crack, it doesn’t go through the normal Mac application installation process. People who use cracks typically employ workarounds to bypass Apple’s security measures meant to prevent the installation of malicious programs. Of course, the use of these workarounds plays right into the hands of Findzip’s operators.

Unlike Proton, Findzip isn’t digitally signed using an Apple-issued certificate. As such, it will be considered as coming from an unidentified developer, marked with a ‘quarantine’ flag, and ultimately denied installation. Well and good, but that doesn’t stop Findzip from getting through.

Normally, apps that aren’t downloaded from the App Store, are downloaded through a Web browser. Some popular web browsers are designed to identify the quarantine flag as well as invalid signatures- so if a user attempts to open such a DMG file, the system will prevent the file from being opened.

Alas, people who want to install cracked applications and other pirated software don’t go down that route. Instead, they download files through alternative means, usually torrents. Torrent clients don’t set the quarantine flag when they download a file. Thus, when the user opens the DMG file, the system won’t be able to do anything about it.

It’s comforting to note however that 1) Findzip will not be able to affect users who download apps through legitimate means and 2) it’s now easy to find tools or methods for decrypting files encrypted by Findzip. In fact, if you google for ‘findzip ransomware’, the first search results actually point to removal/remediation solutions, and not just information about the malware itself.

Flashback to Flashback?

The last time there was a surge of Mac malware activity of this magnitude was in 2011-1012, when the Flashback Trojan struck. Flashback was said to have infected about 600,000 Macs then. That number amounted to more than 1% of the total number of Macs at that time.

Taken individually, none of the Mac malware detected this year appear to have infected as many devices as Flashback. The Flashback outbreak remains the largest Mac-based malware outbreak in history, but 2017 shows a disturbing trend that all Mac users should pay close attention to.

How Trojans Withdraw Money From Your Account

How Trojans Withdraw Money From Your AccountGone are the days when malware were simply irritants that caused minor disruptions. Today, most of them are serious threats that can cause considerable financial loss. One class of malware can even steal money straight from your bank account. Known as banking trojans, these types of malware can empty your account once they’ve infected your system.

How banking trojans steal money

Banking trojans infect systems through the same methods used by most malware, including exploit kits, social engineering, phishing emails, droppers, and so on. We’ve already discussed these in many of our previous blog posts, so let’s skip infection methods for now. Instead, let’s focus on how banking trojans actually steal money from your bank account.

Generally speaking, there are two ways these types of malware can steal money from your bank account:

1. By stealing login credentials to your bank account, or
2. By diverting your funds during a legitimate transaction

Stealing login credentials to your bank account

In this method, the trojan acquires your account’s login credentials and then sends those credentials to the malware operators. Once the operators get ahold of your credentials, they can then use them to take over your account and transfer your funds to either their own accounts or to money mule accounts.

Money mules are accomplices who simply open bank accounts for receiving the stolen money before it’s ultimately transferred to the account of the malware operators themselves. Some of these money mules don’t even know they’re doing something illegal. All they know is that they’ve been hired (often through work-at-home schemes) to facilitate in the transfer of funds. Because a single heist can involve several money mules, it is difficult for authorities to trace the main perpetrators.

But how are these bank trojans able to acquire your credentials in the first place? In most cases, they use any or all of these techniques: keylogging, form grabbing, screen capture, video capture, or man-in-the-browser.


Keylogging is probably the oldest trick in the bank trojan’s book. It involves recording user key strokes and then transmitting them to the malware operators. Keyloggers, however, have two major problems: 1) they don’t work with virtual keyboards, auto-fill features, and copy-paste actions, and 2) they normally collect a large number of irrelevant keystrokes.

Cyber criminals are only interested in login credentials and other information that can help them steal from the user’s bank account. Because keyloggers don’t choose which keystrokes to record, malware operators usually have to spend considerable effort parsing the data they receive to find exactly what they want.

Form grabbing

Unlike keyloggers, which grab credentials as they’re being entered into a web form, form grabbers grab credentials straight from a web form before they’re transmitted to the bank’s web server. Specifically, form grabbers grab GET/POST requests. That means, they’re able to acquire credentials before the browser encrypts the data (in the case of an HTTPS session) and even if the user employs a virtual keyboard, an auto-fill tool, or a simple copy-paste.

Screen and video capture

Other trojans capture multiple screenshots or even entire videos and then send those captures to the malware operators. These techniques allow the operators to literally see actual footages of the screen when the user fills up the online bank’s web forms.

Thus, like form grabbing, screen and video captures are immune to the use of virtual keyboards, auto-fill tools, or copy-pastes. The downside of these techniques is that they typically slow down the computer’s performance or consume a significant amount of bandwidth, so they can easily raise red flags.


Arguably the most widely used technique for stealing credentials, the man-in-the-browser (MITB) can be found in the toolbox of almost all notorious banking trojans, including Bebloh, Carberp, Cridex, Gameover, Gozi, Silent Banker, Spyeye, and Zeus. Just like a man-in-the-middle attack, a MITB attack intercepts the interactions between a user and a legitimate entity, which, in this case, is the bank’s website.

Through a man-in-the-browser attack, the malware can not only steal credentials. It can also alter how a web page or form appears to the user. One common modification is to insert additional fields in order to request more information than is required.

The trojan can, for instance, ask the user to enter his/her PIN, credit card information (name, card number, expiration date, and CVV), cellphone number, additional authentication data, and many others. All this information can be used to gain greater control over the account. Some of this information can come in handy in case the banking site asks for more identification information along the way.

Diverting funds during a legitimate transaction

Also known as a webinject, the man-in-the-browser attack has other, more sophisticated capabilities. In addition to their basic functions like intercepting data and modifying the content of a web page, more advanced webinjects can also alter the values users enter into a web form.

Let’s say a user is in the process of transferring funds to a business partner. A webinject with Automatic Transfer System (ATS) capabilities can change the B2B transaction details and direct the transfer to a money mule account instead. It can even alter the transaction values (e.g. from $500 to $5,000).

The user won’t be able to notice any of these changes because these webinjects can also alter the content displayed to the user. So, even if $5,000 may have been deducted from the user’s account, the user will still see his current balance to be exactly what he/she expected, i.e., only $500 less.

All of this typically takes place after the user logs in, so webinjects can bypass the authentication process, thereby rendering even 2-factor authentication useless.

Stealth and persistence

Banking trojans are designed to spring into action only when certain conditions are met. For instance, when the user visits certain online banking sites or, in the case of ATS-capable trojans, when the user is about to make a transaction.

Because they need to stay undetected for long stretches of time before they can go to work, banking trojans require exceptional stealth and persistence capabilities. One of the stealth methods employed by these trojans is steganography. Steganography applications in malware take on different forms but the basic idea is to hide the malware (or crucial parts of the malware) in an image.

In the case of ZeusVM (a variant of Zeus), for example, this malware used steganography to hide its configuration files in an image of a beautiful sunset. Configuration files play a crucial role in the makeup of banking trojans, for they usually contain the domains of online banks a specific trojan is designed to attack.

Another method trojans use is obfuscation. Obfuscation enables the malware to circumvent heuristic analysis, a security countermeasure employed by antivirus solutions to detect malware whose signatures have not yet been added to their database.

Heuristic analysis involves running a suspicious program in a controlled environment (usually a virtual machine) and monitoring for malware-like behaviors like replication, establishing connection with a remote server, etc. The purpose of obfuscation is to make any binary or text in the malware difficult for the antivirus to decipher or understand.

Since most advanced anti-malware software perform heuristic analysis in virtual environments known as sandboxes, some trojans try to avoid sandboxes altogether. Basically, a trojan with sandbox evasion capabilities checks first if the environment it’s landed on is a sandbox. If there are indications the environment is indeed a sandbox, the malware doesn’t execute.

One particular banking trojan named Ursnif, for example, runs different checks to determine if it’s running in a sandbox. One of these checks involves finding out whether there are more than 50 tasks with a graphical interface on the system, a normal number in real systems. If there are less than 50, then it’s likely the system is actually a sandbox. There are many other sandbox evasion techniques but that’s for another blog post.

A threat to business

While it might initially appear only individuals can be victimized by this type of malware, several enterprises, particularly small and medium businesses, can also be affected. If a banking trojan manages to infect the system of whoever is in charge of carrying out online banking transactions, the malware will be able to initiate a corporate account takeover and facilitate fraudulent fund transfers.

Some of these fraudulent transfers might even be ACH (Automated Clearing House) transfers involving payroll payments. Once the cyber criminals have taken over the corporate account, they could, for instance, change the names in the payroll file to the names of their money mules.

Because most of these accounts aren’t reconciled on a daily basis, the fraudulent transaction can go unnoticed for days. By the time it’s discovered, the funds would have already been in the hands of the perpetrators.

To learn how to protect your corporate bank accounts from these types of threats, contact us.