At a glance.
- Mandrake spyware found in Google Play.
- CreepRank against creepware.
- A surcharge to delete stolen data.
- Contact tracing smishing scam steals personal information.
Mandrake found infesting Google Play.
Bitdefender has found a strain of spyware, "Mandrake," in Google Play. The researchers believe Mandrake has been active in the wild for at least four years. It had been masquerading as a variety of legitimate apps, including, according to an account in the Register, the Coinbase alt-coin wallet, various apps for Amazon, Gmail, the Chrome browser, some Australian and German banks, the XE currency conversion service, and PayPal.
The Register quotes members of Bitdefender's team as saying that Mandrake represents the work of a nation-state's intelligence service, Russian-speaking and probably based in either Russia or Kazakhstan. The spyware is unusually discriminating and deliberately keeps a low profile: it infects devices only selectively, and it chooses its targets mostly for the likelihood that the infection will go unnoticed, which suggests that the operators care more about a sure payoff than about high-value targets. In keeping with that desire for obscurity, Mandrake avoids "hard" countries with active cyber and counterespionage programs in favor of targets in "softer" countries where vigilance is more relaxed.
It's also unusual in the way it dangles its bait. "The malware also uses advanced manipulation tactics to bait users," Bitdefender writes. "For instance, it re-draws what the user sees on the screen to hijack taps. What the users perceive as accepting an End-User License Agreement is actually a complex series of requesting and receiving extremely powerful permissions. With those permissions, the malware gets complete control of the device and data on it."
Against creepware.
According to ZDNet, Google has used an algorithm, "CreepRank," developed by a university-industry team to identify 813 creepware apps for removal from the Play store. Creepware is similar to spyware or stalkerware, only generally less aggressive. It’s used, as ZDNet explains, to “stalk, harass, defraud, or threaten another person, directly or indirectly.”
CreepRank, the work of a team of researchers from New York University, Cornell Tech, and NortonLifeLock, looks for apps that exhibit creepy functionality ("creepy" in this technical sense) and then scores them on their likely adaptation to creepware purposes. A paper the researchers published in Semantic Scholar says CreepRank looks for:
- Surveillance (which includes the ability to "both covertly and overtly track someone’s location, record phone call audio, call metadata and call logs, forward or snoop on SMS messages, continuously surveil social media accounts (mostly WhatsApp and Facebook)," or "turn on the phone’s camera and microphone and forward a stream to a remote device," or the capability to "record, stream, and/or take a snapshot of a device’s screen").
- Spoofing.
- Harassment (including message "bombing," and messages falsely suggesting that the target is under surveillance).
- Accompanying tutorials and hacking tips.
- Information extraction.
- Evasiveness.
And CreepRank also scores apps through a kind of guilt-by-association with other known-creepy activity. It's a screening tool, and Google appears to have put it to good use.
A surcharge to delete stolen data.
Ransomware gangs routinely steal victims' data to gain additional leverage. Maze, Sodinokibi, DoppelPaymer, Clop, Sekhmet, Nephilim, Mespinoza, and Netwalker are among the more prominent strains of ransomware that now do this as a matter of course, having established dump sites where they can dox victims who are reluctant to pay up. Such doxing is usually progressive, beginning with the criminals showing a small sample and suggesting to the victims that they have a lot more, and that what's being held in reserve would be even more damaging if it were leaked. But how do you know that the extortionists have deleted your data even after you've paid the ransom?
BleepingComputer reports that one gang, the operators of Ako, are now also imposing a surcharge for deleting their copies of stolen files. If you pay ransom for a decryptor, you'll get the decryptor, and so (presumably) renewed access to your files. But if you want to avoid public exposure of your data, you'll have to pay more, between $100,000 and $2,000,000. What guarantee the victims have that their data have in fact been deleted is unknown. Presumably their honest virtual face and reputation for probity?
Contact tracing smishing scam steals personal information.
Britain's Chartered Trading Standards Institute (CTSI) has warned, Computing reports, that bogus messages purporting to come from the NHS's contact-tracing app are in circulation. The lure reads, "Someone who came in contact with you tested positive or has shown symptoms for Covid-19 & recommends you self-isolate/get tested." Judging from CTSI's account, it's a straightforward smishing scam: the victims receive a message with a link that takes them to a site asking them to enter personal information, which the criminals can then use for various forms of fraud. CTSI advised victims in England and Wales to report scams to Action Fraud. In Scotland, they should call Police Scotland on 101.