Interesting Apple security news is being reported today. Apparently some Apple devices have been hijacked via Apple's "Find My iPhone" feature. How? Likely via poorly defended iCloud accounts, i.e., iCloud accounts with weak passwords.
Once you have access to iCloud, you have access to Find My iPhone's "Lost Mode", which can be used to lock associated devices and send messages such as "Reward if found! Call this number."
Or it could be an extortion attempt.
Here's an example from a German colleague's iPhone:
According to the sources linked above, "Oleg Pliss" is demanding money to a PayPal account. If the iPhone user has a passcode, they can unlock their device. If they don't have a passcode set… then they have a problem.
It's also worth mentioning the Find My iPhone feature includes a "Delete" option. Besides extortion, your iPhone can also be burned. And remember too that iCloud provides access to contacts and calendars.
So… besides enabling a passcode, you should also be using a strong and unique password for your Apple/iCloud/iTunes account. Sure, it will be annoying to input when you want to buy an app — but that's the price you'll need to pay.
On Tuesday, Facebook Security announced its new effort to make malware cleanup easier. And we're very happy to be part of that effort. F-Secure is one of two vendors now partnered with Facebook to do malware clean-up.
With over one billion users, Facebook has a unique vantage point from which to detect threats. It can see patterns on a scale few others can. And user accounts pumping out spam links from browsers with uncommon plugins installed… well, those accounts are connecting from computers affected by malware. So what to do about it?
That's where we come in…
When Facebook determines a case of Facebook-focused malware, it introduces this prompt during login:
The user then has the option to download our Online Scanner:
Once downloaded and started, the user can continue to their Facebook feed.
Our scanner runs in the background and produces a Facebook notification when it's finished.
While Facebook-focused malware is the trigger which prompts the scan, our scanner will of course detect more threats if present. If a difficult case is discovered, Facebook will move our UI into the foreground.
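To make the correlation described above concrete, here is an added example (not Facebook's or F-Secure's code) of the kind of account-level check that turns "spam links plus uncommon browser plugins" into a decision at login time. The accounts, URLs, plugin names and the spam-domain blocklist are all constructed; the thresholds are assumptions, not values from either company.

```python
"""Added example: flag accounts that post spam links from browsers carrying
plugins rarely seen across the user population, then decide the login action.
All data below is constructed; nothing here is Facebook's or F-Secure's logic."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import FrozenSet
from urllib.parse import urlparse


@dataclass(frozen=True)
class Login:
    account: str
    plugins: FrozenSet[str]  # plugin/extension names reported by the client


@dataclass(frozen=True)
class Post:
    account: str
    url: str


# Constructed blocklist standing in for whatever link reputation feed is used.
SPAM_DOMAINS = {"free-ipad-winner.example", "cheap-meds.example"}

# Constructed population: most people run a common plugin set; two run oddities.
LOGINS = [
    Login("alice", frozenset({"flash", "pdf"})),
    Login("bob", frozenset({"flash", "pdf", "java"})),
    Login("carol", frozenset({"flash"})),
    Login("dave", frozenset({"flash", "pdf", "TotalDownloadHelper"})),
    Login("erin", frozenset({"pdf"})),
    Login("frank", frozenset({"flash", "java"})),
    Login("grace", frozenset({"flash", "pdf", "SuperYouTube"})),
    Login("heidi", frozenset({"pdf", "java"})),
]

# Constructed posts: dave pumps spam, carol posts one spam link, others are clean.
POSTS = [
    Post("dave", "http://free-ipad-winner.example/win?u=1"),
    Post("dave", "http://free-ipad-winner.example/win?u=2"),
    Post("dave", "http://cheap-meds.example/"),
    Post("carol", "http://cheap-meds.example/"),
    Post("grace", "http://news.example/article"),
    Post("alice", "http://news.example/"),
]


def domain(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def plugin_prevalence(logins):
    """Fraction of all accounts on which each plugin has been seen."""
    seen_on = defaultdict(set)
    for login in logins:
        for plugin in login.plugins:
            seen_on[plugin].add(login.account)
    total = len({login.account for login in logins})
    return {plugin: len(accts) / total for plugin, accts in seen_on.items()}


def flag_accounts(logins, posts, spam_domains, min_spam_posts=2, rare_below=0.25):
    """Accounts with >= min_spam_posts spam links AND at least one plugin seen on
    fewer than rare_below of the population. One spam link alone is not enough:
    people do share bad links by hand; the plugin oddity is what points at malware."""
    prevalence = plugin_prevalence(logins)
    spam_count = Counter(p.account for p in posts if domain(p.url) in spam_domains)
    plugins_by_account = defaultdict(set)
    for login in logins:
        plugins_by_account[login.account].update(login.plugins)

    flagged = {}
    for account, n_spam in spam_count.items():
        if n_spam < min_spam_posts:
            continue
        rare = sorted(p for p in plugins_by_account[account] if prevalence.get(p, 0.0) < rare_below)
        if rare:
            flagged[account] = {"spam_posts": n_spam, "rare_plugins": rare}
    return flagged


def login_action(account: str, flagged: dict) -> str:
    """What the login flow does: interstitial offering the scanner, or plain login."""
    return "prompt_scanner" if account in flagged else "allow"


if __name__ == "__main__":
    hits = flag_accounts(LOGINS, POSTS, SPAM_DOMAINS)
    for account in sorted({l.account for l in LOGINS}):
        print(account, login_action(account, hits), hits.get(account, ""))
```

The rarity threshold is the design choice worth noting: with a population of eight, a plugin on one account scores 0.125 and counts as rare, while `java` on three accounts (0.375) does not, so "carol" with one spam post and a common plugin set is left alone and only "dave" gets the scanner prompt.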
"Chanki" — our service manager for this project — makes the following observations:
1 — There is a tremendous number of suspect installers out there, which while not necessarily malicious, are difficult to classify as clean by default. Separating the wheat from the chaff is a challenge when installers can be configured to install multiple items utilizing a common platform that also has legitimate uses.
2 — We also needed to come up with approaches for handling the classification, detection and removal of malicious browser extensions on Firefox and Chrome, which represent a significant attack vector against Facebook's platform. This is typified by families such as the Turkish-oriented Kilim malware, and older attacks such as FBSuper which we have previously written about on this blog. The attack surface is not just Win32 OS; we have to take into account the platforms represented by the browsers as well.
3 — We also discovered that Bitcoin remains a significant motivation for malware authors. We identified at least two malware families, Napolar and Lecpetex, that utilize Facebook as a vector to spread and install Bitcoin miners.
Great work, Chanki!
You don't need to be prompted by Facebook to try our Online Scanner. Feel free to download and run it yourself. Add it to your USB toolkit; it needs online access for our latest detections, but it isn't Web-based. If complex threats are discovered, the scanner includes neat tech such as an ability to reboot into a virtual Linux machine and then back to Windows. Nice.
Crimeware has steadily transferred Windows-based technology to Android. We've seen phishing, fake-antivirus scams, banking trojan components, and now… ransomware.
Yep. "Police ransomware" on Android. Our name for it is Koler.
The crimeware ecosystem has long been aware of Android systems it routinely comes into contact with — it's not really much of a surprise to see ransomware attempt to make the jump.
Here's how it works:
Compromise occurs when the user visits a booby-trapped (pornographic) website with his Android device. The malware then pretends to be a video player and requests installation. This depends on the "enable unknown sources" setting being enabled.
When the installation is completed, Koler sends the phone's identification information to its remote server. After this, the server returns a webpage declaring that the user has visited an illegal porn site and the phone is locked. To unlock, the user is told to pay a fine (ransom).
Even though Koler claims to encrypt files, in reality, nothing is encrypted.
These domains are hardcoded to be Koler's remote servers:
At the moment, Koler's servers are offline. Google Cache finds (NSFW) content from only one server, but the malware has been removed. The servers are/were hosted in the US. Whois lists contact information, such as phone numbers, from Denmark and Russia.
At present, country-specific localizations have been seen for more than 30 countries. The content has been ported from Windows versions of "police ransomware" and is formatted for mobile browsers.
How to remove Koler:
The ransomware disables the back button, but the home screen button is active. The user has only a few seconds in which to get to the phone's settings to remove the malware, or to restore factory settings.
Another option is to restart the device to the service menu and remove Koler from there.
Koler also prevents access to the device via adb.exe. You can start a shell, but viewing files is not allowed.
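For the adb route described in the removal steps above, here is an added example (not F-Secure's tool and not part of the original post) of a small triage helper: it lists third-party packages, ranks them by first-install time so the app installed at the moment of the fake "video player" prompt comes out first, and uninstalls the chosen package. It assumes adb is on the PATH, that USB debugging was already on before infection, and that `pm list packages -3`, `dumpsys package` and `adb uninstall` still answer even though the post says file viewing in the shell is blocked; the package names and dumpsys text used for the self-test are constructed.

```python
"""Added example: rank a locked Android device's third-party apps by install
time over adb and remove the chosen one. Assumes adb on PATH and that the
pm/dumpsys/uninstall commands still respond (the post only says file viewing
is blocked). Package names in the demo runner below are constructed."""
import re
import subprocess
from datetime import datetime
from typing import Callable, List, Optional, Tuple

# A runner takes adb arguments and returns stdout, so the logic can be tested
# against a fake device without a real adb binary.
Runner = Callable[..., str]


def adb(args: List[str]) -> str:
    """Real runner: `adb <args>`; raises if adb is missing or the command fails."""
    return subprocess.run(["adb", *args], capture_output=True, text=True, check=True).stdout


def parse_package_list(output: str) -> List[str]:
    """`pm list packages -3` prints one `package:<name>` line per third-party app."""
    return [ln.split(":", 1)[1].strip() for ln in output.splitlines() if ln.startswith("package:")]


_FIRST_INSTALL = re.compile(r"firstInstallTime=(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_first_install(dumpsys_output: str) -> Optional[datetime]:
    """Pull firstInstallTime out of `dumpsys package <pkg>`; None if not present."""
    m = _FIRST_INSTALL.search(dumpsys_output)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def rank_recent_installs(run: Runner = adb) -> List[Tuple[str, Optional[datetime]]]:
    """Third-party packages, newest install first. The lock screen usually
    belongs to whatever was installed last (the fake video player)."""
    pkgs = parse_package_list(run(["shell", "pm", "list", "packages", "-3"]))
    dated = [(pkg, parse_first_install(run(["shell", "dumpsys", "package", pkg]))) for pkg in pkgs]
    # Packages whose install time could not be read sort last rather than crashing the triage.
    return sorted(dated, key=lambda item: (item[1] is None, -(item[1].timestamp()) if item[1] else 0))


def uninstall(pkg: str, run: Runner = adb) -> bool:
    """`adb uninstall <pkg>` prints `Success` or `Failure ...`."""
    return run(["uninstall", pkg]).strip().startswith("Success")


# Constructed fake device used for the demo and the self-test (no real adb needed).
def demo_runner(args: List[str]) -> str:
    if args[:4] == ["shell", "pm", "list", "packages"]:
        return "package:com.example.notes\npackage:com.example.fakeplayer\n"
    if args[:3] == ["shell", "dumpsys", "package"]:
        times = {"com.example.notes": "2014-01-10 09:00:00", "com.example.fakeplayer": "2014-05-12 22:41:03"}
        return "  Package [%s]\n    firstInstallTime=%s\n" % (args[3], times[args[3]])
    if args[0] == "uninstall":
        return "Success\n"
    raise ValueError("unexpected adb call: %r" % args)


if __name__ == "__main__":
    # Dry run against the constructed device; swap demo_runner for adb on real hardware.
    for pkg, ts in rank_recent_installs(demo_runner):
        print(ts, pkg)
    newest = rank_recent_installs(demo_runner)[0][0]
    print("uninstall", newest, "->", uninstall(newest, demo_runner))
```

Run it first with the demo runner to see the ordering, then against the device with `rank_recent_installs()` alone; only call `uninstall()` once you have read the list, since the newest package is the likely culprit but not a certainty.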