IT News

WordPress admins are being warned to remove a buggy plugin or risk a total site takeover.

This particular threat relates to a plugin which is no longer in use: Modern WPBakery page builder addons. The vulnerability in the plugin, known as CVE-2021-24284, allows “unauthenticated arbitrary file upload via the ‘uploadFontIcon’ AJAX action”. This means that attackers could upload rogue PHP files to the WordPress site, leading to remote code execution and a complete site takeover.

There’s been a sudden increase in attacks related to this abandoned WordPress relic. In 2021, researchers discovered “several vulnerable endpoints” which could lead to injection of malicious JavaScript or even deletion of arbitrary files in Modern WPBakery. This time around, the aim of the game is to once again upload rogue PHP files then inject malicious JavaScript into the site.

Roughly 1.6 million sites have been scanned to check for the plugin’s presence by bad actors, and current estimates suggest somewhere in the region of 4,000 to 8,000 websites are still playing host to the plugin.

Check and remove ASAP

The current advice is to check for the plugin, and then remove it as soon as you possibly can. It’s been completely abandoned, and no security-related fixes will be forthcoming.

If you have it installed, you’re on your own, and it’s likely only a matter of time before the exploiters make their way to your Modern WPBakery hosting website and start getting up to mischief.

Do yourself and your site visitors a favour: Remove this outdated invitation to site-wide compromise as soon as you possibly can.

The post Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately! appeared first on Malwarebytes Labs.

A new phishing campaign targeting PayPal users aims to get extensive data from potential victims. The data it’s after includes government documents like passport, as well as selfie photos. In a nutshell, it’s an extensive form of information theft, the likes of which could result in someone’s identity being fully stolen and their financial and other online accounts being taken over.

PayPal phishing sites are a dime a dozen due to the number of people and companies using it as another form of payment method. However, what’s notable about this campaign is that all the phishing pages are hosted on legitimate WordPress sites.

Hundreds—if not thousands—of WordPress sites remain vulnerable and easily exploited by scammers because of their poor security and the use of weak passwords. This was evident after Akamai found an attacker had planted a phishing kit on its WordPress honeypot.

After successfully brute-forcing their way into the WordPress site using a list of common credentials, the attackers then installed a file manager plugin that let them upload the phishing kit to the compromised site.

To avoid detection, the phishing kit cross-referenced IP addresses to domains belonging to companies it wants to avoid. Naturally, some of these domains include those belonging to cybersecurity organizations.

Blending into the background

Akamai researchers also noticed how the scammers made an effort to make their phishing page as indistinguishable as possible from the legitimate one. For one thing, the actors used .htaccess (short for hypertext access), a file that allows an admin to modify how a URL destination appears on the address bar.

In this case, the scammers wanted their phishing URL to make it look like it wasn’t a PHP file, so they edited out the “.php” bit of the URL. This makes sense because PayPal’s sign-in page doesn’t have an extension.

Oddly enough, the phish starts off asking users to type in the alphanumeric string they see on the “Security Challenge” page, under the guise of a means to verify that the user isn’t a bot.

The next page then asks for the user’s PayPal credentials. Normally, phishing kits would stop here, and the scammers would leave content with the PayPal credentials they can then misuse and abuse.

But not here. In this case they want more. This is just the start of a sophisticated work-up to get users to provide such sensitive information without them realizing it.

After users provide their PayPal credentials, they are then presented with a notice of “unusual activity” in the next screen.

Once users click the “Secure My Account” button, they are then directed to a page telling them to confirm all their card details. Here, Akamai noted that a ZIP code and CVV are normally sufficient.

Next, the scammers then ask users for yet more information, specifically their ATM PIN, social security number (SSN), and their mother’s maiden name—a bit of detail that could bypass an additional security layer for an account.

The PayPal phishing site then encourages users to link an email address to their PayPal account, giving the attackers a token, and therefore access, to that email account. It also encourages victims to upload official government documents, such as a passport, driver’s license, or national ID, to secure the account.

Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name. These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes. 

~ Akamai Security Research, Akamai

For a verification process for an account showing unusual activity, the amount of information being asked from users is ridiculous and overkill. However, Akamai researchers believe that socially engineering PayPal users to let them keep giving away their data is what makes this phishing kit successful.

“People judge brands and companies on their security measures these days,” said Akamai in the report. “Not only is it commonplace to verify your identity in a multitude of ways, but it’s also an expectation when logging in to sites with ultrasensitive information, such as financial or healthcare companies.”

Phishing, in general, has come a long way. Attackers have been learning from their mistakes thanks to our growing understanding of their tactics and social engineering techniques.

As users of online services, we, too, have an obligation over our own online security and privacy. And the only way one can tell apart two seemingly identical websites is to look at your browser’s address bar.

To rephrase a line: to err is human, to scrutinize URLs is divine.

Stay safe!

The post PayPal phishing campaign goes after more than just your login credentials appeared first on Malwarebytes Labs.

Together with the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), the FBI has released a warning about cybercriminals creating fraudulent cryptocurrency investment apps in order to defraud cryptocurrency investors.

The threat actors convince investors to download fraudulent mobile apps with the promise of huge opportunities and even larger gains.

And this new type of fraud turns out to be very profitable indeed, for the criminals at least—the FBI has identified 244 victims and estimates the approximate loss associated with this activity to be $42.7 million.

Mobile apps

It’s common for financial institutions to have a mobile app. These apps enhance the user experience and increase legitimate investment. Needless to say, threat actors sniffed out this opportunity to take advantage of the increased interest in mobile banking and cryptocurrency investing.

The FBI has observed threat actors using the names, logos, and other identifying information of legitimate financials in apps and websites.

Examples

While the basics are the same, there are some variants of this type of fraud which the FBI demonstrates with a few examples.

In the first one, victims were duped into downloading an app that used the name and logo of an actual US financial institution. Then the threat actors encouraged the victims to deposit cryptocurrency into wallets associated with their accounts on the app. But the app did not originate from the company the victims thought, and when they tried to withdraw funds from the app, they received an email stating they had to pay taxes on their investments before making withdrawals. After paying the supposed tax, the victims remained unable to withdraw funds.

Separately, threat actors operating under the name of a legitimate cryptocurrency exchange that closed in 2018 used the same method of having the victims pay taxes after which there was still no way to get a refund.

Then, threat actors using a name very similar to that of a currency exchange provider in Australia defrauded a victim by telling them that they had enrolled in a program requiring a minimum balance of $900,000. When the victim tried to cancel the subscription, they received instructions to deposit the requested funds or have all assets frozen.

Mitigation

To stay out of the claws of these imposters there are a few precautions you can take.

• Be wary of unsolicited requests to download investment applications, especially from unexpected sources.
• Verify the legitimacy of the app by checking out whether the company is legitimate and operates the app, and ensure that any financial disclosures or documents are tailored to the app’s purpose and the proposed financial activity.
• Treat applications with limited and/or broken functionality with skepticism.

Financial institutions should warn their customers about fake websites and apps using their logos to dupe investors.

Defrauded financial institutions and their customers are encouraged to contact the FBI via the Internet Crime Complaint Center or their local FBI field office.

Stay safe, everyone!

The post Fraudulent cryptocurrency investment apps are duping investors appeared first on Malwarebytes Labs.

A data compromise situation has impacted Roblox Corporation, the developers of the massive smash-hit video game Roblox. An as-yet unknown attacker has breached an employee account, and is in the process of exposing the data they’ve collected.

Nobody knows if they’ve exhausted their newly-plundered treasure trove, or if more leaks will follow.

Hacks and compromise: from myth to reality

The Roblox player base is young, and naturally enough worried about risks from cheats and account compromise. As a result, Roblox spends a fair amount of time debunking hacking myths. The most well known of these debunks probably relates to its John Doe and Jane Doe developer managed accounts.

Sadly for Roblox, this time around it appears that the compromise is very real with one key difference. It’s the developers under attack, rather than the players. For the time being, at least, they remain unaffected.

Internal employee information: leaked

A Roblox forum post has been playing host to around 4GB of stolen data. This data includes identification documents, spreadsheets related to Roblox creators, and various email addresses. At time of writing, there’s no specifics with regard to the “identification documents”. This could mean driving licence, passport, employee ID scan…we simply don’t know at the moment.

Roblox informed Motherboard that the documents were “illegally obtained as part of an extortion scheme that we refused to cooperate with”.

While there isn’t much information available yet, extortion tactics could suggest a double extortion attempt. The first thing to spring to mind here would be a ransomware attack. If the victim refuses to pay the ransom, the malware authors threaten to leak files. This can be incredibly damaging for all concerned, especially as files are often published even when the ransom is paid.

Of course, the extortion could spring from another source. Motherboard mentions the cache being stolen from an employee. The employee may have been phished. In this scenario, there is no ransomware involvement. Whatever the reason for the attack origin, players will naturally enough be very concerned.

What can you do to keep your Roblox account safe?

We don’t know if data has been grabbed outside of what’s already been leaked. There’s no indication from Roblox that user data has been accessed, which may only be known for certain as the investigation into the attack wraps up.

This is how you can help to keep your own account safe from harm in the meantime:

Watch out for phishing. Phishing attacks often follow on from breaches, although it may take days, or even weeks for an attempt to land in your mailbox. Be wary of mails asking you to login, or claiming that there has been a problem with your account. We suggest navigating to the official Roblox site directly instead of clicking links sent to your email address.

Set up two-step verification. This will help keep your account secure even if you were to hand over your login to a bogus website. Visit your account settings page, and then from the security tab select the type of two-step verification that you’d prefer. Roblox allows for a variety of different authenticator apps for use with your account.

Logout of public and shared devices. Roblox is great to play on the go. However, leaving your account logged in at on a public computer could result in item or account theft. Make sure you’ve fully logged out of any device which doesn’t belong to you. Public device compromise is still a very easy way to lose account access, and one which younger gamers could easily forget about as a potential threat.

The post Roblox breached: Internal documents posted online by unknown attackers appeared first on Malwarebytes Labs.

After the overturning of Roe V Wade, many feared that using, having access to, and sharing reproductive and sexual health data—once done freely—would be outlawed with the practice of abortion in many states. To protect such data from falling into the wrong hands,  Congresswoman Sara Jacobs (D-CA) sponsored the “My Body, My Data Act of 2022” bill.

Four days after the bill entered the House of Representatives and the Senate, US President Joe Biden signed an Executive Order Protecting Access to Reproductive Health Care Services, an order aimed at safeguarding healthcare services and protecting patient privacy and access to accurate information, among others.

Following this, the FTC (Federal Trade Commission) has warned tech companies and data brokers about potentially misusing the health data the US government seeks to protect.

The interconnectedness of devices has made life easier for most of us, but it remains a major nightmare for privacy-conscious consumers and organizations.

And while location data (among others) is generated by apps, consumers regularly generate their own sensitive data, too, in the form of apps aiding them in testing their blood sugar, recording their sleep patterns, or capturing their biometric features to access devices. In matters related to personal reproductive health, this could be in the form of apps for tracking periods, monitoring fertility, or managing contraceptive use.

The FTC asserts that a combination of these generated data “creates a new frontier of potential harms to consumers”.

“The misuse of mobile location and health information—including reproductive health data—exposes consumers to significant harm,” said the FTC in a post. “Criminals can use location or health data to facilitate phishing scams or commit identity theft. Stalkers and other criminals can use location or health data to inflict physical and emotional injury.”

The exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms.

The FTC renewed its vow to go after companies that use American digital data unfairly or deceptively.

“The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy. We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data. The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”

The regulator will closely scrutinize corporate claims that data is “anonymized”, as research has shown that it can be trivial to de-anonymize such data, even when they’re part of a seemingly homogenous data set. The FTC would also be after companies that gather more than what they ask users to consent for or those that retain data indefinitely.

The post The FTC will go after companies misusing location, health, and other sensitive data appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Elden Ring maker Bandai Namco hit by ransomware and data leaks
• Predatory Sparrow massively disrupts steel factories while keeping workers safe
• New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs
• China’s Tonto Team increases espionage activities against Russia
• Endpoint security for Mac: 3 best practices
• Low-income consumers preyed on by fake ISP during pandemic, FCC says
• Ransomware rolled through business defenses in Q2 2022
• Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
• WhatsApp warns users: Fake versions of WhatsApp are trying to steal your personal info
• Update now—July Patch Tuesday patches include fix for exploited zero-day
• Fake streamed cricket matches knocks victims for six
• PyPI starts rolling out required 2FA for important projects
• Insecure password leads to Mangatoon data breach

Stay safe!

The post A week in security (July 11 – July 17) appeared first on Malwarebytes Labs.

Restaurants and other eating establishments are being targeted by extortionists who post fake reviews online and then offer to remove them in exchange for a gift card.

The possibility has always existed to leave poor reviews on Google Maps and elsewhere. However, seeing fraudsters get organised and issue extortion threats alongside the review is a new development.

According to the New York Times, businesses are being “deluged” with the poor reviews. Extortion threats are then mailed to the business owners, apologising for the actions but insisting that $75 Google Play gift cards be purchased in order to have the poor reviews erased.

Card codes are mailed to a ProtonMail account, where the scammers pick up their bounty. The codes are likely sold on at this point to turn a tidy profit. We don’t know if anyone actually sent a card code to the relevant mail address, nor if any reviews were removed by the fraudsters in cases where a payment was made.

The group claims to be based in India, and is currently targeting businesses in San Francisco, New York, and Chicago.

The bad review bombing technique

Review bombing is something you’ve probably heard about in relation to gaming. When fans of certain titles become annoyed with changes in a game, or something is released which they object to, some turn to leaving bad reviews.

These reviews tend to be organised by groups, and plaster a product’s page with poor ratings. This has a negative impact on the title, and comes with a variety of side effects. It might even make the product less visible to other shoppers due to the product review score tanking.

Platforms selling games have had to take significant action against these tactics in recent years, developing new ways to spot inauthentic reviews and hiding them away from the public.

Defending your business from bad review practices

Google offers several guides for both reviewers and business owners where reviews are concerned.

Firstly, there’s detailed information about adding a review on Maps. While this is useful to know as a business owner, the really important information is on the How to remove reviews guide. Review removal requests are initiated via the Manage Reviews page. Before you submit, you need to check through the Prohibited and Restricted content section and see which category extortion attempts would fall under.

We suspect Civil Discourse > Harassment, or Deceptive Content > Misrepresentation would be good places to start.

• We don’t allow users to post content to harass other people or businesses, or encourage others to participate in harassment.

• Misleading information can impact the quality of information on Google Maps. For this reason, we don’t allow individuals to use Google Maps to mislead or deceive others, or make misrepresentations.

This includes:

• False or misleading accounts of the description or quality of a good or service. 

No matter which rules you feel that your extortion-laced missives fall under, here’s how to report in both Maps and Search:

Flag a review in Google Maps

1. On your computer, open Google Maps.
2. Find your Business Profile.
3. Find the review you’d like to report.
4. Click More > Flag as inappropriate.

Flag a review in Google Search

1. On your computer, go to Google.
2. Find your Business Profile.
3. Click Google Reviews.
4. Find the review you’d like to report.
5. Click More > Report review. Select the type of violation you want to report.

The post Extortionists target restaurants, demand money to take down bad reviews appeared first on Malwarebytes Labs.

On the evening of June 23, in the United States, millions of women went to bed with a Constitutional right to choose to have an abortion, and they went to bed with the many assurances that are tied to that right—to speak about getting an abortion, to organize and provide support to those seeking abortions, to search for abortion services safely online, to digitally track their menstrual cycles, to record their reproductive plans, all without too much concern about who would be interested in that information.

But on June 24, that Constitutional right was removed by the Supreme Court.

Immediately, this legal story has become one of data privacy, as countless individuals ask themselves: What surrounding activity is now allowed?

Should Google be used to find abortion providers out of state? Can people write on Facebook or Instagram that they will pay for people to travel to their own states, where abortion is protected? Should people continue texting friends about their thoughts on abortion? Should they continue to use a period-tracking app? Should they switch to a different app that is now promising to technologically protect their data from legal requests? Should they clamp down on all their data? What should they do?

Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts on this intersection of data privacy and legal turmoiil—Electronic Frontier Foundation staff attorney Saira Hussain and senior staff technologist Cooper Quintin.

As Quintin explains in the podcast, while much of the focus has recently been on the use of period-tracking apps, there are so many other forms of data out there that people should protect: 

“Period-tracking apps aren’t the only apps that are problematic. The fact is that the majority of apps are harvesting data about you. Location data, data that you put into the apps, personal data. And that data is being fed to data brokers, to people who sell location data, to advertisers, to analytics companies, and we’re building these giant warehouses of data that could eventually be trawled through by law enforcement for dragnet searches.”

By spotlighting how benign data points—including shopping habits and locations—have already been used to reveal pregnancies and miscarriages and to potentially identify abortion-seekers, our guests explain what data could now be of interest to law enforcement, and how people at home can keep their decisions private and secure.

Tune in to hear all this and more on the most recent episode of Lock and Code.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “SCP-x5x (Outer Thoughts)” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

The post Roe v. Wade: How the cops can use your data: Lock and Code S03E15 appeared first on Malwarebytes Labs.

According to analyses of several cybersecurity firms and CERT (Computer Emergency Response Team) Ukraine (CERT-UA), the state-sponsored threat actor group Tonto Team, which has been linked to China-backed cyber operations, is ramping up its spying campaign against Russian government agencies. 

The campaign, which involves an email, a Word document file in RTF (Rich Text File) format, and a backdoor payload, starts off with socially engineering recipients to convince them to open a malformed attachment, triggering the execution of an MS Office exploit, particularly in the Equation Editor.

According to SentinelOne, the RTF file masquerades as a government advisory or security warning to agencies and infrastructure providers of potential attacks.

The fake advisory is written in Russian. Below is the Google-translated text in English:

Dear colleagues!

In addition, we remind you that recently there have been more cases of attempts to steal logins / passwords for access of employees of the Minsitry to official mail and the Service Portal.

Attackers on behalf of representatives of the Department of the Ministry of Foreign Affairs, government and other organizations send letters to e-mail addresses, in which they convince you to familiarize yourself with various documents and information.

Under no circumstances do not enter your service login / password in such cases.

Please note that the documents must be attached to the letter and opened from the body of the letter.

Compliance with these rules will allow you to maintain the confidentiality of not only your data, but also the data of other employees of the Ministry.

The Tonto Team used Royal Road (sometimes called “8.t”) to create the malicious RTF file. First analyzed by nao_sec, Royal Road is a document builder that gives threat actors the ability to embed malicious code within RTF files, aiding actors in compromising target systems.

The exploit is triggered upon opening the file, and the malware payload, Bisonal, is dropped. Bisonal, a tool many Chinese threat actors use, is a RAT (remote access Trojan). Apart from Chinese APTs (Advanced Persistent Threats), no other threat actor has used Bisonal.

The Tonto Team, an APT group that has been around almost as long as Bisonal, has many aliases: Karma Panda, Bronze Huntley, CactusPete, and Earth Akhlut. The group is known for targeting Asian nations (South Korea, Taiwan, and Japan) and Russia. So, this isn’t the first time China has been in the case of the former Soviet state. Rather, this is about a notable increase in targeting activity against Russia.

“What we’re seeing here is a potential Chinese government increase in intelligence collection requirements from inside Russia,” SentinelOne Senior Threat Researcher Tom Hegel told Dark Reading in an interview. “Perhaps an increased prioritization or expansion of resources assigned to such tasking.”

China is prioritizing its espionage campaign against Russia due to the ongoing Russian invasion of Ukraine. And while Chinese officials see themselves with Russia as “comprehensive strategic partners of coordination”, their diplomatic relations have strengthened through the years, mainly to suppress the expansion of Western alliances.

What China is doing is “simply China looking out for itself in uncertain times,” Hegel is also quoted saying. “Like any well-resourced nation, they seek to support their own agenda through cyber, and the state of affairs in Russia may be adjusting just what they prioritize.”

Chinese hacking groups have been using Royal Road and Bisonal for years, which says a lot. Its longevity points to the shared use of resources among these groups, making attribution very difficult. The repeated use of these tools through the years also suggests that campaigns against targeted nations have been successful, which gives us an idea of the state of security of these countries.

“The fact that these toolkits evolve and continue to operate really speaks to how well they’re resourced, and the state of the defense side,” Hegel told CyberScoop in a separate interview. “Nothing can really stop them from continuing to use this. It’s still successful in many cases, as we see here. You look at the exploits they’re using in these documents, they’re years old exploits. They’re popping people that are out of date by quite a few years.”

The post China’s Tonto Team increases espionage activities against Russia appeared first on Malwarebytes Labs.

Security researcher Maxime Ingrao has found a new variant of Android/Trojan.Spy.Joker which he’s dubbed Autolycos. Malware in this family secretly subscribes users to premium services. The researcher noted that the eight applications that contained this malware had racked up a total of over 3 million downloads.

Toll fraud malware

Toll fraud malware is a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent. At the moment, toll fraud malware—also known as fleeceware—is one of the most prevalent types of Android malware. And not only does the number of infections keep going up, so does the sophistication of the malware.

Joker

Android/Trojan.Spy.Joker was the first major family that specialized in this field. It was first found in the Play Store in 2017. Joker is capable of clicking on online ads, and asks for SMS permissions during installation so it can access One Time Passwords (OTPs) to secretly approve payments. The user will never know that they have been subscribed to some service online until they check their bank statements or phone invoice.

Detection

Google uses the name Bread for the Joker malware family. In January, 2020, Google Play Protect detected and removed 1,700 unique Bread apps from the Play Store. By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint which makes it hard to detect. But SMS and toll fraud generally require some basic functionality like disabling WiFi which needs one of a handful of APIs. Since Joker expects security researchers to look for those APIs, it uses a wide variety of techniques to mask the usage of them.

Slow response

The small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store. But that doesn’t explain why it took Google over a year to remove the eight apps reported by Maxime Ingrao. He reported the apps in June, 2021, and the last two were removed on July 13, 2022. It’s possible they would still be available if the researcher hadn’t gone public because he said he got tired of waiting.

Autolycos

As mentioned earlier, the malware is still undergoing development. What is new about this type is that it no longer requires a WebView. WebViews are exactly what the name indicates—a small view to a piece of Web content. A WebView can be a tiny part of the app screen, a whole page, or anything in between. Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on. Autolycos avoids WebView by executing URLs on a remote browser and then including the result in HTTP requests.

Malicious apps

BleepingComputer posted the list of malicious apps found by Maxime Ingrao, which users may still have installed:

• Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
• Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
• Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
• Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
• Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
• Coco Camera v1.1 (com.toomore.cool.camera) –  1,000 downloads
• Funny Camera by KellyTech –  500,000 downloads
• Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads

Pradeo researchers have also identified four new malicious applications that embed the Joker malware:

• Smart SMS Messages 50.000+ installs
• Blood Pressure Monitor 10.000+ installs
• Voice Languages Translator 10.000+ installs
• Quick Test SMS 10.000+ installs

How to avoid toll fraud malware

Users that have any of the listed apps installed are advised to remove them as soon as possible. To avoid getting infected and duped by toll fraud malware there are a few countermeasures you can take:

• Keep Play Protect active.
• Pay attention to apps asking for permissions, in this case especially SMS permissions.
• Minimize the number of apps you install, however useful they may seem. The Autolycos operators created numerous advertising campaigns on social media.
• Do not rely on user reviews alone, since the malware authors use bots to maintain a good user rating.

Also, always keep an eye on your background internet data, battery consumption, phone invoices, and bank statements, just in case. The sooner you stop it, the smaller the damages.

The post New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs appeared first on Malwarebytes Labs.