Beware Android Phone-Melting Malware

A type of crypto-currency mining malware has been found to overload an Android phone with so much constant activity that its battery physically bulges and bends the phone cover.

Malware Causing Physical Damage

The Android phone-wrecking Trojan malware, dubbed “Loapi”, was discovered by Kaspersky researchers. In tests, after running it for several days mining the Monero crypto-currency, the Android phone used in the test was overloaded with activity (it tried to open about 28,000 unique URLs in 24 hours) to the point that the battery and phone cover were badly damaged and distorted by the resulting heat.

The Loapi malware is reported to have been found hiding in applications in the Android mobile operating system.

How It Works

Loapi reportedly works by hijacking a smartphone’s processor and using the computing power to mine crypto-currency.

‘Mining’ refers to the process of performing computationally intensive work in return for rewards of new crypto-currency units, e.g. Bitcoin.

Loapi uses JavaScript code execution hidden in web pages (usually delivered via advertising campaigns) together with WAP billing to subscribe the user to various services. This works in conjunction with the SMS module, which sends the subscription message.

What makes Loapi particularly dangerous is the number of device-attacking techniques it contains, and its modular architecture, which means that more functionality could be added to it at any time.

Part Of Trend For Mining Scams

It is likely that Loapi is loaded onto an Android device when a user visits a website where mining software / mining code is running in the background, without the knowledge of the website owners or visitors.

The scammer who plants the code can harness the power of multiple computers / devices, joining them into networks so that the combined computing power lets them solve the mathematical problems first (before other scammers) and thereby claim / generate cash in the form of crypto-currency.

A report by ad blocking firm AdGuard in October this year showed that the devices of 500 million people may be inadvertently mining crypto-currencies as a result of visiting websites that run mining software in the background.

What Does This Mean For Your Business?

Unfortunately, many cyber criminals are now trying to leverage the processing power of computers, smartphones and other devices to generate revenue from mining crypto-currency. Mining software, e.g. Coinhive, has been found in popular websites, and crypto-currency mining scams are now being extended to target cloud-based computing services in the hope of harnessing huge amounts of computing power and using multiple machines to try to generate more income.

The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses, and this new threat of actually having your phone melted by malware adds another level of risk, including that of fire.

There are some simple measures that your business can take to avoid being exploited as part of this popular scam, although it is unclear how well these will work with the newly discovered Loapi. For example, you can set your ad blocker (if you’re using one) to block one specific JavaScript URL, which could stop the miner from running without stopping you from using any of the websites that you normally visit.

Also, browser extensions are available e.g. the ‘No Coin’ extension for Chrome, Firefox and Opera (to stop Coin Hive mining code being used through your browser).

You can generally steer clear of dodgy Android apps by sticking to Google Play, by avoiding cloned apps from unknown developers within Google Play, by checking app permissions before you install them, by keeping Android apps up to date (and by deleting the ones you don’t use), and by installing an antivirus app.

Maintaining vigilance for unusual computer symptoms, keeping security patches up to date, and raising awareness within your company of current scams and what to do to prevent them are just some of the ways that you can maintain a basic level of protection for your business.

Kaspersky Tries To Overturn U.S. Directive

Embattled Moscow-based cyber security firm Kaspersky Lab is appealing against the U.S. Government’s ban on its software on the grounds that it is unconstitutional and that there is no technical evidence to support it.

What Directive?

Back in September, the U.S. Department of Homeland Security (DHS) issued a Directive ordering civilian government agencies to remove Kaspersky software from their networks within 90 days. Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions (anti-virus software).

Concerns Over Many Years

The U.S. Directive (ban) came after concerns about possible Russian state interference in the U.S. elections, but Kaspersky have long been the subject of suspicion and concerns by western governments.

In July this year, for example, security researchers claimed to have found a way to force the anti-virus product to assist snoops in stealing data from segmented networks (not connected to the wider internet).

Back in 2015, it was also reported that the US National Security Agency and GCHQ had sought to carry out reverse engineering of Kaspersky anti-virus as far back as 2008 to discover any vulnerabilities.

Long-running fears about Kaspersky have also been fuelled by leaks from the NSA through Edward Snowden (2013) and Hal Martin (2016), and by allegations (printed in the Wall Street Journal) that a Vietnamese NSA contractor was hacked on his home computer by Russian spies via Kaspersky.

Earlier this month Barclays bank in the UK emailed its 290,000 online banking customers to say that it will no longer be offering Kaspersky Russian anti-virus because of information and news stories about possible security risks.

The Appeal

A federal appeal has now been filed by Kaspersky Lab under the Administrative Procedure Act against the U.S. Directive to remove Kaspersky software from civilian government agency networks. According to Kaspersky, the DHS has acted unconstitutionally and has violated Kaspersky Lab’s right to due process by issuing Binding Operational Directive 17-01.

Kaspersky Lab argues that the issuing of the Directive was based on no technical evidence, and the company has repeatedly denied any ties to any government and has said that it would not help a government with cyber espionage.

Damage

Kaspersky Lab has publicly stated that the Directive and the wide-scale media coverage and public / business reaction to it have damaged the company’s position in the market. Sales are reported to be down, Kaspersky has announced the closing of its D.C. headquarters as a direct result of the U.S. government’s public suspicion toward its business, and the company’s founder, Eugene Kaspersky, has said that the company has also suffered damage to its reputation.

Submitting Code

As well as strenuously denying the allegations and launching an appeal, Kaspersky Lab said in October that it would submit the source code of its software and future updates for inspection by independent parties and U.S. officials.

What Does This Mean For Your Business?

For businesses using Kaspersky in the UK, it is worth remembering that although Barclays Bank have stopped using the software, and a U.S. Directive remains in place, no actual evidence of wrongdoing related to espionage / spying, or of the company colluding with the Russian state has been publicly provided.

Businesses will need to take an individual view of any possible risks, taking into account the context of a certain amount of paranoia and the recent focus in the media about Russia following allegations of interference in the US elections.

On a technical and security note, it may not be a good idea anyway to remove Kaspersky anti-virus from a computer without immediately putting a suitable alternative in place. Anti-virus forms an important part of a company / organisation’s basic cyber defences, and this and other software should be kept up to date with patches and updates so that evolving threats can be combated as part of a wider strategy.

No More Chrome Apps From Next Year

Google has announced that Chrome apps for Mac and Windows will no longer be available from the Chrome Web Store by early next year and that they will be replaced next year by Progressive Web Apps (PWA).

Why?

Google has had Chrome-browser supported stand-alone apps on Mac, Windows and Linux since 2013, but back in August 2016 it was announced that Google would be phasing out these apps because only 1% of users actively used them, and most hosted apps were already implemented as regular web apps, e.g. Netflix.

Google therefore wanted to simplify its browser and move developers to more standardised web apps, and planned to phase out standalone Chrome apps over two years, starting by limiting newly published apps to users on Chrome OS.

This latest announcement is the beginning of the final phase of that two-year plan.

Why Chrome Apps?

Chrome apps / packaged apps are basically Google’s own web-apps that are able to run offline, in their own window, and integrate with the underlying operating system and hardware.

Google has stated that it originally launched Chrome apps to give users experiences that the web, at the time (2013) couldn’t provide e.g. working offline, sending notifications, and connecting to hardware.

The Replacement – PWAs From APIs

Google’s work to move developers to more standardised apps has led to the introduction of powerful APIs e.g. service worker and web push, to enable the building of Progressive Web Apps that work across multiple browsers. These PWAs (launched earlier this year on Android) are essentially the replacement for Google’s standalone Chrome apps and blur the line between websites and installed software. PWAs will be available on desktops from the middle of 2018. According to Google, the benefits of PWAs are that they offer:

  • Reliability – they load instantly and don’t slow everything down.
  • Speed – they respond quickly to interactions with users, and animations are smooth.
  • Engagement – they offer the user an immersive experience with help from a web app manifest file (allowing users to control how an app appears and how it’s launched). A PWA feels like a natural app on a device.
  • Improved Conversions – Google has quoted the example of how AliExpress were able to improve conversions for new users across all browsers by 104% and on iOS by 82%.

What Does This Mean For Your Business?

It appears that the standalone Chrome apps may have been a welcome introduction back in 2013, but are now not being used because they have been replaced by regular web apps anyway. This announcement by Google shouldn’t, therefore, cause any real concern to most businesses.

Anything that can be done to simplify the use of browsers such as Chrome has to be good news.

The benefits of PWAs are also promising for developers and users, and the possibility of increased engagement and conversions are clearly of interest to businesses.

School Heating Hack Risk

Cyber-security company Pen Test Partners have warned that schools with building management systems that are linked to the Internet could face the risk of hackers turning the school heating system off – or worse.

The Problem

The problem is that many electricians and engineers may be lacking in knowledge about cyber security and / or may have linked a school’s HVAC system to Internet controls against the manufacturer’s guidelines. Also, many smart school heating systems may have vulnerabilities in them that hackers may find easy to exploit.

Tested

The researchers at Pen Test Partners tested for potential hacking risks by looking for building management system controllers made by Trend Control Systems via the IoT search tool Shodan. This online tool (see https://www.shodan.io) provides a public API and enables anyone to discover which devices are connected to the Internet, where they are located and who is using them.

In a test, it was revealed that it took less than 10 seconds to find more than 1,000 examples of a 2003 model of a school heating system known to be vulnerable when connected to the Internet. The visibility of a known vulnerable system via a public website is a clear example that the risk of school heating systems being controlled remotely by hackers is real.

Not Just Schools

The same / similar heating systems may also be used in buildings used by retailers, government offices, businesses and even military bases, thereby highlighting a much wider potential risk.

Incentive

Security commentators have pointed out that there would be very little incentive for hackers to access school systems because many hacks are carried out for financial gain.

The risks could, however, increase in future as more devices and systems become part of the IoT.

What Does This Mean For Your Business?

It is possible that some businesses may be in buildings where the heating systems are exposed to a hacking risk. Risks could be reduced if companies used skilled IT workers who are aware of the potential risks and if systems are checked properly after installation.

To make heating systems really secure they should also be configured behind a firewall or virtual private network, and they should have the latest firmware and other security updates.

It is also important to note that some responsibility rests with the manufacturers of heating and other smart building systems to design security features into them because even if a device is not directly connected to the internet, there may be an indirect way to access it.

This story also highlights the wider challenge of tackling security for IoT devices and products. There have been many occasions in recent years when concerns about the security / privacy vulnerabilities in IoT / smart products have been publicly expressed and reported. The truth is that the extent of the current vulnerabilities is unknown because the devices are so widely distributed globally, and many organisations tend not to include them in risk assessments for devices, code, data, and infrastructure. Home / domestic users have no real way of ascertaining the risks that smart / IoT devices pose, probably until it’s too late.

It has also been noted that not only is it difficult for businesses, including manufacturers of smart products, to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

For businesses, it’s a case of conducting an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default username and passwords in these devices are changed as soon as possible. For home users of smart products (who don’t run checks and audits), it appears that others (as in the case of the German Federal Network Agency) need to step in on their behalf and force the manufacturers to take security risks seriously.

Tech Tip – Storage Sense

If you want to make sure that you don’t start running out of space on your device, Windows 10 includes the Storage Sense tool to monitor and free up space on your device automatically.

Storage Sense can empty the recycle bin every 30 days and automatically clean up any temporary files on your drives. Here’s how to activate it:

  • Open ‘Settings’.
  • Click on ‘System’.
  • Click on ‘Storage’.
  • Turn on the Storage sense toggle switch.