Skip Navigation
BlackBerry Blog

This Week in Security: Backdoors, Ransomware, Enigma

There’s a (Spy)App for That

The proliferation of mobile phones and their accompanying app store ecosystems have made mobile applications an enticing target for malicious developers. Researchers at Lookout discovered the Igexin advertising library contained a backdoor, allowing Igexin to execute arbitrary code.

The advertising library was used by over 500 applications on the Google Play store which were downloaded over 100 million times. The affected applications allowed Igexin to surreptitiously steal call histories, GPS location, and other phone metadata.

In an age where there (apparently) needs to be an app for everything, developers are heavily relying on third party libraries to quickly publish an application. This approach of bolt-on development means there’s plenty of un-vetted code running on users’ devices.

The developers of the affected applications were likely unaware of the backdoor functionality hidden in the Igexin advertising library. In a different case, two malicious apps were spotted on the Google Play store which abuse the Accessibility features to install mobile malware.

Take the following steps to protect yourself:

  • Avoid installing unnecessary applications
  • Restrict the permissions granted to applications
  • Keep your phone’s operating system up to date
  • Be cautious with applications requesting accessibility permissions

Accounting for Ransomware Attacks

The servers of Crystal Finance Millennium (CFM), an accounting software firm in Ukraine, were hacked to serve up a malware dropper. This discovery comes on the heels of a notification sent out by the Ukraine Central Bank of an impending attack.

Hackers behind the attack sent phishing emails to various targets which contained a ZIP file attachment. Inside the ZIP archive was a JavaScript file which would download and execute the dropper from CFM’s webserver which installs the Purge ransomware.

The notification sent out by the Ukraine Central Bank pointed towards emails containing Microsoft Word document attachments as the infection vector.

As always, users should be cautious when receiving unsolicited emails:

  • Don’t open files attached to unsolicited emails
  • Be cautious of links in emails
  • Keep your operating system and antivirus software up to date

The Enigma of Two-Factor Authentication

There’s no creative limit when it comes to digital grifting. Hackers managed to seize control of Engima’s Slack group, mailing list, and domain in order to post a fake initial coin offering (ICO) pre-sale which scammed users out of almost $500k USD in Ethereum coins.

This isn’t the first-time hackers targeted ICO events and it’s unlikely it will be the last. In this instance, the Enigma CEO’s password was compromised in a previous data breach, and the lack of two-factor authentication meant hackers could track down the password and reuse it everywhere until they found success.

Ironically, Enigma proposed a solution to hackers hijacking ICO events by hardcoding the address of the token sale contract. It just goes to show that the security of blockchain technology has a critical weak point that vexes all technology: humans.

In response to the security incident, Enigma has implemented a stronger authentication policy to include:

  • Strong, different, random passwords for each account – whether held by an employee or official communication channels for the company
  • 2FA for all such accounts
  • Weekly password rotation, and daily rotation in the week leading to the token sale
  • Proper access control management and compartmentalization

All of those measures, with the possible exception of the weekly/daily password rotation,  should be standard security methods for every organization, of any size, in any industry.

We can dream, right?

The Cylance Research and Intelligence Team

About The Cylance Research and Intelligence Team

Exploring the boundaries of the information security field

The Cylance Research and Intelligence team explores the boundaries of the information security field identifying emerging threats and remaining at the forefront of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.