Kaspersky Lab experts have recently discovered a malicious app on the Google Play store called “Guide for Pokémon Go”, which is capable of seizing root access rights on Android smartphones. The app has reportedly been downloaded more than 500,000 times.
The global phenomenon of Pokémon Go has resulted in a growing number of related apps and, inevitably, increased interest from the cybercriminal community. Kaspersky Lab’s analysis of the “Guide for Pokémon Go” Trojan has uncovered malicious code that downloads rooting malware, securing access to the core Android OS for the purposes of app installation and removal as well as the display of advertising.
The Trojan includes some interesting features that help it to bypass detection. For example, it doesn’t start as soon as the victim launches the app. Instead, it waits for the user to install or uninstall another app, and then checks to see whether that app runs on a real device or on a virtual machine. If it’s dealing with a device, the Trojan will wait a further two hours before starting its malicious activity. Even then, infection is not guaranteed. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the Trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.
This approach means that the control server can stop the attack from proceeding if it wants to – skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example. This provides an additional layer of protection for the malware.
Once rooting rights have been enabled, the Trojan will install its modules into the device’s system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user. Kaspersky Lab analysis shows that at least one other version of the malicious Pokémon Guide app was available through Google Play in July 2016. Further, researchers have tracked back at least nine other apps infected with the same Trojan and available on Google Play Store at different times since December 2015.
Kaspersky Lab’s data suggests that there have been just over 6,000 successful infections to date, including in Russia, India and Indonesia. However, since the app is oriented towards English-speaking users, people in such geographies, and more, are also likely to have been hit.
“In the online world, wherever the consumers go, the cybercriminals will be quick to follow. Pokémon Go is no exception. Victims of this Trojan may, at least at first, not even notice the increase in annoying and disruptive advertising, but the long term implications of infection could be far more sinister. If you’ve been hit, then someone else is inside your phone and has control over the operating system and everything you do and store on it. Even though the app has now been removed from the store, there’s up to half a million people out there vulnerable to infection – and we hope this announcement will alert them to the need to take action,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.
People concerned that they may encounter the Trojan should install a reliable security solution, such as Kaspersky Internet Security for Android, on their device. If the security scan shows that they are already infected, the best way to remove the rooting malware is to backup all data and reset the device to factory settings.
In addition, Kaspersky Lab advises users to always check that apps have been created by a reputable developer, to keep their operating system and application software up-to-date, and not to download anything that looks at all suspicious or whose source cannot be verified.
To learn more about the Pokémon Go Guide rooting Trojan, read the blog on Securelist.com.
Personal computing devices sales still decline in MEA
The Middle East and Africa (MEA) personal computing devices (PCD) market, which is made up of desktops, notebooks, workstations, and tablets, suffered a decline of -7.3% year on year in Q2 2017, according to the latest insights from International Data Corporation (IDC).
The global technology research and consulting firm’s Quarterly PCD Tracker for Q2 2017 shows that PCD shipments fell to around 6 million units for the quarter.
“As forecast, the market followed a similar pattern to recent quarters, with the downturn primarily stemming from a decline in shipments of slate tablets and desktops,” says Fouad Charakla, IDC’s senior research manager for client devices in the Middle East, Turkey, and Africa. “This was the result of desktop users increasingly switching to mobile devices such as notebooks or even refurbished notebooks, while users of slate tablets shifted to smartphones. These trends translated into year-on-year declines of -21.9% for desktops and -15.7% for slate tablets in Q2 2017, while shipments of notebooks and detachable tablets increased 11.0% and 63.3%, respectively over the same period.”
“Market sentiment in the region remained low overall, although an aggressive push from some slate tablet vendors meant the market declined much slower than expected,” continues Charakla. “At the same time, heightened competition has also made it harder for certain players to sustain their slate tablet businesses and generate profits, causing them to lose interest in the slate tablet market altogether. Despite this, slate tablets are still the most popular computing device among home users in the region.”
Looking at the region’s key markets, IDC’s research shows that when compared to Q2 2016 overall PCD shipments were down -11.4% in the UAE, -8.9% in Turkey, and -6.7% in the ‘Rest of Middle East’ sub-region (comprising Iran, Iraq, Syria, Yemen, Palestine, and Afghanistan). South Africa and Saudi Arabia bucked this trend, recording year-on-year increases of 3.5% and 9.6%, respectively.
A massive education delivery in Pakistan acted as a key driver for notebook shipments in the region overall. Similarly, the education sector was the biggest driver of detachable tablet shipments, triggered by a huge delivery in Kenya, as well as two other deliveries in Pakistan and Turkey, which enabled this category to achieve the fastest growth of all the PCD categories.
“While a component shortage prevented market players from reducing their prices too much, the average price of consumer notebooks experienced a considerable year-on-year decline in Q2 2017,” says Charakla. “This played a key role in driving demand from the consumer segment, and was reflected in the growing popularity of lower-priced notebook models.”
Looking at the PC market’s vendor rankings, each of the top five vendors maintained their respective positions compared to the previous quarter, with the top four all gaining share.
Middle East & Africa PC Market Vendor Shares – Q2 2016 vs. Q2 2017
|Brand||Q2 2016||Q2 2017|
Although Samsung continued to lead the tablet market, the vendor rankings in the space saw quite a few changes, with Huawei catapulting itself to second place. Lenovo also climbed up a position compared to the previous quarter, causing Apple to drop to fourth place.
Middle East & Africa Tablet Market Vendor Shares – Q2 2016 vs. Q2 2017
|Brand||Q2 2016||Q2 2017|
“Looking to the future, the MEA PCD market is expected to decline at a faster rate than previously forecast for 2017 as a whole,” says Charakla. “Technological shifts are playing a pivotal role in deciding the future of this market, with demand for certain products shifting to other PCD products and beyond (i.e., smartphones). Accordingly, shipments of slate tablets are expected to continue declining over the coming years as demand is cannibalized by smartphones. Meanwhile, the ongoing shift to mobile computing will see growth in the desktop market remain close to flat throughout IDC’s forecast period ending 2021. Notebook shipments will experience very slow growth beyond 2018, while detachable tablets will remain the fastest growing PCD category, eating away share from other computing devices.”
Gazer cyber-spies exposed
ESET has released new research into the activities of the Turla cyberespionage group, and specifically a previously undocumented backdoor that has been used to spy on consulates and embassies worldwide.
ESET’s research team are the first in the world to document the advanced backdoor malware, which they have named “Gazer”, despite evidence that it has been actively deployed in targeted attacks against governments and diplomats since at least 2016.
Gazer’s success can be explained by the advanced methods it uses to spy on its intended targets, and its ability to remain persistent on infected devices, embedding itself out of sight on victim’s computers in an attempt to steal information for a long period of time.
ESET researchers have discovered that Gazer has managed to infect a number of computers around the world, with the most victims being located in Europe. Curiously, ESET’s examination of a variety of different espionage campaigns which used Gazer has identified that the main target appears to have been Southeastern Europe as well as countries in the former Soviet Union Republic.
The attacks show all the hallmarks of past campaigns launched by the Turla hacking group, namely:
- Targeted organisations are embassies and ministries;
- Spearphishing delivers a first-stage backdoor such as Skipper;
- A second stealthier backdoor (Gazer in this instance, but past examples have included Carbon and Kazuar) is put in place;
- The second-stage backdoor receives encrypted instructions from the gang via C&C servers, using compromised, kegitimate websites as a proxy.
Another notable similarity between Gazer and past creations of the Turla cyberespionage group become obvious when the malware is analysed. Gazer makes extra efforts to evade detection by changing strings within its code, randomizing markers, and wiping files securely.
In the most recent example of the Gazer backdoor malware found by ESET’s research team, clear evidence was seen that someone had modified most of its strings, and inserted phrases related to video games throughout its code.
Don’t be fooled by the sense of humour that the Turla hacking group are showing here, falling foul of computer criminals is no laughing manner.
All organisations, whether governmental, diplomatic, law enforcement, or in traditional business, need to take today’s sophisticated threats serious and adopt a layered defence to reduce the chances of a security breach.