Tag Archives: After

Facebook Password Stealing Apps Found on Android Play Store

facebook-password-hacking

Even after many efforts made by Google last year, malicious apps always somehow manage to make their ways into Google app store.

Security researchers have now discovered a new piece of malware, dubbed GhostTeam, in at least 56 applications on Google Play Store that is designed to steal Facebook login credentials and aggressively display pop-up advertisements to users.

Discovered independently by two cybersecurity firms, Trend Micro and Avast, the malicious apps disguise as various utility (such as the flashlight, QR code scanner, and compass), performance-boosting (like file-transfer and cleaner), entertainment, lifestyle and video downloader apps.

Like most malware apps, these Android apps themselves don’t contain any malicious code, which is why they managed to end up on Google’s official Play Store.

Once installed, it first confirms if the device is not an emulator or a virtual environment and then accordingly downloads the malware payload, which prompts the victim to approve device administrator permissions to gain persistence on the device.

facebook-account-hacking

“The downloader app collects information about the device, such as unique device ID, location, language and display parameters,” Avast said. “The device’s location is obtained from the IP address that is used when contacting online services that offer geolocation information for IPs.”

How Android Malware Steals Your Facebook Account Password

As soon as users open their Facebook app, the malware immediately prompts them to re-verify their account by logging into Facebook. Instead of exploiting any system or application vulnerabilities, the malware uses a classic phishing scheme in order to get the job done.

These fake apps simply launch a WebView component with Facebook look-alike login page and ask users to log-in. Apparently, WebView code steals the victim’s Facebook username and password and sends them to a remote hacker-controlled server.

“This is most likely due to developers using embedded web browsers (WebView, WebChromeClient) in their apps, instead of opening the webpage in a browser,” Avast said.

Trend Micro researchers warn that these stolen Facebook credentials can later be repurposed to deliver “far more damaging malware” or “amass a zombie social media army” to spread fake news or generate cryptocurrency-mining malware.

Stolen Facebook accounts can also expose “a wealth of other financial and personally identifiable information,” which can then be sold in the underground markets.

Security firms believe that GhostTeam has been developed and uploaded to the Play Store by a Vietnamese developer due to considerable use of Vietnamese language in the code.

According to the researchers, the most users affected by the GhostTeam malware reportedly resides in India, Indonesia, Brazil, Vietnam, and the Philippines.

Besides stealing Facebook credentials, the GhostTeam malware also displays pop up adverts aggressively by always keeping the infected device awake by showing unwanted ads in the background.

android-malware

All the apps have since been removed by Google from the Play Store after researchers reported them to the company. However, users who have already installed one such app on their devices should make sure they have Google Play Protect enabled.

Play Protect security feature uses machine learning and app usage analysis to remove (i.e. uninstall) malicious apps from users Android smartphones in an effort to prevent any further harm.

Although malicious apps floating on the official app store is a never-ending concern, the best way to protect yourself is always to be vigilant when downloading apps, and always verify app permissions and reviews before you download one.

Moreover, you are strongly advised to keep a good antivirus app on your mobile device that can detect and block such threat before they infect your device, and most importantly, always keep your device and apps up-to-date.

Fourth Fappening Hacker Admits to Stealing Celebrity Pics From iCloud Accounts

Fourth Fappening Hacker Admits to Stealing Pics From Celebrities’ iCloud Accounts

Almost three years after the massive leakage of high-profile celebrities’ nude photos—well known as “The Fappening” or “Celebgate” scandal—a fourth hacker has been charged with hacking into over 250 Apple iCloud accounts belonged to Hollywood celebrities.

A federal court has accused George Garofano, 26, of North Branford, of violating the Computer Fraud and Abuse Act, who had been arrested by the FBI.

Garofano has admitted to illegally obtaining credentials for his victims’ iCloud accounts using a phishing scheme, which eventually allowed him to steal personal information on his victims, including sensitive and private photographs and videos.

Among celebrities whose nude photographs were posted online back in 2014 are Jennifer Lawrence, Kim Kardashian, Kirsten Dunst, and Kate Upton. Also, female victims also include American Olympic gold medallist Misty May Treanor and actors Alexandra Chando, Kelli Garner and Lauren O’Neil.

Between April 2013 to October 2014, Garofano engaged in sending phishing emails pretended to be from Apple security team to several celebrities, tricking them into providing their iCloud account credentials, which they stole to access their accounts illegally.

“Garofano admitted that he sent emails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords, or to enter them on a third-party website, where he would later retrieve them,” the Justice Department said.

Besides stealing victims’ personal information, including sensitive and private photographs and videos, from their iCloud accounts using stolen credentials, Garofano, in some instances, also traded the stolen credentials, along with the materials he stole from the victims’ accounts, with other individuals.

In a plea agreement signed Thursday in U.S. District Court in Los Angeles, Garofano agreed to plead guilty to one count of unauthorised access to a protected computer to obtain information, facing up to 5 years in prison.

Garofano is the fourth hacker charged in connection with the Celebgate incident. Emilio Herrera, 32, Edward Majerczyk, 28, and Ryan Collins, 36, pleaded guilty last year to being involved in the celebrity photo hack.

While Herrera is waiting for sentencing next month, Majerczyk was sentenced to nine months in prison and Collins was sentenced to 18 months last year.

The investigation into the Celebgate scandal is being conducted by the U.S. Federal Bureau of Investigation.

Password Stealing Apps With Over A Million Downloads Found On Google Play Store

google-playstore-malware

Even after so many efforts by Google like launching bug bounty program and preventing apps from using Android accessibility services, malicious applications somehow manage to get into Play Store and infect people with malicious software.

The same happened once again when security researchers discovered at least 85 applications in Google Play Store that were designed to steal credentials from users of Russian-based social network VK.com and were successfully downloaded millions of times.

The most popular of all masqueraded as a gaming app with more than a million downloads. When this app was initially submitted in March 2017, it was just a gaming app without any malicious code, according to a blog post published Tuesday by Kaspersky Lab.

However, after waiting for more than seven months, the malicious actors behind the app updated it with information-stealing capabilities in October 2017.

Besides this gaming app, the Kaspersky researchers found 84 such apps on Google Play Store—most of them were uploaded to the Play Store in October 2017 and stealing credentials for VK.com users.

Other popular apps that were highly popular among users include seven apps with between 10,000 and 100,000 installations, nine with between 1,000 and 10,000 installations, and rest of all had fewer than 1,000 installations.

Here’s How Cyber Criminals Steal Your Account Credentials:

The apps used an official SDK for VK.com but slightly modified it with malicious JavaScript code in an effort to steal users’ credentials from the standard login page of VK and pass them back to the apps.

Since these apps looked like they came from VK.com – for listening to music or for monitoring user page visits, requiring a user to login into his/her account through a standard login page did not look suspicious at all.

The stolen credentials were then encrypted and uploaded to a remote server controlled by the attackers.

“The interesting thing is that although most of these malicious apps had a described functionality, a few of them were slightly different—they also used malicious JS code from the OnPageFinished method, but not only for extracting credentials but for uploading them too,” Kaspersky said.

Researchers believe that the cybercriminals use stolen credentials mostly for promoting groups in VK.com, by silently adding users to promote various groups and increase their popularity by doing so, since they received complaints from some infected users that their accounts had been silently added to unknown groups.

The cybercriminals behind these apps had been publishing their malicious apps on the Play Store for more than two years, so all they had to do is modify their apps to evade detection.

Since VK.com is popular mostly among users in CIS countries, the malicious apps were targeting Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Romanian, Belarusian, Kyrgyz, Tajik, and Uzbek users.

The apps did so by first checking the device language and asked for login credentials from users with one of the above-mentioned languages.

In addition, researchers also noted that they found several other apps on Google Play Store that were submitted by the same cyber criminals and published as unofficial clients for the popular messaging app Telegram.

“These apps were not only masquerading as Telegram apps, they were actually built using an open source Telegram SDK and work almost like every other such app,” the researchers said, adding that these apps also add infected users to promoted groups/chats based on a list received from their server.

How to Protect Your Device From Such Malicious Apps

All the apps, including the credential-stealing apps (detected as Trojan-PSW.AndroidOS.MyVk.o) and malicious Telegram clients (detected as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a), have since been removed by Google from the Play Store.

However, those who have already installed one of the above apps on their mobile devices should make sure their devices have Google Play Protect enabled.

Play Protect is Google’s newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users Android smartphones to prevent further harm.

Although it is a never-ending concern, the best way to protect yourself is always to be vigilant when downloading apps from Google’s official Play Store, and always verify app permissions and reviews before you download one.

Moreover, you are strongly advised to always keep a good antivirus app on your mobile device that can detect and block such malicious apps before they can infect your device, and always keep your device and apps up-to-date.

Imgur—Popular Image Sharing Site Was Hacked In 2014; Passwords Compromised

imgur-data-breach

Only after a few days of Uber admitting last year’s data breach of 57 million customers, the popular image sharing site disclosed that it had suffered a major data breach in 2014 that compromised email addresses and passwords of 1.7 million user accounts.

In a blog post published on Friday, Imgur claimed that the company had been notified of a three-year-old data breach on November 23 when a security researcher emailed the company after being sent the stolen data.

Imgur Chief Operating Officer (COO) then alerted the company’s founder and the Vice President of Engineering to the issue before began working to validate that the data belonged to Imgur users.

After completing the data validation, the company confirmed Friday morning that the 2014 data breach impacted approximately 1.7 million Imgur user accounts (a small fraction of its 150 million user base) and that the compromised information included only email addresses and passwords.

Since Imgur has never asked for people’s real names, phone numbers, addresses, or any other personally-identifying information (PII), no other personal information was allegedly exposed in the data breach.

The company also said that the stolen passwords were scrambled with older SHA-256 hashing algorithm—which can be easily cracked using brute force attacks.

However, Imgur’s COO Roy Sehgal said the website had already moved from SHA-256 to much stronger bcrypt password scrambler last year.

“We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time,” the image sharing service said. “We updated our algorithm to the new bcrypt algorithm last year.”

The company has begun notifying affected users along with enforcing a password change.

Moreover, those using the same email address and password combination across multiple sites and applications are also advised to change those details as well.

It’s still known how this incident occurred and went unnoticed for roughly three years. Imgur is still actively investigating the hacking intrusion and will be sharing details as soon as they become available.

Security expert Troy Hunt who notified Imgur of the incident praised the company for its swift response to the breach notification and disclosure of the data breach.

“I want to recognise @imgur’s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!” Hunt tweeted. 

“This is really where we’re at now: people recognise that data breaches are the new normal and they’re judging organizations not on the fact that they’ve had one, but on how they’ve handled it when it happened.”

Imgur is yet another company in a series of security breaches that took place years ago but have only come to light in 2017. Other companies revealing previously-occurred major breaches years after included Yahoo, Uber, LinkedIn, Disqus, and MySpace.

BankBot Returns On Play Store – A Never Ending Android Malware Story

android-bankbot-malware

Even after so many efforts by Google for making its Play Store away from malware, shady apps somehow managed to fool its anti-malware protections and infect people with malicious software.

A team of researchers from several security firms has uncovered two new malware campaigns targeting Google Play Store users, of which one spreads a new version of BankBot, a persistent family of banking Trojan that imitates real banking applications in efforts to steal users’ login details.

BankBot has been designed to display fake overlays on legitimate bank apps from major banks around the world, including Citibank, WellsFargo, Chase, and DiBa, to steal sensitive information, including logins and credit card details.

With its primary purpose of displaying fake overlays, BankBot has the ability to perform a broad range of tasks, such as sending and intercepting SMS messages, making calls, tracking infected devices, and stealing contacts.

Google removed at least four previous versions of this banking trojan from its official Android app store platform earlier this year, but BankBot apps always made their ways to Play Store, targeting victims from major banks around the world.

The second campaign spotted by researchers not only spreads the same BankBot trojan as the first campaign but also Mazar and Red Alert. This campaign has been described in detail on ESET blog.

According to an analysis performed by the mobile threat intelligence team at Avast in collaboration with ESET and SfyLabs, the latest variant of BankBot has been hiding in Android apps that pose as supposedly trustworthy, innocent-looking flashlight apps.

First spotted by the researchers on 13 October, the malicious BankBot apps uses special techniques to circumvent Google’s automated detection checks, such as starting malicious activities 2 hours after the user gave device admin rights to the app and publishing the apps under different developer names.

After tricking victims into downloading them, the malicious apps check for the applications that are installed on the infected device against a hard-coded, list of 160 mobile apps.

According to the researchers, this list includes apps from Wells Fargo and Chase in the U.S., Credit Agricole in France, Santander in Spain, Commerzbank in Germany and many other financial institutions from around the world.

If it finds one or more apps on the infected smartphone, the malware downloads and installs the BankBot APK from its command-and-control server on the device, and tries to trick the victim into giving it administrator rights by pretending to be a Play Store or system update using a similar icon and package name.

Once it gets the admin privileges, the BankBot app displays overlay on the top of legitimate apps whenever victims launch one of the apps from the malware’s list and steal whatever banking info the victim’s types on it.

The Avast Threat Labs has also provided a video demonstration while testing this mechanism with the app of the local Czech Airbank. You can see how the app creates an overlay within milliseconds and tricks the user into giving out their bank details to criminals.

Since many banks use two-factor-authentication methods for secure transactions, BankBot includes functionality that allows it to intercept text messages, allowing criminals behind BankBot to steal mobile transaction number (mTAN) sent to the customer’s phone and transfer money to their accounts.

Here’s one important thing to note is that Android mechanism blocks apps installation from outside the Play Store. Even if you have already permitted installation from unknown sources, Google still requires you to press a button to continue such installations.

“Unlike this newer version of BankBot, droppers from previous campaigns were far more sophisticated,” the researchers note. “They applied techniques such as performing clicks in the background via an Accessibility Service to enable the installation from unknown sources.”

The latest BankBot version does not utilize this Accessibility Service feature due to Google’s recent move of blocking this feature for all applications, except those designed to provide services for the blind.

Google has already removed all recently-discovered BankBot apps after being notified by the researchers.

Although it is a never-ending concern, the best way to protect yourself is always to be vigilant when downloading apps even from Google’s official Play store. So, always verify app permissions and reviews before downloading an app from Google Play Store.

Even though the BankBot apps made it way into the Play Store, its payload was downloaded from an external source. So, don’t allow any unknown third-party APK to be installed on your smartphone.

To do so, Go to Settings → Security and then Turn OFF “Allow installation of apps from sources other than the Play Store.”

Most importantly, be careful which apps you give administrative rights to, as it is powerful and can provide a full app control of your device.

Another Shady App Found Pre-Installed on OnePlus Phones that Collects System Logs

oneplus-logkit-app

The OnePlus Saga Continues…

Just a day after the revelation of the hidden Android rooting backdoor pre-installed on most OnePlus smartphones, a security researcher just found another secret app that records tons of information about your phone.

Dubbed OnePlusLogKit, the second pre-installed has been discovered by the same Twitter user who goes by the pseudonym “Elliot Alderson” and discovered the controversial “EngineerMode” diagnostic testing application that could be used to root OnePlus devices without unlocking the bootloader.

OnePlusLogKit is a system-level application that is capable of capturing a multitude of things from OnePlus smartphones, including:

  • Wi-Fi, NFC, Bluetooth, and GPS location logs,
  • Modem signal and data logs, hot and power issue logs,
  • list of the running processes, list of running service and battery status,
  • media databases, including all your videos and images saved on the device.

Unlike EngineerMode (which was found on devices by several manufacturers including HTC, Samsung, LG, Sony, Huawei, and Motorola), the OnePlusLogKit application (decompiled APK) most certainly is present only in OnePlus devices.

Since OnePlusLogKit is disabled by default, the attacker would require access to the victim’s smartphone to enable it.

With the physical access to the targeted smartphone, one can quickly enable it by dialing *#800# → “oneplus Logkit” → enable “save log,” or one can use social engineering to get the owner of the device to do it themselves.

Once enabled, any other application installed on your device can collect the logged information (stored unencrypted in the /sdcard/oem_log/ folder) remotely without requiring user interaction.

Although the app in question has been designed for device manufacturers and engineers to log the events/activities to diagnose system issues, the amount of information collected here could also be used for nefarious purposes.

OnePlus has yet to comment on this latest issue, while the Chinese company did not see the previous EngineerMode diagnostic tool as a major security issue, although it promised to remove the adb root function in the upcoming OxygenOS update.

“While it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges,” the OnePlus spokesperson said in a statement.

“Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.”

Qualcomm, who was believed to be the creator of the EngineerMode APK, also responded to allegations, saying that there are traces of source code from their original app, but the current APK found on devices from various manufacturers has been modified by someone else.

“After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm,” Qualcomm claims.

“Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided.”

Meanwhile, another security researcher has released an Android application to root OnePlus phones quickly by using the backdoor discovered in EngineerMode.

OnePlus Left A Backdoor That Allows Root Access Without Unlocking Bootloader

oneplus-root-backdoor

Another terrible news for OnePlus users.

Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets.

A Twitter user, who goes by the name “Elliot Anderson” (named after Mr. Robot’s main character), discovered a backdoor (an exploit) in all OnePlus devices running OxygenOS that could allow anyone to obtain root access to the devices.

The application in question is “EngineerMode,” a diagnostic testing application made by Qualcomm for device manufacturers to easily test all hardware components of the device.

This APK comes pre-installed (accidentally left behind) on most OnePlus devices, including OnePlus 2, 3, 3T, and the newly-launched OnePlus 5. We can confirm its existence on the OnePlus 2, 3 and 5.

You can also check if this application is installed on your OnePlus device or not. For this, simply go to settings, open apps, enable show system apps from top right corner menu (three dots) and search for EngineerMode.APK in the list.

oneplus

If it’s there, anyone with physical access to your device can exploit EngineerMode to gain root access on your smartphone.

EngineerMode has been designed to diagnose issues with GPS, check the root status of the device, perform a series of automated ‘production line’ tests, and many more.

After decompiling the EngineerMod APK, the Twitter user found ‘DiagEnabled’ activity, which if opened with a specific password (It is “Angela”, found after reverse engineering) allows users to gain full root access on the smartphone—without even unlocking the bootloader.

Although the chance of this application already being exploited in the wild is probably low, it seems to be a serious security concern for OnePlus users as root access can be achieved by anyone using a simple command.

root-oneplus-android-phone

Moreover, with root access in hands, an attacker can perform lots of dangerous tasks on victim’s OnePlus phone, including stealthy installing sophisticated spying malware, which is difficult to detect or remove.

Meanwhile, in order to protect themselves and their devices, OnePlus owners can simply disable root on their phones. To do so, run following command on ADB shell:

“setprop persist.sys.adb.engineermode 0” and “setprop persist.sys.adbroot 0” or call code *#8011#

In response to this issue, OnePlus co-founder Carl Pei said that the company is looking into the matter.

The Twitter user has promised to release a one-click rooting app for OnePlus devices using this exploit. We will update the article as soon as it is available.

Apple iPhone X’s Face ID Hacked (Unlocked) Using 3D-Printed Mask

apple-iphone-face-id-unlocked-hacked

Just a week after Apple released its brand new iPhone X on November 3, a team of hackers has claimed to successfully hack Apple’s Face ID facial recognition technology with a mask that costs less than $150.

Yes, Apple’s “ultra-secure” Face ID security for the iPhone X is not as secure as the company claimed during its launch event in September this year.

“Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID,” Apple’s senior VP of worldwide marketing Phil Schiller said about Face ID system during the event.

“These are actual masks used by the engineering team to train the neural network to protect against them in Face ID.”

However, the bad news is that researchers from Vietnamese cybersecurity firm Bkav were able to unlock the iPhone X using a mask.

Yes, Bkav researchers have a better option than holding it up to your face while you sleep.

Bkav researchers re-created the owner’s face through a combination of 3D printed mask, makeup, and 2D images with some “special processing done on the cheeks and around the face, where there are large skin areas” and the nose is created from silicone.

The researchers have also published a proof-of-concept video, showing the brand-new iPhone X first being unlocked using the specially constructed mask, and then using the Bkav researcher’s face, in just one go.

“Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it,” an FAQ on the Bkav website said.

“You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.”

Researchers explain that their “proof-of-concept” demo took about five days after they got iPhone X on November 5th. They also said the demo was performed against one of their team member’s face without training iPhone X to recognize any components of the mask.

“We used a popular 3D printer. The nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition 9 years ago). The skin was also hand-made to trick Apple’s AI,” the firm said.

The security firm said it cost the company around $150 for parts (which did not include a 3D printer), though it did not specify how many attempts its researchers took them to bypass the security of Apple’s Face ID.

It should be noted that creating such a mask to unlock someone’s iPhone is a time-consuming process and it is not possible to hack into a random person’s iPhone.

However, if you prefer privacy and security over convenience, we highly recommend you to use a passcode instead of fingerprint or Face ID to unlock your phone.

Vault 8: WikiLeaks Releases Source Code For Hive – CIA’s Malware Control System

Almost two months after releasing details of 23 different secret CIA hacking tool projects under Vault 7 series, Wikileaks today announced a new Vault 8 series that will reveal source codes and information about the backend infrastructure developed by the CIA hackers.

Not just announcement, but the whistleblower organisation has also published its first batch of Vault 8 leak, releasing source code and development logs of Project Hive—a significant backend component the agency used to remotely control its malware covertly.

In April this year, WikiLeaks disclosed a brief information about Project Hive, revealing that the project is an advanced command-and-control server (malware control system) that communicates with malware to send commands to execute specific tasks on the targets and receive exfiltrated information from the target machines.

Hive is a multi-user all-in-one system that can be used by multiple CIA operators to remotely control multiple malware implants used in different operations.

Hive’s infrastructure has been specially designed to prevent attribution, which includes a public facing fake website following multi-stage communication over a Virtual Private Network (VPN).

“Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet,” WikiLeaks says.

As shown in the diagram, the malware implants directly communicate with a fake website, running over commercial VPS (Virtual Private Server), which looks innocent when opened directly into the web browser.

CIA Malware Hive

However, in the background, after authentication, the malware implant can communicate with the web server (hosting fake website), which then forwards malware-related traffic to a “hidden” CIA server called ‘Blot’ over a secure VPN connection.

The Blot server then forwards the traffic to an implant operator management gateway called ‘Honeycomb.’

In order to evade detection by the network administrators, the malware implants use fake digital certificates for Kaspersky Lab.

“Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities,” WikiLeaks says. 

“The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town.”

The whistleblowing organisation has released the source code for Project Hive which is now available for anyone, including investigative journalists and forensic experts, to download and dig into its functionalities.

The source code published in the Vault 8 series only contains software designed to run on servers controlled by the CIA, while WikiLeaks assures that the organisation will not release any zero-day or similar security vulnerabilities which could be abused by others.

New Rapidly-Growing IoT Botnet Threatens to Take Down the Internet

Just a year after Mirai—biggest IoT-based malware that caused vast Internet outages by launching massive DDoS attacks—completed its first anniversary, security researchers are now warning of a brand new rapidly growing IoT botnet.

Dubbed ‘IoT_reaper,’ first spotted in September by researchers at firm Qihoo 360, the new malware no longer depends on cracking weak passwords; instead, it exploits vulnerabilities in various IoT devices and enslaves them into a botnet network.

IoT_reaper malware currently includes exploits for nine previously disclosed vulnerabilities in IoT devices from following manufactures:

  • Dlink (routers)
  • Netgear (routers)
  • Linksys (routers)
  • Goahead (cameras)
  • JAWS (cameras)
  • AVTECH (cameras)
  • Vacron (NVR)

Researchers believe IoT_reaper malware has already infected nearly two million devices and growing continuously at an extraordinary rate of 10,000 new devices per day.

This is extremely worrying because it took only 100,000 infected devices for Mirai to took down DNS provider Dyn last year using a massive DDoS attack.

Besides this, researchers noted that the malware also includes more than 100 DNS open resolvers, enabling it to launch DNS amplification attacks.

Currently, this botnet is still in its early stages of expansion. But the author is actively modifying the code, which deserves our vigilance.” Qihoo 360 researchers say.

Meanwhile, researchers at CheckPoint are also warning of probably same IoT botnet, named “IoTroop,” that has already infected hundreds of thousands of organisations.

“It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organisations make proper preparations and defence mechanisms are put in place before attack strikes.” researchers said.

According to CheckPoint, IoTroop malware also exploits vulnerabilities in Wireless IP Camera devices from GoAhead, D-Link, TP-Link, AVTECH, Linksys, Synology and others.

At this time it is not known who created this and why, but the DDoS threat landscape is skyrocketing and could reach tens of terabits-per-second in size.

“Our research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come.” CheckPoint researchers warned.

You need to be more vigilant about the security of your smart devices. In our previous article, we have provided some essential, somewhat practical, solutions to protect your IoT devices.

Also Read: How Drones Can Find and Hack Internet-of-Things Devices From the Sky.