Unit 42 researchers suspect Ewind adware Trojan is 100% Russian

18 Apr 2017

The Android Ewind family has just become a little bigger, after Unit 42 researchers discovered multiple new samples of the family.

According to the Unit 42 blog, the threat actors use a simple approach to distribute the adware: they download legitimate Android apps, repackage them with malicious routines, and then redistribute the modified apps on their own Android app download websites aimed at Russian-speaking users.

So far apps that have been hit include Avast! Ransomware Removal, Opera Mobile, AVG cleaner, VKontakte and consumer games such as GTA Vice City and Minecraft - Pocket Edition.

Researchers believe that although Ewind is predominantly focused on delivering advertising on the victim’s device, it can also collect device data and forward SMS messages on to the attacker.

“The functionality to forward SMS messages to a C2 hints at possible intentions beyond just delivering adware. Of real concern is that although we’ve only observed these Trojans being used to deliver advertising to victims, as our analysis shows, with device-admin access and the functionality to download and execute any file on the device, the actor behind this activity can easily take full control of the victim device,” the blog says.

They also warn that the Trojan could potentially allow full remote access to the infected device.
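The capability combination described above (SMS access, device-admin registration, the ability to fetch and install further packages, and network access) is visible in an app's decoded AndroidManifest.xml before any code is run. The script below is an added defensive triage example, not Unit 42's tooling or anything from the Ewind analysis; the two manifests it inspects are constructed for illustration, and the package and receiver names in them are hypothetical. It flags a manifest for review when several of these capabilities appear together, which is a useful first filter when vetting apps pulled from third-party download sites.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for the capability
combination described in the article: SMS access, a device-admin receiver,
package-installation rights and network access.

Added example for defenders, not Unit 42 code. The manifests below are
constructed; package and class names are hypothetical placeholders.
"""
import xml.etree.ElementTree as ET

# Real Android manifest namespace; android:* attributes are keyed by it.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission groups that, combined, give the kind of control described.
INDICATORS = {
    "sms_access": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
    "network": {"android.permission.INTERNET"},
    "install_packages": {
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.INSTALL_PACKAGES",
    },
}


def _attr(element, name):
    """Read an android:<name> attribute from a manifest element."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def assess_manifest(xml_text):
    """Return the matched indicators and a coarse verdict for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = {key: sorted(perms & names) for key, names in INDICATORS.items()}

    # A device-admin component is a <receiver> guarded by BIND_DEVICE_ADMIN
    # that listens for DEVICE_ADMIN_ENABLED; record its class name.
    admin_receivers = []
    for receiver in root.iter("receiver"):
        if _attr(receiver, "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        for action in receiver.iter("action"):
            if _attr(action, "name") == "android.app.action.DEVICE_ADMIN_ENABLED":
                admin_receivers.append(_attr(receiver, "name"))
    findings["device_admin_receiver"] = admin_receivers

    triggered = [key for key, value in findings.items() if value]
    findings["package"] = root.get("package")
    findings["triggered"] = triggered
    # Three or more of the four capability groups together is worth a look;
    # a single one (e.g. INTERNET alone) is normal for most apps.
    findings["verdict"] = "review" if len(triggered) >= 3 else "low"
    return findings


# Constructed manifest resembling a repackaged utility app (hypothetical names).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Cleaner">
    <receiver android:name="com.example.repackaged.AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plain.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = assess_manifest(manifest)
        print(result["package"], result["verdict"], result["triggered"])
```

The heuristic only ranks manifests for analyst attention; it says nothing about where the app came from. Because the article's samples are legitimate apps repackaged by a third party, the complementary check is to compare the APK's signing certificate with the one the original publisher uses, since a repackaged build cannot carry the publisher's signature.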

Of particular significance is the fact that the threat actor is not only developing malware for monetisation, but also maintaining an Android App Store infrastructure that is being used to serve downloads that support monetisation.

Initially, researchers did not see any connection between the threat actor and the sites the infected apps were hosted on. They say that actors often upload Trojanised apps to websites that enable sharing of ‘cracked’ apps, but for the Ewind family there is a stronger connection.

Unit 42 researchers said that the applications, injected advertising and the attackers are all Russian.

“While identifying a Malware author as Russian is not at all surprising, usually Russian actors avoid targeting Russian subjects. Deliberate targeting of Russians, in this case – by an apparently Russian actor – is therefore somewhat unusual,” the blog says.
