Cyware Daily Threat Intelligence, April 23, 2019

Cybercriminals are increasingly leveraging fake and malicious apps to steal users’ personal data or generate profits. Lately, security experts have uncovered a massive ad-fraud campaign that is conducted via six fake apps that promise to boost the performance of Android phones. The campaign is used to distribute ‘PreAMo’ malware that is capable of generating revenue for the attackers. In total, 90 million Android phones have been found to be affected by the campaign.

In another major incident involving personal data, an app named ‘Wi-Fi Finder’ has exposed two million Wi-Fi network passwords due to a misconfigured database. Apart from passwords, the database also contained each Wi-Fi network’s precise geolocation and Basic Service Set Identifier (BSSID). It is believed that a majority of the exposed Wi-Fi passwords belong to networks in the US. Upon learning of the exposure, the firm took the server hosting the database offline.

In another data leak, an unprotected ElasticSearch database has exposed legal documents and contracts of a startup named Evisort. The exposed information includes several non-disclosure and loan agreements.

Top Breaches Reported in the Last 24 Hours

Wi-Fi Finder exposes passwords
The Wi-Fi Finder app has exposed 2 million Wi-Fi network passwords due to an unprotected database. The leaky database also contained each Wi-Fi network’s name, its precise geolocation and Basic Service Set Identifier (BSSID). Researchers discovered that the passwords were stored in the database in plaintext. Although the number of affected users is unknown, it is believed that tens of thousands of the exposed Wi-Fi passwords belong to networks based in the US.

Evisort leaks confidential data
An ElasticSearch database without a password has exposed several sensitive documents belonging to a startup named Evisort. The documents exposed in the incident include many non-disclosure agreements that were made between Evisort and Samsung. The database also contains many files related to employee contracts, loan agreements and resumes.

Bodybuilding[.]com data breach
Bodybuilding[.]com has disclosed that it has been affected by a data breach. The firm learned of the unauthorized access after it detected abnormal activity on an employee’s email account in February 2019. The unauthorized activity was traced to a phishing email its staff received in July 2018. The firm has notified users about the incident and is working on enhancing the security of its systems.

Top Malware Reported in the Last 24 Hours

PreAMo malware
Security researchers have come across a new ad-fraud campaign that is used to generate revenue for its operators. The attackers are distributing ‘PreAMo’ malware via six fake apps that promise to boost the performance of Android phones. A total of 90 million Android phones have been affected by the campaign.

Carbanak source code available
The source code of the Carbanak trojan went unnoticed for two years on VirusTotal. Security researchers from FireEye uncovered two archives on the malware scanning portal and made them public today. The malware is associated with the infamous FIN7 threat actor, also known as Carbanak, Anunak or the Cobalt Group. The cybercriminal group has used the malware to steal more than $1.2 million from banks and financial institutions.

Software supply chain attacks
Cybercriminals are increasingly leveraging compromised servers and tampered code to launch software supply chain attacks. Four prominent methods used to execute such attacks have been observed in the wild. One of them involves injecting malicious code into C/C++ compiler runtime libraries. Other, less intrusive methods include deploying a benign updated version on a compromised server and repackaging legitimate software with a malicious implant.

Top Vulnerabilities Reported in the Last 24 Hours

Nokia releases update
Nokia has released a security update to fix a bug in Nokia 9 PureView handsets. The bug allowed an unregistered fingerprint to bypass the model’s in-screen fingerprint scanner. The issue came to light after users updated the OS to version 4.22, released on April 18. That update was meant to improve the phone’s fingerprint scanning quality. However, it did not work as the company expected and allowed unauthorized users to unlock anyone’s phone. Until a fix to the bug is released, users are advised to switch to other modes of authentication such as facial recognition, a PIN code or a password.

Flaws in Social Warfare plugin
Two vulnerabilities in the Social Warfare plugin have been spotted being exploited in the wild. Both vulnerabilities are tracked as CVE-2019-9978 and affect all versions of Social Warfare prior to 3.5.3. One is a stored cross-site scripting (XSS) vulnerability; the other is a remote code execution vulnerability. A security patch addressing these vulnerabilities was released on March 21, 2019.

Top Scams Reported in the Last 24 Hours

BestVPN[.]com dupes users
TheBestVPN[.]com has tricked users into helping it become one of the biggest platforms for VPN reviews on Google. The site leveraged fake identities to increase its visibility on Google. The site is said to have been created by a man named John Mason and claims to offer honest, in-depth and transparent reviews from real users. However, after an extensive analysis, it was found that the site’s purported creator does not exist. Further digging into the site reveals that BestVPN[.]com’s privacy policy is run by a company called ‘Godmode OU’, which is registered in Estonia and run by someone named Robert Mardisalu. Godmode OU has also registered two more websites, Hostingfacts[.]com and Websitesetup[.]org, both of which use fake personas.

Posted on: April 23, 2019