Unit 42 researchers suspect Ewind adware Trojan is 100% Russian

18 Apr 2017

The Android Ewind family has just become a little bigger, after Unit 42 researchers discovered multiple new samples of the family.

According to the Unit 42 blog, the threat actors use a simple approach to distribute the adware: they download legitimate Android apps, repackage them with malicious routines and then redistribute the apps on their own Russian-language Android application websites.

So far apps that have been hit include Avast! Ransomware Removal, Opera Mobile, AVG cleaner, VKontakte and consumer games such as GTA Vice City and Minecraft - Pocket Edition.

Researchers believe that although Ewind is predominantly focused on delivering advertising on the victim’s device, it can also collect device data and forward SMS messages on to the attacker.

“The functionality to forward SMS messages to a C2 hints at possible intentions beyond just delivering adware. Of real concern is that although we’ve only observed these Trojans being used to deliver advertising to victims, as our analysis shows, with device-admin access and the functionality to download and execute any file on the device, the actor behind this activity can easily take full control of the victim device,” the blog says.

They also warn that the Trojan could potentially allow full remote access to the infected device.

Of particular significance is the fact that the threat actor is not only developing malware for monetisation, but also maintaining an Android App Store infrastructure that is being used to serve downloads that support monetisation.

Initially, researchers did not see any connection between the threat actor and the sites the infected apps were hosted on. They say that actors often upload Trojanised apps to websites that enable sharing of ‘cracked’ apps, but for the Ewind family there is a stronger connection.
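The indicators the article describes (legitimate apps repackaged and served from third-party sites rather than the official store, device-admin access, SMS forwarding to a C2, and the ability to download and execute files) can be turned into a triage check over installed-app inventory data. The following is an added example, not Unit 42's code or anything taken from the blog; the package names, signer fingerprints and permission sets are constructed, and the `InstalledApp` record stands in for whatever a mobile-management tool exports per device.

```python
"""Triage installed-app metadata for Ewind-style repackaging indicators."""
from dataclasses import dataclass, field
from typing import Dict, List

# Real Android permission names; the combinations flagged below mirror the
# capabilities the article attributes to the Trojan.
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
READ_SMS = "android.permission.READ_SMS"
INTERNET = "android.permission.INTERNET"
REQUEST_INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
PLAY_STORE = "com.android.vending"  # installer package name of Google Play


@dataclass
class InstalledApp:
    """One row of a hypothetical device inventory export."""
    package: str
    signer_sha256: str              # SHA-256 fingerprint of the APK signing cert
    installer: str                  # package that installed the app; "" = sideloaded
    permissions: List[str] = field(default_factory=list)
    device_admin: bool = False      # app declares a device-admin receiver


def triage(app: InstalledApp, known_signers: Dict[str, str]) -> List[str]:
    """Return the list of indicators raised by one app (empty list = clean)."""
    findings: List[str] = []
    perms = set(app.permissions)

    # 1. Repackaging: a well-known package whose signing cert is not the
    #    publisher's. A trojanised copy cannot carry the original signature.
    expected = known_signers.get(app.package)
    if expected is not None and app.signer_sha256.lower() != expected.lower():
        findings.append("signer-mismatch")

    # 2. Distribution channel: the article's samples came from third-party
    #    app sites, i.e. sideloaded, not from the official store.
    if app.installer != PLAY_STORE:
        findings.append("sideloaded")

    # 3. Capability combinations: device admin plus SMS access, and device
    #    admin plus the ability to fetch and install further packages.
    if app.device_admin and (perms & {RECEIVE_SMS, READ_SMS}):
        findings.append("device-admin+sms")
    if app.device_admin and INTERNET in perms and REQUEST_INSTALL in perms:
        findings.append("device-admin+fetch-and-install")
    return findings


def scan(apps: List[InstalledApp], known_signers: Dict[str, str]) -> Dict[str, List[str]]:
    """Map package name -> findings for every app that raised at least one."""
    report: Dict[str, List[str]] = {}
    for app in apps:
        findings = triage(app, known_signers)
        if findings:
            report[app.package] = findings
    return report


# Constructed allowlist: package -> expected signer fingerprint (placeholders).
KNOWN_SIGNERS = {
    "com.example.cleaner": "11" * 32,
    "com.example.browser": "22" * 32,
}

# Constructed inventory: a genuine install, a repackaged copy, and an unknown app.
SAMPLE_APPS = [
    InstalledApp("com.example.browser", "22" * 32, PLAY_STORE,
                 [INTERNET]),
    InstalledApp("com.example.cleaner", "ab" * 32, "",
                 [INTERNET, RECEIVE_SMS, REQUEST_INSTALL], device_admin=True),
    InstalledApp("com.example.notes", "cd" * 32, "",
                 [INTERNET]),
]

if __name__ == "__main__":
    for package, findings in scan(SAMPLE_APPS, KNOWN_SIGNERS).items():
        print(package, ", ".join(findings))
```

The signer check only works for packages present in the allowlist, so an unknown package sideloaded from a third-party site raises just the distribution indicator; that is deliberate, since a fingerprint the defender has never recorded proves nothing either way.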

Unit 42 researchers said that the applications, injected advertising and the attackers are all Russian.

“While identifying a Malware author as Russian is not at all surprising, usually Russian actors avoid targeting Russian subjects. Deliberate targeting of Russians, in this case – by an apparently Russian actor – is therefore somewhat unusual,” the blog says.
