Unit 42 researchers suspect Ewind adware Trojan is 100% Russian

18 Apr 17

The Android Ewind family has just become a little bigger, after Unit 42 researchers discovered multiple new samples of the family.

According to the Unit 42 blog, the threat actors are using a simple approach to distribute the adware: they download legitimate Android apps, repackage them with malicious routines, and then redistribute the modified apps on their own Android application websites aimed at Russian-language users.

So far apps that have been hit include Avast! Ransomware Removal, Opera Mobile, AVG cleaner, VKontakte and consumer games such as GTA Vice City and Minecraft - Pocket Edition.

Researchers believe that although Ewind is predominantly focused on delivering advertising on the victim’s device, it can also collect device data and forward SMS messages on to the attacker.

“The functionality to forward SMS messages to a C2 hints at possible intentions beyond just delivering adware. Of real concern is that although we’ve only observed these Trojans being used to deliver advertising to victims, as our analysis shows, with device-admin access and the functionality to download and execute any file on the device, the actor behind this activity can easily take full control of the victim device,” the blog says.

They also warn that the Trojan could potentially give the attacker full remote access to the infected device.
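The capabilities the article attributes to Ewind (device-admin access, SMS forwarding, and network access used to fetch and run further files) are visible in an app's manifest before the app is ever installed. The following is an added triage example, not code from the Unit 42 post or from this article: it scans a decoded `AndroidManifest.xml` (as produced by apktool, for instance) for that combination and flags it for analyst review. The two manifests embedded in the block are constructed samples, and the package names and heuristic thresholds are assumptions for illustration.

```python
# Added example: static triage of a decoded Android manifest for the
# capability combination described in the Ewind coverage. It does not
# prove an app is malicious; it ranks it for closer inspection.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission and action strings (not page-specific values).
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERMS = {"android.permission.INTERNET"}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the flagged capabilities and whether their combination is suspicious."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}

    # A device-admin receiver is declared either through the BIND_DEVICE_ADMIN
    # permission on the receiver or through the DEVICE_ADMIN_ENABLED action.
    wants_device_admin = False
    for recv in root.iter("receiver"):
        if recv.get(PERMISSION) == DEVICE_ADMIN_PERM:
            wants_device_admin = True
        for action in recv.iter("action"):
            if action.get(NAME) == DEVICE_ADMIN_ACTION:
                wants_device_admin = True

    findings = []
    if wants_device_admin:
        findings.append("device-admin")
    if perms & SMS_PERMS:
        findings.append("sms-access")
    if perms & NET_PERMS:
        findings.append("network")

    # Any single item is common in legitimate apps; the combination of all
    # three matches the behaviour described for Ewind and is what we flag.
    suspicious = {"device-admin", "sms-access", "network"} <= set(findings)
    return {"package": root.get("package"), "findings": findings, "suspicious": suspicious}


# Constructed sample: a repackaged game manifest with the full combination.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.repacked.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="{DEVICE_ADMIN_PERM}">
      <intent-filter><action android:name="{DEVICE_ADMIN_ACTION}"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary online game that only needs network access.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.clean.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

In practice the manifest is one input among several: comparing the repackaged APK's signing certificate against the original developer's certificate is the more decisive check for the "legitimate app, re-signed by someone else" pattern the article describes, and this permission heuristic is best used to prioritise which samples get that deeper look.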

Of particular significance is the fact that the threat actor is not only developing malware for monetisation, but also maintaining an Android App Store infrastructure that is being used to serve downloads that support monetisation.

Initially, researchers did not see any connection between the threat actor and the sites the infected apps were hosted on. They say that actors often upload Trojanised apps to websites that enable sharing of ‘cracked’ apps, but for the Ewind family the connection is stronger.

Unit 42 researchers said that the applications, injected advertising and the attackers are all Russian.

“While identifying a malware author as Russian is not at all surprising, usually Russian actors avoid targeting Russian subjects. Deliberate targeting of Russians, in this case – by an apparently Russian actor – is therefore somewhat unusual,” the blog says.