
Unit 42 researchers suspect Ewind adware Trojan is 100% Russian

18 Apr 2017

The Android Ewind family has just become a little bigger, after Unit 42 researchers discovered multiple new samples of the family.

According to the Unit 42 blog, threat actors are using a simple approach to distribute the adware: they download legitimate Android apps, repackage them with malicious routines and then redistribute the apps on their own Russian-language Android application websites.

So far apps that have been hit include Avast! Ransomware Removal, Opera Mobile, AVG cleaner, VKontakte and consumer games such as GTA Vice City and Minecraft - Pocket Edition.
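Because the attackers cannot sign a repackaged app with the original developer's key, the signing certificate is the most reliable tell-tale of the distribution method described above. The following is an added defensive example, not code from the article or from Unit 42: it extracts the signer certificate from an APK's JAR (v1) signature block in META-INF, hashes it, and compares the result against a known-good fingerprint for that package. The APKs, certificates and package names are constructed inline for the demonstration; the SHA-256 computed here is the same "certificate SHA-256 digest" that Android's apksigner reports, so a real allowlist can be built from that tool's output. The minimal DER walker assumes definite-length encoding, which is what PKCS#7 signature blocks use.

```python
import hashlib
import io
import zipfile

# --- minimal DER helpers (assumption: definite-length encodings only) ---
def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    """Build one DER TLV."""
    return bytes([tag]) + der_len(len(payload)) + payload

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def der_children(payload):
    """Yield (tag, value, raw_tlv) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(payload):
        tag, val, nxt = der_read(payload, pos)
        yield tag, val, payload[pos:nxt]
        pos = nxt

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

# --- constructed sample artefacts (stand-ins for real certificates/APKs) ---
def build_cert(name):
    """Constructed placeholder for an X.509 Certificate SEQUENCE."""
    return der(0x30, der(0x13, name.encode()))

def build_pkcs7(cert_name):
    """Constructed PKCS#7 SignedData as found in META-INF/CERT.RSA."""
    signed_data = der(0x30,
        der(0x02, b"\x01")                      # version
        + der(0x31, b"")                        # digestAlgorithms (empty here)
        + der(0x30, der(0x06, OID_DATA))        # contentInfo
        + der(0xA0, build_cert(cert_name))      # [0] IMPLICIT certificates
        + der(0x31, b""))                       # signerInfos (empty here)
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))

def build_apk(package, cert_name):
    """Constructed APK: a zip with a manifest, a dex stub and a v1 signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", f"<manifest package='{package}'/>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
        z.writestr("META-INF/CERT.RSA", build_pkcs7(cert_name))
    return buf.getvalue()

# --- the check itself ---
def signing_cert_from_pkcs7(blob):
    """Return the raw DER of the first certificate in a SignedData block, or None."""
    _, content_info, _ = der_read(blob)
    kids = list(der_children(content_info))
    if len(kids) < 2 or kids[0][0] != 0x06 or kids[0][1] != OID_SIGNED_DATA:
        return None
    _, signed_data, _ = der_read(kids[1][1])          # unwrap [0] EXPLICIT
    for tag, val, _ in der_children(signed_data):
        if tag == 0xA0:                               # certificates set
            for ctag, _, craw in der_children(val):
                if ctag == 0x30:
                    return craw
    return None

def apk_signer_fingerprint(apk_bytes):
    """SHA-256 of the v1 signer certificate, matching apksigner's digest output."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                cert = signing_cert_from_pkcs7(z.read(name))
                if cert:
                    return hashlib.sha256(cert).hexdigest()
    return None

# Constructed allowlist: package -> fingerprint of the legitimate vendor's certificate.
KNOWN_GOOD = {
    "com.example.vendorapp": hashlib.sha256(build_cert("vendor-key")).hexdigest(),
}

def check_apk(package, apk_bytes):
    """Classify an APK by comparing its signer against the allowlist."""
    fp = apk_signer_fingerprint(apk_bytes)
    if fp is None:
        return "unsigned"
    expected = KNOWN_GOOD.get(package)
    if expected is None:
        return "unknown-package"
    return "ok" if fp == expected else "REPACKAGED"

if __name__ == "__main__":
    print(check_apk("com.example.vendorapp", build_apk("com.example.vendorapp", "vendor-key")))
    print(check_apk("com.example.vendorapp", build_apk("com.example.vendorapp", "repackager-key")))
```

Only the JAR (v1) signature block is examined; apps signed solely with APK Signature Scheme v2 or later keep their certificate in the APK Signing Block instead, so a production check should also consult apksigner's output. The point of the comparison is that a repackaged copy of a well-known app will always fail it, however convincing the rest of the package looks.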

Researchers believe that although Ewind is predominantly focused on delivering advertising on the victim’s device, it can also collect device data and forward SMS messages on to the attacker.

“The functionality to forward SMS messages to a C2 hints at possible intentions beyond just delivering adware. Of real concern is that although we’ve only observed these Trojans being used to deliver advertising to victims, as our analysis shows, with device-admin access and the functionality to download and execute any file on the device, the actor behind this activity can easily take full control of the victim device,” the blog says.

They also warn that the Trojan could potentially allow full remote access to the infected device.

Of particular significance is the fact that the threat actor is not only developing malware for monetisation, but also maintaining an Android App Store infrastructure that is being used to serve downloads that support monetisation.

Initially, researchers did not see any connection between the threat actor and the sites the infected apps were hosted on. They say that actors often upload Trojanised apps to websites that enable sharing of ‘cracked’ apps, but for the Ewind family, there is a stronger connection.

Unit 42 researchers said that the applications, injected advertising and the attackers are all Russian.

“While identifying a malware author as Russian is not at all surprising, usually Russian actors avoid targeting Russian subjects. Deliberate targeting of Russians, in this case – by an apparently Russian actor – is therefore somewhat unusual,” the blog says.
