More stories

  • Palo Alto Networks shares jump as FYQ2 results top expectations, raises outlook

    Security technology titan Palo Alto Networks this afternoon reported fiscal Q2 revenue and profit that both topped Wall Street’s expectations, and raised its outlook for the year. The report sent Palo Alto Networks shares up over 5% in late trading. CEO Nikesh Arora remarked that Palo Alto “continued to benefit from strength across our three security platforms, driven by strong cybersecurity demand, organizations architecting for hybrid work and growing their hyperscale cloud footprints.” Added Arora, “On the back of this strength, notably in our next-generation security offerings, we are raising our guidance for the year across revenue, billings, and earnings per share.” CFO Dipak Golechha remarked, “Total shareholder return was at the forefront of our Q2 results as we continued to deliver on accelerated revenue growth and strong cash flow generation as well as returned capital to shareholders.” Revenue in the three months ended in December rose 30%, year over year, to $1.3 billion, yielding a net profit of $1.74 a share, excluding some costs. Analysts had been modeling $1.28 billion and $1.65 per share.

    Palo Alto said its “remaining performance obligation,” a measure of the total value of contracts with customers, rose by 36% to $6.3 billion. For the current quarter, the company sees revenue of $1.345 billion to $1.61 billion, and EPS in a range of $1.65 to $1.68. That compares to consensus for $1.35 billion and a $1.63 profit per share. For the full year, the company sees revenue in a range of $5.425 billion to $5.475 billion, and EPS of $7.23 to $7.30. That is above an outlook offered in November for $5.35 billion to $5.4 billion, and $7.15 to $7.25 per share. The forecast compares to consensus of $5.39 billion and a $7.23 profit per share.


  • Peloton service returns after widespread outage

    Peloton’s outages have ended after a morning of complaints from customers who could not access classes or pages on the web. The problem stopped users from accessing their logins, live classes, on-demand classes, and leaderboards. Peloton users also could not activate their services on Peloton bikes or treadmills.

    We are currently investigating an issue with Peloton services. This may impact your ability to take classes or access pages on the web. We apologize for any impact this may have on your workout and appreciate your patience. Please check https://t.co/Dxcht2tQB0 for updates.— Peloton (@onepeloton) February 22, 2022

    Peloton said the issue began around 10:45 am ET and was resolved by about 2 pm ET, and it took place amid other unexplained outages on Tuesday. Slack also experienced widespread outages, and reports surfaced of problems on other platforms like GitHub. By Tuesday afternoon most services had returned to normal. The Peloton outages came at a time of turmoil for the company, which recently removed co-founder and CEO John Foley, announced about 2,800 layoffs, and canceled plans for a new factory in Ohio. For Q2, Peloton reported a net loss of $439 million on a revenue of $1.14 billion. This pushed its guidance for the full fiscal year down by nearly $1 billion. 

    Despite the lack of positive news, The Wall Street Journal reported that Amazon has expressed interest in acquiring Peloton while The Financial Times said Nike is also interested. The BBC added that Disney, Sony, and Apple have similarly shown interest in Peloton.

  • GitHub calls for contributions to new cybersecurity Advisory Database

    GitHub announced on Tuesday that its Advisory Database for security data is now open to contributions from experts. GitHub senior product manager Kate Catlin explained that the company has teams of security researchers that review all changes and help keep security advisories up to date.

    But with the number of new vulnerabilities and different attack vectors emerging each day, the company believes members of its community may be able to share additional insights and intelligence on CVEs. “GitHub is publishing the full contents of the Advisory Database to make it easier for the community to benefit from this data. We’ve also built a user interface for making contributions… The data is licensed under a Creative Commons license, and has been since the database’s inception, making it forever free and usable by the community,” Catlin said. “The GitHub Advisory Database is the largest database of vulnerabilities in software dependencies in the world. It is maintained by a dedicated team of full-time curators and powers the security audit experience for npm and NuGet, as well as GitHub’s own Dependabot alerts. By making it easier to contribute to and consume, we hope it will power even more experiences and will further help improve the security of all software.” GitHub has built a “suggest improvements for this vulnerability” workflow into security advisories in the database. This allows researchers from GitHub Security Lab and the maintainer of the project who filed the CVE to review your request. The form allows you to suggest changes or to provide more context on packages, affected versions, impacted ecosystems, and more.

    Catlin added that the advisories in the GitHub Advisory Database repository will use the Open Source Vulnerabilities (OSV) format. Oliver Chang, software engineer for Google’s Open Source Security Team, said in order for vulnerability management in open source to scale, security advisories “need to be broadly accessible and easily contributed to by all.” “OSV provides that capability,” Chang said. GitHub repeatedly pushed its users to enable two-factor authentication last year and, in August, announced that it would stop accepting account passwords when authenticating Git operations. The platform began requiring people to use stronger authentication factors like personal access tokens, SSH keys, and OAuth or GitHub App installation tokens for all authenticated Git operations on GitHub.com. In January GitHub announced that two-factor authentication will be available to all users through GitHub Mobile.

  • Billion-dollar logistics giant Expeditors struggling to recover from cyberattack

    Logistics and freight forwarding giant Expeditors International announced a cyberattack on Sunday that crippled some of its operating systems and continues to slow its operations around the globe. The Seattle-based freight company, which brought in $10.1 billion in revenue last year, said it shut down most of its operating systems globally after discovering the cyberattack.

    “The situation is evolving, and we are working with global cybersecurity experts to manage the situation. While our systems are shut down, we will have limited ability to conduct operations, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments,” the company said in a statement. “We are conducting a thorough investigation to ensure that our systems are restored both promptly and securely, and on a parallel track, evaluating ways with our carriers and service providers to mitigate the impact of this event on our customers. Since it is extremely early in the process, we cannot provide any specific projections on when we might be operational. Still, we will provide regular updates when we are able to do so confidently. We are incurring expenses relating to the cyber-attack to investigate and remediate this matter and expect to continue to incur expenses of this nature in the future. Depending on the length of the shutdown of our operations, the impact of this cyber-attack could have a material adverse impact on our business, revenues, results of operations and reputation.” The company did not say whether it was a ransomware attack and did not respond to requests for comment. On Sunday, it said systems may be unavailable as it tries to secure them, noting that “backup procedures are being implemented.” Another update was released on Monday explaining that the company’s global operations were still being affected by the attack. Expeditors said it was working through its crisis management and business continuity response plans but was still struggling to recover. Expeditors has thousands of employees across 350 locations in more than 100 countries. It has become just the latest logistics company to be hit with a cyberattack over the last month.

    Earlier this month, Swiss airport management service Swissport reported a ransomware attack affecting its IT systems that was later attributed to the BlackCat ransomware group. Another cyberattack on two German oil suppliers forced energy giant Shell to reroute oil supplies to other depots over the last month. The German Federal Office for Information Security (BSI) said the BlackCat ransomware group was also behind the incident, which affected 233 gas stations across Germany. Multiple ports in Belgium and the Netherlands reported issues after a cyberattack affecting IT services in early February. Terminals operated by SEA-Tank, Oiltanking, and Evos in Antwerp, Ghent, Amsterdam, and Terneuzen were all dealing with issues related to their operational systems. In a statement to ZDNet, Oiltanking said it “declared force majeure” due to the attacks. A spokesperson from Evos told ZDNet at the time that they were continuing to operate their terminals but were having some delays after the attack disrupted IT services at terminals in Terneuzen, Ghent, and Malta. Prosecutors in Antwerp opened an investigation into the cyberattacks. Billion-dollar German logistics firm Hellmann Worldwide Logistics was also hit with ransomware in December.

  • Slack is down: Messaging app confirms outage for some users

    Slack confirmed widespread outages on Tuesday morning, writing that some customers may be “experiencing issues” with loading the platform.

    Some customers may be experiencing issues with loading Slack. We’ll provide a status update once we have more information. We’re sorry for the disruption. https://t.co/rd7foQMlhf — Slack Status (@SlackStatus) February 22, 2022

    In another message, the company apologized for the issue and said it was “digging into the problem with the highest priority.” Slack also confirmed the issues people were reporting on its status site. The situation was a major topic of discussion on social media, as some returned from long holiday weekends to find that they were unable to communicate with team members. AWS, GitHub and Peloton were among the other sites reporting outages alongside Slack. Downdetector noted that the reports of outages for all of the platforms began around 8:45 am ET.

    Slack said some users were reporting issues with logging in, messaging, sending files, and getting notifications. Slack previously had a major outage on January 4, 2021, which was the first working day of the year for many. The company later attributed the outage to infrastructure issues that led to a variety of problems.

    Salesforce acquired Slack for $27.7 billion in 2021, with plans to make it the glue of the company’s Customer 360 efforts.

  • Ransomware victims are paying up. But then the gangs are coming back for more

    Many organisations that fall prey to ransomware attacks end up paying a ransom multiple times as cyber criminals exploit weaknesses in cybersecurity to squeeze their victims for as much cash as they can. According to analysis by cybersecurity researchers at Proofpoint, 58% of organisations infected with ransomware paid a ransom to cyber criminals for the decryption key – and in many cases, they paid up more than once. 


    Law enforcement agencies and cybersecurity experts warn organisations against paying ransoms, because not only is there no guarantee that the supplied decryption key will work, giving in to ransom demands just encourages more ransomware attacks as it shows cyber criminals that the attacks work. Of those who paid the ransom, just over half – 54% – regained access to data and systems after the first payment. But another third of ransomware victims ended up paying an additional ransom demand before they received the decryption key, while a further 10% also received additional ransom demands but refused the additional payment, walking away without their data. In 4% of cases, organisations paid a ransom or ransoms but still couldn’t retrieve their data, either because of a faulty decryption key, or because the cyber criminals simply took the money and ran. When organisations fall victim to ransomware attacks, the crooks have often been inside that network for weeks or months prior to the attack. That means that even if the ransom is paid, the hackers have the necessary controls and permissions to return and trigger another attack.

    “I don’t think a lot of organisations are aware of the fact that you might pay the ransom once, but if the criminals have been in your infrastructure for eight weeks, you don’t know what else they stole,” Adenike Cosgrove, cybersecurity strategist at Proofpoint, told ZDNet. Stolen data is commonly used as additional leverage in ransomware attacks, as the cyber criminals threaten to publish it if they don’t receive a ransom payment. While this does force some victims into paying, there’s no guarantee that the cyber criminals won’t return with additional threats to publish the stolen data later. “The first run is ‘give me a ransom so I can give you the decryption key’. The second ransom is ‘give me a ransom or I’m going to put this data on the dark web’,” Cosgrove explained. “Third might be ‘give me a ransom or I’m going to tell media publications about this data breach that you have and tell the regulators that, hey you didn’t notify customers that their privacy was impacted,’” she added. The best way to deal with ransomware attacks is to prevent them from happening in the first place. According to Proofpoint, 75% of ransomware incidents begin with phishing attacks, which cyber criminals use to steal usernames and passwords, or plant remote access trojans to gain an initial foothold in the network. Being able to detect suspicious activity early on can, therefore, provide a means of preventing a full-scale ransomware attack. “The assumption is that a ransomware attack is the beginning of an incident, but the reality is the incident started weeks ago,” said Cosgrove.

    Training users to identify and report suspicious emails can help organisations detect ransomware and other malware attacks early. Enabling two-factor authentication can also provide a significant stumbling block to phishing attacks that aim to steal usernames and passwords, because without access to the authentication app, it’s much harder for cyber criminals to leverage compromised login credentials.

  • How to secure your home and office network: The best DNS blockers and firewalls

    How secure is your home or office network? I’ll assume you already have an antimalware/antivirus solution in place, such as Windows Security, which is built into Windows 10 and Windows 11 (and which I believe works particularly well). But antivirus isn’t enough. Escalating international tensions — coupled with an ever-increasing number of professionals working remotely — are driving the need for small-scale solutions and best practices to secure home and small-business networks and mobile devices from malware, malvertising, and other threats.


    What follows is a brief guide — with product recommendations and best practices — for those of you looking to navigate the rapidly evolving cybersecurity landscape. If you have limited network security experience but want to provide additional security for yourself, your small business, or your friends and family, this guide is for you. (If you’re looking for more extensive resources on networking security, CISA’s guide is a good place to start.) Below are the products I am currently using to protect my family’s home networks and mobile devices. (I expect to add more product and service recommendations when I have sufficient time to investigate them.)

    Mobile and device-based DNS VPN firewall

    If you can have only one solution, because you or your friends or loved ones cannot afford a hardware-based firewall device, look no further than NextDNS, which combines an encrypted VPN traffic tunnel with a hosted firewall and DNS blocking and filtering service. When installed as an app on a device, the service creates a private encrypted connection (VPN) to its cloud servers. Its basic functionality includes proxying Domain Name Service (DNS) queries against a large database of potentially malicious sites and blocking them, depending on how restrictively the service is set up. This means if you try to access a site listed on its blocklists, it will stop the connection. This also includes blocklists for advertisements and pornography, if enabled. It should be noted that NextDNS is not a VPN service (such as those covered recently by David Gewirtz) for creating anonymized private connections to the public internet or for end-to-end enterprise VPN connectivity (such as with OpenVPN), even though it uses its own VPN tunnel for the service to work. However, it can work in tandem with those services as needed. The service has native clients for iOS, MacOS, Android, Windows, Linux, and Chrome OS, and can be set as the default DNS on a broadband router or an IoT device. And best of all, the lowest tier of service is absolutely free. The “Pro” service has unlimited devices, unlimited queries, unlimited configurations, and is a whole $20 per year. The main drawback of this service is that it is client-based — meaning you need to install this software on every device you use it on. So it’s ideal for smartphones, tablets, and laptops when you are on a mobile network or using a public Wi-Fi or ethernet connection, but not suitable for “blanket” device coverage on a home or small office broadband network. It is also a DNS-based solution rather than an IP-based and connection-oriented solution, so it is not a true intrusion prevention solution such as a hardware firewall.

    To begin using it, simply visit nextdns.io, and start a new configuration. The first thing you will want to take note of is your randomly-issued ID, which is how you and your family members will identify yourselves to the service and how it will apply the specific security settings you choose to them.

    Image: NextDNS initial configuration screen, web user interface (Jason Perlow/ZDNet)

    The clients all have similar configuration screens and are all easy to install, but the key things to remember are the Configuration ID and to enable “Send Device ID”, because that ensures you are using the service with your specified configuration and that when the system logs activity, you will be able to narrow down which device is having an event.

    Image: NextDNS client configuration in iOS (Jason Perlow/ZDNet)

    Once you have the clients connected to the NextDNS VPN, you can verify they are using the service and that it is logging the connections with the Logs tab at the top of the web portal. The logs page allows you to look at traffic logs on a device-by-device basis, for all DNS queries or just blocked queries.

    Image: Logs menu of NextDNS user interface (Jason Perlow/ZDNet)

    Security protection options can be set in the Security menu tab, where various services can be enabled, such as for AI-Driven Threats, Google Safe Browsing, Cryptojacking, DNS Rebinding, IDN Homograph Attacks, Typosquatting, Domain Generation Algorithms, Newly Registered Domains, Parked Domains, and Child Sexual Abuse Material. I have all of these currently turned on in my own configuration. Tracking and Ad blocking are enabled in the Privacy menu tab. The two blocklists I currently have enabled are NextDNS’s maintained list and OISD, which covers enough ground to protect mobile devices for most regular browsing and mobile app use while keeping functionality as unrestricted as possible. If you enable too many lists, you may find that certain apps (such as Facebook, with its Graph API) may begin to misbehave, and then you will need to temporarily disable NextDNS for them to work again. So I would only start adding more blocklists such as AdGuard and a few others on their curated list one at a time to see how each affects your usability.

    Image: NextDNS Privacy menu (Jason Perlow/ZDNet)

    NextDNS also has a Parental Controls menu for locking out specific websites, apps, and games, as well as the ability to lock out pornography, piracy, dating, and social networks. NextDNS has the ability to have multiple Configuration IDs per account, so if you want to configure your children’s devices, you might want to assign them a separate Configuration ID as well as enter a Parental Passcode in their NextDNS app settings screen so it cannot be altered. You’ll also want to set Parental Controls on their devices using native app restrictions (such as the Content and Privacy Restrictions menu on iOS) so the NextDNS app cannot be deleted.

    Open Source wide-spectrum DNS blocking

    If you are inclined to host your own DNS proxy, and want the most flexible control over the domains you want to block on your premises, look no further than Pi-Hole. Originally built for the Raspberry Pi embedded development board, the open source project has become hugely popular with cybersecurity and privacy enthusiasts alike for its ability to block not just advertisers and trackers, but also malicious domains. 

    The easiest way to run it is to download Docker Desktop for your operating system (Windows, Mac), or Docker Engine for Linux, and then install Pi-Hole into a Docker container. This sounds scarier than it actually is – the Docker Desktop is an easy wizard-based install, and the Pi-Hole part involves issuing a single command line to pull the Pi-Hole repository (docker pull pihole/pihole), and another command line to fire up the container:

    docker run -d --name pihole -e ServerIP=172.16.154.130 -e WEBPASSWORD=password -e TZ=Europe/Copenhagen -e DNS1=127.17.0.1 -e DNS2=1.1.1.1 -e DNS3=8.8.8.8 -p 80:80 -p 53:53/tcp -p 53:53/udp -p 443:443 --restart=unless-stopped pihole/pihole:latest

    You will want to change the ServerIP, WEBPASSWORD and TZ values to reflect your actual local IP address, the desired password, and the time zone (I used America/New_York). More elaborate instructions for Windows documented by Andrew Denty on his blog can be found here, and for Mac in Nathan Alderman’s article at iMore here. You will also want to make sure the system you intend to run it on has a static rather than a dynamic IP. Once you have Pi-Hole installed, you’ll want to connect via browser to the administrative interface on the system running it.

    Image: Pi-Hole administrative interface (Jason Perlow/ZDNet)
    As you can see, I have over two million domains set to be blocked. How do you do the same? You go into Group Management, choose Adlist (this is what Pi-Hole uses to refer to community-sourced lists of domains to be blocked), and then plug in the URL of the Adlist. Which Adlists should you use? Well, there are many lists you can choose from, all of which have different purposes such as Advertising, Suspected Malware, Malvertising, and others. But I consulted with Jason Ford, a principal engineer at a prominent Silicon Valley-based infosec company, and asked him what he used on his Pi-Hole. He was nice enough to give me his lists and his regular expressions for domain blocking. These include some very popular ones such as OISD, Steven Black, and some curated ones from Firebog. If you decide to use all of his lists, you’ll have over 2 million domains blocked on your Pi-Hole. Once you have pasted the URLs of the Adlists into the UI, you’ll want to go into Tools and choose Update Gravity. This is what refreshes the local database and populates the blocking engine. If there are specific domains you want to block or permit, you go into the Blacklist or Whitelist menus and put them in individually. (Note to Pi-Hole’s project team: these are considered non-inclusive terminology; we suggest you use Denylist and Allowlist instead and have a look at the Inclusive Naming Initiative.) To begin using Pi-Hole on your devices and clients, change your DNS settings to point at the Pi-Hole machine. So, for example, my Pi-Hole is running on my 192.168.1.78 Windows machine – so I’ve set my Mac and my wife’s Windows PC and a few other things to use it as the DNS. If you find the Pi-Hole is blocking a specific site or functionality that you need to use (such as a needed tracking cookie or script), simply whitelist the site, or temporarily click on Disable from the left-hand administrative menu.
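    How the Adlists, the Blacklist and Whitelist entries, and the regular expressions mentioned above combine into a single blocking decision, as an added worked example (my own code, not Pi-Hole’s): it parses a constructed hosts-format adlist of the kind Update Gravity ingests and applies the decision order I assume Pi-Hole uses (whitelist wins; list entries match a queried name exactly; subdomains need a regex). SAMPLE_ADLIST, DnsBlocker and build_demo_blocker are names I made up.

```python
import re

# Constructed sample adlist (not a real list). It mixes the hosts-style form used by
# lists such as Steven Black's ("0.0.0.0 domain") with bare-domain entries, comments
# and blank lines, which is the kind of input Pi-Hole's "Update Gravity" step ingests.
SAMPLE_ADLIST = """\
# Title: constructed sample adlist for illustration
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment after the entry
127.0.0.1 localhost
malvertising.example.com
"""

# Hostnames that hosts-format lists carry for the local machine; not blocking entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost", "ip6-localhost"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_adlist(text):
    """Return the set of blocked domains from one adlist in hosts or bare-domain form."""
    domains = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()       # drop comments and surrounding space
        if not entry:
            continue
        parts = entry.split()
        # hosts form: "<address> <domain>"; bare form: "<domain>"
        domain = parts[1] if len(parts) >= 2 and IPV4.match(parts[0]) else parts[0]
        domain = domain.lower().rstrip(".")
        if domain not in LOCAL_NAMES:
            domains.add(domain)
    return domains


class DnsBlocker:
    """Models Pi-Hole's decision order as I understand it (an assumption, not the
    project's own code): whitelist (exact, then regex) wins; otherwise blacklist,
    gravity and regex blacklist block. List entries match the queried name exactly,
    so a subdomain of a listed domain is only covered when a regex says so."""

    def __init__(self, gravity, blacklist=(), whitelist=(), regex_black=(), regex_white=()):
        self.gravity = {d.lower() for d in gravity}
        self.blacklist = {d.lower() for d in blacklist}
        self.whitelist = {d.lower() for d in whitelist}
        self.regex_black = [re.compile(p) for p in regex_black]
        self.regex_white = [re.compile(p) for p in regex_white]

    def decide(self, qname):
        """Return ("allow" | "block", reason) for one queried name."""
        name = qname.lower().rstrip(".")
        if name in self.whitelist:
            return "allow", "whitelist"
        for rx in self.regex_white:
            if rx.search(name):
                return "allow", "regex whitelist " + rx.pattern
        if name in self.blacklist:
            return "block", "blacklist"
        if name in self.gravity:
            return "block", "gravity"
        for rx in self.regex_black:
            if rx.search(name):
                return "block", "regex blacklist " + rx.pattern
        return "allow", "no match"


def build_demo_blocker():
    """Constructed configuration: the sample adlist, one manual blacklist entry, one
    whitelist entry for a domain an app needs, and one regex in the wildcard form
    Pi-Hole documents for matching a domain together with all of its subdomains."""
    return DnsBlocker(
        gravity=parse_adlist(SAMPLE_ADLIST),
        blacklist=["phish.example.test"],
        whitelist=["tracker.example.org"],            # overrides the gravity entry
        regex_black=[r"(\.|^)malvertising\.example\.com$"],
    )


if __name__ == "__main__":
    blocker = build_demo_blocker()
    for q in ["ads.example.net", "cdn.ads.example.net", "tracker.example.org",
              "beacon.malvertising.example.com", "phish.example.test", "example.com"]:
        print(f"{q:35} -> {blocker.decide(q)}")
```

    Note that cdn.ads.example.net is still allowed even though ads.example.net is in gravity; that is why the regular expressions in Jason Ford’s set matter alongside the plain lists.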
    The Disable option can pause blocking indefinitely, for 10 seconds, for 30 seconds, for 5 minutes, or for a custom time.

    Enterprise-grade firewall appliance for home and SMB: Firewalla

    While there are many hardware firewall and network intrusion protection products available in the medium/large SMB and the Enterprise space (such as Cisco Meraki, Sonicwall, Palo Alto Networks, Fortinet, Ubiquiti, Watchguard, and Sophos), there are very few priced for home and smaller SMBs. What I currently use for myself and my immediate family, and have recommended to friends and colleagues, is the Firewalla series of products, from a company founded by a group of former Cisco engineers.

    Image: Firewalla web user interface, dashboard view (Jason Perlow/ZDNet)
    I like Firewalla because it is very easy to install, it isn’t particularly expensive, and it has no ongoing fees. Unlike the DNS blocking solutions above, it is a true embedded Linux, IP-based rules firewall with advanced intrusion detection capabilities that can monitor every device on your home network.

    Image: Firewalla web interface, flows (Jason Perlow/ZDNet)

    Firewalla also has a very good user interface and app for mobile devices for administering it and receiving alerts, and a pretty robust remote management web interface. You don’t need to be a network security genius to set rules and protect your network.

    Image: Firewalla mobile device app on iPad (Jason Perlow/ZDNet)

    You can certainly do some very granular protections and permissions on a per-device basis and set block lists of different target groups and lots of other things, but for the most part, the default configuration when applied to all devices on the network is likely sufficient for most home users. Firewalla’s CEO and founder, Jerry Chen, has published a best practices guide (Part 1, Part 2, Part 3) that I suggest you review once you get your box running. Additionally, if you are not sure which router mode to use with your Firewalla (Router, Bridge, DHCP, Simple) read this guide, and if you want to understand how it intercepts network traffic, read here.

    Firewalla Red is for residences with 100 meg broadband or less. It’s a small red box powered by a USB cable that plugs into one of the spare ports of your home broadband router. It uses ARP spoofing or DHCP mode to monitor all your network devices. 

    Firewalla Blue Plus is for residences with 500 meg broadband or less. In addition to the faster network port and the capabilities of the Red, it has Geo-IP filtering so you can block entire countries off your network, not just IP ranges or domains. It also incorporates a VPN Server, VPN Client, and Site to Site VPN. Because of the Geo-IP filtering, and the currently evolving situation in Eastern Europe, my suggestion is that the Blue Plus should be the minimum considered configuration unless you are really on a budget or have a minimalistic device footprint at home.

    Firewalla Purple is for residences with 1 gig of broadband or less. It is the newest product released by the company and is pretty much the ultimate home network defense device you can buy for the money. In addition to the capabilities of the Blue Plus, it is a complete router replacement (which can act in bridge mode if the existing broadband router needs to stay in place) with twin gigabit Ethernet ports. It has a short-range Wi-Fi access point for tethering to a smartphone as backup internet connectivity.

    Firewalla Gold is a powerful intrusion detection, IP firewall, and multi-gigabit router for SMBs (100 employees or less). Introduced before the Purple, it is essentially a Firewalla Purple on steroids, with four gigabit Ethernet ports, powered by an x86-based chip rather than the Arm-based chip the Purple, Red, and Blue all use. However, it’s probably overkill for most homes unless you have a broadband connection with higher than gigabit network traffic requirements.

    Open Source Firewalls: OPNSense and pfSense

    If you are inclined to set up an actual software-based firewall on a border gateway on your premises and want something that is robust but not expensive, then look no further than OPNsense.

    OPNSense is an open source firewall system based on the BSD UNIX operating system (which, in turn, is also forked from other projects such as pfSense and m0n0wall). It has the following list of core features:

      • Traffic Shaper
      • Two-factor Authentication throughout the system
      • Captive portal
      • Forward Caching Proxy (transparent) with Blacklist support
      • Virtual Private Network (site to site & road warrior, IPsec, OpenVPN & legacy PPTP support)
      • High Availability & Hardware Failover (with configuration synchronization & synchronized state tables)
      • Intrusion Detection and Prevention
      • Built-in reporting and monitoring tools including RRD Graphs
      • Netflow Exporter
      • Network Flow Monitoring
      • Support for plugins
      • DNS Server & DNS Forwarder
      • DHCP Server and Relay
      • Dynamic DNS
      • Encrypted configuration backup to Google Drive
      • Stateful inspection firewall
      • Granular control over state table
      • 802.1Q VLAN support

    Image: OPNSense, Hagennos, CC BY-SA 4.0, via Wikimedia Commons
    The complete feature list of what this software project can do extends far beyond this list. It is downloadable as a 64-bit x86 ISO or USB installer image so that you can install it on a PC with (at least two) Ethernet ports. The project also sells it pre-installed on a hardware appliance in multiple configurations, starting with 4-port gigabit networking, a 600mbps IPsec VPN, 16GB of flash storage, 4GB RAM, and a fanless casing and mainboard for 549 EUR. Similar to OPNSense is pfSense, which has a comparable feature set and similar hardware requirements. As with OPNSense, pre-configured appliances are available, from as low as $189 for a small office/branch office configuration. You could certainly use one of these for a home firewall solution, but you’d need a considerable amount of networking and network security experience to administer it.

  • Almost 100,000 new mobile banking Trojan strains detected in 2021

    Researchers have found almost 100,000 new variants of mobile banking Trojans in just a year.


    As our digital lives have begun to center more on handsets rather than just desktop PCs, many malware developers have shifted part of their focus to the creation of mobile threats. Many of the traditional infection routes are still workable — including phishing and the download and execution of suspicious software — but cyberattackers are also known to infiltrate official app stores, including Google Play, to lure handset owners into downloading software that appears to be trustworthy. This technique is often associated with the distribution of Remote Access Trojans (RATs). While Google maintains security barriers to stop malicious apps from being hosted in its store, there are methods to circumvent these controls quietly. In 2021, for example, Malwarebytes found an app in Google Play disguised as a useful barcode scanner with over 10 million active installs. While the app was submitted as legitimate software, an update was issued to the software after it had accumulated a huge user base, turning the app into an aggressive adware nuisance. The same tactic can be used to turn seemingly benign apps into banking Trojans designed to steal your financial data and account credentials from online services. In the mobile world, theft can occur by redirecting users to phishing pages or by performing overlay attacks, in which a phishing window covers a banking app’s display. Trojans may also quietly sign up their victims to premium telephone services. Recent examples of Trojans ending up in Google Play include Joker and Facestealer.

    According to new research published by Kaspersky, 97,661 new mobile banking Trojan variants were detected in 2021, alongside 17,372 new mobile ransomware Trojans and a total of 3,464,756 malicious installation packages, .APKs that can be installed on jailbroken devices or those that accept apps from unknown developers.  The banking Trojans responsible for the most detected attacks over 2021 were Trojan-Banker.AndroidOS.Agent, Trojan-Banker.AndroidOS.Anubis, and Trojan-Banker.AndroidOS.Svpeng.
    Image: Kaspersky

    Residents of Japan, Spain, Turkey, France, Australia, Germany, Norway, Italy, Croatia, and Austria are most commonly targeted by mobile banking Trojans. Kaspersky says that after a steep climb in the number of attacks detected in 2020, banking Trojan rates are now on the decline.

    Image: Kaspersky

    The cybersecurity researchers added that there is a “downward” trend in mobile attacks in general, but “attacks are becoming more sophisticated in terms of both malware functionality and vectors.”