More stories

    Android security: Six more apps containing Joker malware removed from the Google Play Store

    Cybersecurity researchers have unmasked six applications on the Google Play store with a combined total of over 200,000 downloads in yet another example of the highly persistent malware that has been plaguing Android users for the past three years.
    Joker malware pretends to be a legitimate app in the Play Store but after installation conducts billing fraud by either sending SMS messages to a premium rate number or using the victim’s account to repeatedly make purchases using WAP billing, which also lines the pockets of Joker’s operators.
    The activity occurs behind the scenes and without any input required from the user, meaning they often won’t find out that they’ve been scammed until they receive a phone bill full of additional charges.
    Google has removed over 1,700 apps containing Joker malware from the Play Store since 2017, but the malware keeps re-emerging and now six new malicious apps have been identified by researchers at cybersecurity company Pradeo.
    Of the six apps uncovered as delivering Joker, one called ‘Convenient Scanner 2’ has been downloaded over 100,000 times alone, while ‘Separate Doc Scanner’ has been downloaded by 50,000 users.
    Another app, ‘Safety AppLock’, claims to ‘protect your privacy’ and has been installed 10,000 times by unfortunate victims who will eventually find that the malicious download harms, rather than protects, them.
    Two more apps have also received 10,000 downloads each – ‘Push Message-Texting&SMS’ and ‘Emoji Wallpaper’, while one named Fingertip GameBox has been downloaded 1,000 times.
    The six apps have now been removed from the Play Store after being disclosed to Google by Pradeo. ZDNet has attempted to contact Google for comment; no response had been received at the time of publication.
    Users who have any of the applications on their Android smartphone are urged to remove them immediately.
    The six apps are just the latest in a long line of malicious downloads that the group behind Joker – also known as Bread – have attempted to sneak into the Play Store.
    A previous blog post by Google’s Android security and privacy team describes Joker as one of the most persistent threats the Play Store faces, with the attackers behind it having “at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected”. They also note that the sheer number of attempted submissions to the Play Store is one of the reasons it has remained so successful, with up to 23 different apps submitted a day during peak times.
    In many cases, the malicious apps have been able to bypass the defences of the Play Store by submitting clean apps to begin with, only to add malicious functionalities at a later date.
    “These apps are riddled with permission requests and submitted to Google Play by their developers. They get approved, published and installed by users. Once running on users’ devices, they automatically download malicious code,” Pradeo’s Roxane Suau told ZDNet. “Then, they leverage their numerous permissions to execute the malicious code. Security checks of these apps’ source code as it is published on the store do not detect the malware, because it’s not there yet,” she added.
    The authors of Joker attempt to encourage downloads of the malware by entering fake positive reviews – although many of the apps identified by Pradeo also have many negative reviews by users who’ve fallen victim to the malware, something that users should look out for when downloading apps.
    The individual or group behind Joker is highly likely to still be active and attempting to trick more users into downloading malware in order to continue the fraud operation.

    New KryptoCibule Windows malware is a triple threat for cryptocurrency users

    Cyber-security firm ESET has published a report today detailing a new strain of Windows malware that the company has named KryptoCibule.
    ESET says the malware has been distributed since at least December 2018, but only now surfaced on its radar.
    According to the company, KryptoCibule is aimed at cryptocurrency users, with the malware’s main three features being to (1) install a cryptocurrency miner on victims’ systems, (2) steal cryptocurrency wallet-related files, and (3) replace wallet addresses in the operating system’s clipboard to hijack cryptocurrency payments.
    These features are the result of extensive development work on the part of the malware’s creators, who have steadily added new components to KryptoCibule’s code since its first version in late 2018.
    According to ESET, the malware has slowly evolved into a convoluted multi-component threat, far above what we have seen in most other malware strains.
    Currently, the malware is spread via torrent files for pirated software. ESET says that users who download these torrents install the pirated software they wanted, but also unknowingly run the malware’s installer.
    This installer sets up a reboot persistence mechanism that relies on scheduled tasks and then installs the core of the KryptoCibule malware (the launcher), the OS clipboard hijacker module, and Tor and torrent clients.
    ESET says KryptoCibule uses the Tor client to communicate securely with its command-and-control (C&C) servers, hosted on the dark web, while the torrent client is used to load torrent files that eventually download additional modules, such as proxy servers, crypto-mining modules, and HTTP and SFTP servers, each useful for one or more tasks in the malware’s modus operandi.
    All in all, KryptoCibule is bad news for cryptocurrency users, since this is clearly a strain designed by persons with knowledge of modern malware operations.
    However, there is also good news, at least for now. ESET says that despite being a pretty complex threat, KryptoCibule’s distribution appears to have been limited to only two countries, namely the Czech Republic and Slovakia.
    ESET researchers say that almost all the malicious torrents distributing pirated software laced with KryptoCibule were only available on uloz.to, a popular file-sharing site in the two countries.
    This limited distribution appears to have been planned from the beginning: KryptoCibule also contains a feature that checks for the presence of antivirus software on a victim’s computer, and this module only checks for ESET, Avast, and AVG, all three being antivirus companies based in either the Czech Republic or Slovakia and therefore the products most likely to be found on the computers of the targeted users.
    However, the fact that this malware strain is currently only distributed in a small area of the globe is no reason to believe this will remain so in the future.
    Users should remain vigilant, and the simplest way to avoid a threat like KryptoCibule is to not install pirated software. Multiple reports over the last decade have warned users that torrent files for pirated software are frequently laced with malware and not worth the risk.

    AusCERT says alleged DoE hack came from a third party

    The Australian Computer Emergency Response Team (AusCERT) denied claims today that hackers had breached the Department of Education, Skills, and Employment (DoE), and downloaded the personal details of more than one million students, teachers, and staff.
    Rumors of a supposed hack first surfaced yesterday after a hacker shared an archive file on a hacker forum, which they initially advertised as data obtained from the Australian DoE.
    According to a screenshot of a now-deleted forum post, the hacker claimed the data contained more than one million records for Australian students, teachers, and DoE staff, which they said they obtained back in 2019.

    Actor hacked and dumped the Australian department of education’s database containing 1,000,000 records of students, teachers, and staff. The leak contains information such as emails, names, and hashed passwords. pic.twitter.com/MmewoWPuWE
    — Alon Gal (Under the Breach) (@UnderTheBreach) September 1, 2020

    However, AusCERT says that such a hack never took place.
    In a statement posted on its website, AusCERT said that after analyzing the data with cyber-security firm Cosive, it determined that the leaked data originated from K7Maths, an online service providing school e-learning solutions.
    “It’s likely that the data came from an exposed Elasticsearch instance,” AusCERT said, also adding that this was not a new leak, and had been previously shared online already, back in March 2020.
    Per AusCERT, the leaked data contained details such as first names, emails, password strings, and K7Maths site settings.
    “There are no plaintext passwords exposed, just bcrypt hashes, although they can be cracked with enough effort,” AusCERT said.
    The non-profit organization, which provides cyber-security alerting services for the Australian public and private sector, said that only the email address and country of origin fields in the leaked data count as “personal information,” and that the leak is not severe enough to trigger a data breach notification to victims.
    AusCERT is now urging Australian schools to check whether their staff use the K7Maths service for their daily activities and to take appropriate measures, such as resetting teachers’ and students’ passwords, in case they have re-used those passwords across other internal applications.
    Furthermore, AusCERT says that staff accounts should also be monitored for suspicious logins, just in case an account is compromised and used to access school resources.
    K7Maths could not be immediately reached for comment. ZDNet will update this article with a statement from the company if it wishes to issue one.

    Australian Defence hunts for new contractor to build new recruitment database

    Australia’s Department of Defence has started its search for a partner that can help deliver a new recruitment system for the Australian Defence Force (ADF).
    Defence said under the contract, which will be worth more than AU$1 billion over 10 years, the successful partner would be responsible for delivering an “adaptable, scalable, modern, competitive, collaborative, and transparent” recruiting system.
    “The partner will bring expertise in marketing, recruiting operations and candidate management, medical and psychological testing and assessments, ICT, facilities management and administration,” the agency said.
    “Defence is focused on maximising industry participation and engaging with a wide range of companies with the capability and capacity to deliver the requirements. Defence aims to modernise its ADF recruiting approach through the process.”
    Defence said the tender process would be undertaken in two stages. The first involves an open market request for proposal (RFP) to identify potential respondents, and the second would be a request for tender (RFT) to a number of shortlisted respondents that were successful in stage one.
    Submissions for the RFP will close on December 18, with plans to notify shortlisted respondents by July 2021. Shortlisted respondents will then have until December 2021 to provide their submission to the RFT.
    Defence said the successful contractor would be finalised by October 2022.
    Plans to develop the new recruitment system come after the Australian Signals Directorate (ASD) notified Defence and its recruitment database contractor that it had reason to believe it was vulnerable to a Netscaler bug a month after Citrix made the vulnerability public.
    “On the 24th of January … through sensitive other sources, had a concern that the Department of Defence and its contractor running the DFRN [Defence Force Recruiting Network] may have been vulnerable to a malicious act as a result of the Citrix issue,” director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates in March.
    Noble added that ASD believed no data was compromised, but it did see attempts to access the network related to the vulnerability.
    The ASD said the database was full of personal information such as health information, medical exams, and psychological information.
    “This particular network that we are talking about here for the Defence Force recruiting is an external network, not part of the Defence network,” Defence CIO Stephen Pearson said.
    As reported by the ABC, the DFRN was offline and quarantined for 10 days from February 2 to February 12. A source told the ABC that the issue was detected before Christmas and crisis meetings were held twice a day over the issue. The database was run by ManpowerGroup, the ABC reported.
    In response to Questions on Notice, Defence said Citrix issued its notice on 17 December 2019, but the agency was only aware of it a week later.
    “On 24 December 2019, Defence became aware of the vulnerability through normal monitoring of open source reporting and commenced assessments with the DFR hosting provider to ascertain the relevance of this vulnerability to Defence,” Defence said.
    “The Australian Cyber Security Centre (ACSC) issued public advice on 25 December 2019 that notified of the vulnerability and mitigations strategies.”
    Defence said on December 27 that it began monitoring for “external reconnaissance and scanning attempts” against Citrix assets in its environment.
    “On 6 January 2020, a Vulnerability Alert was issued to all identified system owners within Defence, and to our Managed Service Providers,” it said.
    “Between 6 January 2020 and 19 January 2020 Defence continued working with system owners and managed service providers to ensure mitigations were applied.”
    The Defence timeline showed the department had a month before the ASD stepped in.

    Unknown commercial entity blamed for NSW driver's licence data breach

    Earlier this week, it was revealed information on thousands of New South Wales driver’s licence-holders was breached, with reports indicating a cloud storage folder that had over 100,000 images was mistakenly left open.
    According to Transport for NSW (TfNSW), it was told on Thursday by Cyber Security NSW that a cloud storage folder hosted by Amazon Web Services (AWS) containing personal information, including photos of driver’s licences, was not adequately secured.
    “Transport for NSW quickly established that it was not the owner of the cloud storage folder,” it said in a statement.
    On Tuesday, Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver’s licence images. It said it was the responsibility of the commercial entity to investigate this matter and notify any customers if their data had been breached.
    AWS has so far not provided information on the identity of the commercial entity, nor the customers that may have been affected by the breach, Cyber Security NSW chief cybersecurity officer Tony Chapman said.
    “There are mandatory reporting requirements under the Office of the Australian Information Commissioner that the commercial entity needs to adhere to,” he said. “Cyber Security NSW will continue to work with other organisations to seek more information about the commercial entity involved and encourage them to reach out to their customers if their information has been breached.”
    Chapman said the information was not provided by, nor sourced from NSW government agencies, and that his team does not know how long this commercial entity had this data open for, nor who had access to it.
    TfNSW said as it is not the owner of the folder and does not have access to its contents, the identities of all those who may have been affected cannot be determined.
    “Transport for NSW takes customer data security concerns seriously and will support those who have been the victim of identity theft,” TfNSW said. “Where necessary new driver licence/photo cards are reissued on a case-by-case basis.”
    Cyber Security NSW launched its Cyber Security Vulnerability Management Centre in July. Operating out of Bathurst, 200km west of Sydney, the centre is responsible for detecting, scanning, and managing online vulnerabilities and data across departments and agencies.
    Service NSW in April fell victim to a phishing attack. The email accounts of 47 Service NSW staff members were illegally accessed, with the emails containing customer information.
    A spokesperson for Service NSW told ZDNet that an investigation into the matter was still ongoing.
    “The analysis into the attack on Service NSW staff email accounts is ongoing and the specialist teams are working through complexities including ensuring the data remains secure during the review,” they said.
    Also this year, the state government experienced a power outage at one of its data centres in Silverwater, west of Sydney, resulting in many state health and customer service functions reverting to manual processes.

    Microsoft strengthens deepfake fight with new authentication tools

    In an effort to combat the prevalence of deepfakes, Microsoft has launched a new video authenticator tool, which can analyse a still photo or video to provide a percentage of the chance that a piece of media is artificially manipulated.
    In the case of a video, Microsoft said it could provide this percentage in real time for each frame as the video plays. It works by detecting the blending boundary of the deepfake and subtle fading or greyscale elements that might not be detectable by the human eye.
    Deepfakes, or synthetic media, can be photos, videos, or audio files manipulated by artificial intelligence (AI). Microsoft said detection of deepfakes is crucial in the lead-up to the US election.
    The tech was created using the public FaceForensics++ dataset, and Microsoft said it was tested on the DeepFake Detection Challenge Dataset, which it considers to be a leading model for training and testing deepfake detection technologies.
    “We expect that methods for generating synthetic media will continue to grow in sophistication. As all AI detection methods have rates of failure, we have to understand and be ready to respond to deepfakes that slip through detection methods,” the company said in a blog post.
    “Thus, in the longer term, we must seek stronger methods for maintaining and certifying the authenticity of news articles and other media.”
    With few tools available to do this, Microsoft has also unveiled a new technology it said can both detect manipulated content and assure people that the media they’re viewing is authentic.
    The tech has two components, with the first being a tool built into Microsoft Azure that enables a content producer to add digital hashes and certificates to a piece of content.
    “The hashes and certificates then live with the content as metadata wherever it travels online,” Microsoft explained.
    The second is a reader, which can be included in a browser extension, that checks the certificates and matches the hashes to determine authenticity.
    In its deepfake fight, Microsoft has also partnered with the AI Foundation. The partnership will see the two parties make the video authenticator available to organisations involved in the democratic process, including news outlets and political campaigns through the foundation’s Reality Defender 2020 initiative.
    The video authenticator will initially be available only through the initiative.

    Image: Microsoft’s video authenticator tool (Microsoft)
    Another partnership with a consortium of media companies, known as Project Origin, will see Microsoft’s authenticity technology tested. The Trusted News Initiative, an initiative from a number of publishers and social media companies, has also agreed to engage with Microsoft on testing its technology.
    The University of Washington, deepfake detection firm Sensity, and USA Today have also joined Microsoft to boost media literacy.
    “Improving media literacy will help people sort disinformation from genuine facts and manage risks posed by deepfakes and cheap fakes,” Microsoft said. “Practical media knowledge can enable us all to think critically about the context of media and become more engaged citizens while still appreciating satire and parody.”
    Through the partnership, there will be a public service announcement campaign encouraging people to take a “reflective pause” and check to make sure information comes from a reputable news organisation before they share or promote it on social media ahead of the election.
    The parties have also launched a quiz for US voters to learn about synthetic media.

    Chinese national receives 18-month sentence for stealing US semiconductor trade secrets

    A Chinese national has been sentenced to 18 months in US prison by the District Court of Northern California for stealing trade secrets from semiconductor companies Avago and Skyworks.
    The charged individual, Hao Zhang, was found to have stolen trade secrets such as semiconductor recipes, source code, specifications, presentations, design layouts, and other confidential information from these companies.
    The original indictment had pressed charges against Zhang and five other Chinese nationals, but only Zhang will face prison time.
    The other five individuals are currently labelled as fugitives and are not based in the United States.
    According to the indictment, Zhang and Wei Pang — one of the charged individuals — had met at the University of Southern California (USC) during their studies. They then worked as semiconductor engineers at Skyworks and Avago, respectively, and stole trade secrets. 
    These trade secrets were then shared with Tianjin University to enable the construction of a semiconductor fabrication plant and a China-based semiconductor business, the indictment explained.
    In addition to facing prison time, Zhang was ordered by District Judge Edward Davila to pay around $477,000 in restitution to the two semiconductor companies. 
    Davila’s decision brings an end to a case that was unsealed in 2015, when Zhang and the other individuals were charged. Zhang was arrested in the same year upon arriving at the Los Angeles International airport from China. 
    The court verdict follows the Department of Justice earlier this week pressing charges against another Chinese national for allegedly destroying evidence in relation to a separate investigation into the potential illegal transfer of US technology to China. 
    There has been a surge of these investigations since 2018, according to FBI Director Christopher Wray, when the DoJ launched the China Initiative campaign to counter and investigate Beijing’s economic espionage. 
    “The FBI has about a thousand investigations involving China’s attempted theft of US-based technology in all 56 of our field offices and spanning just about every industry and sector,” Wray said earlier this year.

    Gartner expects more CEOs to be personally liable for cyber-physical security incidents

    The liability for failing to protect systems from cyber incidents will fall directly onto many CEOs by 2024, Gartner is predicting.
    The analyst firm expects liability for cyber-physical systems (CPSs) incidents will pierce the corporate veil to personal liability for 75% of CEOs.
    “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” research vice president at Gartner Katell Thielemann said.
    See also: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
    “In the US, the FBI, NSA, and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry.”
    Thielemann believes that CEOs will no longer be able to plead ignorance or retreat behind insurance policies.
    Without even taking the actual value of human lives into the equation, Gartner said the costs for organisations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant.
    The financial impact of CPS attacks resulting in casualties to human life is predicted to reach over $50 billion by 2023.
    Gartner defines CPSs as systems that are engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world, including humans.
    CPSs, therefore, underpin all connected IT, operational technology, and Internet of Things efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure, and clinical healthcare environments.
    “Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them,” Thielemann continued. “The more connected CPSs are, the higher the likelihood of an incident occurring.”
    She said that with operational technology, smart buildings, smart cities, connected cars, and autonomous vehicles evolving, risks, threats, and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.
    “However, many enterprises are not aware of CPSs already deployed in their organisation, either due to legacy systems connected to enterprise networks by teams outside of IT, or because of new business-driven automation and modernisation efforts,” she added.