This Android Malware Is Stealing Login Credentials

If you’re deeply involved in IT security, you may already be familiar with the ERMAC Android banking trojan.

If this is the first time you’re hearing of it, be aware that the hackers who authored the malicious code have recently released ERMAC 2.0, which represents a significant upgrade in capabilities from the previous iteration.

ERMAC’s main purpose is to harvest login credentials (typically by drawing a fake login screen over the real banking or cryptocurrency-wallet app) and send them to whoever is operating the malware.  The operator then uses the stolen credentials to take over the victim’s bank accounts or crypto wallets, either to commit fraud or, in some cases, simply to empty them.

ERMAC is sold as a subscription on dark-web forums.  Version 1.0 went for $3,000 USD per month; the latest iteration is priced at $5,000 USD per month.  Pricey, yes, but the criminals who rent it evidently consider it worth the money.

ERMAC 2.0 was first spotted in a campaign that pushed a fake Bolt Food application at users in Poland.  Bolt Food is a legitimate European food delivery service.  In this case, the attackers built a fake site that looked convincingly like the real one and tricked users into downloading and sideloading what they believed was the food delivery app.

Naturally, it was nothing of the sort, and instead of convenient food service, what the victims got was ERMAC 2.0 and a whole slew of headaches after that.

Although the Bolt Food app was the first, it is by no means the only app that the malicious code impersonates.  In fact, according to the latest research, ERMAC 2.0 is currently impersonating nearly five hundred popular Android apps.

In every case, however, the campaigns seen so far rely on the user agreeing to download and install an APK from what they believe to be a legitimate third-party site.  While it’s an undeniably dangerous strain of malware, the risk is greatly reduced by installing apps only from the Google Play Store, leaving the “Install unknown apps” permission disabled for your browser and messaging apps, and keeping Play Protect turned on.  Be especially suspicious of any newly installed app that asks to be enabled as an Accessibility service, since banking trojans in this family depend on that access to read and overlay other apps.  Stay vigilant, it’s getting dangerous out there.
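For anyone managing a fleet of Android devices, the practical check is to find apps that did not come from the Play Store. Android records which package installed each app, and `adb shell pm list packages -i -3` prints that installer next to every third-party package. The following is an added example (not code from the original post or from any ERMAC research) that parses that output and flags anything not installed by a trusted store. The trusted-installer list, the package names in the sample, and the sample output itself are all constructed for illustration.

```python
import re
import sys

# Installer packages we consider legitimate. Assumption for this example:
# Google Play only. Add an OEM store (for example the Samsung Galaxy Store,
# "com.sec.android.app.samsungapps") if your fleet is allowed to use it.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `adb shell pm list packages -i -3` looks like:
#   package:com.example.app  installer=com.android.vending
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_pm_output(lines):
    """Return {package_name: installer} for every line that parses; skip the rest."""
    result = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("installer")
    return result


def find_sideloaded(lines, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, installer) pairs for apps not installed by a trusted store.

    An installer of "null" means Android recorded no installing package, which is
    what you see for APKs pushed with `adb install`. An APK opened from a browser
    download usually shows the system package installer instead. Either one is a
    sideload and deserves a closer look.
    """
    return sorted(
        (pkg, inst)
        for pkg, inst in parse_pm_output(lines).items()
        if inst not in trusted
    )


# Constructed sample output for this example; not captured from a real device.
# The package names are placeholders, not the names used by any real campaign.
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.fooddelivery  installer=com.android.vending
package:com.example.fakefood  installer=null
package:com.example.sideloaded  installer=com.google.android.packageinstaller
"""


if __name__ == "__main__":
    # Pipe real output in with:  adb shell pm list packages -i -3 | python3 check_sideload.py -
    source = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT
    for pkg, inst in find_sideloaded(source.splitlines()):
        print(f"{pkg}: installed by {inst}")
```

Two packages in the constructed sample are flagged: the one with no recorded installer and the one installed through the package installer. Run on a real device this will not tell you whether a flagged package is malicious, only that it bypassed the store; that short list is what you then check against the device owner’s expectations and against a malware scanner.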

Screencastify Issue Could Allow Someone To Steal Recorded Videos

Are you one of the legions of users making use of the Screencastify Chrome extension?  It’s a fantastic Chrome extension that allows you to almost effortlessly create screencasts for a variety of purposes.

Unfortunately, the web extension also suffers from a critical security vulnerability that allows attackers to take control of a user’s webcam and steal recorded videos.

The cross-site scripting (XSS) vulnerability that made this possible was reported to the vendor by independent security researcher Wladimir Palant on Valentine’s Day of this year (February 14, 2022).  The vendor responded quickly and shipped a fix just days after the report.

While we applaud the rapid response, the fix did not completely address the problem.  The threat from outside attackers has been eliminated, but the extension still extends the same trust to the vendor’s own web pages, so three months later an unscrupulous insider at the vendor could still carry out the same kind of attack.  Those lingering issues remain unaddressed.

That’s problematic because Screencastify boasts more than ten million installations worldwide on the Chrome store. The total number of installations may be significantly higher, but the site’s counter only goes to ten million.

The extension’s popularity exploded during the pandemic because it represented such a quick and easy solution to a problem that only emerged when tens of millions of people around the world started working from home.

Mr. Palant sums up the core issue thusly:

“The problem was located in the error page displayed if you already submitted a video to a challenge and were trying to submit another one.  This error page is located under a fixed address, so it can be opened directly rather than triggering the error condition.”

In any case, if you use the extension just be aware of the risks associated with it.  There is no word from the vendor on if or when another fix might be coming.

Update Google Chrome Soon To Fix Multiple Security Issues

Are you a Google Chrome user?  If so, be aware that the company recently moved Chrome 102 to the stable channel and is urging all users of its browser to update right away. The release contains a total of 32 security fixes on Windows, Mac and Linux.

Of the 32 fixes, 25 were for externally reported flaws: one critical, eight high-severity, nine medium, and seven low-severity.  The critical flaw, tracked as CVE-2022-1853, is a “use after free in IndexedDB.”  IndexedDB is the browser’s built-in database API, which web pages use to store structured data locally on the user’s machine.

Details about the bug and how attackers could exploit it are limited. According to Pieter Arntz, a security researcher at Malwarebytes, an attacker could exploit the flaw by luring a victim to a crafted website that triggers the bug through IndexedDB, potentially taking control of the visitor’s browser.

None of the flaws addressed in Chrome 102 are “zero-day” issues, meaning none were known to be exploited in the wild before Google released the patch.  Even so, many people are slow to update their browser, and now that the fixes are public, attackers can study them.  If you are one of the slow updaters, you could be in for a world of headaches if an attacker sets their sights on your system.

You can get Chrome 102 for Windows, Mac, and Linux right now; opening chrome://settings/help will show your current version and trigger the update.  In case you weren’t aware, the regular stable channel moves to a new major version every four weeks.  The extended stable channel, aimed at organizations that want fewer changes, moves to a new major version only every eight weeks, and Google back-ports the important security fixes to it in between.

Grab yours today and kudos to Google for their tireless work!  Last year, Google’s Project Zero team counted a total of 58 zero-day exploits detected in the wild across popular software, twenty-five of which impacted web browsers.

General Motors Customer Data Leaked By Credential Stuffing Attacks

Do you own a Chevrolet, Buick, GMC, or Cadillac?  If so, be aware that GM recently acknowledged that they fell victim to a credential stuffing attack a little over a month ago.

The attack exposed some customer information to the attackers and allowed them to redeem an undisclosed number of rewards points for gift cards.

The company said that they detected suspicious network activity between April 11th and April 29th of 2022.  In a letter sent to those impacted by the breach, GM indicated that they would be restoring rewards points for everyone who was impacted.

While it’s small consolation, it’s worth noting that this isn’t a case of GM’s own systems being hacked.  In a credential stuffing attack, the threat actors take username and password pairs leaked from other breaches (typically bought in bulk on the Dark Web) and try them wholesale against a target website, looking for combinations that still work.  The attack succeeds only because people reuse the same password across sites.  GM stressed that there is no evidence the attackers obtained these credentials from GM’s network itself.  If you reused your GM password anywhere else, change it everywhere it was used, and turn on multi-factor authentication wherever it is offered.
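Credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts and fails almost all of them, whereas a real user who has forgotten a password hammers a single account. The following is an added example (not code from the original post and not GM’s detection logic) that scores source IPs on that pattern and lists the accounts that should be reset, namely those where a flagged source actually got in. The log format, the field names, the thresholds and the log lines themselves are all constructed for illustration; the IP addresses are from the documentation ranges.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format for this example (constructed, not any vendor's real format):
#   <timestamp> ip=<source ip> user=<account> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in from here


def parse_log(lines):
    """Aggregate login attempts per source IP; lines that do not parse are ignored."""
    per_ip = defaultdict(SourceStats)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        stats = per_ip[m.group("ip")]
        stats.attempts += 1
        stats.users.add(m.group("user"))
        if m.group("result") == "FAIL":
            stats.failures += 1
        else:
            stats.successes.add(m.group("user"))
    return per_ip


def find_stuffing_sources(lines, min_distinct_users=5, min_failure_ratio=0.8):
    """Return {ip: SourceStats} for sources that tried many different accounts
    and failed most of the time. A forgotten-password user retries one account,
    so the distinct-user count is what separates the two cases."""
    flagged = {}
    for ip, stats in parse_log(lines).items():
        ratio = stats.failures / stats.attempts
        if len(stats.users) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = stats
    return flagged


def accounts_to_reset(lines, **thresholds):
    """Accounts that had a successful login from a flagged source. Those are the
    credential pairs that matched a leaked list and need a forced reset."""
    hit = set()
    for stats in find_stuffing_sources(lines, **thresholds).values():
        hit |= stats.successes
    return sorted(hit)


# Constructed sample log for this example (not real customer data).
SAMPLE_LOG = """\
2022-04-12T02:14:01Z ip=203.0.113.7 user=alice result=FAIL
2022-04-12T02:14:02Z ip=203.0.113.7 user=bob result=FAIL
2022-04-12T02:14:02Z ip=203.0.113.7 user=carol result=FAIL
2022-04-12T02:14:03Z ip=203.0.113.7 user=dave result=FAIL
2022-04-12T02:14:03Z ip=203.0.113.7 user=erin result=OK
2022-04-12T02:14:04Z ip=203.0.113.7 user=frank result=FAIL
2022-04-12T02:14:04Z ip=203.0.113.7 user=grace result=FAIL
2022-04-12T02:14:05Z ip=203.0.113.7 user=heidi result=FAIL
2022-04-12T08:30:10Z ip=198.51.100.20 user=alice result=FAIL
2022-04-12T08:30:25Z ip=198.51.100.20 user=alice result=FAIL
2022-04-12T08:30:41Z ip=198.51.100.20 user=alice result=FAIL
2022-04-12T08:31:02Z ip=198.51.100.20 user=alice result=OK
2022-04-12T09:00:00Z ip=192.0.2.9 user=bob result=OK
"""


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(stats.users)} accounts tried, {stats.failures}/{stats.attempts} failed")
    print("reset:", accounts_to_reset(SAMPLE_LOG.splitlines()))
```

In the constructed sample, 203.0.113.7 walks eight different accounts and fails seven of them, so it is flagged and erin’s account goes on the reset list; 198.51.100.20 fails three times on one account and then succeeds, which is a forgotten password, not stuffing. One caveat a practitioner should keep in mind: real stuffing campaigns rotate through proxies so that each IP makes only a handful of attempts, which per-IP thresholds alone will miss. The same logic is then better applied to the whole site over a time window (distinct accounts failing per minute against a normal-day baseline), and rate limiting plus MFA blunt the attack whether or not it is detected.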

If you were among the impacted customers, be aware that the following information was exposed:

  • Customer first and last name
  • Personal email address
  • Personal physical address
  • Username and phone number for registered family members tied to the account
  • Last known and saved favorite location information
  • Currently subscribed OnStar package (if applicable)
  • Family members’ avatars and photos (if uploaded)
  • Profile picture
  • Search and destination information

The attackers may also have had access to other account details such as car mileage history, service history, Wi-Fi hotspot settings, emergency contact information and the like.

As breaches go, this one wasn’t as bad as many of the others we’ve heard about thus far this year. However, a name, home address, personal email, phone number and a list of frequently visited locations are more than enough for convincing phishing and social-engineering attempts, which is how identity theft usually starts. So be warned and stay vigilant.

The Latest Windows 11 Update Fixes Dozens Of Issues

Are you a Windows 11 early adopter?  If so, you’ll want to grab the latest update, KB5014019.  It is an optional preview update rather than a security update, but it contains several important bug fixes, including fixes for Direct3D app crashes, slow file copying, and an issue with the TPM (Trusted Platform Module) driver that some users reported was dramatically increasing system startup time.

In addition to that, if you’ve been annoyed by blurry icons, incorrect search results scaling, and if your system is failing to maintain your preferred brightness setting after you change it, this latest fix has you covered.

In the area of new features, the latest update adds a small one but one that’s sure to bring a smile to at least some people’s faces.  Microsoft is experimenting with a new “Windows Spotlight” feature which aims to bring the world to your desktop with new background pictures.

The Windows 10 lock-screen pictures and blurbs that Spotlight provides are both compelling and interesting, and the company is hoping to build on that for the desktop.  New pictures will appear automatically once you enable the feature.  To do so, make your way to Settings, then Personalization and then Background.

Once there, select “Personalize your Background” and then choose “Windows Spotlight.”

It’s a small feature and certainly not critical but it’s one of those “user experience” things that a great many people expressed fondness for in Windows 10.  Kudos to the Windows 11 design team for building on it.

In addition to KB5014019, Microsoft also released KB5014022 for Windows 10 version 1809 (and Windows Server 2019, which shares its updates) and KB5014021 for Windows Server 2022.  If you’re running any of these, install the latest update to stay current.  While this release doesn’t contain anything groundbreaking, it’s a solid update that won’t disappoint.