Mac Malware Steals Cryptocurrency Exchanges’ Cookies

Palo Alto Networks’ Unit 42 recently discovered malware that we believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform. This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims. It also steals saved passwords in Chrome. Finally, it seeks

New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom

We recently discovered 22 Android apps that belong to a new Trojan family we’re calling “Xbot”. This Trojan, which is still under development and regularly updated, is already capable of multiple malicious behaviors. It tries to steal victims’ banking credentials and credit card information via phishing pages crafted to mimic Google Play’s payment interface as

Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information

We recently analyzed a Trojan named “Rootnik” which uses a customized commercial root tool named “Root Assistant” to gain root access on Android devices. By reverse engineering and repackaging this tool, the creators of Rootnik successfully stole at least five exploits that give them root access to Android devices that are running Android 4.3 and

Chinese Taomike Monetization Library Steals SMS Messages

Mobile app creators are often looking for ways to monetize their software. One of the most common ways to do this is by displaying advertisements to users or by offering in-app purchases (IAPs). Mobile monetization platforms create software libraries that authors can embed into their apps to start earning money quickly. We previously highlighted the

New Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries

NOTICE: We have updated this blog to clarify that Airpush is not responsible for Gunpoder. Airpush’s platform was abused by the malware author to hide malicious activity. Executive Summary Unit 42 discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. We named this malware family “Gunpoder”

Android Installer Hijacking Vulnerability Could Expose Android Users to Malware

Executive Summary We discovered a widespread vulnerability in Google’s Android OS we are calling “Android Installer Hijacking,” estimated to impact 49.5 percent of all current Android users. In detail: Android Installer Hijacking allows an attacker to modify or replace a seemingly benign Android app with malware, without user knowledge. This only affects applications downloaded from

Protecting Users from iOS App Provisioning Profile Abuse

Recently, we announced the discovery of WireLurker, a new family of malware that abuses app provisioning profiles to install potentially malicious apps on any iOS device, regardless of whether it is jailbroken.  Shortly after, FireEye highlighted the Masque Attack, which also relies on malware apps signed by provisioning profiles and had previously been disclosed by

Bad Certificate Management in Google Play Store

Following a recent study of apps in the Google Play Store, let’s discuss several security risks caused by the bad certificate management practiced in many Android apps, from social to mobile banking. All Android apps must be digitally signed with a certificate from the developer. As described in Google’s official document, the app developer is

SMS-Based In-App Purchase on Android Is Not Worth The Risk

In-App Purchase (IAP) has become a popular way to sell services and virtual items through mobile applications. In the Android ecosystem, in addition to the official IAP service by Google, there are many third-party IAP Software Development Kits (SDKs) spread around the world. Some of these third-party SDKs provide IAP services based on existing online

Funtasy Trojan Targets Spanish Android Users with Sneaky SMS Charges

Summary A new Android Trojan, named Funtasy, began targeting Spanish Android users in mid-April. Users have downloaded 18 different variants of Funtasy between 13,500 and 67,000 times from the Google Play store. Funtasy currently targets users of multiple Spanish mobile networks, and one Australian mobile network. Funtasy subscribes victim’s phones to premium SMS services which

Get updates on Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit 42

Follow us on