Posts created by: Zhi Xu

Palo Alto Networks’ Unit 42 recently discovered malware that we believe has been developed from OSX.DarthMiner, a malware known to target the Mac platform.

This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims, stealing saved passwords in Chrome and seeks to steal iPhone text messages from iTunes backups on the tethered Mac.

Unit 42 uncovers 145 malicious Google Play apps. Get the full report.

Palo Alto Networks Unit 42 researchers have uncovered a high severity vulnerability in the Android overlay system, which allows a new Android overlay attack by using the “Toast type” overlay.

Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature

Unit 42 researchers uncover aggressive adware abusing third-party DroidPlugin framework on Android.

We recently discovered 22 Android apps that belong to a new Trojan family we’re calling “Xbot”. This Trojan, which is still under development and regularly updated, is already capable of multiple malicious behaviors. It tries to steal victims’ banking credentials and credit card information via phishing pages crafted to mimic Google Play’s payment interface as

We recently analyzed a Trojan named “Rootnik” which uses a customized commercial root tool named “Root Assistant” to gain root access on Android devices. By reverse engineering and repackaging this tool, the creators of Rootnik successfully stole at least five exploits that give them root access to Android devices that are running Android 4.3 and

Mobile app creators are often looking for ways to monetize their software. One of the most common ways to do this is by displaying advertisements to users or by offering in-app purchases (IAPs). Mobile monetization platforms create software libraries that authors can embed into their apps to start earning money quickly. We previously highlighted the

NOTICE: We have updated this blog to clarify that Airpush is not responsible for Gunpoder. Airpush’s platform was abused by the malware author to hide malicious activity. Executive Summary Unit 42 discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. We named this malware family “Gunpoder”

Executive Summary We discovered a widespread vulnerability in Google’s Android OS we are calling “Android Installer Hijacking,” estimated to impact 49.5 percent of all current Android users. In detail: Android Installer Hijacking allows an attacker to modify or replace a seemingly benign Android app with malware, without user knowledge. This only affects applications downloaded from

Recently, we announced the discovery of WireLurker, a new family of malware that abuses app provisioning profiles to install potentially malicious apps on any iOS device, regardless of whether it is jailbroken.  Shortly after, FireEye highlighted the Masque Attack, which also relies on malware apps signed by provisioning profiles and had previously been disclosed by

Following a recent study of apps in the Google Play Store, let’s discuss several security risks caused by the bad certificate management practiced in many Android apps, from social to mobile banking. All Android apps must be digitally signed with a certificate from the developer. As described in Google’s official document, the app developer is

In-App Purchase (IAP) has become a popular way to sell services and virtual items through mobile applications. In the Android ecosystem, in addition to the official IAP service by Google, there are many third-party IAP Software Development Kits (SDKs) spread around the world. Some of these third-party SDKs provide IAP services based on existing online

Summary A new Android Trojan, named Funtasy, began targeting Spanish Android users in mid-April. Users have downloaded 18 different variants of Funtasy between 13,500 and 67,000 times from the Google Play store. Funtasy currently targets users of multiple Spanish mobile networks, and one Australian mobile network. Funtasy subscribes victim’s phones to premium SMS services which

On April 21st our WildFire analysis cloud detected a new Android Trojan, which is currently completely undetected in VirusTotal and uses a new combination of tactics to make money for the author. Based on the state of the code and the limited distribution we believe we may have detected this malware during a testing phase,