—————
Free Secure Email – Transcom Sigma
Boost Inflight Internet
Transcom Hosting
Transcom Premium Domains
Invisible Adware: Unveiling Ad Fraud Targeting Korean Android Users

Authored by SangRyol Ryu
We live in a world where advertisements are everywhere, and it’s no surprise that users are becoming tired of them. By contrast, developers are driven by profit and seek to incorporate more advertisements into their apps. However, there exist certain apps that manage to generate profit without subjecting users to the annoyance of ads. Is this really good?
Recently, McAfee’s Mobile Research Team discovered a concerning practice among some apps distributed through Google Play. These apps load ads while the device’s screen is off, which might initially seem convenient for users. However, it’s a clear violation of Google Play Developer policy on how ads should be displayed. This affects not only the advertisers who pay for invisible ads, but also the users, as it drains battery, consumes data and poses potential risks such as information leaks and disruption of user profiling caused by Clicker behavior.
The team has identified 43 apps that were collectively downloaded 2.5 million times. Among the targeted apps are TV/DMB Player, Music Downloader, News, and Calendar applications. McAfee is a member of the App Defense Alliance, which is focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Most apps are no longer available on Google Play, while others have been updated by the developer. McAfee Mobile Security detects this threat as Android/Clicker. For more information, and to get fully protected, visit McAfee Mobile Security.

Many affected apps
How does it work?
This ad fraud library uses specific tactics to avoid detection and inspection. It deliberately delays the initiation of its fraudulent activities, creating a latent period from the time of installation. What’s more, all the intricate configurations of this library can be remotely modified and pushed using Firebase Storage or Messaging service. These factors significantly add to the complexity of identifying and analyzing this fraudulent behavior. Notably, the latent period typically spans several weeks, which makes it challenging to detect.

Getting latent period by using Firebase Messaging Service
It is important to be cautious about the implications of granting permissions, such as excluding ‘power saving’ and allowing ‘draw over other apps’. These permissions can enable certain activities to occur discreetly in the background, raising concerns about the intentions and behavior of the applications or libraries in question. Allowing these permissions can result in more malicious behavior, such as displaying phishing pages, in addition to displaying ads in the background.

Asked permissions to run in the background and keep it hidden
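A triage check for the permission pair described above, as an added example that is not part of the original post. It assumes the two prompts map to the Android permissions `REQUEST_IGNORE_BATTERY_OPTIMIZATIONS` and `SYSTEM_ALERT_WINDOW`; the manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the two prompts in the text to Android permission names.
RISKY = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "power-saving exclusion",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
}

# Constructed manifests, in the decoded XML form a tool such as apktool emits.
MANIFESTS = [
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
                 package="com.example.tvplayer">
         <uses-permission android:name="android.permission.INTERNET"/>
         <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
         <uses-permission-sdk-23
             android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
       </manifest>""",
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
                 package="com.example.calendar">
         <uses-permission android:name="android.permission.INTERNET"/>
         <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
       </manifest>""",
]

def risky_permissions(manifest_xml):
    """Return (package, sorted labels of the risky permissions it requests)."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    # A permission can be declared with either element, so check both.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            requested.add(el.get(ANDROID + "name"))
    labels = sorted(RISKY[p] for p in requested & RISKY.keys())
    return root.get("package"), labels

def triage(manifests):
    """'review' when both permissions appear together, 'note' for one, else 'ok'."""
    verdicts = {}
    for xml in manifests:
        pkg, labels = risky_permissions(xml)
        level = "review" if len(labels) == 2 else "note" if labels else "ok"
        verdicts[pkg] = (level, labels)
    return verdicts

if __name__ == "__main__":
    for pkg, (level, labels) in triage(MANIFESTS).items():
        print(f"{level:6} {pkg}: {', '.join(labels) or '-'}")
```

A "review" verdict is a prompt to ask whether the app's stated function needs both permissions; legitimate apps request them too.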
When the device screen is turned off after the latent period, the fetching and loading of ads starts, so users are unaware that advertisements are running on their devices. This ad library registers device information by accessing the unique domain (e.g., mppado.oooocooo.com) linked with the application. It then goes to Firebase Storage to get the specific advertisement URL and shows the ads. It is important to note that this process consumes power and mobile data resources.

Observed traffic when the screen is off
If users quickly turn on their screens at this point, they might catch a glimpse of the ad before it is automatically closed.
Example of an advertising site displayed when the screen is off
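One way to surface this behavior from device telemetry, as an added example that is not part of the original post: it totals each app's traffic while the screen is off and flags heavy senders. The log format, package names, `example` hosts, byte counts and thresholds are all constructed assumptions; only mppado.oooocooo.com comes from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "<time> <kind> <fields...>" log format.
SAMPLE_LOG = """\
2023-08-01T01:50:00 SCREEN on
2023-08-01T01:51:00 NET com.example.tvplayer cdn.example.net 500000
2023-08-01T01:55:00 NET com.example.chat push.example.org 900
2023-08-01T02:00:00 SCREEN off
2023-08-01T02:00:20 NET com.example.tvplayer cdn.example.net 40000
2023-08-01T02:05:00 NET com.example.tvplayer mppado.oooocooo.com 1200
2023-08-01T02:05:02 NET com.example.tvplayer firebasestorage.googleapis.com 3000
2023-08-01T02:05:05 NET com.example.tvplayer ads.example.com 250000
2023-08-01T02:20:00 NET com.example.chat push.example.org 800
2023-08-01T02:35:05 NET com.example.tvplayer ads.example.com 310000
2023-08-01T07:00:00 SCREEN on
2023-08-01T07:01:00 NET com.example.chat push.example.org 1000
"""

def screen_off_traffic(log, grace=timedelta(seconds=60)):
    """Per package: bytes and hosts seen while the screen was off.

    Traffic inside the grace window after screen-off is ignored, since
    foreground transfers can legitimately finish just after the screen dims.
    """
    off_since = None
    stats = defaultdict(lambda: {"bytes": 0, "hosts": set()})
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = line.split()
        when = datetime.fromisoformat(ts)
        if kind == "SCREEN":
            off_since = when if rest[0] == "off" else None
        elif kind == "NET" and off_since and when - off_since > grace:
            pkg, host, size = rest
            stats[pkg]["bytes"] += int(size)
            stats[pkg]["hosts"].add(host)
    return stats

def flag(log, min_bytes=100_000):
    """Packages whose screen-off traffic exceeds min_bytes, with the hosts contacted."""
    return {pkg: sorted(s["hosts"])
            for pkg, s in screen_off_traffic(log).items()
            if s["bytes"] >= min_bytes}

if __name__ == "__main__":
    for pkg, hosts in flag(SAMPLE_LOG).items():
        print(pkg, "->", ", ".join(hosts))
```

Audio players and sync clients also move data with the screen off, so the flagged host list is the part to review: page loads from ad hosts are the signal, not the volume alone.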
In conclusion, it is essential for users to exercise caution and carefully evaluate the necessity of granting permissions like power saving exclusion or draw over other apps before allowing them. While these permissions might be required for certain legitimate functionalities that run in the background, it is important to consider the potential risks linked with them, such as enabling hidden behaviors or reducing the relevance of ads and content displayed to users because of the hidden Clicker behavior. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience. For more information, visit McAfee Mobile Security.
Indicators of Compromise (IoCs)
Domains:
Android Packages
| Package Name | Application Name | SHA256 | Google Play Downloads |
| --- | --- | --- | --- |
| band.kr.com | DMB TV | f3e5aebdbd5cd94606211b04684730656e0eeb1d08f4457062e25e7f05d1c2d1 | 10,000+ |
| com.dmb.media | DMB TV | 6aaaa6f579f6a1904dcf38315607d6a5a2ca15cc78920743cf85cc4b0b892050 | 100,000+ |
| dmb.onair.media | DMB TV | a98c5170da2fdee71b699ee145bfe4bdcb586b623bbb364a93bb8bdf8dbc4537 | 10,000+ |
| easy.kr | DMB TV | 5ec8244b2b1f516fd96b0574dc044dd40076ff7aa7dadb02dfefbd92fc3774bf | 100,000+ |
| kr.dmb.onair | DMB TV | e81c0fef52065864ee5021e1d4c7c78d6a407579e1d48fc4cf5551ff0540fdb8 | 5,000+ |
| livedmb.kr | DMB TV | 33e5606983526757fef2f6c1da26474f4f9bf34e966d3c204772de45f42a6107 | 50,000+ |
| stream.kr.com | DMB TV | a13e26bce41f601a9fafdec8003c5fd14908856afbab63706b133318bc61b769 | 100+ |
| com.breakingnews.player | 뉴스 속보 | d27b8e07b7d79086af2fa805ef8d77ee51d86a02d81f2b8236febb92cb9b242d | 10,000+ |
| jowonsoft.android.calendar | 달력 | 46757b1f785f2b3cec2906a97597b7db4bfba168086b60dd6d58d5a8aef9e874 | 10,000+ |
| com.music.free.bada | 뮤직다운 | a3fe9f9b531ab6fe79ed886909f9520a0d0ae98cf11a98f061dc179800aa5931 | 100,000+ |
| com.musicdown | 뮤직다운 | 5f8eb3f86fc608f9de495ff0e65b866a78c25a9260da04ebca461784f039ba16 | 5,000+ |
| new.kr.com | 뮤직다운 | 397373c39352ef63786fe70923a58d26cdf9b23fa662f3133ebcbc0c5b837b66 | 100,000+ |
| baro.com | 바로TV | 3b4302d00e21cbf691ddb20b55b045712bad7fa71eb570dd8d3d41b8d16ce919 | 10,000+ |
| baro.live.tv | 바로TV | 760aa1a6c0d1e8e4e2d3258e197ce704994b24e8edfd48ef7558454893796ebe | 50,000+ |
| baro.onair.media | 바로TV | b83a346e18ca20ac5165bc1ce1c8807e89d05abc6a1df0adc3f1f0ad4bb5cd0c | 10,000+ |
| kr.baro.dmb | 바로TV | 84a4426b1f8ea2ddb66f12ef383a0762a011d98ff96c27a0122558babdaf0765 | 100,000+ |
| kr.live | 바로TV | cccfdf95f74add21da546a03c8ec06c7832ba11091c6d491b0aadaf0e2e57bcc | 1,000+ |
| newlive.com | 바로TV | c76af429fabcfd73066302eeb9dd1235fd181583e6ee9ee9015952e20b4f65bf | 50,000+ |
| onair.baro.media | 바로TV | 6c61059da2ae3a8d130c50295370baad13866d7e5dc847f620ad171cc01a39e9 | 10,000+ |
| freemusic.ringtone.player | 벨소리 무료다운 | 75c74e204d5695c75209b74b10b3469babec1f7ef84c7a7facb5b5e91be0ae3e | 100,000+ |
| com.app.allplayer | 실시간 TV | 8d881890cfa071f49301cfe9add6442d633c01935811b6caced813de5c6c6534 | 50,000+ |
| com.onair.shop | 실시간 TV | 1501dd8267240b0db0ba00e7bde647733230383d6b67678fc6f0c7f3962bd0d3 | 50,000+ |
| eight.krdmb.onair | 실시간 TV | bbd6ddbfee7482fe3fe8b5d96f3be85e09352711a36cd8cf88cfdeaf6ff90c79 | 10,000+ |
| free.kr | 실시간 TV | 5f864aa88de07a10045849a7906f616d079eef94cd463e40036760f712361f79 | 10,000+ |
| kr.dmb.nine | 실시간 TV | ea49ad38dd7500a6ac12613afe705eb1a4bcab5bcd77ef24f2b9a480a34e4f46 | 100,000+ |
| kr.live.com | 실시간 TV | f09cff8a05a92ddf388e56ecd66644bf88d826c5b2a4419f371721429c1359a7 | 10,000+ |
| kr.live.onair | 실시간 TV | e8d2068d086d376f1b78d9e510a873ba1abd59703c2267224aa58d3fca2cacbd | 100,000+ |
| kr.live.tv | 실시간 TV | 1b64283e5d7e91cae91643a7dcdde74a188ea8bde1cf745159aac76a3417346e | 50,000+ |
| kr.media.onair | 실시간 TV | bd0ac9b7717f710e74088df480bde629e54289a61fc23bee60fd0ea560d39952 | 100,000+ |
| kr.onair.media | 실시간 TV | d7dd4766043d4f7f640c7c3fabd08b1a7ccbb93eba88cf766a0de008a569ae4d | 1,000+ |
| live.kr.onair | 실시간 TV | b84b22bc0146f48982105945bbab233fc21306f0f95503a1f2f578c1149d7e46 | 10,000+ |
| live.play.com | 실시간 TV | 516032d21edc2ef4fef389d999df76603538d1bbd9d357a995e3ce4f274a9922 | 50,000+ |
| new.com | 실시간 TV | 5d07a113ce389e430bab70a5409f5d7ca261bcdb47e4d8047ae7f3507f044b08 | 50,000+ |
| newlive.kr | 실시간 TV | afc8c1c6f74abfadd8b0490b454eebd7f68c7706a748e4f67acb127ce9772cdb | 100,000+ |
| onair.best | 실시간 TV | 6234eadfe70231972a4c05ff91be016f7c8af1a8b080de0085de046954c9e8e7 | 50,000+ |
| com.m.music.free | 음악다운 | ded860430c581628ea5ca81a2f0f0a485cf2eeb9feafe5c6859b9ecc54a964b2 | 100,500,000+ |
| good.kr.com | 음악다운 | bede67693a6c9a51889f949a83ff601b1105c17c0ca5904906373750b3802e91 | 100,000+ |
| new.music.com | 음악다운 | fee6cc8b606cf31e55d85a7f0bf7751e700156ce5f7376348e3357d3b4ec0957 | 1,000+ |
| play.com.apps | 음악다운 | b2c1caab0e09b4e99d5d5fd403c506d93497ddb2de3e32931237550dbdbe7f06 | 100,000+ |
| com.alltrot.player | 트로트 노래모음 | 469792f4b9e4320faf0746f09ebbcd8b7cd698a04eef12112d1db03b426ff70c | 50,000+ |
| com.trotmusic.player | 트로트 노래모음 | 879014bc1e71d7d14265e57c46c2b26537a81020cc105a030f281b1cc43aeb77 | 5,000+ |
| best.kr.com | 파도 MP3 | f2bbe087c3b4902a199710a022adf8b57fd927acac0895ab85cfd3e61c376ea5 | 100,000+ |
| com.pado.music.mp3 | 파도 MP3 | 9c84c91f28eadd0a93ef055809ca3bceb10a283955c9403ef1a39373139d59f2 | 100,000+ |
The post Invisible Adware: Unveiling Ad Fraud Targeting Korean Android Users appeared first on McAfee Blog.
—————
Protect Your Social Media Passwords from Hacks and Attacks

What does a hacker want with your social media account? Plenty.
Hackers hijack social media accounts for several reasons. They’ll dupe the victim’s friends and followers with scams. They’ll flood feeds with misinformation. And they’ll steal all kinds of personal information—not to mention photos and chats in DMs. In all, a stolen social media account could lead to fraud, blackmail, and other crimes.
Yet you have a strong line of defense that can prevent it from happening to you: multi-factor authentication (MFA).
What is multi-factor authentication (MFA)?
MFA goes by other names, such as two-factor authentication and two-step verification. Yet they all boost your account security in much the same way. They add an extra step or steps to the login process. Extra evidence to prove that you are, in fact, you. It’s in addition to the usual username/password combination, thus the “multi-factor” in multi-factor authentication.
Examples of MFA include:
- Sending a one-time code via a text or phone call, often seen when logging into bank and credit card accounts.
- Sending a one-time code to an authentication app, such as when logging into a gaming service.
- Asking for the answer to a security question, like the name of your elementary school or the model of your first car.
- Biometric information, like a fingerprint or facial scan.
With MFA, a hacker needs more than just your username and password to weasel their way into your account. They need that extra piece of evidence required by the login process, which is something only you should have.
This stands as a good reminder that you should never give out the information you use in your security questions and never share your one-time security codes with anyone. In fact, scammers cobble together all kinds of phishing scams to steal that information.
How to set up MFA on your social media accounts.
Major social media platforms offer MFA, although they might call it by other names. As you’ll see, several platforms call it “two-factor authentication.”
Given the way that interfaces and menus can vary and get updated over time, your best bet for setting up MFA on your social media accounts is to go right to the source. Social media platforms provide the latest step-by-step instructions in their help pages. A simple search for “multi-factor authentication” and the name of your social media platform should readily turn up results.
For quick reference, you can find the appropriate help pages for some of the most popular platforms here:
- Facebook two-factor authentication help page
- Instagram two-factor authentication help page
- Twitter two-factor authentication help page
- TikTok two-factor authentication help page
- Snapchat two-factor authentication help page
Another important reminder is to check the URL of the site you’re on to ensure it’s legitimate. Scammers set up all kinds of phony login and account pages to steal your info. Phishing scams like those are a topic all on their own. A great way you can learn to spot them is by giving our Phishing Scam Protection Guide a quick read. It’s part of our McAfee Safety Series, which covers a broad range of topics, from romance scams and digital privacy to online credit protection and ransomware.
MFA – a good call for your social media accounts, and other accounts too.
In many ways, your social media account is an extension of yourself. It reflects your friendships, interests, likes, and conversations. Only you should have access to that. Putting MFA in place can help keep it that way.
More broadly, enabling MFA across every account that offers it is a smart security move as well. It places a major barrier in the way of would-be hackers who, somehow, in some way, have ended up with your username and password.
On the topic, ensure your social media accounts have strong, unique passwords in place. The one-two punch of strong, unique passwords and MFA will make hacking your account tougher still. Wondering what a strong, unique password looks like? Here’s a hint: a password with eight characters is less secure than you might think. With a quick read, you can create strong, unique passwords that are tough to crack.
Lastly, consider using comprehensive online protection software if you aren’t already. In addition to securing your devices from hacks and attacks, it can help protect your privacy and identity across your travels online—both on social media and off.
The post Protect Your Social Media Passwords from Hacks and Attacks appeared first on McAfee Blog.
—————
Stealthy npm Malware Exposes Developer Data