All the news
18.04 Components updated in Dr.Web 12.0 products for Windows
April 18, 2019
Changes made to Dr.Web Control Service:
- The module has been updated to be compatible with the upcoming Windows 10 Redstone 6 release.
Changes made to Dr.Web Updater:
- An updating issue involving the update mirror directories on FAT32 partitions has been resolved.
Changes made to Dr.Web Security Space, Anti-virus for Windows setup:
- The UI elements are now displayed correctly in the setup window.
The update will be downloaded and installed automatically.
15.04 Dr.Web Security Space for Android on Google Play updated to version 12.3.2
April 15, 2019
Enhanced threat detection:
- The ability to detect the
EvilParcel vulnerability; - An improved ability to detect signs of infection in previously installed applications;
- The added ability to detect malicious applications packed with Bangcle, Sechell, and the latest version of Tencent;
- A fix that ensures uninterrupted anti-virus scanning.
Changes affecting the application’s UI and features:
- The Call and SMS Filter and Anti-theft components have been disabled;
- The URL shortening feature is no longer available;
The Call and SMS Filter and Anti-theft components have been disabled to comply with Google Play policy changes. Under the new permission policy, anyone who has an anti-virus installed on their Android device can no longer access features related to SMS data.
The Dr.Web software will be updated automatically under Android 4.4 and later. If automatic updates are disabled on your device, go to Google Play, select Dr.Web Security Space on the application list, and tap "Update."
To update via the Doctor Web site, you need to download a new distribution file. If the “New app version” option has been enabled in the settings, a notification will be displayed whenever the virus databases are updated. You can start the download directly from this dialogue box.
April 12, 2019
The attackers embed the trojan in initially harmless software and then distribute the modified copies via popular third-party Android stores, such as Nine Store and Apkpure. Our experts detected Android.InfectionAds.1 in games and software such as HD Camera, ORG 2018_19\Tabla Piano Guitar Robab Guitar, Euro Farming Simulator 2018, and Touch on Girls. Some of them were installed by at least several thousand mobile device owners. However, the number of infected applications and affected users may be much greater.
When a user launches a program containing a trojan, it extracts auxiliary modules from file resources to decrypt and launch them as well. One of them is designed to display obnoxious ads, while others infect applications and automatically install software.
Android.InfectionAds.1 overlays advertising banners on the system interface and running applications, making it difficult to work with the devices. In addition, if triggered by the command and control server, the trojan can modify the code of popular advertising platforms, such as Admob, Facebook, and Mopub, which are used in many programs and games. It replaces their advertising identifiers with its own identifier so that all profits from displaying advertisements in infected applications are transferred to the attackers.
Android.InfectionAds.1 exploits the critical vulnerability CVE-2017-13315 in Android, which allows the trojan to launch system activities. As a result, it can automatically install and uninstall programs without a user’s knowledge. The trojan is based on the PoC code (Proof of Concept) by Chinese researchers, written to prove the possibility of exploiting this system breach.
CVE-2017-13315 falls under the EvilParcel class of vulnerabilities. This means that a number of system components contain an error that allows for alteration of data during the exchange between applications and the operating system. The final value of the specifically generated fragment of the transmitted data will differ from the initial one. Thus, programs are able to bypass operating system checks, obtain higher privileges, and perform previously unavailable actions. As of now, we know of 7 vulnerabilities of this type, but the number may increase over time.
Using EvilParcel, Android.InfectionAds.1 installs the hidden APK file that contains all components of the trojan. Similarly, Android.InfectionAds.1 is able to install its own updates, downloaded from the command and control server, as well as other software or malware. For example, during our analysis, the trojan downloaded and installed the malware Android.InfectionAds.4, one of its own modifications.
An example of how the trojan installs applications without the user’s permission:
Along with EvilParcel, the trojan also exploits another Android vulnerability known as Janus (CVE-2017-13156). This system breach can be used to infect previously installed applications by embedding the trojan’s copy within them. Android.InfectionAds.1 connects to the command and control server and obtains a list of programs that it needs to infect. If it fails to connect to the remote server, it will infect applications specified in the initial settings. Depending on the modification, the list may contain different items. See below an example from one of the versions of Android.InfectionAds.1 we have investigated:
- com.whatsapp (WhatsApp Messenger);
- com.lenovo.anyshare.gps (SHAREit - Transfer & Share);
- com.mxtech.videoplayer.ad (MX Player);
- com.jio.jioplay.tv (JioTV - Live TV & Catch-Up);
- com.jio.media.jiobeats (JioSaavn Music & Radio – including JioMusic);
- com.jiochat.jiochatapp (JioChat: HD Video Call);
- com.jio.join (Jio4GVoice);
- com.good.gamecollection;
- com.opera.mini.native (Opera Mini - fast web browser);
- in.startv.hotstar (Hotstar);
- com.meitu.beautyplusme (PlusMe Camera - Previously BeautyPlus Me);
- com.domobile.applock (AppLock);
- com.touchtype.swiftkey (SwiftKey Keyboard);
- com.flipkart.android (Flipkart Online Shopping App);
- cn.xender (Share Music & Transfer Files – Xender);
- com.eterno (Dailyhunt (Newshunt) - Latest News, LIVE Cricket);
- com.truecaller (Truecaller: Caller ID, spam blocking & call record);
- com.ludo.king (Ludo King™).
To infect software, the trojan embeds its components in APK files without changing the digital signature. Then it installs the modified versions of the apps instead of the originals. Since the vulnerability helps the digital signature of the infected files remain the same, the programs are installed as their own updates. At the same time, EvilParcel helps perform the installation independently from the user. As a result, the affected software continues its normal operations, but with a functioning copy of Android.InfectionAds.1 within it. Once apps are infected, the trojan gets access to their data. For example, if WhatsApp is infected, the trojan gets access to all users’ messages, if a browser is infected, saved logins and passwords are available to the trojan.
The only way to remove the trojan and restore the security of the infected programs is to remove the applications containing it and reinstall their normal versions from reliable sources, such as Google Play. The updated version of Dr.Web Security Space for Android is able to detect EvilParcel vulnerabilities. This feature is available in Security Auditor. You can download a new distribution package from the Doctor Web official website. Soon it will be available on Google Play as well. All Dr. Web products for Android successfully detect and remove known modifications of Android.InfectionAds.1, so the trojan does not pose any threat to our users.
[Read more about Android.InfectionAds.1]
#Android, #trojan, #malware
11.04 Dr.Web Anti-rootkit API updated in Dr.Web 12.0 products for Windows
April 11, 2019
Specifically it resolves a threat neutralisation issue involving directory names containing invalid path characters.
The update will be downloaded and installed automatically.
11.04 The official website of a popular video editing software was infected with a banking trojan
April 11, 2019
VSDC is a popular, free software for editing video and sound. According to SimilarWeb statistics, monthly visits of the VSDC website come close to 1.3 million users. However, the security measures taken by the website’s developers often turn out to be insufficient for such traffic volume, which endangers a large number of people.
Last year unknown hackers gained access to the administrative side of the VSDC website and replaced the download links. Instead of the editing software, users received a JavaScript file, which then downloaded the AZORult Stealer, X-Key Keylogger and the DarkVNC backdoor. The VSDC team stated that they closed the vulnerability, but recently we received information about additional cases of infection through their website.
According to our researchers, the VSDC developer’s computer has been compromised several times since the previous incident. One such hack led to the website being compromised again between 2019-02-21 and 2019-03-23. This time hackers took a different approach to spreading the malware: they embedded a malicious JavaScript code inside the VSDC website. Its task was to determine the visitor’s geolocation and replace download links for users from the UK, USA, Canada and Australia. Native website links were substituted by links to another compromised website:
- https://thedoctorwithin[.]com/video_editor_x64.exe
- https://thedoctorwithin[.]com/video_editor_x32.exe
- https://thedoctorwithin[.]com/video_converter.exe
Users that downloaded software from that website also received a dangerous banking trojan, Win32.Bolik.2. Same as its predecessor,
Additionally, on 22.03.2019 the attackers changed the Win32.Bolik.2 trojan to another malware, a variation of the Trojan.PWS.Stealer, KPOT Stealer. This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs. In just one day it was downloaded by 83 users.
The VSDC developers were notified about the threat; and at the present moment, download links were restored to the originals. However, Doctor Web experts recommend that all VSDC users check their devices with our antivirus.
#banker #banking_trojan #virus
10.04 Dr.Web Security Space for Android updated to version 12.3.2
April 10, 2019
Improvements in the new version include:
- Ability to detect the EvilParcel vulnerability;
- An improved ability to detect signs of infection in previously installed applications;
- The added ability to detect malicious applications packed with Bangcle, Sechell, and the latest version of Tencent;
- A fix that ensures uninterrupted anti-virus scanning.
To update via the Doctor Web site, you need to download a new distribution file. If the “New app version” option has been enabled in the settings, a notification will be displayed whenever the virus databases are updated. You can start the download directly from this dialogue box.
10.04 Full version of Dr.Web Security Space for Android available only from Doctor Web`s site
April 15, 2019
Dr.Web anti-viruses with SMS functionality were removed from Google Play as a follow-up to the recent changes in Google’s permission policy—first Dr.Web Security Space for Android Life became inaccessible, and then Dr.Web Security Space for Android was removed too. To comply with the new requirements, we removed the affected protection components from the applications, and now the programs are once again available for download from Google Play, albeit without the Call and SMS filter and the Anti-theft.
Doctor Web invites all customers wanting to use the full version of Dr.Web Security Space for Android to download the application from Doctor Web's official site. You will still be able to use the serial number you acquired from Google Play.
Download the full version of Dr.Web Security Space for Android
#Android #mobile #subscription #Google #Google_Play
09.04 Anti-virus Dr.Web Light on Google Play updated
April 9, 2019
Improvements in the new version include:
- An improved ability to detect signs of infection in previously installed applications;
- The added ability to detect malicious applications packed with Bangcle, Sechell, and the latest version of Tencent;
- A fix that ensures uninterrupted anti-virus scanning.
Anti-virus Dr.Web Light for Android will be updated to the new version automatically. If automatic updates are disabled on your device, you need to go to Google Play, choose Dr.Web Light on the application list, and click "Update".
08.04 The international companies official newsletters are used to steal money from bank accounts
April 8, 2019
Recently several Russian users received phishing emails from well-known international companies such as Audi, Austrian Airlines and S-Bahn Berlin. Those emails were sent from official company addresses and didn’t raise any suspicions. The header and the email itself are written in English or German; but the letter begins with words in Russian saying “money for you”.
At the beginning of the email, a link leads users to the hacked page of a dating website. Then due to malicious code embedded into the website’s stub page users are redirected through several other websites to a phishing one.
Once there, victims see a message saying that their email address won a chance to participate in the international promo called “The lucky e-mail”. If victims agree to participate, they must complete a survey in order to receive the prize money ranging from 10 to 3000 EUR. To increase creditability, the website’s developers added comments from people who allegedly received the prize, including comments from people not satisfied with the size of the reward.
After a few survey questions, the website displays information about the promo, reward size, and withdrawal conditions. One condition is that the winner must pay a commission for exchanging EUR to RUB.
To pay the commission, victims are redirected to a fake payment page where they are supposed to enter their credit card information. Once complete, victims are asked to provide the verification code sent by SMS. When all the steps are completed, the victim’s bank account is debited and their credit card data is left to the hackers. Additionally, no funds are credited to the victim’s bank account.
What’s interesting is how the hackers send the phishing emails. They use official email newsletter signup forms on company websites. Special symbols are allowed in the forms, so it’s possible to send malicious links via official company newsletters. To do this, hackers fill in the “Name” field with words like “Money for you” and the “Last name” with a link to the phishing website. As a result, victims receive an email from the official company address, asking them to confirm the subscription.
Doctor Web researchers recommend using caution when opening links in any emails and not to leave any personal information on suspicious websites.
08.04 Dr.Web for IBM Lotus Domino distribution updated to version 12.0
April 8, 2019
Changes made to Dr.Web Scanning Engine:
- Scanning issues involving password-protected archives have been fixed.
Changes made to Dr.Web for Lotus Domino setup:
- An issue involving new version upgrade routines has been resolved.
You can download the updated distribution file from Doctor Web's site.
04.04 Dr.Web for Microsoft Exchange setup component updated in Dr.Web for Microsoft Exchange
April 4, 2019
Changes made to the Dr.Web for Microsoft Exchange distribution file (12.0.0.03290):
- Updated virus databases;
- An updated anti-spam filtering database;
- Dr.Web Scanning Engine (12.0.3.201903270) and Dr.Web for Microsoft Exchange setup (12.0.0.03290) have been updated.
Changes made to Dr.Web Scanning Engine:
- Scanning issues involving password-protected archives have been fixed.
Changes made to Dr.Web for Microsoft Exchange setup (12.0.0.03290):
- The setup now displays up-to-date information about the operating systems that are incompatible with the Dr.Web application.
You can download the updated distribution file from Doctor Web's site.
04.04 Dr.Web Enterprise Security Suite 11.0 updated
April 4, 2019
Changes made to the Outlook Plugin:
- An issue causing MS Outlook to launch slowly and exhibit performance problems when switching between messages has been resolved.
Changes made to the Scanning Engine:
- An issue preventing system scans from being paused during rootkit checks has been resolved.
- Scanning issues involving password-protected archives have been fixed.
The update will be performed automatically; however, a system reboot will be required.
April 3, 2019
| Go to the review |
03.04 Doctor Web’s March 2019 virus activity review
April 3, 2019
In March, Doctor Web’s analysts finished studying the trojan that threatened the Counter-Strike 1.6 players. Included in the main threats identified in March is a dynamic in how principal threats compare to the previous month’s. For example, the activity of Trojan.MulDrop8.60634 has decreased three times since February, while the number of threats like Trojan.Packed.24060 and Adware.OpenCandy.243 increased in March. Additionally, the number of domain names added to Dr.Web’s database of non-recommended and dangerous websites has decreased. Doctor Web has also received more data decoding requests from ransomware victims.
Principal trends in March
- The rise of malicious browser extensions
- A spike in adware activity and unwanted programs
- An increase in the number of applications submitted by ransomware victims
Threat of the month
In March Doctor Web’s analysts published a thorough study of the Belonard trojan, which exploits zero-day vulnerabilities in the Counter-Strike 1.6 Steam client. Once on the victim’s computer, the trojan replaces the client files and creates proxies to infect other users. The number of malicious CS 1.6 servers created by the Belonard trojan rose to 39% of all official servers registered on Steam. Now all modules of the Belonard Trojan have been successfully detected by Dr.Web’s products and no longer pose a threat to our customers.
According to Doctor Web’s statistics servers
Threats of the month:
Trojan.Packed.24060 - This program installs malicious browser extensions that redirect search results to different websites.
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings. Installation adware that spreads outdated software and changes the browser’s settings.
Adware.OpenCandy.243 - A family of applications designed to install other software in the system. These programs are used by free software developers in order to monetize their apps. A family of applications designed to install other software in the system. These programs are used by developers of free software in order to monetize their apps.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.Starter.7394
- A trojan designed to launch other malicious software on a victim’s device.
Decreased amount of threats from:
- Trojan.MulDrop8.60634
- Installs malware in a system. All the components necessary for installation are usually stored inside the MulDrop itself.
- Adware.Downware.19283
- The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882.
- W97M.DownLoader.2938
- A family of downloader Trojans that exploit vulnerabilities in office applications. Designed to download other malware onto a compromised computer.
- Exploit.Rtf.CVE2012-0158
- A modified Microsoft Office document. It exploits the CVE2012-0158 vulnerability in order to run malicious code.
Trojan.SpyBot.699 - A multi-module banking trojan. It allows cybercriminals to download and launch various applications on an infected device and to execute their commands. The trojan is intended to steal money from bank accounts.
- JS.DownLoader.1225
- A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.
Trojan.PWS.Stealer.23680 - A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.
Encryption ransomware
In March, Doctor Web’s technical support was most often contacted by victims of the following encryption ransomware:
Trojan.Encoder.858 —28.39%;Trojan.Encoder.18000 —9.54%;Trojan.Encoder.27210 —4.25%;Trojan.Encoder.11464 —4.14%;Trojan.Encoder.11539 —4.14%;Trojan.Encoder.567 —2.76%;Trojan.Archivelock —2.34%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During March 2019, Doctor Web added 270,227 URLs into the Dr.Web database of non-recommended sites.
| February 2019 | March 2019 | Dynamics |
|---|---|---|
| + 288 159 | + 270 227 | - 6.63% |
Malicious and unwanted programs for mobile devices
In the past month Doctor Web specialists found many new malicious programs on Google Play. Among them was the infamous family of
Beyond that, more trojans of the
Additionally, hackers continued to spread banking trojans. Doctor Web reported on one such trojan at the end of March. The malicious software known as Flexnet steals money from banking accounts and mobile phones balance.
At the end of the month, Doctor Web’s researchers disclosed details about the vulnerability in the popular Android browser, “UC Browser”, which was able to download plug-ins bypassing the Google Play servers. This vulnerability could have been exploited by hackers in order to spread malware.
Among the most noticeable events related to mobile malware in March:
- the detection of a vulnerability in the UC Browser;
- the spread of malicious programs on Google Play.
- the distribution of banking trojans.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Find out more with Dr.Web
April 3, 2019
03.04 March 2019 mobile malware review from Doctor Web
April 3, 2019
In March, Doctor Web reported a vulnerability in the mobile app, UC Browser, which can download new modules from third-party server. Cybercriminals could use this feature to infect Android smartphones and tablets. Additionally, malware analysts shared information about the Flexnet trojan that stole money from bank cards and mobile credit accounts. During March, other malicious applications were detected on Google Play.
PRINCIPAL TRENDS IN MARCH
- Detection of a vulnerability in UC Browser
- Distribution of banking trojans
- The detection of new malicious programs on Google Play
Mobile threat of the month
At the end of March, Doctor Web reported a vulnerability in the UC Browser app for Android, discovered by our malware analysts. This program downloaded additional plugins, bypassing Google Play servers and thus violating Google’s policies. Cybercriminals could interfere with the download and make the browser download and launch malicious files instead. Over 500,000,000 mobile users have been exposed to threats. See the details of this vulnerability in our virus library.
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.originAndroid.Backdoor .2080- Trojans that execute commands from attackers and allow them to control infected mobile devices.
Android.RemoteCode .197.origin- Malicious application designed to download and execute arbitrary code.
Android.HiddenAds .659Android.HiddenAds .261.origin- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs, which in some cases covertly install them in the system catalog.
- Adware.Zeus.1
- Adware.Jiubang.2
- Adware.Toofan.1.origin
- Adware.Gexin.3.origin
- Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.
Tool.VirtualApk .1.origin- A potentially dangerous software platform that allows applications to run APK files without installing them.
Banking trojans for Android
Cybercriminals continue to distribute banking trojans based on the source code of the
Threats on Google Play
In March, we found more malicious programs on Google Play, including the trojans
In addition, our malware analysts identified more trojans of the
After installation and launch, they hide their icons and begin constantly overlaying ads over program windows and the operating system interface, making it difficult to work with the Android devices.
Users of Android devices are threatened by trojans not only distributed via malicious websites, but also via the official Google Play store. To protect smartphones and tablets, we recommend that you install Dr.Web for Android.
Your Android needs protection!
Use Dr.Web
- First Russian anti-virus for Android
- Over 140 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
03.04 Components updated in Dr.Web 11.1 products for Unix-like systems
April 2, 2019
Changes affecting all the products:
- A drweb-configd module (11.1.1-1903211617) issue preventing the MeshD component from being started under FreeBSD, unless additional parameters were specified, has been resolved;
- Adjustments have been made to the drweb-cloudd (11.1.2-1903221816) and drweb-filecheck (11.1.1-1903221816) modules to improve their stability.
- The drweb-openssl (11.1.1-1903011310) module now supports OpenSSL 1.0.2r.
Changes made to Dr.Web Anti-virus 11.1 for Unix Mail Servers, Dr.Web Anti-virus 11.1 for Unix Server, and Dr.Web Anti-virus 11.1 for Internet gateways Unix:
- The drweb-httpd-webconsole module (11.1.1-1902271448) now contains an up-to-date list of the component settings for 11.1 products;
- UI texts have been corrected for the drweb-httpd-webconsole module (11.1.1-1902271448);
- A web console sign-in issue involving the drweb-libs (11.1.1-1903211533) module under FreeBSD has been addressed.
Changes made to the drweb-gui (11.1.1-1903191718) module in Dr.Web Anti-virus 11.1 for Linux:
- Now only the first two digits of the version number are displayed in the About section.
Minor tweaks have been made to the drweb-configd (11.1.1-1903211617) and drweb-esagent (11.1.1-1903062330) modules in all the products. Less significant changes have also been introduced in the drweb-antispam (11.1.1-1903051843) and drweb-gui (11.1.1-1903191718) modules in Dr.Web Anti-virus 11.1 for Linux as well as in the drweb-antispam (11.1.1-1903051843) module in Dr.Web Anti-virus 11.1 for Unix Mail Servers.
The updated products can be installed using the official Dr.Web repository.
01.04 Dr.Web vxCube 1.3 updated
April 01, 2019
Changes made to the analysis service:
- An issue resulting in analysis errors has been resolved.
- False positives involving certain analysis rules have been addressed.
To purchase a license, please contact our sales support service.
With a Dr.Web vxCube trial license, you can examine 10 objects in 10 days. You can give it a try here.
To learn more about Dr.Web vxCube and its system requirements, please read the release notes.
#Dr.Web #services #analysis
01.04 Components updated in Dr.Web 12.0 products for Windows
April 1, 2019
Changes made to email-templates:
- Email notifications now contain additional information, including the computer name and OS version.
Changes made to Dr.Web Scanning Engine:
- An issue preventing system scans from being paused during rootkit checks has been resolved.
- A scanning issue involving password-protected archives has been fixed.
Changes made to Dr.Web SpIDer Agent for Windows:
- Fixed an issue related to using an input field in the window of adding exclusions for files and folders. The issue prevented a manually entered name or mask from saving.
The update will be performed automatically; however, a system reboot will be required.
28.03 Dr.Web Link Checker updated to version 3.9.16
March 28, 2019
Changes made to Dr.Web LinkChecker:
- A compatibility issue involving the Disconnect and Adblock Plus browser extensions has been resolved;
- Also eliminated was a problem preventing the extension from checking links in social media on pages that were opened in new tabs with the middle mouse button;
- An issue causing no refresh warning to appear after the settings had been changed has been resolved;
- Minor issues interfering with the look and feel of webpages have been fixed;
- Plugin UI texts have been updated.
To use the latest Dr.Web Link Checker, download it from the extensions catalogue that corresponds to your browser (Google Chrome or Mozilla Firefox). Please note that you can also visit the Google Chrome Web Store to download Dr.Web LinkChecker for the latest versions of Opera and Yandex.Browser. If you already use Dr.Web Link Checker, it will be updated automatically.
28.03 Dr.Web Enterprise Security Suite 11.0 updated
March 28, 2019
Changes made to Dr.Web Updater and Dr.Web Enterprise Agent for Windows setup:
- Issues preventing the Dr.Web agent from being deployed on PCs that already have Dr.Web Security Space installed on them have been resolved.
The update will be downloaded and installed automatically.
28.03 Lua-Updater rolled back in Dr.Web 12.0 for Windows
March 28, 2019
If you experience any problems, install the latest Windows 10 update or contact Doctor Web's technical support.
The module will be rolled back to the previous version automatically.
26.03 Doctor Web reports on Dr.Web Security Space Life`s sudden removal from Google Play
March 26, 2019
This step comes as a follow-up to Google’s recent change of its call log and SMS permission policy. The Call and SMS filter and Anti-theft components of the Doctor Web app require these permissions. The company has been negotiating with Google for all the application features to remain available to users. However, currently Dr.Web Security Space Life is not available on Google Play.
Doctor Web is doing its best to make the application available in the software catalogue again.
Users owning Dr.Web Security Space Life licenses can contact our support service. Provide your license order number and the associated email address in the support query. In response, you will receive the application apk-file. Information about other life license usage options will be made available later.
April 15, 2019
To comply with the new Google requirements, we have removed the Call and SMS filter and the Anti-theft from the application, and now the program is once again available for download.
26.03 Hundreds of millions of UC Browser users for Android are threatened
March 26, 2019
As of now, UC Browser has been downloaded by over 500,000,000 Google Play users. Anyone who has installed this software may be in danger. Doctor Web has detected its hidden ability to download auxiliary components from the Internet. The browser receives commands from the command and control server and downloads new libraries and modules, which add new features and can be used to update the software.
For example, during our analysis, UC Browser downloaded an executable Linux library from a remote server. The library was not malicious; it is designed to work with MS Office documents and PDF files. Initially, this library was not in the browser. After downloading, the program saved the library to its directory and launched it for execution. Thus, the application is actually able to receive and execute code, bypassing the Google Play servers. This violates Google’s rules for software distributed in its app store. The current policy states that applications downloaded from Google Play cannot change their own code or download any software components from third-party sources. These rules were applied to prevent the distribution of modular trojans that download and launch malicious plug-ins. Such trojans include
A potentially dangerous updating feature has been present in the UC Browser since at least 2016. Although the application has not been seen distributing trojans or unwanted software, its ability to load and launch new and unverified modules poses a potential threat. It’s impossible to be sure that cybercriminals will never get ahold of the browser developer’s servers or use the update feature to infect hundreds of millions of Android devices.
The vulnerable feature of UC Browser can be used to perform man-in-the-middle attacks (MITM). To download new plug-ins, the browser sends a request to the command and control server and receives a link to file in response. Since the program communicates with the server over an unsecured channel (the HTTP protocol instead of the encrypted HTTPS), cybercriminals can hook the requests from the application. They can replace the commands with ones containing different addresses. This makes the browser download new modules from malicious server instead of its own command and control server. Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification.
See below an example of such an attack, modeled by our virus analysts. The video shows a potential victim who downloads a PDF document via UC Browser and tries to view it. To open the file, the browser tries to download the corresponding plug-in from the command and control server. However, due to the MITM substitution, the browser downloads and launches a different library. This library then creates a text message that says, “PWNED!”.
Thus, MITM attacks can help cybercriminals use UC Browser to spread malicious plug-ins that perform a wide variety of actions. For example, they can display phishing messages to steal usernames, passwords, bank card details, and other personal data. Additionally, trojan modules will be able to access protected browser files and steal passwords stored in the program directory.
Read more about this vulnerability here.
The browser’s “younger brother”, the UC Browser Mini application, can also download untested components, bypassing Google Play servers. It has been equipped with this feature since at least December 2017. So far, over 100,000,000 Google Play users have downloaded the program, putting them all at risk. However, the above MITM attack will not work with UC Browser Mini, unlike UC Browser.
Upon detecting a dangerous feature in UC Browser and UC Browser Mini, Doctor Web specialists contacted the developer of both browsers, but they refused to comment on the matter. So our malware analysts then reported the case to Google, but as of the publication date of this article, both browsers are still available and can download new components, bypassing Google Play servers. Owners of Android devices should independently decide whether to continue using these programs or remove them and wait until they are updated to fix potential vulnerabilities.
Meanwhile, Doctor Web continues monitoring the situation.
Your Android needs protection!
Use Dr.Web
- First Russian anti-virus for Android
- Over 140 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
26.03 Doctor Web notifies users of Dr.Web Security Space Life’s sudden removal from Google Play
March 26, 2019
This step comes as a follow-up to changes Google recently made to its call log and SMS permission policy. The Call and SMS filter and Anti-theft components of the Doctor Web app require these permissions. The company has been negotiating with Google for all the application features to remain available to users. However, currently Dr.Web Security Space Life is not available on Google Play.
