Light Dark
September 2, 2019 By David Bisson 3 min read

Last week in security news, researchers came across a new variant of TrickBot that arrived with new features allowing it to target U.S. mobile users. Speaking of mobile threats, analysts spotted several Android Trojans, including one that potentially infected up to 100 million users on the Google Play store. Security researchers detected plenty of other malware attacks as well. In one case, they succeeded in shutting down a worm by cooperating with law enforcement overseas.

Top Story of the Week: TrickBot’s New Features

Last week, Secureworks discovered that the GOLD BLACKBURN threat group had modified TrickBot’s dynamic webinjects to target Verizon Wireless, T-Mobile and Sprint. Those features enabled the malware to intercept a server response whenever a victim decided to navigate to the websites of one of those U.S. mobile carriers. At that point, TrickBot proxied the response through its command-and-control (C&C) server.

The threat’s C&C server in turn injected HTML and JavaScript into the webpage, code that, when rendered in a victim’s browser, added a field for users to supply their PIN codes. With this information, attackers could perpetuate port-out or SIM swap fraud against their victims.

Source: iStock

Also in Security News

  • China Chopper Still Relevant After Nine Years: Cisco Talos found that the China Chopper web shell has remained relevant nine years after it was first spotted. Researchers attributed this ongoing relevance to the fact that several threat groups staged their own China Chopper attack campaigns over the previous two years.
  • New Ares ADB Botnet Targeting Android-Based Internet of Things (IoT) Devices: While investigating Android set-top boxes, WootCloud Labs uncovered the botnet targeting Android-based IoT devices. Researchers specifically witnessed the botnet leveraging the Android Debug Bridge (ADB) interface to discover additional Android devices and installing other malicious payloads.
  • 100 Million Users Potentially Exposed to Trojan via Google Play: Kaspersky Lab examined CamScanner – Phone PDF Creator and found that the app used an advertising library containing the malicious dropper Trojan-Dropper.AndroidOS.Necro.n. Based on researchers’ analysis, this Trojan might have affected more than 100 million users who downloaded the app from the Google Play store.
  • Dropper Earns Spot on Top 10 List of Mobile Malware: Over the summer, Malwarebytes Labs witnessed a dropper, dubbed Android/Trojan.Dropper.xHelper, earn a spot on its list of the top 10 most detected mobile malware strains. Researchers took a closer look and determined that the Trojan came in semi-stealth and full-stealth modes; in either case, the malware avoided creating an icon and shortcut on an infected device.
  • Joint Effort Shuts Down Retadup Worm: Avast revealed that it first began actively monitoring the Retadup worm in March 2019. This investigation uncovered a design flaw in the threat’s C&C protocol, which the security firm then leveraged in collaboration with the French National Gendarmerie to neutralize 850,000 infections and shut down the malware.
  • Nemty Ransomware Shows No Kindness to Antivirus Industry: A deep dive into the code of Nemty ransomware revealed several hidden messages. In particular, Bleeping Computer found that the threat used a strongly worded message directed at the antivirus industry as the name for its key that decodes base64 strings and creates URLs.
  • Attackers Leverage Two Remote Access Trojans (RATs) to Target Various Sectors: Near the end of August, Cisco Talos revealed that it had spotted attackers using RevengeRAT and Orcus RAT to target government entities, financial services organizations and other companies. Researchers observed the malware using persistence mechanisms typical of fileless attacks along the way.

Security Tip of the Week: Defending Against Mobile Malware

In its analysis of Android/Trojan.Dropper.xHelper, Malwarebytes Labs emphasized how important it is for organizations to leverage best practices in the fight against mobile malware:

“If confirmed to be true, our theory highlights the need to be cautious of the mobile websites you visit. Also, if your web browser redirects you to another site, be extra cautious about click anything. In most cases, simply backing out of the website using the Android’s back key will keep you safe.”

For added protection, security professionals should leverage mobile security solutions that can account for context and correlate it with facts to deter mobile threats. Organizations should do this in tandem with a unified endpoint management (UEM) platform that monitors all endpoints and automatically flags instances of suspicious activity.

 |  |  |  |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

January 30, 2025

When ransomware kills: Attacks on healthcare facilities

4 min read - As ransomware attacks continue to escalate, their toll is often measured in data loss and financial strain. But what about the loss of human life? Nowhere is the ransomware threat more acute than in the healthcare sector, where patients’ lives are literally on the line.Since 2015, there has been a staggering increase in ransomware attacks on healthcare facilities. And the impacts are severe: Diverted emergency services, delayed critical treatments and even fatalities. Meanwhile, the pledge some ransomware groups made during…

January 29, 2025

AI and cloud vulnerabilities aren’t the only threats facing CISOs today

6 min read - With cloud infrastructure and, more recently, artificial intelligence (AI) systems becoming prime targets for attackers, security leaders are laser-focused on defending these high-profile areas. They’re right to do so, too, as cyber criminals turn to new and emerging technologies to launch and scale ever more sophisticated attacks.However, this heightened attention to emerging threats makes it easy to overlook traditional attack vectors, such as human-driven social engineering and vulnerabilities in physical security.As adversaries exploit an ever-wider range of potential entry points…

January 28, 2025

4 trends in software supply chain security

4 min read - Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and customers whose sensitive information was compromised.Expect to see more software supply chain attacks moving forward. According to ReversingLabs' The State of Software Supply Chain Security 2024 study, attacks against the software…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature