September 2, 2019 By David Bisson 3 min read

Last week in security news, researchers came across a new variant of TrickBot that arrived with new features allowing it to target U.S. mobile users. Speaking of mobile threats, analysts spotted several Android Trojans, including one that potentially infected up to 100 million users on the Google Play store. Security researchers detected plenty of other malware attacks as well. In one case, they succeeded in shutting down a worm by cooperating with law enforcement overseas.

Top Story of the Week: TrickBot’s New Features

Last week, Secureworks discovered that the GOLD BLACKBURN threat group had modified TrickBot’s dynamic webinjects to target Verizon Wireless, T-Mobile and Sprint. Those features enabled the malware to intercept a server response whenever a victim decided to navigate to the websites of one of those U.S. mobile carriers. At that point, TrickBot proxied the response through its command-and-control (C&C) server.

The threat’s C&C server in turn injected HTML and JavaScript into the webpage, code that, when rendered in a victim’s browser, added a field for users to supply their PIN codes. With this information, attackers could perpetuate port-out or SIM swap fraud against their victims.
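A defender's view of the webinject described above, as an added example that is not part of the original article or of the Secureworks analysis: it compares the form fields and inline scripts of an observed page against a known-good copy of the same page, so that an extra field (such as a PIN prompt) or an extra inline script stands out. Both HTML samples below are constructed for the example; in practice the baseline would come from a trusted fetch of the carrier page and the observed copy from the client under investigation.

```python
from html.parser import HTMLParser

# Constructed sample: a minimal carrier login page as the legitimate server returns it.
BASELINE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<script src="/static/app.js"></script>
</body></html>
"""

# Constructed sample: the same page after a webinject added a PIN field and an inline script.
INJECTED_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="pin" placeholder="Account PIN">
  <input type="submit" value="Sign in">
</form>
<script src="/static/app.js"></script>
<script>document.forms[0].addEventListener("submit", function(){});</script>
</body></html>
"""


class _PageFeatureParser(HTMLParser):
    """Collects named <input> fields and counts <script> tags without a src attribute."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "input" and attributes.get("name"):
            self.fields.add(attributes["name"])
        elif tag == "script" and "src" not in attributes:
            # A script with no src is inline; webinjects typically add their logic this way.
            self.inline_scripts += 1


def analyze_page(html: str) -> dict:
    """Return the input-field names and inline-script count for one HTML document."""
    parser = _PageFeatureParser()
    parser.feed(html)
    parser.close()
    return {"fields": frozenset(parser.fields), "inline_scripts": parser.inline_scripts}


def detect_injection(baseline_html: str, observed_html: str) -> dict:
    """Diff an observed page against its known-good baseline.

    unexpected_fields: inputs present only in the observed page (e.g. an injected PIN prompt)
    missing_fields:    inputs present only in the baseline (a rewritten or removed form)
    new_inline_scripts: inline <script> blocks beyond what the baseline carries
    """
    base = analyze_page(baseline_html)
    seen = analyze_page(observed_html)
    return {
        "unexpected_fields": sorted(seen["fields"] - base["fields"]),
        "missing_fields": sorted(base["fields"] - seen["fields"]),
        "new_inline_scripts": max(0, seen["inline_scripts"] - base["inline_scripts"]),
    }


if __name__ == "__main__":
    report = detect_injection(BASELINE_HTML, INJECTED_HTML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run stand-alone, the script reports `pin` as the unexpected field and one added inline script, while comparing the baseline against itself reports nothing. The field-name diff is deliberately simple: it catches a field added to a login form, which is the behaviour the TrickBot webinjects exhibit, but an injection that only changes script logic would surface through the inline-script count rather than the field list.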


Also in Security News

  • China Chopper Still Relevant After Nine Years: Cisco Talos found that the China Chopper web shell has remained relevant nine years after it was first spotted. Researchers attributed this ongoing relevance to the fact that several threat groups staged their own China Chopper attack campaigns over the previous two years.
  • New Ares ADB Botnet Targeting Android-Based Internet of Things (IoT) Devices: While investigating Android set-top boxes, WootCloud Labs uncovered a botnet targeting Android-based IoT devices. Researchers specifically witnessed the botnet leveraging the Android Debug Bridge (ADB) interface to discover additional Android devices and install other malicious payloads.
  • 100 Million Users Potentially Exposed to Trojan via Google Play: Kaspersky Lab examined CamScanner – Phone PDF Creator and found that the app used an advertising library containing the malicious dropper Trojan-Dropper.AndroidOS.Necro.n. Based on researchers’ analysis, this Trojan might have affected more than 100 million users who downloaded the app from the Google Play store.
  • Dropper Earns Spot on Top 10 List of Mobile Malware: Over the summer, Malwarebytes Labs witnessed a dropper, dubbed Android/Trojan.Dropper.xHelper, earn a spot on its list of the top 10 most detected mobile malware strains. Researchers took a closer look and determined that the Trojan came in semi-stealth and full-stealth modes; in either case, the malware avoided creating an icon and shortcut on an infected device.
  • Joint Effort Shuts Down Retadup Worm: Avast revealed that it first began actively monitoring the Retadup worm in March 2019. This investigation uncovered a design flaw in the threat’s C&C protocol, which the security firm then leveraged in collaboration with the French National Gendarmerie to neutralize 850,000 infections and shut down the malware.
  • Nemty Ransomware Shows No Kindness to Antivirus Industry: A deep dive into the code of Nemty ransomware revealed several hidden messages. In particular, Bleeping Computer found that the threat used a strongly worded message directed at the antivirus industry as the name for its key that decodes base64 strings and creates URLs.
  • Attackers Leverage Two Remote Access Trojans (RATs) to Target Various Sectors: Near the end of August, Cisco Talos revealed that it had spotted attackers using RevengeRAT and Orcus RAT to target government entities, financial services organizations and other companies. Researchers observed the malware using persistence mechanisms typical of fileless attacks along the way.

Security Tip of the Week: Defending Against Mobile Malware

In its analysis of Android/Trojan.Dropper.xHelper, Malwarebytes Labs emphasized how important it is for organizations to leverage best practices in the fight against mobile malware:

“If confirmed to be true, our theory highlights the need to be cautious of the mobile websites you visit. Also, if your web browser redirects you to another site, be extra cautious about clicking anything. In most cases, simply backing out of the website using the Android back key will keep you safe.”

For added protection, security professionals should leverage mobile security solutions that can account for context and correlate it with facts to deter mobile threats. Organizations should do this in tandem with a unified endpoint management (UEM) platform that monitors all endpoints and automatically flags instances of suspicious activity.
