Jahanzaib Hassan
The IT security researchers at Palo Alto Network have discovered new samples of the Adware-family “Ewind” have been discovered by security researchers. As if earlier versions of the Adware weren’t good enough, hackers have made some lethal modifications in the new samples, and it is looking even more dangerous than before.
Researchers believe that the new modifications in “Ewind” have made it much more than just an ordinary adware. As written in their blog post “Ewind is more than simply Adware. Ewind is, at very least, an actual Trojan – subverting genuine Android apps. The actor behind this activity can easily take full control of the victim device.”
When investigating multiple samples of the Ewind, researchers found that the Adware can do a lot of damage to its victim and could perform multiple tasks. On gaining the administrative rights, attackers can send several commands to the infected device including locking the screen, displaying different ads, preventing the uninstallation of the app, etc.
Ewind can also be used to steal SMS and contacts of an infected device. The hackers can steal the sender’s phone number and the SMS content, and it is likely that the feature can be used to bypass two-factor authentication.
In case you are wondering how an adware can perform all the above-said function, here is the answer: -Ewind has a list of “Targeted apps” on it, and every time it spots a targeted app, the adware sends a signal to its command and control (C2) server, which then notify Ewind to execute the relevant command.
Old School Trick: Hackers behind the adware are using an old school trick to promote Ewind. The trick involves disassembling a popular app of the play store, cloning it with a malicious code inside, and uploading it to third party stores to hunt unwitty users.
Some of the popular cloned apps targeted by Ewind include GTA Vice City, AVG cleaner, Minecraft – Pocket Edition, Avast! Ransomware Removal, Vkontakte, and Opera Mobile.
The security firm also found conclusive evidence suggesting that the culprits behind this vicious scheme are from Russia. However, they noticed something strange, something unusual. The hackers are not even sparing their countrymen; this has never happened before.
The researchers further explained that “Usually Russian actors avoid targeting Russian subjects. Deliberate targeting of Russians, in this case – by an apparently Russian actor – is therefore somewhat unusual.”
Stay safe! Here is what you need to do to avoid being a victim of this vicious malware. Never download anything from an untrusted third party store, at least avoid giving administration access to those apps.