CERT-In warns of new viruses that steal money, user data

Two social media-triggered spyware viruses - ‘virtual girlfriend’ and ‘panda banker’ -- have creeped into the Indian cyberspace and can steal a user’s banking details and secret data once activated unknowingly, a cyber security advisory has said.

The more notorious one is personal data stealing virus ‘virtual girlfriend’ that “infects” a user’s android-based smartphone via popular social media site Twitter. “There have been reports of a new android malware family which is being spread disguised as an adult game known as virtual girlfriend through Twitter,” the Computer Emergency Response Team of India (CERT-In) said in a latest advisory. “This malware has the capability to steal the user’s data on to the C2 server (command and control server used by the virus),” it said.

Virtual Girlfriend

CERT-In is the nodal agency to combat hacking, phishing and to fortify security-related defences of the Indian internet domain. The advisory said that the “primary source of this malware is Twitter” and there are multiple handles (possibly bots) on this micro-blogging site that “have been sharing” the short link to this malware to entice users into installing it on their devices.

“The short link leads to the website hxxp://miakhalifagame[.]com/,” it said. The agency said the malware cons the user by flashing a message that it is getting un-installed but instead, it “hides” its icon from the app (application) drawer and continues to run silently in the background.

It then steals the android phone user’s mobile number, account detail, installed app list, contacts and SMSes, the advisory said. Once the classified information is compromised, the person becomes more vulnerable to cyber frauds that may lead to the user’s money being robbed rob and personal details such as photos and message content compromised, a cyber security expert said.

Panda Banker

Similarly, the other spyware that has been noticed on the Internet is the ‘panda banker’, a spin-off of the zeus banking trojan malware (a prominent hacking virus). “It leverages man-in the-browser or web inject attack techniques to steal user’s banking credentials,” the advisory said.

The malware, it said, generally spreads via unscrupulous attachments or via exploit kits (malicious snooping virus programmes) such as “ngler”, “nuclear” and “neutrino” exploit kits. “Though, the prime-targeted sector of this malware is financial sector and crypto currency sites, it also expands its attack in different organisation sectors like social networking sites, search, e-mail and adults sites,” it said.

Once successfully installed, this virus starts analysing the victim’s system to get information such as name of anti-virus, computer name, spyware installed, username, local time, among others, and sends this data to the C2 server, it said.

The malware finally starts performing unauthorised, malicious activities like stealing the banking credentials, generating fraudulent transactions using automatic transfer system (ATS), web inject ,installing ransomware, crypto mining among others.

Safety measures

The CERT-In has suggested users to follow safe browsing practices along with deploying certain countermeasures to thwart the two viruses. “Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list and never click on a URL (universal resource locator) contained in an unsolicited e-mail, even if the link seems benign. “In cases of genuine URLs close out the e-mail and go to the organisation’s website directly through browser,” the cyber security watchdog said.

It made a specific suggestion that prior to downloading or installing apps on android devices (even from Google play store), one should always review the app details, number of downloads, user reviews, comments and the additional information section there.

Users should also “enable” the two-factor authentication for their Google or other accounts and should use device encryption or encrypting external SD card, it said, adding one should avoid using unsecured, unknown wi-fi networks.