Threats – Kaspersky official blog (https://www.kaspersky.com/blog). The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware. Feed generated Wed, 28 Feb 2024 12:15:56 +0000.

VoltSchemer: attacks on wireless chargers through the power supply | Kaspersky official blog
https://www.kaspersky.com/blog/voltschemer-attack-wireless-chargers/50710/
Wed, 28 Feb 2024 12:15:56 +0000

A group of researchers from the University of Florida has published a study on a type of attack using Qi wireless chargers, which they’ve dubbed VoltSchemer. In the study, they describe in detail how these attacks work, what makes them possible, and what results they’ve achieved.

In this post, first we’ll discuss the researchers’ main findings. Then we’ll explore what it all means practically speaking — and whether you should be concerned about someone roasting your smartphone through a wireless charger.

The main idea behind the VoltSchemer attacks

The Qi standard has become the dominant one in its field: it’s supported by all the latest wireless chargers and smartphones capable of wireless charging. VoltSchemer attacks exploit two fundamental features of the Qi standard.

The first is the way the smartphone and wireless charger exchange information to coordinate the battery charging process: the Qi standard has a communication protocol that uses the only “thing” connecting the charger and the smartphone — a magnetic field — to transmit messages.

The second feature is the way that wireless chargers are intended for anyone to freely use. That is, any smartphone can be placed on any wireless charger without any kind of prior pairing, and the battery will start charging immediately. Thus, the Qi communication protocol involves no encryption — all commands are transmitted in plain text.

It is this lack of encryption that makes communication between charger and smartphone susceptible to man-in-the-middle attacks; that is, said communication can be intercepted and tampered with. That, coupled with the first feature (use of the magnetic field), means such tampering is not even that hard to accomplish: to send malicious commands, attackers only need to be able to manipulate the magnetic field to mimic Qi-standard signals.

VoltSchemer attack: malicious power adapter

To illustrate the attack, the researchers created a malicious power adapter: an overlay on a regular wall USB socket. Source

And that’s exactly what the researchers did: they built a “malicious” power adapter disguised as a wall USB socket, which allowed them to create precisely tuned voltage noise. They were able to send their own commands to the wireless charger, as well as block Qi messages sent by the smartphone.

Thus, VoltSchemer attacks require no modifications to the wireless charger’s hardware or firmware. All that’s necessary is to place a malicious power source in a location suitable for luring unsuspecting victims.

Next, the researchers explored all the ways potential attackers could exploit this method. That is, they considered various possible attack vectors and tested their feasibility in practice.

VoltSchemer attack: general outline and attack vectors

VoltSchemer attacks don’t require any modifications to the wireless charger itself — a malicious power source is enough. Source

1. Silent commands to Siri and Google Assistant voice assistants

The first thing the researchers tested was the possibility of sending silent voice commands to the built-in voice assistant of the charging smartphone through the wireless charger. They copied this attack vector from their colleagues at Hong Kong Polytechnic University, who dubbed this attack Heartworm.

Heartworm attack: the general idea

The general idea of the Heartworm attack is to send silent commands to the smartphone’s voice assistant using a magnetic field. Source

The idea here is that the smartphone’s microphone converts sound into electrical vibrations. It’s therefore possible to generate these electrical vibrations in the microphone directly using electricity itself rather than actual sound. To prevent this from happening, microphone manufacturers use electromagnetic shielding — Faraday cages. However, there’s a key nuance here: although these shields are good at suppressing the electrical component, they can be penetrated by magnetic fields.

Smartphones that can charge wirelessly are typically equipped with a ferrite screen, which protects against magnetic fields. However, this screen is located right next to the induction coil, and so doesn’t cover the microphone. Thus, today’s smartphone microphones are quite vulnerable to attacks from devices capable of manipulating magnetic fields — such as wireless chargers.

Heartworm attack: lack of protection in today's smartphones

Microphones in today’s smartphones aren’t protected from magnetic field manipulation. Source

The creators of VoltSchemer expanded the already known Heartworm attack with the ability to affect the microphone of a charging smartphone using a “malicious” power source. The authors of the original attack used a specially modified wireless charger for this purpose.

2. Overheating a charging smartphone

Next, the researchers tested whether it’s possible to use the VoltSchemer attack to overheat a smartphone charging on the compromised charger. Normally, when the battery reaches the required charge level or the temperature rises to a threshold value, the smartphone sends a command to stop the charging process.

However, the researchers were able to use VoltSchemer to block these commands. Without receiving the command to stop, the compromised charger continues to supply energy to the smartphone, gradually heating it up — and the smartphone can’t do anything about it. For cases such as this, smartphones have emergency defense mechanisms to avoid overheating: first, the device closes applications, and if that doesn’t help it shuts down completely.

VoltSchemer attack: overheating the charging smartphone

Using the VoltSchemer attack, researchers were able to heat a smartphone on a wireless charger to a temperature of 178°F — approximately 81°C. Source

Thus, the researchers were able to heat a smartphone up to a temperature of 81°C (178°F), which is quite dangerous for the battery — and in certain circumstances could lead to its catching fire (which could of course lead to other things catching fire if the charging phone is left unattended).

3. “Frying” other stuff

Next, the researchers explored the possibility of “frying” various other devices and everyday items. Of course, under normal circumstances, a wireless charger shouldn’t activate unless it receives a command from the smartphone placed on it. However, with the VoltSchemer attack, such a command can be given at any time, as well as a command to not stop charging.

Now, take a guess what will happen to any items lying on the charger at that moment! Nothing good, that’s for sure. For example, the researchers were able to heat a paperclip to a temperature of 280°C (536°F) — enough to set fire to any attached documents. They also managed to fry to death a car key, a USB flash drive, an SSD drive, and RFID chips embedded in bank cards, office passes, travel cards, biometric passports and other such documents.

VoltSchemer attack: frying external objects and devices

Also using the VoltSchemer attack, researchers were able to disable car keys, a USB flash drive, an SSD drive, and several cards with RFID chips, as well as heat a paperclip to a temperature of 536°F — 280°C. Source

In total, the researchers examined nine different models of wireless chargers available in stores, and all of them were vulnerable to VoltSchemer attacks. As you might guess, the models with the highest power pose the greatest danger, as they have the most potential to cause serious damage and overheat smartphones.

Should you fear a VoltSchemer attack in real life?

Protecting against VoltSchemer attacks is fairly straightforward: simply avoid using public wireless chargers and don’t connect your own wireless charger to any suspicious USB ports or power adapters.

While VoltSchemer attacks are quite interesting and can have spectacular results, their real-world practicality is highly questionable. Firstly, such an attack is very difficult to organize. Secondly, it’s not exactly clear what the benefits to an attacker would be — unless they’re a pyromaniac, of course.

But what this research clearly demonstrates is how inherently dangerous wireless chargers can be — especially the more powerful models. So, if you’re not completely sure of the reliability and safety of a particular wireless charger, you’d be wise to avoid using it. While wireless charger hacking is unlikely, the danger of your smartphone randomly getting roasted due to a “rogue” charger that no longer responds to charging commands isn’t entirely absent.

Toy robot security issues | Kaspersky official blog
https://www.kaspersky.com/blog/robot-toy-security-issue/50630/
Tue, 27 Feb 2024 15:00:33 +0000

Kaspersky experts recently studied the security of a popular toy robot model, finding major issues that allowed malicious actors to make a video call to any such robot, hijack the parental account, or, potentially, even upload modified firmware. Read on for the details.

What a toy robot can do

The toy robot model that we studied is a kind of hybrid between a smartphone/tablet and a smart-speaker on wheels that enables it to move about. The robot has no limbs, so rolling around the house is its only option to physically interact with its environment.

The robot’s centerpiece is a large touchscreen that can display a control UI, interactive learning apps for kids, and a lively, detailed animated cartoon-like face. Its facial expressions change with context: to their credit, the developers did a great job on the robot’s personality.

You can control the robot with voice commands, but some of its features don’t support these, so sometimes you have to catch the robot and poke its face, the built-in screen.

In addition to a built-in microphone and a rather loud speaker, the robot has a wide-angle camera placed just above the screen. A key feature touted by the vendor is parents’ ability to video-call their kids right through the robot.

On the front face, about halfway between the screen and the wheels, is an extra optical-object-recognition sensor that helps the robot avoid collisions. Obstacle recognition being totally independent of the main camera, the developers very usefully added a physical shutter that completely covers the latter.

So, if you’re concerned that someone might be peeping at you and/or your child through that camera — sadly not without reason as we’ll learn later — you can simply close the shutter. And in case you’re worried that someone might be eavesdropping on you through the built-in microphone, you can just turn off the robot (and judging by the time it takes to boot back up, this is an honest-to-goodness shutdown — not a sleep mode).

As you’d expect, an app for controlling and monitoring the toy is available for parents to use. And, as you must have guessed by now, it’s all connected to the internet and employs a bunch of cloud services under the hood. If you’re interested in the technical details, you can find these in the full version of the security research, which we’ve published on Securelist.

As usual, the more complex the system — the more likely it is to have security holes, which someone might try to exploit to do something unsavory. And here we’ve reached the key point of this post: after studying the robot closely, we found several serious vulnerabilities.

Unauthorized video calling

The first thing we found during our research was that malicious actors could make video calls to any robot of this kind. The vendor’s server issued video session tokens to anyone who had both the robot ID and the parent ID. The robot’s ID wasn’t hard to brute-force: every toy had a nine-character ID similar to the serial number printed on its body, with the first two characters being the same for every unit. And the parent’s ID could be obtained by sending a request with the robot ID to the manufacturer’s server without any authentication.

Thus, a malicious actor who wanted to call a random child could either try to guess a specific robot’s ID, or play a chat-roulette game by calling random IDs.

Complete parental account hijack

It doesn’t end there. The gullible system let anyone with a robot ID retrieve lots of personal information from the server: IP address, country of residence, kid’s name, gender, age — along with details of the parental account: parent’s email address, phone number, and the code that links the parental app to the robot.

This, in turn, opened the door for a far more hazardous attack: complete parental-account hijack. A malicious actor would only have needed to take a few simple steps:

  • The first one would have been to log in to the parental account from their own device by using the email address or phone number obtained previously. Authorization required submitting a six-digit one-time code, but login attempts were unlimited so trivial brute-forcing would have done the trick.
  • It would only have taken one click to unlink the robot from the true parental account.
  • Next would have been linking it to the attacker’s account. Account verification relied on the linking-code mentioned above, and the server would send it to all comers.

A successful attack would have resulted in the parents losing all access to the robot, and recovering it would have required contacting tech support. Even then, the attacker could still have repeated the whole process again, because all they needed was the robot ID, which remained unchanged.
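The hijack above turned on one missing control: the six-digit login code could be guessed without limit. The following is an added example written for this post, not the vendor’s code, of how a server-side one-time-code check looks when wrong guesses are capped and codes expire. The limits (five attempts, five-minute lifetime), the `Challenge` type and the `Enumerate` helper that plays the brute-force against it are all assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed limits for this example; the vendor's real values are not known.
const (
	MaxAttempts = 5
	CodeTTL     = 5 * time.Minute
)

var (
	ErrExpired   = errors.New("code expired; request a new one")
	ErrLockedOut = errors.New("too many wrong guesses; request a new one")
	ErrMismatch  = errors.New("wrong code")
	ErrConsumed  = errors.New("code already used")
)

// Challenge is one issued code plus the server-side state needed to
// enforce the attempt cap and lifetime.
type Challenge struct {
	code     string
	issued   time.Time
	attempts int
	used     bool
}

// NewChallenge wraps a known code (used by Issue and by tests).
func NewChallenge(code string, issued time.Time) *Challenge {
	return &Challenge{code: code, issued: issued}
}

// Issue draws a uniformly random six-digit code from crypto/rand.
func Issue(now time.Time) (*Challenge, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return nil, err
	}
	return NewChallenge(fmt.Sprintf("%06d", n.Int64()), now), nil
}

// Verify checks one guess. Every wrong guess counts, the comparison is
// constant-time, and after MaxAttempts the code is dead no matter what is
// submitted next, so the only way forward is a fresh code (issuing of
// which should itself be rate-limited per account).
func (c *Challenge) Verify(guess string, now time.Time) error {
	if c.used {
		return ErrConsumed
	}
	if now.Sub(c.issued) > CodeTTL {
		return ErrExpired
	}
	if c.attempts >= MaxAttempts {
		return ErrLockedOut
	}
	c.attempts++
	if subtle.ConstantTimeCompare([]byte(guess), []byte(c.code)) != 1 {
		return ErrMismatch
	}
	c.used = true
	return nil
}

// Enumerate submits 000000 upward against one challenge, as the post's
// unlimited-attempt login would have allowed, and reports whether any
// guess was accepted and how many guesses the server actually evaluated.
func Enumerate(c *Challenge, now time.Time) (accepted bool, tried int) {
	for i := 0; i < 1_000_000; i++ {
		switch err := c.Verify(fmt.Sprintf("%06d", i), now); err {
		case nil:
			return true, c.attempts
		case ErrMismatch:
			continue
		default: // locked out or expired: the server stopped evaluating guesses
			return false, c.attempts
		}
	}
	return false, c.attempts
}

func main() {
	ch := NewChallenge("999999", time.Now())
	ok, tried := Enumerate(ch, time.Now())
	fmt.Printf("accepted=%v guesses evaluated=%d\n", ok, tried)
}
```

With the cap in place the guessing loop is cut off after five evaluations, so a single code can be hit with probability at most 5 in a million, and repeated code requests are the remaining lever to throttle.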

Uploading modified firmware

Finally, as we studied the way that the robot’s various systems functioned, we discovered security issues with the software update process. Update packages came without a digital signature, and the robot installed a specially formatted update archive received from the vendor’s server without running any verifications first.

This opened possibilities for attacking the update server, replacing the archive with a modified one, and uploading malicious firmware that let the attacker execute arbitrary commands with superuser permissions on all robots. In theory, the attackers would then have been able to assume control over the robot’s movements, use the built-in cameras and microphones for spying, make calls to robots, and so on.
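The update problem described above is the absence of a signature check before installation. As an added example, not the vendor’s update code, here is the shape of that check: the vendor signs a small manifest (version plus archive digest) with an Ed25519 key, and the device verifies the manifest against a pinned public key, checks the archive against the digest, and refuses downgrades. The manifest layout, the `Update` type and the anti-rollback rule are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the pinned vendor key")
	ErrHashMismatch = errors.New("update rejected: archive does not match the signed manifest")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed firmware")
)

// Manifest is the only thing the vendor signs: the firmware version and
// the SHA-256 digest of the archive. Binding the version into the signed
// data is what lets the device refuse replayed older images.
type Manifest struct {
	Version uint32
	Digest  [sha256.Size]byte
}

// bytes gives the fixed, canonical encoding that is signed and verified.
func (m Manifest) bytes() []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Update is what the device downloads from the update server (assumed layout).
type Update struct {
	Manifest  Manifest
	Signature []byte
	Archive   []byte
}

// GenerateVendorKey produces the vendor signing pair; the private half stays
// on the build infrastructure and only the public half is baked into devices.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the vendor-side step performed when an archive is released.
func SignUpdate(priv ed25519.PrivateKey, version uint32, archive []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(archive)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.bytes()), Archive: archive}
}

// VerifyUpdate is the device-side gate that the robot skipped. Order matters:
// the signature is checked before anything in the package is trusted, then
// the archive is tied to the manifest, then rollback is refused.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pinned, u.Manifest.bytes(), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Archive) != u.Manifest.Digest {
		return ErrHashMismatch
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	genuine := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine:", VerifyUpdate(pub, 1, genuine))

	// An archive swapped on the server keeps the vendor's manifest and
	// signature but no longer matches the signed digest.
	swapped := genuine
	swapped.Archive = []byte("constructed modified image")
	fmt.Println("swapped archive:", VerifyUpdate(pub, 1, swapped))
}
```

Because the digest and version are inside the signed manifest, an attacker who controls the download path can replace the archive or replay an old signed release, but neither passes `VerifyUpdate` without the vendor’s private key.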

How to stay safe

This tale has a happy ending, though. We informed the toy’s developers about the issues we’d discovered, and they took steps to fix them. The vulnerabilities described above have all been fixed.

In closing, here are a few tips on staying safe while using various smart gadgets:

  • Remember that all kinds of smart devices — even toys — are typically highly complex digital systems whose developers often fail to ensure secure and reliable storage of user data.
  • As you shop for a device, be sure to closely read user feedback and reviews and, ideally, any security reports if you can find them.
  • Keep in mind that the mere discovery of vulnerabilities in a device doesn’t make it inferior: issues can be found anywhere. What you need to look for is the vendor’s response: it’s a good sign if any issues have been fixed. It’s not a good thing if the vendor appears not to care.
  • To avoid being spied or eavesdropped on by your smart devices, turn them off when you’re not using them, and shutter or tape over the camera.
  • Finally, it goes without saying that you should protect all your family members’ devices with a reliable security solution. A toy-robot hack is admittedly an exotic threat — but the likelihood of encountering other types of online threats is still very high these days.
KeyTrap attack can take out a DNS server | Kaspersky official blog
https://www.kaspersky.com/blog/keytrap-dnssec-vulnerability-dos-attack/50594/
Mon, 19 Feb 2024 09:23:52 +0000

A group of researchers representing several German universities and institutes have discovered a vulnerability in DNSSEC, a set of extensions to the DNS protocol designed to improve its security, and primarily to counter DNS spoofing.

An attack they dubbed KeyTrap, which exploits the vulnerability, can disable a DNS server by sending it a single malicious data packet. Read on to find out more about this attack.

How KeyTrap works and what makes it dangerous

The DNSSEC vulnerability has only recently become public knowledge, but it was discovered back in December 2023 and registered as CVE-2023-50387. It was assigned a CVSS 3.1 score of 7.5, and a severity rating of “High”. Complete information about the vulnerability and the attack associated with it is yet to be published.

Here’s how KeyTrap works. The malicious actor sets up a nameserver that responds to requests from caching DNS servers – that is, those which serve client requests directly – with a malicious packet. Next, the attacker has the caching server request a DNS record from their malicious nameserver. The record sent in response is a cryptographically signed malicious one. The way the signature is crafted causes the attacked DNS server trying to verify it to run at full CPU capacity for a long period of time.

According to the researchers, a single such malicious packet can freeze the DNS server for anywhere from 170 seconds to 16 hours – depending on the software it runs on. The KeyTrap attack can not only deny access to web content to all clients using the targeted DNS server, but also disrupt various infrastructural services such as spam protection, digital certificate management (PKI), and secure cross-domain routing (RPKI).

The researchers refer to KeyTrap as “the worst attack on DNS ever discovered”. Interestingly enough, the flaws in the signature validation logic making KeyTrap possible were discovered in one of the earliest versions of the DNSSEC specification, published as far back as… 1999. In other words, the vulnerability is about to turn 25!

CVE-2023-50387 has been present in the DNSSEC specification since 1999

The origins of KeyTrap can be traced back to RFC-2035, the DNSSEC specification published in 1999

Fending off KeyTrap

The researchers have alerted all DNS server software developers and major public DNS providers. Updates and security advisories to fix CVE-2023-50387 are now available for PowerDNS, NLnet Labs Unbound, and Internet Systems Consortium BIND9. If you are an administrator of a DNS server, it’s high time to install the updates.

Bear in mind, though, that the DNSSEC logic issues that have made KeyTrap possible are fundamental in nature and not easily fixed. Patches released by DNS software developers can only go some way toward solving the problem, as the vulnerability is part of standard, rather than specific implementations. “If we launch [KeyTrap] against a patched resolver, we still get 100 percent CPU usage but it can still respond,” said one of the researchers.

Practical exploitation of the flaw remains a possibility, with the potential result being unpredictable resolver failures. In case this happens, corporate network administrators would do well to prepare a list of backup DNS servers in advance so they can switch as needed to keep the network functioning normally and let users browse the web resources they need unimpeded.
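The backup-resolver advice above only helps if clients actually move on when a resolver stops answering. The following is an added example, not from the post or from any DNS vendor, of a client-side failover wrapper that gives each configured resolver a bounded time and falls through to the next. The `Resolver` interface and the two fake resolvers (one that never answers, modelling a server stuck at full CPU, and one with a constructed answer table) are assumptions made so the example runs offline; in production the first would be a `net.Resolver` dialling a specific server.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Resolver is an assumed interface over whatever does the actual lookup.
type Resolver interface {
	Lookup(ctx context.Context, name string) ([]string, error)
}

var ErrAllFailed = errors.New("all resolvers failed or timed out")

// LookupWithFailover tries servers in order, waiting at most perServer for
// each. An error or timeout advances to the next server; the outer ctx
// bounds the whole operation. It returns the answer and the index of the
// server that produced it.
func LookupWithFailover(ctx context.Context, name string, perServer time.Duration, servers []Resolver) (addrs []string, used int, err error) {
	type result struct {
		addrs []string
		err   error
	}
	for i, r := range servers {
		sub, cancel := context.WithTimeout(ctx, perServer)
		ch := make(chan result, 1) // buffered so a late answer cannot leak the goroutine
		go func(r Resolver) {
			a, e := r.Lookup(sub, name)
			ch <- result{a, e}
		}(r)
		select {
		case res := <-ch:
			cancel()
			if res.err == nil {
				return res.addrs, i, nil
			}
		case <-sub.Done():
			cancel() // this server is treated as down; move on
		}
		if ctx.Err() != nil {
			return nil, -1, ctx.Err()
		}
	}
	return nil, -1, ErrAllFailed
}

// FrozenResolver models a server that is busy and never answers: it only
// returns once the caller gives up on it.
type FrozenResolver struct{}

func (FrozenResolver) Lookup(ctx context.Context, name string) ([]string, error) {
	<-ctx.Done()
	return nil, ctx.Err()
}

// StaticResolver models a healthy backup with a constructed answer table.
type StaticResolver struct{ Table map[string][]string }

func (s StaticResolver) Lookup(ctx context.Context, name string) ([]string, error) {
	if a, ok := s.Table[name]; ok {
		return a, nil
	}
	return nil, errors.New("NXDOMAIN")
}

func main() {
	servers := []Resolver{
		FrozenResolver{}, // primary, modelled as unresponsive
		StaticResolver{Table: map[string][]string{"intranet.example": {"10.0.0.5"}}},
	}
	addrs, used, err := LookupWithFailover(context.Background(), "intranet.example", 200*time.Millisecond, servers)
	fmt.Println(addrs, "from server", used, "err:", err)
}
```

The per-server timeout should be short relative to the application’s own deadline, otherwise a frozen primary still consumes most of the budget before the backup is tried; the outer context check after each server keeps the total wait bounded.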

Navigating the risks of online dating | Kaspersky official blog
https://www.kaspersky.com/blog/navigating-online-dating-risks/50555/
Mon, 12 Feb 2024 10:38:45 +0000

Navigating the current dating landscape can be perplexing; it’s filled with apps, websites, catfishing, and lurking stalkers. While pre-Tinder dating had its challenges, it sure seemed to be less intricate.

Complicating matters is the heightened uncertainty about the identity of your virtual conversational partner, and the disconcerting possibility of digital stalking.

In fact, we recently commissioned a report on digital stalking to ascertain the reality of these risks and concerns. We engaged with over 21,000 participants to cast light on the alarming prevalence of digital abuse experienced by those in pursuit of love.

Revelations from the survey

As per our survey findings, 34% of respondents believe that googling or checking social media accounts of someone they’ve just started dating is a form of “due diligence”. While seemingly harmless, 23% reported encountering some form of online stalking from a new romantic interest, suggesting that some individuals may take a swift Google search a bit too far.

Furthermore, and somewhat alarmingly, over 90% of respondents expressed a willingness to share or consider sharing passwords that grant access to their location. While seemingly innocuous on the surface, there can loom the specter of stalkerware: silent software capable of continuously tracking user whereabouts and spying on messages.

How to protect yourself? Tips from the experts

We’ve compiled advice from leading online security, dating, and safety experts to help you navigate the waters of love safely this Valentine’s Day!

Enhanced password safety measures

Proactive verification techniques of online dating profiles

  • Run a reverse-image search for that profile; if it appears on multiple pages under various names, it’s likely a catfisher.
  • Look for inconsistencies in daters’ stories and profile details.
  • Be wary of sudden, intense expressions of love, or requests for money.
  • Use video calls to verify a dater’s identity before meeting in person.

Maximizing online dating profile security:

  • Conduct your own privacy audit of your social media accounts to understand what’s publicly visible.
  • Customize your privacy settings to control who can see your posts and personal information.
  • Regularly review your friends/followers list to ensure you know who has access to your information.

Strategic sharing guidelines:

  • Avoid posting details that could disclose your location, workplace, or routines.
  • Think twice before sharing emotionally charged or intimate content.
  • Be mindful of metadata or other identifiable clues in photos (like geotags) that can reveal your identity, location, or details you’d rather keep private.
  • Set personal boundaries on the type of information you share early on in a relationship; only reveal personal details gradually as trust builds over time.
  • Listen to your instincts – if something feels off, take a step back and give yourself a moment.
  • Consider how the data you share could be used to piece together a profile or compromise your physical safety.

Comprehensive safety plan for offline meetings:

  • Choose well-lit, public places for initial meetings.
  • Avoid sharing or displaying personal items that might reveal your address or sensitive information.
  • Arrange your own transportation to and from the meeting place.
  • Have a check-in system with a friend or family member.

As we embrace the possibilities for romance and connection in the digital age, let’s not forget the importance of our safety and wellbeing. By implementing these strategies, you can confidently explore the world of online dating while safeguarding both your digital and physical self. For more details, please take a look at our safe dating guide. And our premium security solution with identity protection and privacy features can help you keep calm and carry on… dating!

One-time passwords and 2FA codes — what to do if you receive one without requesting it | Kaspersky official blog
https://www.kaspersky.com/blog/unexpected-login-codes-otp-2fa/50526/
Thu, 08 Feb 2024 12:42:25 +0000

Over the past few years, we’ve become accustomed to logging into important websites and apps, such as online banking ones, using both a password and one other verification method. This could be a one-time password (OTP) sent via a text message, email or push notification; a code from an authenticator app; or even a special USB device (“token”). This method of logging in is called two-factor authentication (2FA), and it makes hacking much more difficult: stealing or guessing a password alone is no longer sufficient to hijack an account. But what should you do if you haven’t tried to log in anywhere yet suddenly receive a one-time code or a request to enter it?

There are three reasons why this situation might occur:

  1. A hacking attempt. Hackers have somehow learned, guessed, or stolen your password and are now trying to use it to access your account. You’ve received a legitimate message from the service they are trying to access.
  2. Preparation for a hack. Hackers have either learned your password or are trying to trick you into revealing it, in which case the OTP message is a form of phishing. The message is fake, although it may look very similar to a genuine one.
  3. Just a mistake. Sometimes online services are set up to first request a confirmation code from a text message, and then a password, or authenticate with just one code. In this case, another user could have made a typo and entered your phone/email instead of theirs — and you receive the code.

As you can see, there may be a malicious intent behind this message. But the good news is that at this stage, there has been no irreparable damage, and by taking the right action you can avoid any trouble.

What to do when you receive a code request

Most importantly, don’t click the confirmation button if the message is in the “Yes/No” form, don’t log in anywhere, and don’t share any received codes with anyone.

If the code request message contains links, don’t follow them.

These are the most essential rules to follow. As long as you don’t confirm your login, your account is safe. However, it’s highly likely that your account’s password is known to attackers. Therefore, the next thing to do is change the password for this account. Go to the relevant service by entering its web address manually — not by following a link. Enter your password, get a new (this is important!) confirmation code, and enter it. Then find the password settings and set a new, strong password. If you use the same password for other accounts, you’ll need to change the password for them, too — but make sure to create a unique password for each account. We understand that it’s difficult to remember so many passwords, so we highly recommend storing them in a dedicated password manager.

This stage — changing your passwords — is not so urgent. There’s no need to do it in a rush, but also don’t postpone it. For valuable accounts (like banking), attackers may try to intercept the OTP if it’s sent via text. This is done through SIM swapping (registering a new SIM card to your number) or launching an attack via the operator’s service network utilizing a flaw in the SS7 communications protocol. Therefore, it’s important to change the password before the bad guys attempt such an attack. In general, one-time codes sent by text are less reliable than authenticator apps and USB tokens. We recommend always using the most secure 2FA method available; a review of different two-factor authentication methods can be found here.

What to do if you’re receiving a lot of OTP requests

In an attempt to make you confirm a login, hackers may bombard you with codes. They try to log in to the account again and again, hoping that you’ll either make a mistake and click “Confirm”, or go to the service and disable 2FA out of annoyance. It’s important to keep cool and do neither. The best thing to do is go to the service’s site as described above (open the site manually, not through a link) and quickly change the password; but for this, you’ll need to receive and enter your own, legitimate OTP. Some authentication requests (for example, warnings about logging into Google services) have a separate “No, it’s not me” button — usually, this button causes automated systems on the service side to automatically block the attacker and any new 2FA requests. Another option, albeit not the most convenient one, would be to switch the phone to silent or even airplane mode for half-an-hour or so until the wave of codes subsides.

What to do if you accidentally confirm a stranger’s login

This is the worst-case scenario, as you’ve likely allowed an attacker into your account. Attackers act quickly in changing settings and passwords, so you’ll have to play catch-up and deal with the consequences of the hack. We’ve provided advice for this scenario here.

How to protect yourself?

The best method of defense in this case is to stay one step ahead of the criminals: si vis pacem, para bellum. This is where our security solution comes in handy. It tracks leaks of your accounts linked to both email addresses and phone numbers, including on the dark web. You can add the phone numbers and email addresses of all your family members, and if any account data becomes public or is discovered in leaked databases, Kaspersky Premium will alert you and give advice on what to do.

Included in the subscription, Kaspersky Password Manager will warn you about compromised passwords and help you change them, generating new uncrackable passwords for you. You can also add two-factor authentication tokens to it or easily transfer them from Google Authenticator in a few clicks. Secure storage for your personal documents will safeguard your most important documents and files, such as passport scans or personal photos, in encrypted form so that only you can access them.

Moreover, your logins, passwords, authentication codes and saved documents will be available from any of your devices — computer, smartphone or tablet — so even if you somehow lose your phone, you’ll lose neither your data nor access, and you’ll be able to easily restore them on a new device. And to access all your data, you only need to remember one password — the main one — which isn’t stored anywhere except in your head and is used for banking-standard AES data encryption.

With the “zero disclosure principle”, no one can access your passwords or data — not even Kaspersky employees. The reliability and effectiveness of our security solutions have been confirmed by numerous independent tests, with one recent example being our home protection solutions having received the highest award — Product of the Year 2023 — in tests run by the independent European laboratory AV-Comparatives.

Crypto wallet drainer: what it is and how to defend against it | Kaspersky official blog
https://www.kaspersky.com/blog/what-is-a-crypto-wallet-drainer/50490/
Tue, 06 Feb 2024 15:36:03 +0000

A new category of malicious tools has been gaining popularity with crypto scammers lately: crypto wallet drainers. This post will explain what crypto drainers are, how they work, what makes them dangerous — even for experienced users — and how to defend against them.

What a crypto (wallet) drainer is

A crypto drainer — or crypto wallet drainer — is a type of malware that’s been targeting crypto owners since it first appeared just over a year ago. A crypto drainer is designed to (quickly) empty crypto wallets automatically by siphoning off either all or just the most valuable assets they contain, and placing them into the drainer operators’ wallets.

As an example of this kind of theft, let us review the theft of 14 Bored Ape NFTs with a total value of over $1 million, which occurred on December 17, 2022. The scammers set up a fake website for the real Los Angeles-based movie studio Forte Pictures, and contacted a certain NFT collector on behalf of the company. They told the collector that they were making a film about NFT. Next, they asked the collector if they wanted to license the intellectual property (IP) rights to one of their Bored Ape NFTs so it could be used in the movie.

According to the scammers, this required signing a contract on “Unemployd”, ostensibly a blockchain platform for licensing NFT-related intellectual property. However, after the victim approved the transaction, it turned out that all 14 Bored Ape NFTs belonging to them were sent to the malicious actor for a paltry 0.00000001 ETH (about US¢0.001 at the time).

What the request to sign the “contract” looked like (left), and what actually happened after the transaction was approved (right). Source

The scheme relied to a large extent on social engineering: the scammers courted the victim for more than a month with email messages, calls, fake legal documents, and so on. However, the centerpiece of this theft was the transaction that transferred the crypto assets into the scammers’ ownership, which they undertook at an opportune time. Such a transaction is what drainers rely on.

How crypto drainers work

Today’s drainers can automate most of the work of emptying victims’ crypto wallets. First, they can help to find out the approximate value of crypto assets in a wallet and identify the most valuable ones. Second, they can create transactions and smart contracts to siphon off assets quickly and efficiently. And finally, they obfuscate fraudulent transactions, making them as vague as possible, so that it’s difficult to understand what exactly happens once the transaction is authorized.

Armed with a drainer, malicious actors create fake web pages posing as websites for cryptocurrency projects of some sort. They often register lookalike domain names, taking advantage of the fact that these projects tend to use currently popular domain extensions that resemble one another.

Then the scammers use a technique to lure the victim to these sites. Frequent pretexts are an airdrop or NFT minting: these models of rewarding user activity are popular in the crypto world, and scammers don’t hesitate to take advantage of that.

These X (Twitter) ads promoted NFT airdrops and new token launches on sites that contain the drainer. Source

Also commonplace are some totally unlikely schemes: to draw users to a fake website, malicious actors recently used a hacked Twitter account that belonged to a… blockchain security company!

X (Twitter) ads for a supposedly limited-edition NFT collection on scam websites. Source

Scammers have also been known to place ads on social media and search engines to lure victims to their forged websites. In the latter case, it helps them intercept customers of real crypto projects as they search for a link to a website they’re interested in. Without looking too closely, users click on the “sponsored” scam link, which is always displayed above organic search results, and end up on the fake website.

Google search ads with links to scam websites containing crypto drainers. Source

Then, the unsuspecting crypto owners are handed a transaction generated by the crypto drainer to sign. This can result in a direct transfer of funds to the scammers’ wallets, or more sophisticated scenarios such as transferring the rights to manage assets in the victim’s wallet to a smart contract. One way or another, once the malicious transaction is approved, all the valuable assets get siphoned off to the scammers’ wallets as quickly as possible.
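The step that decides everything in this scheme is the moment the user signs a transaction whose visible part (a tiny ETH value) says nothing about what the calldata does. Below is an added example, not Kaspersky's code and not any wallet extension's code, of the kind of plain-language check a transaction-review tool performs: it decodes the four standard ERC-20/ERC-721 selectors and rates blanket operator approvals and unlimited allowances to unvetted addresses as critical. All addresses and calldata are constructed.

```python
"""Plain-language review of what signing an EVM transaction would actually do.

Added example for this post, not Kaspersky's code and not any wallet or
browser extension's code. The four selectors are the standard ERC-20/ERC-721
function IDs; every address and calldata sample here is constructed.
"""
from __future__ import annotations

# Function selector = first 4 bytes of keccak256("name(types)"), as hex.
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
}
UINT256_MAX = (1 << 256) - 1
WEI_PER_ETH = 10**18

# Constructed addresses for the demo (not real contracts or wallets).
NFT_COLLECTION = "0x" + "ab" * 20
ERC20_TOKEN = "0x" + "ee" * 20
MY_COLD_WALLET = "0x" + "cc" * 20
UNKNOWN_OPERATOR = "0x" + "ba" * 20


def encode_call(selector: str, *args) -> str:
    """ABI-encode static arguments: each one becomes one 32-byte word."""
    words = []
    for a in args:
        if isinstance(a, str):                   # address, left-padded with zeros
            words.append(a[2:].lower().rjust(64, "0"))
        else:                                    # bool or uint256
            words.append(format(int(a), "064x"))
    return "0x" + selector + "".join(words)


def decode_calldata(data: str) -> tuple[str, list]:
    """Return (function name, decoded args); "<unknown>" for unlisted selectors."""
    hexstr = (data[2:] if data.startswith("0x") else data).lower()
    if len(hexstr) < 8:
        return "<empty>", []
    selector, body = hexstr[:8], hexstr[8:]
    if selector not in SELECTORS:
        return "<unknown>", []
    name, types = SELECTORS[selector]
    if len(body) != 64 * len(types):
        raise ValueError(f"{name}: expected {len(types)} 32-byte words")
    args = []
    for i, typ in enumerate(types):
        word = body[64 * i:64 * (i + 1)]
        if typ == "address":
            args.append("0x" + word[-40:])       # address sits in the low 20 bytes
        elif typ == "bool":
            args.append(int(word, 16) != 0)
        else:
            args.append(int(word, 16))
    return name, args


def review_transaction(tx: dict, trusted: set[str]) -> dict:
    """Summarise tx = {"to", "value_wei", "data"} and rate its risk.

    `trusted` holds lowercase addresses the user has vetted on purpose (own
    cold wallet, a known marketplace contract). Any other party that gains
    control over assets is treated as a potential drainer.
    """
    eth = tx.get("value_wei", 0) / WEI_PER_ETH
    name, args = decode_calldata(tx.get("data", "0x"))
    if name == "<empty>":
        return {"risk": "low", "summary": f"Sends {eth:.8f} ETH to {tx['to']}, nothing else"}
    if name == "<unknown>":
        return {"risk": "high", "summary": "Calldata cannot be decoded; do not sign what you cannot read"}
    if name == "setApprovalForAll":
        operator, enabled = args
        if not enabled:
            return {"risk": "low", "summary": f"Revokes operator {operator} on {tx['to']}"}
        ok = operator.lower() in trusted
        return {"risk": "low" if ok else "critical",
                "summary": f"Lets {operator} move EVERY token you hold in {tx['to']} at any time; "
                           f"you pay {eth:.8f} ETH now"}
    if name == "approve":
        spender, amount = args
        unlimited = amount == UINT256_MAX
        ok = spender.lower() in trusted
        risk = "low" if ok else ("critical" if unlimited else "high")
        what = "an UNLIMITED amount" if unlimited else f"up to {amount} units"
        return {"risk": risk, "summary": f"Lets {spender} spend {what} of token {tx['to']} for you"}
    if name == "transfer":
        to, amount = args
        return {"risk": "low" if to.lower() in trusted else "high",
                "summary": f"Sends {amount} units of token {tx['to']} to {to} immediately"}
    sender, to, amount_or_id = args                # transferFrom
    return {"risk": "low" if to.lower() in trusted else "critical",
            "summary": f"Moves token/ID {amount_or_id} of {tx['to']} from {sender} to {to} now"}


# A drainer-style transaction like the NFT theft above: a tiny visible ETH
# "price", and a blanket operator approval hidden in the calldata.
DRAINER_TX = {
    "to": NFT_COLLECTION,
    "value_wei": 10_000_000_000,                  # 0.00000001 ETH
    "data": encode_call("a22cb465", UNKNOWN_OPERATOR, True),
}

if __name__ == "__main__":
    r = review_transaction(DRAINER_TX, {MY_COLD_WALLET})
    print(f"[{r['risk'].upper()}] {r['summary']}")
```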

How dangerous crypto drainers are

The popularity of drainers among crypto scammers is growing rapidly. According to a recent study on crypto drainer scams, more than 320,000 users were affected in 2023, with total damage of just under $300 million. The fraudulent transactions recorded by the researchers included around a dozen — worth more than a million dollars each. The largest value of loot taken in a single transaction amounted to a little over $24 million!

Curiously, experienced cryptocurrency users fall prey to scams like this just like newbies. For example, the founder of the startup behind Nest Wallet was recently robbed of $125,000 worth of stETH by scammers who used a fake website promising an airdrop.

How to protect against crypto drainers

  • Don’t put all your eggs in one basket: try to keep only a portion of your funds that you need for day-to-day management of your projects in hot crypto wallets, and store the bulk of your crypto assets in cold wallets.
  • To be on the safe side, use multiple hot wallets: one for your Web3 activities such as drop hunting, another to hold the operating funds for those activities, and transfer your profits to cold wallets. You’ll pay extra commission for transfers between the wallets, but malicious actors would hardly be able to steal anything from the near-empty wallet used for airdrops.
  • Keep checking the websites you visit time and time again. Any suspicious detail is a reason to stop and double-check it all again.
  • Don’t click on sponsored links in search results: only use links in organic search results – that is, those that aren’t marked “sponsored”.
  • Review every transaction detail carefully.
  • Use companion browser extensions to verify transactions. These help identify fraudulent transactions and highlight what exactly will happen as a result of the transaction.
  • Finally, be sure to install reliable security on all devices you use to manage crypto assets.
How protection from crypto threats works in Kaspersky solutions

By the way, Kaspersky solutions offer multi-layered protection against crypto threats. Be sure to use comprehensive security on all your devices: phones, tablets, and computers. Kaspersky Premium is a good cross-platform solution. Check that all basic and advanced security features are enabled and read our detailed instructions on protecting both hot and cold crypto wallets.

Crypto theft from Exodus and Bitcoin wallets through cracked macOS apps | Kaspersky official blog https://www.kaspersky.com/blog/fake-macos-activator-steals-bitcoin-exodus-uses-dns/50361/ Wed, 31 Jan 2024 11:05:50 +0000 https://www.kaspersky.com/blog/?p=50361 Using cracked games or apps to spread malware is one of cybercriminals’ oldest tricks. Incredible as it may sound, gullible victims who believe in Robin Hoods and consider downloading cracked software and games from pirating websites to be absolutely safe still exist in 2024. The type of threat itself may be old, but malicious actors keep coming up with new ways of circumventing security on victims’ computers to deliver malware.

We recently discovered a new campaign of this kind targeting Apple computers running newer versions of macOS (13.6 and later) and leveraging certain Domain Name System (DNS) features for downloading malicious payloads. Victims are offered free downloads of cracked versions of popular apps. So what’s in store for those who give in to temptation?

Fake activation

After downloading a disk image purportedly containing the cracked app, the victim is prompted to copy two files to the Applications folder: the app itself, and a so-called “activator”. If you just copy and launch the app, it won’t run. According to the manual, the cracked app must be “activated” first. Our analysis found that the activator doesn’t do anything sophisticated: it simply removes several bytes from the beginning of the application executable to make it functional. In other words, the cybercriminals have modified a pre-cracked app to prevent it from running unless it’s “activated” first. To no one’s surprise, the activator has a nasty side-effect: it asks for admin permissions when it runs, and uses those to install a downloader script in the system. The script then downloads from the web a further payload — a backdoor that requests commands from its operators every now and then.

Installation manual, activator window, and prompt for administrator password

Linking via DNS

To download the malicious script, the activator employs a tool that’s both exotic and innocent-looking: the Domain Name System (DNS). We wrote about DNS and Secure DNS earlier, but we left out an interesting technical feature of the service. Besides the records that link the internet name of a server with its IP address, a domain can also carry a free-form text record — called a TXT record. This is what the malicious actors exploited by embedding snippets of malicious code within TXT records. The activator downloads three TXT records belonging to a malicious domain and assembles a script from these.

Although seemingly complicated, the setup has a number of advantages. To start with, the activator does nothing particularly suspicious: any web application requests DNS records — this is how any communication session has to begin. Secondly, the malicious actors can easily update the script to modify the infection pattern and the final payload by editing the TXT records of the domain. And finally, removing malicious content from the Web is no easy task due to the distributed nature of the Domain Name System. Internet service providers and companies would find it hard to even detect the violation of their policies because each of these TXT records is just a snippet of malicious code that poses no threat in and of itself.
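The defender’s counterpart to this setup is on the resolver side: a host that pulls several encoded-looking TXT records from one domain within a few seconds, none of which resembles the SPF, DKIM, DMARC or site-verification records TXT is normally used for. The detection logic below is an added example, not Kaspersky’s code; the log line format, the domain names, the TXT contents and the thresholds are all constructed for the demo and would be tuned on real traffic.

```python
"""Flag DNS TXT lookups that look like staged-payload retrieval rather than
ordinary mail-policy or domain-verification records.

Added example for this post, not Kaspersky's code. Log format, domains,
TXT contents and thresholds are constructed; tune them on your own traffic.
"""
from __future__ import annotations

import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log shape: one line per answered query.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) '
    r'qname=(?P<qname>\S+) rdata="(?P<rdata>[^"]*)"$'
)
# TXT records that are normal for almost every domain; never treat as payload.
BENIGN_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=", "ms=")
# Base64 / URL-safe / hex alphabet only, no spaces, at least 40 characters.
BLOBISH = re.compile(r"^[A-Za-z0-9+/=_-]{40,}$")

MIN_CHUNKS = 3          # the activator described above fetched three records
WINDOW_SECONDS = 60     # all chunks pulled inside one short burst
MIN_ENTROPY = 4.0       # bits per character; encoded data sits well above this


def parse_line(line: str) -> dict | None:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def base_domain(qname: str) -> str:
    """Crude registrable-domain guess (last two labels). A real detector
    would use the public suffix list instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_payload_chunk(rdata: str) -> bool:
    """True for opaque encoded-looking text; False for known TXT conventions."""
    if rdata.lower().startswith(BENIGN_PREFIXES):
        return False
    return bool(BLOBISH.match(rdata)) and shannon_entropy(rdata) >= MIN_ENTROPY


def find_txt_staging(lines) -> list[dict]:
    """One alert per (client, domain) that pulled >= MIN_CHUNKS distinct
    payload-like TXT names within WINDOW_SECONDS."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"].upper() != "TXT":
            continue
        if not looks_like_payload_chunk(rec["rdata"]):
            continue
        events[(rec["client"], base_domain(rec["qname"]))].append((rec["ts"], rec["qname"]))

    alerts = []
    for (client, domain), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            burst = {q for ts, q in evs[i:] if (ts - start).total_seconds() <= WINDOW_SECONDS}
            if len(burst) >= MIN_CHUNKS:
                alerts.append({"client": client, "domain": domain,
                               "qnames": sorted(burst), "first_seen": start.isoformat()})
                break
    return alerts


# Constructed base64-alphabet filler standing in for script chunks (no real code).
CHUNKS = [
    "QmFzZTY0Y2h1bmtPbmVPZlRocmVlQ29uc3RydWN0ZWRGb3JEZW1vMTIzNDU2Nzg5MA",
    "U2Vjb25kQ29uc3RydWN0ZWRDaHVua0ZvclRoZURlbW9PbmxZOTg3NjU0MzIxMGFiY2Q",
    "VGhpcmRDb25zdHJ1Y3RlZENodW5rRm9yVGhlRGVtb09ubHlBQkNERUZHSElKS0xNTk9Q",
]
STAGE = "stage.example-placeholder.invalid"      # constructed domain
LOG_SAMPLE = [
    '2024-01-30T10:00:01Z client=10.0.0.5 qtype=A qname=cdn.example.invalid rdata="203.0.113.10"',
    '2024-01-30T10:00:02Z client=10.0.0.5 qtype=TXT qname=example.invalid rdata="v=spf1 include:_spf.example.invalid -all"',
    f'2024-01-30T10:00:05Z client=10.0.0.5 qtype=TXT qname=p1.{STAGE} rdata="{CHUNKS[0]}"',
    f'2024-01-30T10:00:06Z client=10.0.0.5 qtype=TXT qname=p2.{STAGE} rdata="{CHUNKS[1]}"',
    f'2024-01-30T10:00:06Z client=10.0.0.5 qtype=TXT qname=p3.{STAGE} rdata="{CHUNKS[2]}"',
    '2024-01-30T10:00:09Z client=10.0.0.7 qtype=TXT qname=sel1._domainkey.example.invalid rdata="v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"',
    f'2024-01-30T10:00:12Z client=10.0.0.7 qtype=TXT qname=p1.{STAGE} rdata="{CHUNKS[0]}"',
]

if __name__ == "__main__":
    for alert in find_txt_staging(LOG_SAMPLE):
        print(f"{alert['first_seen']} {alert['client']} pulled {len(alert['qnames'])} "
              f"encoded TXT records from {alert['domain']}: {alert['qnames']}")
```

The single lookup from 10.0.0.7 stays below the burst threshold, which is the usual trade-off: lower MIN_CHUNKS catches two-chunk stagers at the cost of more noise from legitimate opaque TXT records such as long verification tokens.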

The final boss

The periodically-running download script allows the attackers to update the malicious payload and perform whatever actions they want on the victim’s computer. At the time of our analysis, they showed interest in stealing crypto. The backdoor automatically scans the victim’s computer for Exodus or Bitcoin wallets, and replaces these with trojanized versions. An infected Exodus wallet steals the user’s seed phrase, and an infected Bitcoin wallet — the encryption key that’s used to encrypt private keys. The latter gives the attackers the ability to sign transfers on behalf of the victim. This is how one can try to save a few dozen dollars on pirated apps — only to lose a vastly larger amount in crypto.

Protecting yourself against an attack on crypto wallets

This isn’t novel but still true: to keep away from this threat and avoid becoming a victim, download apps from official marketplaces only. Before downloading an app from a developer’s website, make sure it’s the genuine item and not from one of many phishing sites.

If you’re thinking of downloading a cracked version of an app, think again. “Scrupulous and trustworthy” pirating sites are about as rare as elves and unicorns.

No matter how highly you think of your computer literacy, caution, and attention to detail, be sure to use comprehensive security on all your devices: phones, tablets, and computers. Kaspersky Premium is a good cross-platform solution. Check that all basic and advanced security features are enabled. As for crypto owners, in addition to the above, we suggest reading our detailed instructions on protecting both hot and cold crypto wallets.

Can TVs, smartphones, and smart assistants eavesdrop on your conversations? | Kaspersky official blog https://www.kaspersky.com/blog/smart-speaker-tv-smartphone-eavesdropping/50236/ Tue, 16 Jan 2024 08:57:01 +0000 https://www.kaspersky.com/blog/?p=50236 Rumors of eavesdropping smart devices have been circulating for many years. Doubtless, you’ve heard a tale or two about how someone was discussing, say, the new coffee machine at work, and then got bombarded with online ads for, yes, coffee machines. We’ve already tested this hypothesis, and concluded that advertisers aren’t eavesdropping — they have many other less dramatic but far more effective ways of targeting ads. But perhaps the times are changing? News broke recently (here and here) about two marketing firms allegedly bragging about offering targeted ads based on just such eavesdropping. Granted, both companies later retracted their words and removed the relevant statements from their websites. Nevertheless, we decided to take a fresh look at the situation.

What the firms claimed

In calls with clients, podcasts, and blogs, CMG and Mindshift told much the same story — albeit devoid of any technical detail: smartphones and smart TVs allegedly help them recognize predetermined keywords in people’s conversations, which are then used to create custom audiences. These audiences, in the form of lists of phone numbers, email addresses, and anonymous advertising IDs, can be uploaded to various platforms (from YouTube and Facebook to Google AdWords and Microsoft Advertising) and leveraged to target ads at users.

If the second part about uploading custom audiences sounds quite plausible, the first is more than hazy. It’s not clear at all from the companies’ statements which apps and which technologies they use to collect information. But in the long (now deleted) blog post, the following non-technical passage stood out most of all: “We know what you’re thinking. Is this even legal? It is legal for phones and devices to listen to you. When a new app download or update prompts consumers with a multi-page term of use agreement somewhere in the fine print, Active Listening is often included.”

After being pestered by journalists, CMG removed the post from its blog and issued an apology/clarification, adding that there’s no eavesdropping involved, and the targeting data is “sourced by social media and other applications”.

The second company, Mindshift, just quietly erased all marketing messages about this form of advertising from its website.

When did they lie?

Clearly, the marketers “misspoke” either to their clients in promising voice-activated ads, or to the media. Most likely it was the former; here’s why:

  • Modern operating systems indicate clearly when the microphone is in use by a legitimate app. If, say, some weather app were constantly listening to the microphone, waiting for the words “coffee machine” to come from your lips, the microphone icon would light up in the notification panel of all the most popular operating systems.
  • On smartphones and other mobile devices, continuous eavesdropping will drain the battery and eat up data. This will get noticed and cause a wave of hate.
  • Constantly analyzing audio streams from millions of users would require massive computing power and be financial folly — since advertising profits could never cover the costs of such a targeting operation.

Contrary to popular belief, the annual revenue of advertising platforms per user is quite small: less than $4 in Africa, around $10 on average worldwide, and up to $60 in the U.S. Given that these figures refer to income, not profit, there’s simply no money left for eavesdropping. Doubters are invited to study, for example, Google Cloud’s speech recognition pricing: even at the most discounted wholesale rate (two million+ minutes of audio recordings per month), converting speech to text costs 0.3 cents per minute. Assuming a minimum of three hours of speech recognition per day, the client would have to spend around $200 per year on each individual user — too much even for U.S. advertising firms.

What about voice assistants?

That said, the above reasoning may not hold true for devices that already listen to voice commands by nature of their primary purpose. First and foremost are smart speakers, as well as smartphones with voice assistants permanently on. Less obvious devices include smart TVs that also respond to voice commands.

According to Amazon, Alexa is always listening out for the wake word, but only records and sends voice data to the cloud upon hearing it, and stops as soon as interaction with the user is over. The company doesn’t deny that Alexa data is used for ad targeting, and independent studies confirm it. Some users consider such a practice to be illegal, but the lawsuit they filed against Amazon is still ongoing. Meanwhile, another action brought against Amazon by the U.S. Federal Communications Commission resulted in a modest $30 million settlement. The e-commerce giant was ordered to pay out for failing to delete children’s data collected by Alexa, in direct violation of the U.S. Children’s Online Privacy Protection Act (COPPA). The company is also barred from using this illegally harvested data for business needs — in particular training algorithms.

And it’s long been an open secret that other voice assistant vendors also collect user interaction data: here’s the lowdown on Apple and Google. Now and then, these recordings are listened to by living people — to solve technical issues, train new algorithms, and so on. But are they used to target ads? Some studies confirm such practices on the part of Google and Amazon, although it’s more a case of using voice search or purchase history rather than constant eavesdropping. As for Apple, there was no link between ads and Siri in any study.

We did not find a study devoted to smart TV voice commands, but it has long been known that smart TVs collect detailed information about what users watch — including video data from external sources (Blu-ray Disc player, computer, and so on). It can’t be ruled out that voice interactions with the built-in assistant are also used more extensively than one might like.

Special case: spyware

True smartphone eavesdropping also occurs, of course, but here it’s not about mass surveillance for advertising purposes but targeted spying on a specific victim. There are many documented cases of such surveillance — the perpetrators of which can be jealous spouses, business competitors, and even bona fide intelligence agencies. But such eavesdropping requires malware to be installed on the victim’s smartphone — and often, “thanks” to vulnerabilities, this can happen without any action whatsoever on the part of the target. Once a smartphone is infected, the attacker’s options are virtually limitless. We have a string of posts dedicated to such cases: read about stalkerware, infected messenger mods, and, of course, the epic saga of our discovery of Triangulation, perhaps the most sophisticated Trojan for Apple devices there has ever been. In the face of such threats, caution alone won’t suffice — targeted measures are needed to keep your smartphone safe, which include installing a reliable protection solution.

How to guard against eavesdropping

  • Disable microphone permission on smartphones and tablets for all apps that don’t need it. In modern versions of mobile operating systems, in the same place under permissions and privacy management, you can see which apps used your phone’s microphone (and other sensors) and when. Make sure there’s nothing suspicious or unexpected in this list.
  • Control which apps have access to the microphone on your computer — the permission settings in the latest versions of Windows and macOS are much the same as on smartphones. And install reliable protection on your computer to prevent snooping through malware.
  • Consider turning off the voice assistant. Although it doesn’t listen in continuously, some unwanted snippets may end up in the recordings of your conversations with it. If you’re worried that the voices of your friends, family, or coworkers might get onto the servers of global corporations, use keyboards, mice, and touchscreens instead.
  • Turn off voice control on your TV. To make it easier to input names, connect a compact wireless keyboard to your smart TV.
  • Kiss smart speakers goodbye. For those who like to play music through speakers while checking recipes and chopping vegetables, this is the hardest tip to follow. But a smart speaker is pretty much the only gadget capable of eavesdropping on you that really does it all the time. So, you either have to live with that fact — or power them up only when you’re chopping vegetables.
Scamming investors through apps from official stores | Kaspersky official blog https://www.kaspersky.com/blog/online-investment-dangerous-apps/50057/ Mon, 18 Dec 2023 13:19:08 +0000 https://www.kaspersky.com/blog/?p=50057 As the popularity of online investing grows, so does the number of related online scams. A few months back, we took a look at some fake investment apps that we’d found in the App Store. After that, we decided to dig a little deeper and see where else such apps are lurking. And our search yielded much more curious results than we expected.

This post is about our most interesting findings: fake “gas” apps in Android store recommendations; “oil investment” apps in the App Store and on Google Play; as well as a series of fake videos in which “Erdogan”, “Musk”, and other famous people promote non-existent investment platforms.

Gas scammers in Android app stores

First of all, let’s outline the scale of the problem. We discovered several hundred scam apps in different languages — more than 300 in total — offering investments in natural resources, “quantum investment algorithms”, and other fancy things that purport to turn a small sum into untold riches.

Such apps can be found crawling all over stores that are pre-installed on phones of various brands: for example, GetApps on Xiaomi smartphones, or Palm Store on Tecno devices.

Hundreds of scam investment apps in GetApps and Palm Store for Android

One of the stores even included a number of scam apps in the list of recommendations shown to the user when they open it, and those apps were even pre-checked — so the store itself encourages the user to install them!

Scam investment apps in Palm Store’s recommended list

Some Android advertising apps were found to contain ads for either “gas” and “quantum” apps, or scam sites offering the same: natural resources, investment algorithms, and other sure-fire ways of earning hundreds of dollars a day without lifting a finger.

Ad for “gas” and “quantum” scam apps for Android

Fake videos: “Musk” and “Erdogan” advertise investment platforms

Besides such apps and sites themselves, we uncovered some massive information campaigns promoting various “investment platforms”.

In particular, these spread fake news about how ordinary users got rich through investments, and each campaign was tailored to the target region in the style of leading local media and featuring the names of famous politicians and businesspeople.

Fake news content about earnings on investment platforms

Also discovered were many (around 800) fake videos, localized for almost all regions of the world and “starring” well-known politicians, actors, businesspeople, and others.

Naturally, the media persons themselves don’t even suspect that their images are being exploited for such purposes. The creators of the videos use real footage of an official nature — interviews with national TV stations, public speeches and the like that are familiar to the regional target audience. In this way, the scammers maximize the number of victims likely to be persuaded by such fakes.

The videos, it must be said, are made quite well. Overlaid on top of the edited video footage are audio tracks that sound very convincing — strongly suggesting the use of audio deepfakes. The audio is also carefully subtitled, so the videos can be watched without sound.

In addition, the scammers use company names similar to ones everyone’s heard of. For instance, a Russian-language video promotes the “Tesla X investment platform”, allegedly created by Elon Musk as a by-product of developing a vehicle autopilot system. The operating principle of this investment algorithm is “like a multicooker: you put in the ingredients and get a ready dinner” (indirect quote).

Scam video with Musk, DiCaprio, and the “Tesla X investment platform”

In another video in Turkish, the main character is… the president of Türkiye, who appears to unveil an “investment platform” promising big bucks. All it takes is to “invest” just 5000 lira (around $170, or €160) in supposed shares of a Turkish state-owned oil-and-gas pipeline company.

“Recep Tayyip Erdoğan” offers a get-rich opportunity by “investing” just 5000 lira

Next up is a video in Spanish. In it, Mexican billionaire Carlos Slim “advises” his fellow citizens to invest in oil through an “investment platform” called Oil Profit.

Carlos Slim appears to promote an “investment” app called Oil Profit

Such videos, created for a host of countries and regions, are myriad, and most give the impression of being endorsed by national or regional heads, who “encourage” investing money in large public and private projects — which, of course, in reality goes straight into the scammers’ pockets.

Citizens of Moldova are promised a juicy rate of return from Moldindconbank, because “payments are guaranteed by the head of the Central Bank!” Citizens of Kazakhstan are advised to “invest” in KazMunayGas, and citizens of Romania — in Romgaz; in both videos, the lead character is the country’s president. Meanwhile, Korean citizens are invited to invest in a fake “national-level investment platform” seemingly from Samsung, and Bulgarian citizens — in a no-less fake scheme from Bulgarian Energy Holding. And the list goes on…

Not by gas alone: “oil” scammers in the App Store and on Google Play

Researching the case of Carlos Slim seemingly promoting investments in oil, we discovered several more apps in the App Store and on Google Play with the name “Oil Profit” in the title (the creators’ own spelling and punctuation are retained):

  • Oil Profit – Trading Insignts [sic]
  • Oil – Profit, Trade, News
  • Oil Profit – News & Help
  • Oil Profit : Ai Technology
Scam Oil Profit apps on Google Play and in the App Store

These “oil” apps work in roughly the same way as their “gas” cousins, only in English — although analysis of the code points to the campaign being aimed at Arab countries, Mexico, France, Italy, and Poland. First, the potential victim is shown videos promising out-of-this-world enrichment. Next, they’re asked to complete a survey in the form of a conversation with a chatbot (“the Oil Profit system’s AI”), after which they’re told to expect a whopping rate of return of $777 per day!

The internal mechanics of the scam Oil Profit app: an enticing video, a survey with the promise of vast riches, and an offer to take a call from a “representative”

This, naturally, is followed by an offer to take another call, this time from a “specialist” who’ll be in touch within one business day. During this call, of course, the victim is persuaded to part with their money under one pretext or another.

How to stay protected

When someone offers you a pile of cash for nothing, it’s a sure sign you’ll end up giving them money rather than the other way round. To guard against scam apps and mobile malware, secure all your devices with comprehensive protection, such as our Kaspersky Premium.

Malicious browser extensions in 2023 | Kaspersky official blog https://www.kaspersky.com/blog/dangerous-browser-extensions-2023/50059/ Fri, 15 Dec 2023 15:59:36 +0000 https://www.kaspersky.com/blog/?p=50059 We often write here about how dangerous browser extensions can be. To illustrate this fact, we decided to dedicate an article to it. In this post, we’ll look at the most interesting, unusual, widespread, and dangerous cases involving malicious extensions in 2023. We’ll also discuss what these extensions were capable of — and, of course, how to protect yourself from them.

Roblox extensions with a backdoor

To set the tone and also highlight one of the biggest concerns associated with dangerous extensions, let’s start with a story that began last year. In November 2022, two malicious extensions with the same name — SearchBlox — were discovered in the Chrome Web Store, the official store for Google Chrome browser extensions. One of these extensions had over 200,000 downloads.

The declared purpose of the extensions was to search for a specific player on the Roblox servers. However, their actual purpose was to hijack Roblox players’ accounts and steal their in-game assets. After information about these malicious extensions was published on BleepingComputer, they were removed from the Chrome Web Store, and automatically deleted from the devices of users who’d installed them.

Malicious SearchBlox extensions published in the Google Chrome Web Store hijacked Roblox players’ accounts. Source

However, the Roblox story doesn’t end there. In August 2023, two more malicious extensions of a similar nature — RoFinder and RoTracker — were discovered in the Chrome Web Store. Just like SearchBlox, these plugins offered users the ability to search for other players on the Roblox servers, but in reality had a backdoor built into them. The Roblox user community eventually managed to get these extensions removed from the store as well.

The RoTracker malicious extension, also hosted on the Google Chrome Web Store. Source

This suggests that the quality of moderation on the official platform for downloading Google Chrome extensions leaves much to be desired, and it’s easy enough for creators of malicious extensions to get their creations in there. To get moderators to spot dangerous extensions and remove them from the store, reviews from affected users are rarely sufficient — it often requires efforts from the media, security researchers, and/or a large online community.

Fake ChatGPT extensions hijacking Facebook accounts

In March 2023, two malicious extensions were discovered in the Google Chrome Web Store within a few days of each other — both taking advantage of the hype surrounding the ChatGPT AI service. One of these was an infected copy of the legitimate “ChatGPT for Google” extension, offering integration of ChatGPT’s responses into search engine results.

The infected “ChatGPT for Google” extension was uploaded to the Chrome Web Store on February 14, 2023. Its creators waited for some time and only started actively spreading it precisely a month later, on March 14, 2023, using Google Search ads. The criminals managed to attract around a thousand new users per day, resulting in over 9000 downloads by the time the threat was discovered.

The infected version of “ChatGPT for Google” looked just like the real thing. Source

The trojanized copy of “ChatGPT for Google” functioned just like the real one, but with extra malicious functionality: the infected version included additional code designed to steal Facebook session cookies stored by the browser. Using these files, the attackers were able to hijack the Facebook accounts of users who’d installed the infected extension.

The compromised accounts could then be used for illegal purposes. As an example, the researchers mentioned a Facebook account belonging to an RV seller, which started promoting ISIS content after being hijacked.

After being hijacked, the Facebook account started promoting ISIS content.

In the other case, fraudsters created a completely original extension called “Quick access to Chat GPT”. The extension actually did what it promised, acting as an intermediary between users and ChatGPT via the AI service’s official API. However, its real purpose was again to steal Facebook session cookies, allowing the extension’s creators to hijack Facebook business accounts.

“Quick access to Chat GPT” malicious extension.

Most interestingly, to promote this malicious extension, the perpetrators used Facebook ads, paid for by — you guessed it — the business accounts they’d already hijacked! This cunning scheme allowed the creators of “Quick access to Chat GPT” to attract a couple of thousand new users per day. In the end, both malicious extensions were removed from the store.

ChromeLoader: pirated content containing malicious extensions

Often, creators of malicious extensions don’t place them in the Google Chrome Web Store at all, but distribute them in other ways. For example, earlier this year researchers noticed a new malicious campaign involving the ChromeLoader malware, which is already well known in the cybersecurity field. The primary purpose of this Trojan is to install a malicious extension in the victim’s browser.

This extension, in turn, displays intrusive advertisements in the browser and spoofs search results with links leading to fake prize giveaways, surveys, dating sites, adult games, unwanted software, and so on.

This year, attackers have been using a variety of pirated content as bait to make victims install ChromeLoader. For example, in February 2023, researchers reported the spread of ChromeLoader through VHD files (a disk image format) disguised as hacked games or game “cracks”. Among the games used by the distributors were Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, and more. As you might guess, all these VHD files contained the malicious extension installer.

A few months later, in June 2023, another group of researchers released a detailed report on the activities of the same ChromeLoader, detailing its spread through a network of sites offering pirated music, movies, and once again, computer games. In this campaign, instead of genuine content, VBScript files were downloaded onto victims’ computers, which then loaded and installed the malicious browser extension.

One of the sites that distributed the ChromeLoader malware under the guise of pirated content.

Although the altered search results quickly alert victims to the presence of the dangerous extension in their browser, getting rid of it isn’t so easy. ChromeLoader not only installs the malicious extension but also adds scripts and Windows Task Scheduler tasks to the system that reinstall the extension every time the system reboots.
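The persistence just described (a scheduled task that re-installs the extension after every reboot) is something a defender can look for directly. The following is an added example, not code from the post or from any researcher cited in it: it parses Windows Task Scheduler task definitions in their real XML schema and flags tasks that run at boot or logon and either invoke a script host, pass Chromium’s extension side-loading switch, or point into a user-writable directory. The indicator lists and the three task bodies are constructed for the demo and are assumptions, not indicators taken from the ChromeLoader reports.

```python
"""Flag Windows Task Scheduler definitions that look like the boot-time
re-installation described for ChromeLoader. Parsing follows the real Task
Scheduler XML schema; the three task bodies below are constructed samples,
not artefacts from any real campaign."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Triggers that fire at boot or logon can re-install an extension after every
# restart; calendar or idle triggers are not interesting for this check.
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}

# Assumed indicator sets (not from the post): script hosts used to run dropped
# script files, the Chromium switch that loads an unpacked extension from disk,
# and directory fragments that ordinary users can write to.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")
SIDELOAD_SWITCH = "--load-extension"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def analyse_task(name: str, xml_text: str) -> dict:
    """Return the triggers, command lines and indicators of one task definition.
    A task is 'suspicious' when it runs at boot/logon AND shows an indicator."""
    root = ET.fromstring(xml_text)
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [c.tag.split("}")[-1] for c in trig_el]
    indicators, commands = set(), []
    for exec_el in root.iterfind("t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
        line = f"{cmd} {args}".strip()
        commands.append(line)
        low = line.lower()
        if cmd.lower().endswith(SCRIPT_HOSTS):
            indicators.add("script_host")
        if SIDELOAD_SWITCH in low:
            indicators.add("extension_sideload")
        if any(frag in low for frag in USER_WRITABLE):
            indicators.add("user_writable_path")
    at_startup = any(t in STARTUP_TRIGGERS for t in triggers)
    return {"name": name, "triggers": triggers, "commands": commands,
            "indicators": sorted(indicators),
            "suspicious": at_startup and bool(indicators)}


def audit_tasks(tasks: dict) -> list:
    """Analyse a {task name: task XML} mapping and keep only suspicious tasks."""
    return [r for r in (analyse_task(n, x) for n, x in tasks.items()) if r["suspicious"]]


# Constructed sample 1: a normal nightly backup job (calendar trigger, Program Files binary).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Backup\backup.exe</Command>
    <Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""

# Constructed sample 2: a logon task running a dropped VBScript from the user's profile.
VBS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>"C:\Users\alice\AppData\Roaming\updater.vbs"</Arguments></Exec></Actions>
</Task>"""

# Constructed sample 3: a boot task that side-loads an unpacked extension into Chrome.
SIDELOAD_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/></Triggers>
  <Actions><Exec><Command>C:\Program Files\Google\Chrome\Application\chrome.exe</Command>
    <Arguments>--load-extension="C:\ProgramData\ext"</Arguments></Exec></Actions>
</Task>"""

SAMPLE_TASKS = {"nightly": BENIGN_TASK, "updater": VBS_TASK, "reload": SIDELOAD_TASK}

if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_TASKS):
        print(f"[REVIEW] {finding['name']}: triggers={finding['triggers']} "
              f"indicators={finding['indicators']}")
        for line in finding["commands"]:
            print(f"    {line}")
```

On a real machine the task definitions live as XML files under `C:\Windows\System32\Tasks` (reading them needs administrative rights) or can be exported with `schtasks /query /xml`; exported files are UTF-16, so decode them to a string before passing them in. Treat the output as a triage list rather than a verdict: plenty of legitimate updaters run from `AppData` at logon, so the interesting hits are the ones combining a startup trigger with a script host or the side-loading switch.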

Hackers reading Gmail correspondence using a spy extension

In March 2023, the German Federal Office for the Protection of the Constitution and the South Korean National Intelligence Agency issued a joint report on the activities of the Kimsuky cybercriminal group. This group uses an infected extension for Chromium-based browsers — Google Chrome, Microsoft Edge, as well as the South Korean browser Naver Whale — to read the Gmail correspondence of their victims.

The attack begins with the perpetrators sending emails to specific individuals of interest. The email contains a link to a malicious extension called AF, along with some text convincing the victim to install the extension. The extension starts working when the victim opens Gmail in the browser where it’s installed. AF then automatically sends the victim’s correspondence to the hackers’ C2 server.

Thus, Kimsuky gains access to the contents of the victim’s mailbox. What’s more, they don’t need any tricks to break into the mailbox itself: the extension reads mail inside a browser session the victim has already signed into, so two-factor authentication is simply bypassed. As a bonus, this method is highly discreet — in particular, Google never sends the victim an alert about account access from a new device or suspicious location, as it would if the password had been stolen and used elsewhere.

Rilide: malicious extension stealing cryptocurrency and bypassing two-factor authentication

Criminals also often use malicious extensions to target cryptocurrency wallets. In particular, the creators of the Rilide extension, first discovered in April 2023, use it to track cryptocurrency-related browser activity of infected users. When the victim visits sites from a specified list, the malicious extension steals cryptocurrency wallet info, email logins, and passwords.

In addition, this extension collects and sends browser history to the C2 server and lets the attackers take screenshots. But Rilide’s most interesting feature is its ability to bypass two-factor authentication.

When the extension detects that a user is about to make a cryptocurrency transaction on one of the online services, it injects a script into the page that replaces the confirmation code input dialog, and then steals that code. The payment recipient’s wallet is replaced with one belonging to the attackers, and then, finally, the extension confirms the transaction using the stolen code.

How the malicious Rilide extension was promoted on X (Twitter) under the guise of blockchain games.

Rilide attacks users of Chromium-based browsers — Chrome, Edge, Brave, and Opera — by imitating a legitimate Google Drive extension to avoid suspicion. Rilide appears to be freely sold on the black market, so it’s used by criminals unrelated to one another. For this reason, various distribution methods have been discovered — from malicious websites and emails to infected blockchain game installers promoted on X (formerly Twitter).

One of the particularly interesting Rilide distribution methods was through a misleading PowerPoint presentation. This presentation posed as a security guide for Zendesk employees, but was actually a step-by-step guide for installing the malicious extension.

A step-by-step guide for installing the malicious extension, disguised as a security presentation for Zendesk employees.

Dozens of malicious extensions in the Chrome Web Store — with 87 million downloads combined

And, of course, one cannot forget the story of the summer when researchers discovered several dozen malicious extensions in the Google Chrome Web Store, which collectively had more than 87 million downloads from the store. These were various kinds of browser plugins — from tools for converting PDF files and ad blockers to translators and VPNs.

The extensions were added to the Chrome Web Store as far back as 2022 and 2021, so by the time they were discovered they’d already been there for several months, a year, or even longer. Among reviews of the extensions, there were some complaints from vigilant users who reported that the extensions were spoofing search results with advertisements. Unfortunately, the Chrome Web Store moderators ignored these complaints. The malicious extensions were only removed from the store after two groups of security researchers brought the issue to Google’s attention.

The most popular of the malicious extensions — Autoskip for YouTube — had over nine million downloads from the Google Chrome Web Store.

How to protect yourself from malicious extensions

As you can see, dangerous browser extensions can end up on your computer from various sources — including the official Google Chrome Web Store. And attackers can use them for a wide range of purposes — from hijacking accounts and altering search results to reading correspondence and stealing cryptocurrencies. Accordingly, it’s important to take precautions:

  • Try to avoid installing unnecessary browser extensions. The fewer extensions you have in your browser, the better.
  • If you do install an extension, it’s better to install it from an official store rather than from an unknown website. Sure, this doesn’t eliminate the risk of encountering dangerous extensions completely, but at least the Google Chrome Web Store does take its security seriously.
  • Before installing, read reviews of an extension. If there’s something wrong with it, someone might have already noticed it and informed other users.
  • Periodically review the list of extensions installed in your browsers. Remove any you don’t use — especially ones you don’t remember installing.
  • And be sure to use reliable protection on all your devices.
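Reviewing the installed extensions can go further than looking at their names: every extension ships a manifest.json declaring the permissions it holds, and the abuse described in this post maps onto a few permission combinations (cookie access on every site for session hijacking, traffic-rewriting APIs for search-result spoofing, content scripts on every page for replacing dialogs). The following is an added example, not code from the post or from any browser vendor: it walks a Chromium profile’s Extensions directory, resolves each extension’s name (including the localized `__MSG_…__` form), and reports those combinations, riskiest first. The three extensions it builds in a temporary directory are constructed for the demo; point `audit_profile()` at a real profile to audit your own browser.

```python
"""Audit the extensions installed in a Chromium profile by reading each
extension's manifest.json and flagging permission combinations that enable
the abuse described in this post. Added example; the sample profile built in
make_sample_profile() is constructed and the three extensions are fictional."""
import json
import sys
import tempfile
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that let an extension observe, block or rewrite web requests.
TRAFFIC_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}


def extension_name(manifest: dict, ext_dir: Path) -> str:
    """Resolve a localized '__MSG_key__' name from the default locale; fall back
    to the raw name or, failing that, the extension id (the parent directory)."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        messages = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if messages.is_file():
            try:
                return json.loads(messages.read_text(encoding="utf-8"))[key]["message"]
            except (KeyError, TypeError, ValueError):
                pass
    return name or ext_dir.parent.name


def assess_manifest(manifest: dict) -> list:
    """Return human-readable findings for one manifest (Manifest V2 or V3)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 listed host patterns inside "permissions"; fold those in.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    broad = bool(hosts & BROAD_HOSTS)
    injects_everywhere = any(
        m in BROAD_HOSTS
        for cs in manifest.get("content_scripts", [])
        for m in cs.get("matches", [])
    )
    findings = []
    if "cookies" in perms and broad:
        findings.append("reads session cookies for every site (account hijacking)")
    if perms & TRAFFIC_APIS and broad:
        findings.append("intercepts or rewrites traffic on every site (search-result spoofing)")
    if injects_everywhere:
        findings.append("injects scripts into every page (form/dialog replacement)")
    if "history" in perms:
        findings.append("reads full browsing history")
    return findings


def audit_profile(extensions_dir) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report each
    extension, riskiest first."""
    report = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except ValueError:
            continue  # unreadable manifest: nothing to assess here
        report.append({
            "id": ext_dir.parent.name,
            "name": extension_name(manifest, ext_dir),
            "version": manifest.get("version", ext_dir.name),
            "findings": assess_manifest(manifest),
        })
    return sorted(report, key=lambda r: len(r["findings"]), reverse=True)


def make_sample_profile() -> Path:
    """Build a constructed Extensions directory with three fictional extensions."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "a" * 32: {"manifest_version": 3, "name": "PDF Converter Pro", "version": "1.2.0",
                   "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]},
        "b" * 32: {"manifest_version": 2, "name": "__MSG_appName__", "default_locale": "en",
                   "version": "4.0.1", "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
        "c" * 32: {"manifest_version": 3, "name": "Dark Theme", "version": "0.9",
                   "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        ext_dir = root / ext_id / f"{manifest['version']}_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if manifest["name"].startswith("__MSG_"):
            locale_dir = ext_dir / "_locales" / "en"
            locale_dir.mkdir(parents=True)
            (locale_dir / "messages.json").write_text(
                json.dumps({"appName": {"message": "Search Helper"}}), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Usage: python audit_extensions.py [path-to-profile/Extensions]
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_profile()
    for row in audit_profile(target):
        status = "REVIEW" if row["findings"] else "ok"
        print(f"[{status}] {row['name']} {row['version']} ({row['id'][:8]}...)")
        for finding in row["findings"]:
            print(f"    - {finding}")
```

The Extensions directory sits inside the browser profile: `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows, `~/.config/google-chrome/Default/Extensions` on Linux, and `~/Library/Application Support/Google/Chrome/Default/Extensions` on macOS (Edge, Brave and other Chromium browsers use the same layout under their own profile folders). A finding is not proof of malice: a password manager legitimately needs cookie access on every site, and an ad blocker needs traffic-rewriting APIs. The point is to match each broad permission against what the extension is supposed to do, and to remove anything whose permissions exceed its job, especially if you don’t remember installing it.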