Tue | Aug 10, 2021 | 4:40 AM PDT

Every single electronic device with a microprocessor, operating system, and memory is susceptible to malware. In fact, there are so many types of malware—from logic bombs to ransomware—that the definitions and classifications are mind-bogglingly complex and often overlap based on a threat actor's intent.

Unfortunately, some devices are perceived as less vulnerable than others, but the truth is that all devices can be infected, and when a vulnerability exists that allows code to execute as part of a working exploit, the malware can be quite severe. But what about malware that preys on native functionality, using it in a malicious way? These are simple design flaws in features and functions that turn everyday functionality into malicious activity based on a threat actor's intent. Many times, no foreign software executes at all: the perceived problem is a virus, but in reality the result is just an abused feature. The big question: are these truly malware, or just an advanced form of "nagware" with all roar and no teeth? The answer might surprise you.

Let's start with this real-world example of a rogue calendar subscription applied to a fully patched Apple iPhone. The nagware is a malicious calendar subscription that fills the user's iOS calendar with tens of thousands of events that inform, remind, and nag you that your device is infected with a virus. Every few minutes a new "Infected Device?" message displays and requests that you click a link to fix the infection. The link requests a payment to resolve the issue, but in reality it only unsubscribes you from the calendar invites. This is a form of nagware and ransomware that can infect your mobile phone without leveraging any vulnerability or executing any local code. Unless you are tech-savvy enough to delete calendars and unsubscribe from internet calendars yourself, the perceived problem is that your expensive mobile phone got infected!
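As an added illustration (not part of the original post), here is a small Python check of the kind a defender could run over a subscribed .ics feed: it parses the events and flags a feed whose scare-worded, link-carrying events arrive minutes apart, which is the pattern described above. The feed text, keyword list and thresholds are constructed for this example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample feed (not a real subscription): three scare events a few
# minutes apart, each carrying a link, plus one ordinary appointment.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
DTSTART:20210810T120000Z
SUMMARY:Infected Device? Tap to clean your iPhone now
DESCRIPTION:Fix it at https://example.invalid/fix
END:VEVENT
BEGIN:VEVENT
DTSTART:20210810T120500Z
SUMMARY:Warning! Virus detected: https://example.invalid/fix
END:VEVENT
BEGIN:VEVENT
DTSTART:20210810T121000Z
SUMMARY:Your iPhone is hacked: https://example.invalid/fix
END:VEVENT
BEGIN:VEVENT
DTSTART:20210811T090000Z
SUMMARY:Dentist appointment
END:VEVENT
END:VCALENDAR
"""
SCARE_WORDS = ("infected", "virus", "hacked", "warning")  # assumed wordlist

def parse_events(ics_text):
    """Minimal VEVENT parser: one dict of properties per event."""
    events = []
    for body in re.findall(r"BEGIN:VEVENT\n(.*?)END:VEVENT", ics_text, re.S):
        props = {}
        for line in body.splitlines():
            key, _, value = line.partition(":")
            props[key.split(";")[0]] = value  # drop parameters such as ;TZID=
        events.append(props)
    return events

def assess_feed(ics_text, max_gap=timedelta(hours=1), min_scare=3):
    """Nagware when >= min_scare scare-worded, link-carrying events sit <= max_gap apart."""
    scare = []
    events = parse_events(ics_text)
    for ev in events:
        text = (ev.get("SUMMARY", "") + " " + ev.get("DESCRIPTION", "")).lower()
        if any(w in text for w in SCARE_WORDS) and "http" in text:
            scare.append(datetime.strptime(ev["DTSTART"], "%Y%m%dT%H%M%SZ"))
    scare.sort()
    gaps = [later - earlier for earlier, later in zip(scare, scare[1:])]
    clustered = bool(gaps) and max(gaps) <= max_gap  # thresholds are assumptions
    return {"events": len(events), "scare_events": len(scare),
            "nagware": len(scare) >= min_scare and clustered}
```

A real subscription may also declare recurrence rules (RRULE) instead of listing every event, so a production check would expand those before counting.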

The truth is, unfortunately, far from that. Threat actors are pushing the envelope to monetize information technology in any way possible, from ransomware to extortion. Creating a simple but viciously nasty automated internet-based calendar subscription is yet another way threat actors can target technology that was previously considered out of reach for an attack. The fact is that these calendar invites are truly a form of nagware, but the results appear to be a persistent virus and are brutally alarming.

To that end, we have yet another new form of malware that needs another definition. For today, I will leave that in the hands of malware hunters, but for end users, I have five tips to keep you and your family safe from these attacks:

1. Security basics:
Do not click on any foreign links or accept calendar subscriptions from unknown sources. Most mobile operating systems will prompt you with an "Accept or Cancel" message before you commit to the subscription. If you do not recognize the URL or sender, always hit cancel.

2. Updates:
Apple and Android regularly send out operating system updates, and the application marketplaces for both regularly release updated versions with new features and security and privacy fixes of their own. It is in your best security interest to apply updates to your device and applications when they are released. This will help prevent a real virus or exploit from compromising your device.

3. Common sense:
As a cardinal rule, do not "jailbreak" or sideload applications on your mobile device. This provides a relatively easy method for threat actors to compromise your device, since jailbreaking a phone introduces foreign code in the first place.

4. Remediation:
While an attack like this seems rare, fixing the problem could be worse. If you revert to a previous backup, the calendar subscription could still be in your configuration. For vendors like Apple, their Knowledge Base can help you eradicate the nagware: https://support.apple.com/en-us/HT202361. And remember, there is no such thing as antivirus on an iPhone, but it does exist on Android devices.

5. Ransomware:
While the threat of ransomware appears in the news every day, the main motivation behind the attack is for criminal organizations to make money with little fear of law enforcement. The best recommendation if your device or organization falls prey to an attack is NOT to pay the ransom. This may not be possible for many organizations, because recovery to normal operations is just not possible from their current backups, but if we pay the ransom we only prove that the criminal's business model is working. For home devices, don't pay either. Restore them to your initial settings or use a clean backup. This is truly better than supporting internet-based criminal organizations.

The threats from malware and abuse of common applications are truly evolving. Some introduce viruses, some advanced malware, and others use native features to con a user into an advanced attack. One thing is certain: the more money cybercriminals make from these attacks, the more proof they have that their business models—and yes, it is a business—are succeeding. This example of an application and feature gone awry proves just how creative and abusive they have become. Common sense, diligence, and awareness are the best defenses today to remediate these types of attacks. And remember, there are so many types of malware that many of them now do not even involve real foreign code.
