Google: We caught a Russian state hacker crew uploading badness to the Play Store

Adtech firm also sent 12k phishing warnings to users of its services

Google has said it fired off 12,000 warnings to unlucky users of its Gmail, Drive and YouTube services, telling them it believes they're being phished by state-backed hackers.

The ad tech firm’s Threat Analysis Group (TAG) said in a blog post that between July and September it told people in 149 countries around the world that they were being “targeted by government-backed attackers”, adding that this was consistent with the same number of warnings sent during the same periods of 2017 and 2018.

“Over 90 per cent of these users were targeted via ‘credential phishing emails’,” wrote Google’s Shane Huntley, who gave an example of one of these phishing emails having been sent from “Goolge”.

TAG went on to highlight a Russian state-sponsored hacking crew named Sandworm*, which in 2017 started deploying Android-based malware to the Google Play store and over time evolved to simply phishing and compromising legitimate developers, then pushing malicious updates to previously trusted apps. Google’s TAG, naturally, said it detected this and stopped Sandworm from doing these bad things.

Kevin Bocek, threat intelligence veep from Venafi, said:

“The most troubling of [Google TAG’s] examples was that [Sandworm] was able to compromise code signing keys from a legitimate app developer, via a phishing email, and add its own backdoor into an app... This just shows the power of code signing, it’s like a god that machines trust blindly. As more and more hackers see the potential, and ease, for misusing keys and certificates we'll see more of these attacks. We must ensure in the software build process code signing and machine identities are protected.”

Sandworm previously used a Windows zero-day in 2014 to spy on NATO and the EU, among other targets.

Piers Wilson, product management head of Huntsman Security, opined that all this means companies must be “constantly vigilant”, saying: “Google’s announcement highlights that anyone could be a target of nation state attacks. You might assume you’re not of interest to government-backed attackers, but even someone only tangentially related to people or organisations in power could be a way into that target and so a valid target themselves.”

Cesar Cerrudo, chief techie of IOActive, advised folks to “avoid clicking on links unless you are sure they are safe and install strong protections on your endpoint devices.” Sound advice – provided you also take care while thumbing through emails on your phone or tablet. ®

* Sandworm has also been named (deep breath): TEMP.Noble; Electrum; Telebots; Quedagh Group; BE2 APT; Black Energy; and Iridium, not to be confused with the element or the satcom company.

The wildly unchecked proliferation of different names for hacking crews is intended mainly as a marketing gimmick to make threat intel companies appear to be first with the latest news about FancyAPT007PandaSeaTeamCalc!heeheeCr3wBlurt and to drown out the fact that there’s a score of competing firms all tracking the same threats. This is incredibly frustrating for anyone trying to figure out whether this week’s Big Scary Thing is actually the same one from last week but under a different name.

The problem is common enough that it has driven sensible people to build public spreadsheets resolving and deconflicting the various company-specific hacker crew names. El Reg wholeheartedly endorses this approach to making infosec comprehensible again.

Biting the hand that feeds IT © 1998–2022