Super Mario Run(s) — Away With Your Money

If you are an Android user and a big fan of Super Mario, beware: there is no Android version! There has been no official news on the Android version yet, let alone a version of the game. There is, however, a version circulating outside of the Google Play market that will steal your bank account.

Right now attackers are taking advantage of the game’s popularity and Android users’ despair to spread malware posing as an Android version of Super Mario Run, as they did in the past for Pokemon GO. The trojan is called Android Marcher and has been around since 2013, mostly targeting mobile users’ financial information. After installation, the application attempts to trick users with fake finance apps and a credit card page in an effort to capture banking details. The malware also locks out Google Play until the user supplies their credit card information.

This new variant of Marcher can monitor the device and steal login data of regular apps, not just banking and payment apps, and send the stolen data back to command and control (C&C) servers. Facebook, WhatsApp, Skype, Gmail, and the Google Play store are all vulnerable. Criminals can exploit these stolen accounts to carry out additional fraud.

Zscaler researchers’ advice is:

To avoid becoming a victim of such malware, it is a good practice to download apps only from trusted app stores such as Google Play. This practice can be enforced by unchecking the “Unknown Sources” option under the “Security” settings of your device.

We would add: turn on “App Verification”. Verify Apps regularly checks activity on your device and prevents or warns you about potential harm. Verify Apps is on by default, and Unknown Sources is off by default. Verify Apps also checks apps when you install them from sources other than Google Play. Of course, there is a privacy trade-off: some information about the apps you install has to be sent back to Google.

The main advice is: use common sense. It’s common practice for companies to release official app versions through Google Play, and highly unlikely that they would do it any other way.

FANCY BEAR Targets Ukrainian Howitzers

Just in case you’re one of the people out there who still doesn’t believe in “the cyber” — it appears that the Russian military served malicious cell-phone apps to the Ukrainian army that allowed them to track a particular artillery cannon.

The legitimate version of the Android app helped its operator use the 1960s-era former Soviet howitzer. The trojanized version of this application did just the same, except it also phoned home to Russian military intelligence with its location. In addition to giving the Russian army valuable information about troop movements in general, it also led to the destruction of 80% of the cannons in question over two years.

The cited article goes into depth about why a hacking group, referred to as FANCY BEAR, is almost certainly responsible for the attack. The exploit has fingerprints that are not widely known outside of the security research community, and the use of the exploit against the Ukrainian army pretty much ties FANCY BEAR to the Russian military.

This is also the same exploit that was used against the Democratic National Committee in the United States. Attribution is one of the hardest parts of white-hat hacking — attackers don’t want to be found and will leave misleading clues when they can — but the use of the same proprietary malware in these two attacks is pretty convincing evidence that Russian military intelligence has also hacked into US political parties and NGOs.

(Banner image by Vitaly Kuzmin, CC-BY-SA 3.0.)

Computers For The Masses, Not The Classes

Retro is new again, and everywhere you look you’ll find films, documentaries, and TV shows cashing in on the nostalgia of their target audience. There is one inaccuracy you’ll find with these shows: Apple computers are everywhere. This isn’t a historical truth – Commodore was everywhere, the C64 was the computer the nerds actually used, and to this day, the Commodore 64 is still the best-selling computer in history.

Commodore is gone, replaced with a superfund site, but the people who made the best computers in history are still around. At the 2016 Hackaday SuperConference, Bil Herd gave a talk on the second act of Commodore’s three-act tragedy. Bil is a frequent contributor around these parts, and as always he illuminates the 1980s far better than Halt and Catch Fire ever could.


Pioneer AVIC Infotainment Units Hacked to Load Custom ROMs

Pioneer’s flagship AVIC line of in-car multimedia systems is compatible with both Android Auto and Apple Car Play, and offers all manner of multimedia features to the driver of today. What’s more, these in-dash wonders have spawned their own community, dedicated to hacking the units. The ultimate infotainment hack is to develop custom ROMs for these devices.

What this means is that owners of Pioneer AVIC units will eventually be able to flash a custom ROM onto their in-car device, allowing it to operate more like any other generic Android tablet on the market. The potential is there for installing custom applications, extra hardware (such as OBD II readers), or pretty much anything else you can do with an Android device.

The hack involves a whole lot of delicate steps, beginning with using a USB stick with a special image to boot the device into a test mode. This allows the internal SD card to be backed up, then overwritten with a new image itself.

Mostly, the hack has been used to allow map files to be updated on the internal SD card — inability to update maps has been a long-festering thorn in the side of in-dash navigation systems. Users have been customizing this to suit their requirements, also adding speed camera locations and other features. But overall this hack is a great example of hacking something to get full control over the things you own. At the least, this will allow drivers to ditch the phones suction-cupped to the windshield and run common apps like Waze, Uber, and Lyft directly on the infotainment screen (assuming you can rig up an Internet connection).

Check out another great Android ROM hack — using a cheap old smartphone as a low-cost ARM platform.

This Old Mouse Keeps Track of Filament Usage

Keeping track of your 3D-printer filament use can be both eye-opening and depressing. Knowing exactly how much material goes into a project can help you make build-versus-buy decisions, but it can also prove gut-wrenching when you see how much you just spent on that failed print. Stock filament counters aren’t always very accurate, but you can roll your own filament counter from an old mouse.

[Bin Sun]’s build is based around an old ball-type PS/2 mouse, the kind with the nice optical encoders. Mice of this vintage are getting harder to come by these days, but chances are you’ve got one lying around in a junk bin or can scrounge one up from a thrift store. Stripped down to its guts and held in place by a 3D-printed bracket, the roller that used to sense ball rotation bears on the filament on its way to the extruder. An Arduino keeps track of the pulses and totalizes the amount of filament used; the counter handily subtracts from the totals when the filament is retracted.

Simple, useful, and cheap — the very definition of a hack. And even if you don’t have a 3D-printer to keep track of, harvesting encoders from old mice is a nice trick to file away for a rainy day. Or you might prefer to just build your own encoders for your next project.


The Joy of the ESP8266 and Blynk

I’ll admit it. I can be a little cheap. I also find it hard to pass up a bargain. So when I saw a robot kit at the local store that had been originally $125 marked down to $20, I had to bite. There was only one problem. After I got the thing home, I found they expected you to supply your own radio control transmitter and receiver.

Normally, that wouldn’t be a problem but lately… let’s just say a lot of my stuff is in storage and I didn’t have anything handy. I certainly didn’t want to go buy something that would double the cost of this robot that I really didn’t need to begin with.

However, I did have a few ESP8266 modules handy. Good ones, too, from Adafruit with selected 5 V I/O compatibility and an onboard regulator. I started thinking about writing something for the ESP8266 to pick up data from, say, a UDP packet and converting it into RC servo commands.

Seemed like a fair amount of work and then I remembered that I wanted to try Blynk. If you haven’t heard of Blynk, it is a user interface for Android and Apple phones that can send commands to an embedded system over the Internet. You usually think of using Blynk with an Arduino, but you can also program the embedded part directly on an ESP8266. I quickly threw together a little prototype joystick.

Raspberry Pi Radio Makes the Sweet Music of Bacteria

We’ve noticed a lot of musical groups are named after insects. Probably has something to do with the Beatles. (If you study that for a while you’ll spot the homophonic pun, and yes we know that the Crickets inspired the name.) There’s also Iron Butterfly, Adam Ant, and quite a few more. A recent art project by a Mexican team — Micro-ritmos — might inspire some musical groups to be named after bacteria.

The group used geobacter — a kind of bacteria found in soil — a Raspberry Pi, an Arduino, and a camera to build an interesting device. It looks at the bacteria and uses SuperCollider to create music and lighting from the patterns. You can see a video of Micro-ritmos, below.
