• Advanced Persistent Threat
• Application Firewall
• Arp Poisoning
• Asymmetric-Key Encryption
• Banking Trojan
• Branch Office Security
• Brute Force Attack
• Buffer Overflow
• Cache Poisoning
• Certificate Authority
• Cloud Hopper
• Cyber Attack
• Data Loss Prevention
• Denial-of-service attack
• Distributed Denial of Service
• DoS Defense System
• Endpoint Security
• Hacker Defender
• Intrusion Prevention Systems
• Macro Virus
• Malicious Code
• Mobile Remote Access Trojan
• Network Security
• Next Generation Firewall NGFW
• Polymorphic Virus
• RIG Exploit Kit
• Secure Web Gateway
• Social Engineering
• SQL Injection
• URL Filtering
• Zero Day
Advanced Persistent Threat (APT)
Continuous hacking process conducted over a long period of time, often unnoticed, to gain access to a network and steal data. The targets are usually national or government institutions. In a simple attack, the intruder tries to get in and out of the system as quickly as possible. Due to the sustained period of an APT attack, the intruder employs sophisticated evasion techniques to remain unnoticed.
Adware covers programs designed to display advertisements (usually in the form of banners), redirect search requests to advertising websites, and collect marketing-type data about the user in order to display customized advertising on the computer. Other than displaying advertisements and collecting data, these types of program generally do not make their presence in the system known: there will be no signs of the program in the system tray, and no indication in the program menu that files have been installed. Often, Adware programs do not have any uninstall procedures and use technologies which border on virus technology to help the program stealthily penetrate the computer and run unnoticed.
Check Point researchers have revealed a vulnerability in AirDroid, a device manager application which allows users to access their Android devices through their computers. The flaw allows an attacker to steal data from unsuspecting users by the following procedure: an attacker sends an SMS or its equivalent which contain a malicious payload to his victim, masqueraded as a legitimate contact. The user then saves the contact to his device, allowing the malicious payload to exploit a vulnerability in the AirDroid application. Once exploited, the App enables the attackers to execute code on the device in order to steal data. This vulnerability affects all AirDroid users around the globe, an estimated number of 50 million.
The McDonald’s India app, McDelivery, leaked the personal data of over 2.2 million customers, including name, email address, phone number, home address and social profiles. The leak is the result of an unsecured public API. Although McDelivery acknowledged the issue on February 13, as of March 17, the fix had not yet been completed and the app was still leaking customer data.
A group of activist hackers first identified in 2003. Members of the group wear Guy Fawkes masks to hide their identities, and the group’s logo is an image of a man in a suit with a question mark in place of a head. Anonymous has a very loose and decentralized command structure and operates on ideas rather than directives, thus making it easy for people to identify with the group. Anonymous consists of both beginners and expert hackers. The group gained notoriety with a series of well-publicized stunts as well as DDOS attacks on government, religious and corporate websites.
Antivirus, anti-virus, or AV software is computer software used to prevent, detect and remove malicious computer viruses. Most software described as antivirus also works against other types of malware, such as malicious Browser Helper Objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious LSPs, dialers, fraudtools, adware and spyware.
An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall which is – without additional software – unable to control network traffic regarding a specific application.
Sending spoofed Address Resolution Protocol (ARP) messages to manipulate the traffic flow between random machines under a local area network. This type of attack enables the operator to associate his Mac address with an IP address of a host in the network. He can then reroute traffic meant for that IP address through a malicious node, where it can be monitored, intercepted and deleted.
An encryption system in which two separate keys are used to encrypt and decrypt the data sent to ensure the secure transfer, also known as public key encryption. First, a user receives a public and private key pair from a legal certificate authority. Another user who wishes to send an encrypted message gets the intended recipient’s public key from a public directory. This key is used to encrypt the message and send it to the recipient. When the recipient receives the message, he decrypts it with his private key, which only he can access.
An attempt to alter, destroy, steal, expose or gain unauthorized access to an asset. There are two types or approaches: passive attacks, such as port scanning, and active attacks, such as DDoS. The attack vector is the path or means by which the attacker can perform the attack such as viruses, malicious emails, and compromised web pages. The attack mechanism is the method used to deliver the exploit, and may include a payload or container.
A method used to bypass the normal authentication process to gain access to a system. A programmer sometimes installs backdoors so that the program can be accessed for troubleshooting; however, attackers use backdoors to gain unauthorized access to a computer.
Banker which steals financial information, using keylogging to record the victim’s credentials as they are entered on a targeted bank webpage. Bancos can also supplement or replace a legitimate bank login page with a fake webpage. The Trojan is active primarily in Latin America, particularly in Brazil, and is spread mostly via phishing.
A banking Trojan gathers account information about customers from banking systems, e-payments systems or credit cards. Common methods used to steal this information include man-in-the-browser keylogging or form grabbing that retrieves credentials before they get to their intended destination.
Bash is a command processor, typically run in a text window, allowing the user to type commands which cause actions. Bash can also read commands from a file, called a script. Users direct the operation of the computer by entering commands as text for a command line interpreter to execute, or by creating text scripts of one or more such commands. Bash is a Unix shell that has been distributed widely as the shell for the GNU operating system and as a default shell on Linux and Mac OS X.
A form of digital currency that is created and held electronically. It was invented by Satoshi Nakamoto, and no authority controls the currency or prints new bills. New BitCoins are produced by active computers around the world, an action known as mining. Payments are transferred on a peer-to-peer basis, without an intermediary or a bank. As no bank account or any other personal account requiring private information is involved, Payment via BitCoin is fast and anonymous, and is often used for illegal business and communications. The amount of BitCoins held by a particular BitCoin address during a transaction is available, but the identity of the account owner remains concealed. BitCoins are a favorite currency for ransomware demands.
Full-disc encryption included in post Vista versions of Windows (Ultimate version) that helps protect a machine from offline attacks. By default, BitLocker uses AES algorithms in Cypher Block Chaining Mode (CBS). BitLocker is most efficient when installed on a computer equipped with TPM (Trusted Platform Module – a chip that stores cryptographic information). When the computer is turned on, the TPM releases the key that unlocks the encrypted partitions. If there is an attempt to remove the disk from the computer, BitLocker does not unlock the files and the data remains encrypted. BitLocker can also be used without TPM: the decryption keys are stored on an external flash disk, or with user authentication mode.
A deceptive user who attempts to break into a computer system or computer network. BlackHat hackers are often referred to as Crackers” by the members of the security and computers industries. Their goal is to steal, destroy, or modify data on the targeted system, leaving the network inaccessible for authorized users.
An access control mechanism which lets all entities pass except those explicitly singled out. A Blacklist contains different kinds of objects as email addresses, users, URLs, IP addresses, software, etc. Blacklists are set up to help prevent unwanted messages from entering a user’s inbox, unwanted programs from being used in a network, unwanted sites from being accessed by users etc. For example, a company can prevent employees from accessing a list of web sites.
A BootKit infects the Master Boot Record (MBR) or Volume Boot Record (VBR.) The MBR is called by the BIOS at start-up, before the activation of the operating system, and contains information on the file system. As soon as the MBR is called, the BootKit executes its code and gains access to the operating system and files at the kernel level. It can also bypass full volume encryption. Anti-virus and operating systems have difficulty detecting and deleting BootKits, as their files are located outside of the regular file system.
A botnet is a network of computers, usually controlled via a command and control (C&C) server, for illicit purposes such as DDoS attacks, mining Bitcoins, mail spam, etc. A single compromised computer in the network is referred to as a bot when it executes malware that has penetrated the system. Read more about Botnet.
Brute Force (Brute Force Attack)
A cryptanalytic attack that can be used against encrypted data, and is conducted mostly when other vulnerabilities cannot be exploited. The attacker tries a list of different passwords, words, or letters until he manages to break into the targeted system or account. A simple attack may use a dictionary of all words or commonly used passwords which are tried sequentially until access is gained. A complex attack tries every key combination until the correct password is found.
When a program writing data to a buffer exceeds the buffer’s limit and overwrites neighboring memory locations. This is a special case of memory safety violation, which is the basis of many software vulnerabilities and can be maliciously exploited. Buffer overflows can be triggered by inputs that are designed to execute code, or modify the way the program operates. These actions might result in unpredictable program behavior, including memory access errors, incorrect results, a crash, or a breach of system security as information stealing. Buffer overflows can be prevented by bounds checking of data written to a buffer.
A software bug is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. Some bugs have only a subtle effect on the program’s functionality, and may thus lie undetected for a long time. More serious bugs may cause the program to crash or freeze. Others qualify as security bugs and might for example enable a malicious user to bypass access controls in order to obtain unauthorized privileges.
Sophisticated Banking Trojan botnet which targets remote banking and payment systems. Carberp is designed to steal user credentials and monitor user browsing activities, and is based on modules, which can be downloaded separately to the victim machine. It is estimated that the botnet was coded by a group of highly skilled Russian actors. In 2013, the Carberp source code was leaked and made available for download on various forums.
A fake online profile or identity. For example, someone could create a fake profile on an online dating website to have online relationships with one or more people and ultimately extort money from them.
An offline ransomware, meaning that it does not need to communicate with its C&C server before encrypting files on an infected machine. It is spread mostly via malvertising campaigns which leverage exploit kits, but also through spam campaigns. It is operated by its author as a ransomware as-a-service; the author recruits affiliates to spread the malware for a share of the ransom payment.
Certificate (Certification), (Digital Certificate)
An electronic document that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure (PKI). This document contains information about the key, the owner’s identity, and the digital signature of an entity that has verified that the certificate’s contents are correct. The Transport Layer Security (TLS, sometimes called by its older name SSL, Secure Sockets Layer) uses certificates to prevent an attacker from impersonating a secure website or other server. Certificates may also be used as a verification tool in different applications as email encryption and code signing.
A trusted entity that issues digital certificates. Although anyone who wishes can produce digital certificates and secure its own communications, most e-commerce websites use certificates issued by trusted and known certificate authorities. The longer a certificate authority is active, the more browsers and devices trust its certificates. The certificate authority is actually a third-party object trusted by both sides of the communication.
An algorithm for encrypting or encoding data. The cipher usually depends on a unique piece of information, called a key. A ciphertext is the result from encoding readable data with a cipher. Without knowledge of the key, it is extremely difficult, if not impossible, to decrypt the ciphertext into readable plaintext. Examples of well-known ciphers are Caesar, RSA and AES.
Malware campaign associated to a known Chinese APT group dubbed APT10 and aimed to gain network access and persistence for sensitive information gathering by targeting managed security service providers (MSSP), as an entry point to their customers networks. The malware is deployed based on remote access to the organization network, and the obtained access is leveraged by the attackers to collect sensitive data.
Downloader, used mainly to download ransomware to the victim machine. Cryptoload is usually sent within archive files as attachments in spam campaigns, and has been previously used to download Cryptowall ransomware, TeslaCrypt ransomware and Locky ransomware, as well as Fareit Info-stealer.
Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, CryptoWall became one of the most prominent ransomwares to date. CryptoWall is known for its use of AES encryption and for conducting its Command & Control communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
A cyber attack is a strike against a computer system, network, or internet-enabled application or device. Hackers use a variety of tools to launch attacks, including malware, ransomware, exploit kits, and other methods. Read more about Cyber Attack.
Cybersecurity refers to the use of network architecture, software, and other technologies to protect organizations and individuals from cyber attacks. The objective of cybersecurity is to prevent or mitigate harm to – or destruction of – computer networks, applications, devices, and data. Read more about Cybersecurity.
Data Loss Prevention (DLP)
Data loss or data leak prevention solution is a system that is designed to detect potential data breach / data ex-filtration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage). In data leakage incidents, sensitive data is disclosed to unauthorized personnel either by malicious intent or inadvertent mistake. Such sensitive data can come in the form of private or company information, intellectual property (IP), financial or patient information, credit-card data, and other information depending on the business and the industry.
Denial-of-service attack (DoS)
An attempt to make a single machine, web server or network resource unavailable to its intended users. The attack results in interrupted or suspended services of a host connected to the Internet. The most common type of DoS attack is the distributed denial-of-service (DDoS), in which there is more than one attack source and often thousands of unique IP addresses. The use of such a massive attack resource usually depends on a botnet network. Even though a DoS attack does not usually result in the theft of information, it can cost the targeted enterprise or person a great deal of time and money.
IRC-based Worm designed to allow remote code execution by its operator, as well as download additional malware to the infected system, with the primary motivation being to steal sensitive information and launch denial-of-service attacks. It install a user-mode rootkit to prevent viewing or tampering with its files and modifies the registry to ensure that it executes each time the system starts. It will send messages to all of the infected user’s contacts, or hijack an existing thread, to contain a link to the worm’s copy.
Malware which targets Windows operating system users. Dorvku collects system information and sends it to a remote server. It also collects sensitive information from targeted web browsers, and accepts commands to perform malicious activities on the infected system.
DoS Defense System
More focused on the problem than IPS, a DoS Defense System (DDS) is able to block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of death) and rate-based attacks (such as ICMP floods and SYN floods).
Banking malware that leverages macros in Microsoft Office to infect systems. Once a computer is infected, Dridex attackers steal banking credentials and other personal information to gain access to the user’s financial records. It is spread through malicious spam e-mail with a Microsoft Word document attachment. Dridex first steals banking credentials and then attempts to generate fraudulent financial transactions.
An exploit (from the English verb to exploit, meaning “using something to one’s own advantage”) is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.
Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
Derived from combining the words ‘Hack’ and ‘Activism’, hacktivism is the act of hacking, or breaking into a computer system, for politically or socially motivated purposes. The individual who performs an act of hacktivism is said to be a hacktivist. Read more about Hacktivism.
Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
Intrusion Prevention Systems
Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it. Read more about IPS.
Keylogger which is sold on various underground forums. iSpy captures passwords, collects passwords stored in web browsers and records webcams and Skype sessions. The malware is spread mainly via spam campaigns carrying malicious attachments.
Virus which targets the Windows platform. It modifies system files, collects private information from the infected host and redirects to compromised sites to spread additional malware. In addition, Jadtre provides backdoor access to infected hosts. Jadtre is usually spread by freeware or spam email campaigns and can propagate itself by infecting executable files accessible through network drives.
Ransomware which began being distributed by the Necrus botnet in May 2017, via spam emails containing a PDF attachment which contains an embedded DOCM file. As the malware first emerged, it was massively spread at an infection rate of approximately 10,000 emails sent per hour.
Dropper designed to install malware onto infected computer systems. Kazy can be used by criminals to install practically any kind of malware onto their victims’ machines including banking malware, info-stealers and spyware.
Also dubbed ZeusVM, KINS is a variant of the infamous Zeus Trojan. It is a banking Trojan that was offered for sale as a service on a closed Russian underground forums. The malware consists of a dropper and a variety of modules such as Remote Desktop Protocol module that allows bot managers to remotely access compromised machines. On 2015, the KINS builder and the source code of its management panel were leaked online.
Trojan that targets Windows users. The malware is designed to delete, block, modify, or copy data and disrupt computer or network performance. The malware masquerades as a legitimate file or software.
Ransomware which started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as an Word or Zip attachment, which then downloads and installs the malware that encrypts the user files.
A generic term for a number of different types of malicious code. Read more about Malware.
Mobile Remote Access Trojan (mRAT)
Mobile Remote Access Trojan is similar to Remote Access Trojan (RAT), malware that allows an attacker to remotely control an infected PC or “bot”. mRat attacks bypass two-step authentication and access SMS functions and the user’s contact list. mRat may be part of an APT-operated attack or a known virus attack. Known variants for this attack are OmniRAT and DroidJack.
Downloader, programmed to allow its operators to download and upload files to a victim’s computer in a way that is transparent to the victim. The malware can be delivered to users via spam campaigns or bundled with free program installers that are published on suspicious websites.
Botnet used to spread malware by spam emails containing a malicious attachment, mainly Ransomware and Banking Trojans such as the Locky ransomware, Jaff ransomware and Dridex banking malware.
Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
A virus that uses code that mutates the program while keeping the original algorithm intact. That is, the code changes itself each time it runs, but the function will not change. Encryption is the most common method to hide code.
Worm that spreads itself by sending instant messages to contacts on Skype. It extracts personal user information from the machine and communicates with remote servers by using a Domain Generation Algorithms (DGA).
A banking Trojan designed to steal banking credentials, FTP passwords, session cookies and personal data. Upon infection, Ramnit also allows remote control when the machine is connected to the internet.
Ransomware is a type of malicious software that prevents the victims from accessing their documents, pictures, databases and other files by encrypting them and demanding a ransom to decrypt them back. A deadline is assigned for the ransom payment, and if the deadline passes, the ransom demand doubles or files are permanently locked. Ransomware is an ever-increasing threat worldwide, claiming a new victim every 10 seconds. Read more about Ransomware.
Malware used in a campaigns which targeted users in the Healthcare, Energy, Critical Manufacturing and Information Security sectors worldwide. The malware consists of an executable, a loader and a Remote Access Tool (RAT) which collects various types of information from the victim system, such as system architecture and privileges, and sends it to its Command & Control server.
RIG Exploit Kit
A rootkit is a type of malware designed to burrow deep into your computer, avoiding detection by security programs and users. For example, a rootkit might load before most of Windows, burying itself deep into the system and modifying system functions so that security programs can’t detect it. A rootkit might hide itself completely, preventing itself from showing up in the Windows task manager.
Android malware which uses a customized open-source root tool called “Root Assistant” to gain root access to Android devices, and maintains persistence by installing several APK files. The malware can than download executable files from remote servers and execute them on the infected device for various purposes, and steal sensitive user information.
Large-scale malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
Memory resident worm targeted to attack Microsoft SQL 2000. By propagating rapidly, the worm can cause a denial of service condition on affected targets.
A euphemism for non-technical or low-technology means – such as lies, impersonation, tricks, bribes, blackmail, and threats – used to attack information systems.
Attempt by an unauthorized entity to gain access to a system by posing as an authorized user.
Programming that is put in someone’s computer to secretly gather information about the user and relay it to advertisers or other interested parties.
A common code injection technique used to attack data driven web applications. The attack is performed on web pages with data insertion fields, on which user inserted data is not properly filtered and sanitized from SQL language syntax. Such web applications allow an attacker to execute undesirable SQL queries on a remote database, which could lead to exposure of sensitive data stored on the database, data modification, loss or corruption. With a successful SQL injection, the attacker can modify highly sensitive data such as account balance and planned transactions, medical test results and other medical information, and such.
A Trojan that steals the victim’s credentials using web-injects, activated as the users try to login to their bank website.
Information stealing Trojan which collects sensitive information and banking credentials from the infected host and sends this information to a remote server without user permission. Machines infected by Torpig also form a massive botnet
Ransomware that encrypts user documents, pictures and other type of files. Victims are requested to pay up to 4.1 Bitcoins (approximately US $1800) to the attackers to decrypt their files.
Modular Backdoor for Android which grants superuser privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. Read more about Trojan.
Content-control software, content filtering software, secure web gateways, censorware, Content Security and Control, web filtering software, content-censoring software, and content-blocking software are terms describing software designed to restrict or control the content a reader is authorized to access, especially when utilized to restrict material delivered over the Internet via the Web, e-mail, or other means. Content-control software determines what content will be available or perhaps more often what content will be blocked.
A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting – i.e., inserting a copy of itself into and becoming part of – another program. A virus cannot run by itself; it requires that its host program be run to make the virus active. Read more about Virus.
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
Ransomware which was spread in a large scale attack in May 2017 utilizing a Windows SMB exploit called EternalBlue in order to propagate within and between networks.
Backdoor that installs a rootkit on victim’s system, and hooks critical functions and system driver of the infected Windows system. It collects system information and sends the data to a remote server, from which it also receives further instruction. Winnti might inject malicious payload into various processes, and it has been reported that some variants of this Backdoor might be signed with a legitimate certificate.
A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
A compromised version of the iOS developer platform, Xcode. This unofficial version of Xcode was altered so that it injects malicious code into any app that was developed and compiled using it. The injected code sends app information to a Command & Control server, allowing the infected app to read the device clipboard.
iOS malware which targets Chinese users, and therefore displays different behaviors according to the device’s location in the world. The malware was able to bypass Apple’s security. Once installed on a device in China, the app uses social engineering to install two configuration profiles, based on which applications that did not go through Apple’s review, and may contain malicious code, can be downloaded to the infected device.
The “Day Zero” or “Zero Day” is the day a new vulnerability is made known. In some cases, a “zero day” exploit is referred to an exploit for which no patch is available yet. (“Day One” – day at which the patch is made available).
A sophisticated family of Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information and victim accounts. Zeus targets popular operating systems such as Windows and Android and is usually distributed to end-users through social engineering tactics such drive-by downloads and phishing emails.
A zombie computer (often shortened as zombie) is a computer connected to the Internet that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.
Trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.