|    comp.mobile.android    |    Discussion about Android-based devices    |    236,147 messages    |
|    Message 235,451 of 236,147    |
|    Maria Sophia to Maria Sophia    |
|    Re: PSA: Using a PC to download Google P    |
|    06 Jan 26 09:06:21    |
XPost: alt.comp.os.windows-10, alt.comp.os.windows-11
From: mariasophia@comprehension.com

Maria Sophia wrote:
> Most people don't realize how brain dead the Google Play Store automatic
> updates is. They just assume it covers all their apps, but it's not even
> close as we've tested it and it's essentially garbage compared to what a
> real auto updater for Android will do for you. But that's not on the PC.

I want to redirect this tangent since Theo found that the Aurora PC app was
not from the approved sources, even as it seems to work by all accounts.

Since I goofed with this premature PSA, it behooves me to explain and delve
deeper to understand what this Aurora-PC stuff is, and what it is not.

Just to be clear, what happened was three steps that led to this PSA:
 1. I was researching an answer for Qihe regarding spoofing
 2. So I wrote up that answer pointing him to Aurora's spoofing
 3. In that research, I ran into the PC Aurora so I wrote this PSA

I should have researched further the PC Aurora, as I had simply "assumed"
it was from the official developers. It's not. It's not an official Aurora.

Apparently it works. According to the Telegram support for the real Aurora.
For now.

But we can't rely on PC Aurora because we are unaware of its provenance.

Having said that, I searched for security research on this so-called
PC-Aurora, and, strangely, I can find none.

So far, I can find zero published security-researcher analyses, malware
reports, threat-intel writeups, CVEs, or forensic reports about
aurorastore.org.

No major malware labs, no independent analysts, no reverse-engineers, no
threat-intel feeds, and no OSINT researchers have published anything on it.

As far as I can determine in quick searches anyway, it's not listed in:
 VirusTotal collections
 Hybrid Analysis
 AnyRun
 Joe Sandbox
 Intezer
 Malpedia
 Abuse.ch
 URLHaus
 ThreatFox
 OpenPhish
 PhishTank
 AlienVault OTX
 GreyNoise

I can't find anything in the public forums and blogs about it either.
 Recorded Future (public feeds)
 BleepingComputer forums
 MalwareTips forums
 Mastodon infosec circles
 OSINT communities
 StackExchange Security
 Twitter infosec accounts
 XDA Developers
 r/Android
 r/AndroidDev
 r/Malware

Nor can I find security research papers on it:
 No papers
 No blog posts
 No advisories
 No CVEs
 No vendor bulletins

There are no samples I found in public malware databases tagged with:
 aurorastore.org
 "Aurora Store PC"
 "AuroraStorePC.exe"
 "AuroraStoreSetup.exe"
 "AuroraStore Windows"
If malware exists, it does not seem to have been submitted to any public
analysis platform listed above.

Yet I get this from uBlock-origin-protection on some browsers:
 uBlock Origin has prevented the following page from loading:
 https://aurorastore.org/aurora-store-pc/
 Because of the following filter:
 ||aurorastore.org^$document
 Found in: uBlock filters – Badware risks
 [_] Don't warn me again about this site

Looking that up, apparently when uBlock blocks a domain at the document
level ($document), it means:
 a. The domain has been explicitly classified as a badware risk
 b. The classification is intentional, not heuristic
 c. The domain was added manually by a maintainer or via a trusted feed
But, apparently uBlock does not perform malware analysis.
It flags risk, not payload.

But things don't get flagged lightly, where some of the rules that uBlock
Origin apparently uses are these below which likely fit the PC-Aurora tool.
 a. it impersonates a known project
 b. it distributes software that does not match the official project
 c. it uses deceptive branding
 d. it has been reported as suspicious by multiple users

As far as I can tell, there is no public threat-intel record of
aurorastore.org being malware or phishing. However, this does not mean it's
safe, but only that it has not been analyzed or reported or that it was
analyzed and nothing bad was found (yet).

But it's clearly an impersonation of branding so it's not to be trusted.

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)
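Added example (not part of the post above, and not uBlock Origin's own code): a simplified model of how a filter of the shape quoted in the post, ||aurorastore.org^$document, is matched. The function names and the sample URLs are constructed for illustration; the model covers only this one filter shape and assumes request types named as the browser reports them ("main_frame" for a top-level page load).

```javascript
// Simplified matcher for filters shaped like "||hostname^$options".
// Illustrative only: real filter lists support many more patterns.

// Split "||hostname^$opt1,opt2" into parts; return null for other shapes.
function parseHostFilter(filter) {
  const m = /^\|\|([a-z0-9.-]+)\^(?:\$(.+))?$/i.exec(filter);
  if (!m) return null;
  return {
    hostname: m[1].toLowerCase(),
    options: m[2] ? m[2].split(",") : [],
  };
}

// "||" anchors at a hostname label boundary: the host itself or a subdomain,
// never a longer name that merely ends with the same characters.
function hostMatches(filterHost, requestHost) {
  const h = requestHost.toLowerCase();
  return h === filterHost || h.endsWith("." + filterHost);
}

// With the "document" option the filter applies only to top-level page
// loads, which is why the whole page is replaced by a warning.
function isBlocked(filter, url, requestType) {
  const f = parseHostFilter(filter);
  if (!f) return false;
  const docOnly = f.options.includes("document") || f.options.includes("doc");
  if (docOnly && requestType !== "main_frame") return false;
  // URL parsing isolates the hostname, so the "^" separator after it
  // (a "/", ":" or end of address) is satisfied by construction.
  return hostMatches(f.hostname, new URL(url).hostname);
}

// Constructed sample requests.
const FILTER = "||aurorastore.org^$document";
const samples = [
  ["https://aurorastore.org/aurora-store-pc/", "main_frame"],
  ["https://www.aurorastore.org/", "main_frame"],
  ["https://aurorastore.org/logo.png", "image"],
  ["https://xaurorastore.org/", "main_frame"],
  ["https://aurorastore.org.example/", "main_frame"],
  ["https://example.com/?ref=aurorastore.org", "main_frame"],
];
for (const [url, type] of samples) {
  console.log(isBlocked(FILTER, url, type) ? "BLOCK" : "allow", type, url);
}
```

Only the first two samples are blocked: the rule keys on the hostname and the request type, and inspects nothing about what the site serves.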