By Nathan Collier
Android.RoidSec has the package name “cn.phoneSync”, but an application name of “wifi signal Fix”. From a ‘Malware 101′ standpoint, you would think the creators would have a descriptive package name that matches the application name. Not so, in this case. So what is Android.RoidSec? It’s a nasty, malicious app that sits in the background (and avoids installing any launcher icon) while collecting all sorts of info-stealing goodness. Continue reading
By Cameron Palan and Nathan Collier
Recently, we discovered a new malicious Android application called Android.MouaBot. This malicious software is a bot contained within another basic app; in this case, a Chinese calculator application. Behind the scenes, it automatically sends an SMS message to an auto-reply number which replies back to the phone with a set of commands/keywords. This message is then parsed and the various plugins within the malicious packages are run or enabled.
By Nathan Collier
We have found a new threat we are calling Android.TechnoReaper. This malware has two parts: a downloader available on the Google Play Market and the spyware app it downloads. The downloaders are disguised as font installing apps, as seen below:
By Nathan Collier
When you’re a threat researcher, you are always on the look out for anything that looks ‘phishy’, even if it’s on your own personal time. Today, I opened my personal email to find this:
Although the email looked very convincing, I don’t bank with Smile Bank so I knew something was up. Smile Bank is an actual bank based in the UK. The bad guys used a spoofed email address to make it look like it came from the legit Smile Bank domain smile.co.uk. If someone did bank with Smile Bank, I can see how they could easily be tricked. It’s the “Click here to proceed” link that gives the bad guys away. The link goes to a page hosted by pier3.hk, which is a legitimate domain, but appears to be compromised with a simple HTM page that is a redirect to the real malicious site. The redirect sends you here:
Once filled in and submitted, it then sends you here:
When this page is filled in and submitted, it sends you to the legitimate Smile Bank site:
In the background, I captured the network traffic to discovery all the input I entered being sent in plain text to the malicious URL:
In comparison, I went to Smile Bank’s real login screen. It was identical except for the fact it didn’t accept my nonsense for inputs:
This trick could easily be done with any large bank. Make sure to always be suspicious of any email claiming to be from your bank that threatens your account has been locked and insists that you need to enter your account information. Also, if the link to enter your account information isn’t to the URL of the bank it claims to be from, you know it’s malicious.
By Nathan Collier
Earlier this year, the SMS Trojan Foncy was discovered targeting French-speaking Android Users. Now, we’ve come across a new Trojan targeting them using a similar SMS scam. The app pretends to be an app called BlackMart Alpha, which is already a little shady since it’s used to download apps that may otherwise cost money. This app is not found on Google Play and is not malicious in itself, but the fact that you can’t get it in the Google Play store makes it a prefect target for malware developers to make fake versions of it. Webroot detects this Trojan as Android.SMS.FakeB-Mart. It works by sending premium SMS messages to two different numbers (81211 and 81038), which have both been involved with scams that add a hefty Euro charge to the victim’s phone bill. In one case, someone was scammed out of €89.85 , or $110.49. Once the malicious app is installed, it looks like the legitimate BlackMart Alpha app, but doesn’t completely load. A pop-up box opens stating that it’s loading with a increasing percentage. This tricks the user into thinking the app is loading while it’s really sending premium SMS messages in the background.
The app deletes any incoming SMS messages from 81211 to hide any confirmation SMS messages.
Being tricked by this fake blackmarket app when trying to download pirated apps could end up being a lot more expensive than just paying for the app from a trusted app market. Another lesson to always install apps from trusted markets.
By Nathan Collier
Recently Webroot posted a blog about an app called “London Olympics Widget” which was found in a third party market that may need further clarification. This app is what we consider a Potentially Unwanted Application (PUA). PUAs are apps are not considered to be good, nor are they considered malware either. They are apps that walk a thin line and thus are in a grey area. The app in question was classified as a PUA because the of the advertisement SDK add-ons it contains. There are a lot of free apps out there that contain these advertisement SDK add-ons in order to create revenue, and that’s okay. It’s when these advertisement SDK add-ons are overly aggressive and display behaviors such as creating ad related home screen icons and bookmarks, accessing the contact list, and displaying ads in your notification bar that we call these PUAs. We detect these annoying apps in order to inform the user of its presence. Google has recently taken the same stance against these aggressive advertisements and has updated their Ad Policies to warn developers that this type of aggressive advertising will no longer be allowed in the market: Google Play Developer Program Policies
In the case of “London Olympics Widget”, it is a simple app that displays what events are going on in the Olympics on which days. Nothing wrong with that at all. The reason we have classified this as a Potentially Unwanted Application is because it is using the Olympics to draw people into installing their apps so they can make money on multiple aggressive advertisement SDK add-ons. It is the aggressive advertisement SDK add-ons that are requesting permissions to read contacts, look up device ids, and read SMS messages. Why do they want to read your SMS, collect your contacts and blast you with ads? Probably not to make your mobile experience better. Permissions are a scary thing, but just because an app has a permission to do something doesn’t necessarily mean it’s malicious. It’s the code within the app that uses these permissions that makes the determination of good or bad. Can “London Olympics Widget” read your contacts and read your SMS? Yes, but that doesn’t mean they are using the data collected in a malicious way. They are using the data to for advertisement reasons which isn’t considered blatantly malicious, but is considered something you may not want on your device which is why we detect it as a PUA.
As always, make sure you install apps from safe markets, and if it has more permissions than what you think it should, be cautious. Scanning with Webroot SecureAnywhere Mobile will detect PUAs and malware to make sure users stay ad annoyance free, and safe while using a mobile device.
London Olympic Widget with shortcuts added by aggressive advertisement SDK
Screen shot of app showing Olympic event on August 11th
Ads that popped up in notification bar
