By Nathan Collier
Android.RoidSec has the package name “cn.phoneSync”, but an application name of “wifi signal Fix”. From a ‘Malware 101′ standpoint, you would think the creators would have a descriptive package name that matches the application name. Not so, in this case. So what is Android.RoidSec? It’s a nasty, malicious app that sits in the background (and avoids installing any launcher icon) while collecting all sorts of info-stealing goodness. Continue reading
By Cameron Palan and Nathan Collier
Recently, we discovered a new malicious Android application called Android.MouaBot. This malicious software is a bot contained within another basic app; in this case, a Chinese calculator application. Behind the scenes, it automatically sends an SMS message to an auto-reply number which replies back to the phone with a set of commands/keywords. This message is then parsed and the various plugins within the malicious packages are run or enabled.
By Nathan Collier
We have found a new threat we are calling Android.TechnoReaper. This malware has two parts: a downloader available on the Google Play Market and the spyware app it downloads. The downloaders are disguised as font installing apps, as seen below:
By Dancho Danchev
Over the past year, we observed an increase in publicly available managed TDoS (Telephony Denial of Service) services. We attribute this increase to the achieved ‘malicious economies of scale’ on behalf of the cybercriminals operating them, as well as the overall availability of proprietary/public DIY phone ring/SMS-based TDoS tools.
What are cybercriminals up to in terms of TDoS attack tools? Let’s take a peek inside a recently released DIY SIP-based (Session Initiation Protocol) flood tool, which also has the capacity to validate any given set of phone numbers.
More details: Continue reading
By Dancho Danchev
Earlier this year we profiled a newly released mobile/phone number harvesting application, a common tool in the arsenal of mobile spammers, as well as vendors of mobile spam services. Since the practice is an inseparable part of the mobile spamming process, cybercriminals continue periodically releasing new mobile number harvesting applications, update their features, but most interestingly, continue exclusively targeting Russian users.
In this post, I’ll profile yet another DIY mobile number harvesting tool available on the underground marketplace since 2011, and emphasize on its most recent (2013) updated feature, namely, the use of proxies.
More details: Continue reading
On Wednesday, February 27th, Webroot’s Security Intelligence Director (Grayson Milbourne) and Senior Mobile Analyst (Armando Orozco) presented at the RSA Conference in San Francisco. Their topic, Android Malware Exposed – An In-depth Look at its Evolution, is an expansion on their previous year’s presentation, highlighting the severity of Android malware growth. Focusing on the history of operating system releases and the diversity across the market, as well at the threat vectors and behaviors in the evolution of Android malware, the team has established strong predictions for 2013. Continue reading
By Dancho Danchev
Have you ever received a blank call, and no one was on the other side of the line? What about a similar blank SMS received through your mobile carrier’s Mail2SMS gateway? There’s a high probability that it was a mobile spammer who’s automatically and efficiently verifying the validity of a recently harvested database of mobile numbers, with QA (Quality Assurance) in mind. These verified databases will be later on used as the foundation for a highly successful spam/scam/malicious software disseminating campaigns, thanks to the fact that the cybercriminals behind them will no longer be shooting into the dark. How do they do that? What kind of tools do they use?
Let’s find out by profiling a Russian DIY (do it yourself) software vendor, that’s been operating since 2011, and is currently offering a Session Initiation Protocol (SIP) based phone number verification tool, as well as USB-modem based phone number verification application.
More details:
The mobile landscape has boomed in the last couple of years mostly in part because of Android devices and social networking. This has opened the door for everyone to have access to a smartphone and have the cyber world at their fingertips. Smartphones have become an extension of us, and we now have our email, banking, social networking, television and internet on the go. We live in a world of instant access.
With this excitement and convenience, we may lose track something we take serious is our privacy and security. Looming in this mobile landscape are people who want benefit from our oversight and continuous usage. Continue reading
by Armando Orozco
Recently, two applications designed with malicious intent were discovered within the Google Play application store. The apps were built with a façade of being utility cleaners designed to help optimize Android-powered phones, but in reality, both apps had code built in designed to copy private files, including photos, and submit them to remote servers.
The applications, named SuperClean and DroidClean, did not stop there. Researchers also found that the malware was able to AutoRun on Windows PC devices when the phones were paired, and infect the main computer. The malware was designed to record audio through the computer’s microphone.
AutoRun has often been used as a method of infection, and Microsoft has since sent a security fix out to Windows XP/Vista/7 in order to disable the exploitable element. In some cases, however, the feature might have been re-enabled by the user for convenience or never changed through a backlog of updates.
An application such as this has not been seen in the past, and is showing the creative methods through which malware coders are attempting to break through a computer’s security. With the Android device acting as a Trojan horse for the infection, malicious code has the potential of bypassing established security parameters that typically keep endpoint users safe within their network.
While Webroot has classified the malicious apps, which have been removed from Google Play’s market, it goes to show that protective steps are necessary on all levels of devices to avoid an infection. Below, we will highlight the steps you can take to help stay protected from attacks like these.
Android Devices:
Webroot SecureAnywhere (PC users):
For all users, we recommend ensuring that AutoRun is disabled on your computer. Even though Microsoft rolled out updates to disable, it is possible it could be enabled. Finally, always ensure you scan USB and other connected devices for malware before storing data or using on other PCs.
For more information and to keep up with the conversation, head to our community: http://bit.ly/11RKiFa
Source: SecureList http://www.securelist.com/en/blog/805/Mobile_attacks
By Dancho Danchev
Over the past 24 hours, our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign.
More details:
