by Armando Orozco
We’ve been tracking rogue premium-sms Android apps for sometime now. Here’s an interesting site we came across offering a download of the Google Music application, but this one comes with a cost. This site serves up a premium-sms Trojan of the ransom variety. Targeting Russian speakers these Rogue’s, we call Android.FakeInst, offer to give access to the app but for a fee.
by Nathan Collier
Android.SMS.FakeInst is a Trojan that aims to do one thing — trick users into sending premium SMS messages by pretending to be an install for an app. Here’s how the scam works: The user sends three premium SMS messages in exchange for an app, but there is no guarantee that it will actually install anything after they already have your money. These malicious apps are getting harder and harder to discern as malicious as the look and feel of these apps get better through newer iterations. One variant of these Trojan apps, which comes from a known malicious site, looks better with each update. Let’s start with one of the first iterations of this variant.
The icon looks fairly convincing:
 |
by Nathan Collier
In our continued series of how Android malware authors continue adding functionality to their work we take a look at GoManag. First seen last year, targeting Chinese speakers, GoManag is a Trojan that installs as a service so it can run in the background, collects device information and downloads payloads. Its odd name comes from part of a URL it attempts to contact to.
Malicious GoManag app running in the background as the name “Google Search (Enhanced)”
By Nathan Collier
We’ve all seen software grow. We watch as our favorite software adds on new features and becomes better at what it does. Malware writers are no different, they want their software to have more features as well as steal even more information. PJApps is a good example of this. PJApps is a Trojan that’s been around for a while causing havoc by being bundled in legitimate applications found in alternative Android markets, it is capable of opening a backdoor, stealing data and blocking sms behind the scenes. In one variant of PJApps it requests the following permissions to steal information:
INTERNET
RECEIVE_SMS
SEND_SMS
READ_HISTORY_BOOKMARKS
WRITE_HISTORY_BOOKMARKS
INSTALL_PACKAGES
WRITE_EXTERNAL_STORAGE
READ_PHONE_STATE
Here’s some of things the older variants of PJApps stole:
-SIM Card Number
-Telephone Number
-IMSI Number
By Dancho Danchev
Which is the most targeted mobile operating system?
According to the recently released 2011 Mobile Threats Report from our partners at Juniper Networks, that’s the Android OS.
Key summary points from the report:
By Armando Orozco
Are Android phones susceptible to Trojans and other viruses just like computer? How can you make sure your phone doesn’t become infected and if it does, what can you do? Webroot mobile threat research analyst, Armando Orozco answers this question that was asked to our Webroot Threat Research team via Twitter.
By Armando Orozco
Be wary the next time you enter your passcode into your iPhone on the bus – someone could be shoulder surfing. In fact, a team of researchers from the University of North Carolina has developed a system to watch you pecking out characters on your phone, analyse the video, and produce a pretty accurate guess of what you were typing.
When people talk about key loggers, they’re usually thinking about malware that sits on a computer and surreptitiously monitors what keys people are pressing. But these university researchers are applying an entirely different approach to key logging. Instead of putting software on computers, they are investigating ways to monitor the text that people input into their mobile phones. They do it by taking video of your phone, either directly (over your shoulder or from the side), or simply by reading the reflections of your phone’s screen in your glasses.
The researchers developed a mechanism for looking at mobile phone screens using cheap, mobile videocameras. The cameras record video of people typing on ‘soft’ keyboards, such as those used by Apple’s iPhone. These keyboards commonly use ‘pop out’ animations, in which the key being pressed gets bigger when pressed, to confirm to the user that they have selected the right letter. The pop-out animation makes it easier to see which keys are being pressed in the video.
Mobile cameras have increased dramatically in quality lately, making them far more capable of capturing reflected keyboard images. These cameras are embedded in smartphones, of course, or if you wanted to get even techier, you could buy one of these.
By Armando Orozco
You’ve heard of the “perfect storm”? Well, there may be one brewing in Android-land. We just wrapped up a study that revealed holiday shopping is about to go mobile—in a big way. Turns out, over two times more shoppers plan to buy gifts on their mobile device this year. Over two times more?! It got me thinking…
We know that Android malware is on the rise. Even Android users themselves seem aware of it; our mobile study also found that 23 percent more Android users are concerned with the security of their information than iOS users. And although Google reported it was tightening access to its open source Android OS back in March, our researchers continually spot plenty of opportunities to capitalize on vulnerabilities because there’s still virtually no review process for new apps
It’s not hard to put two and two together.
As sleigh bells start ringing and shoppers reach for their mobile devices, I can just imagine cybercriminals licking their lips. We’ve seen two popular tactics for Android malware: gaining remote access to your device’s data and sending texts to premium numbers. Of course the end goal is the same for both routes: money, money, money. And what more profitable time to go after the pot of gold than during the busy gift-buying season?
But here’s one more thing to consider: We can’t single out Android devices, because malware isn’t the only risk. The portability of iOS-based smartphones and tablets means they can easily fall into the wrong person’s hands—and whatever data is on that device would go with it.
So before you hit the “mobile mall” on Black Friday, take a few simple steps to protect yourself and your data:
The bottom line: Be a savvy shopper, whether you’re on your Android at the airport or your computer at home. ‘Tis the season to shop safely.
Websites Hosting Android Trojans
By Armando Orozco and Nathan Collier
Rogue Android apps are making their way into alternative markets. Yes, we’ve seen some malicious apps trickle through and they can be elusive. But we’re now seeing markets that are only hosting malware. These rogues are of the premium rate SMS variety and request the user to send a bounty if they want the app. The interesting thing is that the websites they’re hosted on are very well put together and you can see that a great deal of time was put into creating them.
The Websites
Click for Full Size
These well-crafted websites follow a similar layout; they have device reviews, app descriptions with screenshots, QR Codes and FAQs. So far, we’ve only found these websites aimed at Russian users, with the web pages written in Russian. The descriptions are similar to those in the Android Market and the screenshots appear to be taken from the market. We are discovering that this network of SMS Trojans is fairly large. Continue reading
By Armando Orozco
A couple of days ago researchers for Android Police wrote about a security vulnerability in several HTC phones. The vulnerability lies with logging tools installed by HTC. These logging tools collect personal data like user accounts, email addresses, GPS info and SMS data. Having these tools logging users data is one thing but the fact that they are left unsecured and available to be exploited by a 3rd party app is a big blow to the device manufacturer. A 3rd party app would only need to request the INTERNET permission to gain access to the information collected by the tools. Why HTC has these tools in place hasn’t been answered, an answer they’ll have to provide to their customers at some point.
HTC’s public statement: “In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.”
The update will be sent over-the-air and users will receive a notification to install. No word on when the update will be available.
We all have a role to play in keeping our computing secure, but developers have a key role in that they need to ensure their applications are secure when it comes to customer’s data. This happens a lot, most recently with Skype, hopefully with more and more big name vendors being called out we’ll see developers tighten up their code.
Affected phones
EVO 4G
EVO 3D
Thunderbolt
EVO Sensation
MyTouch 4G slide
