Tag Archives: rogue

Beware of Fake Adobe Flash Apps

Posted on by

By Joe McManus

Last week Adobe announced that they would no longer be supporting Flash for Android. Adobe will be removing Flash from the Android Marketplace and users should be wary of fake Flash apps for their Android Devices.  Now to be fair to Adobe, they are not taking flash away from the Android platform but are focusing on the Adobe AIR cross platform runtime environment http://www.adobe.com/products/air.html. The reason Adobe is switching to AIR is to allow app developers to write one program for use on iOS and Android devices.

Let’s look at some of the fake Flash apps for Android that we have seen and what they do. This is just a small sampling; there are too many to highlight them all.

This first app we’ll look at is one of hundreds of premium SMS Trojans being distributed on third party markets that are fake installers for legitimate applications. What they really do is charge for what may or may not be a download of an already free app. The scam works when the user agrees to their ‘Terms’ and the app will send out three SMS messages containing SMS short codes that come with a fee. These messages go to a premium service setup by the malware author and will appear as charges on you phone bill. The charges vary depending on the user’s location but range around $8-12.

This has appeared many times as Flash Player 11, Flash Payer 10, FlashPlayer, etc. Webroot detects them as Android.FakeInst and has been tracking these type of fake installer for over a year; here, here and here.

Our next example is another scam of sorts. It doesn’t charge for anything but will install a bunch of aggressive advertising SDKs that are known to create ad-related notifications, shortcuts and bookmarks. This app requests 24 Android OS and device-specific permissions when, at most, it would need the INTERNET and WRITE_EXTERNAL_STORAGE permissions. The additional 22 permissions are for the ad SDKs. Webroot detects one of the ad SDKs bundled with the app as a Potentially Unwanted Application (PUA) and labels it  Android.Ads.Plankton.B.

Although it does download Adobe Flash for Android after agreeing to their License Agreement it does come with the cost of a bunch of other non-flash related stuff.

This final example is for an app that claims to be Flash Player but really installs an Adobe Flash Icon, that merely opens a browser window full of advertisements. These types of apps are annoying and really are meant to drive web traffic to sites so the developer can receive pay-per-click revenue, and in this case they deceive the customer into thinking they’re getting a known productive app. Like the previous example, this app isn’t malicious, but it’s more deceptive and doesn’t deliver on what it claims, for that Webroot detects Android.DreamStepFlash as a PUA.

Malicious and untrustworthy apps come in many different flavors, and as you can see, Adobe Flash is one that is used to lure unsuspecting users to install. Adobe will continue to release security updates for Adobe Flash and suggests you uninstall if your device is able to upgrade to Android 4.1.

Remember, always choose your apps wisely and download from a trusted source. Check reviews, research the developer and verify permissions requested before downloading.

Seen Ad Pop-up’s in Your Mobile Browser Lately?

Posted on by

by Armando Orozco

Today, one of our Webroot SecureAnywhere for Android users reported seeing ad redirections while browsing on his Android device. As we began investigating, we noticed that there were a lot of other mobile users seeing the same thing – yes, on their iPhones as well! We were also able to reproduce the behavior on our devices.

This appears to be a clever Ad redirection using JavaScript. The pop-ups are survey offers for free electronics like iPads and iPhones. The users are asked to complete a survey, at the end of which their email address and phone number is also recorded. I know we’ve all seen these pop-ups before, but we’re not used to seeing them in our mobile world.

These pop-ups are not related to any apps you may have installed – they are a result of how the web page was written. Web developers use “alert()” function in JavaScript, which displays a message box requesting response from a user. The advertisers utilize this method to display their ads.

We are still investigating this issue and hope to track down the advertisers responsible. There does not appear to be anything malicious about these pop-ups for the time being, but we are sure malware authors will employ this tactic soon. With the rash of Rogue Applications and the recent discovery of a Rogue AV app (blog coming soon), we can see how this method could be exploited with malicious intent. Again, these are not platform or application-specific behaviors.

To remedy these pop-ups, you can disable JavaScript in your browser settings.

Thanks to JohnDeth of our Webroot Community for bringing this to our attention.

“You Want To Pay For What!?”

Posted on by

by Nathan Collier

Recently we found new apps in alternative Chinese markets that we are considering a Potentially Unwanted Application (PUA).  We are calling these apps Android.PUA.SMS.QuickPay.  Lets look at a sample of this app.  The sample we will look at is an app called “Screen Detection” which is an app that helps find dead pixels on your screen by displaying the colors red, green, blue, black, and white making it easy to see the dead pixel in contrast to these colors.  Pretty simple app.  Within a few seconds of opening the app this message pops up:

“Activate the full version, charges 2 Yuan, sending an SMS, 2 /. Customer Service Phone :010 -84681340-8035”

This app has limited functionality before requesting a premium SMS be sent for the full version, and that limited functionality only lasts a few seconds.  If you do not agree to sending the premium SMS the app will just keep asking you to activate the full version whenever you click.  Once you agree to the message it turns on your Wifi if not already on (Okay, that’s a little fishy), and sends a premium text message.  After that the app works.  Two Yuan is about 32 US cents, so people may just pay the small fee instead of spending the time to find a free version; which with a simple app that only shows four different colors as it’s functionality you would think there is something out there in the Chinese android market that will do the same for free.

It may not seem like much, but two Yuan at a time these guys are making a fortune off of apps that should be free.  This is only one sample, there are several more very simple apps that we found that do various things, but all ask for a payment for it to function.  Although there are legitimate Android Box apps out there, these apps are different in that they have very limited functionality, are signed by a different developer, and exploits simple apps that should be free by requesting payment for full versions before you even have a chance to see what it does.

Remember to always download from apps from a trusted source and be weary of messages asking to pay money for the full version so quick on the draw.

Rogue APKs continue to find new homes

Posted on by

by Armando Orozco

We’ve been tracking rogue premium-sms Android apps for sometime now. Here’s an interesting site we came across offering a download of the Google Music application, but this one comes with a cost. This site serves up a premium-sms Trojan of the ransom variety. Targeting Russian speakers these Rogue’s, we call Android.FakeInst, offer to give access to the app but for a fee.

                          

Continue reading

I don’t think it means what you think it means…

Posted on by

Websites Hosting Android Trojans  

By Armando Orozco and  Nathan Collier

Rogue Android apps are making their way into alternative markets. Yes, we’ve seen some malicious apps trickle through and they can be elusive. But we’re now seeing markets that are only hosting malware. These rogues are of the premium rate SMS variety and request the user to send a bounty if they want the app. The interesting thing is that the websites they’re hosted on are very well put together and you can see that a great deal of time was put into creating them.

 The Websites

Click for Full Size

These well-crafted websites follow a similar layout; they have device reviews, app descriptions with screenshots, QR Codes and FAQs. So far, we’ve only found these websites aimed at Russian users, with the web pages written in Russian. The descriptions are similar to those in the Android Market and the screenshots appear to be taken from the market.  We are discovering that this network of SMS Trojans is fairly large. Continue reading

Our Twitter Q&A with Threat Research Director Jeff Horne

Posted on by

By Jeff Horne

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

On December 11, 2009, users of Twitter submitted questions to Webroot’s Director of Threat Research, Jeff Horne, as part of a live Q&A session. Webroot’s Twitter followers asked questions about connecting safely to the Internet while traveling during the holidays. A variety of questions came in live, with some others through direct messages in advance, and one non-twitter user asked a question via Webroot’s Facebook page. The interview was tracked using the #webroot hashtag, which has been omitted from the tweets to make them easier to read. We’ve posted a transcript of the Q&A on the following page.

Continue reading

Roman Polanski Arrest Spawns Headline-Hooking Rogues

Posted on by

By Andrew Brandt and Brenden Vaughan

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090928-polanski-fakealert-cropAs we’ve seen for the past several months, a celebrity ended up the top news story, which started a cascade of malware distributors racing to get their driveby pages to the top of search results. Today’s victim/subject is Roman Polanski, the renowned film director arrested on decades old charges of statutory rape. This kind of gossipy, tabloid headline is like candy for rogue antivirus distributors.

20090928-polanski-resultsWe began our search the minute we found out the news, and yes, within about half an hour of the story breaking, the pages began appearing in the search results on various engines. While some of the malicious pages were linked to search terms based on the name of the director, many also reference his victim, Samantha Geimer. The results redirect you into a fake virus scan page, which in turn leads you to a download of Windows PC Defender, a known rogue in the same vein as Antivirus 2010 and the other scam fantivirus tools so popular among Web criminals this year. Trojan-IM.Win32.Faker, indeed.

20090928-polanski-firewall-cropNot only does this rogue pretend to be an anti-malware tool, but it throws a monkey wrench into almost any existing protection, adding Image File Execution Options registry keys that prevent nearly all legitimate free and commercial antimalware tools from running. It also drops a Hosts file which prevents infected computers from contacting 12 payment processing domains associated with Antivirus 2010, and redirects all Google (including nearly 200 international Google domains), Yahoo, MSN, and Bing search results through a server belonging to search-gala.com, whose IP address is geolocated to an ISP in Brampton, Ontario, Canada (go Timberwolves!).

Not content to be a single-solution product, Windows PC Defender is a full faux-suite, offering completely fictitious desktop firewall results as well as antivirus. The rogue uses a modified copy of a free tool called Multi Password Recovery to extract your Windows license and display it in the firewall “alert,” presumably to raise the anxiety level of person who sees the “warning” message. The warning claims that “your computer is making an unauthorized personal data transfer” to an IP address assigned to NASA, which is currently not in use. Because everyone knows NASA wants your Windows license key, for, you know, space missions. amirite? Could an imaginary anti-phishing toolbar be around the corner? Who knows what’s next for these enterprising, though predictable, con artists.

Not to be outdone, distributors of black market drugs began using Twitter to spread ads as well, with an under-140-character tagline promising juicy Polanski-arrest news. We’ll keep an eye on the situation, but it’s probably best to steer clear of links to unfamiliar sites, especially those promising revealing or “previously undisclosed” pictures, movies, or other such nonsense.

wordpress blog stats

Drive-by Downloads Still Pack a Punch – If You Click

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090624_driveby_grumpy-sIn the course of surfing around, looking for ways to get infected, I stumbled upon a site that offers visitors downloads of key generators, cracks, and other ways to circumvent the process used by most legitimate software companies to prevent people who didn’t pay for the software from registering or using it.

And of course, I stumbled into a morass of malware.

Well, “stumbled” isn’t entirely accurate. The site is well-known to us as a host of drive-by downloads — it’s a site that uses browser exploits to infect your computer. But I went there anyway just to see what they’re driving-by with these days. Technically, the site didn’t burn us — it came from an advertising network, which loaded a script that bounced to three separate machines before landing my test PC in the hot seat. Cold comfort if your PC happens to get slammed with this junk.

Continue reading

May Threat Trend: Misleading Malware

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090608-fakealert_sThe latest data from our customers indicate that, at least in the month of May, we were blocking and removing some of the nastiest threats on the Web. Among the spies we took out, we hit Fakealerts and Rogue Security Products hard. These spies simply try to fool you into making purchases you otherwise wouldn’t. After taking a hiatus of several months, the makers of these types of malware appear to be making a comeback.

Simply put, a Fakealert is just a piece of adware. Unlike traditional ads, however, the ads a Fakealert pops up take on the appearance of official-looking error dialogs and Windows-esque warning messages — albeit, not always as poorly worded as the example shown here. Many present themselves as clones of the Windows Security Center control panel, or as those cartoon-voice-bubble popups from the System Tray.

Fakealerts push their particular brand of stale baloney on the unsuspecting public for one reason: They want to trick you into downloading and running a program that looks, for all intents and purposes, like a system utility or an antispyware or antivirus product. The program displays realistic-looking “scans” that “find” allegedly malicious files on your computer.

The joke of these “scans” is that they’re often no more than Flash animations. Because they run on any operating system that can display a Flash video, you can even get them to “scan” a Mac or Linux box, and “find” malicious files in parts of the filesystem that don’t even exist on those platforms. Oh well; you can’t blame a fraudster for trying.

Many of these threats are installed when users inadvertently click a popup message that warns the user that they need to run a file in order to load a missing video codec, or install an ActiveX control that supposedly will perform a “free scan” of a system. Sometimes the people behind these ads even put a fake “close box” in the upper right hand corner of the fakealert message, to trick you into clicking inside the active area of the ad window. If you see this kind of ad appear, hold down the Alt key on your keyboard while you press the F4 key — that will close the ad window without requiring you to click anywhere inside of it.

The bottom-line message to you is that while you should remain vigilant against potential frauds and scams, keeping your PC updated with the latest threat definitions is equally if not more important.

Stepping up to the Loserbar

Posted on by

fake google search result

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Last year, we at Webroot (as well as many other people) saw a huge spike in two specific types of malware: Rogue antispyware products — the ineffective, deceptive kind — and the various tricks the companies that sell rogues use to trick you into downloading (and eventually buying) their bogus products, something we refer to, generally, as Fakealerts.

Here’s usually how the trick works: First, you’re fooled into browsing to a Web site which employs any of a number of tricks to install the Fakealert code onto your PC. The Fakealert then begins popping up messages warning you about some sort of infection in the System Tray, or in dialog boxes, and/or by opening browser windows to pages that look uncannily similar to control panels or dialog boxes used by Windows XP and/or Vista. Later, after you’ve been provided a smoke-and-mirrors “free scan” of your system (which, of course, reports all kinds of salacious and undesirable “detections”), you’re directed to a page where, for just $59 you can be rid of your spyware problems forever.

Yeah, right.

The tricks these guys employ get more creative with every new iteration. We’ve seen them drop hundreds of junk files on a hard drive, which are then “detected” as infections; install screensavers that look just like your computer is going through Blue Screen of Death convulsions; and run every dirty trick and cheap gimmick to get a sale.

So it came as no surprise when we encountered yet another Fakealert — we decided to call it Adware-Loserbar — that leads, eventually, to a rogue product. What set this one apart was its sheer gall — and a few new tricks we hadn’t seen before.

Continue reading