Security Response
Showing posts tagged with Android
Roberto Sponchioni | 11 Sep 2013 10:08:58 GMT

Contributor: Lionel Payet

Back in June we discovered a malicious Android application that was holding users’ Android phones for ransom. This discovery confirmed earlier predictions that ransomware would evolve and arise on new platforms, such as mobile devices.


As part of our pre-emptive SMS spam domain identification, we have detected a recently registered domain that is currently serving a new Android FakeAV app using ransomware social engineering. Different hints led us to believe that this application is linked to, or coming from, the same authors behind Android.Fakedefender, which we blogged about back in June. Despite it using a new design and a different ransom payment method, this new variant still contains the older images in its package file....

Joji Hamada | 09 Sep 2013 23:57:03 GMT

For many of us around the globe, August may be a month to take a bit of a break from work and go on a summer holiday. In contrast, August appears to be the busiest month of the year for the scammers developing Japanese one-click fraud apps. They have increased productivity to publish close to 1,000 fraudulent apps on Google Play during August. As a result, they have succeeded in tricking Android device owners into downloading the apps at least 8,500 times, according to statistics shown on the Google Play app pages. The actual figure is likely much higher and probably exceeds well over 10,000 downloads.


Figure 1. Daily publication count for August

The number of one-click fraud apps...

Symantec Security Response | 13 Aug 2013 23:47:38 GMT

There’s been a lot of confusion over the last few days, since it was announced that an Android component responsible for generating secure random numbers contained a critical weakness that rendered many Android bitcoin wallets vulnerable.

There are a number of different issues that seem to have come into play to make these bitcoin wallets vulnerable.

Bitcoin uses the ECDSA algorithm to ensure that funds can only be spent by their rightful owners. The algorithm requires a random number to compute an ECDSA signature, but if two different messages are signed with the same private key and the same random number, the private key can be derived. This is a known method of attacking the algorithm and was previously used to break the...

Joji Hamada | 08 Aug 2013 23:16:45 GMT

It is not uncommon to see social media accounts, specifically Twitter accounts, directing users to malicious sites such as the ones hosting Android.Opfake, an issue we blogged about last year. Recently, we discovered that the accounts of innocent users were being compromised to tweet these types of malicious links to their followers.


Figure 1. Malicious tweets from compromised accounts

The series of compromised accounts appears to have started around the beginning of July and has affected users globally. A broad range of accounts have been compromised for...

Symantec Security Response | 30 Jul 2013 17:31:07 GMT


In a recent blog entry we covered how scammers continue to publish malicious apps on Google Play and how the Android app market is struggling to keep itself clean.

In many cases it is difficult to quickly identify any malicious intent of applications and in-depth analysis is often required to be truly safe—a challenge for Google Play’s publishing process to prevent malicious apps from slipping through.

Symantec Security Response has discovered 14 applications, all published by the same developer, that allow the developer to create connections to any website of their choosing...

Symantec Security Response | 23 Jul 2013 20:48:04 GMT

Earlier this month, we discussed the discovery of the Master Key vulnerability that allows attackers to inject malicious code into legitimate Android applications without invalidating the digital signature. We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has.

Norton Mobile Insight—our system for harvesting and automatically analyzing Android applications from hundreds of marketplaces—has discovered the first examples of the exploit being used in the wild. Symantec detects these applications as Android.Skullkey.

We found two applications infected by a malicious actor. They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments.


Andrea Lelli | 16 Jul 2013 17:38:23 GMT

In a previous blog, we talked about the rise of remote access tools (RAT) written in Java that are capable of running on multiple operating systems. With the growing popularity of the Android operating system, it comes as no surprise that the Android OS is the latest target and is not immune to RATs. Since late last year, underground forums have been offering a free Android RAT known as AndroRAT (Android.Dandro). Now, unsurprisingly, the underground economy that caters to the needs of cybercriminals has created the first tools (called “binders”) that easily allow users to repackage and Trojanize legitimate Android applications with AndroRAT.



Symantec Security Response | 09 Jul 2013 21:13:15 GMT

A serious Android vulnerability, set to be disclosed at the Black Hat conference, has now been publicly disclosed. The vulnerability allows attackers to inject malicious code into legitimate apps without invalidating the digital signature.

Android applications must be digitally signed. This allows one to ensure the code within the app has not been tampered with and also assures the code was provided by the official publisher. Furthermore, Android utilizes an app-level permission system where each app must declare and receive permission to perform sensitive tasks. Digital signing prevents apps and their accompanying permissions from being hijacked.

This serious Android vulnerability allows an attacker to hide code within a legitimate application and use existing permissions to perform sensitive functions through those apps. Details of the vulnerability can now be found online and are extremely simple to implement.

Injecting malicious code into legitimate apps has...

Symantec Security Response | 02 Jul 2013 16:37:07 GMT

Keeping an app store free of malicious applications can be a hard task as we have discussed in our previous blogs. Fake or misleading applications, in particular, are often the hardest to spot because it is not always obvious whether they do what they claim to do.

Our automated systems flagged an egregious example of a misleading application that was posted to the Amazon Appstore for Android.

The application, named Password Wifi Hacker Plus, purports to crack passwords of nearby Wi-Fi networks. However, the application only pretends to do so and displays fake dialog boxes.

Figure. Password Wifi Hacker Plus fake dialog box


Symantec Security Response | 26 Jun 2013 23:05:46 GMT

Today we released a new version of Norton Mobile Security for Android devices that contains our new Norton Mobile Insight technology. Mobile Insight has analyzed over 4 million Android applications and processes tens of thousands of new applications every day. Through automatic and proprietary static and dynamic analysis techniques, Mobile Insight is able to automatically discover malicious applications, privacy risks, and potentially intrusive behavior. Further, Mobile Insight will tell you exactly what risky behavior an application will perform and give you specific, relevant, and actionable information.

The ability of Mobile Insight to automatically provide granular information on the behavior of any Android application even surprised us when we reviewed the most popular applications exhibiting privacy leaks. 

Of particular note, Mobile Insight automatically flagged the...