
Security Response

Showing posts tagged with Android
Showing posts in English
Irfan Asrar | 27 Feb 2012 19:33:30 GMT | 0 comments

When you know that the goal of a piece of code is to ultimately result in monetary gain for the author, analysis becomes a lot easier; it is a matter of just putting the pieces together until you can figure out how the payload is translated into tangible value. But take away the monetary gain element and, even if you are able to find out what makes something tick in minute detail, you are never quite sure what the final intent of the author was.

However, in the case of Android.Moghava, while there appears to be no monetary gain involved, I would describe it as a juvenile stunt with slight overtones of political satire.

From our analysis of an Iranian recipe app infected with this threat (distributed from a third party and not the Android market), the malware is embedded as an additional package called Moghava. Moghava in Farsi translates as “cardboard...

Joji Hamada | 10 Feb 2012 18:48:23 GMT | 0 comments

We have continued monitoring the massive campaign involving SMS Fraud on the mobile platform for a while now as new activities are constantly taking place. New domains are created practically every day and new variants are being released consistently. Most activities are not really noteworthy. However, we did discuss a recent development of interest regarding the APK malware using server-side polymorphism. And earlier this week, we came across a new type of site that is not technically interesting, but is worthy of a mention in order to warn people about the new activity.

A little while back, a fake Android Market was developed that hosted various Apps that were ultimately malware. As you can see below, the page looks slightly different from the official Android Market.

...
Cathal Mullaney | 08 Feb 2012 21:14:37 GMT | 0 comments

Thanks to Eric Chien for his assistance with this research.

Introduction

We recently came across a new piece of Android malware, first highlighted by NC State’s Xuxian Jiang, and began investigating the command-and-control (C&C) servers associated with the threat. The malware was discovered on a third party marketplace (not the Android Market) and is bundled with a legitimate application for configuring phone settings. Trojanized applications are a well known infection vector for Android malware, as they allow malware to be distributed while retaining the appearance of a legitimate application.

Analysis of these servers indicates that the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands. The number of infected devices able to generate revenue on any...

Symantec Security Response | 01 Feb 2012 23:53:57 GMT | 0 comments

For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites. We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software.

The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are also made every few days indicating that the malware authors are actively maintaining this malware family.

Opfake...

Fred Gutierrez | 24 Jan 2012 19:11:40 GMT | 0 comments

Contributor: Masaki Suenaga

We certainly are! It is American football season and the Super Bowl is right around the corner. Apparently, so are the malware authors. It would not be the first time they took advantage of this sporting event. Back in 2007, the Dolphins (hosts for Super Bowl XLI) had their website compromised by links to malicious JavaScript. Several visitors looking up Super Bowl information on this site were hit with an exploit pack designed to attack their Web browsers and install hidden malware. Taking a page out of their playbook, Android malware authors this season bring us a fake version of the popular gaming franchise, Madden NFL 12. Being over 5 MB in size, it certainly looks like a game worth trying! Once installed, it will even display the following icon:

After the user launches the app, there is, unfortunately, no...

Joji Hamada | 12 Jan 2012 22:10:29 GMT | 0 comments

During the summer of 2011, one-click fraud targeting smartphones was discovered. One-click fraud has now become so common that doing a quick search for certain keywords on the Internet using a smartphone leads to a high possibility of coming across one of the scam sites. The typical attack simply attempts to trick users into registering for a paid service. Details of the users and their phones are displayed on the page in an attempt to convince them that the site owners may take legal actions if the user does not pay them a certain amount of money. There were no malicious files involved. More details are available in this blog.

Now, in 2012, one-click fraud for smartphones has evolved and begun to use applications. File usage for the fraud is common on the Windows platform and has been used for years. When users attempt to view a video on a computer, they...

Irfan Asrar | 10 Jan 2012 16:13:58 GMT | 0 comments

2011 has seen some dramatic changes in the mobile landscape, with the ever-increasing growth rates in consumer adoption of smart phones. This has not gone on without getting the attention of the criminal fraternity, which has turned its attention to mobile malware. But what remains to be seen is if this trend moves beyond the stage of testing the waters to actually making a significant impact, reaching the scales we associate with threats for Windows. If the activities of the past week are any indicator, then 2012 is off to an interesting start. Another scam has come to our attention, this time targeting Android users in France, attempting to exploit the frenzy surrounding Carrier IQ.

From our analysis, Android.Qicsomos is a modified version of an open source project meant to detect Carrier IQ on a device, with additional code to dial a premium SMS number. On installation,...

Peter Coogan | 09 Jan 2012 14:59:33 GMT | 0 comments

Contributors: Conor Murray, Paul Mangan.

Fraudulent apps appearing on the official Android marketplace is an ongoing issue and one that we have blogged about in the past. Today we received reports of yet more fraudulent apps capitalizing on popular game titles and masquerading as these games. In this case, the apps are published under the name "Stevens Creek Software".

During installation of the fraudulent app, only one permission request is made for full Internet access. In the past, we have seen fraudulent apps looking for numerous unnecessary permissions during installation that may alert the user of the risks involved in installing the app. With just one permission request required by this fraudware during installation, it may seem less of a risk to potential victims. Once installed on the...

Irfan Asrar | 19 Dec 2011 18:30:30 GMT | 0 comments

Hacktivism, or as one blogger put it “Revolution 2.0”, is something I would describe as an activist agenda where there may be no visible monetary gain by the instigator. Instead, the overall goal is to send a message or get a point across. Even though, on occasion, the message may be something many will sympathize with, this doesn’t mean it’s a victimless crime. In many cases, the cost of getting an agenda across may involve using resources (even people) without consent. An example of this emerged over the past weekend. For many across the Arab world, December 18, 2010, marked the birth of what has now come to be commonly known as “The Arab Spring”. Among the many online tools that are being used to coordinate, inform, and get the word out about protests, Symantec has discovered a Trojan mass-mailer/downloader embedded in an Android App.

The Trojan was...

Symantec Security Response | 13 Dec 2011 13:07:51 GMT | 0 comments

Thanks to Masaki Suenaga and Andy Xies for their analysis.

Following the tweet from our @threatintel Twitter account last night about malicious applications targeting users in European countries, Symantec Security Response has identified another group of fraudulent apps on the Android market, but this time under a different publisher ID. From our analysis, the 11 newly discovered apps are published under the name “Miriada Production” and are identical to the apps published under the name “Logastrod”. These apps capitalize on popular game titles and masquerade as these games, but in fact they just send two texts to premium-rate, local SMS numbers in the country where the SIM card is registered. The app also prevents notifications from being displayed if the incoming text is from certain numbers.

Once notified of these apps by Symantec, Google acted promptly...