Anonymous Anonymous Claims Anonymous is Not Anonymous

December 28th, 2011, posted in F-Secure, English Italian Translations

You’ve probably heard about the stratfor.com hack by now. Anonymous claimed responsibility.

Then Anonymous denied being responsible.

pastebin.com/8yrwyNkt

But then today, “Anonymous” claimed that the earlier anonymously posted pastebin post wasn’t Anonymous, but was really Stratfor employees claiming to be Anonymous.

pastebin.com/4KeCkGUF

Wait… doesn’t Anonymous claim that “we are all Anonymous”? If that’s true, then maybe it was Anonymous after all.

Does anybody care anymore?

Appears the public doesn’t. Google’s instant results for “anonymous is” and “anonymous are” contain few compliments for the group.

In other news: Anonymous promised another data dump today.

pastebin.com/q5kXd7Fd

Pending denials by Anonymous of course.

Source: Anonymous Anonymous Claims Anonymous is Not Anonymous

Apply Security Online to Protect Yourself Offline

November 26th, 2011, posted in English Italian Translations, Trusteer

As part of this week’s ‘Get Safe Online’ campaign in the United Kingdom, Trusteer have issued a warning that fraudulent phone calls are increasing in popularity amongst the criminal community to commit ID theft and that everyone needs to be on their guard to avoid falling victim – on or offline. One possible use for these bogus ‘bank’ calls is to utilise personal identification information stolen using malware to give fraudsters credibility as they collect the missing information required to ‘pull off’ their scams.

The phenomenon of stealing data using one channel such as the web and using it in a different channel or context such as social engineering attacks is often overlooked. Trusteer has found that data collected by Man in the Browser attacks can be used for other purposes than automated transaction fraud. Defending against the new wave of hybrid attacks requires both technology to detect MitB malware and vigilance from the users of online services.

Traditional financial malware fraud starts off by identifying the targeted bank and learning how its online banking service functions. Once fraudsters understand the online banking flows and security processes, a fraudulent scheme is designed and the corresponding malware attack is configured (e.g. the MitB security training scam discussed in previous blog posts at http://www.trusteer.com/blog). Lastly, bank clients are infected with the malware and the fraud starts its execution sequence.

Other forms of financial malware fraud work in reverse: first, malware is placed on victims’ machines, where it logs online activity and banking credentials; fraudsters then use credential data fished from the malware logs to access online banking sites and perpetrate fraud. Trusteer Research has even identified fraudsters selling Zeus malware logs in the open market; the going price is between $1 and 60 cents per 1GB.

However, the problem with this method is, in many cases, the data collected by the malware is insufficient to commit the actual fraud:

  • The one time password (OTP) authentication credentials originally collected are no longer valid
  • Banks require Transaction Signing to transfer money
  • Additional authentication data is required by the bank when logging in from a new IP address

Professional caller services can be used by fraudsters to obtain the missing data required to complete a successful online fraud. A forum advertisement, discovered by Trusteer, offers a phone service with professional callers, fluent in English and European languages, who can impersonate male and female, as well as old and young, voices. As with any business, the service states its regular ‘operating hours’ as American and European working hours. The price is a rather reasonable $10 per call. These criminals were offering calls to private customers, banks, shops, post offices and any other organisations according to the customers’ specific requirements. They’ll even prepare phone numbers to accept calls in case victims should want to call back for any reason. Trusteer’s additional verification reveals that the group has been operational since 2009.

Although the actual caller’s scripts are not shared in the forum advertisement we can imagine scripts used to collect the missing data would look something like:

Step 1: Caller Establishing Credibility

The caller would use data collected by the malware to gain credibility, for example the caller will ask “Are you John Smith, living at their address, with credit card number ending in 2345?”

Step 2: Caller Collects Missing Data

Once the caller has established credibility, they will go on to collect:

a) The SMS OTP – for example “We have just sent you an SMS with an OTP so we can make sure you are John Smith, can you please read it for me?”

b) Any other additional authentication information – for example “For verification, can you please give me the last four digits of your SSN?”

c) They can even get the user to generate a transaction signing code with fraudulent payee and amount information, for example “We need to calibrate your transaction signing reader so could you please enter the following details online and then tell us what happens.”

While everyone’s attention is focused on protecting themselves in the ‘virtual’ world, they’re still very much at risk back here in the ‘real’ world. Fraudsters are turning to phone call services in an endeavour to trick people into disclosing their confidential information, sourcing professional callers to impersonate representatives from financial organisations. The sad truth is that it is actually far easier to perpetrate social engineering over the phone than many realise.

It’s rather disturbing how professional the group’s marketing is. It claims to have extensive experience working with bank customers, banks and shops. It even highlights their financial expertise, bragging that in the majority of cases they complete bank transfers and transactions.

For individuals, Trusteer advises they:

  • make sure to use up-to-date anti-malware solutions, especially any recommended by their bank, to prevent data theft in the first instance;
  • treat all unsolicited phone calls with caution, irrespective of any validation information the caller may offer;
  • use contact numbers provided by the bank, not the caller, to verify the authenticity of the contact.

Source: Apply Security Online to Protect Yourself Offline

World of Warcraft Confession Uncovers Teen Murderer

November 12th, 2011, posted in DFI News, English Italian Translations

World of Warcraft promo image

A World of Warcraft confession as well as myriad other pieces of digital evidence allowed the Vancouver Island Major Crime Unit and the Royal Canadian Mounted Police to solve the murder of Kim Proctor, a Canadian high schooler whose burnt remains were found under a bridge.

For cases involving teens, the online world is “more valuable than ever,” says Corporal Darren Lagan, spokesperson for the British Columbia Island District R.C.M.P. “People tend to be freer online, especially young people—they don’t feel any repercussions or anyone watching.”

Kim’s supposed friends, Kruse Wellwood and Cameron Moffat, lured her to Kruse’s house where they bound, beat, and raped her before dumping the body. A text message sent from the site they disposed of the body served as crucial evidence.

Investigators monitored Facebook, including a public memorial page her family and friends set up in her honor, culling potential witnesses there as well as on other publicly available Facebook pages—none of which necessitated a warrant.

Soon, police had enough evidence to secure the necessary judicial authorization to monitor and analyze Kruse’s and Cam’s online activities. Keeping Kruse and Cam under close surveillance, the police bugged their homes, their cell phones, and even the gazebo where they hung out in the park. Through forensic analysis of the boys’ computers and cell phones, they dug up their Google and Wikipedia searches, as well as old transcripts of texts and instant messages. In total, the Tech Crimes Unit amassed the equivalent of 1.4 billion sheets of paper on the two.

When the boys were finally arrested, the two pleaded guilty to first-degree murder and indignity to human remains and were sentenced to life imprisonment with no possibility of parole for 10 years.

Source: Vanity Fair

Source: World of Warcraft Confession Uncovers Teen Murderer

SpyEye Changes Phone Numbers to Hijack Out of Band SMS

October 8th, 2011, posted in English Italian Translations, Trusteer

The Trusteer research team recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks. Using code we captured while protecting a Rapport user, we discovered a two-step web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge.

Step 1

In the first step of the attack, SpyEye steals the victim’s online banking login details. This is standard operating procedure for financial malware like SpyEye, Zeus, and others. The fraudsters can now access the victim’s account without raising any red flags that would be picked up by fraud detection systems.

Step 2

In Step 2, SpyEye changes the victim’s phone number of record in the online banking application to one of several random attacker controlled numbers. In order to complete this operation the attacker needs the confirmation code which is sent by the bank to the customer’s original phone number. To steal this confirmation code the attacker uses the following social engineering scheme.

First, SpyEye injects a fraudulent page in the customer’s browser that appears to be from the online banking application. The fake page purports to introduce a new security system that is now “required” by the bank and for which customers must register. The page explains that under this new security process the customer will be assigned a unique telephone number and that they will receive a special SIM card via mail. Next, the user is instructed to enter the personal confirmation number they receive on their mobile telephone into the fake web page in order to complete the registration process for the new security system. This allows the criminals to steal the confirmation code they need to authorize changing the customer’s mobile number.

The following is a screen shot of the fraudulent page created by SpyEye that is presented to the customer (translated from Spanish to English):

Fraudulent page by Spyeye

Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network. This allows them to use the SMS confirmation system to divert funds from the customer’s account without their knowledge, while not triggering any fraud detection alarms.
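The attack above leaves a pattern in the bank's own event log: a change of the SMS phone number followed shortly by transfers to payees the account has never paid. A rule that checks each transaction in isolation misses it, because every transaction was "confirmed" by SMS. The following is an added example, not Trusteer's code or any bank's real fraud rule; the event records, field names and the 7-day window are constructed for the example.

```python
"""Flag accounts where the SMS confirmation phone number was changed and,
within a short window afterwards, money moved to a payee the account had
never paid before (the sequence the SpyEye phone-number hijack produces).

Added example; event log, field names and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Window after a phone change during which new-payee transfers are suspicious.
WINDOW = timedelta(days=7)

# Constructed account event log: (timestamp, account, event type, details).
EVENTS = [
    ("2011-09-01T10:00:00", "acct-1", "transfer",
     {"payee": "landlord", "amount": 900}),
    ("2011-09-20T09:12:00", "acct-1", "phone_change",
     {"old": "+34600000001", "new": "+34600999999"}),
    ("2011-09-21T14:05:00", "acct-1", "transfer",
     {"payee": "landlord", "amount": 900}),
    ("2011-09-22T03:41:00", "acct-1", "transfer",
     {"payee": "mule-7", "amount": 2400}),
    ("2011-09-05T11:00:00", "acct-2", "phone_change",
     {"old": "+34600000002", "new": "+34600000003"}),
    ("2011-10-30T12:00:00", "acct-2", "transfer",
     {"payee": "new-shop", "amount": 50}),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def detect_phone_change_fraud(events, window=WINDOW):
    """Return alerts as (account, transfer_time, payee, amount, phone_change_time).

    A transfer is flagged when it goes to a payee the account had not paid
    before and it happens within `window` of the most recent phone change.
    """
    events = sorted(events, key=lambda e: parse(e[0]))
    known_payees = defaultdict(set)   # payees each account has paid so far
    last_change = {}                  # account -> time of last phone change
    alerts = []
    for ts, acct, kind, d in events:
        t = parse(ts)
        if kind == "phone_change":
            last_change[acct] = t
        elif kind == "transfer":
            changed = last_change.get(acct)
            is_new_payee = d["payee"] not in known_payees[acct]
            if changed is not None and is_new_payee and t - changed <= window:
                alerts.append((acct, ts, d["payee"], d["amount"],
                               changed.isoformat()))
            known_payees[acct].add(d["payee"])
    return alerts


if __name__ == "__main__":
    for alert in detect_phone_change_fraud(EVENTS):
        print("ALERT:", alert)
```

The known-payee set is updated only after the check, so a first payment to a new payee inside the window is flagged while repeat payments to established payees (the landlord above) pass. Tuning the window and adding an amount threshold are the obvious next steps for a real deployment.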

Out-of-Band is not a Panacea

This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not foolproof. Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time, since the transactions have been verified and fly under the radar of fraud detection systems. The only way to defeat this new attack once a computer has been infected with SpyEye is using endpoint security that blocks MITB techniques. Without a layered approach to security, even the most sophisticated OOBA schemes can be made irrelevant under the right circumstances.

Source: SpyEye Changes Phone Numbers to Hijack Out of Band SMS

CAINE 2.5 SUPERNOVA Available

September 30th, 2011, posted in Computer forensics, Digital Forensics, English Italian Translations

CAINE (Computer Aided INvestigative Environment) is an open source tool that offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

The main design objectives of CAINE are to guarantee the following:

  • an interoperable environment that supports the digital investigator during the four phases of the digital investigation
  • a user friendly graphical interface
  • a semi-automated compilation of the final report

CAINE includes scripts activated within the Nautilus Web browser designed to make examination of allocated files simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining the file type and rendering with the appropriate tool.

The live preview Nautilus scripts also provide easy access to administrative functions, such as making an attached device writeable, dropping to the shell, or opening a Nautilus window with administrator privileges. The "Save as Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about the file containing file metadata and an investigator comment, if desired.
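A minimal version of what a "save as evidence" step needs to do, written as an added example modelled on the behaviour described above; it is not CAINE's own script. It copies the selected file into an evidence folder, hashes both the original and the copy so the copy can be shown to be faithful, and writes a text report with the file's metadata and an investigator comment. The folder layout and report fields are assumptions.

```python
"""Preserve a file as evidence: copy it into an evidence folder, hash the
original and the copy, and write a text report with metadata and a comment.

Added example modelled on the "Save as Evidence" behaviour described for
CAINE; not CAINE's script. Paths and report layout are assumptions.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def save_as_evidence(src, evidence_dir, comment=""):
    """Copy src into evidence_dir, verify the copy by hash, write a report.

    Returns a dict with the recorded facts; the same facts are written to
    <name>.report.txt next to the copy.
    """
    src = Path(src)
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    st = src.stat()
    original_hash = sha256_of(src)

    dest = evidence_dir / src.name
    shutil.copy2(src, dest)           # copy2 preserves the modification time
    if sha256_of(dest) != original_hash:
        raise RuntimeError("hash mismatch after copy")   # copy is not faithful

    record = {
        "source_path": str(src.resolve()),
        "evidence_path": str(dest),
        "size_bytes": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": original_hash,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "comment": comment,
    }
    report = evidence_dir / (src.name + ".report.txt")
    with open(report, "w") as f:
        for key, value in record.items():
            f.write(f"{key}: {value}\n")
    return record


def demo():
    """Run on a constructed sample file in a temp dir; returns (record, report text)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "notes.txt"
        sample.write_bytes(b"constructed sample content\n")
        rec = save_as_evidence(sample, Path(tmp) / "Evidence",
                               comment="found in Downloads")
        report_text = (Path(tmp) / "Evidence" / "notes.txt.report.txt").read_text()
    return rec, report_text


if __name__ == "__main__":
    record, text = demo()
    print(text)
```

In practice the evidence folder should sit on a write-blocked or separate volume and the report should be hashed as well; the point of the example is that the hash is computed before the copy and re-checked on the copy, so the report vouches for the original file's state at collection time.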

A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted iPod Device, display metadata about the device (current username, device serial number, etc.). The investigator has the option to search allocated media files and unallocated space for iTunes user information present in media purchased through the Apple iTunes store, i.e., Real Name and e-mail address.

For more information, visit www.caine-live.net/index.html

Mobile Malware: Why Fraudsters Are Two Steps Ahead

August 16th, 2011, posted in English Italian Translations, Trusteer

Bad news: Fraudsters have all the tools they need to effectively turn mobile malware into the biggest customer security problem we’ve ever seen. They are lacking just one thing – customer adoption. The number of users who bank online from their mobile devices is still relatively low. Additionally, transactions are not yet enabled for mobile devices on many banks’ websites. Since online fraud is mostly a big numbers game, attacking mobile bankers is not yet an effective fraud operation. But expect a change. In a year from now this is all going to look completely different as more users start banking from their mobile phone and fraudsters release their heavy guns.  Trusteer has just released figures predicting that within 12 to 24 months over 1 in 20 (5.6%) of all Android phones and iPads/iPhones could become infected by Mobile malware if fraudsters start integrating zero-day mobile vulnerabilities into leading exploit kits.

Fraudster’s Heaven: Google Android

Android’s security architecture is not currently up to the challenge. This is reflected mainly in the ease of generating powerful fraudulent applications and the ease of distributing these applications. Fraudsters can easily build applications that have access to sensitive operating system resources such as text messages, voice, location, and more. Users installing these applications do get a message with a list of resources the app is requesting access to but would usually ignore it as many applications request access to an extensive list of resources. Building a powerful fraudulent Android application that steals and abuses your identity and your bank account is almost trivial. Distributing these applications on the Android Market is even more trivial. There are no real controls around the submission process that could identify and prevent publishing malicious applications on these stores. Compared to Apple’s App Store, Android Market is the Wild West. You can’t always trust applications you download from it.

Fraudsters have already started to abuse this big security hole. Dozens of malicious applications have already been identified on the Android Market. Google has removed most of them but more keep coming. Trusteer has identified malicious applications on the Android Market which have stayed there for weeks before being taken off by Google. The average user will find it hard to locate the page which allows you to request that Google review and take down inappropriate applications from the Android Market. But don’t expect Google to react fast to anything you submit through this form. We used it a few times with no results. In order to take down an application in Google Market we actually had to use contacts within Google which are not available to the average user. The process of identifying and removing malicious applications from the Android Market requires major improvements.

Most of the malicious applications which hit Android are not financial. However, in May this year we’ve seen the (already known) Man in the Mobile (MitMo) malware, which has previously attacked Symbian, Blackberry, and Windows phones, being ported to Android as well. This attack is designed to bypass banks’ SMS Out of Band (OOB) authentication and transaction verification processes. The proximity of this attack to the recent FFIEC guidance, which advises banks to consider, among others, Out of Band to fight malware attacks, is ironic. It demonstrates exactly why the fraudsters are two steps ahead.

For those of you who don’t know how OOB works, here is a short description. The general idea is to fight malware that infects the user’s machine. Once the user browses to a bank’s website from a PC infected with financial malware such as Zeus or SpyEye, the malware takes over the web session and injects fraudulent transactions on behalf of the user. With OOB in place the bank sends a text message to the user’s pre-registered phone number. The message includes the transaction details and a verification code. The user needs to copy the verification code from the mobile device back to the browser on the PC. The assumption is that if the transaction was generated by malware the user will not complete the process and will not copy the confirmation code back to the browser, and as a result the bank will not approve the transaction.

The MitMo attack breaks this assumption by doing the following:

  1. Once the user gets infected and tries to access the bank’s website, the malware kicks in and asks the user to download an authentication or security component onto their mobile device in order to complete the login process. The user wrongly assumes this message comes from the bank, while in reality it comes from the malware.
  2. Once the user installs the malware on the mobile device, the fraudsters control both the user’s PC and the user’s phone.
  3. Next, the malware generates a fraudulent transaction on behalf of the user.
  4. The bank then sends a confirmation message to the user’s mobile device.
  5. The malware on the user’s device reads the confirmation message and sends it to the malware on the PC. It then deletes the confirmation message from the user’s mobile device so the user will not see it.
  6. The malware on the user’s PC enters the confirmation code and approves the transaction.

MitMo Attack Cycle

The Android malware that spread in May this year came in different flavors. One of the flavors was even using the Trusteer brand to gain users’ trust and convince them to download the application. The malware itself was used in conjunction with Zeus 2.1.0.10. The user was first infected with Zeus on their PC and then Zeus showed the message requesting the user to download the Android malware component.

MitMo fraudulent Android Application Abusing the Trusteer brand

People who had already downloaded Trusteer Rapport are protected from this type of attack.

Apple iOS is not as Secure as One May Think

iOS is the operating system of the iPhone, iPad, and iPod. With iOS malware, it’s a slightly different story. It’s not easy to create malicious applications that have access to device resources, since iOS applies strict access control on applications. It’s also not easy to introduce malicious applications on the App Store, as Apple conducts a manual review of each submitted application, which allows them to detect abusive applications. However, there is a hole in this security architecture and it’s called jailbreaking. A jailbroken iOS device doesn’t enforce access control and basically allows any app to do whatever it wants on the device. Unfortunately many users jailbreak their devices as they want to run all sorts of applications that are not on the App Store. But what’s more unfortunate is that vulnerabilities in iOS could allow malicious websites to jailbreak a device and infect it with malware without the user’s consent or knowledge. Last week we saw a good example of that.

JailbreakMe.com published an exploit which allows the automated jailbreaking of iOS devices from a specially created Web site. PDF files that exploit this vulnerability are reportedly publicly available. Even clicking a crafted PDF document or surfing to a website hosting such PDF documents is sufficient to infect the mobile device with malware. The concept of malicious websites serving exploits to infect endpoint devices is now well mastered by fraudsters. The notorious BlackHole exploit kit and other exploit kits such as Fragus and Neosploit provide automation of these processes. BlackHole is extremely dangerous and widely used as it is distributed for free. Millions of websites are being compromised to run these exploit kits.

When users browse to one of these compromised websites they get infected with malware. Note that fraudsters can use the same exploit kit to serve any piece of malware they choose. Once the authors of BlackHole add iOS vulnerabilities to their kit we’ll start seeing a quick increase in malware distribution on iOS devices. This recent vulnerability is not the first which allows fraudsters to compromise iOS devices and it won’t be the last. We’re looking at just the beginning of this problem. Fraudsters will continue to research iOS and discover more vulnerabilities which will allow them to compromise devices and commit fraud. I hope I’m wrong, but a year from now this can become so common that it will not even hit the news.

Conclusion

In the US alone 50% of mobile phones are smart phones, with Android and iPhone being the clear market leaders. In April of this year a Toronto-based Solutions Research Group survey among smartphone users showed that 38% of them use a banking application. These two numbers are on a constant increase and are just about to become big enough for fraudsters to start using their heavy guns. All the building blocks are in place: fraudsters are researching iOS and Android for vulnerabilities, they have effective exploit kits which can automate this process, they have large scale operations which compromise websites and force them to distribute malware, and they have effective malware for mobile which can commit fraud. In my opinion, this all leads to one conclusion – we are about to face one of the worst security problems ever and it won’t be long before we do.

Anti-malware solutions for mobile phones are hardly the answer to this problem. These solutions are not much different from their PC counterparts. They’re based on scanning applications installed on the device against a list of known malicious applications. This type of solution cannot scale when the number of malicious applications explodes. As mobile malware numbers increase we’re about to face the very same problem we’re currently facing with desktop anti-virus solutions: low effectiveness.

A different solution that takes a different approach to mobile security is required – one that can protect these devices from getting infected to begin with and can protect mobile communication with banks from malware that may end up on the device. This concept, which has been successfully used by Trusteer Rapport to protect 150 banks across the world, is now available for iOS and Android. Trusteer Mobile will be launched later this year together with a handful of leading banks and is going to change the way banks and their customers think of mobile security.

Recommendations to secure mobile banking:

  1. Check the rating, user reviews, and comments for each mobile application you download. Avoid low-rated, new applications and those with bad reviews.
  2. Carefully review the permissions requested by Android applications when you install them. Applications that ask for access to text messages and other sensitive information should raise a red flag and be researched further before you download them.
  3. Have your PC protected with online banking security software such as Trusteer Rapport, which you can download from your bank’s website. This software can break MitMo attacks by not allowing fraudsters to control the web channel.
  4. Regularly install updates for your mobile device.

Calculation of smart phone infection rates for zero day exploits

Trusteer statistics for June 2011 show that each day one out of 1500 users accesses a website which was infected with the BlackHole exploit kit. Out of a million users, 667 users will access the BlackHole exploit kit every day. Assuming the BlackHole exploit kit incorporates a zero-day vulnerability like the recent JailbreakMe vulnerability, that indicates 667 infected users a day per 1 million users. Assuming it takes Apple or Google one week to fix the vulnerability and then on average 2 weeks for users to update their mobile phone with the new release, that indicates 21 days of exposure on average, in which 14,000 users per million users will get infected with the zero-day attack. Assuming 4 of these zero-day exploits a year, we’re looking at 56,000 infections a year per million users, which is 5.6% – an extremely high number.

Source: Mobile Malware: Why Fraudsters Are Two Steps Ahead

Trojan:BASH/QHost.WB

August 1st, 2011, posted in F-Secure, English Italian Translations

We come across a fake FlashPlayer.pkg installer for Mac:

Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, etc.) to the IP address 91.224.160.26, which is located in the Netherlands.

The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.
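Because the hijack lives in the hosts file, it can be found without any malware signature: any entry that maps a well-known domain to a routable, non-local address is suspect. The following is an added example, not F-Secure's code, that parses hosts-file text and reports such entries. The sample hosts content and the list of watched domains are constructed for the example; 91.224.160.26 is the address named in the write-up.

```python
"""Scan hosts-file text for entries that redirect well-known domains to a
non-local address, the kind of change the QHost trojan described above makes.

Added example; not F-Secure's code. Sample content and watched domains are
constructed; the IP 91.224.160.26 is the one named in the write-up.
"""
import ipaddress

# Domains a defender might watch (constructed list for this example).
WATCHED_SUFFIXES = ("google.com", "google.com.tw", "google.com.tl", "apple.com")

# Constructed sample: a default Mac hosts file plus the trojan's injected lines.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0         ads.example.net   # ad-blocking sinkhole entry, harmless
91.224.160.26   google.com.tw www.google.com.tw
91.224.160.26   google.com.tl
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return [(hostname, ip)] for watched domains pointed at a non-local address.

    Loopback and unspecified addresses are skipped: pointing a domain at
    127.0.0.1 or 0.0.0.0 is a deliberate block, not a redirect to an
    attacker's server.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                  # malformed line, not our concern here
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.append((name, ip))
    return findings


if __name__ == "__main__":
    # On a real system: find_hijacks(open("/etc/hosts").read())
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"HIJACK: {name} -> {ip}")
```

On a Mac the file to read is /etc/hosts; the same parser works for the Windows copy under the system directory, since the format is identical.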

As an example, this is what Google.com.tw looks like on a normal, uninfected system:

trojan_bash_qhost_wb_google_tw_clean (68k image)

In contrast, this is what Google.com.tw looks like on an infected system:

trojan_bash_qhost_wb_google_tw_infected_system (72k image)

When a search request is entered, the remote server returns a fake page that mimics a legitimate Google search results page.

Here’s a search request on the real Google.com.tw site on a clean system:

trojan_bash_qhost_wb_google_tw_clean_searches (169k image)

And here’s the same request on an infected system:

trojan_bash_qhost_wb_google_tw_infected_system_searches (250k image)

Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server:

trojan_bash_qhost_wb_google_tw_infected_system_search_source (173k image)

At the time of writing, the pop-up pages aren’t displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down.

The other remote server returning fake search requests appears to be still active.

We detect this trojan as Trojan:BASH/QHost.WB.

—–

Analysis by – Brod

Source: Trojan:BASH/QHost.WB

Hacking Apple Laptop Batteries

July 31st, 2011, posted in Bruce Schneier, English Italian Translations

Interesting:

Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple’s iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries could also be used for more malicious purposes down the road.

[...]

What he found is that the batteries are shipped from the factory in a state called “sealed mode” and that there’s a four-byte password that’s required to change that. By analyzing a couple of updates that Apple had sent to fix problems in the batteries in the past, Miller found that password and was able to put the battery into “unsealed mode.”

From there, he could make a few small changes to the firmware, but not what he really wanted. So he poked around a bit more and found that a second password was required to move the battery into full access mode, which gave him the ability to make any changes he wished. That password is a default set at the factory and it’s not changed on laptops before they’re shipped. Once he had that, Miller found he could do a lot of interesting things with the battery.

“That lets you access it at the same level as the factory can,” he said. “You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You’d need a vulnerability in the OS or something that the battery could then attack, though.”

As components get smarter, they also get more vulnerable.

ShareMeNot

July 29th, 2011, posted in Bruce Schneier, English Italian Translations

ShareMeNot is a Firefox add-on for preventing tracking from third-party buttons (like the Facebook “Like” button or the Google “+1” button) until the user actually chooses to interact with them. That is, ShareMeNot doesn’t disable/remove these buttons completely. Rather, it allows them to render on the page, but prevents the cookies from being sent until the user actually clicks on them, at which point ShareMeNot releases the cookies and the user gets the desired behavior (i.e., they can Like or +1 the page).

Source: ShareMeNot

On Android threats Spyware: Android/SndApps.A and Trojan:Android/SmsSpy.D.

July 18th, 2011, posted in F-Secure, English Italian Translations

Android malware seems to be all the rage at the moment. Here are a few comments on a couple of interesting side issues we’ve been discussing as we’ve seen them crop up during analyses.

First up: there was a recent report on suspicious applications found on the official Android Market. The apps in question have since been taken off the Market, but our threat hunting team still come across them in forums and other such locations, usually promoted as ‘free apps’.

The applications themselves appear to be straightforward games. At some point however, it looks like additional services were added to the apps. The earlier versions didn’t ask for anything other than Internet access:

permissions_internet (104k image)

However the later versions get a bit more personal than that:

application_permissions (47k image)

new_permissions (169k image)

With the changes, the app is able to access various bits of information from the device: the carrier and country, the device’s ID, e-mail address and phone number.

services (92k image)

The information is sent out to a remote server.
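The change between the "internet only" build and the later one shows up directly in the permissions each version declares, which makes a version-to-version permission diff a cheap first check for this kind of added behaviour. The following is an added example, not F-Secure's tooling: it parses two constructed manifest snippets (standard AndroidManifest.xml layout, but not the real app's manifests), computes the permissions that were added, and flags those that expose the data mentioned above. The permission names are real Android ones; the sensitivity table is an assumption.

```python
"""Compare the permissions declared by two versions of the same Android app
and flag newly added ones that touch sensitive data.

Added example; manifests are constructed snippets, not the real app's.
Permission names are standard Android ones; the SENSITIVE table is assumed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifests for an earlier and a later build of the same package.
MANIFEST_V1 = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game" android:versionCode="1">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

MANIFEST_V2 = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game" android:versionCode="2">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

# Permissions a reviewer treats as privacy-sensitive and what each exposes.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device ID, phone number, carrier",
    "android.permission.GET_ACCOUNTS": "account names, e.g. the e-mail address",
    "android.permission.READ_SMS": "stored text messages",
    "android.permission.RECEIVE_SMS": "incoming text messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}


def declared_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def permission_diff(old_xml, new_xml):
    """Return (added, removed, sensitive_added) between two manifests.

    sensitive_added maps each newly added sensitive permission to a short
    description of the data it exposes, so a reviewer can read the alert.
    """
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    added, removed = new - old, old - new
    sensitive_added = {p: SENSITIVE[p] for p in sorted(added) if p in SENSITIVE}
    return added, removed, sensitive_added


if __name__ == "__main__":
    added, removed, flagged = permission_diff(MANIFEST_V1, MANIFEST_V2)
    print("added:", sorted(added))
    print("removed:", sorted(removed))
    for perm, what in flagged.items():
        print(f"FLAG {perm}: grants access to {what}")
```

The same diff can be run against the manifest extracted from any two APKs of a package; a jump from INTERNET alone to READ_PHONE_STATE plus GET_ACCOUNTS, as here, is exactly the "carrier, device ID and e-mail address" collection described above.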

An additional twist this app pulls is that it includes a little icon that, when clicked, leads the user to other apps which, presumably, they might like to try. The apps being promoted also appear to show the same suspicious behavior.

applications (66k image)

What was interesting is that both the earlier ‘unremarkable’ and later ‘suspect’ versions of the app appear to be from the same developers:

comparison (56k image)

It appears to be a case of questionable new behaviors being added at a later date to an existing app, and not a repackaged app with foreign malicious routines added. We’re still looking into various aspects of this; for now, based on the observed behavior, we detect these applications as Spyware:Android/SndApps.A.

This case is interesting to us as we see it as an evolution in Android application development, specifically ‘greyware’. This kind of behavior seems to bear out one of our earlier predictions, where an ‘established’ developer would be able to push out an update containing suspicious/unwanted/unethical routines, which may invade the user’s privacy.

The newly added routines could include obtaining user information that can be used for other purposes, like sending marketing advertisements or spam. At worst, the details may be sold to a third party. We would have no way of knowing what is being done with the information.

In another case even more recently, we’ve been discussing the odd behavior of another reported Android app, this time a trojan.

It didn’t make sense that the trojan intercepted an SMS message and then reported it to a loopback address:

smsspy_loopback (131k image)

From our investigation, it seems like this app might be a test program. We detect this as Trojan:Android/SmsSpy.C.

However, one of our threat hunters did find a file (SHA1: 7d8004b107979e159b307a885638e46fdcd54586) that appears to be more useful:

smsspy_link (160k image)

That looks more like the real deal. We detect this as Trojan:Android/SmsSpy.D.

—–

Analysis and post by: Zimry, Irene, Raulf and Leong

Source: On Android threats Spyware: Android/SndApps.A and Trojan:Android/SmsSpy.D