Whatever Happened to Facebook Likejacking?

Back in 2010, Facebook likejacking (a social engineering technique of tricking people into posting a Facebook status update) was a trending problem. So, whatever happened to likejacking scams and spam? Well, Facebook beefed up its security — and the trend significantly declined, at least when compared to peak 2010 numbers.

But you can’t keep a good spammer down. Can’t beat them? Join them.

Today, some of the same junk which was spread via likejacking… is now spread via Facebook Advertising.

Facebook Sponsors

The top middle thumbnail above is some kind of malformed egg. Typical click-bait.

The ad links to a Page with localized campaigns. Note the “Ca” and the “Fi”.

Cooking Lessons 101

The landing page uses an “app” trick to automatically redirect to a spam campaign:

Work from home scheme

We’re pretty sure such tricks are a violation of Facebook’s ToS. But so far, Facebook hasn’t reacted to the sample we sent them.


Some of the spam campaigns are not exactly “safe for work” depending on the source ads:

Jailbait ads

Also a concern: some of the ads appear to be linked to compromised websites. The spammers may not even be paying for these ads.

Are you judged by the company you keep?

That’s probably a question legitimate brands with a Facebook presence should be asking themselves.

Source: Whatever Happened to Facebook Likejacking?

Posted in F-Secure, English-Italian Translations and tagged , , , by with no comments yet.

Android Hack-Tool Steals PC Info

Yeh, one of our Security Response Analysts, came across an interesting report on a Chinese forum over the weekend about an Android app that basically turns the device into a hack-tool capable of stealing information from a connected Windows machine.

He managed to find a sample (MD5: 283d16309a5a35a13f8fa4c5e1ae01b1) for further investigation. When executed, the sample (we detect it as Hack-Tool:Android/UsbCleaver.A) installs an app named USBCleaver on the device:

hacktool_android_usbcleaver_0 (53k image)

When the app is launched, it directs the user to download a ZIP file from a remote server:

hacktool_android_usbcleaver_1 (188k image)

It then unzips the downloaded file to the /mnt/sdcard/usbcleaver/system folder. The files saved are essentially utilities used to retrieve specific pieces of information when the device is connected via USB to a Windows machine. Note: we detect most of the files with older detections.

The following details are grabbed from the connected PC machine:

  • Browser passwords (Firefox, Chrome and IE)
  • The PC’s Wi-Fi password
  • The PC’s network information

The app gives the user the option of choosing what information they want to retrieve:

hacktool_android_usbcleaver_2 (178k image)

hacktool_android_usbcleaver_3 (196k image)

hacktool_android_usbcleaver_4 (185k image)

To run the utilities, the sample creates an autorun.inf and go.bat file at /mnt/sdcard. When the device is plugged into a Windows machine, the autorun script gets triggered, which then silently runs the go.bat file in the background, which in turn runs the specified files from the usbcleaver/system folder.

The collected details are stored on the device at /mnt/sdcard/usbcleaver/logs. The app’s user can click on the ‘Log Files’ button to view the information retrieved from the PC:

hacktool_android_usbcleaver_5 (186k image)

This isn’t the first Android trojan reported this year with PC-infecting capabilities, since that ‘distinction’ belongs to the trojan-spy apps family we detect as Sscul (listed in our Q1 2013 Mobile Threat Report).

Unlike the Sscul malware however, which is more focused on remote eavesdropping, USBCleaver seems to be designed to facilitate a targeted attack by gathering details that would be helpful in a later infiltration attempt.

Fortunately, the UsbCleaver’s Windows-infecting routine can be blocked by a simple measure that’s been standard security advice for the last couple years: disabling the Autorun by default (this is already standard on Windows 7 machines). An additional mitigating factor is that most older Windows systems need to have mobile drivers manually installed in order for this attack to work.
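The artifacts described above (autorun.inf and go.bat in the card root, plus the usbcleaver/system and usbcleaver/logs folders) can be checked for when triaging a phone's storage mounted as a removable volume. The following is an added example, not code from the original post; the autorun.inf contents in the sample volume are constructed, since the post does not show them.

```python
import configparser
import tempfile
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")          # [autorun] keys that start a program
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")

def scan_volume(root):
    """Return findings for a removable volume mounted at `root`."""
    root = Path(root)
    findings = []
    # FAT-formatted SD cards are case-insensitive, so compare lower-cased names.
    entries = {p.name.lower(): p for p in root.iterdir()}

    inf = entries.get("autorun.inf")
    if inf is not None:
        parser = configparser.ConfigParser(strict=False, interpolation=None)
        try:
            parser.read_string(inf.read_text(errors="replace"))
        except configparser.Error:
            findings.append("autorun.inf present but not parseable")
        for section in parser.sections():
            if section.lower() != "autorun":
                continue
            for key, value in parser.items(section):
                if key in LAUNCH_KEYS or key.endswith("\\command"):
                    parts = value.split()
                    target = parts[0].strip('"').lower() if parts else ""
                    kind = "script" if target.endswith(SCRIPT_EXTS) else "program"
                    findings.append(f"autorun.inf launches {kind}: {value}")

    if "go.bat" in entries:
        findings.append("go.bat in volume root")
    tool_dir = entries.get("usbcleaver")
    if tool_dir is not None and tool_dir.is_dir():
        subdirs = {p.name.lower() for p in tool_dir.iterdir() if p.is_dir()}
        findings += [f"usbcleaver/{s} directory present"
                     for s in ("system", "logs") if s in subdirs]
    return findings

def make_sample_volume():
    """Constructed sample: the layout the post describes, with placeholder files."""
    root = Path(tempfile.mkdtemp())
    (root / "autorun.inf").write_text("[AutoRun]\nopen=go.bat\n")   # constructed content
    (root / "go.bat").write_text("rem placeholder\n")
    (root / "usbcleaver" / "system").mkdir(parents=True)
    (root / "usbcleaver" / "logs").mkdir()
    (root / "DCIM").mkdir()                                          # ordinary folder
    return root

if __name__ == "__main__":
    for finding in scan_volume(make_sample_volume()):
        print(finding)
```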

Analysis by – Yeh

Source: Android Hack-Tool Steals PC Info


ZeuS Ransomware Feature: win_unlock

Earlier today, while doing our daily data mining, we came across a new variant of ZeuS 2.x. It includes a new backdoor command called win_unlock. Very interesting: it turns out this slightly modified ZeuS 2.x includes a ransomware feature.

When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it’s currently unavailable because the site is offline.

The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky since the trojan prevents doing anything with the infected system. Luckily, the locking itself can be easily disabled first.

Looking at the code that corresponds with a received win_unlock command, it’s clear the unlock information is stored to the registry.

ZeuS, ransom feature

Unlocking can therefore be performed quite easily with a registry editor:

  1. boot the system in safe mode
  2. add a new key named syscheck under HKEY_CURRENT_USER
  3. create a new DWORD value under the syscheck key
  4. set the name of the new DWORD value to Checked
  5. set the data for the Checked value to 1
  6. reboot

SHA1: 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119

Analysis by — Mikko S. and Marko

Source: ZeuS Ransomware Feature: win_unlock


Anonymous Anonymous Claims Anonymous is Not Anonymous

You’ve probably heard about the stratfor.com hack by now. Anonymous claimed responsibility.

Then Anonymous denied being responsible.


But then today, “Anonymous” claimed that the earlier anonymously posted pastebin post wasn’t Anonymous, but was really Stratfor employees claiming to be Anonymous.


Wait… doesn’t Anonymous claim that “we are all Anonymous”? If that’s true, then maybe it was Anonymous after all.

Does anybody care anymore?

Appears the public doesn’t. Google’s instant results for “anonymous is” and “anonymous are” contain few compliments for the group.

In other news: Anonymous promised another data dump today.


Pending denials by Anonymous of course.

Source: Anonymous Anonymous Claims Anonymous is Not Anonymous



We came across a fake FlashPlayer.pkg installer for Mac:

Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, etc.) to the IP address, which is located in the Netherlands.

The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.

As an example, this is what Google.com.tw looks like on a normal, uninfected system:

trojan_bash_qhost_wb_google_tw_clean (68k image)

In contrast, this is what Google.com.tw looks like on an infected system:

trojan_bash_qhost_wb_google_tw_infected_system (72k image)

When a search request is entered, the remote server returns a fake page that mimics a legitimate Google search results page.

Here’s a search request on the real Google.com.tw site on a clean system:

trojan_bash_qhost_wb_google_tw_clean_searches (169k image)

And here’s the same request on an infected system:

trojan_bash_qhost_wb_google_tw_infected_system_searches (250k image)

Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server:

trojan_bash_qhost_wb_google_tw_infected_system_search_source (173k image)

At the time of writing, the pop-up pages aren’t displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down.

The other remote server returning fake search requests appears to be still active.

We detect this trojan as Trojan:BASH/QHost.WB.
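Because the redirection lives entirely in the hosts file, it can be spotted by looking for Google hostnames pinned to a non-local address. The following is an added example, not code from the original post; the watched-name pattern is an assumption and the sample hosts file is constructed, using a documentation address (203.0.113.0/24) rather than the address used by the trojan.

```python
import ipaddress
import re

# Assumption of this example: watch google.<tld> and www.google.<tld> names.
WATCHED = re.compile(r"^(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?$", re.IGNORECASE)

# Constructed sample: stock macOS entries plus hijack-style lines.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
203.0.113.25    google.com.tw www.google.com.tw   # constructed
203.0.113.25    Google.com.tl
0.0.0.0         www.google.com                    # constructed local block
"""


def hijacked_entries(hosts_text):
    """Return (line number, hostname, address) for watched names that the hosts
    file points at anything other than a loopback or unspecified address."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address line
        if addr.is_loopback or addr.is_unspecified:
            continue                              # local block, not a redirect
        for name in fields[1:]:
            if WATCHED.match(name):
                findings.append((lineno, name.lower(), str(addr)))
    return findings


if __name__ == "__main__":
    for lineno, name, addr in hijacked_entries(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {name} -> {addr}")
```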


Analysis by – Brod

Source: Trojan:BASH/QHost.WB


On Android threats Spyware: Android/SndApps.A and Trojan:Android/SmsSpy.D.

Android malware seems to be all the rage at the moment. Here’s a few comments on a couple interesting side issues we’ve been discussing as we’ve seen them crop up during analyses.

First up: there was a recent report on suspicious applications found on the official Android Market. The apps in question have since been taken off the Market, but our threat hunting team still come across them in forums and other such locations, usually promoted as ‘free apps’.

The applications themselves appear to be straightforward games. At some point however, it looks like additional services were added to the apps. The earlier versions didn’t ask for anything other than Internet access:

permissions_internet (104k image)

However the later versions get a bit more personal than that:

application_permissions (47k image)

new_permissions (169k image)

With the changes, the app is able to access various bits of information from the device: the carrier and country, the device’s ID, e-mail address and phone number.

services (92k image)

The information is sent out to a remote server.

An additional twist this app pulls is that it includes a little icon that when clicked, leads the user to other apps which presumably, they might like to try. The apps being promoted also appear to show the same suspicious behavior.

applications (66k image)

What was interesting is that both the earlier ‘unremarkable’ and later ‘suspect’ versions of the app appear to be from the same developers:

comparison (56k image)

It appears to be a case of questionable new behaviors being added at a later date to an existing app, and not a repackaged app with foreign malicious routines added. We’re still looking into various aspects of this; for now, based on the observed behavior, we detect these applications as Spyware:Android/SndApps.A.

This case is interesting to us as we see it as an evolution in Android application development, specifically ‘greyware’. This kind of behavior seems to bear out one of our earlier predictions, where an ‘established’ developer would be able to push out an update containing suspicious/unwanted/unethical routines, which may invade the user’s privacy.

The newly added routines could include obtaining user information that can be used for other purposes, like sending marketing advertisements or spam. At worst, the details may be sold to a third party. We would have no way of knowing what is being done with the information.
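The pattern described here, an established app gaining permissions and services in a later update, can be surfaced by diffing the manifests of two versions. The following is an added example, not code from the original post; it assumes the manifests have already been decoded to text XML, the two manifests and their package and component names are constructed, and the permission-to-data mapping is this example's assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: these two permissions gate the identifiers the post lists.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device ID and phone number",
    "android.permission.GET_ACCOUNTS": "account names such as e-mail addresses",
}

# Constructed manifests; package and component names are hypothetical.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game" android:versionCode="3">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game" android:versionCode="7">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <activity android:name=".Main"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""


def declared(manifest_xml, tag):
    """Set of android:name values for every <tag> element in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID + "name") for el in root.iter(tag)} - {None}


def update_drift(old_xml, new_xml):
    """What the newer version declares that the older one did not."""
    drift = {}
    for tag in ("uses-permission", "service", "receiver"):
        drift[tag] = sorted(declared(new_xml, tag) - declared(old_xml, tag))
    drift["sensitive"] = {p: SENSITIVE[p]
                          for p in drift["uses-permission"] if p in SENSITIVE}
    return drift


if __name__ == "__main__":
    for kind, items in update_drift(OLD_MANIFEST, NEW_MANIFEST).items():
        print(kind, items)
```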

In another case even more recently, we’ve been discussing the odd behavior of another reported Android app, this time a trojan.

It didn’t make sense that the trojan intercepted an SMS message and then reported it to a loopback address:

smsspy_loopback (131k image)

From our investigation, it seems like this app might be a test program. We detect this as Trojan:Android/SmsSpy.C.

However, one of our threat hunters did find a file (SHA1: 7d8004b107979e159b307a885638e46fdcd54586) that appears to be more useful:

smsspy_link (160k image)

That looks more like the real deal. We detect this as Trojan:Android/SmsSpy.D.


Analysis and post by: Zimry, Irene, Raulf and Leong

Source: On Android threats Spyware: Android/SndApps.A and Trojan:Android/SmsSpy.D


Another Android malware utilizing a root exploit

Another Android malware utilizing the root exploit “Rage Against The Cage” has been found, and we detected it as Trojan:Android/DroidKungFu.A.

This new malware was embedded in a trojanized application that may require root access in order to conceal itself. The infection occurs in two parts:

Infection: Part 1

The first part is the installation of a trojanized application that gains root privilege and installs the com.google.ssearch application. This application points to Trojan:Android/DroidKungFu.A’s service component, which starts the service com.google.ssearch.Receiver. When this service is created, it calls the function getPermission(), which installs an embedded APK.

droidkungfu_create (47k image)

droidkungfu_getpermission (56k image)

This calls checkPermission(), which checks whether com.google.ssearch.apk already exists. If not, it installs the “legacy” file, which is an APK file, to “system/app” (the application folder).

droidkungfu_checkpermission (95k image)

Infection: Part 2

The second part deals with the main malware component, com.google.ssearch.apk. As we may recall, this component was also present in the trojanized application.

Here is a screenshot showing the com.google.ssearch.apk installed.

droidkungfu_screen (194k image)

The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:

  • execDelete – execute command to delete a supplied file

  • execHomepage – execute a command to open a supplied homepage

  • execInstall – download and install a supplied APK

  • execOpenUrl – open a supplied URL

  • execStartApp – run or start a supplied application package

Trojan:Android/DroidKungFu.A can also obtain the following information and post it to a remote server:

  • imei – IMEI number

  • ostype – Build version release, e.g., 2.2

  • osapi – SDK version

  • mobile – users’ mobile number

  • mobilemodel – Phone model

  • netoperator – Network Operator

  • nettype – Type of Net Connectivity

  • managerid – hard-coded value which is “sp033”

  • sdmemory – SD card available memory

  • aliamemory – Phone available memory

Root is set to 1 to signify root access, and this information is then sent to “http://search.gong[…].php.”

The malware obtains the commands from “http://search.gong[…].php” by posting in the “imei,” “managerid” and root value. It also reports the status of the commands on “http://search.gong[…].php” by posting in “imei,” “taskid,” “state” and “comment.”
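The parameter names listed above give three recognizable request shapes that can be matched in proxy or gateway logs without knowing the destination. The following is an added example, not code from the original post; it assumes the values are posted as form-encoded bodies, and the log records, hosts and values are constructed (only the field names and the “sp033” value come from the post).

```python
from urllib.parse import parse_qs

# Parameter names taken from the post, grouped by the request they belong to.
# Dict order runs from the largest field set to the smallest.
PROFILES = {
    "device-info upload": {"imei", "ostype", "osapi", "mobile", "mobilemodel",
                           "netoperator", "nettype", "managerid", "sdmemory",
                           "aliamemory"},
    "task status report": {"imei", "taskid", "state", "comment"},
    "command poll": {"imei", "managerid", "root"},
}
HARDCODED_MANAGERID = "sp033"

# Constructed proxy records: (client, destination host, method, request body).
SAMPLE_RECORDS = [
    ("10.0.0.21", "c2.example", "POST", "imei=000000000000000&managerid=sp033&root=1"),
    ("10.0.0.21", "c2.example", "POST", "imei=000000000000000&taskid=7&state=1&comment="),
    ("10.0.0.21", "c2.example", "POST",
     "imei=000000000000000&ostype=2.2&osapi=8&mobile=&mobilemodel=X&netoperator=Y"
     "&nettype=wifi&managerid=sp033&sdmemory=100&aliamemory=50&root=1"),
    ("10.0.0.34", "shop.example", "POST", "user=alice&state=CA&comment=hello"),
    ("10.0.0.34", "shop.example", "GET", ""),
]


def classify_body(body):
    """Return (profile label, managerid equals the hard-coded value) or None."""
    params = parse_qs(body, keep_blank_values=True)
    names = set(params)
    # The most specific profile wins when one body satisfies several.
    for label, required in PROFILES.items():
        if required <= names:
            return label, params.get("managerid") == [HARDCODED_MANAGERID]
    return None


def scan(records):
    """Return (client, host, profile, hard-coded id seen) for matching POSTs."""
    hits = []
    for client, host, method, body in records:
        verdict = classify_body(body) if method == "POST" else None
        if verdict:
            hits.append((client, host) + verdict)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```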

Threat Solutions post by – Zimry

Source: Another Android malware utilizing a root exploit


New DroidDream Variant Found on Android Phones

Android has become the main target for mobile malware.

Here’s “Hot Girls 1”, which was still available yesterday for download to your Android phone from Android Market:

hot girls 1

This application was originally harmless. However, a malicious developer called “Magic Photo Studio” downloaded the original application, modified it and re-uploaded it to Android Market.

As an end result, when installing “Hot Girls 1”, you might notice that it requires suspicious rights, especially for an application which is just supposed to show you pictures of, well, hot girls:

hot girls 1 hot girls 1

The malicious developer has inserted code that triggers when the phone receives a call.

hot girls 1

The added code will connect to a server and send details about the infected handset to the malware authors. So we’re talking about a mobile botnet.

Our Android security product F-Secure Mobile Security blocks this as a variant of the DroidDream trojan, with the detection name Trojan:Android/DroidDream.B.

Dozens of examples of infected applications have been found on Android Market, uploaded under such developer names as Magic Photo Studio, BeeGoo and Mango Studio. Google has now removed them from the Market.

Source: New DroidDream Variant Found on Android Phones


Phishing Sites Hosted on Google’s Servers

Google Docs allows users to create documents, spreadsheets, et cetera at google.com (hosted in Google’s cloud):


Spreadsheets can even contain functionality, such as forms, and these can be published to the whole world.

Unfortunately, that means we regularly see phishing sites via Google Docs spreadsheets and hosted on spreadsheets.google.com.

Here are some examples:




These are nasty attacks, as the phishing pages are hosted on the real google.com, complete with a valid SSL certificate.


While researching these, we ran into this Google spreadsheet form:


And for the life of us, we just can’t figure out if this is phishing or if it’s a valid page run by Google [see below for the answer].

Initially, the page obviously looks like phishing: it’s hosted on the public spreadsheets.google.com server where anyone can host forms. And it asks for your Google Voice number, your e-mail address and the secret PIN code.

But then, you can also find that apparent Google Employees are linking to the form.

So, we can’t figure it out. Can you?

Here’s the URL to the form:


If you can figure this one out, let us know via comments.

Updated to add: The consensus on Twitter seems to be that it’s a phishing site. The jury’s still out though.


Updated to add: We got contacted by a Google employee.

They informed us that, surprisingly, the questionable page is indeed the official Google form to request Google Voice account transfer. They also told us to remove all references to the form in this blog post. But I’m afraid we can’t do that.

Source: Phishing Sites Hosted on Google’s Servers
