android


Recently, we found a new Android rootnik malware which uses open-sourced Android root exploit tools and the MTK root scheme from the dashi root tool to gain root access on an Android device. The malware disguises itself as a file helper app and then uses very advanced anti-debug and anti-hook techniques to prevent it from being reverse engineered. It also uses a multidex scheme to load a secondary dex file. After successfully gaining root privileges on the device, the rootnik malware can perform several malicious behaviors, including app and ad... [Read More]
by RSS Kai Lu  |  Jan 26, 2017  |  Filed in: Security Research
Last month, we found a new android locker malware that launches ransomware, displays a locker screen on the device, and extorts the user to submit their bankcard info to unblock the device. The interesting twist on this ransomware variant is that it leverages the Google Cloud Messaging (GCM) platform, a push notification service for sending messages to registered clients, as part of its C2 infrastructure. It also uses AES encryption in the communication between the infected device and the C2 server. In this blog we provide a detailed analysis... [Read More]
by RSS Kai Lu  |  Jan 16, 2017  |  Filed in: Security Research
Summary We recently found an Android banking malware masquerading as an email app that targets several large German banks. This banking malware is designed to steal login credentials from 15 different mobile banking apps for German banks. It also has the ability to resist anti-virus mobile apps, as well as hinder 30 different anti-virus programs and prevent them from launching. Install the malware The malware masquerades as an email app. Once installed, its icon appears in the launcher, as shown below. Figure 1. Malware App Icon   Figure... [Read More]
by RSS Kai Lu  |  Nov 18, 2016  |  Filed in: Security Research
Active users of mobile banking apps should be aware of a new Android banking malware campaign targeting customers of large banks in the United States, Germany, France, Australia, Turkey, Poland, and Austria. This banking malware can steal login credentials from 94 different mobile banking apps. Due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication. Additionally, it also contains modules to target some popular social media apps. Install the malware The malware masquerades... [Read More]
by RSS Kai Lu  |  Nov 01, 2016  |  Filed in: Security Research
Google patched some Android security vulnerabilities in early August. One of them was a remote code execution vulnerability in Mediaserver (CVE-2016-3820), which was discovered by me. This vulnerability could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue was rated as Critical by Google due to the possibility of remote code execution within the context of the Mediaserver process. The Mediaserver process has access to audio and video streams, as well as access to privileges... [Read More]
by RSS Kai Lu  |  Aug 17, 2016  |  Filed in: Security Research
At FortiGuard, we wouldn't let you down without an analysis of Pokémon Go. Is it safe to install? Can you go and hunt for Pokémon, or stay by a pokestop longing for pokeballs? While this article won't assist you in game strategy, I'll give you my first impressions analyzing the game. Versions There are two sorts of Pokémon applications: 1. The official versions, issued by Niantic. We will talk more about these later, but in brief, they are not malicious. 2. The hacked versions. These are... [Read More]
by RSS Axelle Apvrille  |  Aug 11, 2016  |  Filed in: Security Research
While inspecting the Pokémon Go application, I incidentally found information on ... Pokémon Go Plus. Basically, this is the Pokémon IoT: a connected wristband with a button (to throw a pokéball, for instance), a RGB LED, and vibration capability (e.g to notify of nearby Pokémon). The device is not yet released, and the software is still under development: as you can see below, versions 0.29.x corresponds to "BETA4". Implementation in version... [Read More]
by RSS Axelle Apvrille  |  Aug 11, 2016  |  Filed in: Security Research
Recently, we - i.e Giuseppe Pacelli (student at Eurecom), Matteo Bertolino (student at Eurecom) and their supervisors Ludovic Apvrille (Telecom ParisTech) and myself - had a closer look at a few Android samples infected with the Feiwo adware. This adware family is not new, but the instances we analyzed were still undetected by all anti-virus vendors last week, as far as we know. Besides aggressively serving ads to your mobile phone, this potentially unwanted application (PUA) posts your phone number and list of applications you installed... [Read More]
by RSS Axelle Apvrille  |  May 20, 2016  |  Filed in: Security Research
From time to time, AV analysts encounter "funny" Android malware or PUA: Riskware/Secretmimi!Android is one of those.  This riskware is a social app used to share secrets (gossip). The "fun" part is that you certainly should not use it if you expect them to remain secret ;) Besides using aggressive adkits such as Umeng, the application obviously does not know about HTTPS and posts everything in clear text. For example, when you register your birthday and gender are posted in the clear (see Figure... [Read More]
by RSS Axelle Apvrille  |  Apr 22, 2016  |  Filed in: Security Research
Google fixed a denial of service vulnerability in Minikin library (CVE-2016-2414) with the Android patches of this month. I reported this vulnerability to Google in early March, 2016 and Google confirmed it was a duplicated report of bug 26413177 which had been reported by another researcher in November, 2015. In this blog, we will provide an in-depth analysis of this vulnerability. It exists because the Minikin library fails to parse .TTF font files correctly. As a result, it could allow a local attacker... [Read More]
by RSS Kai Lu  |  Apr 13, 2016  |  Filed in: Security Research