android | Page 11


Yes, you have probably heard the news: a new variant of Spitmo - Zitmo/ZeuS's counterpart for SpyEye, which previously targeted Symbian phones only - has recently been spotted on Android. The scenario is the same as before: a victim, browsing on a PC infected with SpyEye, logs in her bank's website. SpyEye injects forms and elements directly into the webpages she is viewing, so as to lure her into installing a fake security application on her phone, thinking it's required by the bank. That application actually intercepts SMS messages - especially... [Read More]
by RSS Axelle Apvrille  |  Sep 16, 2011  |  Filed in: Security Research
This is a short update to our prior post concerning Zitmo on Android. Is this really Zitmo? This fake Trusteer malware shows several differences with prior Symbian variants, but, for simplicity (and because it's easy to remember), we call it Zitmo. This does not mean this variant was written by the same authors (no proof on that account, one way or another) nor that it has exactly the same technical functionalities or even, depending on naming policies, the same name among AV vendors, but what we mean is that this sample was propagated by ZeuS... [Read More]
by RSS Axelle Apvrille  |  Jul 18, 2011  |  Filed in: Security Research
Zitmo has been used by the ZeuS gang to defeat SMS-based banking two-factor authentication on Symbian, BlackBerry and Windows Mobile for a several months (see my ShmooCon slides). Lately, there's been an active discussion on technical forums regarding ZeuS targetting Android users. We finally managed to get our hands on the mobile sample the ZeuS PC trojans are propagating. Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far more scary when... [Read More]
by RSS Axelle Apvrille  |  Jul 08, 2011  |  Filed in: Security Research
Mark Balanza has spotted a new Android malware, Android/CruseWin.A!tr, which acts as an SMS relay. The malicious application is in contact with a remote C&C from which it gets an XML configuration file which contains the commands the C&C wishes the bot to perform. In particular, the XML send tag makes the infected mobile phone send an SMS to a specified phone number with a specified body. Then, this phone number is added to a list of phone numbers for which the malicious application must act as a relay: when the specified phone number... [Read More]
by RSS Axelle Apvrille  |  Jul 04, 2011  |  Filed in: Security Research
The Android malware DroidKungFu reports back to the following URLs: http://[REMOVED]fu-android.com:8511/search/rpty.php http://[REMOVED]fu-android.com:8511/search/getty.php http://[REMOVED]fu-android.com:8511/search/sayhi.php A whois on the corresponding IP address replies with the following most peculiar information: it looks like the IP address belongs to a mobile device (either a phone, or a tablet, or a computer with a 2G/3G connection...) of a well-known Chinese operator. Of course, we have immediately notified this operator. This is rather... [Read More]
by RSS Axelle Apvrille  |  Jun 16, 2011  |  Filed in: Security Research
As a "Crypto Girl" should, I wish to report that the latest Android malware, Android/DroidKungFu, uses AES encryption. It is certainly not the first time Android malware use cryptographic encryption - we have already seen use of DES in Android/Geinimi or Android/HongTouTou - but this would appear to be the first use of AES on Android (AES has already been reported in Symbian malware such as SymbOS/InSpirit). In Android/DroidKungFu, the malware uses AES to encrypt the two exploits it uses: CVE-2009-1185: packaged as gjsvro. located in the malware's... [Read More]
by RSS Axelle Apvrille  |  Jun 09, 2011  |  Filed in: Security Research
A few days ago, a new malware named Android/Smspacem.A!tr appeared for Android users. This malware trojans a legitimate (but controversial) application named the Holy F***ing Bible. Its malicious behavior only appeared on May 21-22 and resulted in changing the device's wallpaper and sends out anti-Christian joke SMS messages to all the user's phone contacts. The malware also reacts to a few commands: "health" (SMS command), "formula401" and "pacem" (Web service commands, obtained by polling a Web service on a Command & Control server). The actions... [Read More]
by RSS Axelle Apvrille  |  May 30, 2011  |  Filed in: Security Research
Some time ago, I bumped into a few Android applications which use Airpush. Airpush is an advertisement SDK developers can add to their application to generate some revenue: for every thousand ads displayed via their application, the developers gets a few dollars in return. In the case of Airpush, the ads are pushed in the mobile phone's system tray, i.e they do not appear in the application itself, but generally at system level. The ads stand higher chances of being read/clicked on, but many end-users complained this system was really too intrusive. See... [Read More]
by RSS Axelle Apvrille  |  May 17, 2011  |  Filed in: Security Research
Android devices continue to be the target of malware authors with Android/Fake10086.A!tr. AegisLab spotted this malicious Trojan in the wild in China and posted an interesting write-up on the matter. In brief, Android/Fake10086.A!tr looks like a handy hotel reservation application (e.g com.hotel apk), but in the background it communicates with a remote web server and blocks some incoming SMS messages. Most noticeably, Fake10086 blocks SMS messages coming from 10086, the customer service portal of a leading chinese telecom operator - presumably... [Read More]
by RSS Axelle Apvrille  |  Mar 10, 2011  |  Filed in: Security Research
We are pretty busy these days with malicious samples on Android. You probably haven't missed DroidDream (Android/DrdDream.A!tr) which trojaned several applications on the Android Market and several blog posts on the matter: Lookout explains how the malware was discovered, which applications it targets and whether you should be concerned or not. By the way, we thank them for sharing samples with us. AndroidPolice explains the malware uses the rageagainstthecage root exploit, and that malicious applications have been pulled out of the market Kaspersky... [Read More]
by RSS Axelle Apvrille  |  Mar 03, 2011  |  Filed in: Security Research