android | Page 11


It doesn't happen that often altogether that mobile malware specifically come from France and propagate in France. It however seems to be the case this time for an Android malware named Foncy - not that there should be any national pride in creating malware. Foncy has first been spotted by Denis Maslennikov. It is a dialer, i.e it sends SMS messages to premium numbers, without user's consent. It does not spread by itself: victims are infected when they download and install the malware, likely from an alternate marketplace. They probably just wanted... [Read More]
by RSS Axelle Apvrille  |  Dec 15, 2011  |  Filed in: Security Research
A few days ago, Jon Larimer and Jon Oberheide published a vulnerability for Android platforms < 2.3.6. David Maciejak and I were curious to run it on an Android phone. Result: it runs perfectly :( So, what is this to us? Well, it’s a new way to root Android phones running 2.3.4. We already had exploits for that on versions prior to 2.1 or 2.2. (uDev and rageinthecage exploits), or prior to 2.3.4, or 3.0 (gingerbreak/honeybomb), but nothing in between for 2.3.4/2.3.5. And because rooting a phone is particularly valued by malware... [Read More]
by RSS Axelle Apvrille  |  Nov 25, 2011  |  Filed in: Security Research
Much like Ninja Turtles, DroidKungFu now comes in different flavours (5 so far), discovered by Pr. Xuxian Jiang (and research team) and Lookout. If, like me, you are having difficulties keeping track of those variants, this post is for you :) The similarities and differences between all 5 variants are depicted below. The various blocks represent each variant, and their intersection shows how many methods they share exactly*. All variants share the same malicious commands (CMD box). They can download and install new package, start a program (called... [Read More]
by RSS Axelle Apvrille  |  Oct 26, 2011  |  Filed in: Security Research
Yes, you have probably heard the news: a new variant of Spitmo - Zitmo/ZeuS's counterpart for SpyEye, which previously targeted Symbian phones only - has recently been spotted on Android. The scenario is the same as before: a victim, browsing on a PC infected with SpyEye, logs in her bank's website. SpyEye injects forms and elements directly into the webpages she is viewing, so as to lure her into installing a fake security application on her phone, thinking it's required by the bank. That application actually intercepts SMS messages - especially... [Read More]
by RSS Axelle Apvrille  |  Sep 16, 2011  |  Filed in: Security Research
This is a short update to our prior post concerning Zitmo on Android. Is this really Zitmo? This fake Trusteer malware shows several differences with prior Symbian variants, but, for simplicity (and because it's easy to remember), we call it Zitmo. This does not mean this variant was written by the same authors (no proof on that account, one way or another) nor that it has exactly the same technical functionalities or even, depending on naming policies, the same name among AV vendors, but what we mean is that this sample was propagated by ZeuS... [Read More]
by RSS Axelle Apvrille  |  Jul 18, 2011  |  Filed in: Security Research
Zitmo has been used by the ZeuS gang to defeat SMS-based banking two-factor authentication on Symbian, BlackBerry and Windows Mobile for a several months (see my ShmooCon slides). Lately, there's been an active discussion on technical forums regarding ZeuS targetting Android users. We finally managed to get our hands on the mobile sample the ZeuS PC trojans are propagating. Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far more scary when... [Read More]
by RSS Axelle Apvrille  |  Jul 08, 2011  |  Filed in: Security Research
Mark Balanza has spotted a new Android malware, Android/CruseWin.A!tr, which acts as an SMS relay. The malicious application is in contact with a remote C&C from which it gets an XML configuration file which contains the commands the C&C wishes the bot to perform. In particular, the XML send tag makes the infected mobile phone send an SMS to a specified phone number with a specified body. Then, this phone number is added to a list of phone numbers for which the malicious application must act as a relay: when the specified phone number... [Read More]
by RSS Axelle Apvrille  |  Jul 04, 2011  |  Filed in: Security Research
The Android malware DroidKungFu reports back to the following URLs: http://[REMOVED]fu-android.com:8511/search/rpty.php http://[REMOVED]fu-android.com:8511/search/getty.php http://[REMOVED]fu-android.com:8511/search/sayhi.php A whois on the corresponding IP address replies with the following most peculiar information: it looks like the IP address belongs to a mobile device (either a phone, or a tablet, or a computer with a 2G/3G connection...) of a well-known Chinese operator. Of course, we have immediately notified this operator. This is rather... [Read More]
by RSS Axelle Apvrille  |  Jun 16, 2011  |  Filed in: Security Research
As a "Crypto Girl" should, I wish to report that the latest Android malware, Android/DroidKungFu, uses AES encryption. It is certainly not the first time Android malware use cryptographic encryption - we have already seen use of DES in Android/Geinimi or Android/HongTouTou - but this would appear to be the first use of AES on Android (AES has already been reported in Symbian malware such as SymbOS/InSpirit). In Android/DroidKungFu, the malware uses AES to encrypt the two exploits it uses: CVE-2009-1185: packaged as gjsvro. located in the malware's... [Read More]
by RSS Axelle Apvrille  |  Jun 09, 2011  |  Filed in: Security Research
A few days ago, a new malware named Android/Smspacem.A!tr appeared for Android users. This malware trojans a legitimate (but controversial) application named the Holy F***ing Bible. Its malicious behavior only appeared on May 21-22 and resulted in changing the device's wallpaper and sends out anti-Christian joke SMS messages to all the user's phone contacts. The malware also reacts to a few commands: "health" (SMS command), "formula401" and "pacem" (Web service commands, obtained by polling a Web service on a Command & Control server). The actions... [Read More]
by RSS Axelle Apvrille  |  May 30, 2011  |  Filed in: Security Research