malware' | Page 23


As explained in our previous post (DroidKungFu is getting smarter), DroidKungFu now comes in 7 different flavors. Here is an updated graph of their similarities. Just like our previous graph (Clarifying Android DroidKungFu variants), each block represents a variant, intersections showing how many similar methods are implemented*. All variants can download and install new packages, start an application (activity), open a URL in the browser and delete a package**. Although the F variant intentionally piggybacks legitimate applications that use... [Read More]
by RSS Karine de Ponteves  |  Jun 01, 2012  |  Filed in: Security Research
You ran all the scans, conducted all the tests and yep…you've got malware Last month, we detailed steps you could take in those critical and panic-filled moments when you realized that you might have clicked on a malicious link or opened an infected attachment, but weren’t quite sure you’d been infected. Now, in a follow-up, we'll note a few actions you can take in the event that malware was indeed installed on your computer. First, nothing substitutes for the expertise of an IT professional for an accurate assessment of your computer’s... [Read More]
by RSS Stefanie Hoffman  |  May 02, 2012  |  Filed in: Industry Trends
Much like Ninja Turtles, DroidKungFu now comes in different flavours (5 so far), discovered by Pr. Xuxian Jiang (and research team) and Lookout. If, like me, you are having difficulties keeping track of those variants, this post is for you :) The similarities and differences between all 5 variants are depicted below. The various blocks represent each variant, and their intersection shows how many methods they share exactly*. All variants share the same malicious commands (CMD box). They can download and install new package, start a program (called... [Read More]
by RSS Axelle Apvrille  |  Oct 26, 2011  |  Filed in: Security Research
QR code with a link to Riskware/Jifake!Android A long time ago, more than 2 years ago actually, I blogged about the dangers of QR codes: "virus gangs could use this technology to have the end-user follow malicious links or send messages to premium numbers" and, this is exactly what happened a few days ago, when Denis Maslennikov found a QR code leading to a mobile malware, named Jifake, that sends SMS messages to a premium number. I told you so, and I couldn't resist telling you ;) QR codes are very handy, but they're an incredible vector... [Read More]
by RSS Axelle Apvrille  |  Oct 03, 2011  |  Filed in: Security Research
This is a short update to our prior post concerning Zitmo on Android. Is this really Zitmo? This fake Trusteer malware shows several differences with prior Symbian variants, but, for simplicity (and because it's easy to remember), we call it Zitmo. This does not mean this variant was written by the same authors (no proof on that account, one way or another) nor that it has exactly the same technical functionalities or even, depending on naming policies, the same name among AV vendors, but what we mean is that this sample was propagated by ZeuS... [Read More]
by RSS Axelle Apvrille  |  Jul 18, 2011  |  Filed in: Security Research
Zitmo has been used by the ZeuS gang to defeat SMS-based banking two-factor authentication on Symbian, BlackBerry and Windows Mobile for a several months (see my ShmooCon slides). Lately, there's been an active discussion on technical forums regarding ZeuS targetting Android users. We finally managed to get our hands on the mobile sample the ZeuS PC trojans are propagating. Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far more scary when... [Read More]
by RSS Axelle Apvrille  |  Jul 08, 2011  |  Filed in: Security Research
Mark Balanza has spotted a new Android malware, Android/CruseWin.A!tr, which acts as an SMS relay. The malicious application is in contact with a remote C&C from which it gets an XML configuration file which contains the commands the C&C wishes the bot to perform. In particular, the XML send tag makes the infected mobile phone send an SMS to a specified phone number with a specified body. Then, this phone number is added to a list of phone numbers for which the malicious application must act as a relay: when the specified phone number... [Read More]
by RSS Axelle Apvrille  |  Jul 04, 2011  |  Filed in: Security Research
The Android malware DroidKungFu reports back to the following URLs: http://[REMOVED]fu-android.com:8511/search/rpty.php http://[REMOVED]fu-android.com:8511/search/getty.php http://[REMOVED]fu-android.com:8511/search/sayhi.php A whois on the corresponding IP address replies with the following most peculiar information: it looks like the IP address belongs to a mobile device (either a phone, or a tablet, or a computer with a 2G/3G connection...) of a well-known Chinese operator. Of course, we have immediately notified this operator. This is rather... [Read More]
by RSS Axelle Apvrille  |  Jun 16, 2011  |  Filed in: Security Research
As a "Crypto Girl" should, I wish to report that the latest Android malware, Android/DroidKungFu, uses AES encryption. It is certainly not the first time Android malware use cryptographic encryption - we have already seen use of DES in Android/Geinimi or Android/HongTouTou - but this would appear to be the first use of AES on Android (AES has already been reported in Symbian malware such as SymbOS/InSpirit). In Android/DroidKungFu, the malware uses AES to encrypt the two exploits it uses: CVE-2009-1185: packaged as gjsvro. located in the malware's... [Read More]
by RSS Axelle Apvrille  |  Jun 09, 2011  |  Filed in: Security Research
We often have requests on mobile malware statistics and although statistics are only an imperfect representation of reality, this is what we can share. Those statistics only concern malware which run on mobile phones (hybrid malware which run on a PC and send SMS do not count for instance) and the results are for malware families, i.e a group of samples which are 'similar' and, yes,unfortunately, this is quite subjective. Reminder: a family is then divided in several variants. An each individual malicious package is called a sample. we haven't... [Read More]
by RSS Axelle Apvrille  |  Mar 28, 2011  |  Filed in: Security Research