mobile


Ztorg, also known as Qysly, is one of those big families of Android malware. It first appeared in April 2015, and now has over 25 variants, some of which are still active in 2017. Yet, there aren't many technical descriptions for it - except for the initial Ztorg.A sample - so I decided to have a look at one of the newer variants, Android/Ztorg.AM!tr, that we detected on January 20, 2017. The sample poses a "Cool Video Player" and its malicious activity was so well hidden I initially thought I had run into... [Read More]
by RSS Axelle Apvrille  |  Mar 15, 2017  |  Filed in: Security Research
In the part 1 of this blog, we saw that Android/Ztorg.AM!tr silently downloads a remote encrypted APK, then installs it and launches a method named c() in the n.a.c.q class. In this blog post, we’ll investigate what this does. This is the method c() of n.a.c.q: This prints "world," then waits for 200 seconds before starting a thread named n.a.c.a. I'll spare you a few hops, but among the first things we notice is that the sample uses the same string obfuscation routine, except this time it is not... [Read More]
by RSS Axelle Apvrille  |  Mar 15, 2017  |  Filed in: Security Research
Recently, we found a new Android rootnik malware which uses open-sourced Android root exploit tools and the MTK root scheme from the dashi root tool to gain root access on an Android device. The malware disguises itself as a file helper app and then uses very advanced anti-debug and anti-hook techniques to prevent it from being reverse engineered. It also uses a multidex scheme to load a secondary dex file. After successfully gaining root privileges on the device, the rootnik malware can perform several malicious behaviors, including app and ad... [Read More]
by RSS Kai Lu  |  Jan 26, 2017  |  Filed in: Security Research
Pokémon Go’s rapid rise in popularity has attracted cybercriminals to leverage its hype for their malicious intents. So far, we have seen backdoored Pokémon Go apps, lockscreen apps, scareware apps, SMS spam,s as well as Windows ransomware. This time we have seen a new attack that takes aim at Pokémon Go users themselves, in the form of a fake Windows-based Pokémon Go Bot. A Pokémon Go Bot is an application that works as a fake Pokémon trainer in order to level up a user’s account without... [Read More]
by RSS Roland Dela Paz  |  Aug 24, 2016  |  Filed in: Security Research
At FortiGuard, we wouldn't let you down without an analysis of Pokémon Go. Is it safe to install? Can you go and hunt for Pokémon, or stay by a pokestop longing for pokeballs? While this article won't assist you in game strategy, I'll give you my first impressions analyzing the game. Versions There are two sorts of Pokémon applications: 1. The official versions, issued by Niantic. We will talk more about these later, but in brief, they are not malicious. 2. The hacked versions. These are... [Read More]
by RSS Axelle Apvrille  |  Aug 11, 2016  |  Filed in: Security Research
While inspecting the Pokémon Go application, I incidentally found information on ... Pokémon Go Plus. Basically, this is the Pokémon IoT: a connected wristband with a button (to throw a pokéball, for instance), a RGB LED, and vibration capability (e.g to notify of nearby Pokémon). The device is not yet released, and the software is still under development: as you can see below, versions 0.29.x corresponds to "BETA4". Implementation in version... [Read More]
by RSS Axelle Apvrille  |  Aug 11, 2016  |  Filed in: Security Research
Recently, we - i.e Giuseppe Pacelli (student at Eurecom), Matteo Bertolino (student at Eurecom) and their supervisors Ludovic Apvrille (Telecom ParisTech) and myself - had a closer look at a few Android samples infected with the Feiwo adware. This adware family is not new, but the instances we analyzed were still undetected by all anti-virus vendors last week, as far as we know. Besides aggressively serving ads to your mobile phone, this potentially unwanted application (PUA) posts your phone number and list of applications you installed... [Read More]
by RSS Axelle Apvrille  |  May 20, 2016  |  Filed in: Security Research
Google fixed a denial of service vulnerability in Minikin library (CVE-2016-2414) with the Android patches of this month. I reported this vulnerability to Google in early March, 2016 and Google confirmed it was a duplicated report of bug 26413177 which had been reported by another researcher in November, 2015. In this blog, we will provide an in-depth analysis of this vulnerability. It exists because the Minikin library fails to parse .TTF font files correctly. As a result, it could allow a local attacker... [Read More]
by RSS Kai Lu  |  Apr 13, 2016  |  Filed in: Security Research
Not surprisingly, mobile security ranks among the top challenges IT faces when it comes to protecting small and mid-sized businesses. What is surprising, however, is that only 16% of SMBs worldwide responding to a recent Techaisle survey say they’re prepared to deal with mobile security challenges. For some small businesses, this is constraining mobile adoption; for others, it's creating concerning security gaps. However, it also creates an opportunity for channel partners to step in and become trusted advisors. Right now, many MSPs... [Read More]
by RSS Esther Shein  |  Sep 24, 2015  |  Filed in: Industry Trends & News
For the second year in a row, BlackHat Asia was held in Singapore, at the end of March, in the luxury Marina Bay Sands hotel. As usual, the 2 days briefings were fully loaded of plenty of topics. 3 distinct tracks were offered, plus the business track (briefings sponsored by companies) and of course the technical Arsenal rooms. This year Fortinet had a booth, I was asked to help. We had a lot of great conversations with prospective customers and passerby generally interested in industry trends. I was also able to attend some briefings,... [Read More]
by RSS David Maciejak  |  Apr 02, 2015  |  Filed in: Industry Trends & News