mobile | Page 4


With the migration of most services to the cloud, some enterprising Android malware developers have decided to profit from this. Google provides a service known as Cloud to Device Messaging (C2DM) that allows developers to send messages from Google's servers to their applications on Android devices. Android/FakeInst.C!tr, a malware variant we came across recently, employs exactly this service to carry out its malicious activities. The variant is similar to other samples of the Android/FakeInst family that we have encountered. These samples pose...
by Ruchna Nigam  |  Jun 13, 2012  |  Filed in: Security Research
Denis Maslennikov reported a new SMS trojan, Android/Mania, which emanates from France. This malware doesn't have any outstanding functionality - it silently sends SMS messages to a short number, something we see only too often in mobile malware - except that it happens to clearly originate from France. As our European lab is based in France, we investigated it with particular interest. Thanks Denis for sharing. What we learned, in a few points: All samples we got our hands on send 7 SMS messages to the same French short number 84242. This is an "SMS+" short...
by Axelle Apvrille  |  Jun 06, 2012  |  Filed in: Security Research
As explained in our previous post (DroidKungFu is getting smarter), DroidKungFu now comes in 7 different flavors. Here is an updated graph of their similarities. Just like our previous graph (Clarifying Android DroidKungFu variants), each block represents a variant, intersections showing how many similar methods are implemented*. All variants can download and install new packages, start an application (activity), open a URL in the browser and delete a package**. Although the F variant intentionally piggybacks legitimate applications that use...
by Karine de Ponteves  |  Jun 01, 2012  |  Filed in: Security Research
Mobile botnet Android/RootSmart (aka Bmaster) is making a substantial amount of money from premium SMS numbers or services, according to Cathal Mullaney's discovery of a mobile botnet front-end: yes, we had told you so. Glance at Guillaume Lovet's paper at Virus Bulletin back in 2006, where he explains the business behind mobile botnets. His illustration is exactly what Android/RootSmart (aka Bmaster) does: Later, at SAR SSI in 2010, I re-insisted on the potential impact of such strategies: It's interesting to notice my estimate of...
by Axelle Apvrille  |  Apr 20, 2012  |  Filed in: Security Research
A few days ago, CarrierIQ published a 19-page report detailing their software and business. I read the 19 pages, and in case you were wondering, the statements of my previous blog post still stand; even more, they are confirmed, so I have updated the FAQ with extra data. Some of my comments on the report are below. "The IQ Agent uploads diagnostic data once per day, at a time when the device is not being used" (page 4) This is hardly a defense to me. People do not like that their phone is being used without their consent, even if it is for good reasons. When...
by Axelle Apvrille  |  Dec 20, 2011  |  Filed in: Security Research
Q1- The basics. What is Carrier IQ?
CarrierIQ is a controversial piece of code which was intentionally placed on several mobile phones by their vendors or carriers. It has the capability of monitoring and/or collecting various information - without the user's consent.
Q2- What is Carrier IQ exactly doing?
Precisely, CarrierIQ (CIQ) has developed a series of hooks to monitor plenty of metrics such as:
HT01: HTTP request URI
AL15: browser's URL
MG01: SMS recipient and SMS center
MG03: SMS originator
MG11: MMS version, sender, recipient and relay...
by Axelle Apvrille  |  Dec 13, 2011  |  Filed in: Security Research
[Image: QR code with a link to Riskware/Jifake!Android]
A long time ago, more than 2 years ago actually, I blogged about the dangers of QR codes: "virus gangs could use this technology to have the end-user follow malicious links or send messages to premium numbers" and, this is exactly what happened a few days ago, when Denis Maslennikov found a QR code leading to a mobile malware, named Jifake, that sends SMS messages to a premium number. I told you so, and I couldn't resist telling you ;) QR codes are very handy, but they're an incredible vector...
by Axelle Apvrille  |  Oct 03, 2011  |  Filed in: Security Research
This is a short update to our prior post concerning Zitmo on Android. Is this really Zitmo? This fake Trusteer malware shows several differences with prior Symbian variants, but, for simplicity (and because it's easy to remember), we call it Zitmo. This does not mean this variant was written by the same authors (no proof on that account, one way or another) nor that it has exactly the same technical functionalities or even, depending on naming policies, the same name among AV vendors, but what we mean is that this sample was propagated by ZeuS...
by Axelle Apvrille  |  Jul 18, 2011  |  Filed in: Security Research
Zitmo has been used by the ZeuS gang to defeat SMS-based banking two-factor authentication on Symbian, BlackBerry and Windows Mobile for several months (see my ShmooCon slides). Lately, there's been an active discussion on technical forums regarding ZeuS targeting Android users. We finally managed to get our hands on the mobile sample the ZeuS PC trojans are propagating. Actually, it is not a new sample and has been detected under several names (Android.Trojan.SmsSpy.B, Trojan-Spy.AndroidOS.Smser.a, Andr/SMSRep-B), but it is far more scary when...
by Axelle Apvrille  |  Jul 08, 2011  |  Filed in: Security Research