There are already a couple of Android ransomware families, but Android/Locker.CB!tr certainly is an interesting one.
Smile! The malware is taking a picture of you
The malware claims it has detected "forbidden pornographic" pictures on your device, says it has reported them to the FBI and asks you to pay a fine of $500. To make the (fake) report appear even more scary, the malware displays your IP address and a picture of you. It says those were sent in the report to the FBI.
Legend: Scare page of Android/Locker
How did it...
by Axelle Apvrille  |  Aug 11, 2015  |  Filed in: Security Research
If you haven't had time to read Google's 44-page Android security report, this is a quick recap of what they say, and what we think about it. Overall, their report is consistent with our data, apart from a few glitches and a (not so surprising) tendency to minimize security risks ;)
Infection rate
Google says:
Less than 1% of all devices have Potentially Harmful Applications (PHA ~ malware + riskware + adware)
Less than 0.15% of devices that only download from Google Play had PHA
FortiGuard: Having our products on the...
by Axelle Apvrille  |  Apr 17, 2015  |  Filed in: Industry Trends
by Michael Perna  |  Oct 24, 2014  |  Filed in: Industry Trends
After the drive-by download malware served on a Spanish newspaper in February, another Spanish newspaper has been hit by malicious advertisements served on its website. This time, reading the news leads you to scareware advertisements and then to subscriptions to paid services. This occurs from the main page of the online newspaper. The following windows pop up automatically, without clicking on any advertisement. At first, you get pop-ups about an alleged infection (Figure 1) or suggestions to update an application (Figure 2). One way or another, those ads typically...
by Axelle Apvrille  |  Mar 14, 2014  |  Filed in: Security Research
It's everywhere in the news, and I couldn't resist trying to figure out how it works. I think I roughly found out, but we'll have to wait for Karsten Nohl's presentation at BlackHat to see if I was right :)
Getting ciphertexts
Mobile phones are capable of receiving OTA (Over The Air) commands ('update', 'get status'...) in the form of SMS messages sent by their service provider. Fortunately, those messages support encryption and integrity checks. More specifically, the secure packet header specifies the algorithm and key set identifier to use...
by Axelle Apvrille  |  Jul 24, 2013  |  Filed in: Security Research
Recently I received this SMS on my mobile phone. Basically, it tells me I have to call back 018377xxxx to collect a parcel. As this phone number is not a premium number and I was indeed waiting for a parcel, I nearly fell for the trick.
Figure 1. SMS scam received on the phone. It says: "E-Relay Hello, your parcel Ref: M794610 is waiting for you since July 8th, 2013. More details at 018377xxxx"
I guess that AV analysts get suspicious about everything, and I checked it on a search engine. I quickly found out that plenty of other victims were complaining...
by Axelle Apvrille  |  Jul 17, 2013  |  Filed in: Security Research
In a previous post, I mentioned the new scheme used by the author of Android/Fakemart to make money. Basically, the trick consisted of infecting phones to silently and automatically register for an online quiz and then steal the winning prize. When the online quiz required a captcha, the malware would solve it with OCR. Yesterday, we learned that the author has been identified: a 20-year-old man in Amiens, France. We know his fraud was active for a few months starting at the end of 2011. From the number of SMS messages to the author's lines...
by Axelle Apvrille  |  Oct 19, 2012  |  Filed in: Security Research
Another Android malware is currently in the wild in France, as we have recently discovered. This malware poses as a Flash Player installer and steals your incoming SMS messages by forwarding them to a remote server. We have named it Android/Fakelash.A!tr.spy. Unlike many Android malware samples, which are downloaded from underground or legitimate marketplaces (see here, here, here, here...), this one is propagating via a link in an SMS. For example, the victim below complains he received an SMS from 10052 saying "For proper function of your device,...
by Axelle Apvrille  |  Sep 21, 2012  |  Filed in: Security Research
While going through our regular (and never-ending) supply of malicious Android samples, we came across an interesting variant a couple of days back. Like most Android Trojans these days, this piece of malware profits by sending out SMS messages from the victim's phone, monitoring incoming SMS messages and selectively blocking certain messages. This particular variant, however, has earned itself a notorious reputation after having infected 500,000 Android users in China. The Trojan comes in the form of wallpaper application package files (APKs),...
by Ruchna Nigam  |  Sep 18, 2012  |  Filed in: Security Research
Recently, a new Trojan named Android/Fakemart caught our attention, as it is operating in France, where our EMEA labs are located. The malware poses as a Winamp Pro application or a Black Market application (Black Market is an alternative to Android's Google Play market) but has none of their functionality. Instead, it sends SMS messages to premium phone numbers - at the victim's expense - and contacts a few remote servers. See details here. Sending SMS messages to premium phone numbers is a common way for mobile malware to make money. At one point...
by Axelle Apvrille  |  Sep 03, 2012  |  Filed in: Security Research