Yukihiro Okutomi – McAfee Blogs
https://securingtomorrow.mcafee.com/blogs

MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play
https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/
Wed, 07 Aug 2019 16:10:58 +0000

The McAfee mobile research team has found a new type of Android malware for the MoqHao phishing campaign (a.k.a. XLoader and Roaming Mantis) targeting Korean and Japanese users. A series of attack campaigns is still active, mainly targeting Japanese users. The new spyware has very different payloads from the existing MoqHao samples. However, we found evidence of a connection between the distribution method used for the existing campaign and this new spyware. All the spyware we found this time pretends to be security applications targeting users in Japan and Korea. We discovered a phishing page related to a DNS hijacking attack, designed to trick the user into installing the new spyware distributed on the Google Play store.

Fake Japanese Security Apps Distributed on Google Play

We found two fake Japanese security applications. The package names are com.jshop.test and com.jptest.tools2019. These packages were distributed on the Google Play store. The number of downloads of these applications was very low. Fortunately, the spyware apps were immediately removed from the Google Play store, and we acquired the malicious samples thanks to the Google Android Security team.

Figure 1. Fake security applications distributed on Google Play

This Japanese spyware has four command and control functions. Below is the server command list used with this spyware. The spyware attempts to collect device information such as the IMEI and phone number and to steal SMS/MMS messages on the device. These malicious commands are delivered through the Tencent Push Notification Service.

Figure 2. Command registration into mCommandReceiver

Table 1. The command lists

*1 Not implemented correctly; the behaviour differs from what the command name suggests

We believe that the cybercriminal included minimal spyware features to bypass Google’s security checks to distribute the spyware on the Google Play store, perhaps with the intention of adding additional functionality in future updates, once approved.

Fake Korean Police Apps

Following further investigation, we found other very similar samples to the above fake Japanese security applications, this time targeting Korean users. A fake Korean police application disguised itself as an anti-spyware application. It was distributed with a filename of cyber.apk on a host server in Taiwan (that host has previously been associated with malicious phishing domains impersonating famous Japanese companies). It used the official icon of the Korean police application and a package name containing ‘kpo’, along with references to com.kpo.scan and com.kpo.help, all of which relate to the Korean police.

Figure 3. This Korean police application icon was misappropriated

The Trojanized package was obfuscated by the Tencent packer to hide its malicious spyware payload. Unlike the existing MoqHao samples, which hide the control server address and retrieve it via Twitter accounts, this sample has the C&C server address simply embedded in the spyware application.

The malware has very similar spyware functionality to the fake Japanese security application. However, this one features many additional commands compared to the Japanese one. Interestingly, the Tencent Push Service is used to issue commands to the infected user.

Figure 4. Tencent Push Service

The code and table below show characteristics of the server command and content list.

Figure 5. Command registration into mCommandReceiver

Table 2. The command lists

*1 Seems to be under construction; the behaviour differs from what the command name suggests

There are several interesting functions implemented in this spyware. To place calls automatically through the default calling application, the KAutoService class inspects the content of the active window and automatically clicks the start-call button.

Figure 6. KAutoService class clicks the start button automatically in the active calling application

Another interesting function attempts to disable anti-spam call applications (e.g. whowho – Caller ID & Block), which warn users about suspicious incoming calls from unknown numbers. Disabling these call security applications allows the cyber criminals to place calls without arousing suspicion, since no alert is issued by the anti-spam call apps, thus increasing the success of their social engineering.

Figure 7. Disable anti-spam-call applications

Figure 8. Disable anti-spam-call applications

Table 3. List of disabled anti-spam call applications

Connection with Active MoqHao Campaigns

The malware characteristics and structures are very different from the existing MoqHao samples. We give special thanks to @ZeroCERT and @ninoseki, without whom we could not have identified the connection to the active MoqHao attack and DNS hijacking campaigns. The server script on the phishing website hosting the fake Chrome application leads victims to a fake Japanese security application on the Google Play store (https://play.google.com/store/apps/details?id=com.jptest.tools2019) under specific browser conditions.

Figure 9. The server script redirects users to a fake security application on Google Play (Source: @ninoseki)

There is a strong correlation between the fake Japanese and Korean applications we found this time. The two share common spy commands and the same crash report key on a cloud service. Therefore, we concluded that both pieces of spyware are connected to the ongoing MoqHao campaigns.

Conclusion

We believe that the spyware aims to masquerade as a security application and perform spy activities, such as tracking device location and eavesdropping on call conversations. It is distributed via an official application store that many users trust. The attack campaign is still ongoing, and it now features a new Android spyware that has been created by the cybercriminals. McAfee is working with Japanese law enforcement agencies to help with the takedown of the attack campaign. To protect your privacy and keep your data from cyber-attacks, please do not install apps from outside of official application stores. Keep firmware up to date on your device and make sure to protect it from malicious apps by installing security software on it.

McAfee Mobile Security detects this threat as Android/SpyAgent and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com

Appendix – IOCs

Table 4. Fake Japanese security application IOCs

Table 5. Fake Korean police application IOCs

The post MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play appeared first on McAfee Blogs.

MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development
https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/malbus-popular-south-korean-bus-app-series-in-google-play-found-dropping-malware-after-5-years-of-development/
Mon, 04 Feb 2019 18:00:12 +0000


McAfee’s Mobile Research team recently learned of a new malicious Android application masquerading as a plugin for a transportation application series developed by a South Korean developer. The series provides a range of information for each region of South Korea, such as bus stop locations, bus arrival times and so on. There are a total of four apps in the series, with three of them available from Google Play since 2013 and the other from around 2017. Currently, all four apps have been removed from Google Play, while the fake plugin itself was never uploaded to the store. While analyzing the fake plugin, we were looking for initial downloaders and additional payloads; we discovered one specific version of each app in the series (uploaded on the same date) which was dropping malware onto the devices on which it was installed, explaining their removal from Google Play after 5 years of development.

Figure 1. Cached Google Play page of Daegu Bus application, one of the apps in series

When the malicious transportation app is installed, it downloads an additional payload from hacked web servers which includes the fake plugin we originally acquired. After the fake plugin is downloaded and installed, it does something completely different – it acts as a plugin of the transportation application and installs a trojan on the device, trying to phish users to input their Google account password and completely take control of the device. What is interesting is that the malware uses the native library to take over the device and also deletes the library to hide from detection. It uses names of popular South Korean services like Naver, KakaoTalk, Daum and SKT. According to our telemetry data, the number of infected devices was quite low, suggesting that the final payload was installed to only a small group of targets.

The Campaign

The following diagram explains the overall flow from malware distribution to device infection.

Figure 2. Device infection process

When the malicious version of the transportation app is installed, it checks whether the fake plugin is already installed and, if not, downloads it from the server and installs it. After that, it downloads and executes an additional native trojan binary which is similar to the trojan dropped by the fake plugin. Once everything is done, it connects to the C2 servers and handles the commands it receives.

Initial Downloader

The following table shows information about the malicious version of each transportation app in the series. As the Google Play install counts show, these apps have been downloaded on many devices.

Unlike the clean version of the app, the malicious version contains a native library named “libAudio3.0.so”.

Figure 3. Transportation app version with malicious native library embedded

In the BaseMainActivity class of the app, it loads the malicious library and calls startUpdate() and updateApplication().

Figure 4. Malicious library being loaded and executed in the app

startUpdate() checks whether the app is correctly installed by checking for the existence of a specific flag file named “background.png” and whether the fake plugin is installed already. If the device is not already infected, the fake plugin is downloaded from a hacked web server and installed after displaying a toast message to the victim. updateApplication() downloads a native binary from the same hacked server and dynamically loads it. The downloaded file (saved as libSound1.1.so) is then deleted after being loaded into memory and, finally, it executes an exported function which acts as a trojan. As previously explained, this file is similar to the file dropped by the fake plugin which is discussed later in this post.

Figure 5. Additional payload download servers

Fake Plugin

The fake plugin is downloaded from a hacked web server with file extension “.mov” to look like a media file. When it is installed and executed, it displays a toast message saying the plugin was successfully installed (in Korean) and calls a native function named playMovie(). The icon for the fake plugin soon disappears from the screen. The native function implemented in LibMovie.so, which is stored inside the asset folder, drops a malicious trojan to the current running app’s directory masquerading as libpng.2.1.so file. The dropped trojan is originally embedded in the LibMovie.so xor’ed, which is decoded at runtime. After giving permissions, the address of the exported function “Libfunc” in the dropped trojan is dynamically retrieved using dlsym(). The dropped binary in the filesystem is deleted to avoid detection and finally Libfunc is executed.

Figure 6. Toast message when malware is installed

In the other forked process, it tries to access the “naver.property” file on an installed SD card, if there is one, and if it succeeds, it tries starting the “.KaKaoTalk” activity, which displays a Google phishing page (more on that in the next section). The overall flow of the dropper is explained in the following diagram:

Figure 7. Execution flow of the dropper

Following is a snippet of a manifest file showing that “.KaKaoTalk” activity is exported.

Figure 8. Android Manifest defining “.KaKaoTalk” activity as exported

Phishing in JavaScript

The KakaoTalk class opens a local HTML file, javapage.html, with the email address registered on the infected device pre-filled as the account to log into.

Figure 9. KakaoTalk class loads malicious local html file

The victim’s email address is set to the local page through a JavaScript function setEmailAddress after the page is finished loading. A fake Korean Google login website is displayed:

Figure 10. The malicious JavaScript shows crafted Google login page with user account

We found the following attempts by the malware author to abuse legitimate Google services:

  • Steal victim’s Google account and password
  • Request password recovery for a specific account
  • Set recovery email address when creating new Google account

An interesting element of the phishing attack is that the malware authors tried to set their own email as the recovery address on Google’s legitimate services. For example, when a user clicks on the new Google account creation link in the phishing page, the crafted link is opened with the malware author’s email address as a parameter of RecoveryEmailAddress.

Figure 11. The crafted JavaScript attempts to set recovery email address for new Google account creation.

Fortunately for end users, none of the above malicious attempts are successful. The parameter with the malware author’s email address is simply ignored at the account creation stage.

Trojan

In addition to the Google phishing page, when the “Libfunc” function of the trojan (dropped by the fake plugin or downloaded from the server) is executed, the mobile phone is totally compromised. It receives commands from the following hardcoded list of C2 servers. The main functionality of the trojan is implemented in a function called “doMainProc()”. Please note that there are a few variants of the trojan with different functionality but, overall, they are pretty much the same.

Figure 12. Hardcoded list of C2 servers

The geolocation of the hardcoded C2 servers looks like the following:

Figure 13. Location of C2 Servers

Inside doMainProc(), the trojan receives commands from the C2 server and calls appropriate handlers. Part of the switch block below gives us an idea of what type of commands this trojan supports.

Figure 14. Subset of command handlers implemented in the dropped trojan.

As you can see, it has all the functionality of a typical trojan: downloading, uploading and deleting files on the device, leaking information to a remote server and so on. The following table explains the supported C2 commands:

Figure 15. C2 Commands

Before entering the command handling loop, the trojan does some initialization, like sending device information files to the server and checking the UID of the device. Only after the UID checking returns a 1 does it enter the loop.

Figure 16. Servers connected before entering command loop

Among these commands, directory indexing in particular is important. The directory structure is saved in a file named “kakao.property”, and while indexing the given path on the user’s device, the trojan checks each file against specific keywords and, if one matches, uploads the file to the remote upload server. The keywords are Korean; their English translations are shown in the following table:

Figure 17. Search file keywords

By looking at the keywords we can anticipate that the malware authors were looking for files related to the military, politics and so on. These files are uploaded to a separate server.

Figure 18. Keyword matching file upload server

Conclusion

Applications can easily trick users into installing them and then leak sensitive information. Also, it is not uncommon to see malware sneaking onto the official Google Play store, making it hard for users to protect their devices. This malware was not written for ordinary phishing attempts, but rather for very targeted attacks, searching the victim’s devices for files related to the military and politics, likely trying to leak confidential information. Users should install only applications they can fully trust, even when downloading from trusted sources.

McAfee Mobile Security detects this threat as Android/MalBus and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.

Hashes (SHA-256)


The post MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development appeared first on McAfee Blogs.

Pirate Versions of Popular Apps Infiltrate Google Play via Virtualization
https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/pirated-android-apps-abuse-virtualization-to-pose-as-legitimate/
Wed, 01 Nov 2017 13:00:59 +0000
The McAfee Mobile Research team recently found pirated applications of popular apps distributed on the Google Play store. A pirated app is one distributed usually outside of the official store as a free version of a legitimate app. Paid legitimate applications are leading targets of pirated versions. In this case, however, we found pirated copies being distributed on the official market.

The four pirated apps we found are developed by AE-funStudios, which offers versions of the common tool and games Flashlight, Race Car, Gun Shoot, and Chess. The download numbers of these apps are between 10,000 and 100,000. We contacted Google about these pirated apps; they were promptly removed from the Google Play store.

How do we know these apps are pirated versions? Let’s look at their structure. The following screenshot shows the pirated version of Chess, com.chess.chessfree.chessboard.chessgame.free.

In this app, we find the file ttttt in the assets folder. The file has no extension, but the format is APK, and in this case is the legitimate app Chess Free from a different developer. The bogus filename is already suspicious.

The pirate app attempts to create a virtual space using the class VirtualCore, installing the legitimate app in the virtualization space, and running it after it launches.

The component com.lody.virtual is a piece of virtualization technology. The virtualization component VirtualApp is published on GitHub as open source, so the component itself is not malicious. It is similar to Instant Apps, introduced in Android 8.0 Oreo, which provide a framework for running an application in a virtual space without installation. The component creates a virtual memory space in a local process, and loads and executes an APK file in that memory space.

The pirated app makes the legitimate app in the assets folder behave like a part of the application by using the virtualization component, without installing the legitimate app on the device. Using this framework, the malware author can generate a new Trojan without repackaging (disassembling an app, inserting malware code, and rebuilding it as new package).
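As an added triage example (not from the original post or from McAfee), the following Python script flags the two traits described above: an asset with no meaningful extension that is really an APK, and DEX references to the com.lody.virtual package. The sample APKs are constructed in memory, and the marker strings and file names are assumptions for this example.

```python
import io
import zipfile

# Marker strings assumed for this example: a DEX string table holds class
# descriptors as plain text, so a VirtualApp-based loader references these.
VIRTUALAPP_MARKERS = (b"Lcom/lody/virtual/", b"VirtualCore")


def _is_apk(data: bytes) -> bool:
    """An APK is a zip that carries AndroidManifest.xml and at least one classes*.dex."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    has_dex = any(n.startswith("classes") and n.endswith(".dex") for n in names)
    return "AndroidManifest.xml" in names and has_dex


def find_embedded_apks(apk: bytes) -> list:
    """Return asset paths that are APKs in disguise, whatever their file extension."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            with zf.open(info) as fh:          # cheap magic check before a full read
                head = fh.read(4)
            if head == b"PK\x03\x04" and _is_apk(zf.read(info)):
                found.append(info.filename)
    return found


def uses_virtualapp(apk: bytes) -> bool:
    """True if any DEX file in the APK references the com.lody.virtual package."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                dex = zf.read(name)
                if any(marker in dex for marker in VIRTUALAPP_MARKERS):
                    return True
    return False


def triage(apk: bytes) -> dict:
    """Combine both signals: a hidden APK plus a virtualization engine to run it."""
    embedded = find_embedded_apks(apk)
    virtual = uses_virtualapp(apk)
    return {"embedded_apks": embedded, "virtualapp": virtual,
            "suspicious": bool(embedded) and virtual}


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_wrapper() -> bytes:
    """Constructed stand-in for the pirate app: a VirtualApp loader with an inner APK at assets/ttttt."""
    inner = _zip_bytes({"AndroidManifest.xml": b"<manifest/>",
                        "classes.dex": b"dex\n035\x00Lcom/example/chess/Main;"})
    return _zip_bytes({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00Lcom/lody/virtual/client/core/VirtualCore;",
        "assets/ttttt": inner,
    })


def build_sample_clean() -> bytes:
    """Constructed benign app: ordinary DEX and a real image asset."""
    return _zip_bytes({"AndroidManifest.xml": b"<manifest/>",
                       "classes.dex": b"dex\n035\x00Lcom/example/Main;",
                       "assets/logo.png": b"\x89PNG\r\n\x1a\n"})


if __name__ == "__main__":
    print(triage(build_sample_wrapper()))
    print(triage(build_sample_clean()))
```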

However, the virtualization technique is not the perfect framework for all Android apps. Those with diversion protection and complex structures will not run in a virtual space. By applying app protection technology against repackaging, for example, we believe that the risk of a legitimate application being abused will become very low.

Let’s consider the intent of the pirated app’s author. In the following screenshot, it appears the author intends to earn income from mobile app advertisements. From our investigation, however, the current versions of these pirated apps have no mechanisms to display advertisements or to intercept the communications of the related legitimate apps to gain the revenue. Perhaps this feature is under development for future updates.

Another scenario is that the developer of the pirated apps might plan to sell the developer account to a criminal organization because, as one website points out, popular accounts such as those on Facebook and Instagram are traded at high prices in the black market just like banking accounts and personal identity information. The developer account could also be used for malware and spyware distribution. Each application affected by these four pirated apps is very popular, with the number of users between 1 million to 50 million. The pirated versions offer the same functionality as the legitimate apps to attract and retain users looking for original applications.

McAfee Mobile Security detects these pirated apps as Android/PUP.Pirates.C and protects user devices as well as the legitimate developers’ rights. To further protect yourself against pirated apps, download only recommended and popular apps on official app stores, and pay attention to suspicious traits such as odd app titles, user-unfriendly descriptions, low-quality screenshots, and poor user reviews. Also, verify that an app’s request for permissions is related to its functionality.


The post Pirate Versions of Popular Apps Infiltrate Google Play via Virtualization appeared first on McAfee Blogs.

Turkish Instagram Password Stealers Found on Google Play
https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/turkish-instagram-password-stealers-found-google-play/
Thu, 12 Jan 2017 22:48:55 +0000
McAfee’s mobile malware research team has found several Instagram password stealers on the Google Play store. (Google has since removed the apps.) These malware are distributed as utilities and tools for analyzing access and automating the following of Instagram accounts. The main targets of the malware are Turkish Instagram users.

The malware leads victims to a phishing website that steals Instagram account passwords using the WebView component. As we see in the following screenshots, the design of the login page is very simple, so it is difficult for users to tell the difference between legitimate and fake.


The victim’s credentials are sent to the malware author as plain text. If the network connection is monitored (as is possible on a free Wi-Fi network), the account name and password are open to unknown persons.


Victims’ personal information may leak if they use the same passwords on other websites and social network services. Malware authors will attempt to log into other web services using the stolen accounts and passwords.

Instagram’s popularity makes it a target for attackers. McAfee recommends you install mobile security and password-management software, and not trust applications downloaded from unknown sources. McAfee Mobile Security detects this threat as Android/InstaZuna and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.


The post Turkish Instagram Password Stealers Found on Google Play appeared first on McAfee Blogs.

Android Spyware Targets Security Job Seekers in Saudi Arabia
https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/android-spyware-targets-security-job-seekers-in-saudi-arabia/
Tue, 31 May 2016 16:08:21 +0000
The Middle East is the new Wild West of mobile malware, especially for targeted attacks and intelligence gathering campaigns. During the past few years, McAfee Mobile Research has monitored and reported on several countries in the region and has found an alarming increase in campaigns using mobile malware for not only disruption and hacktivism but also for intelligence gathering. Today we shed light on a new campaign targeting Saudi Arabia.

We have identified a campaign that is working in tandem with a job site that offers work for security personnel in government or military jobs.


The spyware, Android/ChatSpy, was distributed as a private chat application. It steals user contacts, SMS messages, and voice calls from infected devices and forwards them to the attacker’s server, which is in the same location as the job site.


The spyware author’s motives are not clear, but considering the jobs that were being advertised on the site, the implications should not be underestimated. The leaked information poses a serious security threat. We have reported this spyware campaign to the Computer Emergency Response Team in Saudi Arabia for additional investigation.

Let’s take a look at the spyware’s behavior. After it runs, the spyware shows only a screen with the network carrier and the user’s phone number, nothing more.


At the same time, the spyware runs in the background and gathers device information, contacts, browser history, SMS messages, and call logs from the infected device, and posts them to the attacker’s server. Then the spyware sends the message “New victim arrived” to notify the attacker of the infection and hides its application icon from the menu to prevent uninstallation and keep its spying activities secret.


The spyware keeps monitoring incoming SMS messages and takes screenshots, and records incoming/outgoing voice calls in the background. This user-sensitive information is also posted to the attacker’s server. The server runs a MySQL database and collects the data from infected devices. How is the information used? Most likely in a subsequent targeted attack.


Although the spyware works cleanly and quietly, the application code is of poor quality. The spyware has “spy” in the package name, and the hardcoded SMS message to the attacker has “victim” in plain text. The spyware uses an open-source “call-recorder-for-android,” found on GitHub, to implement the voice-call recording function. With such sloppy coding, the spyware must have been developed in a rush job by a “script kiddie.”

McAfee recommends you install mobile security software, and not trust applications downloaded from unknown sources. McAfee Mobile Security detects this threat as Android/ChatSpy and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

SHA-256 hash of analyzed sample(s):

  • 7cbf61fbb31c26530cafb46282f5c90bc10fe5c724442b8d1a0b87a8125204cb
  • 4aef8d9a3c4cc1e66a6f2c6355ecc38d87d9c81bb2368f4ca07b2a02d2e4923b

Control server:

  • hxxp://ksa-sef[dot]com/Hack%20Mobaile/

The post Android Spyware Targets Security Job Seekers in Saudi Arabia appeared first on McAfee Blogs.

Amazon Gift Card Malware Spreading via SMS
https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/amazon-gift-card-malware-spreading-via-sms/
Tue, 03 Mar 2015 15:50:32 +0000
McAfee Labs recently published its Hacking the Human OS report, which details a number of ways in which cybercriminals rely on victims’ trust in a particular brand or public authority to hand over information or allow their systems to become infected with malicious code. This week, the McAfee Labs team uncovered a new scam leveraging user trust in the Amazon brand.

Amazon is one of the biggest online shopping markets. Recently, the McAfee Labs team found new Android malware spreading via SMS (short message service) masquerading as an Amazon Rewards application. The SMS appears to come from your trusted contacts, such as family or friends whose devices are already infected. Have you received an SMS (as below) offering an Amazon Gift Card from your family or friends by any chance?


The SMS uses a shortened URL and leads users to a malicious website to download malware with the filename AmazonRewards.apk. Then the website attempts to make users rush to download the application by reducing the remaining number of Free Gift Cards—a sneaky tactic!


After installation, “Amazon Rewards” is registered on the Menu.


The malware shows a survey website after it runs. Users might assume they will get an Amazon Gift Card by answering the survey, but that is not the case. The survey and the application offered by the malware are a legitimate advertisement and legitimate applications from the Google Play store. The malware author collects “reward” money when you answer the survey or install the application.


In addition, the malware sends SMS messages like the one above to all listed contacts, including your family and friends. As a result, the malware can spread widely and rapidly, and the malware author will get more money with each infection.

This SMS spreading method via contacts on infected devices will make this threat widespread in the mobile world, as we have already seen in China. So please do not install applications from untrusted sources, especially if they arrive in the form of an unexpected SMS message. Think before you click: If it’s too good to be true, it usually is! Your awareness will help slow the spread of such malware.

McAfee Mobile Security detects this Android threat as Android/Gazon and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.


The post Amazon Gift Card Malware Spreading via SMS appeared first on McAfee Blogs.
