Ladies with few clothes tend to cause a lot of trouble on PCs – and now on Android devices too

Cross-posted from Securelist

The appearance of a new Android malware family is not surprising at all today, especially when it comes to SMS Trojans, which are among the oldest and most popular types of threat created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago, but we have already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target users only in Poland.

Spreading

Trojan-SMS.AndroidOS.Vidro is spread via porn sites. The mechanism is very similar to the way the very first Android malware (Trojan-SMS.AndroidOS.FakePlayer) spread. If the user visits a porn site with a desktop browser he will see something similar to this:

[Screenshot: the porn site as seen from a desktop browser]

But if the potential victim somehow visits the same website using an Android device, a porn web site will be ‘optimized’ for the smartphone:

[Screenshot: the same site ‘optimized’ for an Android device]

After clicking on the ‘Watch Now’ link, the user is redirected to a web site called ‘Vid4Droid’ (vid4droid.com), which invites the victim to download ‘The new Sexvideo App’:

[Screenshot: the Vid4Droid page offering ‘The new Sexvideo App’]

A click on the ‘Install’ button redirects the victim to a page that starts the download automatically and contains instructions on ‘how-to-install-our-super-porno-app’, with a reminder to allow installation of applications from unknown sources:

[Screenshot: the installation instructions page]

Vidro description

After the installation of Vidro the following icon can be found in the main menu:

[Screenshot: the Vidro icon in the main menu]

If the victim launches the malware, the first thing he sees is a dialog box inviting him to agree to the terms and conditions.

[Screenshot: the ‘terms and conditions’ dialog]

But the ‘funny’ fact is that there is no EULA and no terms and conditions anywhere in the app. In other words, even if such conditions exist, there is no way to read them. After clicking ‘Yes’, an SMS message is sent to a premium rate number. The premium rate number is 72908 (Polish) and the SMS text is PAY {unique sequence of digits and letters}. Each message costs 2 zł (about 0.5 euro). We will discuss the SMS text later. Messages are sent every 24 hours. All the data required for sending the expensive SMS is stored in the configuration file ‘setting.json’.

Vidro is also able to hide incoming SMS messages from specific numbers. We have already seen such functionality in Trojans like Foncy and Mania.

Besides sending expensive messages Vidro is able to:

  • Update the configuration file (which might contain a new premium rate number and SMS text) and update itself. When connecting to the remote server the malware uses its own User-Agent string: “Mozilla/5.0 (Linux; U; {app_id}; {android_version}; de-ch; Vid4Droid) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30”.
  • Upload information about itself and the infected device to a remote server.
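The two network-visible indicators in the description above, the download host and the unusual User-Agent (whose ‘de-ch’ locale and ‘Vid4Droid’ token are hard-coded, while the app id and Android version vary per device), are enough for a simple proxy-log scanner. The Python below is an added example written for this page, not code from the Securelist post or from the malware itself; the log line format, the client addresses, the app id ‘com.example.app’ and the 198.51.100.7 configuration server are assumptions made for the sample.

```python
import re

# Indicators from the Vidro write-up: the Trojan's own User-Agent template
# (app id and Android version vary per device) and the hosts involved in
# delivery. The log format, client addresses, the app id "com.example.app"
# and the 198.51.100.7 server below are constructed for this example.
VIDRO_UA_RE = re.compile(
    r"^Mozilla/5\.0 \(Linux; U; [^;]+; [^;]+; de-ch; Vid4Droid\) "
    r"AppleWebKit/534\.30 \(KHTML, like Gecko\) Version/4\.0 Mobile Safari/534\.30$"
)
VIDRO_HOSTS = {"vid4droid.com", "exgftube.mobi"}

# Assumed proxy log line: <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def host_of(url):
    """Return the lower-cased host of an absolute URL, or '' if there is none."""
    m = re.match(r"^[a-z][a-z0-9+.\-]*://([^/?#:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_vidro_host(host):
    """True for a known delivery host or any real subdomain of it."""
    return any(host == h or host.endswith("." + h) for h in VIDRO_HOSTS)


def scan(lines):
    """Return one record per log line that matches a Vidro indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line; a real deployment would count these
        reasons = []
        if VIDRO_UA_RE.match(m["ua"]):
            reasons.append("vidro-user-agent")
        host = host_of(m["url"])
        if is_vidro_host(host):
            reasons.append("vidro-host")
        if reasons:
            hits.append({"client": m["client"], "host": host,
                         "url": m["url"], "reasons": reasons})
    return hits


# Constructed sample: the APK download, a config fetch carrying the Trojan's
# User-Agent, and a benign Swiss-German browser that must not trigger.
SAMPLE_LOG = [
    '2012-08-01T10:00:01Z 10.0.0.5 GET http://vid4droid.com/vid4droid.apk 200 '
    '"Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; GT-I9100 Build/GINGERBREAD) '
    'AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"',
    '2012-08-01T10:05:42Z 10.0.0.5 GET http://198.51.100.7/setting.json 200 '
    '"Mozilla/5.0 (Linux; U; com.example.app; 2.3.4; de-ch; Vid4Droid) '
    'AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
    '2012-08-01T10:06:00Z 10.0.0.9 GET http://www.example.com/ 200 '
    '"Mozilla/5.0 (Linux; U; Android 4.0.4; de-ch; GT-I9300 Build/IMM76D) '
    'AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["host"] or hit["url"], ",".join(hit["reasons"]))
```

The ‘de-ch’ locale on its own is not an indicator: the third sample line is a legitimate Swiss-German browser and is left alone. Because a configuration update can change the hosts and the premium number, the User-Agent template is the more durable of the two indicators.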

Content provider and affiliate network

If you google ‘72908’ (the premium rate number used by Vidro) you can find a Polish forum thread with complaints about this number.

[Screenshot: the Polish forum thread about number 72908]

Rough translation:

“How to remove ‘carmunity’ from 72908 number? Help me.”

“It’s probably some kind of virus, this SMS goes out from the phone, it’s better to disable it with your GSM provider, both outgoing and incoming.”

“I want to disable.”

Let’s take a deeper look at the malicious vid4droid.com domain. According to Robtex this domain is served by two name servers at carmunity.de, and the vid4droid.com mail server is handled at tecmedia.eu.

[Screenshot: Robtex records for vid4droid.com]

There are a number of hosts (like ‘sex-goes-mobile.biz’, ‘sexgoesmobile.biz’, ‘sexgoesmobil.com’ and similar) which share both name servers and mail servers with this domain. And if you visit one of these hosts you will be redirected to the web site sexgoesmobile.com.

Carmunity

Carmunity is a German content and service provider company, whose “portfolio offers an array of creative and technical solutions, enabling businesses to generate and apply their own portals in the mobile internet”. This quote was copied from the English version of their web site (carmunity.de).

[Screenshot: main page of the Carmunity web site]

The contact information gives the physical address of this company: according to it, Carmunity is located at Mary-Astell-Str. 2, Bremen. If you google this address you can find that another German company, Displayboy, has the same physical address. What do we know about this organization? Well, here are some quotes from its web site displayboy.com (no German version, only English):

“Welcome to DisplayBoy – the leading provider for adult affiliate marketing in the mobile Internet.”

“Right now, between 5%-10% adult website users are surfing sites with mobile phones. With Displayboy you can convert your existing mobile traffic in a snap. It’s easy, simple and reliable.”

[Screenshot: the Displayboy web site]

Do Carmunity and Displayboy have something in common? I think so 🙂 At the very least, both companies specialize in the monetization of mobile traffic.

SexGoesMobile

As mentioned above, a number of hosts share name servers and mail servers with the vid4droid.com domain, and if you try to visit one of them you will be redirected to sexgoesmobile.com. Here is part of the main page of this web site:

[Screenshot: main page of sexgoesmobile.com]

Yes, it’s an affiliate network created for monetizing mobile adult traffic. And there are some curious things inside. Let’s see what’s going on there.

Many mobile affiliate networks (Russian ones at least) provide full access to various so-called ‘promotional tools’ to all participants. The SexGoesMobile affiliate network also offers various ‘promotional tools’. For example, you can create a mobile pay site using one of the existing templates:

[Screenshot: mobile pay-site templates offered to affiliates]

Each template has its own domain name, and each affiliate who participates in SexGoesMobile has an ID. After choosing a template the affiliate is able to choose the target audience (‘mobile’ or ‘desktop’):

[Screenshot: choosing the target audience]

And finally an affiliate is able to generate a unique URL with his ID:

[Screenshot: the generated affiliate URL]

If the potential victim clicks on this unique link he is redirected to the web site exgftube.mobi, which contains fake video thumbnails. By clicking on one of these thumbnails the user is redirected to the vid4droid.com web site, where he is invited to download the vid4droid.apk file (Trojan-SMS.AndroidOS.Vidro). Do you remember the format of the SMS text in this malware? PAY {unique sequence of digits and letters}. This unique sequence of digits and letters is generated on the remote malicious server based on the referrer (the unique URL carrying the ID of the affiliate). In other words, each affiliate ‘has’ his own SMS Trojan with a unique SMS text, which is what lets the premium SMS revenue be attributed to the affiliate who delivered the victim.

Conclusion

The mobile malware industry and mobile malware services continue to evolve. A couple of years ago mobile affiliate networks were mostly Russian. Now we see these affiliate networks appearing in other countries. Unfortunately, such networks have already become pretty effective and are an easy way to spread mobile malware and earn money illegally. And the ‘migration’ of affiliate networks will lead to new infections and huge financial losses not only in Russia but in other countries as well.

Trojan "made in Germany" spies in Bahrain

h-Online: Citizen Lab has released a detailed analysis of the activities of a trojan, in which the experts conclude that the malware is most likely closely related to FinFisher, a commercial spyware tool developed by a company called Gamma International. The trojan targeted political activists in Bahrain and arrived in emails with sender names such as that of an Al Jazeera correspondent and subject lines like “Torture reports on Rabil Najaab”.

The attached .exe file, disguised as an image, disabled anti-virus software and installed a complete set of spyware programs on the recipient’s PC. The spyware then monitored, among other things, the victim’s Skype communications, including conversations and file transfers. An analysis of the infected systems’ working memory repeatedly turned up the “finspy” character string, a name Gamma uses to advertise FinFisher modules.

[Screenshot: the trojan even displayed images while launching its background activities. Source: Citizen Lab]

The researchers say that the malware used a very special .exe packer whose signature was also recognised in another malware sample that is thought to be a demo version of the trojan. The malware communicated with servers such as tiger.gamma-international.de, whose domain is registered with Gamma International GmbH in Germany. Although the producers of FinFisher, Gamma International Ltd, officially operate from the UK, there is significant evidence that the software is being developed in Germany. The FinFisher surveillance tool has repeatedly attracted attention in connection with the monitoring of political activists by government agencies. Gamma International recently received a Big Brother Award for its activities.

http://h-online.com/-1652750

Fake Facebook Photo Notifications Contain Malware

Mashable: Sophos’s NakedSecurity blog outlined the threat on Wednesday. The company’s SophosLabs intercepted a “spammed-out email campaign” which was designed to spread malware. Sophos provided the following example:

[Screenshot: the fake Facebook photo notification email]

The blog notes that the sender address above misspells “Facebook” as “Faceboook.” The link takes the user to a page carrying a malicious iFrame, which exposes the user’s computer to malware. However, within four seconds, the user’s browser is redirected to a presumably innocent Facebook page like the one below, which acts as a smokescreen.

[Screenshot: the Facebook page the victim is redirected to]

The lab recommends checking the ‘Facebook’ sender address in such emails closely and hovering your mouse over the link, at which point you should see that it does not go to a Facebook page.
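Both checks the lab recommends, looking at the sender address and looking at where the link really goes, can be automated. The Python below is an added example written for this page, not Sophos’s code: it parses a message, flags a sender domain that is not facebook.com (and notes when it is within two edits of it, as ‘faceboook.com’ is), and lists every link whose host is neither facebook.com nor a real subdomain of it. The sample message, its addresses and its links are constructed for the example and are not the campaign’s actual email.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect every <a href> in an HTML body: the automated form of
    'hover over the link and look where it really goes'."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def edit_distance(a, b):
    """Levenshtein distance; used to spot 'faceboook.com'-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def same_site(host, domain):
    """True only for the domain itself or a real subdomain of it;
    'facebook.com.photos-tag.example' is NOT a subdomain of facebook.com."""
    return host == domain or host.endswith("." + domain)


def analyze(raw_message, expected_domain):
    """Check sender domain and every HTML link against the expected domain."""
    msg = email.message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""

    html = ""
    for part in msg.walk():  # a non-multipart message yields itself
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html += payload.decode(part.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(html)

    suspicious = [h for h in collector.hrefs
                  if not same_site((urlsplit(h).hostname or "").lower(), expected_domain)]
    sender_ok = same_site(sender_domain, expected_domain)
    lookalike = not sender_ok and 0 < edit_distance(sender_domain, expected_domain) <= 2
    return {"sender_domain": sender_domain, "sender_ok": sender_ok,
            "lookalike_sender": lookalike, "suspicious_links": suspicious}


# Constructed message modelled on the campaign described above, not the
# actual sample from the Sophos post. 203.0.113.9 is a documentation address.
SAMPLE_EMAIL = """From: "Facebook" <notification+kjdm-mvd0@faceboook.com>
To: victim@example.org
Subject: You have been tagged in a photo
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A friend tagged you in a photo. <a href="http://203.0.113.9/photo.php?id=17">View photo</a></p>
<p>Or see it at <a href="http://www.facebook.com.photos-tag.example/view">your photos</a>.</p>
<p><a href="https://www.facebook.com/help">Help Centre</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL, "facebook.com"))
```

The second sample link shows why the suffix test matters: a host that merely begins with ‘www.facebook.com.’ passes a casual glance but is not a Facebook subdomain, so it is reported alongside the bare IP address. The legitimate help link is the only one left unflagged.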


Madi Malware: Another Trojan Targets Organizations from the Middle East [Updated]

This article is copied from Softpedia:

Researchers from Symantec, Kaspersky and Seculert have all come across Madi (Madhi), a relatively new piece of malware that mainly targets organizations from the Middle East.

Before we take a look at Madi and compare it to other infamous Trojans such as Stuxnet, Duqu, or Flame, let’s take a quick look at its name.

According to Wikipedia, Mahdi is considered to be the redeemer of Islam who will rid the world of tyranny, injustice and wrongdoings.

So, will this malware be able to rule for seven, nine or nineteen years before the Day of Judgment as some prophecies say? Let’s see what the experts believe.

First observed in December 2011, Madi has mainly targeted computer systems from Iran, Israel, Saudi Arabia and Afghanistan, but also from other parts of the globe such as United States, New Zealand and Greece.

The organizations attacked with the aid of the Trojan include government agencies, financial houses, critical infrastructure engineering firms, oil companies, and think tanks.

After it’s installed on a device, Madi is able to take screenshots, record audio, retrieve disk structures, delete data, and update the backdoor. As expected, it also has keylogging functionality that allows it to collect all sorts of sensitive data.

While the locations of the targets indicate that this may be a state-sponsored campaign, other evidence found by Symantec leads researchers to believe that the attacks may actually be conducted by a “Farsi-speaking hacker with a broad agenda.”

However, there is something far more interesting about this Trojan. Unlike Flame, Duqu or Stuxnet, which leveraged zero-day exploits and other advanced techniques, Madi relies mainly on social engineering to infect machines.

The attacks start with enticing content such as news articles, religious images, controversial videos, and PowerPoint presentations that unleash the nasty Trojan.

So far, experts have identified around 800 victims, communicating with four command and control servers.

Update 1: Iran: If the Madi cyber-strike was us it would’ve been another Stuxnet

Iran replied: “If this was a product of Iran it would be professional and at least as advanced as Stuxnet and Flame,” an English language editorial carried by the semi-official FARS news agency said.

‘Botnet’ sends out spam as malware spreads on Android phones: researcher

Malware has been spreading on Android mobile phones that takes control of certain email accounts to create a “botnet” to send out spam, a security researcher says.

Microsoft security engineer Terry Zink says the malware has infected phones and is using their owners’ Yahoo email accounts to send out spam messages.

“We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices,” Zink said in a blog post on Tuesday.

“These devices log in to the user’s Yahoo Mail account and send spam.”

He said the phones appear to be located in Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine and Venezuela.

“I’ve written in the past that Android has the most malware compared to other smartphone platforms, but your odds of downloading and installing a malicious Android app is pretty low if you get it from the Android Marketplace,” he said.

“But if you get it from some guy in a back alley on the internet, the odds go way up.”

He said users in the developed world “usually have better security practices and fewer malware infections than users in the developing world”.

“I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for,” Zink said.

“Either that or they acquired a rogue Yahoo Mail app.”

A report earlier this year by the security firm AV-Test found that some Android apps downloaded malicious code after installation, and said this is more common on Google’s Android than in the Apple ecosystem, which has stricter security policies.

Google has a security system known as Bouncer to scan for malware but some experts recommend additional protection for phones using the platform.

Source smh.com.au

Fake Skype app on Android is malware

ZDNet Wrote:

A new piece of malware is trying to take advantage of Skype’s increasing popularity, especially on mobile devices. Cybercriminals have created a fake version of the Skype for Android app, designed to earn money from unsuspecting users. Trend Micro, which first discovered the malware, is calling this particular threat JAVA_SMSSEND.AB.

The Java in the name should not surprise you: Android apps are written in Java, although they are compiled to Dalvik bytecode rather than shipped as Java ME MIDlets. Thankfully, this is not a very good fake. The app in question only runs on older Symbian phones that predate the SIS installer, or on Android devices that have a third-party Java MIDlet runtime installed.

The cybercriminals behind this scheme have set up fake websites advertising fake Skype apps. Most of the sites are hosted on Russian domains (.ru) but the fake apps themselves are hosted on Nigerien domains (.ne).

The reason this is not a good fake is that instead of an .apk file (the expected package format for Android apps), users are served a .jar (Java MIDlet). While the app poses as an installer for Skype, what it really does is install a piece of malware. The devil is in the details: in the background, the malicious app sends expensive international text messages to earn its creators revenue.

Android lets you download and install apps from anywhere. If you want the official version of an app, however, get it from the official Google Play store. Here is the official Skype link: play.google.com/store/apps/details?id=com.skype.raider.

Important: Today is your last chance to keep your internet connection


Tomorrow, July 9th, the FBI will shut down the temporary DNS servers that have been keeping computers infected with the DNSChanger malware on the Internet. Any machine still configured to use those servers will lose name resolution at that point.

If you want to make sure your internet connection keeps working, act today and check whether your computer is infected by DNSChanger. Here is a very easy to use tool: Tool available for those affected by the DNS-Changer
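For anyone who would rather check offline, the script below is an added example written for this page (it is not the tool linked above): it compares the resolvers a machine is configured with against the rogue DNS address ranges the FBI published for DNSChanger, reading either a Unix /etc/resolv.conf or pasted output of ipconfig /all on Windows. The two sample configurations are constructed.

```python
import ipaddress
import os
import re

# Rogue resolver ranges the FBI published for DNSChanger. After the
# November 2011 takedown these addresses were answered by court-ordered
# clean servers; those go dark on July 9, 2012, so any machine still
# pointing at them loses name resolution.
ROGUE_DNS_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]


def is_rogue_resolver(ip):
    """True if the address falls inside one of the published rogue ranges."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # not an IP literal (e.g. a hostname); cannot be matched
    return any(addr in net for net in ROGUE_DNS_RANGES)


def resolvers_in(text):
    """Extract resolver addresses from resolv.conf text ('nameserver X') or
    from 'ipconfig /all' output ('DNS Servers . . . : X', with additional
    servers on indented continuation lines)."""
    found = []
    in_dns_block = False
    for line in text.splitlines():
        m = re.match(r"^\s*nameserver\s+(\S+)", line)
        if m:
            found.append(m.group(1))
            continue
        m = re.match(r"^\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            found.append(m.group(1))
            in_dns_block = True
            continue
        m = re.match(r"^\s+(\S+)\s*$", line)  # lone indented value
        if in_dns_block and m:
            found.append(m.group(1))
            continue
        in_dns_block = False
    return found


def rogue_resolvers_in(text):
    """The configured resolvers that sit inside the rogue ranges."""
    return [ip for ip in resolvers_in(text) if is_rogue_resolver(ip)]


# Constructed samples (not real configurations).
SAMPLE_RESOLV_CONF = """# /etc/resolv.conf
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   DNS Servers . . . . . . . . . . . : 93.188.160.2
                                       67.210.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf") as f:
            text = f.read()
    else:
        text = SAMPLE_RESOLV_CONF  # on Windows, paste 'ipconfig /all' output here
    bad = rogue_resolvers_in(text)
    print("rogue resolvers:", bad if bad else "none")
```

A hit means the machine (or the home router handing out DNS via DHCP) is still pointing at the DNSChanger addresses; the fix is to clean the infection and restore the ISP’s resolvers, and to check the router’s DNS settings as well, since the malware also rewrote those where it could.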

LinkedIn spam, exploits and Zeus: a deadly combination ?

Is this the perfect recipe for a cybercriminal ?:

  1. Hacking LinkedIn’s password (and possibly user-) database.
  2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
  3. A user unwittingly clicking on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. User’s computer is now a zombie (part of a botnet).

I would definitely say YES.
A reader of my blog contacted me today: he had received an email from LinkedIn which looked phishy. We can verify that Step 1 is accomplished by the simple fact that the “To” and/or “CC” field of the email below contains about ~100 email addresses. A quick look-up of a few of them on LinkedIn reveals the inconvenient truth…
Here’s the email in question:

[Screenshot: the phishing email]

Subjects of this email might be:
“Relationship LinkedIn Mail‏”, “Communication LinkedIn Mail‏”, “Link LinkedIn Mail” or “Urgent LinkedIn Mail‏”. No doubt the subjects of this email will vary, and are not limited to these four.
Steps 1 and 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links, which brings us to point 3.
Suppose someone clicks on the link. What will happen exactly? This depends on the versions of the following programs that may be installed on your computer:

  • Adobe Reader
  • Java

In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens. In unfortunate cases, the exploit will begin doing its work. As said before, a mix of Adobe and Java exploits is used.
In this case, we will review the specific Adobe exploit and check with Process Explorer what exactly is happening:

[Screenshot: Process Explorer view of the exploit in action]

Continue Reading here: http://bartblaze.blogspot.com/2012/06/linkedin-spam-exploits-and-zeus-deadly.html

Microsoft revokes certificates used to sign the Flame trojan

Avira TechBlog Wrote:

Microsoft released Security Advisory 2718704, which revokes certificates that apparently were used to sign the Flame trojan.

In a blog post, Microsoft explains how they discovered that some components of the malware were signed with certificates that allow software to appear as if it was produced by Microsoft. The certificates, issued by the Terminal Services licensing certification authority and intended only for license server verification, were also usable for signing code, making it look as if that code originated from Microsoft.

We highly recommend that all users apply this update immediately.

Read the post here: http://techblog.avira.com/2012/06/04/microsoft-revokes-certificates-used-to-sign-the-flame-trojan/en/

To Install this update visit http://update.microsoft.com/microsoftupdate

Automated Skype calls and Fake Antiviruses

This is an old story from September 2011, but since I have recently seen users complaining about this, I want to share it again [Credit to NakedSecurity, SophosLabs]:

You may have received an automated call from a user claiming to be from Skype or elsewhere, which says:

“Attention: this is an automated computer system alert. Your computer protection service is not active. To activate computer protection, and repair your computer, go to [LINK]”

Indeed, that is a scam: visiting the link leads to infection with a Fake Antivirus (scareware). The web site claims that you are not properly protected and urges you to install its software (a steal at $19.95).

[Screenshots: the fake antivirus web site]

To stop such calls in the future you can set your privacy options to only allow calls from your contacts:

[Screenshot: Skype privacy options]

The original post also embeds a video showing an example of these calls.