A few weeks ago I discovered, and Julia warned you about, a fake AVAST application that was infecting smartphones. It was hidden behind adult apps and was pretty nasty. Here is some detailed information about it.
First of all, if you look for adult applications (also known as pleasure applications), you can find tons of them. Some apps, especially those offered on unofficial markets, are infected with malware; in the case of the fake AVAST app, it was ransomware. The same scenario commonly plays out: after installation, when you run the application for the first time, you get infected and blocked from using your phone. The app then asks for money to unblock your phone. That's typical ransomware behavior.
The clues are easy to spot
You are looking for an adult application and run across something called AVASTME.NOW. What on earth is going on here, you might think? The fact that an adult app is named after the world's most trusted antivirus might be your first clue that something is wrong. But you install the app, even though it's a pretty weird name for an app designed for adults. Luckily, after the installation you get an icon on your device called Porn Hub, so you start to feel satisfied that you actually got what you were looking for. So let's play it!
But this satisfied feeling does not last forever. After the first few clicks, the application announces that your phone must be checked for viruses. That's the second big clue that something might be wrong: normal applications do not check your phone for viruses. But you don't have any choice, so you continue. That's when you see a fake avast! Mobile Security interface which is almost identical to the original.
Here comes a third clue for sharp-eyed users: all the detections you see on the screen use a different naming format than AVAST. But by now it's already too late to stop the app. In the next step, you are asked to pay $100 to clean up your phone, and your device is locked.
Sloppy, but effective
This ransomware is crudely packed, and it's apparent that the creators tried to do it as quickly as possible. The detection strings have no basis in anything real; it appears they used randomly generated names borrowed from multiple antiviruses, as you can see in the screenshot below. They were even too lazy to clean up unnecessary icons from the package, so you can find a picture of a cat in it (maybe it's the unhappy cat of one of the creators?). Even though the app was sloppily done, the cybercrooks were successful and earned/stole large sums of money.
This is just one example of the many applications out there waiting to steal money from you. It doesn't have to be for adults only; basically any application might be misused against you. That's why everyone should be careful and download applications only from trusted sources. Because malware like this is increasing, it is especially prudent to use some kind of antivirus protection. We suggest (the authentic) avast! Mobile Security, available from the Google Play store. It's free! You never know when you will get something like this, so install it today on your Android device.
Today is unfortunately the last day of the Virus Bulletin 2013 conference, but it has definitely been memorable. Last night, a gala dinner was held that went on into the wee morning hours. During the dinner there was a classic performance from a dancing cabaret group and a delicious meal was served. And, continuing the tradition at VB conferences, after dinner all the participants moved to our avast! Beer Bar to try to push their scores to a higher level.
Today’s speaking line-up was concentrated on sophisticated malware on the Windows platform, online threats, and botnets. The afternoon panel discussion was moderated by Pedram Amini, our new AVAST colleague who joined the team a few weeks ago with the acquisition of Jumpshot. The discussion was about cyberwar and what we as a security industry can do about it.
Finally, the most important information: In the first blog chronicling this event, we mentioned the 7th IT Security Table Football World Championship. I asked you to wish us luck, and now I thank you for that! It definitely helped us a lot! And here are the final results!
1. Gdata – Germany
2. Avast – Czech Republic
3. Microsoft – USA
Hurray, we came in second! From such a big competition, it’s a great success for the avast! Virus Lab team, and one that we hope our colleagues (and our boss) will appreciate. For example, by buying a new football table for our office! To be ready to reclaim the AVAST honor at VB2014, we need to increase our practice time! (Next year, Gdata. Next year…)
We had a second day of VB 2013, and today can definitely be classified as an Android day. Most of the presentations from the first three blocks concentrated on Android threats, potentially unwanted applications and adkits. This sent a strong signal that everyone should take Android security very seriously. Every big antivirus vendor has its own Android security application, but the main point for me personally was that we should cooperate and share information to fight malware effectively.
In the last presentation block of the day, there were two presenters: First was Milos Korenko with his presentation The Best Things in Life are Free. I have to admit that listening to Milos is really inspiring. His high level public speaking abilities combined with the fact that he was speaking about such a good company as Avast made it one of the best presentations of the day.
During Miloš’ speech there were two hidden surprises. First, we announced the winners of the beer competition from Virus Bulletin 2012 held in Dallas. The top three from VB2012 are:
1. Dmitry (McAfee)
2. Jiri Bracek (AVG)
3. Roman Kovac (ESET)
The second surprise was from my colleagues in the avast! Virus Lab, Jaromir Horejsi and Peter Kalnai. Milos finished his speech quite quickly so he could share his free time with our analysts. They presented Are Linux desktop systems threatened by Trojans? Their talk, based on the blog post Hand Of Thief threat published at the end of August, extended it with some thoughts on the real potential for threats against Linux desktops.
The avast! Beer Bar is open again! On the first day of VB2013, we spent an evening socializing with other colleagues. You can check our website for the beer rankings and see which IT security company has the best score.
Virus Bulletin 2013 just started today and our company is participating in many ways! This conference is one of the biggest IT security conferences in the world, one that well-known security companies can't miss. And we are really proud to be there with more than 370 specialists from the security industry. We are a platinum sponsor, we have a few speakers here – but mainly we are the PROUD BEER SPONSORS for all participants.
Here is a quick review of the first day, which was a pretty busy one! In the morning the conference started with a welcome speech from Virus Bulletin editor Helen Martin, and then the technical and corporate streams, represented by many speakers, began. We had one speaker from our company here today: Jindřich Kubec, together with Eric Romang, presenting "Big bang theory of CVE-2012-4792" – a very successful presentation indeed. The main subject was a forensic and detective model that describes the early development of the watering hole campaign that was mostly active from Dec. 2012 to Jan. 2013, prominently targeting energy industries, governments, non-profit organizations and human rights websites. After the initial targeted attack, the vulnerability cooled sufficiently to allow its integration into various private or public exploit kits. They also dug into the past and showed that there had clearly been a connection with the previous Sept. 2012 watering hole attacks on industrial websites, and also with watering hole attacks through Twitter in May 2012. The earliest phases of the vulnerability, like the Big Bang, are subject to much speculation; they tried to observe the most distant things a security researcher can see. The timeline of the attacks, together with the disclosure, detection and publication dates, was shown. The code structure and its changes were also analyzed, including the binary payloads – e.g. remote access tools.
I should also mention that there is an international IT security table football championship. And so far we have been successful! In the morning we won the first match against Sophos 6:1, 6:2 and second against Norman 6:0, 6:0. So cross your fingers and wish us luck for the next rounds. Stay tuned, we will definitely share more information in the next two days!
Yes! What a lucky day! I’ve just got a message that I won 2,000,000.00 British Pounds (2.4M EUR/3.1M USD), an Apple laptop, a T-shirt, and a cap emblazoned with a logo of The Free Lotto Company. Pretty awesome you might think, but appearances are deceptive. Unfortunately, this is just one of the ways bad guys try to get some of our money.
Well, I was thinking, it's worth a shot. So I decided to write to the email address and see what would happen. Actually, the hardest part was making up a fake name for myself! You would never believe how rough this might be. In the end, I decided to call myself Robert Konmed.
Here’s how the conversation went down.
Me: Hello, I’ve got a winning message with information to contact your email address. How can I pick up my prize please? Thank you, Robert Konmed
Bad guys: Please find attached document for info to contact courier delivery company: EMAIL:firstname.lastname@example.org Regards Brian Calton
Me: Hello guys, I'm really excited about the winning prize. But would it be possible to tell me how much I should prepare for the delivery company? And also I'm curious if there is a possibility to charge the delivery to my winning prize? Thank you & have a nice day! Best regards! Robert Konmed
It has been two or three months since I last blogged about Android malware. But that definitely doesn't mean there aren't any new threats. There are plenty! Here are two quick comparisons from the last two years: the growth of the malware problem on the platform from January 2012 to January 2013 is far from the 'normal' growth of other platforms. According to our statistics, it's something around +850 percent! Add another year for an even more insane comparison – the growth from January 2011 to January 2013 gives us +3150 percent! The Android platform is definitely one of the most targeted malware platforms these days. But no worries, users of avast! Free Mobile Security are safe.
Lots of smartphone users are still unaware of the actual risks arising from the use of smartphones based on open operating systems, and they have a tendency to underestimate their security risks. Be honest, how many of you check whether an application you install on your phone comes from a trusted source? Do you check which permissions the application has? How many of you install applications that have "cool icons" and don't check anything else?
I've asked a few people these questions, and was totally surprised by their answers! Even IT geeks don't read the permissions of applications; they just click and install whatever they find. What's WORSE is that most of them think they are secure without any security application.
Do you remember my last article? We identified something very similar, also coming from blog and upload services such as 4shared. It’s really strange how many hijacked and infected applications are offered through those services.
One month ago, I pointed out a really nasty malware that pretends to be a Google Play app. I looked into what the creators of that malware have been doing for the last month. They definitely haven’t been lazy.
Over the last two weeks, we saw more mutations of similar malware with similar behavior: it sends numerous paid SMS messages to premium numbers without the user being aware of it. They try to pretend to be some kind of wanted application, but you obviously don't want that.
These malware samples hide under legitimate-sounding names like Flash Player, Talking Tom Cat, Kaspersky Lite, etc. But many of the apps have something in common: the package name is the same in hundreds of them. Don't worry, all of them are detected.
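Two of the habits this post asks for, checking what permissions an app requests before installing it and noticing when one package name keeps turning up under unrelated app labels, can be automated over decoded manifests. The following is an added example, not code from the post or from AVAST: it parses minimal AndroidManifest.xml documents, flags apps that request permissions that can cost the owner money (SEND_SMS, CALL_PHONE), and clusters apps by package name so that a package shared by several different labels stands out. The app labels are the ones named above; the package name `com.example.fakepkg`, the manifest contents and the `com.example.notes` control app are constructed placeholders, since the post does not give the real package name.

```python
# Added example (not from the post): two of the checks the post recommends,
# run over constructed manifest data. Real APKs are zipped and carry a
# binary-encoded manifest; this assumes it has already been decoded to XML.
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions that let an app spend the owner's money over the mobile network.
COSTLY_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}


def manifest(package, label, perms):
    """Build a minimal decoded AndroidManifest.xml string (constructed sample)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f'{uses}<application android:label="{label}"/></manifest>')


def parse_manifest(xml_text):
    """Return (package, label, permissions) from decoded manifest XML."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    label = app.get(f"{{{ANDROID_NS}}}label", "") if app is not None else ""
    perms = {p.get(f"{{{ANDROID_NS}}}name") for p in root.findall("uses-permission")}
    return root.get("package"), label, perms


def costly_permissions(perms):
    """Permissions a user should question before installing (sorted for stable output)."""
    return sorted(perms & COSTLY_PERMISSIONS)


def find_reused_packages(apps, min_labels=3):
    """Package names that appear under at least min_labels distinct app labels."""
    labels_by_pkg = defaultdict(set)
    for package, label, _ in apps:
        labels_by_pkg[package].add(label)
    return {pkg: sorted(labels) for pkg, labels in labels_by_pkg.items()
            if len(labels) >= min_labels}


def triage(manifests, min_labels=3):
    """Return (package, label, reasons) for every app that looks suspicious."""
    apps = [parse_manifest(m) for m in manifests]
    reused = find_reused_packages(apps, min_labels)
    findings = []
    for package, label, perms in apps:
        reasons = []
        if package in reused:
            reasons.append(f"package name shared by {len(reused[package])} different labels")
        costly = costly_permissions(perms)
        if costly:
            reasons.append("requests " + ", ".join(costly))
        if reasons:
            findings.append((package, label, reasons))
    return findings


# Constructed samples: the labels come from the post; the package name
# "com.example.fakepkg" is a placeholder, as is the harmless "Notes" control app.
SAMPLES = [
    manifest("com.example.fakepkg", "Flash Player",
             ["android.permission.SEND_SMS", "android.permission.INTERNET"]),
    manifest("com.example.fakepkg", "Talking Tom Cat",
             ["android.permission.SEND_SMS"]),
    manifest("com.example.fakepkg", "Kaspersky Lite",
             ["android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"]),
    manifest("com.example.notes", "Notes",
             ["android.permission.INTERNET"]),
]

if __name__ == "__main__":
    for package, label, reasons in triage(SAMPLES):
        print(f"{label!r} ({package}): " + "; ".join(reasons))
```

Run as a script it lists the three disguised samples with both reasons and stays silent about the control app. A single app requesting SEND_SMS is not proof of anything (messaging apps need it), which is why the package-reuse signal is kept separate: a label-to-package mismatch repeated across many samples is the pattern the post describes, and the two findings together are what an analyst would want to see before deciding.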
My phone is infected! What can I do?
This leads me to the most important point of this blog post. For those who still believe they are fine without antivirus protection on their smartphone, there are a few steps to follow when you realize your phone is acting strangely.
1) Switch off GSM module or take out your SIM card immediately. (This should disconnect your phone from the mobile network and prevent losing your money.)
2) Restore your phone to its factory settings. (The malware should be removed, along with all your data.)
3) Put your SIM card back, and you can use your phone again.
Is there a safer and easier way to protect my smartphone?
Luckily, yes. Most of the malware we encounter comes from untrusted sources. People often type the name of a wanted application into their browser and just click on the first URL that comes up. That practice is, of course, really dangerous. The viruses mentioned above come from file sharing servers such as 4shared.com, filestube.com, rapidshare.com, fake blogs, or fake Android stores. Those file sharing servers are suspicious sources and one should not download applications from there. Even on Google Play you can find a dangerous application once in a while, so you should be cautious even when you look for applications there!
Here's a quick example. When you search for popular games, for example "Asphalt 6 adrenaline скачать бесплатно" ("free download" in Russian), on one of the top pages on Google you will find a pretty nasty blog full of repacked games, each with a small gift in the form of malware.
My recommendation is to use an antivirus program on your phone – for example, avast! Free Mobile Security – and download applications from less dangerous sources – for example, Google Play, Amazon.com, etc.
Traditionally, Avast! organizes a Christmas party for employees and their closest ones. This year it was held in the Hard Rock Cafe in downtown Prague and we really enjoyed it. Avast! arranged live music by Queenie, a Queen cover band. And we have to admit, these guys were great! Even Freddie Mercury would have been satisfied with their performance. But Avast! also caters to our youngest ones. Last week we had Saint Nicholas' Day in our offices in Prague. There were almost fifty kids, a clown, Saint Nicholas, an angel and a devil. I believe you can imagine what our offices looked like during this event. We decided to share these few precious moments with you, so you can feel the atmosphere. Hopefully you will enjoy it as much as we did.
Android is one of the fastest growing platforms in the world. In the second quarter of this year there were more than 300 million active Android devices. The increase is almost 900,000 new devices per day and still rising. These days Android occupies more than 60% of the mobile device market! By the way, there are around 300,000 newborn children a day all around the world, and this number constantly decreases.
Hand in hand with this trend goes the rise of applications and viruses for this platform. In the past week we noticed one of them that was especially tricky. At first look, it tries to act like a regular Google Play application, but that's just an illusion. It is a fake application which not only downloads other fraudulent applications, but is also able to send premium text messages without the user's knowledge.
After the installation it replaces the original Google Play from the menu and just waits for a first start from the user.
Immediately after the first start you are asked to update the program, and there your troubles continue: "Critical update, install new version, click the continue".
After this step, another nasty download from this link shows up:
After the installation of the second application, your phone turns into a money sucking machine. Without your knowledge it starts sending premium messages to paid numbers. Luckily we caught this threat, and Avast! detects both samples as Android:OpFake-BV.
This file is easily accessible from more than thirty malware pages, which are made to resemble various markets and download pages! But no worries, Avast! users are protected even if you accidentally visit these pages.
The VB 2011 programme provided an excellent amount of information from the security industry over the last three days, packed in an interesting and humorous way. Here are some more pictures from the conference to convey the atmosphere, and we are looking forward to the next conference!