The World Cup in Brazil is just two weeks away. Are you in the soccer spirit? The AVAST mobile malware team and I have tournament fever and have been downloading games and other soccer-related apps from the Google Play store. We unfortunately noticed that some of the fun apps we downloaded weren’t as entertaining as we thought they would be…
AVAST detects fake soccer gaming app: Android:FakeViSport
Some of the Android gaming apps we downloaded primarily displayed ads instead of letting us play. Let me just point out a few of many. We were unable to play Corner Kick World Cup 2014 at all because it displayed nothing but a white screen, with ads popping up now and then. This app struck me as odd from the get-go. When I checked the size of the app I noticed it was really tiny, less than 1MB. What kind of game can you expect from an app this size?! What is even more interesting is that the game is made by a developer called VinoSports. If you check the rest of his apps offered on Google Play they are all the same – just blank applications stuffed with advertisements.
This is unfortunately a quite common and sneaky way for developers to make some money. With applications like this, the only people who benefit are the developers. They may get some money if you actually click on the ads their apps display. We decided to block apps from VinoSports. From now on, they will be detected as Android:FakeViSport. They are fake applications in that they pretend to be something desirable, but they aren’t.
Some apps are in the gray zone
The second app I would like to mention is Fifa 2014 Free – World Cup. The app comes from a pretty big developer, “Top Game Kingdom LLC”, who has plenty of apps on Google Play and other stores. This, however, does not mean the app should be trusted. Fifa 2014 Free – World Cup can be considered, at the very least, suspicious.
As for the app Football World Cup 14: the application’s installation package name doesn’t have anything to do with the name of the app itself. The app is called Football World Cup 14, yet its installation package is called “com.topgame.widereceiverfree”. Football World Cup 14, also known as “Widereceiverfree”, requests access to information that has nothing to do with the app’s function, like location, call log, and other accounts on the phone.
Weirdly enough, the Football World Cup 14’s developer has even more applications on the market, and most of them behave similarly. They pretend to be something different than what they really are. In the end you might get something that can be considered a game, a game with plenty of obstacles such as and with permissions that could easily misuse personal information.
Apps that display ads are not necessarily malicious. Plenty of apps, especially free apps, are funded by ads. They can, however, be annoying, particularly when they don’t go away and prevent you from using the app itself. Apps that access more information from your phone than they need to function seem harmless, especially since there is no visible evidence of this happening, but they can cause more harm than you may think.
We recommend that you take a closer look at the apps you download during tournament time, be it gaming apps, live streaming apps or apps that allow you to bet on your national team, to make sure you stay safe and as ad-free as possible!
Things to look out for when downloading apps:
- Make sure you download from official app markets. Many of our mobile malware samples come from unofficial app markets; only very few come from the official Google Play store.
- Download official apps you can trust. Google Play is an open and developer-friendly platform, which is why it contains a plethora of apps. We totally understand why people are sometimes overwhelmed with all the apps they can choose from; we found over 125 vuvuzela apps on Play! We recommend users play it safe and download official apps from developers they can trust. Trusted developers appreciate their users, meaning they want to provide them with a quality product, not one that is flooded with apps. FIFA has a great live score/news app and EA Sports has an official FIFA gaming app.
- Compare app functionalities to the access they request. Some apps need access to certain data on your device: a map app needs access to your location so it can give you directions. App access requests start becoming suspicious when, for example, your vuvuzela app wants access to your location. Unless your new vuvuzela app uses your location to determine what country you are in to then play your country’s national anthem, why does it need to know your location? Always be cautious when giving apps access and make sure the requests make sense depending on what the app does. You don’t want to carelessly hand over sensitive information that could later be used against you.
- Read user comments. You can’t always trust what people write online, but if multiple people really appreciate or dislike an app you can get a good idea of whether or not you should download it based on the feedback they give.
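The permission comparison from the list above, together with the package-name mismatch described earlier for Football World Cup 14, can be checked mechanically. This is an added example, not code from AVAST: it assumes the manifest has already been decoded to text XML, and the per-category allowlist, the permission strings in the sample manifest and the function name audit_manifest are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed reviewer policy: what each kind of app plausibly needs.
EXPECTED = {
    "game": {P + "INTERNET", P + "ACCESS_NETWORK_STATE", P + "VIBRATE"},
    "camera": {P + "CAMERA", P + "WRITE_EXTERNAL_STORAGE"},
    "maps": {P + "INTERNET", P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
}

# Permissions that expose personal data and deserve a second look.
SENSITIVE = {P + n for n in (
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_CALL_LOG",
    "GET_ACCOUNTS", "READ_CONTACTS", "READ_SMS", "SEND_SMS", "RECORD_AUDIO",
)}


def audit_manifest(xml_text, category, store_title):
    """Compare requested permissions and package name with what the app claims to be."""
    root = ET.fromstring(xml_text.strip())
    package = root.get("package", "")
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    requested.discard(None)  # ignore <uses-permission> tags without a name
    unexpected = sorted(requested - EXPECTED[category])
    # Title words of 4+ letters; if none appears in the package name, flag it.
    words = [w for w in re.findall(r"[a-z]+", store_title.lower()) if len(w) >= 4]
    mismatch = bool(words) and not any(w in package.lower() for w in words)
    return {
        "package": package,
        "unexpected": unexpected,
        "sensitive": [p for p in unexpected if p in SENSITIVE],
        "name_mismatch": mismatch,
    }


# Constructed sample: package name from the article, permission strings assumed
# from its description ("location, call log, ... other accounts").
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.topgame.widereceiverfree">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-permission android:name="android.permission.READ_CALL_LOG" />
  <uses-permission android:name="android.permission.GET_ACCOUNTS" />
  <application android:label="@string/app_name" />
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, "game", "Football World Cup 14")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The store title is passed in separately because the manifest label is usually a resource reference rather than the visible name.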
Our mobile security app avast! Mobile Premium has an Ad Detector feature. Ad Detector finds out which apps are linked to ad networks and provides details of their tracking system, so you have a full overview of all the ad networks contained within your apps.
You can download avast! Mobile Security for free from Google Play or for additional features, like Ad Detector, you can download avast! Mobile Premium for $1.99 a month.
Today one of our colleagues came into our office and said, “Hey guys, I’ve been infected.” I thought to myself, yeah, how bad can this be? After a bit of digging we found the results were worth it; it turned out to be a really “interesting” case of mobile redirected threats localized for each country.
All you need is one bad IP
The case was brought to us by Jakub Carda, a fellow AVAST employee who enjoys blogging in his free time. His WordPress site was compromised through a vulnerability in WordPress, more precisely OptimizePress. OptimizePress is a WordPress plugin that fully integrates itself into the WordPress CMS, helping bloggers optimize their blog’s design. A tiny mistake in the code of a file located in: lib/admin/media-upload.php made it possible for pretty much anyone to upload harmful content onto people’s WordPress sites, and plenty of websites have been compromised because of this.
Official app stores are the primary sources for finding and downloading apps. Experts advise users to stay within the official app stores as they are approved ecosystems, which are widely recognized as safe. But are these sources really trustworthy? Some experts, however, claim that “Android malware is non-existent and security companies just try to scare us. Keep calm and don’t worry.” So which is it?
We’ve already blogged about plenty of threats that sneak onto your device from trusted sources, but here we have a really fresh one, one that is still undetected by other security vendors. An application called Cámara Visión Nocturna (package name: com.loriapps.nightcamera.apk), which is still available in the Google Play Store as I am writing this post, is something you definitely don’t want to have on your Android device.
Starting with the application’s permissions you might notice there are some unusual requests for an app that should be able to work only using your camera.
<uses-permission android:name="android.permission.CAMERA" />
First of all, I would like to shift your attention a bit backwards. No worries! This is not a history lesson or something from the ancient past. Rather, I would like to share with you folks some Android statistics from the last two years. Hopefully, it will give you a better idea about which malware is spread around the most. By the way, if growth of Android malware was on the stock exchange and you had invested some money in it, you would have become a billionaire a few months ago. So let’s check out some graphs!
In the first graph you can see how many samples we have to process in our databases. It covers 2010 through the end of 2013. Pretty nice growth, isn’t it? By the end of 2013, we had almost 800,000 unique suspicious Android samples which we had to process and cover in VPS updates.
In the second graph, you can see the TOP 10 detections of malware families we have seen during the last half of the year. The majority are fake applications or data stealing apps. This group of malware can really easily mess up your device. Data which is mined from these apps can be used against you. Last year, I blogged about a few examples which we saw infecting devices – but that was just a piece of a bigger pie.
What might be strange in the second graph is that four of the top ten have something to do with SMS sending. That means they are able to steal your money using SMS messages. That’s probably the most common way for mobile cybercrooks to quickly steal money. For malware programmers, it is really easy to access those parts in devices and send premium messages.
I hope that even skeptics will agree that protecting your device from malware threats is necessary these days. Try avast! Mobile Security for free.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
A few weeks ago, I discovered and Julia warned you about a fake AVAST application which was infecting smartphones. It was hidden behind adult apps and was pretty nasty. Here is some detailed information about it.
First of all, if you look for adult applications (also known as pleasure applications :) ), you can find tons of them. Some apps, especially those offered on unofficial markets, are infected by malware; in the case of the fake AVAST app, it was ransomware. The same scenario commonly plays out – after installation when you play the application for the first time, you get infected and blocked from using your phone. The app asks for money to unblock your phone. That’s typical ransomware behavior.
The clues are easy to spot
You are looking for an adult application and run across something called AVASTME.NOW. What the hell is going on here, you might think? The fact that an adult app is named after the world’s most trusted antivirus might be your first clue that something is wrong. But you install the app, even though it’s a pretty weird name for an app designed for adults. Luckily, after the installation you get an icon on your device called Porn Hub, so you start to feel satisfied you actually got what you were looking for. So let’s play it!
But this satisfied feeling does not stay forever. After the first few clicks, the application announces your phone must be checked for viruses. That’s the second big clue that something might be wrong. Normal applications do not check your phone for viruses. But you don’t have any choice, so you continue. That’s when you see a fake avast! Mobile Security interface which is almost identical to the original.
Here comes a third clue for sharp-eyed users: All the detections you see on the screen use a different format than AVAST. But it’s already too late to stop the app. In the next step, you are asked to pay $100 to clean up your phone. And your device is locked.
Sloppy, but effective
This ransomware is easily packed, and it’s apparent that the creators tried to do it as quickly as possible. Strings of detections don’t have any kind of background, and it appears that it used randomly generated names from multiple antiviruses, as you see in the screenshot below. They were even too lazy to clean up unnecessary icons from the package, so you can find a picture of a cat in it (maybe it’s the unhappy cat of some of the creators? :)) Even though the app was sloppily done, the cybercrooks were successful and earned/stole large sums of money.
This is just one example of the many applications out there waiting to steal money from you. It doesn’t have to be for adults only; basically any application might be misused against you. That’s why everyone should be careful and download applications only from trusted sources. Because malware like this is increasing, it is especially prudent to use some kind of antivirus protection. We suggest (the authentic) avast! Mobile Security, available from the Google Play store. It’s free! You never know when you will get something like this, so install it today on your Android device.
Today is unfortunately the last day of the Virus Bulletin 2013 conference, but it has definitely been memorable. Last night, a gala dinner was held that went on into the wee morning hours. During the dinner there was a classic performance from a dancing cabaret group and a delicious meal was served. And, continuing the tradition for VB conferences, after dinner all the participants moved to our avast! Beer Bar and attempted to get their results to a higher level.
Today’s speaking line-up was concentrated on sophisticated malware on the Windows platform, online threats, and botnets. The afternoon panel discussion was moderated by Pedram Amini, our new AVAST colleague who joined the team a few weeks ago with the acquisition of Jumpshot. The discussion was about cyberwar and what we as a security industry can do about it.
Finally, the most important information: In the first blog chronicling this event, we mentioned the 7th IT Security Table Football World Championship. I asked you to wish us luck, and now I thank you for that! It definitely helped us a lot! And here are the final results!
1. Gdata – Germany
2. Avast – Czech Republic
3. Microsoft – USA
Hurray, we came in second! From such a big competition, it’s a great success for the avast! Virus Lab team, and one that we hope our colleagues (and our boss) will appreciate. For example, by buying a new football table for our office! To be ready to reclaim the AVAST honor at VB2014, we need to increase our practice time! (Next year, Gdata. Next year…)
We had a second day of VB 2013, and today can definitely be classified as an Android day. Most of the presentations from the first three blocks were concentrated on Android threats, potential unwanted applications and Adkits. This gave a strong signal that everyone should take Android security very seriously. Every big antivirus vendor has their own Android security applications, but a main point for me personally was that we should cooperate and share information to fight malware effectively.
In the last presentation block of the day, there were two presenters: First was Milos Korenko with his presentation The Best Things in Life are Free. I have to admit that listening to Milos is really inspiring. His high level public speaking abilities combined with the fact that he was speaking about such a good company as Avast made it one of the best presentations of the day.
During Miloš’ speech there were two hidden surprises. First, we announced the winners of the beer competition from Virus Bulletin 2012 held in Dallas. The top three from VB2012 are:
1. Dmitry (McAfee)
2. Jiri Bracek (AVG)
3. Roman Kovac (ESET)
The second surprise was from my colleagues in the avast! Virus Lab, Jaromir Horejsi and Peter Kalnai. Milos finished his speech quite quickly so he could share his free time with our analysts. They presented Are Linux desktop systems threatened by Trojans? Their talk, based on a blog post Hand Of Thief threat, published at the end of August, extended some philosophical thoughts about a real potential for Linux Desktops.
The avast! Beer Bar is open again! On the first day of VB2013, we spent an evening socializing with other colleagues. You can check our website for the beer rankings and see which IT security company has the best score.
Virus Bulletin 2013 just started today and our company is participating in many ways! This conference is one of the biggest IT security conferences in the world which well-known security companies can’t miss. And we are really proud to be there with more than 370 specialists from the security industry. We are a platinum sponsor, we have a few speakers here – but mainly we are the PROUD BEER SPONSORS for all participants.
Here is a quick review of the first day which was a pretty busy one! During the morning the conference started with a welcome speech from Virus Bulletin editor Helen Martin, and then the technical and corporate streams, represented by many speakers, began. We have one speaker from our company here today. It was Jindřich Kubec, with Eric Romang, presenting “Big bang theory of CVE-2012-4792” – a very successful presentation indeed. The main subject was forensics & detective model that describes the early development of the watering hole campaign which was mostly active from Dec. 2012 to Jan. 2013, targeting prominently energy industries, governments, non profit organizations and human rights websites. After the initial targeted attack, the vulnerability cooled sufficiently to allow its integration in different confidential or public exploit kits. They also dug into the past and showed that there had clearly been a connection with the previous Sept. 2012 watering hole attacks on industrial websites, and also with watering hole attacks through Twitter in May 2012. The earliest phases of the vulnerability, like the Big Bang, are subject to much speculation. They tried to observe the most distant things that a security researcher can see. The timeline of the attacks, together with the disclosure, detection and publication dates were shown. The code structure and changes were also analyzed, including the binary payloads – e.g. remote access tools.
I should also mention that there is an international IT security table football championship. And so far we have been successful! In the morning we won the first match against Sophos 6:1, 6:2 and second against Norman 6:0, 6:0. So cross your fingers and wish us luck for the next rounds. Stay tuned, we will definitely share more information in the next two days!
Yes! What a lucky day! I’ve just got a message that I won 2,000,000.00 British Pounds (2.4M EUR/3.1M USD), an Apple laptop, a T-shirt, and a cap emblazoned with a logo of The Free Lotto Company. Pretty awesome you might think, but appearances are deceptive. Unfortunately, this is just one of the ways bad guys try to get some of our money.
Well, I was thinking, it’s worth a shot. So I decided to write to the email address and see what would happen. Actually, the hardest part was making up a fake name for myself! You would never believe how rough this might be. In the end, I decided to call myself Robert Konmed.
Here’s how the conversation went down.
Me: Hello, I’ve got a winning message with information to contact your email address. How can I pick up my prize please? Thank you, Robert Konmed
Bad guys: Please find attached document for info to contact courier delivery company: EMAIL:email@example.com Regards Brian Calton
Me: Hello guys, I’m really excited about a winning prize. But would be possible to tell me how much I should prepare for a delivery company? And also I’m curious if there is possibility to charge delivery from my winning prize? Thank you & have a nice day! Best regards! Robert Konmed
It has been two or three months since I last blogged about Android malware. But that definitely doesn’t mean there aren’t any new threats. There are plenty! Here are two quick comparisons from the last two years: Growth of the malware problem of the platform in January 2012 compared with January 2013 is far from the ‘normal’ growth of other platforms. According to our statistics, it’s something around +850 percent! Add another year for an even more insane comparison – the growth from January 2011 to January 2013 gives us +3150 percent! The Android platform is definitely one of the most targeted malware platforms these days. But no worries, users of Avast! Free Mobile Security are safe.