Malware authors like to play hide-and-seek. Hiding executable files inside PDFs and Microsoft Office documents and then emailing them as attachments is nothing new, but sometimes one layer isn’t enough. This Avast Virus Lab analysis peels back the layers of a new threat.
Malware authors continually surprise us with their creativity. In an effort to trick banking customers into revealing the login credentials for their online accounts, cybercrooks are exploiting the trust people have in Microsoft Office to make them execute banking malware on their own computers. Here’s how it works:
Typically, spam emails contain executable files that can harm a victim’s computer and steal private information. In the layered version, they have PDFs or Microsoft Office documents attached that contain a malicious executable file. We recently found an email that had an added layer and decided to analyze the email.
The email, disguised as a financially-related message from a legitimate company, informed the recipient that an invoice was due and had a PDF file attached. Embedded inside the malicious PDF were a Microsoft Office document and a simple JavaScript that dropped and executed the DOC file.
Inside the DOC file we found malicious macro code, which users must enable themselves, as macros are disabled by Microsoft Office by default. The macro code is obfuscated: each newly generated document uses unique method names, variable names, and URLs, which makes the malicious files difficult to detect.
When we analyzed the malicious macro code, we found some hints that helped us with our analysis. In this sample it was a function called MICHEL.
We already knew this function would open the URL with the malicious file, and when we found this function in one of the modules, we were able to find the download path.
The address is stored in a variable named GUADALUPE. The URL is unique for each sample and leads to the download of a malicious PE file.
The PE file acts as an information stealer, stealing login credentials from:
- Santander, whose principal market is in the Northeastern United States
- Ulster Bank, based in Ireland
- Google accounts
How to protect yourself from banking malware
Our number 1 recommendation is to keep your security software updated. Avast streams hundreds of updates every day to your devices, so you will stay protected. For example, the executable file downloaded by the malicious Microsoft Office document belongs to a banker family that evolved from the infamous Zeus. This variant is also known as the Dridex botnet. At the time of writing this post, the botnet is still active, but the malware itself is inactive. Avast detects it as Win32:Pierre-A.
Clever cybercrooks use social engineering to manipulate their victims. Use extreme caution when opening emails related to your finances until you can verify the legitimacy.
Samples related to this analysis:
Everyone from celebrities like Lena Dunham to Hugh Jackman is using the (currently) seventh most popular app available on Google Play: Dubsmash. Dubsmash is an app with more than 10 million Google Play installations that lets users choose a sound, record a video to go along with the sound and send their dub to their friends or social media channels. Dubsmash is not only widely popular amongst teens and celebs, but the app has also caught the attention of malware authors.
Avast recently discovered “Dubsmash 2” (with the package name “com.table.hockes”) on Google Play – and no, it was not the bigger and better version of the original app. The app is a so-called “porn clicker” and was installed 100,000-500,000 times from the Google Play Store. We contacted Google when we discovered the rogue app and it was removed from the Play Store shortly thereafter. Once the app was installed there was no evidence of an app named “Dubsmash 2” on the user’s device; instead the app installed an app icon named “Settings IS”. This is a common trick malware authors use to make it harder for the user to figure out which app is causing problems. This should also be the user’s first clue that something shady is going on. The “Settings IS” icon looked very similar to the actual Android Settings icon (see screenshot below).
The app’s mischievous activities could be triggered in two ways. The first was simply launching the “Settings IS” app; the second, which applied only if the user had not yet launched the app, was via the BroadcastReceiver component within the app. The BroadcastReceiver observed the device’s Internet connectivity, and when it noticed the device was connected to the Internet, the app’s true functions were triggered.
If the “Settings IS” app was opened by the user, the Google Play Store would launch to the actual “Dubsmash” app download page.
Once activated, the app sent an HTTP GET request to an encrypted URL. If the request returned a string containing the character “1”, two services would start working: MyService and Streaming. Using this method the author could also effectively prevent the services from starting, remotely.
The second service, the Streaming service, was fairly similar in structure to the MyService component in that it also scheduled a task to run every 60 seconds. The main difference from MyService is that its tasks were visible to the user instead of running secretly in the background. The task checked for changes in the device’s IP address or the date. If either had changed, a video would launch in the device’s YouTube app, which needed to be installed on the device for this to work. The video address was also obtained from an encrypted URL.
After decrypting and further examining the URLs and the video from YouTube, the Avast Virus Lab came to the conclusion that the malware most likely originated from Turkey. The developer’s name listed on Google Play and YouTube hints at this.
We suspect the app developer used the porn clicker method for financial gain. Through clicks on multiple ads within the porn sites, the app developer probably received pay-per-click earnings from advertisers who thought he was displaying their ads on websites for people to actually see.
Although undesirable, the app is basically harmless to the user and less sophisticated than other malware families such as Fobus or Simplocker; still, it shows that although there are safeguards in place, undesirable apps that fool users can still slip into the Google Play Store.
If you installed Dubsmash 2 (package name “com.table.hockes”), you can delete the app by going into Settings -> Apps -> find “Settings IS” and then uninstall the app.
The Avast Mobile Security application detects this threat as Android:Clicker. SHA-256 hash: de98363968182c27879aa6bdd9a499e30c6beffcc10371c90af2edc32350fac4
Thank you, Nikolaos Chrysaidos, for your help with the analysis.
We’ve recently told you about Avast Battery Saver, an application which saves your Android’s power without hassle. It optimizes phone settings such as Internet connectivity, screen brightness, and timeout according to your needs. We’d now like to announce an exciting new feature of the app: Wi-Fi-based smart power profiles. These profiles are activated automatically based on designated local Wi-Fi networks that are detected. Users can now assign specific wireless networks to be used within their home or work smart profiles. Not only are Wi-Fi-based profiles more precise than GPS-based profiles, but they are also more efficient and require less energy to detect.
In contrast to other battery-saving applications, Avast Battery Saver learns about your daily routine and thus suggests the best smart profiles for your phone. It doesn’t require you to change your behavior or usage, nor does it affect voice calls, text messages, or the ring volume of your phone.
“Everyone needs more battery life for their mobile devices, but most battery savers shut down the wrong apps,” said Jude McColgan, Avast’s President of Mobile. “Avast Battery Saver learns which apps are most important to the user, and shuts down only those that are less used.”
Avast Battery Saver significantly improves battery life, saving up to 20% on one charge — and it’s free from the Google Play Store.
New Wi-Fi-based profiles have been added to make the app’s convenient features significantly more efficient
- Smart profiles activate automatically based on time, location, user-designated Wi-Fi networks and battery level.
- App consumption detects and permanently stops apps that drain too much battery life.
- Precise estimate of remaining battery life based on actual phone usage and historical data. Battery level is displayed in a percentage and time remaining in status bar notification.
- The application can turn off Wi-Fi when there are no known hotspots nearby.
- Your phone limits connections to the Internet to every 5, 10, 15 or 30 minutes, based on your current profile configuration, when its screen is turned off.
- Emergency mode is activated when your battery level is very low, and it turns off all functions that require significant energy, saving power for when you really need it (e.g. Wi-Fi, data connection, Bluetooth or GPS).
The app currently works with the following four profiles: Home, Work, Night, and Super-Saving Emergency Mode. You can easily access the list of profiles by clicking the “Smart Profiles” button on the app’s home screen. Avast Battery Saver is available for download in the Google Play Store.
Today is Earth Day. It’s a day that people, organizations, corporations, and governments around the world demonstrate their commitment to protect the Earth and help advance a sustainable future. Every action, no matter how small, counts - from eating less meat to recycling or composting to reducing your energy footprint; it all contributes to a cleaner, greener world now and in the future.
Avast users do their part to save the Earth
Since our minds are on all things green this Earth Day, we want to highlight a particular bunch of Avast customers. These Android users simply came to Avast to find a way to save some of their smartphone’s battery power. Little did they realize when they installed Avast Battery Saver on their Android device that together they were making a difference that even we were surprised about.
In the first month that Avast Battery Saver was available, 200,000 customers downloaded and actively used it on their Android phone or tablet. This infographic shows how that cumulative use added up to real energy savings.
Do your part for Earth Day, and save up to 20% battery power everyday! Install Avast Battery Saver for free from Google Play.
Luke Walling, GM of Avast for Business, had confidence in the Avast for Business product all along. But the explosion of new customers has surprised and delighted even him. ~Editor
Avast for Business is the industry’s first free, easy to use, cloud-managed security offering that protects small-to-medium-sized business (SMB) from cyber attacks and data breaches.
The new product has been available for two months, and already more than 75,000 SMB owners have enthusiastically selected Avast for Business to protect their companies.
The new, cloud-managed solution has specifically been adopted by IT consulting, education, and non-profit sectors. Early results also show a strong uptake in managed service providers, who make up 12 percent of Avast for Business’ total installed device count and 2.5 percent of its new users.
One reason for its booming success is that most start-ups, small businesses, schools, and nonprofit organizations lack the IT infrastructure to install costly and complex on-premise security solutions. Avast for Business provides the ideal solution: it is easily scalable and managed from anywhere. Additionally, Avast for Business starts at a price everyone can afford: free, making it a natural fit for small-to-medium-sized businesses and organizations worldwide.
Avast for Business is free for as long as you want it and for an unlimited number of admins and devices. Protect your company with Avast for Business.
Would you rather trust the virus experts or your instincts?
Every day 140,000 people connect their USB flash drive or mobile phone to a computer, and get a warning from Avast about an infection called LNK:Jenxcus.
Which kind of person are you?
Many of them act on that information from their trusted Avast Antivirus security software and as a result, they scan their USB device for malware and they wipe it away. Crisis over.
But there is another group of people who keep this infection alive and active, because they refuse to believe it is a real or dangerous threat. In other words, because something has always been one way, they assume it can’t change, therefore Avast must be wrong.
As a result, they decide to turn off their antivirus shield and by doing so, they create an obstacle-free way for malware to enslave their computer and steal data or valuable computing time.
A perfectly good reason. Or is it?
One of the most frequent reasons people use for disabling shields and allowing malware to spread in their computer is
“I use this file all the time and it is safe.”
Another variation is,
“I created this file, it’s only a picture.”
Do you find this situation familiar? Are you guilty of overriding the security software you installed to protect yourself?
If your answer is yes, then test your virus detection knowledge with the image below. There are two screenshots of a directory from a USB stick; one is infected and the other is clean. Can you tell the difference?
It’s difficult to tell, isn’t it?
The one on the left is infected. The most visible differences are on the icons, but there is another clue in the file types. Some files and directories on the left side changed their type into a shortcut. This happened because a malicious script installed itself onto a USB drive and replaced legitimate files with links. If the owner of the USB opens the directory Firm Accounting, for example, he executes malware that in the end opens the real Firm Accounting directory, so it looks like everything is normal. But it is not, because in the background all the computer’s drives are getting infected over and over again.
Avast detects LNK:Jenxcus and warns you.
The trick is, you have to heed the warning.
Source of infection
Apart from other infected drives, this malware is downloaded onto your computer from hacked websites. The screenshot below shows an example of a hacked website waiting for random users with a vulnerable Internet browser. Can you tell the difference this time?
If you answered no, you are absolutely right, because for the normal user there is no visible change. That is probably the reason for another frequent excuse before disabling the shields,
“I visit this page every day. It doesn’t have malware.”
That’s just not good enough, because the fact that the page is clean most of the time does not mean it is not vulnerable to attacks. In fact, most small and medium-sized business (SMB) pages have some exploitable vulnerability, and when they get targeted by exploit kit authors, your best chance to stay safe is updated applications and an active antivirus. With the shields ON!
If you are comfortable with computers, then you may want to clean this infection manually. Start with your computer and look for shortcut links (.lnk) and Visual Basic script (.vbs, .vba, .vbe) or batch (.bat) files. The links usually point to these hidden script files, so it is not hard to find them. If you wonder where the original files are, you can find this information in the links too. In most cases they were not moved, just marked as hidden so they are not visible on computers with a standard configuration. When you are sure all hard drives are clean, it is time to go through all your removable drives and repeat the same procedure.
An easier way to clean an infection is by using a good cleaning tool. If you need help searching for such a tool, visit our Avast forum and read what others do in your situation, or ask nicely for help from the Evangelists, who dedicate their free time to helping users and researching security problems.
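As an added example (not from the original Avast post), the manual check described above can be scripted: this PowerShell triage script inventories the shortcut files on a drive, flags those that launch a script host or name a script file in their arguments, and lists hidden and script files so the hidden originals can be located. It only reports; nothing is deleted. The drive letter is an assumption.

```powershell
# Added triage script, not part of the original post. Reviews a drive for
# LNK:Jenxcus-style shortcuts (links that run a hidden script instead of the
# real file) and lists hidden items so the originals can be found. Report only.
param(
    [string]$Root = 'E:\'   # assumption: the removable drive to inspect
)

$shell     = New-Object -ComObject WScript.Shell
$scriptExt = '\.(vbs|vbe|vba|bat)\b'

# 1. Shortcuts whose target is a script interpreter, or whose target or
#    arguments name a script file. Legitimate shortcuts rarely do either.
$suspicious = Get-ChildItem -Path $Root -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $launchesHost = $lnk.TargetPath -match '(wscript|cscript|cmd)\.exe$'
        $namesScript  = ($lnk.TargetPath + ' ' + $lnk.Arguments) -match $scriptExt
        if ($launchesHost -or $namesScript) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments   # usually shows the script and the real file it opens
            }
        }
    }

# 2. Hidden items and script files anywhere on the drive: the dropped script is
#    normally hidden beside the shortcuts, and the original files and folders
#    were only marked hidden, not moved.
$hidden = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -or ($_.Extension -match $scriptExt)
    } |
    Select-Object FullName, Attributes, Length

'Suspicious shortcuts:'
$suspicious | Format-Table -AutoSize
'Hidden items and script files:'
$hidden | Format-Table -AutoSize
```

Run it from an elevated PowerShell for each drive in turn; unhiding the originals (for example with attrib -h) and removing the script and shortcuts is a separate, deliberate step once the report confirms what they are.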
Suspect a false positive?
If you think it’s a false positive, do a little checking first. The Avast forum is a good place to start. You can read about LNK:Jenxcus, or you can start a new thread with your own question. If you are still convinced that you have a false positive, then please report it so the Avast Virus Lab can determine how and why it’s detected. This video tells you how.
The Avast bi-weekly wrap-up is a quick summary of what was on the Avast blog for the last two weeks.
Spring has sprung and it’s time to clean the dust and grime away after a long winter. In a departure from our regular security-oriented blog posts, we share 10 spring cleaning tips to combat grime. Don’t forget you can also clean your mobile devices! But you barely have to lift a finger because Avast GrimeFighter Safe Clean will remove the grime from your Android mobile devices with the touch of a button. If only window washing were so easy!
Independent testing lab AV-TEST gave their coveted certification to our popular mobile security application, Avast Mobile Security. If you are still on the fence regarding protecting your Android smartphone then read How to find the best protection for your Android phone? Independent tests.
Many smartphone owners are more worried about losing their device than they are about becoming infected with malware. That’s why we created Avast Anti-Theft. Make sure you have the latest version of our free app so if your phone gets lost, you can track it via your My Avast account or using SMS notifications from your friend’s phone. The post Turned Android auto-updates off? Manually update Anti-Theft to stay protected explains how you can use Avast Anti-Theft to recover your lost Android device.
The mobile development team released a handy little app called Avast Battery Saver. This free app from Google Play helps you save some battery power. But not just any app can do it. The blog post Fear and loathing on Google Play: An in-depth look at today’s battery saving and cleaning apps gives us the scoop on apps that promise to save battery life with task cleaning.
How to extend the life of your phone’s battery is a question that we all have when the juice starts running out. The Avast Battery Saver app can help save about 20% but there are other ways to save battery life. We give you the tips and also share the future of smartphone batteries.
The unsecured Wi-Fi hotspot at the local cafe can be bad news if thieves capture your login credentials. Android users with Avast Mobile Security have a built-in feature called Wi-Fi Security that warns them if any issues are detected. We are now seeking iOS beta testers for an app called Avast SecureMe that will include the same type of feature for iPhone users. Check our blog Wi-Fi Security feature foolproofs your network connections both in public and at home and scroll down to the bottom for the beta test sign up link.
Cybercrooks use a variety of attack vectors to reach their victims. Targeted spearphishing attacks use email messages to trick people into providing sensitive information, while malicious apps for Android disguise themselves as innocent games. The scary ransomware locks up all your files and demands a ransom for the key to unlock them – on both PCs and mobile devices! Avast keeps you aware of cybercrooks’ latest tricks in Don’t take the bait: Beware of web attack techniques.
Wi-Fi Security is a feature that is available for Android users within the Avast Mobile Security app as well as within Avast SecureMe for iOS. The feature’s job is to scan Wi-Fi connections and notify you if it finds any security issues including routers with weak passwords, unsecured wireless networks, and routers with vulnerabilities that could be exploited by hackers.
While conducting user testing, we found that 22% of Avast Mobile Security users make use of the Wi-Fi Security feature, making it the 2nd most used feature within Avast Mobile Security.
“Avast SecureMe and Avast Mobile Security offer users a simple, one-touch solution to find and choose safe networks to protect themselves from the threat of stolen personal data,” said Jude McColgan.
Wi-Fi Security scan notifies you of any issues that are detected
From all the users who tested the Wi-Fi Security feature, more than 10% of the scans performed returned some kind of problem, such as the use of non-encrypted passwords or a router that is susceptible to security threats. The Wi-Fi Security feature currently performs checks for the following four key elements:
- Non-encrypted, unsecured wireless networks
- Networks with weak encryption
- Weak router passwords
- Routers with known security issues
What’s the risk that my personal data will be stolen?
If you use unsecured Wi-Fi when you log in to a banking site, for example, thieves can capture your login credentials, which can lead to identity theft. On unprotected Wi-Fi networks, thieves can also easily see emails, browsing history, and personal data if you do not use a secure or encrypted connection like a virtual private network (VPN). See our global Wi-Fi hacking experiment to see how widespread the threat really is.
Wi-Fi Security offers two solutions to defend against malware threats
After the Wi-Fi Security feature has scanned your device, you’re presented with two options:
1) Launch Avast SecureLine VPN
2) Click the ‘How to resolve’ button
The first of the two options is meant to be used when you’re connecting to public networks – it’s ideal for cafes, airports, or hotels. By contrast, users should opt to resolve detected threats if they’re browsing at home using their own devices. When taking this route, you’re redirected to the Avast website in order to set up your router in accordance with our guidelines.
How do I get the Wi-Fi Security feature onto my device?
Avast SecureMe will soon be available in the iTunes Store. Before its widespread release, we will be conducting an invitation-only public beta test. Please sign up here, and the SecureMe team will contact you. If you have already downloaded Avast Mobile Security for Android then you’re all set to start using the Wi-Fi Security feature (you’ll find the “Wi-Fi Security” button on the app’s dashboard). For those yet to download Avast Mobile Security, it is available now from the Play Store.
If you have a smartphone, you are basically carrying around a pocket-sized laptop with a built-in camera and phone. Denser electronics have allowed for some powerful features to be built into a small package, but the weak link is the battery that runs it all. Battery energy has yet to match the quick growth of features on electronic devices.
Where does the juice go?
The power it takes to keep the device running all day depends upon what you do as well as your operating system, settings, and network (Wi-Fi, CDMA/GSM, 2G/3G/4G), but battery manufacturers say typical Lithium-ion (Li-ion) batteries provide up to ten hours talk time and up to 300 hours standby time.
Apps drain the battery. They sit in the background pinging servers, keeping track of where you are, and waiting for signals. Wi-Fi, Bluetooth, and GPS use power looking for routers and satellites or other Bluetooth devices. The display uses lots of power too, especially at full brightness and if you do graphic-intensive activities like play games.
The environment also has an impact on Li-ion batteries. They suffer from stress when exposed to temperatures above 30°C/86°F. This high heat accelerates capacity loss which cannot be restored. Likewise, cold can decrease electricity flow, making your device sluggish.
When do I need to replace my battery?
Conventional wisdom says you’ll probably need a new phone battery each year. Factors like charge and discharge cycles, exposure to high temperatures, and aging decrease performance over time. Manufacturers say the life of most Li-ion batteries ranges between 300 and 500 cycles. Beyond this lifespan, batteries gradually diminish below 50 percent of their original capacity.
If you notice that your battery depletes rapidly, fails to hold a full charge, or feels abnormally warm then most likely it’s time to replace your phone’s battery.
How to save battery life?
- Use Avast Battery Saver. Our free app from Google Play optimizes phone settings using ‘Smart profiles’ which activate automatically based on time, location, and battery level. This saves up to 20% on one charge.
- Avoid full discharges and charge the battery more often between uses.
- Limit exposure to extreme temperatures, especially heat. Don’t leave your phone in a hot car. Room temperature is best.
- Lower your screen brightness. You can experiment, but usually anywhere above 50% is still readable. Some phones let you set it to auto-adjust.
- Turn off vibrate, ringtones, and the flash on your camera.
- Keep apps updated. The updates often improve battery usage by making the apps more efficient.
- When in areas with no cell coverage, turn the device to airplane mode or even turn it off. Otherwise, the phone will continue to search for a signal and that eats battery.
- Limit graphics-intensive activities like gaming and watching videos.
- Turn off Wi-Fi, Bluetooth, and GPS when you don’t need them.
Read more about Avast Battery Saver, Fear and loathing on Google Play: An in-depth look at today’s battery saving and cleaning apps.
The future of smartphone batteries
The race for a safe, cheap, long-lasting, energy-rich battery is on. With electric cars, wearable tech, and the Internet of Things running our households, inventors, scientists and business people are searching for the breakthrough that will change batteries forever. The next-generation of batteries may well be built with silicon-based electrodes, take advantage of the oxygen we breathe to recharge power cells, or be organic.
Just last week, a super-fast (1 minute!) chargeable aluminum-ion battery with a high-charge storage capacity developed at Stanford University was announced. This low cost, durable (it was able to withstand more than 7,500 cycles without any loss of capacity) battery is not ready to be mass produced, but it holds promise.
Until that time comes though, use the free Avast Battery Saver app to extend the life of your phone’s battery.
Avast Battery Saver quickly and easily helps you to save your Android’s battery life
Mobile devices are currently evolving at an exceptional rate. Processor speed, display quality and connectivity options have changed dramatically over the past few years. However, battery capacity still seems to be struggling to keep up with the evolving capacity needed to power the enormous amount of new processors and displays.
According to a recent survey answered by 20,000 people, 60% of Android owners are not satisfied with their device’s battery life.
There are a huge amount of Android applications trying to solve that problem, yet most of them fail to do so. When examining the features available on these apps, it becomes easy to see why many of them haven’t achieved complete success.
Task-killing is the most popular feature available not only within many battery saving apps, but also within cleaners and phone boosters. It most likely originated in Windows’ desktop operating system. Since users had first become accustomed to closing programs on Windows when their PCs began to slow down, this behavior transferred over to mobile devices when the users began to use Android.
However, Android’s system works differently. Android aims to keep RAM full in order to switch between applications more quickly. If there is no free RAM left, Android kills the less recently used applications. Thus, there is no need for the user to shut down apps manually. Furthermore, task-killing actually slows down devices, because each time an app is shut down, its data must be loaded into RAM again.
Try it yourself
Here’s a small test that you can try: install a task-killer, RAM booster or battery saving app that “cleans” RAM. Click the main button (it’s usually called “Optimize” or “Boost”). You’ll see several apps killed. Then, wait for a few seconds and try it again. Nothing will happen, as you’ve just killed everything.
Now, uninstall or clear the data in the tested app. After you click the “Optimize” button again, almost all of the apps you’ve just killed are shown to be killed again. Looks strange, huh? It might appear that the “Optimize” button doesn’t do anything. In reality, it does kill applications. The trick is that many apps start directly after being killed using Android’s WakeLock feature. Apps with an “Optimize” button have a timer which prevents users from seeing that killed apps are running again after a few seconds. Because of this, there is no sense in using “Optimize”.
More info about task-killing can be found here:
How can I actually save my device’s battery life?
Two main factors that contribute to saving battery are turning off certain features of your device, including Wi-Fi and mobile data, and limiting display brightness and timeout.
Avast now brings you Avast Battery Saver, an application which saves power without hassle. It optimizes phone settings such as Internet connectivity, screen brightness, and timeout according to your needs. Smart power profiles are activated automatically based on time, location, and battery level without sacrificing the activities you love most.
Avast Battery Saver also contains a powerful tool to solve the issue of apps draining your battery’s lifespan while not being used. You have the ability to see how much battery every app is draining and force stop any that you’re not currently using. Unlike task-killing, force-stopping is Android’s native solution to prevent apps from unnecessarily running in the background. Once force-stopped, an app will not run again until it’s next manually opened.
Ready to save? Download Avast Battery Saver for free on Google Play.