Although it’s possible to use third-party apps stores safely and securely, the fact that scams do still occur in a variety of app stores shouldn’t be ignored. On Sunday, a threat was discovered by a user who posted the issue on our forum. The scam, located within the Windows Phone Store, advertised three fraudulent versions of Avast Mobile Security. These fake apps not only include the Avast logo, but also feature actual screenshots from AMS in their image galleries. Our fast-acting team has since blocked the pages and has labeled them as malicious.
Fake AMS apps collect personal data and redirect users to adware
If downloaded, these fake versions of AMS found on the Windows Phone Store pose a risk to users’ security. Here’s how they work:
- New Avast security: This app includes three control buttons which show only advertisements. Even without actively clicking on the ads, the app redirects users to additional adware.
- Avast Antivirus Analysis: Claiming to “protect your phone from malware and theft”, this malicious app runs in the background of victims’ devices once downloaded and collects their data and location.
- Mobile Security & Antivirus – system 2: Simply put, this is a paid-for version of “New Avast security” that forcibly leads users to adware.
Earlier this week, security researchers unveiled a vulnerability that is believed to be the worst Android vulnerability yet discovered. The “Stagefright” bug exposes nearly 1 billion Android devices to malware. The vulnerability was found in “Stagefright”, an Android media library. Hackers can gain access to a device by exploiting the vulnerability and can then access contacts and other data, including photos and videos, and can access the device’s microphone and camera, and thus spy on you by recording sound and taking photos.
All devices running Android versions Froyo 2.2 to Lollipop 5.1.1 are affected, which are used by approximately 95% of all Android devices.
The scary part is that hackers only need your phone number to infect you. The malware is delivered via a multimedia message sent to any messenger app that can process MPEG4 video format – like an Android device’s native messaging app, Google Hangouts and WhatsApp. As these Android messaging apps auto-retrieve videos or audio content, the malicious code is executed without the user even doing anything – the vulnerability does not require the victim to open the message or to click on a link. This is unique, as mobile malware usually requires some action to be taken to infect the device. The malware could also be spread via link, which could be sent via email or shared on social networks, for example. This would, however, require user interaction, as the video would not load without the user opening a link. This exploit is extremely dangerous, because if abused via MMS, victims are not required to take any action and there are neither apparent nor visible effects. The attacker can execute the code and remove any signs that the device has been compromised, before victims are even aware that their device has been compromised.
A cybercriminal’s and dictator’s dream
Malware Writers Can’t Keep Their Hands Off Porn
In April, we reported on a porn clicker app that slipped into Google Play posing as the popular Dubsmash app. It seems that this malware has mutated and once again had a short-lived career on Google Play, this time hidden in various “gaming” apps.
For your viewing pleasure
The original form of this porn clicker ran completely hidden in the background, meaning victims did not even notice that anything was happening. This time, however, the authors made the porn a bit more visible to their victims.
The new mutation appeared on Google Play on July 14th and was included in five games, each of which was downloaded by 5,000-10,000 users. Fortunately, Google reacted quickly and has already taken down the games from the Play Store.
Once the app was downloaded, it did not really seem to do anything significant when opened by the user. However, once the unsuspecting victim opened his/her browser or other apps, the app began to run in the background and redirect the user to porn sites. Users may not have necessarily understood where these porn redirects were coming from, since it was only possible to stop them from happening once the app was killed.
A couple of days ago, a user posted a comment on our forum regarding apps harboring adware that can be found on Google Play. This didn’t seem like anything spectacular at the beginning, but once I took a closer look it turned out that this malware was a bit bigger than I initially thought. First of all, the apps are on Google Play, meaning that they have a huge target audience – in English speaking and other language regions as well. Second, the apps were already downloaded by millions of users and third, I was surprised that the adware lead to some legitimate companies.
The Durak card game app was the most widespread of the malicious apps with 5 – 10 million installations according to Google Play.
When you install Durak, it seems to be a completely normal and well working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right?
Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action, however, if you approve you get re-directed to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.
An even bigger surprise was that users were sometimes directed to security apps on Google Play. These security apps are, of course, harmless, but would security providers really want to promote their apps via adware? Even if you install the security apps, the undesirable ads popping up on your phone don‘t stop. This kind of threat can be considered good social engineering. Most people won‘t be able to find the source of the problem and will face fake ads each time they unlock their device. I believe that most people will trust that there is a problem that can be solved with one of the apps advertised “solutions” and will follow the recommended steps, which may lead to an investment into unwanted apps from untrusted sources.
Avast Mobile Premium detects these apps, protecting its users from the annoying adware. Additionally, the apps’ descriptions should make users skeptical about the legitimacy of the apps. Both in English and in other languages such as German, were written poorly: “A card game called ‘Durak‘ – one of the most common and well known game“.
The apps‘ secure hash algorithm (SHA256) is the following: BDFBF9DE49E71331FFDFD04839B2B0810802F8C8BB9BE93B5A7E370958762836 9502DFC2D14C962CF1A1A9CDF01BD56416E60DAFC088BC54C177096D033410ED FCF88C8268A7AC97BF10C323EB2828E2025FEEA13CDC6554770E7591CDED462D
As a malware analyst, I find new pieces of malware day in and day out. In fact, I see so many new malware samples that it’s difficult for me to determine which pieces would be really interesting for the public. Today, however, I found something that immediately caught my attention and that I thought would be interesting to share.
The three URLs listed above are websites that offer mobile monetizing kits, which are advertising kits that developers can implement in their mobile apps. The goal for developers is to monetize from advertisements. If a user clicks on one of the ads delivered by one of the above listed providers, he may be lead to a malicious subdomain.
The most visited of the three URLs is Espabit. According to our statistics, we know that Espabit’s servers get around 150,000 views a day and nearly 100% of the views are from mobile devices. This may not seem like that much compared to the number of Android users there are in the world, but it is still a considerable number. Espabit is trying to position themselves as a world leader in advertising, and their website may appear innocent, but first impressions can be deceiving.
The most visited Espabit subdomain, with more than 400,000 views during the last few months, leads app users to pornographic sites via the ads displayed in their apps. The site displays a download offer for nasty apps (no pun intended) that have malicious behavior.
The above is just one example of the malicious links; there are many others hosted on the same server. The majority of the links lead to pornography or fake apps that all have one thing in common: They all steal money from innocent users.
How do they convince people to download their app? By posing as official Google Play apps. The apps are designed to look like they are from the official Google Play Store – tricking people into trusting the source. Since Android does not allow users to install apps from untrusted sources, the sites offer manuals in different languages, like English, Spanish, German, and French, explaining how to adjust Android’s settings so that users can install apps from untrusted sources, like these malicious apps. How considerate of them.
Now let’s take a deeper look at what the apps are capable of doing:
All of the “different” apps being offered by the three sites listed above are essentially the same in that they can steal personal information and send premium SMS. So far, we know about more than 40 of them stored on the websites’ servers. Most of the apps are stored under different links and, again, are offered in different languages (they want everyone to be able to “enjoy” their apps). The goal behind all of the apps is always the same: Steal money.
Some of the permissions the apps are granted when downloaded…
Once you open the apps, you get asked if you are 18 or older (they are not only considerate in that they offer their product in various languages, but they also have morals!).
After you click on “YES” you are asked to connect your device to the Internet. Once connected to the Internet your device automatically starts sending premium SMS, each costing $0.25 and sent three times a week. That’s all the app does! The amount stolen a week does not seem like much, but that may be done on purpose. People may not notice if their phone bill is $3.00 more than it was the month before and if they don’t realize that the app is stealing money from them and don’t delete the app it can cost them $36.00 a year.
This malware is actually not unique in terms of the technique it uses. However, collectively, the three websites have around 185,000 views daily, which is a lot considering there is malware stored on their servers. Not everyone is redirected to malware, but those who are, are being scammed. Considering that the most visited malicious subdomain had around 400,000 views in the last quarter, it tells us that a large number of those visitors were infected. This means these ad providers are making a nice sum of money and it’s not all from ad clicks and views.
Although many mobile carriers around the world block premium SMS, including major carriers in the U.S., Brazil, and the UK, this case should not be taken lightly. These malware authors use social engineering to circumvent Google’s security and target innocent app users via ads. Think of how many apps you use that display ads, then think of all the valuable information you have stored on your phone that could be abused.
All malicious apps we found and described here are detected by Avast as:
Some of SHA256:
Mobile malware analyst Filip Chytry looks into his crystal ball and predicts where cybercrooks are headed next.
The majority of mobile malware AVAST has in its database comes from unofficial app stores. As we wrote about in The Fine Line between Malicious and Innocent Apps, infiltrating official app markets like Google Play is rather difficult. Therefore, it is very likely that mobile malware authors will look for other ways to hack mobile devices, which contain a plethora of valuable and sensitive information.
App servers and base transceiver stations (BTS), which enable communication between mobile networks and devices, will most likely be targeted next by mobile hackers. Man-in-the-middle attacks via app servers mean that mobile hackers may redirect communication between mobile app users and the app’s server or infect app users’ by pushing malware onto user devices via the apps on their devices.
Mobile operators should be prepared for a BTS attack, as this may be possible in the near future. Not only would hackers be able to spread malware to mobile users via a BTS attack, but infected BTS could re-route all incoming mobile data.
Another possibility is that hackers could intercept communication between mobile users and app servers. Hackers could retrieve banking details if they intercept the communication between a user completing a transaction using a mobile banking app.
Mobile malware is in its infancy; at the moment comparable to a toddler. Mobile users, security providers, app markets, and mobile operators should brace themselves for the teenage version of mobile attacks.
AVAST will continue to be one step ahead of mobile malware authors, protecting avast! Mobile Security users from malware and other mobile security risks. Download avast! Mobile Security for free.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
Malware has increased on mobile devices 900% since 2011. As dramatic as that number is, as we explained in part 1 of this post, your Android device is unlikely to become infected with malicious malware.
Nowadays, cybercrooks use more subtle and insidious techniques to steal money and personal data from you.
We explained about PUPs and snoopy apps that want too much information from you. Here are a few more sneaky methods that you should be aware of:
Information hungry ads
App developers are not the only information hungry players in the app game. Ad kits can be found in 80% of free apps. Ads are used to monetize free apps, just like websites display ads to monetize. Unfortunately, not all ad networks play fair. Some ad networks collect and share your personal data.
At the beginning of the year Rovio, maker of Angry Birds, came under fire for allegedly sharing user information with the NSA. They, however, denied this and stated that Ad Networks used by “millions of commercial websites and mobile applications” leaked information to the U.S. intelligence agency.
avast! Mobile Premium, the premium version of avast! Mobile Security, includes an Ad Detector feature. This feature provides full details of an ad network’s capabilities. Ad network permissions are mixed in with the app’s permissions, so it is difficult to differentiate where certain information is being sent and who is accessing your device. App downloaders should therefore always review app permissions thoroughly, as app developers are not the only players on the app’s field.
Empty promise apps
There are apps on the market that are not after your personal data, but are more interested in deceiving you for financial gain. These apps trick people into downloading something different than what they advertised. There are various ways this can be done with various levels of severity.
The most innocent of them being seemingly normal apps that when downloaded only display ads, not even offering the service they advertised. We found apps like this around the time of the World Cup. Games like Corner Kick World Cup 2014 displayed a white screen with ads popping up now and then. This is not necessarily malicious, but frustrating and annoying for the user. If the app had been called Ad Roulette it would be acceptable, but app developers gain a small profit from advertisers when users click on ads displayed within their app. Displaying ads continuously boosts the likelihood that users will click on the ads, thus increasing the app developer’s profit.
More malicious and misleading apps warn people that their device is infected, deceiving them into downloading either an app to remove the “virus” on their device or in some cases downloading actual malware. AVAST discovered an adult app, available on an underground app market that forced users to “scan their device for viruses.”. Subsequently, the app displayed a fake version of avast! Mobile Security, which in reality was ransomware that locked victim’s out of their devices until they paid up.
Apps that gain users by offering a solution to remove non-existent infections, on the other hand, may offer a legitimate app, like a security or other category of app, but the tactic they use to gain users is deceitful and unethical.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter, Google+ andInstagram. Business owners – check out our business products.
AVAST has more than 1 million mobile malware samples in its database, up 900,000 from 2011.
Yet the majority of mobile users seemingly have never been affected by mobile malware. Have you ever wondered why that is?
Unmistakably malicious malware, like ransomware or malware that is designed to send premium SMS behind users’ backs, is available on underground hacker forums. Yet truly malicious malware rarely hits the mass market, because they get blocked by security apps like avast! Mobile Security and are not tolerated on the Google Play Store. This protection saves the majority of mobile users from encountering malware, which is why mobile malware seems like a myth to many.
While it may take time for mobile malware authors to successfully circumvent official app market policies, there are less malicious ways app developers are taking advantage of app users. These app developers are taking advantage of the fine line between malicious and innocent apps, using sly tactics to go behind users’ backs.
PUPs – Potentially Unwanted Programs (not as in puppies)
Apps whose behavior blurs between malicious and innocent are classified by avast! Mobile Security as Potentially Unwanted Programs (PUPs). Apps classified as PUPs act innocently enough to be considered as not malicious, but contain undesirable characteristics, which can be boarder line malicious. Their features can be used maliciously, if the app developer chooses to do so.
Information hungry apps
App developers are allowed to request access to certain functionalities and data on your phone so their app can function properly. For example, a map app can request permission to access your location, to provide you with directions from your current location to your desired destination. Some app developers, however, take advantage of permissions by either requesting additional information or completely irrelevant access from what their app requires.
In March, I found an app that did just this, and at the time of its discovery, it was available on the Google Play Store. The app was called Camera Nocturna, a night vision app that requested much more than access to the phone’s camera. By accepting Camera Nocturna’s permissions, the app also gained access to contacts and the permission to write SMS, which it used to send premium SMS behind users’ backs. The app has since been removed from the Google Play Store.
Always use caution when downloading apps, and pay careful attention to the permissions the app requests. If the permissions don’t seem to match the app’s functionalities, don’t accept them. Google has recently changed the Android permissions section in the hopes of making app permission requests simpler. Despite this, app downloaders should remain cautious. The change by Google groups permissions into categories. This allows apps to receive new permissions automatically, without being explicitly granted permission by the user if the permission falls under the same category as a permission that was previously granted by the user.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter, Google+ andInstagram. Business owners – check out our business products.
The World Cup in Brazil is just two weeks away, are you in the soccer spirit? The AVAST mobile malware team and I have tournament fever and have been downloading games and other soccer related apps from the Google Play store. We unfortunately noticed that some of the fun apps we downloaded weren’t as entertaining as we thought they would be…
AVAST detects fake soccer gaming app: Android:FakeViSport
Some of the Android gaming apps we downloaded primarily displayed ads instead of letting us play. Let me just point out a few from many. We were unable to play Corner Kick World Cup 2014 at all because it displayed nothing but a white screen, with ads popping up now and then. This app struck me as odd from the get go. When I checked the size of the app I noticed it was really tiny, less than 1MB. What kind of game can you expect from an app this size?! What is even more interesting is that the game is made by a developer called VinoSports. If you check the rest of his apps offered on Google Play they are all the same – just blank applications stuffed with advertisements.
This is unfortunately a quite common and sneaky way for developers to make some money. With applications like this, the only person who benefits from them are the developers. They may get some money if you actually click on the ads their apps display. We decided to block apps from VinoSports. From now on, they will be detected as Android:FakeViSport. They are fake applications in that they pretend to be something desirable, but they aren’t.
Some apps are in the gray zone
The second app I would like to mention is Fifa 2014 Free – World Cup. The app comes from a pretty big developer, “Top Game Kingdom LLC”, who has plenty of apps on Google Play and other stores. This however does not mean the app should be trusted. Fifa 2014 Free – World Cup, can be considered, at the very least, suspicious.
As for the app Football World Cup 14: The application’s installation package name doesn’t have anything to do with the name of the app itself. The app is called Football World Cup 14, yet its installation package is called “com.topgame.widereceiverfree”.Football World Cup 14, also known as “Widereceiverfree” requests access to information that has nothing to do with the app’s function, like location, call log, and to other accounts on the phone.
Weirdly enough the Football World Cup 14′s developer has even more applications on the market, most of them behave similarly. They pretend to be something different than what they really are. In the end you might get something that can be considered a game, a game with plenty of obstacles such as and with permissions that could easily misuse personal information.
Apps that display ads are not necessarily malicious. Plenty of apps, especially free apps, are funded by ads. They can, however, be annoying, particularly when they don’t go away and prevent you from using the app itself. Apps that access more information from your phone than they need to function seem harmless, especially since there is no visible evidence of this happening, but they can cause more harm than you may think.
We recommend you to take a closer look at the apps you download during tournament time, be it gaming apps, live streaming apps or apps that allow you to bet for your national team, to make sure you stay safe and as ad free as possible!
Things to look out for when downloading apps:
- Make sure you download from official apps markets. Many of our mobile malware samples come from unofficial app markets, only very few come from the official Google Play store.
- Download official apps you can trust. Google Play is an open and developer friendly platform, which is why it contains a plethora of apps. We totally understand why people are sometimes overwhelmed with all the apps they can choose from, we found over 125 vuvuzela apps on Play! We recommend users play it safe and download official apps from developers they can trust. Trusted developers appreciate their users, meaning they want to provide them with a quality product, not one that is flooded with apps. FIFA has a great live score/news appand EA Sports has an official FIFA gaming app.
- Compare app functionalities to the access they request. Some apps need access to certain data on your device, a map app needs access to your location so it can give you directions. App access requests start becoming suspicious when for example your vuvuzela app wants access to your location. Unless your new vuvuzela app uses your location to determine what country you are in to then play your country’s national anthem, why does it need to know your location? Always be cautious when giving apps access and make sure the requests make sense depending on what the app does. You don’t want to carelessly hand over sensitive information that could later be used against you.
- Read user comments. You can’t always trust what people write online, but if multiple people really appreciate or dislike an app you can get a good idea of whether or not you should download it based on the feedback they give.
Our mobile security app avast! Mobile Premium has an Ad Detector feature. Ad Detector finds out which apps are linked to ad networks and provides details of their tracking system, so you have a full overview of all the ad networks contained within your apps.
You can download avast! Mobile Security for free from Google Play or for additional features, like Ad Detector, you can download avast! Mobile Premium for $1.99 a month.
Today one of our colleagues came into our office and said, “Hey guys, I’ve been infected.” I thought to myself, yeah, how bad can this be? After a bit of digging we found the results were worth it; it turned out to be a really “interesting ” case of mobile redirected threats localized for each country.
All you need is one bad IP
The case was brought to us by Jakub Carda, a fellow AVAST employee who enjoys blogging in his free time. His WordPress site was compromised through a vulnerability in WordPress, more precisely OptimizePress. OptimizePress is a WordPress plugin that fully integrates itself into the WordPress CMS, helping bloggers optimize their blog’s design. A tiny mistake in the code of a file located in: lib/admin/media-upload.php made it possible for pretty much anyone to upload harmful content onto people’s WordPress sites, and plenty of websites have been compromised because of this.