Protecting over 230 million PCs, Macs, & Mobiles – more than any other antivirus


Author Archive
November 5th, 2015

DroidJack isn’t the only spying software out there: Avast discovers that OmniRat is currently being used and spread by criminals to gain full remote control of devices.

There’s more than one RAT

On Friday, I discovered OmniRat, a program similar to DroidJack. DroidJack is a program that facilitates remote spying and recently made news when European law enforcement agencies made arrests and raided the homes of suspects as part of an international malware investigation.

OmniRat and DroidJack are RATs (remote administration tools) that allow you to gain remote administrative control of any Android device. OmniRat can also give you remote control of any Windows, Linux or Mac device. Remote administrative control means that once the software is installed on the target device, you have full remote control of the device.

On their website, OmniRat lists all of the things you can do once you have control of an Android, which include: retrieving detailed information about services and processes running on the device, viewing and deleting browsing history, making calls or sending SMS to any number, recording audio, executing commands on the device and more.


Read more…

July 24th, 2015

Malware that Just Won’t Give Up on Google Play

A team of malware authors is playing a cat and mouse game with Google. The game goes like this: they upload their malware, Google Play quickly takes it down, they upload a new mutation and Google takes it down. Current status of the game: the malware is back on Google Play. So far, the malicious apps have infected hundreds of thousands of innocent victims.

In April, we discovered porn clicker malware on Google Play posing as the popular Dubsmash app.

Mutant malware

Two days ago, we reported that a mutation of the porn clicker malware, created by a Turkish group of malware authors, made its way back onto Google Play, but have since been removed from the Play Store.

Once the apps were downloaded they did not do anything significant when opened by the user, they just showed a static image. However, once the unsuspecting victim opened his/her browser or other apps, the app began to run in the background and redirect the user to porn sites. Users may not have necessarily understood where these porn redirects were coming from, since it was only possible to stop them from happening once the app was killed. Fellow security researchers at Eset reported that more apps with this mutation were on Google Play earlier this week. Eset also reported that the original form of the malware was uploaded to Google Play multiple times in May. Our findings combined with that from Eset, prove that these malware authors are extremely persistent and determined to make Google Play a permanent residency for their malware.

I’ll be back…

Read more…

Comments off
February 10th, 2015

Mobile Crypto-Ransomware Simplocker now on Steroids

In June 2014, we told you about mobile ransomware called Simplocker that actually encrypted files (before Simplocker, mobile ransomware only claimed to encrypt files to scare users into paying). Simplocker infected more than 20,000 unique users, locking Android devices and encrypting files located in the external storage. Then, it asked victims to pay a ransom in order to “free” the hijacked device. It was easy to decrypt the files affected by this variant of Simplocker, because the decryption key was hardcoded inside the malware and was not unique for each affected device.

Dangerous unique keys

keyBut now there is a new, more sophisticated variant of Simplocker in town that has already infected more than 5,000 unique users within days of being discovered. The reason why this variant is more dangerous than its predecessor is that it generates unique keys for each infected device, making it harder to decrypt infected devices.

To use an analogy, the original variant of Simplocker used a “master key” to lock devices, which made it possible for us to provide a “copy of the master key” (in the form of an app, Avast Ransomware Removal) to unlock already infected devices. The new variant however, locks each device with a “different key” which makes it impossible to provide a solution that can unlock each infected device, because that would require us to “make copies” of all the different “keys”.

Why would anybody install Simplocker?!

The reason why people install this new variant of Simplocker is because it goes undercover, meaning people don’t even realize that what they are installing is ransomware!

Fake Flash

Tricky Simplocker pretends to be a real app.


In this case, the new variant of Simplocker uses the alias “Flash Player” and hides in malicious ads that are hosted on shady sites. These ads mostly “alert” users that they need Flash Player installed in order to watch videos. When the ad is clicked on, the malicious app gets downloaded, notifying the user to install the alleged Flash Player app. Android, by default, blocks apps from unofficial markets from being installed, which is why users are notified that the install is being blocked for security reasons.
Device Admin Request


Users should listen to Android’s advice. However, users can go into their settings to deactivate the block and download apps from unknown sources. Once installed, a “Flash Player” app icon appears on the device and when it is opened the “Flash Player” requests the user grant it administrator rights, which is when the trouble really begins.

As soon as the app is granted administrator rights, the malware uses social engineering to deceive the user into paying ransom to unlock the device and decrypt the files it encrypted. The app claims to be the FBI, warning the user that they have found suspicious files, violating copyright laws demanding the user pay a $200 fine to decrypt their files.

device-2015-02-05-143216  FBI warning is an example of social engineering

What should I do if I have been infected?

We do NOT recommend you pay the ransom. Giving into these tactics makes malware authors believe they are succeeding and encourages them to continue.

If you have been infected by this new strain of Simplocker, back up the encrypted files by connecting your smartphone to your computer. This will not harm your computer, but you may have to wait until a solution to decrypt these files has been found. Then boot your phone into safe mode, go into the administrator settings and remove the malicious app and uninstall the app from the application manager.

Avast protects users against Simplocker

Avast Mobile Security protects users against both the old and new variant of Simplocker, the new variant is detected as: Android:Simplocker-AA.

A more technical look under the hood:

As the fake FBI warning is being shown to users, the malware continues working in the background, doing the following: Read more…

December 3rd, 2014

Is backing up your data the same as exposing it? In this case – Yes!

Losing contacts from your mobile phone is highly inconvenient. There’s seems to be a solution -  You can find them online! The catch? Your contacts are in a publicly accessible place.

1playstore photo


If you care for your privacy you should always be suspicious about “Cloud Backup” solutions you find in the Google Play Store. The solution that is being analyzed here backs up your personal contacts online. In public.

Upon starting the application, you will find a screen where you can put your mobile number and a password of your choice. Then you can upload your contacts in the cloud.


A brief analysis inside this application shows us how exactly it backs up your contacts in the cloud. The contacts are associated with the phone number that you have given in the previous step and they are sent through HTTP POST requests in a PHP page.


Further analysis through IP traffic capturing with Fiddler helped usdiscover the results in the pictures above; a page located online, for anyone to see, that contains thousands of un-encrypted entries of phone numbers and passwords. Using the info in the app you can retrieve personal private data (contacts) from another user.

4fiddlerinfo 5datafromserver

We found log in data inside those entries from countries like Greece, Brazil, and others

The Play Store page says that this app has been installed 50.000-100.000 times. This is a big number of installations for an application that doesn’t deliver the basic secure Android coding practices. The developer must use technologies like HTTPS, SSL and encryption on the data that are transferred through the web and stored in the server. Nogotofail is a useful network security testing tool designed by Google to “to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way.

6appinfoplaystore The application has been reported to Google without receiving any response.

Avast detects it as Android:DataExposed-B [PUP].

Samples (SHA-256):

F51803FD98C727F93E502C13C9A5FD759031CD2A5B5EF8FE71211A0AE7DEC78C 199DD6F3B452247FBCC7B467CB88C6B0486194BD3BA01586355BC32EFFE37FAB

May 7th, 2014

Fake government ransomware holding Android devices hostage

Ransomware, which has already made its rounds on Windows, is now increasingly targeting the Android operating system. A new piece of mobile malware claiming to be the government under the name Android: Koler-A is now targeting users.

We have full control of your phone – give us $300 and we’ll give it back

Obrázek 1-1

The ransomware is pushed automatically from fake porn sites visited by Android users via a malicious .apk file that appears in the form of an app. The innocent appearance of the app deceives users and is a powerful social engineering tactic used by malware developers to trick people into installing malicious apps. The form of delivery is not the only thing that makes the app suspicious and potentially dangerous, but the access it seeks are highly unusual and alarming. The ransomware requests full network access, permission to run at startup and permission to prevent the phone from sleeping. Once installed the granted access allows the ransomware to take control of the device. The full network access allows the malicious app to communicate over the web and download the ransom message that is shown on the captive device. The permission to run at startup and prevent the phone from sleeping fully lockdown the phone, preventing victims from escaping the ransom message.

The ransomware localizes fake government messages, depending on the users GPS location, accusing them of having viewed and downloaded inappropriate and illegal content. What does the ransomware do next? Demands ransom of course! The ransom to regain access to the device including all of its apps, which it claims are all encrypted, is set at around $300 and is to be paid through untraceable forms of payment such as MoneyPak.

avast! Mobile Security safeguards against ransomware

Both AVAST’s free and premium mobile security apps, avast! Mobile Security and avast! Mobile Premium, protect customers from falling for the devious apps containing ransomware. AVAST detects this ransomware under the name Android: Koler-A and blocks its execution.

We recommend that everyone be cautious when downloading apps, especially from unofficial app markets. We also urge users to not open any files that have been downloaded to their device without their consent. Always check what apps want to access and in addition to being cautious, we advise people download antivirus to protect their devices. This new ransomware appearing on Android is the perfect example of how malware is starting to move away from the PC environment and into our pockets and there are no signs of this slowing down.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news and product information, please follow us on Facebook, Twitter, Google+ and Instagram. Business owners – check out our business products.

Comments off
March 31st, 2014

The Gray-zone of malware detection in Android OS

Does the title of this blog post have a mysterious meaning? Not exactly.

In this first part about the gray-zone of Android malware detections, I will introduce the Android:SecApk, a detection regarding the protection that the App Shield (Bangcle) offers to Android applications (.apk). This detection has a big sample set that is still growing. Some SecApk wrapped samples that existed or still exist in the Google Play Store and third party stores, can be seen in the table below.


Name \ Info



\ PUP – An application to promote a specific movie. Potentially unwanted because of the extended permissions that was requested.

Current Status: Removed from Google Play



\PUP – A game that have potentially unwanted permissions that they can drive to loss of private personal info.



\PUP – A screensaver application that has permissions unrelated with the purpose of the app.



\Pup – This application is a tennis game. Potentially unwanted because of the extended permissions that was requested.



\Malware – This app steal personal data and SMS messages from the user.


The App Shield is an online service that, after a submission of an .apk, encrypts it and adds some layers of protection. The procedure of the encryption and protection of the apk will be discussed with more detail during the course of the second part of this blog post.

Starting with the submission process, a clean app named AvstTest.apk uploaded to the service. The exported .apk was renamed as AvstTest[SecApk].apk. In addition, apktool and dex2jar used accordingly to decode the .apk resources and convert the ‘.dex’ files to ‘.jar’.

Folder structure

  Read more…