Android Malware Xbot Spies on Text Messages
In the past few weeks, the Avast Mobile Security analysts have been focusing on Android malware which targets users in Russia and Eastern Europe. One of the families that caught our interest was the Xbot malware.
The name Xbot comes from the sample itself as the string Xbot was found in all variants of this malware. Xbot uses a variety of names and package names but this string was, with different levels of obfuscation, in every single file we analyzed so we decided to name the malware after it.
Xbot is not an app itself, but is included in different apps. We didn’t identify it in apps available on Google Play, but on local Russian markets like www.apk-server12.ru. Users in Eastern Europe use markets other than Google Play more than West European and U.S. users do, that might be one of the reasons why the cybercriminals chose this distribution channel. Xbot tries to hide behind apps that look like legit apps, like Google Play or the Opera Browser. It collects tons of permissions which allows it to spy on user’s SMS and the malware could potentially spy on people’s phone calls in the future, too. It also sends premium SMS behind the user’s back, so basically it is malicious through-and-through.
From the beginning of February we have seen 353 Unique Files with more than 2570 Unique Install GUIDs. These numbers are not the highest ones we’ve ever seen but still, it allows us, unfortunately, to see the potential of Android malware and social engineering.
The author hides a message
One interesting thing we discovered is that the malware author is not shy about expressing his anger with the antivirus companies who detect his masterpiece. Sometimes we find embedded messages addressed to Malware analytics. This one is quite strong. See if you can spot it: //9new StringBuilder (“FUCK_U_AV” )).append(“1″).toString();. Messages like this are nothing new in malware samples because security companies like Avast can really cut into the bad guys’ income from this type of malware.
The author tries to cover his tracks
As a part of anti-analysis protection, the author(s) try to obfuscate these samples to make them harder to read. But this protection is fairly simple, as it usually consists of adding additional junk characters which are excluded at runtime or the Proguard, which mangles the method names and file structure. Read more…
One small Android application shows lots of determination and persistence. Too bad it’s evil.
The year 2014 was significant with a huge rise in mobile malware. One of the families impacting our users was malware Fobus, also known as Podec. This malware poses as a more or less useful application, but for sure it won’t be what the user expects. This malware usually has two language versions, English and Russian, and applications seem to be generated automatically.
All that, and a bag of chips
From the permissions in the manifest, we can see that once Fobus is installed on the victim’s device it cannot only send SMS and call premium numbers, which may cost a lot of money, but it also works as Spyware and can steal personal data from the infected device. That’s a lot of bad stuff packed into one small application.
Next up is a bit more technical stuff. If you are really eager, skip to Me thinks that something is amiss section to see how it works. Read more…
avast! Virus Lab infographic shows how prolific and wide-spread Browser Ransomware attacks have been over the last three months.
During December I wrote about the tricks and tactics of Browser Ransomware. Browser Ransomware is malware that works in different types of browsers to prevent people from using their PCs. To get access back to their own PC, the victim of this malware must pay a ransom to unblock it. The key to success for this attack is its translations into many different languages, giving the cybercrooks a bigger pool of potential victims.
Today I would like to look back on Browser Ransomware attacks and share some data from our avast! CommunityIQ with you.
We detect Ransomware attacks using several different methods. The detections I checked were created January 30, 2014. I was really surprised at the huge impact this attack has had on AVAST users.
- In a little under 3 months, AVAST protected more than a half million unique users around the world from Ransomware attacks.
- In the past 6 weeks, AVAST users have unknowingly visited a site with Ransomware on it over 18 million times.
- During last 24 hours, AVAST stopped redirection from infected sites to sites hosting Ransomware for more than 18,000 unique users. Read more…
It’s not surprising that scared people are the most vulnerable to attacker’s traps, and there is no reason to think it will work differently with computer users. Using this psychology, cybercrooks show an unaware victim an alert page claiming to have found that banned pornography was viewed or stored on their computer. The message goes on to say their computer is blocked, all their data is encrypted, and they will be sent to court in 48 hours unless they pay a fine. This is basically how ‘Ransomware’ works – scare tactics with a convenient way to buy yourself out of the predicament at the end.
When we look closer at the scam, we find that the Ransomware is focused only on the victim’s browser and fortunately, not as they claim, on the data stored inside the victim’s computer. Here are several points that work together to scare the victim:
- The headline of the webpage: “FBI. ATTENTION! Your browser has been blocked…”. This is the part of the attack that tries to scare visitors as much as possible.
- The name of the page, “gov.cybercrimescenter.com”, tries to convince visitors they are on a legitimate website which belongs to the government.
- A countdown timer starts on 48 hours and counts down the time before “legal steps” starts.
These points try to rush panicked victims into paying the requested money as soon as possible without time to think. But it’s better to take a deep breath before reacting. You know you didn’t watch the movies mentioned on the page, and of course, you didn’t store illegal files. Do you really think that upon identifying a child pornographer, that the government will tell them to pay a small amount of money as a fine and let them go?
Several days ago we received a complaint about javascrpt.ru. After a bit of research, we found that it tries to mimic ajax.google.com and jquery, but the code is an obfuscated/packed redirector.
After removing two layers of obfuscation, we found a list of conditions checking visitors’ user Agent. From these conditions. we got a clue and focused on mobile devices.
Today, I received an email from one of my coworkers (yes, even careful employees of security vendors are in danger:) ). This email has more recipients and contains only one link, without any text or subject.
Fortunately, I am a really paranoid person about emails containing only a link to an unknown site. At this link, you can notice two really suspicious things: The directory is images and there’s a file called yahoo12.php. That should warn users to avoid clicking on this link.
The phishing scam creators are really getting creative. Of course one could question their targeting such in this case. Czech republic is known for our quite lenient view of laws and rules and – especially – the need to pay (or the lack of there off) of any fines especially when imposed by so called municipal police. Who would bother… Hence, an email urging to pay a fine is normally filed directly into the ‘round file’. Known as trash. Well in this case… there actually might be a good reason to look at this closely Read more…
Recently, we’ve noticed that there are too many legitimate domains popping up in our url filters with malware. At first we thought we had a huge false-positive (FP) problem, but after analysis we found a pattern.
All of the referring links came from the Russian Odnoklassniki server, which is a quite-popular Russian social network. Users of that network are getting fake messages with links to photos.
Not only users visiting high-risk sites need avast! protection, but also, for example, visitors of the well-known site samsungimaging.net (the Samsung SMART CAMERA blog) were able to notice that their avast! protected them from a threat.
Yesterday, on this site AVAST began to detect malicious Java content.
Social sites are great for people who want monetize theirs ideas. But sometimes these ideas are far more sinister.
Over the last few last weeks, researchers at the Avast antivirus labs in Prague have noticed new attack based on a combination of social sites, fake Flash Players and the promise of illicit videos of well-known Hollywood stars. Read more…