Mid January we informed you of a data-stealing piece of Android malware called Fobus. Back then Fobus mainly targeted our users in Eastern Europe and Russia. Now, Fobus is also targeting our users in the USA, United Kingdom, Germany, Spain and other countries around the world.
Fobus can cost its unaware victims a lot of money, because it sends premium SMS, makes calls without the victims’ knowledge and can steal private information. More concerning is that Fobus also includes hidden features that can remove critical device protections. The app tricks users into granting it full control of the device and that is when this nasty piece of malware really begins to do its work. You can find some more technical details and analysis of Fobus in our previous blog post from January.
Today, we decided to look back and check on some of the data we gathered from Fobus during the last six months. We weren’t surprised to find out that this malware family is still active and spreading, infecting unaware visitors of unofficial Android app stores and malicious websites.
The interesting part of this malware is the use of server-side polymorphism, which we suspected was being used back in January but could not confirm. We have now confirmed that server-side polymorphism is being used by analyzing some of the samples in our database. Most of these have not only randomly-generated package names, but it also seems that they have randomly-generated signing certificates.
Malware authors like to play hide-and-seek. Hiding executable files inside PDFs and Microsoft Office documents then emailing them as attachments are nothing new, but sometimes one layer isn’t enough. This Avast Virus Lab analysis peels back the layers of a new threat.
Malware authors continually surprise us with their creativity. In an effort to trick banking customers into revealing the login credentials for their online account, cycbercrooks are using the trust people have in Microsoft Office to make them execute banking malware on their own computers. Here’s how it works:
Typically, spam emails contain executable files that can harm a victim’s computer and steal private information. In the layered version, they have PDFs or Microsoft Office documents attached that contain a malicious executable file. We recently found an email that had an added layer and decided to analyze the email.
The email, disguised as a financially-related message from a legitimate company, informed the recipient that an invoice was due and had a PDF file attached. Embedded inside the malicious PDF was a Microsoft Office document and simple java script that dropped and executed the DOC file.
Inside the DOC file we found malicious macro code, which users must activate, as the code is disabled by Microsoft Office by default. The code obfuscates DOC files by creating new documents with unique methods names, variable names, and URLs, making it difficult to detect the malicious files.
When we analyzed the malicious macro code, we found some hints that helped us with our analysis. In this sample it was a function called MICHEL.
We already knew this function would open the URL with the malicious file, and when we found this function in one of the modules, we were able to find the download path.
The address is stored as a GUADALUPE variable. The URL is unique for each sample and leads to the download of a malicious PE file.
The PE file would act as an information stealer, stealing login credentials from banking sites like
- Santander, whose principal market is in the Northeastern United States
- Ulster bank, based in Ireland
- From Google accounts
How to protect yourself from banking malware
Our number 1 recommendation is keep your security software updated. Avast streams hundreds of updates every day to your devices, so you will stay protected. For example, the executable file downloaded by the malicious Microsoft Office document belongs to a banker family evolved from infamous Zeus. This variant is also known as a Dridex Botnet. At the time of writing this post, the botnet is still active, but the malware itself is inactive. Avast detects it as Win32: Pierre-A.
Clever cybercrooks use social engineering to manipulate their victims. Use extreme caution when opening emails related to your finances until you can verify the legitimacy.
Samples related to this analysis:
Android Malware Xbot Spies on Text Messages
In the past few weeks, the Avast Mobile Security analysts have been focusing on Android malware which targets users in Russia and Eastern Europe. One of the families that caught our interest was the Xbot malware.
The name Xbot comes from the sample itself as the string Xbot was found in all variants of this malware. Xbot uses a variety of names and package names but this string was, with different levels of obfuscation, in every single file we analyzed so we decided to name the malware after it.
Xbot is not an app itself, but is included in different apps. We didn’t identify it in apps available on Google Play, but on local Russian markets like www.apk-server12.ru. Users in Eastern Europe use markets other than Google Play more than West European and U.S. users do, that might be one of the reasons why the cybercriminals chose this distribution channel. Xbot tries to hide behind apps that look like legit apps, like Google Play or the Opera Browser. It collects tons of permissions which allows it to spy on user’s SMS and the malware could potentially spy on people’s phone calls in the future, too. It also sends premium SMS behind the user’s back, so basically it is malicious through-and-through.
From the beginning of February we have seen 353 Unique Files with more than 2570 Unique Install GUIDs. These numbers are not the highest ones we’ve ever seen but still, it allows us, unfortunately, to see the potential of Android malware and social engineering.
The author hides a message
One interesting thing we discovered is that the malware author is not shy about expressing his anger with the antivirus companies who detect his masterpiece. Sometimes we find embedded messages addressed to Malware analytics. This one is quite strong. See if you can spot it: //9new StringBuilder (“FUCK_U_AV” )).append(“1″).toString();. Messages like this are nothing new in malware samples because security companies like Avast can really cut into the bad guys’ income from this type of malware.
The author tries to cover his tracks
As a part of anti-analysis protection, the author(s) try to obfuscate these samples to make them harder to read. But this protection is fairly simple, as it usually consists of adding additional junk characters which are excluded at runtime or the Proguard, which mangles the method names and file structure. Read more…
One small Android application shows lots of determination and persistence. Too bad it’s evil.
The year 2014 was significant with a huge rise in mobile malware. One of the families impacting our users was malware Fobus, also known as Podec. This malware poses as a more or less useful application, but for sure it won’t be what the user expects. This malware usually has two language versions, English and Russian, and applications seem to be generated automatically.
All that, and a bag of chips
From the permissions in the manifest, we can see that once Fobus is installed on the victim’s device it cannot only send SMS and call premium numbers, which may cost a lot of money, but it also works as Spyware and can steal personal data from the infected device. That’s a lot of bad stuff packed into one small application.
Next up is a bit more technical stuff. If you are really eager, skip to Me thinks that something is amiss section to see how it works. Read more…
avast! Virus Lab infographic shows how prolific and wide-spread Browser Ransomware attacks have been over the last three months.
During December I wrote about the tricks and tactics of Browser Ransomware. Browser Ransomware is malware that works in different types of browsers to prevent people from using their PCs. To get access back to their own PC, the victim of this malware must pay a ransom to unblock it. The key to success for this attack is its translations into many different languages, giving the cybercrooks a bigger pool of potential victims.
Today I would like to look back on Browser Ransomware attacks and share some data from our avast! CommunityIQ with you.
We detect Ransomware attacks using several different methods. The detections I checked were created January 30, 2014. I was really surprised at the huge impact this attack has had on AVAST users.
- In a little under 3 months, AVAST protected more than a half million unique users around the world from Ransomware attacks.
- In the past 6 weeks, AVAST users have unknowingly visited a site with Ransomware on it over 18 million times.
- During last 24 hours, AVAST stopped redirection from infected sites to sites hosting Ransomware for more than 18,000 unique users. Read more…
It’s not surprising that scared people are the most vulnerable to attacker’s traps, and there is no reason to think it will work differently with computer users. Using this psychology, cybercrooks show an unaware victim an alert page claiming to have found that banned pornography was viewed or stored on their computer. The message goes on to say their computer is blocked, all their data is encrypted, and they will be sent to court in 48 hours unless they pay a fine. This is basically how ‘Ransomware’ works – scare tactics with a convenient way to buy yourself out of the predicament at the end.
When we look closer at the scam, we find that the Ransomware is focused only on the victim’s browser and fortunately, not as they claim, on the data stored inside the victim’s computer. Here are several points that work together to scare the victim:
- The headline of the webpage: “FBI. ATTENTION! Your browser has been blocked…”. This is the part of the attack that tries to scare visitors as much as possible.
- The name of the page, “gov.cybercrimescenter.com”, tries to convince visitors they are on a legitimate website which belongs to the government.
- A countdown timer starts on 48 hours and counts down the time before “legal steps” starts.
These points try to rush panicked victims into paying the requested money as soon as possible without time to think. But it’s better to take a deep breath before reacting. You know you didn’t watch the movies mentioned on the page, and of course, you didn’t store illegal files. Do you really think that upon identifying a child pornographer, that the government will tell them to pay a small amount of money as a fine and let them go?
Several days ago we received a complaint about javascrpt.ru. After a bit of research, we found that it tries to mimic ajax.google.com and jquery, but the code is an obfuscated/packed redirector.
After removing two layers of obfuscation, we found a list of conditions checking visitors’ user Agent. From these conditions. we got a clue and focused on mobile devices.
Today, I received an email from one of my coworkers (yes, even careful employees of security vendors are in danger:) ). This email has more recipients and contains only one link, without any text or subject.
Fortunately, I am a really paranoid person about emails containing only a link to an unknown site. At this link, you can notice two really suspicious things: The directory is images and there’s a file called yahoo12.php. That should warn users to avoid clicking on this link.
The phishing scam creators are really getting creative. Of course one could question their targeting such in this case. Czech republic is known for our quite lenient view of laws and rules and – especially – the need to pay (or the lack of there off) of any fines especially when imposed by so called municipal police. Who would bother… Hence, an email urging to pay a fine is normally filed directly into the ‘round file’. Known as trash. Well in this case… there actually might be a good reason to look at this closely Read more…
Recently, we’ve noticed that there are too many legitimate domains popping up in our url filters with malware. At first we thought we had a huge false-positive (FP) problem, but after analysis we found a pattern.
All of the referring links came from the Russian Odnoklassniki server, which is a quite-popular Russian social network. Users of that network are getting fake messages with links to photos.