In mid-January we informed you of a data-stealing piece of Android malware called Fobus. Back then Fobus mainly targeted our users in Eastern Europe and Russia. Now, Fobus is also targeting our users in the USA, United Kingdom, Germany, Spain and other countries around the world.
Fobus can cost its unaware victims a lot of money, because it sends premium SMS, makes calls without the victims’ knowledge and can steal private information. More concerning is that Fobus also includes hidden features that can remove critical device protections. The app tricks users into granting it full control of the device and that is when this nasty piece of malware really begins to do its work. You can find some more technical details and analysis of Fobus in our previous blog post from January.
Today, we decided to look back and check on some of the data we gathered from Fobus during the last six months. We weren’t surprised to find out that this malware family is still active and spreading, infecting unaware visitors of unofficial Android app stores and malicious websites.
The interesting part of this malware is the use of server-side polymorphism, which we suspected was being used back in January but could not confirm. We have now confirmed that server-side polymorphism is being used by analyzing some of the samples in our database. Most of these have not only randomly-generated package names, but it also seems that they have randomly-generated signing certificates.
ASUS, the third largest consumer notebook vendor in the world, has selected Avast Mobile Security to be pre-loaded on its new line of Android powered tablets.
These tablets, called ZenPad, will be debuted at the upcoming Computex in Taiwan this June. The much anticipated 7-inch ZenPad 7 will give customers 12 months of Avast Mobile Security and allow free access to premium versions of Avast Backup and Avast Anti-theft.
Tomáš joined Avast in March 2014 as a Product Manager for Avast Mobile Security. Born in Čáslav, a small town in central Bohemia, he moved to Prague during high school with plans to study at the Police Academy of the Czech Republic. After a while, Tom decided he wanted to study and work in IT instead. After gaining experience while working at a successful Czech startup, taking on jobs as a freelancer and starting his own company focused on cloud document management, Tom joined Avast’s mobile team. In his free time, Tom enjoys climbing, cycling, writing and restoring his classic Škoda 1000 MB car.
1. What is Avast’s mobile team out to accomplish?
We’d like to become the most trusted mobile tools developer, allowing users to live their lives with their mobile devices safely and more easily.
2. Who or what helps you in coming up with new, creative ideas?
My colleagues are a huge inspiration to me. That’s one thing that I really enjoy about working at Avast – anyone and everyone can come up with new ideas to brainstorm. We are one big think tank.
3. What’s one thing that every user should know about his/her mobile device?
Users should be aware of the risks that mobile malware poses to their personal information and data. Although malware on mobile devices is less likely to break a user’s device than that of a PC, malicious apps can harvest and steal a lot of personal data. Even apps that aren’t malicious (often free apps) can access a lot of personal information. The more personal info that is shared, the more likely it is that a user’s privacy could become compromised.
4. What’s your favorite security tip?
Make sure to be careful when connecting to public Wi-Fi networks. Packet sniffing, or the monitoring of data traveling over a network, can be used to steal information and is very easy for hackers to carry out. It’s in your best interest to use a virtual private network (VPN) when connecting to unsecured networks.
5. Name one goal you’ve set for yourself at Avast.
I’d like to see Avast Mobile Security (AMS) become the most popular app that provides users with a straightforward, user-friendly overview of app permissions. AMS is an extremely versatile app with lots of potential, and I envision it serving as a true “guarding angel” for users, protecting them against mobile malware and allowing them to become familiar with the apps they use on a daily basis.
Avast’s mobile team recently held the second Avast Mobile Internal Conference (AMIC) in Prague, where the entire team came together to keep one another in the loop about the company’s apps and products, team activities, and goals for the department’s future. A series of lectures and interactive activities encouraged synergy and collaboration between product teams. In addition to everything that was accomplished at AMIC, the mobile team still managed to have quite a bit of fun at the conference. We’d like to congratulate the mobile department on this successful and productive event!
Mobile is attractive to cybercrooks
Our mobile phones are fantastic little devices — these days, they’re as powerful as a regular computer and can accomplish nearly all the same things. While this is convenient for us, it also gives cybercrooks a relatively easy in-road to your private data and financial information. As 2015 rolls along, consumers continue to become more aware of mobile security options available to them, since they will increasingly use mobile apps that contain sensitive banking, financial, and personal health information.
Last year, more than 1 billion Android devices were shipped out to customers around the world. With Android winning the majority of the smartphone market, it offers a tempting target to malware authors. The average user is not especially concerned about being infected with a virus on their phone or tablet, but unfortunately, mobile malware is more than just a myth. Avast currently has more than one million samples of mobile malware in its database, with 2,850 new mobile threats being created every day by hackers.
Even if you think your chances of being infected with malware are low, we suggest that you go ahead and install a good mobile antivirus software. The great thing about Avast Mobile Security is that it’s free, so your investment is minimal – just a few minutes of setup and you’re ready to go.
Avast Mobile Security includes antivirus protection which scans your apps to see what they are doing, and a Web shield that scans URLs for malware or phishing. Malicious apps allow malware to enter your phone, so it’s good to have Avast on your side to detect when a bad one slips by on Google Play or another app store.
Avast Mobile Security did not commit any mistakes when tested with 1,932 legitimate apps from the Google Play Store and 981 legitimate apps from third party app stores. In addition, all this protection, according to AV-TEST, did not “impact the battery life”, or “slow down the device during normal usage”, and “does not generate too much traffic”.
To compare the choices of mobile antivirus software, you can look at the January 2015 “Mobile Security Test” conducted by the independent labs at AV-TEST. They looked at 31 popular Android security apps. Avast Mobile Security tops the list because it detected 100% of malicious apps without any impact on the battery life or slowing down of the device.
AMS Referral Program
In the latest update of Avast Mobile Security, we added a referral program, so you can recommend Avast Mobile Security to your friends and family. Not only can you recommend the best mobile security app available on Google Play, but you will be rewarded for doing so; you can earn up to three months of Avast Mobile Premium for free!
Here is how it works: For every five friends you send an SMS to recommending Avast, you get one free month of Avast Mobile Premium. Cool, huh?
There you have it — we’re huge fans of Avast Mobile Security, and we think you will be too. Download Avast Mobile Security for free on Google Play.
Android Malware Xbot Spies on Text Messages
In the past few weeks, the Avast Mobile Security analysts have been focusing on Android malware which targets users in Russia and Eastern Europe. One of the families that caught our interest was the Xbot malware.
The name Xbot comes from the sample itself as the string Xbot was found in all variants of this malware. Xbot uses a variety of names and package names but this string was, with different levels of obfuscation, in every single file we analyzed so we decided to name the malware after it.
Xbot is not an app itself, but is included in different apps. We didn’t identify it in apps available on Google Play, but on local Russian markets like www.apk-server12.ru. Users in Eastern Europe use markets other than Google Play more than West European and U.S. users do, which might be one of the reasons why the cybercriminals chose this distribution channel. Xbot tries to hide behind apps that look like legit apps, like Google Play or the Opera Browser. It requests tons of permissions, which allow it to spy on users’ SMS messages, and the malware could potentially spy on people’s phone calls in the future, too. It also sends premium SMS behind the user’s back, so basically it is malicious through-and-through.
From the beginning of February we have seen 353 Unique Files with more than 2570 Unique Install GUIDs. These numbers are not the highest ones we’ve ever seen, but they still allow us, unfortunately, to see the potential of Android malware and social engineering.
The author hides a message
One interesting thing we discovered is that the malware author is not shy about expressing his anger with the antivirus companies who detect his masterpiece. Sometimes we find embedded messages addressed to malware analysts. This one is quite strong. See if you can spot it: //9new StringBuilder ("FUCK_U_AV" )).append("1").toString();. Messages like this are nothing new in malware samples because security companies like Avast can really cut into the bad guys’ income from this type of malware.
The author tries to cover his tracks
As a part of anti-analysis protection, the author(s) try to obfuscate these samples to make them harder to read. But this protection is fairly simple, as it usually consists of adding junk characters, which are excluded at runtime, or of using ProGuard, which mangles the method names and file structure.
Avast Mobile Security includes many handy anti-theft features that can help you locate your stolen or lost phone. You can wipe it remotely, it informs you if your SIM card has been stolen, and even allows you to take pictures of the person who took your phone. Another cool feature of Avast Anti-Theft is the siren. I decided to test the siren with my friend, who had just downloaded Avast Mobile Security, to see how it could affect a phone thief.
What does the Avast Anti-Theft siren do?
The Avast Anti-Theft siren was developed by the Avast mobile team to be activated when you either lose your phone (even if it is misplaced in your room and on silent) or if it gets stolen. The siren continuously and loudly says the following, by default, when activated: “This device has been lost or stolen!”. In the advanced settings of Avast Mobile Security you can customize what message the siren will sound, if you do not want to use the pre-set message. You can do this under “Select Sound File” or “Record Siren Sound”.
The siren is designed to frighten phone thieves, or to warn people surrounding the thief that the phone might be in the hands of the wrong person. When the first siren cycle began, we tried to turn down the volume. However, the alarm would begin again at the loudest possible volume. We then decided to see what would happen if we took out the battery. This stopped the siren, of course, but as soon as we put the battery back in, the siren started to go off again. To say the least, we agreed that it would effectively frustrate and annoy a thief too.
How to turn off the siren
After a minute of testing the app, we decided to turn off the siren using one of these two possible methods:
MyAvast: You can control your phone remotely via your MyAvast account. In your MyAvast account you can keep track of all your devices that have Avast products installed on them. From within your MyAvast account you can send numerous Anti-Theft commands to your phone, including activating and deactivating the Anti-Theft siren. Once you are logged into your MyAvast account, click on the name of the mobile device you want to control and then click on the siren symbol. From there you can send a command to turn the siren on and off.
SMS command: Using the Avast PIN you set up when you downloaded Avast Mobile Security, you can send SMS commands to your phone to remotely control it. To turn the siren off, text your Avast PIN followed by “SIREN OFF” to your phone.
Have fun checking out Avast Mobile Security’s cool and handy Anti-Theft features, but, please, use caution when testing the siren
A couple of days ago, a user posted a comment on our forum regarding apps harboring adware that can be found on Google Play. This didn’t seem like anything spectacular at the beginning, but once I took a closer look it turned out that this malware was a bit bigger than I initially thought. First of all, the apps are on Google Play, meaning that they have a huge target audience – in English speaking and other language regions as well. Second, the apps were already downloaded by millions of users, and third, I was surprised that the adware led to some legitimate companies.
The Durak card game app was the most widespread of the malicious apps with 5 – 10 million installations according to Google Play.
When you install Durak, it seems to be a completely normal and well working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right?
Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action. However, if you approve, you get redirected to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back, or to apps that simply collect too much of your data for comfort while offering you no additional value.
An even bigger surprise was that users were sometimes directed to security apps on Google Play. These security apps are, of course, harmless, but would security providers really want to promote their apps via adware? Even if you install the security apps, the undesirable ads popping up on your phone don’t stop. This kind of threat can be considered good social engineering. Most people won’t be able to find the source of the problem and will face fake ads each time they unlock their device. I believe that most people will trust that there is a problem that can be solved with one of the apps’ advertised “solutions” and will follow the recommended steps, which may lead to an investment into unwanted apps from untrusted sources.
Avast Mobile Premium detects these apps, protecting its users from the annoying adware. Additionally, the apps’ descriptions should make users skeptical about the legitimacy of the apps. The descriptions, both in English and in other languages such as German, were written poorly: “A card game called ‘Durak’ – one of the most common and well known game”.
The apps’ SHA-256 hashes are the following: BDFBF9DE49E71331FFDFD04839B2B0810802F8C8BB9BE93B5A7E370958762836 9502DFC2D14C962CF1A1A9CDF01BD56416E60DAFC088BC54C177096D033410ED FCF88C8268A7AC97BF10C323EB2828E2025FEEA13CDC6554770E7591CDED462D
In November, we called on our awesome advanced mobile beta testers to test the latest version of Avast Mobile Security. We listened to their feedback carefully and are proud to announce that the latest version of Avast Mobile Security is now available to everyone!
What’s new in Avast Mobile Security?
First and foremost, we have completely redesigned the virus scanner, making it faster than ever (up to 50% faster!). Then we improved support for Intel-based devices, optimizing the virus scanner for the best performance possible.
Finally, we added a referral program, so you can recommend Avast Mobile Security to your friends and family. Not only can you recommend the best mobile security app available on Google Play, but you will be rewarded for doing so; you can earn up to three months of Avast Mobile Premium for free!
Here is how it works: For every five friends you send an SMS to recommending Avast, you get one free month of Avast Mobile Premium.
The new features in Avast Mobile Security are:
- A redesigned and faster than ever virus scanner (50% faster!)
- Improved support for Intel-based devices
- An awesome new referral program that rewards you for spreading the word about Avast Mobile Security!
How can I get the latest version of Avast Mobile Security?
If you don’t already have Avast Mobile Security, what are you waiting for?! Download it on Google Play now! Already have Avast Mobile Security? If you have enabled automatic updates in your Google Play settings, you are all set. If you don’t have automatic updates enabled in your Google Play settings, you can visit our app on Google Play and upgrade manually!
Have fun using Avast Mobile Security – we look forward to hearing your feedback!
We would like to extend a special thanks to our beta testers, your feedback plays an extremely important role in developing our products!
That’s good advice for hosting a Super Bowl party, going to a job interview, or if you lose your phone.
Not being prepared could prove disastrous in all three of those examples, but most people would agree that losing their phone with all the contacts, text messages, photos, and other irreplaceable data is worse than forgetting the Doritos or not answering an interview question well.
If you happen to lose your Android smart phone or tablet, or if someone steals it from you, do not despair. Our clever, FREE app, Avast Anti-theft, will help you find your phone and even catch the thief.
What is Avast Anti-Theft?
Avast Anti-Theft is a free standalone application designed for Android smart phones and tablets. Its main purpose is to help you locate your lost or stolen mobile device, allowing you to track it on a map and control it remotely. Since Anti-Theft is a separate application from Avast Mobile Security & Antivirus, it is completely invisible when it is running so that thieves don’t even know it’s there.
This infographic explains what you can do with your phone if you discover that it’s missing.
Locate your device on a map
Remotely locate your phone via GPS, Wi-Fi, or mobile network – for maximum accuracy.
Remotely lock your phone
Remotely lock your phone to prevent access to your personal data and settings.
Activate a siren remotely
Activate a loud, customizable siren, which reverts to maximum volume if thieves try to silence it.
If you spring for the paid version of Avast Anti-Theft, you get some additional, powerful features.
Take a photo of a would-be thief
You can set your device to lock access and take a picture of the person attempting to unlock it after three failed tries.
Remote data retrieval from your device
Retrieve call logs, SMS messages, and other personal data from your phone.
Avast Anti-Theft is available on Google Play, where it can be downloaded for free.
Losing contacts from your mobile phone is highly inconvenient. There seems to be a solution: you can find them online! The catch? Your contacts are in a publicly accessible place.
If you care for your privacy you should always be suspicious about “Cloud Backup” solutions you find in the Google Play Store. The solution that is being analyzed here backs up your personal contacts online. In public.
Upon starting the application, you will find a screen where you can put your mobile number and a password of your choice. Then you can upload your contacts in the cloud.
A brief analysis inside this application shows us how exactly it backs up your contacts in the cloud. The contacts are associated with the phone number that you have given in the previous step and they are sent through HTTP POST requests to a PHP page.
Further analysis through traffic capturing with Fiddler helped us discover the results in the pictures above: a page located online, for anyone to see, that contains thousands of unencrypted entries of phone numbers and passwords. Using the info in the app you can retrieve personal private data (contacts) from another user.
We found login data inside those entries from countries like Greece, Brazil, and others.
The Play Store page says that this app has been installed 50.000-100.000 times. This is a big number of installations for an application that doesn’t follow basic secure Android coding practices. The developer must use technologies like HTTPS, SSL and encryption on the data that are transferred through the web and stored in the server. Nogotofail is a useful network security testing tool designed by Google “to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way.”
Avast detects it as Android:DataExposed-B [PUP].
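A check for the transport problem described in this post, as an added example (not code from the original article or from the analysed app): it scans a constructed traffic capture for unencrypted HTTP requests that carry credential-like fields, in POST bodies or in query strings. The hosts, paths, field names and values are hypothetical, and the field-name pattern is an assumption to tune for the app under test.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Field names treated as sensitive (assumed pattern, not taken from the app).
SENSITIVE = re.compile(r"pass|pwd|phone|msisdn|contact", re.I)

# Constructed sample capture, reduced to the fields this check needs.
CAPTURE = [
    {"method": "POST", "url": "http://backup.example.test/upload.php",
     "content_type": "application/x-www-form-urlencoded",
     "body": "phone=15555550100&password=hunter2&contacts=Alice%3A15555550101"},
    {"method": "POST", "url": "https://api.example.test/v1/login",
     "content_type": "application/x-www-form-urlencoded",
     "body": "phone=15555550100&password=hunter2"},
    {"method": "GET",
     "url": "http://backup.example.test/restore.php?phone=15555550100&pwd=hunter2",
     "content_type": "", "body": ""},
    {"method": "GET", "url": "http://cdn.example.test/logo.png",
     "content_type": "", "body": ""},
]


def mask(value):
    """Keep a finding reportable without copying the secret into the report."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def cleartext_findings(capture):
    """Return one finding per unencrypted request that carries sensitive fields."""
    findings = []
    for req in capture:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue  # TLS-protected requests are not readable on the wire
        # Query-string parameters leak in cleartext just like a POST body does.
        fields = parse_qsl(parts.query, keep_blank_values=True)
        if req["content_type"].lower().startswith("application/x-www-form-urlencoded"):
            fields += parse_qsl(req["body"], keep_blank_values=True)
        hits = {name: mask(value) for name, value in fields if SENSITIVE.search(name)}
        if hits:
            findings.append({"method": req["method"], "host": parts.hostname,
                             "path": parts.path, "fields": hits})
    return findings


if __name__ == "__main__":
    for f in cleartext_findings(CAPTURE):
        print(f"{f['method']} http://{f['host']}{f['path']} exposes {sorted(f['fields'])}")
```

This covers data in transit only; the unencrypted storage on the server that the post also describes needs a separate review of the backend.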