Protecting over 230 million PCs, Macs, & Mobiles – more than any other antivirus

Archive

Posts Tagged ‘Google Play’
April 24th, 2015

Porn clicker app slipped into Google Play imitating popular Dubsmash app

Everyone from celebrities like Lena Dunham to Hugh Jackman are using the (currently) seventh most popular app available on Google Play: Dubsmash. Dubsmash is an app with more than 10 million Google Play installations that lets users choose a sound, record a video to go along with the sound and send their dub to their friends or social media channels. Dubsmash is not only widely popular amongst teens and celebs, but the app has also caught the attention of malware authors.

Avast finds porn clicker app named Dubsmash 2 on Google Play

Google removed the rouge app after Avast notified them

Avast recently discovered “Dubsmash 2” (with the package name “com.table.hockes”) on Google Play – and no, it was not the bigger and better version of the original app. The app is a so called “porn clicker” and was installed 100,000-500,000 times from the Google Play Store. We contacted Google when we discovered the rogue app and it was removed from the Play Store shortly thereafter. Once the app was installed there was no evidence of an app named “Dubsmash 2” on the user’s device, instead the app installed an app icon named “Setting IS”. This is a common trick malware authors use to make it harder for the user to figure out which app is causing problems. This should also be the user’s first clue that something shady is going on. The “Settings IS” icon looked very similar to the actual Android Settings icon (see screenshot below).

The app’s mischievous activities could be triggered by two actions. The first possible way was by simply launching the “Settings IS” app and the second, which occurred only if the user had not yet launched the app, was via the BroadcastReceiver component within the app. BroadcastReceiver observed the device’s Internet connectivity and  if the BroadcastReceiver noticed the device was connected to the Internet, the app’s true functions would be triggered.

If the “Settings IS” app was opened by the user, the Google Play Store would launch to the actual “Dubsmash” app download page.

Porn clicker "Settings IS"

The rogue icon looked very similar to the Android Settings icon

Once activated, the app sent an HTTP GET request to an encrypted URL. If the request returned a string containing the character “1”  two services would begin to work: MyService and Streaming. Using this method the author could also effectively turn off the start of the services remotely.

The MyService service began by deleting the “Settings IS” app icon from the device’s main menu and scheduled a task to run every 60 seconds in the background of the device, meaning the user never realized that anything was happening. The task would download a list of links to various porn sites from an encrypted URL stored within the app, along with JavaScript execution code. One of the porn links from the list would be launched in the browser and after ten seconds, the JavaScript code (also downloaded from an encrypted URL) was executed, clicking further links within the porn site. In the case seen in the picture below, the function opened a random link from the web page.

Porn links app opened

The developer probably made money on pay-per-click ads.

The second service, the Streaming service, was fairly similar in structure to the MyService component in that it also scheduled a task to run every 60 seconds. The main difference to MyService, is that users could notice the Service tasks did not run secretly in the background. The task would check for changes in the device’s IP address or date. If either of them had changed, a video would launch in the device’s YouTube app. The YouTube app needed to be installed on the device for this to function properly. The video address was also obtained from an encrypted URL.

code_screen_1

The encrypted URLs used by the app

After decrypting and further examining the URLs and the video from YouTube, the Avast Virus Lab came to the conclusion that the malware most likely originated from Turkey. The developer’s name listed on Google Play and YouTube hint to this.

We suspect the app developer used the porn clicker method for financial gain. Through clicks on multiple ads within the porn sites, the app developer probably received pay-per-click earnings from advertisers who thought he was displaying their ads on websites for people to actually see.

Despite being undesirable, but basically harmless to the user and less sophisticated than other malware families such as Fobus or Simplocker, this app shows that although there are safeguards in place, undesirable apps that fool users can still slip into the Google Play store.

If you installed Dubsmash 2 (package name “com.table.hockes”), you can delete the app by going into Settings -> Apps -> find “Settings IS” and then uninstall the app.

The Avast Mobile Security application detects this threat as Android:Clicker. SHA-256 hash: de98363968182c27879aa6bdd9a499e30c6beffcc10371c90af2edc32350fac4

Thank you Nikolaos Chrysaidos for your help with the analysis :)

April 13th, 2015

Avast Mobile Security: What’s not to love?

Mobile is attractive to cybercrooks

Our mobile phones are fantastic little devices — these days, they’re as powerful and can accomplish nearly all the things a regular computer can. While this is convenient for us, it also gives cybercrooks a relatively easy in-road to your private data and financial information. As 2015 rolls along, consumers continue to become more aware of mobile security options available to them, since they will increasingly use mobile apps that contain sensitive banking, financial, and personal health information.

Last year, more than 1 billion Android devices were shipped out to customers around the world. With Android winning the majority of the smartphone market, it offers a tempting target to malware authors. The average user is not especially concerned about being infected with a virus on their phone or tablet, but unfortunately, mobile malware is more than just a myth. Avast currently has more than one million samples of mobile malware in its database, with 2,850 new mobile threats being created every day by hackers.

Even if you think your chances of being infected with malware are low, we suggest that you go ahead and install a good mobile antivirus software. The great thing about Avast Mobile Security is that it’s free, so your investment is minimal – just a few minutes of setup and you’re ready to go.

Avast Mobile Security includes antivirus protection which scans your apps to see what they are doing, and a Web shield that scans URLs for malware or phishing. Malicious apps allow malware to enter your phone, so it’s good to have Avast on your side to detect when a bad one slips by on Google Play or another app store.

Avast Mobile Security is a top-rated mobile security app.

When taking a look at Avast Mobile Security’s features, it’s easy to see why it’s a top-rated mobile security app.

AV-TEST All-Stars

Avast Mobile Security did not commit any mistakes when tested with 1,932 legitimate apps from the Google Play Store and 981 legitimate apps from third party app stores. In addition, all this protection, according to AV-TEST, did not “impact the battery life”, or “slow down the device during normal usage”, and “does not generate too much traffic”.

To compare the choices of mobile antivirus software, you can look at the January 2015 “Mobile Security Test” conducted by the independent labs at AV-TEST. They looked at 31 popular Android security apps. Avast Mobile Security tops the list because it detected 100% of malicious apps without any impact on the battery life or slowing down of the device.

AMS Referral Program

In the latest update of Avast Mobile Security, we added a referral program, so you can recommend Avast Mobile Security to your friends and family. Not only can you recommend the best mobile security app available on Google Play, but you will be rewarded for doing so; you can earn up to three months of Avast Mobile Premium for free!

Here is how it works: For every five friends you send an SMS to recommending Avast, you get one free month of Avast Mobile Premium. Cool, huh?

There you have it — we’re huge fans of Avast Mobile Security, and we think you will be too. Download Avast Mobile Security for free on Google Play.

 

February 24th, 2015

Are you as smart as your smartphone?

Smart phone

How do I find my apps on this thing?

Not too many years ago we had phones that only made calls. Smartphones are the newest generation of phones that bring a lot of possibilities right to our fingers through the apps specifically designed for them. We all got used to the Windows (or Mac) world, but now we are witnessing a revolution from “standard” programs and some specialized tools to a world where every common thing can be done by our smartphones. Sometimes it seems, that the device is smarter than we are!

But can it protect itself from the increasing number of threats?

You’ll find a lot of articles on the Internet which state that security companies exaggerate the need for mobile security and antivirus protection. You’ll read that Google Play and the new security technologies of Android Lollipop are the only things necessary for security. I could post many examples of such (bad) tips, but I don’t want to waste your time or mine.

Do you use only Google Play as your app source?

A common (and wise) security tip is to stick with Google Play for downloading apps. This is good advice despite the fact that we see here in the Avast blog that Google Play fails to detect some apps as malware. Look for our mobile malware senior virus analyst Filip Chytry’s articles. He continuously discovers holes in Google Play security.

However, what if you want apps that have been banned from Google Play? No, I’m not talking about (just) adult apps. Google banned anti-ad apps, for instance. So where is a safe place to get them? The answer is simple: outside of Google Play. The Amazon Appstore for Android is quickly increasing the possibilities.

Do you think that clean apps can’t become bad ones?

Clean apps can become bad ones, and with the new Google Play permission scheme, you may not even notice. This makes updating your apps (another very common and wise hint) an additional complication.

As the apps we love can turn against us, the best tip of all is that you install a mobile security app that helps you know what it being added to your phone.  Avast Mobile Security updates its virus database very often to detect the latest threats and allows you to install securely all the apps you love.

This makes you smarter than your smartphone! ;-)

 

February 3rd, 2015

Apps on Google Play Pose As Games and Infect Millions of Users with Adware

A couple of days ago, a user posted a comment on our forum regarding apps harboring adware that can be found on Google Play. This didn’t seem like anything spectacular at the beginning, but once I took a closer look it turned out that this malware was a bit bigger than I initially thought. First of all, the apps are on Google Play, meaning that they have a huge target audience – in English speaking and other language regions as well. Second, the apps were already downloaded by millions of users and third, I was surprised that the adware lead to some legitimate companies.

Durak App Google Play The Durak card game app was the most widespread of the malicious apps with 5 – 10 million installations according to Google Play.

Durak interface
When you install Durak, it seems to be a completely normal and well working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right? :)

Threats detected malcious appsEach time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action, however, if you approve you get re-directed to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.

An even bigger surprise was that users were sometimes directed to security apps on Google Play. These security apps are, of course, harmless, but would security providers really want to promote their apps via adware? Even if you install the security apps, the undesirable ads popping up on your phone don‘t stop. This kind of threat can be considered good social engineering. Most people won‘t be able to find the source of the problem and will face fake ads each time they unlock their device. I believe that most people will trust that there is a problem that can be solved with one of the apps advertised “solutions” and will follow the recommended steps, which may lead to an investment into unwanted apps from untrusted sources.

Avast Mobile Premium detects these apps, protecting its users from the annoying adware. Additionally, the apps’ descriptions should make users skeptical about the legitimacy of the apps.  Both in English and in other languages such as German, were written poorly: “A card game called ‘Durak‘ – one of the most common and well known game“.

The apps‘ secure hash algorithm (SHA256) is the following: BDFBF9DE49E71331FFDFD04839B2B0810802F8C8BB9BE93B5A7E370958762836 9502DFC2D14C962CF1A1A9CDF01BD56416E60DAFC088BC54C177096D033410ED FCF88C8268A7AC97BF10C323EB2828E2025FEEA13CDC6554770E7591CDED462D

December 12th, 2014

Mobile advertising firms spread malware by posing as official Google Play apps

As a malware analyst, I find new pieces of malware day in and day out. In fact, I see so many new malware samples that it’s difficult for me to determine which pieces would be really interesting for the public. Today, however, I found something that immediately caught my attention and that I thought would be interesting to share.

Mobilelinks

The three URLs listed above are websites that offer mobile monetizing kits, which are advertising kits that developers can implement in their mobile apps. The goal for developers is to monetize from advertisements. If a user clicks on one of the ads delivered by one of the above listed providers, he may be lead to a malicious subdomain.

The most visited of the three URLs is Espabit. According to our statistics, we know that Espabit’s servers get around 150,000 views a day and nearly 100% of the views are from mobile devices. This may not seem like that much compared to the number of Android users there are in the world, but it is still a considerable number. Espabit is trying to position themselves as a world leader in advertising, and their website may appear innocent, but first impressions can be deceiving.

 

espabit

The most visited Espabit subdomain, with more than 400,000 views during the last few months, leads app users to pornographic sites via the ads displayed in their apps. The site displays a download offer for nasty apps (no pun intended) that have malicious behavior.

image

 

The above is just one example of the malicious links; there are many others hosted on the same server. The majority of the links lead to pornography or fake apps that all have one thing in common: They all steal money from innocent users.

How do they convince people to download their app? By posing as official Google Play apps. The apps are designed to look like they are from the official Google Play Store – tricking people into trusting the source. Since Android does not allow users to install apps from untrusted sources, the sites offer manuals in different languages, like English, Spanish, German, and French, explaining how to adjust Android’s settings so that users can install apps from untrusted sources, like these malicious apps. How considerate of them.

image_1

 

Now let’s take a deeper look at what the apps are capable of doing:

All of the “different” apps being offered by the three sites listed above are essentially the same in that they can steal personal information and send premium SMS. So far, we know about more than 40 of them stored on the websites’ servers. Most of the apps are stored under different links and, again, are offered in different languages (they want everyone to be able to “enjoy” their apps). The goal behind all of the apps is always the same: Steal money.

apps code1

 

 

 

 

Some of the permissions the apps are granted when downloaded…

apps code2

 

Once you open the apps, you get asked if you are 18 or older (they are not only considerate in that they offer their product in various languages, but they also have morals!).

sexyface

 

 

sexyface2

 

After you click on “YES” you are asked to connect your device to the Internet. Once connected to the Internet your device automatically starts sending premium SMS, each costing $0.25 and sent three times a week. That’s all the app does! The amount stolen a week does not seem like much, but that may be done on purpose. People may not notice if their phone bill is $3.00 more than it was the month before and if they don’t realize that the app is stealing money from them and don’t delete the app it can cost them $36.00 a year.

This malware is actually not unique in terms of the technique it uses. However, collectively, the three websites have around 185,000 views daily, which is a lot considering there is malware stored on their servers. Not everyone is redirected to malware, but those who are, are being scammed. Considering that the most visited malicious subdomain had around 400,000 views in the last quarter, it tells us that a large number of those visitors were infected. This means these ad providers are making a nice sum of money and it’s not all from ad clicks and views.

Although many mobile carriers around the world block premium SMS, including major carriers in the U.S., Brazil, and the UK, this case should not be taken lightly. These malware authors use social engineering to circumvent Google’s security and target innocent app users via ads. Think of how many apps you use that display ads, then think of all the valuable information you have stored on your phone that could be abused.

All malicious apps we found and described here are detected by Avast as:

Android:Erop-AG [Trj]
Android:Erop-AJ [Trj]|
Android:Erop-AS [Trj]

Some of SHA256:
DBEA83D04B6151A634B93289150CA1611D11F142EA3C17451454B25086EE0AEF
87AC7645F41744B722CEFC204A6473FD68756D8B2731A4BF82EBAED03BCF3C9B

Comments off
October 29th, 2014

Look-alike Avast Online Security extension deceives users

We have been recently notified about a suspicious browser extension for Google Chrome. Suspicious because it was called “Avast Free Antivirus 2014″, while our browser extension is actually called Avast Online Security. You can see the fake extension along with our official ones in the printscreens from the Chrome Web Store.

chrome_web_store_hl

The extension looks professional featuring printscreens of the PC version of Avast 2014 and a good rating of 4 stars. It is so well-done that it may trick users to install it – and indeed almost 2,000 users fell for this.

fake_extension

After installing, the only thing that is added is the little icon between the search bar and options button, as can be seen on the printscreen above, where the extension is already installed.

Viewing the extension code reveals that it is surprisingly lightweight. It merely opens a new tab with a predefined URL when the Avast icon is clicked.

code

The website, fortunately, is not malicious at all, so there is nothing harmful to the user, other than deceiving them with a false sense of security. The author of the extension created many more extensions, each leading to a different landing page on the same domain. The only comfort we received from this malicious extension, was that our extension was the most downloaded one! That confirms to us that our service is valued (and needed!).

developers_apps

To get the authentic Avast Online Security app for your browser, please visit us on the Chrome Web Store.

Avast Software’s security applications for PC, Mac, and Android are trusted by more than 200-million people and businesses. Please follow us on FacebookTwitter and Google+.

June 18th, 2014

Google Play Store changes opens door to cybercrooks

mobile appsLast week, Google upgraded the Android app section of its store and introduced a new way for users to manage permissions. Google claims it will be easier  for users to understand and that users will pay more attention to app permissions. The new interface has a cleaner look and the common user can now install apps more quickly. But does this simplicity come with a price?

Android controls the security and the amount of access every app is granted by using “permissions”. Each action has to ask the operating system for permission to take a new action. In older versions, when an app update asked for new actions or requested additional permissions, Google Play would notify the user prompting them to explicitly accept or deny the new action. Even if the user had automatic updates set, in the cases of new permissions being asked, the user would need to manually perform the update. Even if the user wasn’t exactly sure what they were giving permission for, at least the user was aware and could make the decision themselves. Security was preserved.

Everything is different now

Everything changed last week.

Individual permissions, which could range from important to trivial, are now joined into 13 groups, including a catch-all called “Other”. Now the user has to accept a “new group” change. This means that if you have already allowed certain permissions within a group, then any other permission within that group will automatically be allowed. For example, an app that could access your calendar can now also read your contacts. If you set a meeting and have invited people by email, the app will be able to use the calendar to send emails to them, even without your consent!  Read more…

Comments off
March 7th, 2014

Google Play: Whats the newest threat on the official Android market?

Official app stores are the primary sources to finding and downloading apps. Experts advise users to stay within the official app stores as they are approved ecosystems, which are widely recognized as safe. But are these sources really trustworthy? Some experts, however, claim that “Android malware is non-existent and security companies just try to scare us. Keep calm and don‘t worry.“ So which is it?

We’ve already blogged about plenty of threats that sneak onto your device from trusted sources, but here we have a really fresh one, one that  is still undetected by other security vendors. An Application called Cámara Visión Nocturna (package name: com.loriapps.nightcamera.apk), which is still available in the Google Play Store as I am writing this post, is something you definitely don’t want to have on your Android device.

Blg1

Starting with the application’s permissions you might notice there are some unusual requests for an app that should be able to work only using your camera.

    <uses-permission android:name=”android.permission.CAMERA” />

Read more…

August 23rd, 2013

Win a Nexus device from AVAST and Android Police!

Android Police postsm

To celebrate the new version of our top-rated avast! Mobile Security along with the new avast! Mobile Premium, AVAST and Android Police are giving away 9 new Nexus devices. You have one week to enter the contest to win one of these great Android phones or tablets:

Getting your name in the hat is easy – just go to the AVAST/Android Police contest page and answer a simple question:

What do you value most about your phone? 

This can be a tricky question, so here are some examples of good answers:

  • The device itself
  • Photos
  • Contacts
  • Videos
  • Emails
  • Text Messages
  • …etc.

The International Mega Giveaway will run for one week and end at midnight (PST) on August 31st. Visit Android Police now to enter!

How to download avast! Mobile Premium

avast! Mobile Security and avast! Mobile Backup are FREE downloads in the Google Play store and can be used stand-alone as free versions or be upgraded to avast! Mobile Premium for access to all premium features. avast! Mobile Premium is available for $1.99 per month or $14.99 per year. Download and install on your Android device now.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun, and contest information, please follow us on FacebookTwitterGoogle+ and Instagram.

January 24th, 2013

What’s that new game on Google play? Oh, it’s malware again!

playA few months ago, Google announced a new feature in Android. Version 4.2 Jelly Bean has an integrated real-time app scan which should be able to check if applications you install are clean or malicious. But is this enough? Sleazy Android app developers continue to sneak their fake apps by the Google Play gatekeepers. These guys rip off popular apps in an attempt to fool unsuspecting users.

“In the start of this week, Google released a few applications from a developer called GILBERT8332 which pretend they are legitimate applications. Between these applications you can find quite common games such as The Sims 3, Asphalt 6, Ninjago Lego and so on. And compared to original developers they are free,” said Filip Chytrý, a researcher from Avast Virus Lab.

The common result of downloading a bogus app is that personal information like your email address and mobile phone number are stolen and you are served an unending stream of spam and unwelcome offers.

Chytrý warns, “When you download them and install in your android device you will be surprised. All of them are malware. They all start quite innocently with a license agreement of AirPush advert. (AirPush is a advert system which allows to show advertisement in notification bar of your Android device.)”

2

“And then the funny parts come up. The Game will ask you if you want to change your main page in browser and put a search icon on desktop. Even if you decline, it’s too late. Your browser is already changed for another search page and your device is filled with uncomfortable adverts and as a bonus, the device will send  personal information to a third party,” said Chytrý.

top apps

Block fake apps

avast! Free Mobile Security blocks fake apps and our new signature targeting protects you against
malware distributed with them. Our popular anti-virus/anti-theft app for Android stops downloads of fake apps and games, so you won’t be duped.

“All of these apps use multiple advert services, steal your personal data and they even are hidden under different creators. But don’t worry. Avast detects all of the mentioned applications as Android:FakeInst-DL, and urls of fake searchers are blocked also,” said Chytrý.

Get avast! Free Mobile Security for your Android device from Google Play. Please add a review and share with your friends if you like it! :-)