A team of malware authors is playing a cat and mouse game with Google. The game goes like this: they upload their malware, Google Play quickly takes it down, they upload a new mutation and Google takes it down. Current status of the game: the malware is back on Google Play. So far, the malicious apps have infected hundreds of thousands of innocent victims.
In April, we discovered porn clicker malware on Google Play posing as the popular Dubsmash app.
Two days ago, we reported that a mutation of the porn clicker malware, created by a Turkish group of malware authors, made its way back onto Google Play, but have since been removed from the Play Store.
Once the apps were downloaded they did not do anything significant when opened by the user, they just showed a static image. However, once the unsuspecting victim opened his/her browser or other apps, the app began to run in the background and redirect the user to porn sites. Users may not have necessarily understood where these porn redirects were coming from, since it was only possible to stop them from happening once the app was killed. Fellow security researchers at Eset reported that more apps with this mutation were on Google Play earlier this week. Eset also reported that the original form of the malware was uploaded to Google Play multiple times in May. Our findings combined with that from Eset, prove that these malware authors are extremely persistent and determined to make Google Play a permanent residency for their malware.
I’ll be back…
Malware Writers Can’t Keep Their Hands Off Porn
In April, we reported on a porn clicker app that slipped into Google Play posing as the popular Dubsmash app. It seems that this malware has mutated and once again had a short-lived career on Google Play, this time hidden in various “gaming” apps.
For your viewing pleasure
The original form of this porn clicker ran completely hidden in the background, meaning victims did not even notice that anything was happening. This time, however, the authors made the porn a bit more visible to their victims.
The new mutation appeared on Google Play on July 14th and was included in five games, each of which was downloaded by 5,000-10,000 users. Fortunately, Google reacted quickly and has already taken down the games from the Play Store.
Once the app was downloaded, it did not really seem to do anything significant when opened by the user. However, once the unsuspecting victim opened his/her browser or other apps, the app began to run in the background and redirect the user to porn sites. Users may not have necessarily understood where these porn redirects were coming from, since it was only possible to stop them from happening once the app was killed.
Over time, we’ve noticed the presence of some fairly heated user debates disputing the necessity of security or antivirus apps for Android devices. This could have been sparked by our recent post which argues that you can’t always rely on the security of Google Play or because of the myth that antivirus companies create viruses to sell more software.
Certain security gurus claim that if users stick to downloading and purchasing apps using only the Google Play Store, nothing bad will happen to their devices. However, we found that this line of thinking is not 100% correct, as was demonstrated through the discovery of a rogue Dubsmash app or in the infamous case of apps on Google Play posing as games and infecting millions of users with adware. Despite these findings, there are some users who still feel that they’re safe whenever using Google Play. This feeling of false security could have negative consequences; for example, when your data or financial information is stolen or when you have to resort to resetting your device in order to cleanse it of malware.
So, we know we can’t rely on the Google Play Store all the time, but are third-party stores more secure? Of course not. In this case, how is it still possible that it’s not a problem to use third-party stores? First of all, it’s necessary to point out that there are certain legitimate and clean third-party stores, such as Amazon and FDroid. At the same time, there are tons of shady stores and even more black market .apk files promising to deliver you the latest features of a cracked app.
Everyone from celebrities like Lena Dunham to Hugh Jackman are using the (currently) seventh most popular app available on Google Play: Dubsmash. Dubsmash is an app with more than 10 million Google Play installations that lets users choose a sound, record a video to go along with the sound and send their dub to their friends or social media channels. Dubsmash is not only widely popular amongst teens and celebs, but the app has also caught the attention of malware authors.
Avast recently discovered “Dubsmash 2” (with the package name “com.table.hockes”) on Google Play – and no, it was not the bigger and better version of the original app. The app is a so called “porn clicker” and was installed 100,000-500,000 times from the Google Play Store. We contacted Google when we discovered the rogue app and it was removed from the Play Store shortly thereafter. Once the app was installed there was no evidence of an app named “Dubsmash 2” on the user’s device, instead the app installed an app icon named “Setting IS”. This is a common trick malware authors use to make it harder for the user to figure out which app is causing problems. This should also be the user’s first clue that something shady is going on. The “Settings IS” icon looked very similar to the actual Android Settings icon (see screenshot below).
The app’s mischievous activities could be triggered by two actions. The first possible way was by simply launching the “Settings IS” app and the second, which occurred only if the user had not yet launched the app, was via the BroadcastReceiver component within the app. BroadcastReceiver observed the device’s Internet connectivity and if the BroadcastReceiver noticed the device was connected to the Internet, the app’s true functions would be triggered.
If the “Settings IS” app was opened by the user, the Google Play Store would launch to the actual “Dubsmash” app download page.
Once activated, the app sent an HTTP GET request to an encrypted URL. If the request returned a string containing the character “1” two services would begin to work: MyService and Streaming. Using this method the author could also effectively turn off the start of the services remotely.
The second service, the Streaming service, was fairly similar in structure to the MyService component in that it also scheduled a task to run every 60 seconds. The main difference to MyService, is that users could notice the Service tasks did not run secretly in the background. The task would check for changes in the device’s IP address or date. If either of them had changed, a video would launch in the device’s YouTube app. The YouTube app needed to be installed on the device for this to function properly. The video address was also obtained from an encrypted URL.
After decrypting and further examining the URLs and the video from YouTube, the Avast Virus Lab came to the conclusion that the malware most likely originated from Turkey. The developer’s name listed on Google Play and YouTube hint to this.
We suspect the app developer used the porn clicker method for financial gain. Through clicks on multiple ads within the porn sites, the app developer probably received pay-per-click earnings from advertisers who thought he was displaying their ads on websites for people to actually see.
Despite being undesirable, but basically harmless to the user and less sophisticated than other malware families such as Fobus or Simplocker, this app shows that although there are safeguards in place, undesirable apps that fool users can still slip into the Google Play store.
If you installed Dubsmash 2 (package name “com.table.hockes”), you can delete the app by going into Settings -> Apps -> find “Settings IS” and then uninstall the app.
The Avast Mobile Security application detects this threat as Android:Clicker. SHA-256 hash: de98363968182c27879aa6bdd9a499e30c6beffcc10371c90af2edc32350fac4
Thank you Nikolaos Chrysaidos for your help with the analysis
Mobile is attractive to cybercrooks
Our mobile phones are fantastic little devices — these days, they’re as powerful and can accomplish nearly all the things a regular computer can. While this is convenient for us, it also gives cybercrooks a relatively easy in-road to your private data and financial information. As 2015 rolls along, consumers continue to become more aware of mobile security options available to them, since they will increasingly use mobile apps that contain sensitive banking, financial, and personal health information.
Last year, more than 1 billion Android devices were shipped out to customers around the world. With Android winning the majority of the smartphone market, it offers a tempting target to malware authors. The average user is not especially concerned about being infected with a virus on their phone or tablet, but unfortunately, mobile malware is more than just a myth. Avast currently has more than one million samples of mobile malware in its database, with 2,850 new mobile threats being created every day by hackers.
Even if you think your chances of being infected with malware are low, we suggest that you go ahead and install a good mobile antivirus software. The great thing about Avast Mobile Security is that it’s free, so your investment is minimal – just a few minutes of setup and you’re ready to go.
Avast Mobile Security includes antivirus protection which scans your apps to see what they are doing, and a Web shield that scans URLs for malware or phishing. Malicious apps allow malware to enter your phone, so it’s good to have Avast on your side to detect when a bad one slips by on Google Play or another app store.
Avast Mobile Security did not commit any mistakes when tested with 1,932 legitimate apps from the Google Play Store and 981 legitimate apps from third party app stores. In addition, all this protection, according to AV-TEST, did not “impact the battery life”, or “slow down the device during normal usage”, and “does not generate too much traffic”.
To compare the choices of mobile antivirus software, you can look at the January 2015 “Mobile Security Test” conducted by the independent labs at AV-TEST. They looked at 31 popular Android security apps. Avast Mobile Security tops the list because it detected 100% of malicious apps without any impact on the battery life or slowing down of the device.
AMS Referral Program
In the latest update of Avast Mobile Security, we added a referral program, so you can recommend Avast Mobile Security to your friends and family. Not only can you recommend the best mobile security app available on Google Play, but you will be rewarded for doing so; you can earn up to three months of Avast Mobile Premium for free!
Here is how it works: For every five friends you send an SMS to recommending Avast, you get one free month of Avast Mobile Premium. Cool, huh?
There you have it — we’re huge fans of Avast Mobile Security, and we think you will be too. Download Avast Mobile Security for free on Google Play.
Not too many years ago we had phones that only made calls. Smartphones are the newest generation of phones that bring a lot of possibilities right to our fingers through the apps specifically designed for them. We all got used to the Windows (or Mac) world, but now we are witnessing a revolution from “standard” programs and some specialized tools to a world where every common thing can be done by our smartphones. Sometimes it seems, that the device is smarter than we are!
But can it protect itself from the increasing number of threats?
You’ll find a lot of articles on the Internet which state that security companies exaggerate the need for mobile security and antivirus protection. You’ll read that Google Play and the new security technologies of Android Lollipop are the only things necessary for security. I could post many examples of such (bad) tips, but I don’t want to waste your time or mine.
Do you use only Google Play as your app source?
A common (and wise) security tip is to stick with Google Play for downloading apps. This is good advice despite the fact that we see here in the Avast blog that Google Play fails to detect some apps as malware. Look for our mobile malware senior virus analyst Filip Chytry’s articles. He continuously discovers holes in Google Play security.
However, what if you want apps that have been banned from Google Play? No, I’m not talking about (just) adult apps. Google banned anti-ad apps, for instance. So where is a safe place to get them? The answer is simple: outside of Google Play. The Amazon Appstore for Android is quickly increasing the possibilities.
Do you think that clean apps can’t become bad ones?
Clean apps can become bad ones, and with the new Google Play permission scheme, you may not even notice. This makes updating your apps (another very common and wise hint) an additional complication.
As the apps we love can turn against us, the best tip of all is that you install a mobile security app that helps you know what it being added to your phone. Avast Mobile Security updates its virus database very often to detect the latest threats and allows you to install securely all the apps you love.
This makes you smarter than your smartphone!
A couple of days ago, a user posted a comment on our forum regarding apps harboring adware that can be found on Google Play. This didn’t seem like anything spectacular at the beginning, but once I took a closer look it turned out that this malware was a bit bigger than I initially thought. First of all, the apps are on Google Play, meaning that they have a huge target audience – in English speaking and other language regions as well. Second, the apps were already downloaded by millions of users and third, I was surprised that the adware lead to some legitimate companies.
The Durak card game app was the most widespread of the malicious apps with 5 – 10 million installations according to Google Play.
When you install Durak, it seems to be a completely normal and well working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right?
Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action, however, if you approve you get re-directed to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.
An even bigger surprise was that users were sometimes directed to security apps on Google Play. These security apps are, of course, harmless, but would security providers really want to promote their apps via adware? Even if you install the security apps, the undesirable ads popping up on your phone don‘t stop. This kind of threat can be considered good social engineering. Most people won‘t be able to find the source of the problem and will face fake ads each time they unlock their device. I believe that most people will trust that there is a problem that can be solved with one of the apps advertised “solutions” and will follow the recommended steps, which may lead to an investment into unwanted apps from untrusted sources.
Avast Mobile Premium detects these apps, protecting its users from the annoying adware. Additionally, the apps’ descriptions should make users skeptical about the legitimacy of the apps. Both in English and in other languages such as German, were written poorly: “A card game called ‘Durak‘ – one of the most common and well known game“.
The apps‘ secure hash algorithm (SHA256) is the following: BDFBF9DE49E71331FFDFD04839B2B0810802F8C8BB9BE93B5A7E370958762836 9502DFC2D14C962CF1A1A9CDF01BD56416E60DAFC088BC54C177096D033410ED FCF88C8268A7AC97BF10C323EB2828E2025FEEA13CDC6554770E7591CDED462D
As a malware analyst, I find new pieces of malware day in and day out. In fact, I see so many new malware samples that it’s difficult for me to determine which pieces would be really interesting for the public. Today, however, I found something that immediately caught my attention and that I thought would be interesting to share.
The three URLs listed above are websites that offer mobile monetizing kits, which are advertising kits that developers can implement in their mobile apps. The goal for developers is to monetize from advertisements. If a user clicks on one of the ads delivered by one of the above listed providers, he may be lead to a malicious subdomain.
The most visited of the three URLs is Espabit. According to our statistics, we know that Espabit’s servers get around 150,000 views a day and nearly 100% of the views are from mobile devices. This may not seem like that much compared to the number of Android users there are in the world, but it is still a considerable number. Espabit is trying to position themselves as a world leader in advertising, and their website may appear innocent, but first impressions can be deceiving.
The most visited Espabit subdomain, with more than 400,000 views during the last few months, leads app users to pornographic sites via the ads displayed in their apps. The site displays a download offer for nasty apps (no pun intended) that have malicious behavior.
The above is just one example of the malicious links; there are many others hosted on the same server. The majority of the links lead to pornography or fake apps that all have one thing in common: They all steal money from innocent users.
How do they convince people to download their app? By posing as official Google Play apps. The apps are designed to look like they are from the official Google Play Store – tricking people into trusting the source. Since Android does not allow users to install apps from untrusted sources, the sites offer manuals in different languages, like English, Spanish, German, and French, explaining how to adjust Android’s settings so that users can install apps from untrusted sources, like these malicious apps. How considerate of them.
Now let’s take a deeper look at what the apps are capable of doing:
All of the “different” apps being offered by the three sites listed above are essentially the same in that they can steal personal information and send premium SMS. So far, we know about more than 40 of them stored on the websites’ servers. Most of the apps are stored under different links and, again, are offered in different languages (they want everyone to be able to “enjoy” their apps). The goal behind all of the apps is always the same: Steal money.
Some of the permissions the apps are granted when downloaded…
Once you open the apps, you get asked if you are 18 or older (they are not only considerate in that they offer their product in various languages, but they also have morals!).
After you click on “YES” you are asked to connect your device to the Internet. Once connected to the Internet your device automatically starts sending premium SMS, each costing $0.25 and sent three times a week. That’s all the app does! The amount stolen a week does not seem like much, but that may be done on purpose. People may not notice if their phone bill is $3.00 more than it was the month before and if they don’t realize that the app is stealing money from them and don’t delete the app it can cost them $36.00 a year.
This malware is actually not unique in terms of the technique it uses. However, collectively, the three websites have around 185,000 views daily, which is a lot considering there is malware stored on their servers. Not everyone is redirected to malware, but those who are, are being scammed. Considering that the most visited malicious subdomain had around 400,000 views in the last quarter, it tells us that a large number of those visitors were infected. This means these ad providers are making a nice sum of money and it’s not all from ad clicks and views.
Although many mobile carriers around the world block premium SMS, including major carriers in the U.S., Brazil, and the UK, this case should not be taken lightly. These malware authors use social engineering to circumvent Google’s security and target innocent app users via ads. Think of how many apps you use that display ads, then think of all the valuable information you have stored on your phone that could be abused.
All malicious apps we found and described here are detected by Avast as:
Some of SHA256:
We have been recently notified about a suspicious browser extension for Google Chrome. Suspicious because it was called “Avast Free Antivirus 2014″, while our browser extension is actually called Avast Online Security. You can see the fake extension along with our official ones in the printscreens from the Chrome Web Store.
The extension looks professional featuring printscreens of the PC version of Avast 2014 and a good rating of 4 stars. It is so well-done that it may trick users to install it – and indeed almost 2,000 users fell for this.
After installing, the only thing that is added is the little icon between the search bar and options button, as can be seen on the printscreen above, where the extension is already installed.
Viewing the extension code reveals that it is surprisingly lightweight. It merely opens a new tab with a predefined URL when the Avast icon is clicked.
The website, fortunately, is not malicious at all, so there is nothing harmful to the user, other than deceiving them with a false sense of security. The author of the extension created many more extensions, each leading to a different landing page on the same domain. The only comfort we received from this malicious extension, was that our extension was the most downloaded one! That confirms to us that our service is valued (and needed!).
To get the authentic Avast Online Security app for your browser, please visit us on the Chrome Web Store.
Last week, Google upgraded the Android app section of its store and introduced a new way for users to manage permissions. Google claims it will be easier for users to understand and that users will pay more attention to app permissions. The new interface has a cleaner look and the common user can now install apps more quickly. But does this simplicity come with a price?
Android controls the security and the amount of access every app is granted by using “permissions”. Each action has to ask the operating system for permission to take a new action. In older versions, when an app update asked for new actions or requested additional permissions, Google Play would notify the user prompting them to explicitly accept or deny the new action. Even if the user had automatic updates set, in the cases of new permissions being asked, the user would need to manually perform the update. Even if the user wasn’t exactly sure what they were giving permission for, at least the user was aware and could make the decision themselves. Security was preserved.
Everything is different now
Everything changed last week.
Individual permissions, which could range from important to trivial, are now joined into 13 groups, including a catch-all called “Other”. Now the user has to accept a “new group” change. This means that if you have already allowed certain permissions within a group, then any other permission within that group will automatically be allowed. For example, an app that could access your calendar can now also read your contacts. If you set a meeting and have invited people by email, the app will be able to use the calendar to send emails to them, even without your consent! Read more…