Tag Archives: Android corner

Avast

Avast Launches Memory Saving Cleaner App for Android

Leave a comment

Today, Avast announced the launch of Avast GrimeFighter at the Mobile World Congress in Barcelona. The new application helps Android users free extra memory on their devices with just a few taps so they can save the data that matters to them while enjoying a faster, smoother performance on their devices. 

GrimeFighterHow Avast GrimeFighter works

Avast GrimeFighter begins by scanning all applications on an Android device, identifying unimportant or unnecessary data that could be eliminated without damaging applications’ functionalities. Using GrimeFighter’s easy-to-use interface, users can choose from two modes that allow them to eliminate excess files with ease: Safe Cleaner and Advanced Cleaner. Safe Cleaner is a customizable scanner that quickly identifies unimportant data for instant, one-tap removal. Advanced Cleaner runs in parallel to Safe Cleaner, mapping all of the device’s storage and creating a simple overview of all files and applications that take up space. Advanced Cleaner locates inflated or unused applications and arranges them by file type, size, usage, or name, so users can permanently remove the files and free up storage space.

In addition to cleaning up unwanted data, Avast GrimeFighter helps maximize storage capacity by syncing with personal cloud storage accounts so users can manage their device’s storage without having to delete valuable data. Users can drag files to the cloud icon and GrimeFighter will instantly transfer them to a safe folder in the cloud. Avast GrimeFighter is currently compatible with Dropbox and can assist users in setting up a Dropbox account. Additional popular cloud storage solutions will be added soon.

How does excess data get accumulated?

Bits and pieces of data accumulate on your device, whether you are aware of it or not. GrimeFighter helps you locate excess data that you wouldn’t typically be able to find, such as data left over from initiated app downloads, residual data, thumbnails, and app caches. Popular apps, like Facebook and Instagram, also create excess data on your device as they inflate from their original download size when used regularly. Avast tested some of the most popular Android apps and found that their size can grow exponentially during one week of heavy usage:

                                                                         install size:          additional data accumulated:

1)    Facebook                      36.7MB                        153MB

2)    Flipboard                    12.6MB                        71.1MB

3)    Google Maps            23.21MB                       68.8MB

Avast GrimeFighter will help the more than one billion Android users free up anywhere from 500MB to 1GB of storage per device to enjoy faster performance and is available for download on Google Play.  

Avast

New Avast SecureMe app protects iOS and Android users from Wi-Fi Hacking

Leave a comment

Avast mobile security experts launched a new app today at the Mobile World Congress in Barcelona.

Avast booth at MWC15

Avast launches SecureMe app for iOS and Android at Mobile World Congress 2015

Avast SecureMe is the world’s first application that gives iPhone and iPad users a tool to protect their devices and personal data when they connect to Wi-Fi networks. The free app automatically locates Wi-Fi networks and tells users which of them are safe. Since many users connect without knowing the status of the Wi-Fi network – whether it’s protected or not – Avast SecureMe will create a secure connection in order to keep them safe.

“Public Wi-Fi and unsecured routers have become prime targets for hackers, which presents new risks for smartphones and tablets – even iOS devices aren’t immune,” said Jude McColgan, President of Mobile at Avast.

Avast SecureMe will be available in a invitation-only public beta test within the next few weeks. Check back on our blog, Facebook, and Google+ for more information on signing up coming soon.

The app notifies you if it finds security issues

Avast SecureMe includes a feature called Wi-Fi Security. (This feature is also available for Android users within the Avast Mobile Security app available on Google Play.) People who use open Wi-Fi in public areas such as airports, hotels, or cafes will find this helpful. This feature’s job is to scan Wi-Fi connections and notify you if it finds any security issues including routers with weak passwords, unsecured wireless networks, and routers with vulnerabilities that could be exploited by hackers.

“Avast SecureMe and Avast Mobile Security offer users a simple, one-touch solution to find and choose safe networks to protect themselves from the threat of stolen personal data,” said McColgan.

What’s the risk that my personal data will be stolen?

If you use unsecured Wi-Fi when you log in to a banking site, for example, thieves can capture your log in credentials which can lead to identify theft. On unprotected Wi-Fi networks, thieves can also easily see emails, browsing history, and personal data if you do not use a secure or encrypted connection like a virtual private network (VPN). See our global Wi-Fi hacking experiment to see how widespread the threat really is.

Avast SecureMe checks the security of Wi-Fi networks.
Avast SecureMe notifies you of security problems.
Avast SecureMe is a simple way to find and choose safe networks.

The SecureMe app includes a VPN to protect your privacy

Avast SecureMe features a VPN to secure your connections while you conduct online tasks you want to remain private, especially checking emails, doing your online banking, and even visiting your favorite social network sites. Avast SecureMe automatically connects to the secure VPN when it detects that you have connected to a public Wi-Fi making all transferred data invisible to prying eyes. For convenience, you can disable the protection for Wi-Fi connections you trust, like your home network.

Avast SecureMe for iOS will be available soon in the iTunes Store. Before it’s widespread release, we will conduct an invitation-only public beta test, so check back on our blog, Facebook, and Google+ for more information on signing up.

The Wi-Fi Security feature is now also included in the Avast Mobile Security app for Android, available on Google Play.

Avast

Avast study exposes global Wi-Fi browsing activity

Leave a comment

The use of open, unprotected Wi-Fi networks has become increasingly popular across the globe. Whether you’re traveling around a new city and rely on public Wi-Fi networks to get around or you’re at your favorite coffee shop and connect to its Wi-Fi, you’re left in a vulnerable situation when it comes to protecting your data. Just as you lock the door of your house when you leave, you should also use a security app if using public Wi-Fi.

Couple taking selfie

Using unsecured Wi-Fi can easily expose photos and other personal information to hackers.

 

Avast’s hack experiment examines browsing habits of people across the globe

The Avast team recently undertook a global hacking experiment, where our mobile security experts traveled to cities in the United States, Europe, and Asia to observe the public Wi-Fi activity in nine major metropolitan areas. Our experiment revealed that most mobile users aren’t taking adequate steps to protect their data and privacy from cybercriminals. In the U.S., the Avast mobile experts visited Chicago, New York, and San Francisco; in Europe, they visited Barcelona, Berlin, and London; and in Asia, they traveled to Hong Kong, Seoul, and Taipei. Each of our experts was equipped with a laptop and a Wi-Fi adapter with the ability to monitor the Wi-Fi traffic in the area. For this purpose, we developed a proprietary app, monitoring the wireless traffic at 2.4 GHz frequency. It’s important to mention that there are commercial Wi-Fi monitoring apps like this available in the market that are easy-to-use, and available for free.

wifi experiment Bundestag

In front of the German Bundestag, Berlin: On public Wi-Fi, log in details can easily be monitored.

The study revealed that users in Asia are the most prone to attacks. Users in San Francisco and Barcelona were most likely to take steps to protect their browsing, and users in Europe were also conscious about using secure connections. While mobile users in Asia were most likely to join open networks, Europeans and Americans were slightly less so; in Seoul, 99 out of 100 users joined unsecured networks, compared with just 80 out of 100 in Barcelona.

1)      Seoul: 99 out of 100

2)      Hong Kong: 98 out of 100

3)      Taipei: 97 out of 100

4)      Chicago: 96 out of 100

5)      New York: 91 out of 100

6)      Berlin: 88 out of 100

7)      London: 83 out of 100

8)      Barcelona: 80 out of 100

9)      San Francisco: 80 out of 100

Our experiment shed light on the fact that a significant portion of mobile users browse primarily on unsecured HTTP sites.  Ninety-seven percent of users in Asia connect to open, unprotected Wi-Fi networks. Seven out of ten password-protected routers use weak encryption methods, making it simple for them to be hacked. Nearly one half of the web traffic in Asia takes place on unprotected HTTP sites, compared with one third U.S. traffic and roughly one quarter of European traffic. This can most likely be attributed to the fact that there are more websites in Europe and the U.S. that use the HTTPS protocol than in Asia.

So, how much of your browsing activity can actually be monitored?

Because HTTP traffic is unprotected, our team was able to view all of the users’ browsing activity, including domain and page history, searches, personal log in information, videos, emails, and comments. Before the start of any communication, there is always a communication with the domain name server (DNS). This communication is not encrypted in most cases, so on open Wi-Fi it is possible for anybody to see which domains a user visits. This means, for example, that somebody who browses products on eBay or Amazon and is not logged in can be followed around. Also, it is visible if people read articles on nytimes.com or CNN.com, and users who perform searches on Bing.com, or who visit certain adult video streaming sites can be monitored.

Beware of weak encryption

The majority of Wi-Fi hotspots were protected, but we found that often their encryption methods were weak and could be easily hacked. Using WEP encryption can be nearly as risky as forgoing password-protection altogether, as users tend to feel safer entering their personal information, but their data can still be accessed.

San Francisco and Berlin had the lowest percentage of weakly encrypted hotspots, while more than half of password-protected hotspots in London and New York and nearly three quarter of the Asian hotspots were vulnerable to attack.

1)      Seoul: 70.1%

2)      Taipei: 70.0%

3)      Hong Kong: 68.5%

4)      London: 54.5%

5)      New York: 54.4%

6)      Chicago: 45.9%

7)      Barcelona: 39.5%

8)      Berlin: 35.1%

9)      San Francisco: 30.1%

Our goal is not to discourage you from visiting HTTP sites, but instead, encourage you to protect yourself on public Wi-Fi. If you install protection that allows a secure Internet connection while accessing public networks, public Wi-Fi is harmless. But when you go unprotected, hackers can follow your way around the Internet. Even if the user accesses a HTTPS site, the domain visited is still visible to hackers.

 

 

Avast

Avast at Mobile World Congress 2015

Leave a comment
MWC2015

Stop by for a visit with Avast; booth 5K29.

New mobile apps, a live Wi-Fi hack, results of a global Wi-Fi experiment, a demonstration of mobile malware, and Avast mobile experts can all be found at Avast’s booth (hall 5 stand 5K29) at this year’s Mobile World Congress in Barcelona.

Open Wi-Fi Risks and Live Demonstration

Connecting to public Wi-Fi networks at airports, hotels, or cafes has become common practice for people around the world. Many users are, however, unaware that their sensitive data is visible to hackers if they don’t use protection. This data includes emails, messages, passwords and browsing history – information you don’t necessarily want the guy sipping the latte next to you at the cafe to see. Avast experts traveled to different cities across the U.S., as well as Europe and Asia, to find out how much information is openly shared via public Wi-Fi. They found that one-third of browsing traffic in New York City, San Francisco and Chicago is openly visible for hackers.

At the Congress, Avast will conduct a Wi-Fi hack demonstration. The demonstration will allow visitors to see, first hand, what a hacker can access if they don’t use protection. Participants can connect to Avast’s (password protected) Wi-Fi network to browse and send messages as they normally would when connected to open Wi-Fi. To demonstrate how this information would look through the eyes of a hacker, their activities will be displayed on a screen at the Avast stand.

Mobile Malware and Simplocker Demonstration

Mobile malware is often perceived as a myth, yet Avast currently has more than one million samples of mobile malware in its database. Avast recently discovered a new variant of the mobile ransomware, Simplocker, which will also be demonstrated during the Congress. Visitors can see how the malware disguises itself, behaves, and will learn how they can protect themselves.

Introducing Avast’s New Suite of Apps

Avast will be introducing a suite of new apps at this year’s Mobile World Congress, including productivity and security apps for Android and iOS. Avast GrimeFighter and Avast Battery Saver address two of the most common complaints for Android users: storage concerns and battery life. Avast GrimeFighter helps users free extra storage on their devices by identifying unimportant data for one-tap removal, while Avast Battery Saver extends battery life up to 24 hours by learning the user’s behavior and optimizing features to preserve battery power.

Avast SecureMe is a dual solution app that helps iOS users identify secure Wi-Fi connections and protect personal data while using public Wi-Fi connections.

Wi-Fi Security, a feature available in Avast SecureMe, and coming soon to Avast Mobile Security for Android, prevents users from falling victim to Domain Name Server (DNS) hijacking by exposing vulnerabilities in routers they want to connect to.

We look forward to meeting you!

If you are attending this year’s Mobile World Congress, feel free to stop by the Avast booth to speak with Avast experts, learn more results from Avast’s global Wi-Fi experiment, see Avast’s new mobile apps and participate in the Wi-Fi demonstration. If you aren’t attending, make sure to check our blog, follow us on Twitter and Instagram, and like us on Facebook for updates during the Congress!

Note to media: If you would like to set up a meeting with Avast, please email [email protected].

 

Avast

Are you as smart as your smartphone?

Leave a comment
Smart phone

How do I find my apps on this thing?

Not too many years ago we had phones that only made calls. Smartphones are the newest generation of phones that bring a lot of possibilities right to our fingers through the apps specifically designed for them. We all got used to the Windows (or Mac) world, but now we are witnessing a revolution from “standard” programs and some specialized tools to a world where every common thing can be done by our smartphones. Sometimes it seems, that the device is smarter than we are!

But can it protect itself from the increasing number of threats?

You’ll find a lot of articles on the Internet which state that security companies exaggerate the need for mobile security and antivirus protection. You’ll read that Google Play and the new security technologies of Android Lollipop are the only things necessary for security. I could post many examples of such (bad) tips, but I don’t want to waste your time or mine.

Do you use only Google Play as your app source?

A common (and wise) security tip is to stick with Google Play for downloading apps. This is good advice despite the fact that we see here in the Avast blog that Google Play fails to detect some apps as malware. Look for our mobile malware senior virus analyst Filip Chytry’s articles. He continuously discovers holes in Google Play security.

However, what if you want apps that have been banned from Google Play? No, I’m not talking about (just) adult apps. Google banned anti-ad apps, for instance. So where is a safe place to get them? The answer is simple: outside of Google Play. The Amazon Appstore for Android is quickly increasing the possibilities.

Do you think that clean apps can’t become bad ones?

Clean apps can become bad ones, and with the new Google Play permission scheme, you may not even notice. This makes updating your apps (another very common and wise hint) an additional complication.

As the apps we love can turn against us, the best tip of all is that you install a mobile security app that helps you know what it being added to your phone.  Avast Mobile Security updates its virus database very often to detect the latest threats and allows you to install securely all the apps you love.

This makes you smarter than your smartphone! ;-)

 

Avast

Americans willingly risk privacy and identity on open Wi-Fi

Leave a comment

Is the convenience of open Wi-Fi worth the risk of identity theft? Most Americans think so.

In a recent survey, we found that only 6% of Americans protect their data by using a virtual private network (VPN) when using public Wi-Fi with their smartphone or tablet.  That leaves a whopping 94% unprotected. Why is this?

Do people not know the risks of using unsecured public Wi-Fi?

Is avoiding data overages or the convenience of no password more important than the data on their devices?

Are they not aware that there is protection available?

Are they scared they won’t understand how to use VPN because of the technical sounding name?

The truth about open, public Wi-Fi

The truth is that using unprotected Wi-Fi networks could end up costing you your privacy and identity when you use them without protection like Virtual Private Network (VPN) software. This is because unsecured networks, those are the ones that do not require registration or a password, give cybercrooks easy access to sensitive personal information.

“As mobile cloud storage becomes more popular and the quest for free Wi-Fi continues to grow, open networks that require no passwords place unprotected consumers at great risk of compromising sensitive personal data,” said Jude McColgan, president of mobile at Avast.

“The majority of Americans don’t realize that all the personal information on their mobile devices becomes defenseless over public Wi-Fi if used without protection. These networks create an easy entry point for hackers to attack millions of American consumers on a daily basis.”

WiFi survey blog

Avast can protect you and it’s not hard or expensive

“Unfortunately hacking isn’t a complicated process – there are tools available online that anyone can easily use to steal personal data,” says Ondrej Vlček, Chief Operating Officer at Avast. “Avast SecureLine VPN allows users to browse the web anonymously and safely, especially while using open Wi-Fi.”

Avast SecureLine VPN protects your Internet connections with military-grade encryption and hides your IP address. If that sounds like mumbo-jumbo to you, what it means is that essentially our VPN protection makes your device invisible to cybercriminals. In addition to that, using the VPN hides your browsing history, so no one can monitor your behavior online. We assure you, it’s as easy as can be to use.

Avast SecureLine VPN is available for Android phones and tablets on Google Play and for iOS devices in the Apple App Store. We also have VPN available for Windows PCs.

Avast

Is logging into your smartphone, websites, or apps with a fingerprint secure?

Leave a comment
Fingerprint authentication

Fingerprint authentication is not as safe as you would think

Just because logging in with you finger is convenient doesn’t mean it’s the best method to use.

Some days ago we told you about increasing your security on sites and in services by using two-factor authentication. More and more services are using this two-factor log in method. They require that you use “something you know” like a PIN or a password, “something you have” like a token app in your smartphone, and even “something you are” like your fingerprints, for instance.

Many top smartphones – starting with iPhone 5s and newer Androids – are moving to fingerprint authentication technology. That means you can unlock your phone using your finger. It’s more convenient than typing a PIN or password because you always have your finger with you (we hope!).  And you would think that it is more secure than using a gesture or pattern to unlock it.

Unfortunately, it’s not. Here’s why:

The authentication process requires that a site or a service (or your smartphone) could recognize you for a thing you know: A PIN or a password. This information must be stored in the service server (or hardware) and it must be matched, i.e., the combination of two pieces (generally username and password) must match to allow access to the right person.

Both you and the service must know this secret combination. But that’s the problem; nowadays, a lot of sites and services have been compromised and pairs of username/passwords have been hacked and sold on the black market.

But what about using your fingerprint? It’s the same scenario.  The information about your finger and the technology to match your fingerprint is stored in servers. If they are hacked, your exact, and only, information would be in their hands.

It gets worse.

You can change your credentials to log into a site or service, but you can’t just change your finger! Well, most of us have 9 more chances after the first one is compromised, but still –  there are more than just 10 services you want to use. You can change your passwords indefinitely, you can use a stronger password, you can use a password generation service –  you’ve got the idea… But you don’t have that many choices with your fingerprint.

It gets even worse.

Everything you touch reveals you. You’re publishing your own secret.

Can you imagine banks or stores letting you use your fingerprint to gain access to your account without even a card? Coincidentally, just hours ago a news report was published saying the Royal Bank of Scotland and MasterCard recently made announcements regarding fingerprint authentication services. They announced that customers can log into the banks’ mobile banking app using their fingerprint. It’s interesting that this article says 16- to 24- years olds are driving this decision because

they want to avoid security slowing down the process of making a payment, with 64% of those surveyed saying they found existing security irritating.

This decision by major banks does not give us confidence in the security of the younger generation and their bank accounts. We venture to wonder about the police with their databases full of prints. What could be done with millions of fingerprints stored by the government?

By the end of last year, young researchers from the Chaos Computer Club showed that your fingerprints could be obtained by photos of your hands and from anything you touched. See the full presentation in this YouTube video. If you have the curiosity to see all the video, you’ll see that using your iris could also be simulated with high quality printed photos. At 30:40 starts the iPhone fingerprint hacking. They took 2 days to develop the method and presented it in a few minutes. Amazing and scary.

Here’s another video with a quick summary of the research.

How to make yourself and your phone more secure

This blog is a source of great information. Earlier this month, we shared 14 easy things you can do right now to make your devices more secure. Please read 14 easy tips to protect your smartphones and tablets – Part I and Part II.

As always, make sure your Android device is protected with Avast Mobile Security. Install Avast Mobile Security and Antivirus from the Google Play store, https://play.google.com/store/apps/details?id=com.Avast.android.mobilesecurity

Avast

Angry Android hacker hides Xbot malware in popular application icons

Leave a comment

Android Malware Xbot Spies on Text Messages

In the past few weeks, the Avast Mobile Security analysts have been focusing on Android malware which targets users in Russia and Eastern Europe. One of the families that caught our interest was the Xbot malware.

The name Xbot comes from the sample itself as the string Xbot was found in all variants of this malware. Xbot uses a variety of names and package names but this string was, with different levels of obfuscation, in every single file we analyzed so we decided to name the malware after it.

Xbot is not an app itself, but is included in different apps. We didn’t identify it in apps available on Google Play, but on local Russian markets like www.apk-server12.ru. Users in Eastern Europe use markets other than Google Play more than West European and U.S. users do, that might be one of the reasons why the cybercriminals chose this distribution channel. Xbot tries to hide behind apps that look like legit apps, like Google Play or the Opera Browser. It collects tons of permissions which allows it to spy on user’s SMS and the malware could potentially spy on people’s phone calls in the future, too. It also sends premium SMS behind the user’s back, so basically it is malicious through-and-through.

From the beginning of February we have seen 353 Unique Files with more than 2570 Unique Install GUIDs. These numbers are not the highest ones we’ve ever seen but still, it allows us, unfortunately, to see the potential of Android malware and social engineering.

The author hides a message

One interesting thing we discovered is that the malware author is not shy about expressing his anger with the antivirus companies who detect his masterpiece. Sometimes we find embedded messages addressed to Malware analytics. This one is quite strong. See if you can spot it:  //9new StringBuilder (“FUCK_U_AV” )).append(“1″).toString();.  Messages like this are nothing new in malware samples because security companies like Avast can really cut into the bad guys’ income from this type of malware.

Message

The author tries to cover his tracks

As a part of anti-analysis protection, the author(s) try to obfuscate these samples to make them harder to read. But this protection is fairly simple, as it usually consists of adding additional junk characters which are excluded at runtime or the Proguard, which mangles the method names and file structure.

The samples we analyzed contain two different packages. One package contains only a single class, which works as a sort of Settings holder and contains the URL to connect to, additional APK name (possibly with extended functionality) and local preference settings.

  • The connection URL is mostly gibberish and varies in samples we analyzed. It is used as a C&C server and also as data storage of information about the infected device.
  • The second string is a name of additional APK which is downloaded and stored in /mnt/sdcard/.

The second package contains the larger part of the functionality. This package shows us three distinct and important functionalities of this malware.

  • The first one is a function responsible for checking if the additional APK exists on /mnt/sdcard/ which allows the malware to download it in case this APK doesn’t exists.
  • The second function monitors incoming SMS for keywords, and based on those can capture and store the received messages to the server where it can be misused by the attacker.
  • The third function is the ability to send SMS messages from the compromised device to any number the author(s) of malware wants. These numbers are usually premium numbers whose profit is paid back to the bad guys.

On the next picture you can see all permissions requested by the malware.

Permissions

As you can see the malware requests permission to RECEIVE_BOOT_COMPLETED which allows the malware to be persistent on the compromised device, i.e. the malware automatically restarts with the restart of the device.

The author attempts to hide the malware

The malicious app tries to be stealthy. It uses a few tricks to fool the user into running it. First, by analyzing the sample set of this family, we were able to identify the misuse of some well-known application icons, such as Android Market, Opera browser, Minecraft or even Google Play.

Once the user runs the application he is presented with an Activity that contains a single string – “Application successfully installed”, always only in Russian “Приложение успешно установлено”.

Meanwhile, the application hides its icon from the launcher so that the user cannot find it anymore. Thankfully, it’s not as sophisticated as the Fobus family we were writing about a few weeks back, so the user can actually find it and remove it from the device by using the standard Android uninstall dialog, but honestly, who remembers all the apps they’ve installed? And even if you did, who on earth would want to uninstall Google Play, Opera or another similar app? ;-)

Applications

As we mentioned before, the self-protection mechanism this malware uses is to hide it’s icon from the launcher. This is done by employing the PackageManager to set the componentEnabledSetting to DISABLED. As you can see in the picture below.

HideIcon

The author controls the malware via C&C

Xbot malware is controlled by the author(s) through a C&C server. The server addresses are probably randomly created domains and these C&C servers allow the attacker to command the malware to start spying on the device, send SMS and download additional content on the affected device. In the next picture you can see that the communication with the C&C server uses URL parameters to send the data and a php script to process them.

C&Cserver

Based on the answer from the C&C server malware can take different actions.

One of them is that the malware can download URL content to the affected device. This URL is provided from the C&C server to the Xbot.

URL content

When content is downloaded it can be started by Xbot. On the next picture you can see the code responsible for running upee.apk which is probably downloaded through the code in the previous picture.

UpeeLaunch

Another possible course of action is that the Xbot can start spying on the infected device. It captures all received SMSs and searches for keywords in them.

PDU

If the keywords are detected, it can upload the chosen SMS to the server using a save_message.php script.

SaveSMS

The author plans for the future

We have noticed some evolution of this particular malware already. Up until now, however, the evolution has been mainly in terms of obfuscation, restructuring the code and resources. Now, though, we expect some further evolution. During the analysis, we noticed a function which seemingly doesn’t have any purpose at the moment, but may be misused in the future. This function can be, after proper implementation, used for spying on incoming calls. The containing class’s name – ICREC – is a suggestion of that as well – Incoming Call RECorder. But this is not the only thing which shows there will be probably some evolution, we also found that gettaks.php which is used for contacting the C&C server contains more fields than are being currently used.

Call recording

A sample of C&C URLs we’ve encountered:

XbotURLs
Evogen_detection

Avast makes the author really mad

One reason we find messages embedded in the code of Android malware, is because we are so successful at detecting and blocking it. Avast protects those using Avast Mobile Security against the variants of  Xbot malware. If you have not protected your Android device, please install Avast Mobile Security and Antivirus from the Google Play store.

 

Acknowledgement

Thanks to my colleague, Ondřej David, for cooperation on this analysis.

Source

Here are some samples connected with the analysis:

040F94A3D129091C972DB197042AF5F8FCF4C469B898E9F3B535CFA27B484062

2E58701986AFA87FD55B31AE3E92AF8A18CA4832753C84EA3545CEB48BB7B1A7

 

 

Avast

How to choose the best mobile security protection

Leave a comment

There are two noteworthy risks associated with owning a smartphone or a tablet. The first one is malware and the second is loss. You need to protect yourself against both, and these days there are plenty of choices for each. Some are free security apps and some are paid-for solutions.

Protect your smartphone or tablet with mobile antivirus software

Last year more than 1 billion Android devices were shipped out to customers around the world. With Android winning the majority of the smartphone market, it offers a tempting target to malware authors. I have read in some publications that the average users need not worry about being infected with a virus on their phone or tablet, but with 2,850 new mobile threats being created every day by hackers the odds are getting worse.

Even if you think your chances are low, we suggest that you go ahead and install a good mobile antivirus software. The great thing about Avast Mobile Security is that it’s free, so your investment is minimal – just a few minutes of setup and you’re done.

Avast Mobile Security includes antivirus protection which scans your apps to see what they are doing, and a Web shield that scans URLs for malware or phishing. Malicious apps allow malware to enter your phone, so it’s good to have Avast on your side to detect when a bad one slips by on Google Play or another app store.

Avast Mobile Security gives Android users 100% protection against malicious apps.

Avast Mobile Security gives Android users 100% protection against malicious apps.

To compare the choices of mobile antivirus software, you can look at the January 2015 “Mobile Security Test” conducted by the independent labs at AV-TEST. They looked at 31 popular Android security apps. Avast Mobile Security tops the list because it detected 100% of malicious apps without any impact on the battery life or slowing down of the device.

Install Avast Mobile Security and Antivirus from the Google Play store.

Protect your smartphone or tablet against loss or theft

Hackers aren’t the only risk – theft or loss of your device is more probable. In a famous stat from 2 years ago, Norton figured that 113 phones were lost or stolen every minute at the tune of $7 million a day! With all the personal and maybe even company data you have stored, losing your phone could be devastating.

You can protect your device and the data on it by following some easy tips and installing Avast Anti-theft. Avast Anti-theft is an app that you can download with Avast Mobile Security for free. The anti-theft feature is hidden from thieves and allows you to remotely control your smartphone using SMS or via your MyAvast account. You can back up personal data and track your phone or sound an alarm if it’s lost or stolen.

Install Avast Anti-theft from the Google Play store.

Avast

Mobile Crypto-Ransomware Simplocker now on Steroids

Leave a comment

In June 2014, we told you about mobile ransomware called Simplocker that actually encrypted files (before Simplocker, mobile ransomware only claimed to encrypt files to scare users into paying). Simplocker infected more than 20,000 unique users, locking Android devices and encrypting files located in the external storage. Then, it asked victims to pay a ransom in order to “free” the hijacked device. It was easy to decrypt the files affected by this variant of Simplocker, because the decryption key was hardcoded inside the malware and was not unique for each affected device.

Dangerous unique keys

keyBut now there is a new, more sophisticated variant of Simplocker in town that has already infected more than 5,000 unique users within days of being discovered. The reason why this variant is more dangerous than its predecessor is that it generates unique keys for each infected device, making it harder to decrypt infected devices.

To use an analogy, the original variant of Simplocker used a “master key” to lock devices, which made it possible for us to provide a “copy of the master key” (in the form of an app, Avast Ransomware Removal) to unlock already infected devices. The new variant however, locks each device with a “different key” which makes it impossible to provide a solution that can unlock each infected device, because that would require us to “make copies” of all the different “keys”.

Why would anybody install Simplocker?!

The reason why people install this new variant of Simplocker is because it goes undercover, meaning people don’t even realize that what they are installing is ransomware!

Fake Flash

Tricky Simplocker pretends to be a real app.

 

In this case, the new variant of Simplocker uses the alias “Flash Player” and hides in malicious ads that are hosted on shady sites. These ads mostly “alert” users that they need Flash Player installed in order to watch videos. When the ad is clicked on, the malicious app gets downloaded, notifying the user to install the alleged Flash Player app. Android, by default, blocks apps from unofficial markets from being installed, which is why users are notified that the install is being blocked for security reasons.
Device Admin Request

 

Users should listen to Android’s advice. However, users can go into their settings to deactivate the block and download apps from unknown sources. Once installed, a “Flash Player” app icon appears on the device and when it is opened the “Flash Player” requests the user grant it administrator rights, which is when the trouble really begins.

As soon as the app is granted administrator rights, the malware uses social engineering to deceive the user into paying ransom to unlock the device and decrypt the files it encrypted. The app claims to be the FBI, warning the user that they have found suspicious files, violating copyright laws demanding the user pay a $200 fine to decrypt their files.

device-2015-02-05-143216  FBI warning is an example of social engineering

What should I do if I have been infected?

We do NOT recommend you pay the ransom. Giving into these tactics makes malware authors believe they are succeeding and encourages them to continue.

If you have been infected by this new strain of Simplocker, back up the encrypted files by connecting your smartphone to your computer. This will not harm your computer, but you may have to wait until a solution to decrypt these files has been found. Then boot your phone into safe mode, go into the administrator settings and remove the malicious app and uninstall the app from the application manager.

Avast protects users against Simplocker

Avast Mobile Security protects users against both the old and new variant of Simplocker, the new variant is detected as: Android:Simplocker-AA.

A more technical look under the hood:

As the fake FBI warning is being shown to users, the malware continues working in the background, doing the following:

    • The malware decrypts the internal configuration in order to get information like C&C (command and control) commands, the extensions to encrypt, and which users should communicate through Jabber to get the private configuration.
2015-02-05_17-26-17

Internal Config

  • The malware communicates to the server every 60 minutes. Upon the first communication with the server it sends data like: BUILD_ID, AFFILIATE_ID, IMEI, OS, OperatorName, PhoneNumber, and Country to identify the device. Furthermore it checks whether the files have been encrypted or not. Also if a voucher has been entered, it sends back the type and the code. All the data that gets sent back to the server is formatted as: Base64 ( CRC(data) + MalwareEncryption(data) )
  • The data that is received by the server (private config) is saved into file <name>.properties in the root external storage folder of the device.

Command and Control (C&C)

The malware communicates with the C&C server through the XMPP protocol and Jabber.

graphserver

Communication with the C&C

The malware opens the connection in one of the JIDs (Jabber IDs) that can be found in the internal config (ex. [email protected]:LarXrEc6WK2 ).
2015-02-05_13-20-34

The connection is established  to the domain server (xmpp.jp)., then uses the username (timoftei) and the password (LarXrEc6WK2) to authorize itself. After authorization it tries to get the buddy list (roster) of the user. Each of the buddies are compared with the internal list, from internal config, in order to find the “master JID”, possibly the one user that will send back the data (private config) to the malware. After this process, the data is parsed and saved into the file <name>.properties  in the root external storage folder of the device.

After the retrieval of the private config the malware starts encrypting files.

SHA-256 Hash List:

  • 4A0677D94DD4683AC45D64C278B6E77424579433398CA9005C50A43FBBD6C8C2
  • 8E9561215E1ACE91F93B4FAD30DA6F368A9E743D3BE59EA34061ECA8EBAB1F33
  • 93FE7B9212E669BCF443F82303B41444CFE53ACEF8AC3A9F276C0FD2F7E6F123