Tag Archives: premium sms

Can my mobile phone be attacked by malware?

Mobile malware is a growing threat.

Banking, shopping, email. We do things on our phones that used to only be done on our desktop PC. Hackers know valuable data is stored on people’s phones, and they increasingly find new ways to attack mobile users.


These devices have information on them that is valuable to hackers

The most common mobile threats are adware packaged as fun gaming apps that provide little value and spam users with ads. SMS attacks are malware that sends unauthorized premium SMS or makes premium-service phone calls. This results in a large monthly bill for the user and a significant source of revenue for cybercrooks.

The most aggressive malware is mobile ransomware. Simplocker was the first Android ransomware to encrypt user files, and now there are thousands of variations that make it nearly impossible to recover the encrypted data on a smartphone.

Privacy is an issue with vulnerabilities such as Certifi-gate and Stagefright, both of which can be exploited to spy on users. Certifi-gate put approximately 50 percent of Android users at risk, and Stagefright made nearly 1 billion Android devices vulnerable to spyware.

Avast protects mobile devices from malware

Avast Mobile Security for Android scans mobile devices and secures them against infected files, phishing, malware, and spyware. The app provides people with the most advanced mobile malware protection available, now even faster with Avast’s leading cloud scanning engine. Install Avast Mobile Security for free!

Avast protects from unsecure Wi-Fi networks

Because cybercrooks take advantage of unsecure routers and Wi-Fi hotspots, we added Wi-Fi Security which notifies the user when connecting to an unsecure router. The user quickly identifies the security level of Wi-Fi hotspots and can evaluate the risks and decide whether to disconnect or use a VPN instead.

Avast protects user privacy

Privacy concerns range from permission-hungry apps to nosy children. Avast Mobile Security’s Privacy Advisor informs the user about what data apps have access to and ad networks included within apps. To defend their personal data against prying eyes, users can now lock an unlimited number of apps on their device using the App Locking feature.

Avast Mobile Security is available for free in the Google Play Store.

Visit Avast at Mobile World Congress

If you are attending Mobile World Congress in Barcelona, February 22 – 25, please visit Avast to see the app in hall 8.1, booth H65.

Android malware Fobus now targeting users in the U.S., Germany and Spain

In mid-January we informed you of a data-stealing piece of Android malware called Fobus. Back then Fobus mainly targeted our users in Eastern Europe and Russia. Now, Fobus is also targeting our users in the USA, United Kingdom, Germany, Spain and other countries around the world.

Fobus can cost its unaware victims a lot of money, because it sends premium SMS, makes calls without the victims’ knowledge and can steal private information. More concerning is that Fobus also includes hidden features that can remove critical device protections. The app tricks users into granting it full control of the device and that is when this nasty piece of malware really begins to do its work. You can find some more technical details and analysis of Fobus in our previous blog post from January.

Today, we decided to look back and check on some of the data we gathered from Fobus during the last six months. We weren’t surprised to find out that this malware family is still active and spreading, infecting unaware visitors of unofficial Android app stores and malicious websites.

The interesting part of this malware is the use of server-side polymorphism, which we suspected was being used back in January but could not confirm. We have now confirmed that server-side polymorphism is being used by analyzing some of the samples in our database. Most of these have not only randomly-generated package names, but it also seems that they have randomly-generated signing certificates.

Number of users who have encountered Fobus

Geographical reach expanded from the East to the West

Previously, we predicted that we would probably see a steady growth in the number of encounters users have with this malicious application. A review of the results, however, beats all of our predictions. At the beginning, this malware mainly targeted mobile users in Russian speaking countries. As our detections got smarter and we discovered new mutations of Fobus, we discovered that many other countries are affected as well. Now Fobus, although it still mainly targets users in Eastern Europe and Russia, is also targeting our users in the USA, Germany, United Kingdom, Spain, and other countries around the world.

The above graph shows the number of unique users (user IDs) encountering Fobus per day. The graph is also divided geographically by the country codes reported by the users’ connection location.

Number of times users encountered Fobus by country (as of July 21, 2015):

  • Russia: 87,730
  • Germany: 25,030
  • Spain: 12,140
  • USA: 10,270
  • UK: 6,260
  • Italy: 5,910

There are two great leaps visible in the graph, which mark the days when new versions of Fobus were discovered and new detections protecting our users were released. These three detections seem to be particularly effective at their task. The high impact in countries outside of Russia and English-speaking regions, which can be seen in the graph, is a little surprising, especially considering that the malware typically comes only in Russian and English, and even the English version contains some strings in Russian. It seems the authors were too lazy to translate their own app properly…

World map showing the percentage of users who encountered Fobus

An app, built just for you

Now, let’s dig into the analysis. We will look at the certificates used to sign some of the Fobus samples. We already mentioned the problems connected with generating unique applications for each victim (server-side polymorphism). This does not only apply to rebuilding, repackaging and obfuscating each instance of the app itself, but also extends to their signing certificates. To back this up, we analyzed around 4,000 samples and inspected how these certificates were used. We verified that each build of the malicious app is typically seen by one user only, even though its signing certificate can be used to sign multiple apps. Virtually all of the samples we have show very low prevalence, meaning that different users only very rarely see the same app instance. As for the signing certificates, we believe that they are being regenerated on a regular basis. We were able to pick a few examples of such certificates from our statistics.

As you can see from the screenshots above, these certificates are dated 28 and 30 May 2015, and the differences between the starts of their validity periods are on the order of minutes, sometimes even seconds. We have also found some samples whose certificates have randomly generated credentials altogether.

The screenshot above shows an example of such randomly generated certificates.
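
Batch-generated certificates of this kind can be picked out automatically. The script below is an added example, not code from this post or from Avast: it assumes the signer certificate has already been extracted from each APK and reduced to its subject fields and notBefore timestamp (the records in SAMPLE_CERTS are constructed for the demo), groups certificates whose validity periods start within a few minutes of each other, and flags subject fields that look machine-generated rather than like a company or developer name. The 10-minute gap and the randomness heuristic are the example’s own assumptions.

```python
"""Signing-certificate triage for server-side polymorphism.

Added example, not code from this post or from Avast. It assumes the signer
certificate has already been extracted from each APK (for example from
META-INF/*.RSA with a PKCS#7 parser) and reduced to a few metadata fields. The
records below are constructed for the demo; "id" stands in for the certificate
fingerprint. The 10-minute gap and the randomness heuristic are assumptions.
"""
from datetime import datetime, timedelta

# Constructed records: a batch dated 28 May, a batch dated 30 May, two
# certificates with random-looking subject fields, and one ordinary developer
# certificate for contrast.
SAMPLE_CERTS = [
    {"id": "cert-01", "cn": "Mobile Apps", "o": "Dev Studio", "not_before": "2015-05-28 06:01:12"},
    {"id": "cert-02", "cn": "Mobile Apps", "o": "Dev Studio", "not_before": "2015-05-28 06:01:40"},
    {"id": "cert-03", "cn": "Mobile Apps", "o": "Dev Studio", "not_before": "2015-05-28 06:04:05"},
    {"id": "cert-04", "cn": "Mobile Apps", "o": "Dev Studio", "not_before": "2015-05-30 11:20:00"},
    {"id": "cert-05", "cn": "Mobile Apps", "o": "Dev Studio", "not_before": "2015-05-30 11:21:30"},
    {"id": "cert-06", "cn": "qzkxwprt", "o": "vbnmlkjh", "not_before": "2015-06-02 03:00:00"},
    {"id": "cert-07", "cn": "hgfdsapo", "o": "ztrewqyx", "not_before": "2015-06-02 03:00:07"},
    {"id": "cert-08", "cn": "Example Games Ltd", "o": "Example Games Ltd", "not_before": "2014-11-03 09:15:00"},
]

VOWELS = set("aeiouy")


def looks_random(value, min_len=6):
    """Heuristic: a subject field with few vowels or a long run of consonants is
    more likely machine-generated than a real company or developer name."""
    letters = [c.lower() for c in value if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest_run = max(longest_run, run)
    return vowel_ratio < 0.3 or longest_run >= 5


def with_timestamps(records):
    """Return copies of the records with not_before parsed into a datetime."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["not_before_dt"] = datetime.strptime(rec["not_before"], "%Y-%m-%d %H:%M:%S")
        out.append(copy)
    return out


def batch_clusters(records, max_gap=timedelta(minutes=10)):
    """Group certificates, in chronological order, whenever the next validity
    period starts within max_gap of the previous one. Two or more certificates in
    one group point to an automated batch rather than a developer's releases."""
    ordered = sorted(records, key=lambda r: r["not_before_dt"])
    clusters, current = [], []
    for rec in ordered:
        if current and rec["not_before_dt"] - current[-1]["not_before_dt"] > max_gap:
            if len(current) > 1:
                clusters.append([r["id"] for r in current])
            current = []
        current.append(rec)
    if len(current) > 1:
        clusters.append([r["id"] for r in current])
    return clusters


def triage(records):
    """Run both checks and return the certificate ids each one flagged."""
    recs = with_timestamps(records)
    random_subjects = [r["id"] for r in recs if looks_random(r["cn"]) or looks_random(r["o"])]
    return {"batch_clusters": batch_clusters(recs), "random_subjects": random_subjects}


if __name__ == "__main__":
    result = triage(SAMPLE_CERTS)
    for cluster in result["batch_clusters"]:
        print("generated in one batch:", ", ".join(cluster))
    print("random-looking subjects:", ", ".join(result["random_subjects"]))
```

Run against a real sample set, the clustering step is what turns thousands of low-prevalence files into a handful of generation batches, which is the property worth tracking for a polymorphic family; the subject heuristic is only a tie-breaker and will miss authors who copy a plausible-looking name.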

To conclude, we would like to encourage you to think twice about the apps you install on your phone, especially if you download them from third-party stores and unknown sources. If you download apps from the Google Play Store, you’re on the safe side. Requiring nonstandard permissions – especially permissions that don’t seem necessary for the app to function properly – may be a sign that something fishy is going on. You should be very suspicious of an app that requests device administrator access and think twice before downloading it.

Acknowledgement

Special thanks to my colleague, Ondřej David, for cooperation on this analysis.

Angry Android hacker hides Xbot malware in popular application icons

Android Malware Xbot Spies on Text Messages

In the past few weeks, the Avast Mobile Security analysts have been focusing on Android malware which targets users in Russia and Eastern Europe. One of the families that caught our interest was the Xbot malware.

The name Xbot comes from the sample itself as the string Xbot was found in all variants of this malware. Xbot uses a variety of names and package names but this string was, with different levels of obfuscation, in every single file we analyzed so we decided to name the malware after it.

Xbot is not an app itself, but is included in different apps. We didn’t identify it in apps available on Google Play, but on local Russian markets like www.apk-server12.ru. Users in Eastern Europe use markets other than Google Play more than West European and U.S. users do, which might be one of the reasons why the cybercriminals chose this distribution channel. Xbot tries to hide behind apps that look like legitimate apps, such as Google Play or the Opera Browser. It collects tons of permissions, which allows it to spy on the user’s SMS, and the malware could potentially spy on people’s phone calls in the future, too. It also sends premium SMS behind the user’s back, so basically it is malicious through-and-through.

From the beginning of February we have seen 353 unique files with more than 2,570 unique install GUIDs. These numbers are not the highest ones we’ve ever seen, but they still, unfortunately, show the potential of Android malware and social engineering.

The author hides a message

One interesting thing we discovered is that the malware author is not shy about expressing his anger with the antivirus companies who detect his masterpiece. Sometimes we find embedded messages addressed to malware analysts. This one is quite strong. See if you can spot it: //9new StringBuilder("FUCK_U_AV")).append("1").toString();. Messages like this are nothing new in malware samples, because security companies like Avast can really cut into the bad guys’ income from this type of malware.

The author tries to cover his tracks

As a part of its anti-analysis protection, the author(s) try to obfuscate these samples to make them harder to read. This protection is fairly simple, though: it usually consists of adding junk characters which are excluded at runtime, or of running ProGuard, which mangles the method names and file structure.

The samples we analyzed contain two different packages. One package contains only a single class, which works as a sort of settings holder and contains the URL to connect to, the name of an additional APK (possibly with extended functionality) and local preference settings.

  • The connection URL is mostly gibberish and varies between the samples we analyzed. It is used as a C&C server and also as storage for information about the infected device.
  • The second string is the name of an additional APK which is downloaded and stored in /mnt/sdcard/.

The second package contains the larger part of the functionality. This package shows us three distinct and important functionalities of this malware.

  • The first is a function responsible for checking whether the additional APK exists in /mnt/sdcard/, which allows the malware to download it in case it doesn’t.
  • The second function monitors incoming SMS for keywords and, based on those, can capture the received messages and store them on the server, where they can be misused by the attacker.
  • The third function is the ability to send SMS messages from the compromised device to any number the author(s) of the malware want. These numbers are usually premium numbers whose profit is paid back to the bad guys.

On the next picture you can see all permissions requested by the malware.

As you can see, the malware requests the RECEIVE_BOOT_COMPLETED permission, which allows it to persist on the compromised device, i.e. the malware automatically restarts when the device restarts.

The author attempts to hide the malware

The malicious app tries to be stealthy. It uses a few tricks to fool the user into running it. First, by analyzing the sample set of this family, we were able to identify the misuse of some well-known application icons, such as Android Market, Opera browser, Minecraft or even Google Play.

Once the user runs the application he is presented with an Activity that contains a single string – “Application successfully installed”, always only in Russian “Приложение успешно установлено”.

Meanwhile, the application hides its icon from the launcher so that the user cannot find it anymore. Thankfully, it’s not as sophisticated as the Fobus family we were writing about a few weeks back, so the user can actually find it and remove it from the device by using the standard Android uninstall dialog, but honestly, who remembers all the apps they’ve installed? And even if you did, who on earth would want to uninstall Google Play, Opera or another similar app? ;-)

As we mentioned before, the self-protection mechanism this malware uses is to hide its icon from the launcher. This is done by using the PackageManager to set the component’s enabled setting to DISABLED, as you can see in the picture below.

The author controls the malware via C&C

Xbot malware is controlled by the author(s) through a C&C server. The server addresses are probably randomly created domains, and these C&C servers allow the attacker to command the malware to start spying on the device, send SMS and download additional content to the affected device. In the next picture you can see that the communication with the C&C server uses URL parameters to send the data and a PHP script to process them.

Based on the answer from the C&C server, the malware can take different actions.

One of them is that the malware can download URL content to the affected device. This URL is provided to Xbot by the C&C server.

When content is downloaded it can be started by Xbot. On the next picture you can see the code responsible for running upee.apk which is probably downloaded through the code in the previous picture.

Another possible course of action is that the Xbot can start spying on the infected device. It captures all received SMSs and searches for keywords in them.

If the keywords are detected, it can upload the chosen SMS to the server using a save_message.php script.

The author plans for the future

We have noticed some evolution of this particular malware already. Up until now, however, the evolution has been mainly in terms of obfuscation and restructuring of the code and resources. Now, though, we expect some further evolution. During the analysis, we noticed a function which seemingly doesn’t have any purpose at the moment, but may be misused in the future. After proper implementation, this function could be used for spying on incoming calls. The name of the containing class, ICREC, suggests as much as well: Incoming Call RECorder. But this is not the only sign of probable further evolution; we also found that gettaks.php, which is used for contacting the C&C server, contains more fields than are currently used.
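
Because the C&C traffic described above consists of plain HTTP requests carrying data in URL parameters to PHP scripts, and the additional payload is fetched as an APK, this activity can be spotted in proxy or gateway logs. The script below is an added example, not code from this post or from Avast. It scans constructed log lines for the script names the post mentions (gettaks.php and save_message.php) and for APK downloads from hosts outside a constructed allow-list, then groups the hits by client address. The log format, host names and allow-list are the example’s own assumptions.

```python
"""Proxy-log triage for the Xbot C&C pattern described in the post.

Added example, not the post's or Avast's code. It assumes a simple proxy log of
the form "<timestamp> <client-ip> <method> <url>"; the lines, host names and the
allow-list below are constructed for the demo.
"""
from urllib.parse import urlsplit, parse_qs

# Script names taken from the write-up.
KNOWN_C2_SCRIPTS = {"gettaks.php", "save_message.php"}

# Constructed allow-list: hosts from which this organisation expects APK downloads.
TRUSTED_APK_HOSTS = {"apk-mirror.internal.example"}

# Constructed proxy log. Host names use the reserved .example TLD; the device id
# and phone number are placeholders, not real indicators.
SAMPLE_LOG = """\
2015-03-02T10:14:03Z 10.0.0.7 GET http://qzkvtrplx.example/gettaks.php?id=CONSTRUCTED-DEVICE-ID&v=3
2015-03-02T10:14:09Z 10.0.0.7 GET http://www.example.com/search?q=weather
2015-03-02T10:15:30Z 10.0.0.7 GET http://qzkvtrplx.example/save_message.php?id=CONSTRUCTED-DEVICE-ID&from=%2B000000000&text=code+1234
2015-03-02T10:16:00Z 10.0.0.7 GET http://xwmbnhgtr.example/upee.apk
2015-03-02T10:16:05Z 10.0.0.9 GET http://www.example.com/index.php?page=about
2015-03-02T10:16:40Z 10.0.0.9 GET http://apk-mirror.internal.example/tools/update.apk
"""


def parse_line(line):
    """Split one log line into its four fields."""
    ts, client, method, url = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "method": method, "url": url}


def classify_url(url):
    """Return the reasons (possibly none) why a single request looks like Xbot traffic."""
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if filename in KNOWN_C2_SCRIPTS:
        params = parse_qs(parts.query)
        reasons.append("C&C script %s called with %d URL parameters (%s)"
                       % (filename, len(params), ", ".join(sorted(params))))
    if filename.endswith(".apk") and parts.hostname not in TRUSTED_APK_HOSTS:
        reasons.append("APK download from untrusted host %s" % parts.hostname)
    return reasons


def scan_log(text):
    """Map each client address to the list of (timestamp, reason) hits found for it."""
    hits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for reason in classify_url(rec["url"]):
            hits.setdefault(rec["client"], []).append((rec["ts"], reason))
    return hits


def likely_infected(hits):
    """Clients that both contacted a C&C script and pulled an APK from an untrusted
    host, i.e. the beacon-then-payload sequence the post describes."""
    infected = []
    for client, events in sorted(hits.items()):
        reasons = [reason for _, reason in events]
        has_c2 = any(r.startswith("C&C script") for r in reasons)
        has_apk = any(r.startswith("APK download") for r in reasons)
        if has_c2 and has_apk:
            infected.append(client)
    return infected


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for client, events in sorted(hits.items()):
        for ts, reason in events:
            print(client, ts, reason)
    print("likely infected:", ", ".join(likely_infected(hits)))
```

The script-name match is brittle on its own, since the operator can rename gettaks.php at will; the APK-from-untrusted-host rule and the per-client correlation are what keep the detection useful once the names change.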

A sample of C&C URLs we’ve encountered:

Avast makes the author really mad

One reason we find messages embedded in the code of Android malware is that we are so successful at detecting and blocking it. Avast protects those using Avast Mobile Security against the variants of Xbot malware. If you have not protected your Android device, please install Avast Mobile Security and Antivirus from the Google Play Store.

Acknowledgement

Thanks to my colleague, Ondřej David, for cooperation on this analysis.

Source

Here are some samples connected with the analysis:

040F94A3D129091C972DB197042AF5F8FCF4C469B898E9F3B535CFA27B484062

2E58701986AFA87FD55B31AE3E92AF8A18CA4832753C84EA3545CEB48BB7B1A7

Fobus, the sneaky little thief that could

One small Android application shows lots of determination and persistence. Too bad it’s evil.

Mobile malware, Fobus, acts like this famous little engine. "I think I can, I think I can!"

The year 2014 saw a huge rise in mobile malware. One of the families impacting our users was the malware Fobus, also known as Podec. This malware poses as a more or less useful application, but it certainly won’t be what the user expects. It usually comes in two language versions, English and Russian, and the applications seem to be generated automatically.

All that, and a bag of chips

From the permissions in the manifest, we can see that once Fobus is installed on the victim’s device it can not only send SMS and call premium numbers, which may cost a lot of money, but also works as spyware and can steal personal data from the infected device. That’s a lot of bad stuff packed into one small application.

Next up is a bit more technical stuff. If you are really eager, skip to the “Me thinks that something is amiss” section to see how it works.

Inspecting the manifest file provides clues to the automatic modification of the application files. As you can see in the following picture, service names are randomly generated. Going through samples in our database, we were able to identify some similarities, which helped us categorize this malware as the Fobus family.

The manifest also includes several receivers which are indicators that the malware is able to spy on the device. It can also protect itself against uninstallation.

This receiver provides persistence of Fobus.

These receivers are able to check the outgoing calls and received SMS.

The receiver pictured here helps to protect the malware against removal.
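
The receivers and permissions described here for Fobus, together with the SMS-interception, premium-SMS and boot-persistence functions described for Xbot above, can all be read from the decoded manifest before the app is ever run. The following script is an added example, not code from this post or from Avast. It parses a constructed AndroidManifest.xml modelled on the behaviour described (placeholder package and class names; the permission and action strings are the standard Android identifiers) and reports which of those behaviours the manifest enables. The scoring rule is the example’s own.

```python
"""Static manifest triage for the Fobus/Xbot behaviour described in the posts.

Added example, not the posts' or Avast's code. SAMPLE_MANIFEST is a decoded
AndroidManifest.xml constructed for the demo (placeholder package and class
names); the permission and action strings are the standard Android identifiers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.adblock">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application android:label="Ad Block">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".qwzrtpl">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".xkvbnmj">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".plmnhgf" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
        <action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Extract permissions and receiver actions, then map them to the behaviours
    described in the posts. Returns the app identity, the findings and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    receiver_actions, sms_priority, admin_receiver = set(), 0, False
    for rcv in root.iter("receiver"):
        if rcv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            admin_receiver = True
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name", "") for a in flt.iter("action")}
            receiver_actions |= actions
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                # base 0 accepts both decimal and 0x... values from decoders
                sms_priority = max(sms_priority, int(flt.get(ANDROID_NS + "priority", "0"), 0))

    findings = []
    if {"SEND_SMS", "CALL_PHONE"} <= perms:
        findings.append("can send SMS and place calls without user interaction (premium-rate abuse)")
    if "RECEIVE_SMS" in perms and "android.provider.Telephony.SMS_RECEIVED" in receiver_actions:
        findings.append("receiver on SMS_RECEIVED (priority %d): can read incoming SMS" % sms_priority)
    if "android.intent.action.NEW_OUTGOING_CALL" in receiver_actions:
        findings.append("receiver on NEW_OUTGOING_CALL: observes outgoing calls")
    if "RECEIVE_BOOT_COMPLETED" in perms and "android.intent.action.BOOT_COMPLETED" in receiver_actions:
        findings.append("receiver on BOOT_COMPLETED: restarts with the device")
    if admin_receiver and "android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED" in receiver_actions:
        findings.append("device-admin receiver handles DEVICE_ADMIN_DISABLE_REQUESTED: can react to deactivation attempts")

    application = root.find("application")
    return {
        "package": root.get("package"),
        "label": application.get(ANDROID_NS + "label") if application is not None else None,
        "findings": findings,
        # Assumed rule: three or more of these behaviours in one app warrants a look.
        "verdict": "suspicious" if len(findings) >= 3 else "review",
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print("%s (%s): %s" % (report["package"], report["label"], report["verdict"]))
    for finding in report["findings"]:
        print(" -", finding)
```

Each finding on its own can be legitimate (an SMS app needs SMS_RECEIVED, a launcher needs BOOT_COMPLETED); the point of the combined report is to compare what the manifest enables with what the app claims to be, which is exactly the mismatch the posts describe for an “ad blocker”.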

Me thinks that something is amiss

During installation, the Fobus permissions already show that something might not be in order. But, we all know, that most people fly through this step without much thought.

The Great Pretender

Fobus pretends to be an Ad Block, but permissions to make phone calls, send messages, use system tools, and use services that cost money should not really be needed for an Ad Block application, nor for most legitimate applications. That is, unless you hope it will block unsolicited calls and marketing SMSs. Our advice: always take great care when an application requires these types of permissions and try to link them to the expected app functionality. Inadequate permission requirements are often the first indicator of something fishy.

When the user accepts all these permissions nevertheless, Fobus installs as any other application would.

Here comes trouble!

The real trouble, however, begins when the user runs this application and grants Fobus device administrator privileges.

Once the user activates the device administrator, the application icon disappears from the device.

But in fact, Fobus is still on the device and starts doing what it was built for – SPYING on the device! The user is not able to stop or uninstall this application by standard means. Why? Because they gave the app permission to do all these things in the previously accepted device administrator policy!

Well, just deactivate the device administrator and uninstall this application… That shouldn’t be so hard, right? But it is! The application is easily visible in the device administrator along with the deactivation button. So what is the problem?

Blink and you’ll miss it…

The sneaky Fobus has a receiver which listens for the device_admin_disable_request. The moment the user tries to deactivate the device administrator, this receiver catches the request and forces the device to lock the screen with a call to the device policy lockNow() function. This prevents the user from confirming the deactivation.

Afterwards, the application attempts to relock the screen on every unlock attempt. The confirmation box is visible for just a moment before the application forces the lock screen, but the user will never be able to confirm it in time, because the device is not able to capture the user’s tap on the screen. The screen locking usually lasts for a while, until the confirmation box simply disappears. Sometimes users are required to push one of the hardware buttons on their device to activate the screen. When they finally manage to unlock the device, the application is still there and happily running. By now, the person who installed this sneaky little thief is not a happy camper.

Empty threats

Should the user have lightning-fast reflexes and be able to get past the screen-locking mechanism, the authors have another trick up their sleeves. This time, they try to scare users away from disabling the device administrator privilege by threatening to perform a full factory reset.

Fobus shows the user a fake warning about a full factory reset during which the user will lose all data stored on their device. “Heavens, NO!”, most users will say, as they choose the cancel button. But when the user is brave and pushes the OK button, the device administrator privilege will be successfully removed and the user will also be able to uninstall the malicious application from the mobile device.

This is a pretty strong uninstall prevention, isn’t it?

It can be very difficult to circumvent this type of protection, especially since the application cannot be uninstalled by any other means, like ADB or safe mode. In ADB, the uninstall operation fails, and even though safe mode disables user-installed applications, in this case the malicious application is still protected by the device administrator privileges and therefore cannot be uninstalled.

How to remove this persistent malware

Affected victims can use third party software to remove this malicious application from their mobile device or actually perform the suggested factory reset.

The removal itself is a two-phase process.

First, you need to deactivate the device administrator privilege.

Then, uninstall Fobus itself.

The little malware that could…

What makes Fobus so special is not that it can spy on victims’ devices, send SMSs, or call premium numbers; there are loads of malicious apps that can do that. Just like The Little Engine That Could, Fobus never gives up. Usually users are able to remove bad apps from their devices easily by themselves, simply by uninstalling them. Fobus, though, doesn’t give up so easily; its strong removal protection can frustrate even the most experienced users.

Acknowledgement

Thanks to my colleague, Ondřej David, for cooperation on this analysis.

The Little Engine That Could image is from Hero Wikia.

Source

Here is a sample connected with the analysis:

011a379b3f81dbfb4f6fb4f5c80b5ba4cf9f0677f0ee30c3a8d41711ade2d226