Tag Archives: Technology

Digital Certificates – How helpful are they?

Digital Certificates, or more precisely the Windows code signature that embeds them, contain some or all of the following information (not every attribute has to be present):

  • Program Name: Name of the software, as declared by the signer.
  • Publisher Link: Link to the software developer / company.
  • More Info Link: Additional link to a page of the signer's choosing.
  • Signer Serial Number: Serial number of the signer's certificate (in hex).
  • Signer Issuer Name: Name of the certificate authority that issued the signer's certificate.
  • Signer Subject Name: Name of the company that signed the software.
  • Timestamp Serial Number: Serial number of the timestamping certificate (in hex).
  • Timestamp Issuer Name: Name of the certificate authority that issued the timestamping certificate.
  • Timestamp Subject Name: Name of the timestamping service that countersigned the signature.
  • Date: Date of the timestamp, i.e. when the software was signed (not necessarily when it was built).

This is what a certificate looks like in a debugger view:


Below you can see the same certificate as before but in the general MS Windows overview:

Things are changing though: since malware authors have found ways to steal or fake digital certificates, one can never be really sure whether a file with a valid certificate is legitimate or not.

Suspicion: How can I find out if a digital certificate is trustworthy?

  • First of all, the certificate should be valid and not expired. Anything else can be seen as suspicious, although not reliably so: an old tool may well carry an expired but otherwise perfectly genuine signature.
  • Another very easy check is to compare the name of the downloaded file with the program name declared in its signature. If they do not match, the certificate may have been stolen or faked.
  • It is also always worth checking whether the signature carries a countersignature (a trusted timestamp). In some cases a missing countersignature can be a sign of malware.
  • A quick web search often brings up more information about the reputation and trust level of the signer and their software.

Also, it is necessary to know whether a signature is still valid or has expired. This can add value to the classification, although when working with adware one often encounters perfectly valid signatures.

The other way around: Classifying files based on digital certificates

On the other hand, adware vendors also use certificates to prove that their files are theirs. We, as an antivirus company, can use this to our advantage: it lets us classify files as suspected adware or other potentially unwanted applications in a very simple manner.

If it is known that a certain adware type is always signed by the same signer, we can classify that signer as potentially adware-related. Any new, unknown file that is also signed by it is then considered potentially adware-related as well. This works for all other prefixes too, like APPL, PUA etc.

Obviously, this kind of classification is not highly reliable, but it gives us the opportunity to quickly find and easily filter batches of files for further analysis and for creating detections.

Let’s take a look at an example:
This is a valid certificate of a known adware vendor of the PUA/InstallCore family. Starting here, we can gather that most of the files which have "Digital Digest Pty Ltd" as the signer (subject name) are part of the same adware family. A simple Google search confirms it and verifies that said signer is at least somewhat suspicious.
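The checks listed above and the signer-based classification, as an added example in Python (this is not Avira's code). It works on signature fields that have already been extracted from a file; the field names follow the list at the top of the post, while the prefix label, the signer names in KNOWN_SIGNERS and both sample signatures are constructed data.

```python
"""Heuristic triage of the signature fields listed at the top of the post.

Added example, not Avira's code. Field names follow the post; the prefix
label in KNOWN_SIGNERS and both sample signatures are constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Signer subject names already tied to a family (assumed sample data).
KNOWN_SIGNERS = {
    "digital digest pty ltd": "PUA/InstallCore",
}


@dataclass
class SignatureInfo:
    file_name: str                  # name the file was downloaded under
    program_name: Optional[str]     # "Program Name" field, may be absent
    signer_subject: str             # "Signer Subject Name"
    signer_issuer: str              # "Signer Issuer Name" (the CA)
    not_before: datetime            # validity window of the signer certificate
    not_after: datetime
    has_countersignature: bool      # timestamp countersignature present


def _squash(name: str) -> str:
    """Lower-case, drop '.exe' and separators, so that 'Foo_Setup.exe'
    and 'Foo Setup' compare equal."""
    name = name.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return "".join(ch for ch in name if ch.isalnum())


def names_match(program_name: str, file_name: str) -> bool:
    """The declared program name should appear in the delivered file name."""
    return _squash(program_name) in _squash(file_name)


def triage(sig: SignatureInfo, now: datetime) -> Tuple[str, List[str]]:
    """Return (label, reasons). label is the family prefix when the signer
    is already known, otherwise 'suspicious' (some finding) or 'no-findings'."""
    reasons = []

    # 1. validity window: only a weak signal, old tools expire too
    if not (sig.not_before <= now <= sig.not_after):
        reasons.append("signer certificate expired or not yet valid")

    # 2. declared program name vs. the name the file arrived under
    if sig.program_name and not names_match(sig.program_name, sig.file_name):
        reasons.append("file name does not match declared program name")

    # 3. missing countersignature
    if not sig.has_countersignature:
        reasons.append("no timestamp countersignature")

    # 4. signer already classified: the new file inherits the prefix
    label = KNOWN_SIGNERS.get(sig.signer_subject.strip().lower())
    if label:
        reasons.append(f"signer previously classified as {label}")
        return label, reasons
    return ("suspicious" if reasons else "no-findings"), reasons


# Constructed samples, not real files.
SAMPLE = SignatureInfo(
    file_name="VideoConverter_Setup.exe",
    program_name="Video Converter Setup",
    signer_subject="Digital Digest Pty Ltd",
    signer_issuer="Example Code Signing CA",
    not_before=datetime(2014, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2016, 1, 1, tzinfo=timezone.utc),
    has_countersignature=False,
)
CLEAN_SAMPLE = SignatureInfo(
    file_name="avira_free_antivirus_setup.exe",
    program_name="Avira Free Antivirus",
    signer_subject="Example Software GmbH",
    signer_issuer="Example Code Signing CA",
    not_before=datetime(2014, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2016, 1, 1, tzinfo=timezone.utc),
    has_countersignature=True,
)

if __name__ == "__main__":
    for s in (SAMPLE, CLEAN_SAMPLE):
        print(s.file_name, "->", triage(s, s.not_before))
```

The expiry check deliberately only adds a reason rather than a verdict, for the reason the post gives: an old but genuine tool also expires. The signer lookup is what turns a finding into a family label.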

Several departments within the Avira Protection Lab (e.g. the engine team and protection QA) act as additional sources for suspicious certificate names. Anyone who processes a lot of files and sees any similarities in the certificates is providing the virus lab with the information needed to make a classification. This cross-department communication has proven very useful in the past and has led to many synergy effects.

Back on topic, the same vendor can use different names for its signatures, as shown here:

Conclusion

Certificates are very powerful as an analysis instrument. They cannot and will not replace conventional detection creation though: the name fields are plain text chosen by whoever applied for the certificate, which makes them not 100% reliable. But as a quick and easy addition they serve their purpose well.

The post Digital Certificates – How helpful are they? appeared first on Avira Blog.

Is logging into your smartphone, websites, or apps with a fingerprint secure?

Fingerprint authentication

Fingerprint authentication is not as safe as you would think

Just because logging in with your finger is convenient doesn't mean it's the best method to use.

Some days ago we told you about increasing your security on sites and in services by using two-factor authentication. More and more services are using this two-factor log in method. They require that you use “something you know” like a PIN or a password, “something you have” like a token app in your smartphone, and even “something you are” like your fingerprints, for instance.

Many top smartphones – starting with iPhone 5s and newer Androids – are moving to fingerprint authentication technology. That means you can unlock your phone using your finger. It’s more convenient than typing a PIN or password because you always have your finger with you (we hope!).  And you would think that it is more secure than using a gesture or pattern to unlock it.

Unfortunately, it’s not. Here’s why:

The authentication process requires that a site or a service (or your smartphone) can recognize you by something you know: a PIN or a password. This information must be stored on the service's server (or in the device's hardware) and it must be matched, i.e., the combination of two pieces (generally username and password) must match to let the right person in.

Both you and the service must know this secret combination. But that’s the problem; nowadays, a lot of sites and services have been compromised and pairs of username/passwords have been hacked and sold on the black market.

But what about using your fingerprint? It's the same scenario. A template of your finger, and the logic that matches it against a scan, has to be stored somewhere, on the device or on a server. If that store is hacked, your exact, and only, fingerprint data is in the attackers' hands.

It gets worse.

You can change your credentials to log into a site or service, but you can’t just change your finger! Well, most of us have 9 more chances after the first one is compromised, but still –  there are more than just 10 services you want to use. You can change your passwords indefinitely, you can use a stronger password, you can use a password generation service –  you’ve got the idea… But you don’t have that many choices with your fingerprint.

It gets even worse.

Everything you touch reveals you. You’re publishing your own secret.

Can you imagine banks or stores letting you use your fingerprint to gain access to your account without even a card? Coincidentally, just hours ago a news report was published saying the Royal Bank of Scotland and MasterCard recently made announcements regarding fingerprint authentication services. They announced that customers can log into the banks’ mobile banking app using their fingerprint. It’s interesting that this article says 16- to 24- years olds are driving this decision because

they want to avoid security slowing down the process of making a payment, with 64% of those surveyed saying they found existing security irritating.

This decision by major banks does not give us confidence in the security of the younger generation and their bank accounts. We venture to wonder about the police with their databases full of prints. What could be done with millions of fingerprints stored by the government?

At the end of last year, researchers from the Chaos Computer Club showed that your fingerprints can be obtained from photos of your hands and from anything you have touched. See the full presentation in this YouTube video. If you watch the whole video you'll see that an iris can also be simulated with high-quality printed photos. The iPhone fingerprint attack starts at 30:40. It took them 2 days to develop the method, and they present it in a few minutes. Amazing and scary.

Here’s another video with a quick summary of the research.

How to make yourself and your phone more secure

This blog is a source of great information. Earlier this month, we shared 14 easy things you can do right now to make your devices more secure. Please read 14 easy tips to protect your smartphones and tablets – Part I and Part II.

As always, make sure your Android device is protected with Avast Mobile Security. Install Avast Mobile Security and Antivirus from the Google Play store, https://play.google.com/store/apps/details?id=com.Avast.android.mobilesecurity

Couchdoop: Couchbase Meets Apache Hadoop

Sneak Peek:

Couchdoop is a Couchbase connector for Apache Hadoop, developed by Avira on CDH, that allows for easy, parallel data transfer between Couchbase and Hadoop storage engines. It includes a command-line tool, for simple tasks and prototyping, as well as a MapReduce library, for those who want to use Couchdoop directly in MapReduce jobs. Couchdoop works natively with CDH 5.x.
Couchdoop can help you:

  • Import documents from Couchbase to Hadoop storage (HDFS or Apache HBase)
  • Export documents from Hadoop storage to Couchbase
  • Batch-update existing Couchbase documents
  • Query Couchbase views to import only specific documents (daily imports for example)
  • Easily control performance by adjusting the degree of parallelism via MapReduce

In the remainder of this post, you’ll learn the main features of Couchdoop and explore a demo application .

Why Couchdoop?

In many Big Data applications, data is transferred from an "operational" tier containing a key-value store to an "analytical" tier containing Hadoop via Apache Flume or a queuing service such as Apache Kafka or RabbitMQ. However, this approach is not always possible or efficient, such as when the events themselves are highly related (like a shopping session with several clicks and views) and could be conveniently grouped before being pushed to Hadoop. In those cases where Couchbase serves as the operational tier, Couchdoop's import feature comes in handy. Conversely, you can use Couchdoop's export feature to move data computed with Hadoop into Couchbase for use in real-time applications.

The data collected by the operational tier can be imported into the analytical tier, where traditionally it is stored in HDFS. Using the tools provided by CDH, the data can be processed and enriched for various use cases. One use case is ad hoc querying, which allows business people to query the data in real time using Impala. Another use case is improving user experience by using machine-learning algorithms to adapt the application to users' needs. For this use case, both MapReduce and Apache Spark, which are included in CDH, can be used. (Spark comes with its own machine-learning library, MLlib.) Apache Mahout offers time-proven algorithms written in MapReduce as well as newer and faster implementations written in Spark. The outcome of the machine-learning algorithms can be exported to the operational tier using Couchdoop.

Read the whole article here.

The post Couchdoop: Couchbase Meets Apache Hadoop appeared first on Avira Blog.

Making purchases with security in mind

For other shoppers, a lot of thought may go into the purchasing process. Price is certainly something to consider, but features, design, and reliability are also other factors that many consumers will look at before they make their final decision. With that said, one area that many people forget to think about when buying a new computer or electronic device is security.

With so many stories about hacks and malware in the news today, it’s easy to see why security should also be considered with any tech purchase. After all, a security problem can turn an otherwise satisfying purchase into a nightmare.

Because of this, when it comes to security, the first thing to do is understand what kinds of security features are included on board. Are there options to customize the security settings? How extensive are they?

Outside of the hardware itself, what options are there to install third-party security software? In addition to knowing this, it’s also important to know which third-party options will work best for you and the way that you use the hardware.

While the previously mentioned items would be considered before making the purchase, attention to security doesn’t end once the hardware has been paid for. From the moment the new device is first turned on, make sure that you customize the security settings and install the necessary security applications before doing anything else. The last thing you want to do is forget to take these steps and then pay for it later. Additionally, beyond just the first steps, security should continue to be something that you check in on throughout the life of the device.

Are you going to start making security a part of your checklist when buying computers and other devices?

The post Making purchases with security in mind appeared first on Avira Blog.

Is Lack of Security Holding Back Mobile Wallets?

Yet the uptake of mobile wallets to pay for offline goods is significantly lower – Javelin Strategy Research found that mobile POS (Point of Sale) proximity payments made up just 0.01 percent of total retail volume.

So people will use a mobile device to shop at Amazon, but not to pay for items right in front of them. Is the lack of security holding back the adoption of mobile wallets?

Apple Pay is now pre-installed on iPhone 6 and 6+ devices, and is accepted in 220,000 stores and by dozens of major banks. Lagging behind, Google Wallet is accepted by 158 of the top online retailers as well as scores of offline merchants such as coffee houses and grocery stores (source: Internet Retailer). Softcard (Isis Wallet) rolled out a pilot in mid-2012 that attracted even fewer users. All three of these mobile wallet solutions use the NFC (Near Field Communication) chip in the mobile device to communicate with the POS system that accepts payment. Security is obviously compromised if the phone is stolen, but attackers can also intercept the NFC transmission and capture the wallet information without even touching the device.

To add an extra layer of security, mobile wallet designers are requiring some type of additional authentication to complete a payment transaction. One of the secure authentication methods that is gaining traction is biometric authentication, like a fingerprint reader. Biometric identification techniques also include facial recognition, voice recognition, and the most sci-fi of all, eye-scan recognition. Biometric identification is by its nature unique and harder to copy or steal than knowledge-based identification such as passwords and PIN codes.

Although biometric authentication technology has been available for many years, it took the launch of the iPhone's fingerprint reader in 2013 to bring the technology mainstream. Now other mobile device makers including HTC and Samsung are including fingerprint readers as well. Uniform standards are beginning to take shape in order to allow a payments ecosystem to form around these authentication methods and to bring down the costs for merchants to accept them.

If mobile payment methods are made sufficiently secure, mobile wallets may ultimately find adoption far beyond purchases at the café. A secure (and easy) authentication method for mobile wallets would allow them to be used for electronic ticketing like bus fares and parking garages, for larger purchases like home furnishing, and even for official government IDs like driver licenses and passports.

Solving the security challenge will allow mobile wallets and mobile payment apps to finally flourish.

The post Is Lack of Security Holding Back Mobile Wallets? appeared first on Avira Blog.

Mobile App Developers Unwittingly Aid Criminals

In turn, app developers eager to earn revenues from their hard work find it lucrative to collect as much data from their users as possible in order to offer more ad targeting data, and they can find many convenient ‘mobile monetizing kits’ to handle all the in-app ad publishing details for them.

Unfortunately, both of these practices can cause app developers unwittingly to become a mule for corrupt ad networks and privacy exploits.

Collecting too much information is a privacy risk

Collecting more information from users than is necessary just to have more data to offer to advertisers is not necessarily a good strategy. A recent study published by the Information Commissioner’s Office (ICO) in the UK found that 49% of app users decided not to download an app due to privacy concerns.

If scaring off half of your potential downloads isn’t reason enough to reconsider your app privacy policies, consider the privacy risks and negative publicity. The ICO study was part of a global survey of 1,211 mobile apps, sponsored by the Global Privacy Enforcement Network (GPEN), which enlisted 26 privacy regulators from around the world. The much-publicized conclusion of the survey was that 85% of all apps fail to properly explain what data they are collecting and how they are using it, and that 31% of apps request an “excessive number of permissions to access personal information.”

The numbers and negative attention will only get worse, as privacy groups and media continue to increase their scrutiny of data collection practices.

Corrupt ad networks imperil you and your users

Unbeknownst to many mobile app developers, their ad networks may be engaging in aggressive practices with their users and, where the network has been compromised, even installing malware on their phones. Examples include:

  • Directing users to pornographic websites and/or fake app download sites
  • Reading users’ address book contacts and sending outbound emails or calendar event requests
  • Deleting or defacing the contents of the phone's USB storage
  • Dialing out to revenue-generating numbers or sending premium SMS messages
  • Automatically authorizing in-app purchases

Other technical deficiencies in your mobile app code – such as failing to properly check SSL / TLS certificates or inter-app injection flaws – let hackers exploit your users directly.

With ad-funded mobile apps, the ad network is the data controller technically responsible for stopping malvertisements and other abuse. But the app developer carries the responsibility to collect only as much user data as needed, to protect that data from exfiltration, and to do background checks on the ad publishing networks being used. Otherwise the mobile app developer may become an unwitting aid to criminals.

The post Mobile App Developers Unwittingly Aid Criminals appeared first on Avira Blog.

How to access accounts protected by two-factor authentication if you lose your phone

Question of the week: I use two-factor authentication when logging into my accounts to keep them safe, but what happens if I lose my phone? Can I still access my accounts?

Security-minded individuals know the benefits of using two-factor authentication to keep their online accounts safe. For those of you who are not familiar with it, two-factor authentication is a security process which uses a combination of two different components, like something that you know, a master password or PIN, for instance, and something that you possess, like a token which can generate a number code or, more conveniently, your smartphone.

Using these two things in combination can provide unique identification when entering a site because you provide the password as well as a one-time use security code generated by your security token.  If someone learns your password, your accounts are still protected because they need the security code too. Two-factor authentication can reduce the incidence of identity theft and phishing, and we suggest the use of it.

Google Authenticator

Google Authenticator gives you a security token to use with your own password.

There are a number of authenticator apps made for Android smartphones. For example, Google Authenticator lets you use a security code and your own password for sites and services like Facebook, Dropbox, Evernote, and WordPress. The app creates a link between your account and your device.

I lost my phone. How do I access my accounts?

If you are so security-minded that you use two-factor authentication to begin with, then you have probably taken precautions before losing your phone. The majority of authenticator services provide a way to recover your access and remove the authorized device from your account. That is, if you change your mobile device, you can disable two-factor authentication on your account before doing so. Most commonly, you would use backup codes, have codes sent via SMS to a trusted backup phone, or use a trusted computer. Sometimes the service providers take several business days to verify your identity and, if possible, grant you access again.

But if you failed to plan ahead and lose your phone, or if you buy a new smartphone without disabling the account first, then to use two-factor authentication again you'll need to install an authenticator app on your new device. The old device and the old backup codes won't work anymore. Some of the sites you have synced to may also have their own procedure, for example Dropbox.
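The one-time codes an authenticator app generates, and the backup codes mentioned above, as an added Python example (not Google's, Authy's or Avast's code). The code implements the TOTP/HOTP algorithms from RFC 6238 and RFC 4226 using only the standard library; the 20-byte test secret is the one from RFC 6238, and the server-side drift window of one step in each direction and the 8-digit backup-code format are assumptions.

```python
"""Time-based one-time passwords as used by Google Authenticator (RFC 6238
on top of RFC 4226 HOTP), plus backup codes.

Added example, not Google's, Authy's or Avast's code. The RFC 6238 test
secret is used below; the drift window and the backup-code format are
assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(for_time) // step, digits, digestmod)


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps carry the shared secret base32-encoded in the QR
    code / provisioning URI, often without padding; pad before decoding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, code: str, now: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check allowing clock drift of +/- `window` steps.
    Constant-time comparison so the match itself leaks nothing."""
    counter = int(now) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            return True
    return False


def backup_codes(n: int = 10, ndigits: int = 8) -> list:
    """One-time recovery codes to print and keep offline. A real service
    stores only a hash of each code and invalidates it after use."""
    return ["".join(secrets.choice("0123456789") for _ in range(ndigits))
            for _ in range(n)]


if __name__ == "__main__":
    # base32 of b"12345678901234567890", the RFC 6238 SHA-1 test secret
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(key, time.time()))
    print("backup codes:", backup_codes())
```

The phone and the server share nothing but the secret and the clock, which is why a lost phone is a problem: the secret on it still produces valid codes until the service removes that device, and without backup codes there is no second way to prove you hold it.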

Recently, an app has been making the use of this security measure much more convenient. Authy is an app that manages your two-factor accounts on Android devices, iPhones, and even your PC. Any of these devices can be used to generate tokens, and they sync with each other. One authorized device can de-authorize a stolen one. A master password can block access to Authy on all of these devices, and your settings are kept encrypted locally. Neither Authy's developers nor hackers would be able to access the tokens.

Maybe this complex recovery process is what keeps two-factor authentication from being omnipresent. But, after all, you just need to take a few precautions to increase your security a lot.

What to do before your smartphone is lost

Of course, it’s better not to lose your devices and for this, you should install and configure Avast Anti-Theft, which can help you find a lost device and even recover a stolen one with its tracking features. It can be downloaded and used for free from the Google Play Store.

Wi-Fi Protected Setup is a security risk

Wi-Fi security

Using Wi-Fi to connect to the Internet is certainly handy.

However, it's very important to make sure that the connection is secure.

Here are a few reminders to prevent someone from cracking your connection and penetrating your network:

  • use WPA2 (WEP can be broken in a few seconds)
  • use a long password (to make brute-force attacks harder)
  • don't use a standard SSID (the SSID is mixed into the key derivation, so common network names have precomputed attack tables)

So to be secure, each of your guests would have to enter a long password on their smartphone or tablet, which can be seen as inconvenient ...

WPS

To make it easier, Wi-Fi Protected Setup (WPS) was introduced.

There are two different ways to connect to a WPS-enabled router:

  • push a special button on the router
  • enter the PIN printed on a label on the back of the router

So what could go wrong?
The PIN is not visible from outside, and the button is not reachable. Everything seems fine.

Weaknesses

the PIN is not so strong

First, the PIN looks like an 8-digit number, but the last digit is only a checksum, and the remaining seven are checked as two independent parts, one after the other: the router reveals whether the first four digits are right before it even looks at the rest. So an attacker only has to find the first half (10,000 possibilities), then the second (1,000 once the checksum is taken into account), around 11,000 guesses instead of 10 million. This makes attacks much faster.
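The split check, as an added Python example (not from the post or from Dominique Bongard's talk). The check-digit formula is the one from the WPS specification; the `Registrar` class is a toy stand-in for the router's PIN verification with the behaviour described above (the first four digits are confirmed before the last four are looked at, and no lockout), so the attempt counts it reports are for that model.

```python
"""Why an 8-digit WPS PIN is only about 11,000 guesses.

Added example, not from the post or from Dominique Bongard's talk. The
check-digit formula is the one from the WPS specification; `Registrar` is
a toy stand-in for the router's PIN verification, with the behaviour the
post describes: it confirms the first four digits before it ever looks at
the rest, and never locks the attacker out.
"""
from typing import Optional, Tuple


def wps_checksum(first_seven: int) -> int:
    """Eighth digit of a WPS PIN: a check digit over the first seven
    (weights 3,1,3,1,... applied from the right)."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class Registrar:
    """Toy model of the router side: the protocol messages let the other
    side learn separately whether the first half and the second half were
    right."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("bad check digit")
        self._p1, self._p2 = pin[:4], pin[4:]

    def check_first_half(self, p1: str) -> bool:
        return p1 == self._p1

    def check_second_half(self, p1: str, p2: str) -> bool:
        return p1 == self._p1 and p2 == self._p2


def recover_pin(reg: Registrar) -> Tuple[Optional[str], int]:
    """Split search: up to 10^4 attempts for the first half, then up to
    10^3 for the second (its last digit is fixed by the checksum).
    Returns (pin, attempts)."""
    attempts = 0
    p1 = None
    for a in range(10_000):
        attempts += 1
        if reg.check_first_half(f"{a:04d}"):
            p1 = f"{a:04d}"
            break
    if p1 is None:
        return None, attempts
    for b in range(1_000):
        attempts += 1
        p2 = f"{b:03d}" + str(wps_checksum(int(p1 + f"{b:03d}")))
        if reg.check_second_half(p1, p2):
            return p1 + p2, attempts
    return None, attempts


FULL_SPACE = 10 ** 7             # 8 digits minus the check digit
SPLIT_SPACE = 10 ** 4 + 10 ** 3  # what the split check reduces it to

if __name__ == "__main__":
    pin, tries = recover_pin(Registrar("12345670"))
    print(f"recovered {pin} after {tries} attempts "
          f"(worst case {SPLIT_SPACE}, not {FULL_SPACE})")
```

With one exchange per guess, 11,000 attempts is a matter of hours against a router that does not rate-limit; 10 million would not be.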

the PIN is not always random

Most implementations don't strictly follow the standard: to prevent the WPS PIN from being guessed easily, it should be entirely random. However, to simplify manufacturing, it is often derived from the MAC address, which is broadcast to anyone nearby. Many of these derivation algorithms have been identified, so an attacker just needs to come within range of your router, read its MAC address, run a script to compute the WPS PIN, and that's it!

Randomness is hard

Another important part of the WPS protocol is that the communicating devices have to exchange random numbers (nonces). Sadly, producing good random numbers is not trivial, especially on cheap devices.


If the router internally behaves like a die whose faces are not all different, or one that can never give the same number twice in a row, then this can be abused:

  1. learn how the router generates its random numbers (the model is known)
  2. grab the initial random numbers exchanged during the handshake
  3. work out the numbers the router will generate next, which are supposed to stay secret
  4. compute the secret internal values and connect to the Wi-Fi, even though the WPS PIN is unknown!

This attack is very strong, as it requires no brute force at all: just connect on the first try.
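The four steps above, as an added Python example (not from the post or from Dominique Bongard's talk). The router model is an assumption for illustration: a 32-bit linear congruential generator with glibc-style constants whose raw state is used as nonce bytes, so the public nonce reveals the state and the two secret nonces drawn right after it are computable. The commitment hashes are simplified to HMAC(auth_key, secret_nonce || PIN half), and `auth_key` stands in for the key both sides derive in the real handshake. Real affected routers differ in detail; the point is that once the secret nonces are predictable, the PIN halves can be checked locally and the router sees a single, correct attempt.

```python
"""Predicting a router's 'random' WPS nonces when its generator is weak,
then recovering the PIN offline, following the steps in the post.

Added example, not from the post or from Dominique Bongard's talk. The
router model (LCG whose state is the nonce, simplified commitment hashes,
a shared auth_key) is an assumption; real affected routers differ.
"""
import hashlib
import hmac
from typing import Optional, Tuple

A, C, M = 1103515245, 12345, 2 ** 31   # glibc-style LCG constants (assumed)


class WeakRng:
    """LCG whose raw state is handed out as 'random' bytes."""

    def __init__(self, seed: int):
        self.state = seed % M

    def next_word(self) -> int:
        self.state = (A * self.state + C) % M
        return self.state

    def nonce(self, words: int = 4) -> bytes:
        return b"".join(self.next_word().to_bytes(4, "big") for _ in range(words))


def commit(auth_key: bytes, secret_nonce: bytes, pin_half: str) -> bytes:
    """Simplified stand-in for the hash that commits to one PIN half."""
    return hmac.new(auth_key, secret_nonce + pin_half.encode(), hashlib.sha256).digest()


class Router:
    """Router side of the PIN exchange (simplified model, see above)."""

    def __init__(self, pin: str, seed: int, auth_key: bytes):
        self._pin, self.auth_key = pin, auth_key
        rng = WeakRng(seed)
        self.public_nonce = rng.nonce()   # sent in the clear
        self._s1 = rng.nonce()            # secret nonces, never sent...
        self._s2 = rng.nonce()

    def commitments(self) -> Tuple[bytes, bytes]:
        """...but hashes over (secret nonce || PIN half) are sent."""
        return (commit(self.auth_key, self._s1, self._pin[:4]),
                commit(self.auth_key, self._s2, self._pin[4:]))

    def accept(self, pin: str) -> bool:
        return hmac.compare_digest(pin, self._pin)


def predict_secret_nonces(public_nonce: bytes) -> Tuple[bytes, bytes]:
    """The last word of the public nonce *is* the generator state, so the
    next outputs follow without any guessing (steps 1-3)."""
    rng = WeakRng(0)
    rng.state = int.from_bytes(public_nonce[-4:], "big")
    return rng.nonce(), rng.nonce()


def recover_pin_offline(public_nonce: bytes, auth_key: bytes,
                        commitments: Tuple[bytes, bytes]) -> Optional[str]:
    """Step 4: with the secret nonces known, each 4-digit PIN half is found
    by testing at most 10,000 candidates against its hash, locally, with
    no further traffic to the router."""
    predicted = predict_secret_nonces(public_nonce)
    halves = []
    for secret_nonce, target in zip(predicted, commitments):
        for cand in range(10_000):
            half = f"{cand:04d}"
            if hmac.compare_digest(commit(auth_key, secret_nonce, half), target):
                halves.append(half)
                break
        else:
            return None
    return "".join(halves)


if __name__ == "__main__":
    router = Router("12345670", seed=0x5EED, auth_key=b"key-from-the-handshake")
    pin = recover_pin_offline(router.public_nonce, router.auth_key, router.commitments())
    print("recovered", pin, "accepted:", router.accept(pin))
```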

Luckily, it depends on the router model.
Sadly, many routers from different brands use internally the same vulnerable system.

Conclusion

Wi-Fi Protected Setup is a security risk – disable it now (if you can)!

For more details, check Dominique Bongard‘s presentation.

The post Wi-Fi Protected Setup is a security risk appeared first on Avira Blog.

The dangers of relying on our smart devices

As consumers, we continually hear about the ‘Internet of things’ and the positive changes that will come from our always connected world.

I recently read an article in the San Jose Mercury news that talks about the devices we are all expected to acquire that will make many of our life decisions for us, whether an automated butler, health gadget, thermostat or a driverless car.

It made me contemplate the amount of connectivity we already have in our lives and how it is set to increase. How much is enough? Can we have too many smart devices?

Let’s consider a potential scenario from the not too distant future:

Awoken at the optimal moment in your sleep pattern by your wearable tracker,  you are recommended a light breakfast that includes juice with added vitamin D due to your lower than normal levels.

While having breakfast, the news is reported to you by a service that selects what it thinks you will want to know.

The weather app recommends dressing cooler today as sunshine is forecast. Your driverless car sends an alert that, based on traffic conditions, the optimal time to get on the freeway would be in 10 minutes' time. It then tells the household heating system to shut down as you are going to be leaving.

The first two hours of your day are led by suggestions made by gadgets and where the information you are offered has been pre-selected.


Some mornings this guidance might seem the perfect way to start the day. To me though, it seems like we are at risk of surrendering control to the devices of the future.

Our connected gadgets and services are being controlled or fed information that, of course, is open to manipulation by people and companies out to exploit our willingness to be led rather than to explore.

“We need to temper our reliance on technology and connected services, even though they can help make life easier”.

We need to keep our reliance on technology and connected services in check, even though they can help make life easier.

Imagine a life without open choice, where all options available have been preselected for you. It is starting to sound like the Truman Show.

Take an everyday task such as selecting a movie for the family to watch. On a busy workday, a recommendation made by a streaming company might be useful, but if I did not sit and browse for myself every now and again, I would miss things that I might also like.

Exploring the options for myself allows me to find things that would not have been on my list of recommendations and might just surprise me.

I love my gadgets and I don’t want to come across as negative. However, there’s a lot to be said for exploring.

I would encourage everyone to find some time in their busy schedule to go gadget free and try something new. You never know what you might discover.

Fobus, the sneaky little thief that could

One small Android application shows lots of determination and persistence. Too bad it’s evil.

Mobile malware, Fobus, acts like this famous little engine. “I think I can, I think I can!”

 

The year 2014 saw a huge rise in mobile malware. One of the families impacting our users was Fobus, also known as Podec. This malware poses as a more or less useful application, but it is certainly not what the user expects. It usually comes in two language versions, English and Russian, and the applications seem to be generated automatically.

All that, and a bag of chips

From the permissions in the manifest, we can see that once Fobus is installed on the victim's device it can not only send SMS and call premium numbers, which may cost a lot of money, but it also works as spyware and can steal personal data from the infected device. That's a lot of bad stuff packed into one small application.


Next up is a bit more technical stuff. If you are really eager, skip to Me thinks that something is amiss section to see how it works.

Inspecting the manifest file provides clues to the automatic modification of the application files. As you can see in the following picture, service names are randomly generated. Going through samples in our database we were able to identify similarities which helped us categorize this malware as the Fobus family.


The manifest also includes several receivers which indicate that the malware is able to spy on the device. It can also protect itself against uninstallation.

This receiver provides persistence of Fobus.


These receivers are able to check the outgoing calls and received SMS.

The receiver pictured here helps to protect the malware against removal.

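A manifest check for the traits just described (cost and spying permissions, a boot receiver for persistence, SMS and outgoing-call receivers, and a device-admin receiver for uninstall protection), as an added Python example; this is not Avast's code. The SUSPECT_MANIFEST below is constructed to mirror the description in the post, with made-up package, class and random-looking service names; it is not Fobus's real manifest.

```python
"""Flagging an Android manifest with the Fobus traits described in the post:
SMS / call / cost permissions, a boot receiver for persistence, SMS and
outgoing-call receivers for spying, and a device-admin receiver for
uninstall protection.

Added example, not Avast's code. SUSPECT_MANIFEST is constructed (package,
class and the random-looking service names are made up); it is not Fobus's
real manifest.
"""
import xml.etree.ElementTree as ET
from typing import List

ANDROID = "{http://schemas.android.com/apk/res/android}"

COSTLY_OR_SPY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send (premium) SMS",
    "android.permission.RECEIVE_SMS": "can read incoming SMS",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.CALL_PHONE": "can call (premium) numbers",
    "android.permission.PROCESS_OUTGOING_CALLS": "can watch outgoing calls",
    "android.permission.READ_CONTACTS": "can read contacts",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start at boot",
}

RECEIVER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "boot receiver (persistence)",
    "android.provider.Telephony.SMS_RECEIVED": "SMS receiver (spying)",
    "android.intent.action.NEW_OUTGOING_CALL": "outgoing-call receiver (spying)",
    "android.app.action.DEVICE_ADMIN_ENABLED": "device-admin receiver (uninstall protection)",
}


def inspect_manifest(xml_text: str) -> List[str]:
    """Return human-readable findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name", "")
        if name in COSTLY_OR_SPY_PERMISSIONS:
            findings.append(f"permission {name.rsplit('.', 1)[-1]}: "
                            f"{COSTLY_OR_SPY_PERMISSIONS[name]}")
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append("receiver protected by BIND_DEVICE_ADMIN")
        for action in receiver.iter("action"):
            name = action.get(ANDROID + "name", "")
            if name in RECEIVER_ACTIONS:
                findings.append(RECEIVER_ACTIONS[name])
    return findings


def looks_like_fobus(findings: List[str]) -> bool:
    """Persistence + device-admin protection + SMS/call capability together
    is the combination the post describes; none of the three alone is."""
    text = " ".join(findings)
    return ("device-admin" in text and "boot receiver" in text
            and ("SMS" in text or "call" in text))


SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.adblock">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Ad Block">
    <service android:name=".QzXkLpRw"/>
    <receiver android:name=".BootRcv">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsRcv">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".CallRcv">
      <intent-filter><action android:name="android.intent.action.NEW_OUTGOING_CALL"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminRcv" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for line in inspect_manifest(SUSPECT_MANIFEST):
        print("-", line)
    print("Fobus-like:", looks_like_fobus(inspect_manifest(SUSPECT_MANIFEST)))
```

The manifest inside an APK is binary XML; run it through a decoder (apktool or aapt) first, then feed the text to `inspect_manifest`.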

Me thinks that something is amiss

During installation, the Fobus permissions already show that something might not be in order. But, we all know, that most people fly through this step without much thought.


The Great Pretender

Fobus pretends to be an ad blocker, but permissions to make phone calls, send messages, use system tools, and use services that cost money should not be needed for an ad-blocking application, nor for most legitimate applications; that is, unless you hope it will block unsolicited calls and marketing SMS. Our advice: always take great care when an application requires these types of permissions and try to link them to the expected app functionality. Inadequate permission requirements are often the first indicator of something fishy.

When the user accepts all these permissions nevertheless, Fobus installs as any other application would.


Here comes trouble!

The real trouble, however, begins when the user runs this application and grants Fobus device administrator privileges.


Once the user activates the device administrator, the application icon disappears from the device.


But in fact Fobus is still on the device and starts doing what it was built for: SPYING on the device! The user is not able to stop or uninstall this application by standard means. Why? Because they gave the app permission to do all these things in the device administrator policy they accepted!


Well, just deactivate the device administrator and uninstall this application… That shouldn’t be so hard, right? But it is! The application is easily visible in the device administrator along with the deactivation button. So what is the problem?


Blink and you’ll miss it…

The sneaky Fobus has a receiver which handles device_admin_disable_request. The moment the user tries to deactivate the device administrator, this receiver catches the request and forces the device to lock the screen with a call to the Lock Now function. This prevents the user from confirming the deactivation.

Afterwards, the application re-locks the screen on every unlock attempt. The confirmation box is visible for just a moment before the application forces the lock screen, but the user will never be able to confirm it in time because the device cannot capture the tap on the screen. The screen locking usually goes on for a while, until the confirmation box simply disappears. Sometimes users have to push one of the hardware buttons on their device to wake the screen. When they finally manage to unlock the device, the application is still there and happily running. By now, the person who installed this sneaky little thief is not a happy camper.


Empty threats

Should the user have lightning-fast reflexes and get past the screen-locking mechanism, the authors have another trick up their sleeves. This time they try to scare users out of disabling the device administrator privilege by threatening a full factory reset.


Fobus shows the user a fake warning about a full factory reset during which the user would lose all data stored on the device. "Heavens, NO!", most users will say as they choose the cancel button. But if the user is brave and pushes the OK button, the device administrator privilege is successfully removed and the user is then also able to uninstall the malicious application from the mobile device.

This is a pretty strong uninstall prevention, isn’t it?

It can be very difficult to circumvent this type of protection, especially since the application cannot be uninstalled by other means either, such as ADB or safe mode. In ADB, the uninstall operation reports failure, and even though safe mode disables user-installed applications, the malicious application is still protected by its device administrator privileges and therefore cannot be uninstalled.

How to remove this persistent malware

Affected victims can use third party software to remove this malicious application from their mobile device or actually perform the suggested factory reset.

The removal itself is a two-phase process.

First, you need to deactivate the device administrator privilege.


Then,  uninstall Fobus itself.


The little malware that could…

What makes Fobus special is not that it can spy on victims' devices, send SMS, or call premium numbers; there are loads of malicious apps that can do that. Just like The Little Engine That Could, Fobus never gives up. Usually users are able to remove bad apps from their devices easily by simply uninstalling them. Fobus, though, doesn't give up so easily: its strong removal protection can frustrate even the most experienced users.

Acknowledgement

Thanks to my colleague, Ondřej David, for cooperation on this analysis.

The Little Engine That Could image is from Hero Wikia.

Source

Here is a sample connected with the analysis

 

011a379b3f81dbfb4f6fb4f5c80b5ba4cf9f0677f0ee30c3a8d41711ade2d226