    Archive for July 17th, 2012

    We spotted a family of Android malware that downloads apps and paid media files without users’ consent, leaving victims with unwanted charges. These are Trojanized versions of the legitimate weather forecast tool GoWeather and are detected by Trend Micro as ANDROIDOS_TROJMMARKETPLAY.

    During our research, we acquired three samples of this malware family. One of the samples (detected as ANDROIDOS_TROJMMARKETPLAY.B) appeared to be a beta build in comparison to the other samples. We found a lot of test information and code in it, some of which gave clues as to the possible perpetrator behind it.

    Android Malware Leave Victims with Unwanted Charges

    Let’s now focus on the sample that we suspect to be a beta build. Once installed, ANDROIDOS_TROJMMARKETPLAY.B changes the access point name (APN) to CMWAP, which lets the device log in automatically to the third-party app store M-Market. Users who log in for the first time are shown a charge pop-up window. The malware closes this window and then opens a page on M-Market to find and download paid apps or media. This routine leaves victims charged for apps and media that they never intentionally downloaded.

    Typically, users receive a verification SMS from M-Market and are required to reply with a verification code. In this instance, however, the malware intercepts and replies to the SMS so that victims won’t suspect anything. For the CAPTCHA image, the malware downloads the image and sends it to a remote server to decode. The decode server’s domain name is stored in the configuration file yk-static.config. The file holds several other settings as well, including the phone number used to send SMS; its domain name field is where the decode server’s domain is kept.

    We also observed notable changes in ANDROIDOS_TROJMMARKETPLAY.B. Compared with another sample of the same family (detected as ANDROIDOS_TROJMMARKETPLAY.A), this beta build can update itself. Its method of intercepting and replying to verification SMS is also different: the .B variant stores the verification code in a database, while the .A variant uses a file. Moreover, .A contains code used to find paid media files.

    Beta Build Android Malware Reveals Details of Cybercriminal

    We concluded that ANDROIDOS_TROJMMARKETPLAY.B is a beta build because we found test code and some information about the malicious user behind this malware. There was even a private IP address in a URL, as well as test functions, one of which exercised the send-SMS feature. From this function, we recovered the following phone numbers:

    • {BLOCKED}32046
    • {BLOCKED}56246
    • {BLOCKED}30884

    Since the malware was used for testing, these phone numbers must have been employed by the cybercriminal. We also found that these numbers pointed to Guangzhou, Guangdong Province, China, but this alone is not enough proof that the perpetrators were based there. Another interesting aspect we saw in the code was the word “yunkong”, which appeared many times and is probably the name of a particular individual, entity or organization behind this malware.

    The number {BLOCKED}56246 is still being used by the cybercriminals to receive and initialize SMS. By monitoring these numbers, we can find more information about the perpetrator.
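As an added illustration (this is our own example, not code from the post or from Trend Micro), a small triage script that scans an APK for the artifacts the analysis above describes: the yk-static.config file, the CMWAP APN string, the M-Market store name, the recurring “yunkong” string, and private-address URLs of the kind that betrayed the beta build. The APK contents below are constructed mocks, and the config file's key=value layout and the decode-server domain are assumptions, not details from the post.

```python
import io
import re
import zipfile

# Byte indicators drawn from the analysis; the descriptions are ours.
INDICATORS = {
    b"yk-static.config": "configuration file naming the decode server and SMS number",
    b"CMWAP": "APN switched to CMWAP to reach M-Market",
    b"M-Market": "third-party app store the Trojan shops in",
    b"yunkong": "name that recurs in the beta build's code",
}

# URLs whose host is an RFC 1918 private address: a leftover of a test build.
PRIVATE_URL = re.compile(
    rb"https?://(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    rb"|192\.168\.\d{1,3}\.\d{1,3}"
    rb"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})(?::\d+)?[^\s\"'<>\x00]*"
)

def scan_apk(apk_bytes: bytes) -> dict:
    """Map each zip entry to the indicator descriptions found in it.
    The entry name is scanned together with its content, so the config
    file is caught by its name even when its content is unremarkable."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            blob = info.filename.encode() + b"\n" + zf.read(info)
            found = [desc for ind, desc in INDICATORS.items() if ind in blob]
            found += ["private-address URL " + m.decode() for m in PRIVATE_URL.findall(blob)]
            if found:
                hits[info.filename] = found
    return hits

def is_suspicious(hits: dict, threshold: int = 2) -> bool:
    """Flag the package when at least `threshold` distinct indicators occur."""
    return len({d for descs in hits.values() for d in descs}) >= threshold

def build_sample_apk(infected: bool) -> bytes:
    """Constructed zip shaped like an APK; the 'infected' variant is a mock, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.goweather'/>")
        if infected:  # assumed config layout; domain and number are placeholders
            zf.writestr("assets/yk-static.config", b"domain=decode.example.invalid\nsms=+0000000000\n")
            zf.writestr("classes.dex", b"dex\n035\x00Lcom/yunkong/SmsHandler;\x00CMWAP\x00http://192.168.1.20:8080/test\x00")
        else:
            zf.writestr("classes.dex", b"dex\n035\x00Lcom/example/goweather/Forecast;\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, found in scan_apk(build_sample_apk(True)).items():
        print(entry, found)
```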

    In the meantime, users are strongly advised to be cautious when downloading apps from third-party app stores, as this may lead to malware infection. Trend Micro protects Android mobile users from this threat via Trend Micro Mobile Security Personal Edition, which detects malware disguised as apps. To learn more about how to protect your Android devices from infection, you may refer to the following Digital Life e-guides:

    Posted in Malware, Mobile | Android Malware Family Downloads Paid Media and Apps

    World of Warcraft: Mists of Pandaria is the fourth expansion for the massively multiplayer online role-playing game (MMORPG) World of Warcraft. It was first unveiled to the public last October 2011 during the BlizzCon 2011 conference in Anaheim, California.

    TrendLabs researchers started seeing increased phishing activity inside World of Warcraft after Blizzard started the closed beta testing for Mists of Pandaria in March 2012.

    In these new rounds of phishing attempts, scammers are trying to abuse WoW’s in-game mail system: the malicious URLs are sent via in-game mail and land in players’ in-game mailboxes.

    In this attempt, the scammer entices would-be victims to join the Mist of Pandaria beta testing and win an exclusive in-game item, the Dragon Turtle Mount, by visiting and registering on their website. The Dragon Turtle Mount was previously announced by Blizzard as the racial mount for the Pandarens, the new playable character race available in the Mist of Pandaria expansion.

    The phishing URL in the in-game mail leads to a phishing website that closely resembles the actual website. The URL tries to add some credibility by including the Mist of Pandaria abbreviation (MOP) in the domain name.

    If unsuspecting users input their credentials, it will definitely result in account theft, since the stolen login is the central account management credential for all Blizzard games like World of Warcraft, Starcraft 2, and Diablo III.

    In contrast to what we discussed in our previous World of Warcraft post, we observed that recent scamming attempts seem to be targeted at low level characters and not high level or level-capped (Level 85) ones. This may be part of the bad guys’ scam detection avoidance strategy, as high level characters may have more awareness of this security issue, having spent more time in the game.

    We analyzed the malicious domain further and made a notable discovery: the same server also hosts other phishing sites targeting World of Warcraft players:

    • http://{BLOCKED}
    • http://{BLOCKED}
    • http://for{BLOCKED}
    • http://for{BLOCKED}
    • http://{BLOCKED}

    The newly discovered malicious websites are using Mist of Pandaria, World of Warcraft, and their corresponding abbreviations in their URLs.

    Trend Micro users need not worry about these threats, as they are protected from these World of Warcraft phishing attacks via the Trend Micro™ Smart Protection Network™, which blocks access to the phishing websites.

    It is interesting to note that some of the phishing websites were registered just days after Blizzard announced that Mist of Pandaria would be the next World of Warcraft expansion. This clearly shows that the bad guys are up to date and are always on the lookout for events and opportunities to expand their nefarious schemes.

    Blizzard, for their part, have stepped up their security measures. They have published a dedicated security page to help users understand their security commitment, raise awareness of different types of account theft, highlight a gamer’s security checklist, and provide a step-by-step guide on what to do when users suspect that their account has been compromised.

    Blizzard also promoted their authenticator (available as an app for iOS and Android devices, and as a keychain fob) by giving away an exclusive World of Warcraft Corehound pet to users who enable the authenticator.

    We also advise our readers, casual and hardcore gamers alike, to view our latest Security and Gaming e-Guide for helpful tips on securing their online gaming experience.

    Thanks to Paul Pajares for additional technical details.

    Posted in Bad Sites | World of Warcraft Scams: Mist of Pandaria, Free Mounts and Phishing Galore
