Trend Micro Malware Blog
    Archive for September 4th, 2012


    Some of the apps discussed in this blog entry were developed with an older adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to include this capability in order to comply with Google’s developer policies; apps that use this newer version are no longer considered high-risk.

    More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.

    Our monitoring of popular Android app stores during the latter weeks of August revealed that the number of apps detected as ANDROIDOS_PLANKTON variants has increased rapidly.

    ANDROIDOS_PLANKTON was initially uncovered by North Carolina State University two months ago and was noted for its capability to download payloads and execute commands from a remote user. The discovery was also dubbed the “largest Android malware outbreak ever” because of the millions of apps that contained dubious code similar to PLANKTON. During our research, the presence of this malware in Google Play grew between August 19 and 25.

    Another notable trend we saw in our monitoring is that the number of adware apps disguised as normal apps has increased. Adware is known to display multiple ads on an infected device, potentially generating profit for its developers. The adware families most frequently found on these sites were ANDROIDOS_ADWIZP, ANDROIDOS_AIRPUSH, ANDROIDOS_ADSWO, and ANDROIDOS_LEADBOLT.

    Trend Micro customers are protected from these threats: Trend Micro Mobile Security for Android detects these malicious apps and blocks their installation on mobile devices.

    Malware disguised as Android apps is not fading from the threat landscape anytime soon. For their part, users should always be cautious before downloading apps. Being informed about the reputation of an app and its developers can go a long way toward securing your mobile devices.

    To know more about how to secure your devices, you may refer to the following Digital Life e-Guides:

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

    Posted in Mobile | More Adware and PLANKTON Variants Seen in App Stores

    This is part of a series of blog posts discussing the Chinese underground. The previous parts may be found here:

    The full paper can be found here.

    The fourth and final value chain is focused on the creation of tools and the training of would-be hackers. Without tools and trained personnel, any underground community is bound to collapse sooner rather than later.

    The basic structure can be seen below:

    There are three basic parts of this particular value chain. Some blackhats focus on looking for software vulnerabilities and creating exploits for these vulnerabilities. These are then sold in online marketplaces, where other blackhats can use these for their own purposes.

    Other blackhats focus on creating and developing attack tools and malware. In addition to writing the tools, some blackhats work to ensure that these tools cannot be detected by antivirus software. The end products – Trojan horses, attack tools, and other malware – are similarly traded in online marketplaces, and sold to other cybercriminals to be used for purposes, such as those outlined in the earlier blog entries.

    The Chinese underground possesses clear mechanisms for training new members of the community. In many cases, there is even a clear master-apprentice methodology for training inexperienced members, who then gain further experience (and profit) by taking part in other cybercrime schemes. Alternatively, training materials for self-study are also created and sold.


    Broadly speaking, blackhat activities are called “hackers’ jobs” (heike renwu, 黑客任务), with the cybercriminals referring to themselves as “hackers” (heike, 黑客). Experienced members interested in passing on their knowledge will post ads saying they are “seeking an apprentice” (shoutu, 收徒). Conversely, new members looking for a coach will post ads saying they are “seeking a master” (baishi, 拜师).

    Trojan horses (muma, 木马) are frequently shortened to just “horse” (ma, 马) in the underground. Trojan writers are called muma zuozhe (木马作者). Evading AV software is known as miansha (免杀).


    The case of the “blandness” Trojan gang, arrested in 2009, highlights the importance of this particular aspect of the Chinese underground – as well as its scale.

    The malware in this case was created by two of those arrested, who go by the names Lu and Zeng, both residents of Shenzhen. From June 2007 to August 2008, the pair wrote Trojans that stole the login credentials from more than 40 online games. At the same time, Zeng was looking for a partner who could help sell these tools to other individuals. In February 2008, he found a partner: a certain Yan, who named the Trojans the “blandness horse” (温柔马) series.

    By the time Lu and Zeng were arrested, they had developed 28 different variants that stole a total of 5.3 million login credentials. Each pocketed 645,000 renminbi, or more than 100,000 US dollars. Yan took in 310,000 renminbi, or slightly under 50,000 dollars. The three ringleaders, along with 11 other defendants, were eventually sentenced to three years in prison, with an additional six months of probation.


    Posted in Malware | The Chinese Underground, Part 5: Blackhat Techniques, Tools, and Training


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice