Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2012
    S M T W T F S
    « Aug   Oct »
  • Email Subscription

  • About Us

    Archive for September 12th, 2012

    We were alerted in July 2012 about malicious apps that we detect as ANDROIDOS_CONTACTS.E. We investigated the related spam, which arrives on the mobile device. What is noteworthy about this threat is that the spam were distributed not only to smartphones, but also to feature phones as well.

    This indicates that the spammers may have carried out indiscriminate attacks targeting the email addresses provided by telecommunication carriers.

    In Japan, this carrier email address is popular among mobile users since this email address can be accessed on both mobile devices and systems. Also, each telecommunications carrier provides a service that blocks spam mails. This feature may have resulted to users being complacent when it comes to the security of their carrier email addresses.

    Spammers understand users’ tendency to be too trusting, thus they distributed these spam to carrier email addresses to increase their attack’s success.

    So far, we can categorize the URLs in these spam into three types:

    • URLs that directly lead to download an APK package of Android app
    • URLs that lead to a malicious web page disguised as a legitimate app market store
    • Shortened URLs

    Let’s focus on the 3rd type of URL. When users click the shortened URL, they are lead to a webpage set up by the spammer or their partners. In this scenario, it is possible that it may either lead to the downloading an APK package or to a web page disguised as a legitimate app store.

    Why do spammers leverage this shortened URL service? Users find it difficult to double check the complete URL based on the shortened URL, thus the higher rate of users inadvertently clicking a malicious link. Furthermore, some shortened URL services can count user clicks in real-time. So if a particular link had less clicks, spammers can use a different shortened link which had more clicks in their future spam run.

    Now, let’s focus on those URLs that lead users to a spoofed app store. We found the app “Power Charge”, also detected as ANDROIDOS_CONTACTS.E, which is supposedly an app that charges by using solar light.

    Read the rest of this entry »

    Posted in Mobile | Comments Off on Spam Trick Users to Download ANDROIDOS_CONTACTS.E

    Trend Micro and CSIS have released a joint white paper about the Tinba information-stealing malware. The paper contains a thorough technical analysis of the malware itself, as well as the architecture of its infrastructure, and its ties to other illegal activities.

    What is Tinba?

    Tinba got its name from its extraordinarily small size – its code is approximately 20 kilobytes in size, a remarkably small number for banking malware. Tinba is a combination of the words tiny and banker; the same malware is also known as Tinybanker and Zusy.

    Tinba is delivered onto user systems via the Blackhole exploit kit, and is aimed primarily at users in Turkey. We estimate that there are more than 60,000 users affected by Tinba in Turkey.

    The capabilities of this malware are broadly similar to other similarly sophisticated info-stealing malware families. Using web injects, it steals the login information from websites, particularly those located in Turkey. Some targets such as Facebook, GMX, Google, and Microsoft are hardcoded into the code of Tinba itself and are universally targeted by Tinba. Other institutions are targeted based on downloaded configuration files; frequent targets include key government portals and Turkish banks/financial institutions.

    Tinba’s Infrastructure

    The researchers looked into the command-and-control infrastructure of the Tinba samples to gather more information about this particular attack. By examining information from WHOIS and DNS records, as well as site hosting information, they found that:

    • Tinba is linked to other activities such as money mules, shady Web hosting, pornographic sites, and other information-stealing malware.
    • Tinba’s infrastructure is located in Russia and Lithuania;
    • The scale of the connections suggests that this was not the work of one or two individuals, but instead a large, well-organized gang.

    The full details of our findings are contained in our paper The Turkish Incident, which we encourage everyone to read. You can also read CSIS’s blog on this paper over on their site.

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

    Posted in Bad Sites, Malware | Comments Off on The Tinba/Tinybanker Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice