    Archive for July 23rd, 2013

    Cybercriminals Capitalize on Plants vs. Zombies 2 Hype

    The original Plants vs. Zombies game enjoyed a lot of popularity when PopCap Studios released it on iOS in 2010 and on Android in 2011. Now, with the approaching release of its sequel (soft-launched in New Zealand and Australia), cybercriminals have already begun taking advantage of the hype.

    The first trickle of threats came at around July 16, 2013. We discovered a survey scam website, hosted on Blogger and linked from a YouTube video page. The website was a typical survey scam with no malware tied to its bait.



    More PvZ2-related threats popped up on our radar after that. By July 22, we had discovered no fewer than seven of them in Google Play alone, either as fake app downloads or as ‘downloaders’ for the app itself. One of them was a fake app that pushed malicious ads to the user; it is detected as ANDROIDOS_FAKEZOMB.A. We expect to find more in the coming days.



    Google has been commendably quick in handling the threats found in Google Play, however. As of this writing, all of the fake apps have been removed from the store, and the fake ‘developers’ offering them for download have been suspended. Similar scams and frauds have also been suspended within 24 hours of being posted in the app market.

    The existence of these threats and the social engineering behind them is nothing new – we’ve reported incidents such as these in the past, targeting games like Candy Crush, Bad Piggies and Temple Run. What is worth noting here, however, are the patterns emerging with each fake app download scam we see in Google Play. These are:

    • The usage of popular, up-and-coming sequels to high-profile game apps already available in the iOS App Store but not yet in Google Play
    • The fake apps asking for 5-star ratings and reviews before they could be ‘played’
    • The fake apps are free of charge, in contrast to the legitimate apps which cost money

    The first two are self-explanatory – they are designed to make the app more attractive for users to download. The third could be considered a similar tactic, but there is another reason for it: app developers must first register a Google Wallet account before they can set their app as a paid app, a compulsory rule in Google Play’s policies and agreements. This could be construed as cybercriminals trying to avoid having their fraudulent developer accounts traced back to them.

    This suggests that Google could make Google Wallet registration compulsory for all developers wishing to release apps on Google Play. This would serve as identification and proof of legitimacy for legitimate developers, and also as a deterrent to cybercriminals.

    Android may still be plagued with malware, but Google is certainly stepping up its efforts to combat its continuous rise. However, users should not become complacent, as the safety of their mobile devices is their main responsibility as owners. The standard rules of safe app downloading still apply – only download from verified first-party sources, and avoid sideloading or downloading from suspicious ‘developers’ or unauthorized parties.

    For more information about the latest mobile threats and security, you may visit the Mobile Threat Information Hub. Trend Micro Mobile Security Personal Edition also provides protection for your Android device by detecting malicious and high-risk apps.

    Additional analysis by Paul Pajares, Karla Agregado, Veo Zhang and Yang Yang

    Posted in Bad Sites, Malware, Mobile

    As more and more users entrust parts of their digital lives to the cloud, they are increasingly running into a problem: it doesn’t always last forever. More specifically, the cloud services that people rely on are just like any other business: they can close their doors.

    Just in the past few weeks, here are some cloud services that have shut down or drastically changed their offerings:

    But some changes to these services have resulted in significant “birth pains”. Take MySpace, for example, which has been rolling out new features for some time and relaunched with new branding last June. Some commended the relaunch, but its remaining loyal users became upset when the restart deleted their content.

    The rapid pace of innovation in mobile and cloud services means that, unfortunately, services which fail to succeed and become profitable quickly shut down as well – even if they have many users who depend on them. So what can you, as a user, do to minimize the risk if this happens to you?

    There’s not much you can do about services that use data that isn’t yours (like, say, video and music streaming services). However, for your own data – like documents, pictures, and news feeds – there are steps you can take.

    Remember the traditional 3-2-1 rule about backups: at least three copies, in at least two different media, with at least one copy off-site. Storing your data in the cloud fulfills the last two requirements, but it also means that you should keep copies of your data outside of any particular service’s own closed cloud.

    This means, for example, storing a copy of your movies and pictures on your own device (or even on another cloud service). The procedure differs for every cloud service you use, but the concept is the same: make sure your data exists in some form outside of any app or service’s own servers.
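The 3-2-1 rule above, plus the post's extra requirement that data must exist outside any single service's own servers, as a small inventory checker. This is an added example, not code from the original post; the `Copy` record, its field names and the sample inventories are this example's own assumptions.

```python
from collections import namedtuple

# Copy: one place your data lives. medium is the physical carrier
# ("cloud", "disk", "flash", ...), offsite says whether it is away from
# your primary device/location, provider is who controls the copy
# ("self" for a copy you hold directly). Names are this example's own.
Copy = namedtuple("Copy", "label medium offsite provider")

def check_321(copies):
    """Report which parts of the 3-2-1 rule an inventory satisfies."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        # the post's extra point: data held only inside one service's own
        # servers disappears with that service
        "outside_single_provider": len({c.provider for c in copies}) >= 2,
    }

def missing_requirements(copies):
    """Names of the requirements the inventory still fails."""
    return [name for name, ok in check_321(copies).items() if not ok]

# Constructed inventories for illustration
cloud_only = [Copy("photos on service X", "cloud", True, "service-x")]
healthy = [
    Copy("photos on service X", "cloud", True, "service-x"),
    Copy("photos on phone", "flash", False, "self"),
    Copy("photos on USB drive at the office", "disk", True, "self"),
]

if __name__ == "__main__":
    print("cloud only, missing:", missing_requirements(cloud_only))
    print("healthy, missing:", missing_requirements(healthy))
```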

    Preparing for a cloud service going offline may seem like an extreme precaution, but aside from a service going away completely, there are many other scenarios where you would want to access cloud data offline: you are in a location with non-existent, insecure or expensive Internet access, or the service goes down due to maintenance or a security breach.

    For cloud service providers, it is best to announce any major changes (or a shutdown) months ahead. The recent shutdown of Google Reader was a good example of an effective announcement, as it caused minimal disruption to users (other than having to search for an alternative service, of course). The MySpace gaffe, unfortunately, shows that changes or improvements can go awry.

    The underlying fact: “going to the cloud” is not an excuse to manage your data poorly. You are still responsible for your data and should avoid putting all your eggs in one basket. For more information on how to protect your data in the cloud, you may read our Digital Lifestyle E-Guide, Keeping Your Cloud Data in Check.

    Posted in Social

    When attacks against companies are described, the targets are frequently said to be either individual end users or large enterprises. Many targets of cybercrime, however, are small businesses. In this post, we look at how small businesses in Taiwan are attacked and what lessons others can take from these events.

    Many small businesses in Taiwan run their web servers from inside their own networks, without much awareness of how to secure them properly. They are primarily concerned with running their business, which makes their insecure servers a prime target for attacks.

    Let’s look at a recent case that is a good example of how these attacks work. On May 30, our assistance was requested after an unidentified company (which we will call Company A) was hit by denial-of-service attacks that interrupted access to its servers.

    What we found was another problem entirely. Their web server had been compromised through a vulnerability in the web server itself. Because, as noted earlier, this web server also had access to Company A’s internal network, the attackers had taken control of the company’s Active Directory servers as well. We were also able to confirm that at least two separate attackers were at work: one was active before April 24, the other after that date.

    Figure 1. Timeline of Attacks

    The behavior of this threat was not particularly unusual – these behaviors are all commonplace when a network has been breached. In addition, the attackers kept adding tools through their backdoors continuously.

    Many businesses would simply reinstall and rebuild their systems so they can get back to work, but this would not solve the problem. Because the root of the problem – the vulnerable and insecure web server – has not been addressed, the attacker can simply plant backdoors into the target’s network again and again.

    Figure 2: Continuing attacks

    There are many ways to plant backdoors on a network: remote access tools (legitimate or otherwise), vulnerabilities, and embedded scripts, for starters. Many of these can be difficult to detect and remove. In this case, we even found that uploaded images (for user avatars) could be used to inject scripts that the web server would then run.
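The avatar-upload vector mentioned above, with the checks a defender would put in front of it, as an added example (not the post's code and not Company A's): an upload is accepted only if its magic bytes match a whitelisted image type and the declared extension, files carrying server-side script markers are rejected, and the stored name is chosen by the server. The whitelist, marker list, size limit and sample uploads are this example's own assumptions.

```python
import secrets

# Magic bytes of the only image types the avatar feature accepts
# (assumed whitelist for this example)
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Server-side script markers that have no place inside image data; a hit
# means the file was built to be run as a script, not viewed as a picture
SCRIPT_MARKERS = (b"<?php", b"<script", b"<%@", b"eval(")
MAX_BYTES = 512 * 1024

def detect_type(data):
    """Image type by magic bytes, or None if not a whitelisted image."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def validate_avatar(data, declared_ext):
    """Return (ok, reason); declared_ext is the extension the client sent."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    kind = detect_type(data)
    if kind is None:
        return False, "not a recognised image"
    ext = declared_ext.lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext != kind:
        return False, "extension does not match content"
    lowered = data.lower()  # bytes.lower() only touches ASCII letters
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script marker embedded in image"
    return True, kind

def stored_name(kind):
    """Random server-chosen name with a fixed image extension."""
    return f"{secrets.token_hex(16)}.{kind}"

# Constructed sample uploads for illustration
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
POLYGLOT_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"<?php echo 'x'; ?>"
WRONG_EXT_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 8
```

Re-encoding accepted images through an image library and storing uploads outside the web root, served with a fixed image content type, are the stronger complements to these checks.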

    This attack was made possible by some rather insecure practices that some SMBs follow. Hosting a web server within your own network exposes a business to serious risks (as happened here). It is much safer for a small business to use some form of managed hosting for its sites.

    However, on one level, this insecurity is understandable. Businesses see the opportunities of new technology, but are often blind to the security risks. They feel the need to compete with larger enterprises when it comes to the tools they use – but don’t have the resources to match their competitors. Efficiency and cost-effectiveness are the order of the day – and, unfortunately, security can fall by the wayside.

    While the specific lessons of this attack may only apply to some businesses, the larger lesson is clear: tempting as technological improvements can be, security has to be considered as well. It is dangerous – and irresponsible – to put new tools in place without considering how they can be secured. Otherwise, businesses expose themselves to being compromised repeatedly.



    © Copyright 2013 Trend Micro Inc. All rights reserved.