
    Archive for April 4th, 2014

    Note: The author of the entry has been changed to Chengkai Tao.

    We’ve recently discovered a design flaw in Android devices that allows fake apps to hijack legitimate app updates, thus enabling the fake app to steal the information stored by the targeted legitimate app. The flaw lies in a common practice for mobile users in China: using an external storage device (such as an SD card) to store downloaded Android application package (APK) files.

    China-based users commonly update their apps directly — without relying on Google Play or any 3rd party app stores. This is done through an in-app updating function, wherein vendors roll out the app update by asking users to download an APK file and launch it. The problem, however, lies not in this process itself but in where the APK file is stored.

    Android-based devices often have small internal storage, with options for large external storage. Taking the APK file sizes into consideration, the SD card has become a popular location for temporarily saving the downloaded APK files.

    In our research, we’ve found that using external storage devices like SD cards to save downloaded APK files for updating apps leaves apps prone to tampering. For example, a malicious app may be able to hijack an app update in order to launch a different version — one that is controlled by an attacker. This presents a big risk especially if the app being targeted is one that handles critical information, such as an online banking app.
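    The following added example (not code from the post or from any vendor's updater) simulates the flaw and one defensive updater flow in Python. The "sdcard" and "private" directories, the APK bytes and the manifest digest are all constructed stand-ins; the point is that the updater must copy the package out of world-writable storage and verify that private copy against a digest obtained over its authenticated update channel, rather than checking the file while it still sits where any other app can rewrite it.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed model: sdcard_dir is writable by every app on the device,
# private_dir only by the updating app itself.
def download_update(sdcard_dir: str, apk_bytes: bytes) -> str:
    """Simulates the in-app updater saving the vendor's APK to external storage."""
    path = os.path.join(sdcard_dir, "update.apk")
    with open(path, "wb") as f:
        f.write(apk_bytes)
    return path

def simulate_swap(path: str, other_apk: bytes) -> None:
    """Models the flaw: any app with write access to the card overwrites the file
    between download and install (the content used here is a constructed placeholder)."""
    with open(path, "wb") as f:
        f.write(other_apk)

def install_from_external(shared_path: str, private_dir: str, expected_sha256: str) -> bool:
    """Hardened flow: copy the APK out of shared storage first, then verify the
    private copy against the digest from the authenticated update manifest.
    Hashing the file while it is still on the SD card would be a check-then-use
    race, since it can be replaced between the hash check and the install."""
    private_path = os.path.join(private_dir, "update.apk")
    shutil.copyfile(shared_path, private_path)
    with open(private_path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    if digest != expected_sha256:
        os.remove(private_path)   # reject: not the package the vendor published
        return False
    return True                   # only now hand private_path to the package installer

def demo(file_is_swapped: bool) -> bool:
    vendor_apk = b"PK\x03\x04 constructed stand-in for the vendor's real APK bytes"
    expected = hashlib.sha256(vendor_apk).hexdigest()   # assumed to ship in the update manifest
    with tempfile.TemporaryDirectory() as sdcard, tempfile.TemporaryDirectory() as private:
        path = download_update(sdcard, vendor_apk)
        if file_is_swapped:
            simulate_swap(path, b"PK\x03\x04 constructed replacement package")
        return install_from_external(path, private, expected)

if __name__ == "__main__":
    print("untouched update accepted:", demo(False))
    print("swapped update accepted:  ", demo(True))
```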

    The Security Trade-off

    Direct app updates may seem convenient as users get updates as soon as they are available. However, this incident only proves that there could be a trade-off in terms of security. As this scenario proves, bad guys can take advantage of the lack of security checks to unleash threats.

    App stores can provide some level of protection. For example, Google Play handles the distribution of updates for apps made available on the site, and Google can check whether an update is legitimate via certificate checks. However, not all app sites are made equal in terms of security. Third-party app sites may not be as stringent with security checks as official app stores. In fact, third-party sites are often used by cybercriminals to host malicious and high-risk apps.

    Users are encouraged to download apps from official app sites or stores when possible. If these sites are unavailable, users must exercise additional caution when downloading apps. Each app must be scrutinized before being downloaded and installed. Permissions can give users an idea of whether an app is asking for more access than it needs. Using a device’s built-in security features and installing a security solution can significantly increase a device’s security against these types of threats.

    We have already contacted Google about this concern.

    With additional analysis by Harry Ding.

    Posted in Malware, Mobile | Android App Update Flaw Affects China-Based Users

    In 2013, the malware UPATRE was noted as one of the top malware seen attached to spammed messages. The malware was also notorious for downloading other malware, including ZeuS and ransomware, particularly its more sophisticated form, Cryptolocker. This was enough reason to believe that the UPATRE threat is constantly advancing its techniques–this time, by using multiple levels of attachments.

    Spam within spam

    We took note of the new UPATRE malware technique when our research brought us to a spammed message that imitates emails from known banks such as Lloyds Bank and Wells Fargo. The “spam within spam” technique was already notable in itself, as the .MSG file contained another .MSG file attached–only this time, the attached file actually contains the UPATRE variant, which we detect as TROJ_UPATRE.YYKE.

    Figure 1. An email from “Lloyds Bank” contains a .MSG attachment

    Figure 2. Opening the .MSG attachment reveals a malicious .ZIP file

    Based on our analysis, TROJ_UPATRE.YYKE downloads its ZBOT tandem, detected as TSPY_ZBOT.YYKE. This ZBOT variant then drops a NECURS variant detected as RTKT_NECURS.RBC.
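    An added detection example (not from the post or from Trend Micro's products) that walks nested attachments in the shape described above: a mail carrying a forwarded mail, which carries a ZIP holding an executable. The sample mail is constructed inline; Outlook .MSG attachments are modelled as MIME message/rfc822 parts, and the nesting limit and extension list are assumptions for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs")  # assumed list
MAX_DEPTH = 3                                                       # assumed limit

def build_sample() -> bytes:
    """Constructed lure: outer mail -> attached mail (.msg) -> ZIP -> executable.
    The .MSG container is modelled as a message/rfc822 part (assumption)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("statement.pdf.exe", b"MZ constructed placeholder, not a real binary")
    inner = EmailMessage()
    inner["Subject"] = "Your statement"
    inner.set_content("Please open the attached statement.")
    inner.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                         filename="statement.zip")
    outer = EmailMessage()
    outer["From"] = "Lloyds Bank <constructed@example.invalid>"
    outer["Subject"] = "Important notice"
    outer.set_content("See the forwarded message.")
    outer.add_attachment(inner, filename="notice.msg")
    return outer.as_bytes()

def scan(msg: EmailMessage, depth: int = 0, findings=None) -> list:
    """Recursively records nested messages and executables hidden in archives.
    depth is the attachment nesting level (0 = the message as received)."""
    findings = [] if findings is None else findings
    if depth >= MAX_DEPTH:
        findings.append(("nesting-limit", "", depth))   # abnormal depth is itself a signal
        return findings
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype == "message/rfc822" or name.endswith(".msg"):
            findings.append(("nested-message", name, depth + 1))
            scan(part.get_content(), depth + 1, findings)   # descend into the inner mail
        elif ctype == "application/zip" or name.endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as z:
                for member in z.namelist():
                    if member.lower().endswith(EXEC_EXT):
                        findings.append(("executable-in-zip", member, depth + 1))
    return findings

def scan_bytes(raw: bytes) -> list:
    return scan(message_from_bytes(raw, policy=policy.default))

if __name__ == "__main__":
    for kind, name, level in scan_bytes(build_sample()):
        print(f"{kind:18} {name:20} level {level}")
```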

    The NECURS malware is notable for its final payload of disabling computers’ security features, putting computers at serious risk of further infections. It gained notoriety in 2012 for its kernel-level rootkit and backdoor capabilities. It is important to note that we are now seeing an increase in this malware, which can be attributed to UPATRE/ZBOT being distributed as attachments to spammed messages.

    Evolution of UPATRE

    UPATRE was first seen arriving as an archived file attachment of spammed messages in October of last year, after the fall of the Blackhole Exploit Kit. Once opened, it triggers an infection chain involving ZBOT and CRILOCK malware.

    A month after that, cybercriminals soon upped the ante by using password-protected archives as email attachments. The email includes the password as well as instructions on how to use the contents of the attachment. The use of passwords is highly notable as it adds a sense of legitimacy and importance to the message.

    UPATRE’s evolution is proof that threats will find new ways and techniques to get past security solutions. Users should always be on their guard when dealing with unknown or unfamiliar emails, sites, or files. These could very well lead to threats. Practicing safety habits like using a security solution or double-checking links and attachments can help users protect their computers and their data from threats.

    Special mention to Chloe Ordonia for finding this new spam technique, and to Jaime Reyes for analyzing this malware.

    Posted in Malware, Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice