TrendLabs Security Intelligence Blog

Archive for July, 2014




Protecting data has always been one of the most important aspects of our digital lives. Given how much activity now happens on smartphones, this rings especially true for them. While some users rely on the privacy and security settings built into their devices, others go a step further and install security and privacy protection apps.

One way to protect smartphone data is to use “file locker” apps. As the name implies, these apps serve as storage for sensitive data, keeping it away from prying eyes, often with encryption and passwords for additional security.

But how effective are these apps at protecting your data? Is it safe to assume that they live up to their promise and offer the level of security our data needs? Unfortunately, we analyzed the more popular ones on Google Play and found that they fail to deliver what they promise.

    The apps we analyzed are the following:

    • https://play.google.com/store/apps/details?id=com.tonado.boli.hiper
    • https://play.google.com/store/apps/details?id=com.domobile.applock
    • https://play.google.com/store/apps/details?id=com.newsoftwares.folderlock_v1
    • https://play.google.com/store/apps/details?id=com.mwgo.filelocker

    As of posting, we have informed the developers of the said apps as well as Google.

    Tip Calculator in Disguise

File Hide Pro claims to hide files “in seconds!” It even disguises itself as a tip calculator for an additional layer of privacy. However, we found that the only “protection” this app offers is renaming files so that they begin with a “.” A dot-prefixed name merely tells Android’s media scanner and most file browsers to skip the file by default; it does not restrict access to it in any way.

Figure 1 shows that the only difference after the “hide” action is performed is the renamed file.

    Figure 1. File name of images before and after the “hide” function is performed

The application creates an index file at sdcard/.hermit/.hermit_restore.hider. Both the index and the “hidden” files live on the SD card, where they are world-readable, meaning any application on the device can read them. In fact, the “hidden” files can be browsed with any file explorer, and malicious apps or users can use .hermit_restore.hider as a map to find and read them.


    Figure 2. Contents of “.hermit_restore.hider”
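To make the point concrete, here is an added example (not File Hide Pro’s code) of what “hiding” by dot-prefixing a file name actually buys. It builds a throwaway “SD card” tree, hides files the way the post describes (renamed to start with “.” and logged in sdcard/.hermit/.hermit_restore.hider), and then recovers them both via that index and by simply walking the tree. The index line format and the 0o644 file mode (standing in for external storage, which any app with storage access can read) are assumptions for this demo; the post does not show the index contents.

```python
"""Added example: dot-prefix "hiding" recovered two ways by a hypothetical other app."""
import os
import stat
import tempfile

INDEX_PATH = os.path.join(".hermit", ".hermit_restore.hider")  # path named in the post


def hide(sdcard, relpath):
    """Mimic the app's "hide": DCIM/IMG_0001.jpg -> DCIM/.IMG_0001.jpg, plus an index entry."""
    src = os.path.join(sdcard, relpath)
    parent, base = os.path.split(src)
    dst = os.path.join(parent, "." + base)
    os.rename(src, dst)                       # contents and permissions are untouched
    index = os.path.join(sdcard, INDEX_PATH)
    os.makedirs(os.path.dirname(index), exist_ok=True)
    with open(index, "a") as f:               # assumed format: hidden<TAB>original
        f.write(f"{os.path.relpath(dst, sdcard)}\t{relpath}\n")
    return dst


def is_world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def recover_via_index(sdcard):
    """What a malicious app does: read the index and map original name -> hidden file."""
    found = {}
    with open(os.path.join(sdcard, INDEX_PATH)) as f:
        for line in f:
            hidden, original = line.rstrip("\n").split("\t")
            found[original] = os.path.join(sdcard, hidden)
    return found


def recover_by_walking(sdcard):
    """No index needed: every dot-file on external storage is a candidate.
    The dot only makes the media scanner and most file browsers skip the file."""
    hits = []
    for root, dirs, files in os.walk(sdcard):
        dirs[:] = [d for d in dirs if d != ".hermit"]   # skip the app's own index folder
        hits.extend(os.path.join(root, n) for n in files if n.startswith("."))
    return sorted(hits)


def demo():
    """Build the tree, hide two constructed images, and show both recovery paths work."""
    sdcard = tempfile.mkdtemp(prefix="sdcard-")
    names = ["DCIM/IMG_0001.jpg", "DCIM/IMG_0002.jpg"]
    os.makedirs(os.path.join(sdcard, "DCIM"))
    for n in names:
        with open(os.path.join(sdcard, n), "wb") as f:
            f.write(b"\xff\xd8 constructed JPEG stand-in for " + n.encode())
        os.chmod(os.path.join(sdcard, n), 0o644)  # assumed: external storage readable by all apps
    hidden = [hide(sdcard, n) for n in names]
    via_index = recover_via_index(sdcard)
    with open(via_index[names[0]], "rb") as f:
        first_bytes = f.read(2)
    return {
        "still_world_readable": all(is_world_readable(p) for p in hidden),
        "index_maps_every_file": sorted(via_index) == names,
        "walk_finds_every_file": recover_by_walking(sdcard) == sorted(hidden),
        "content_untouched": first_bytes == b"\xff\xd8",
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Every check comes back true: the bytes are untouched, the mode is unchanged, and the app’s own index hands an attacker the original names. Nothing in this design depends on a secret, so nothing in it can be called protection.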

    Hidden Files in a Readable Database

File Locker “hides” a user’s files by moving them to the fixed folder /sdcard/.MySecurityData/dont_remove/. Unfortunately, the locations of the hidden files and their original paths are stored in a SQLite3 database. Both the database and the hidden files are located on the SD card and are world-readable, so any app can open the database and walk straight to the files.

    “Secure” Wallet for Banking Information

Folder Lock, meanwhile, tries to distinguish itself from other applications by offering a secure “wallet” for information such as credit card numbers, passwords, and other banking/business-related information. Our analysis shows that, rather than being encrypted, the data in the “wallet” is stored in cleartext in a world-readable path. Other “hidden” files are stored in fixed-path folders without any encryption.


    Figure 3. Sample data in the “wallet” function


    Figure 4. Sample data is stored in cleartext

    Encryption Without Protection

App Lock, the last app we analyzed, actually does what it advertises: it encrypts files. But does this mean a user’s files are safe? As it turns out, they aren’t.

The application encrypts files using a fixed, home-grown algorithm whose only secret is whatever is built into the app itself. Anyone can therefore recover the decryption routine by decompiling the APK, and whoever has the routine can decrypt every file. In practice there is no difference between data “encrypted” this way and data stored in cleartext.

    Figure 5. Files are locked with the sample password “123”

    Figure 6. The decrypted locked files with the password displayed

It’s worth noting that the password is essentially moot for this app. The password the user sets is simply encrypted with the same routine and saved in the last block of each encrypted file; in short, the password is treated as just another piece of data to be stored, not as the key. Once a file is decrypted, both its contents and the password are revealed. Ideally, the password would be what prevents other people from accessing the files, even if they know the decryption process.
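The following is an added example, not App Lock’s code: a stand-in for the broken design described above, next to a password-derived design. In weak_lock the cipher key is hard-coded and the user’s password is merely appended as the last block, so anyone who lifts the routine from the APK recovers both the file and the password. In sound_lock the password is never stored: it goes through PBKDF2, only the derived key can decrypt, and a wrong password produces nothing rather than garbage, so publishing the algorithm costs nothing. The hard-coded key, the XOR cipher and the HMAC-counter keystream are toy constructions chosen so the example runs with the standard library alone; a real app would use a vetted AEAD such as AES-GCM with the same key-derivation idea.

```python
"""Added example: password-as-stored-data versus password-as-key-input."""
import hashlib
import hmac
import os

BLOCK = 16
FIXED_KEY = b"hardcoded-in-apk"          # assumed stand-in for the app's built-in secret


def _xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- weak: fixed key, password stored alongside the data ---------------------
def weak_lock(plaintext, password):
    pw_block = password.encode()[:BLOCK].ljust(BLOCK, b"\0")   # "the last block"
    return _xor(plaintext + pw_block, FIXED_KEY)


def weak_unlock_without_password(blob):
    """The attacker's view: the decompiled routine yields file and password at once."""
    raw = _xor(blob, FIXED_KEY)
    return raw[:-BLOCK], raw[-BLOCK:].rstrip(b"\0").decode()


# --- sound: password -> key via PBKDF2, password never written to disk -------
def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive(password, salt, iterations):
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return master[:32], master[32:]          # separate encryption and MAC keys


def sound_lock(plaintext, password, iterations=200_000):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(password, salt, iterations)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag           # nothing here is usable without the password


def sound_unlock(blob, password, iterations=200_000):
    """Returns the plaintext, or None on a wrong password or a tampered blob."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive(password, salt, iterations)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


if __name__ == "__main__":
    locked = weak_lock(b"bank statement", "123")
    print("weak scheme, no password supplied:", weak_unlock_without_password(locked))
    blob = sound_lock(b"bank statement", "123")
    print("sound scheme, wrong password:", sound_unlock(blob, "124"))
    print("sound scheme, right password:", sound_unlock(blob, "123"))
```

The difference to look for when reviewing any “file locker” is exactly this: if the password is not an input to key derivation, the app cannot be more secure than the secrecy of its own code, which on Android is none.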

    Protecting Your Data

Of course, the initial issue here is that these apps don’t work as they claim. The bigger issue is that the files are at risk of theft or leakage. One detail common to all of these apps is that the data can be accessed by other apps and accounts, which means that even non-malicious apps can read these files.

The issue is compounded by the fact that these apps are very popular. One app alone has passed the 50 million download mark, and the others have also reached millions of downloads. Users must be discerning when downloading apps. App reviews can help a person check whether an app truly works as it claims. For security apps, it’s best to download from known security vendors.

But beyond selecting the right apps, users should remember that apps are not the be-all and end-all of protecting privacy. They should use other privacy features and solutions to protect their data from prying eyes. For example, they could store their files and keep backup copies in a different, secure location via Trend Micro Safe Sync.

Another way to protect sensitive data is simply to limit the amount of data stored on mobile devices. Given the amount and variety of activities performed on them, storing some sensitive data seems unavoidable. However, keeping stored data to the bare minimum makes it easier to keep track of: it is easier to account for data in five apps than in, say, twenty. Less data can mean fewer privacy problems.

     



Recently, I learnt that attackers compromised Gizmodo’s Brazilian regional site. The attackers modified the Gizmodo main page to add a script that redirected visitors to another compromised website, hosted in Sweden under a .se domain name. The attackers also uploaded a web shell onto that Swedish server to keep control of it.

Opening the compromised site loads a malicious URL that serves a fake Adobe Flash download page in Portuguese:

    Figure 1. Fake Flash download page

The file offered for download is actually a backdoor, detected as BKDR_GRAFTOR.GHR. (It should also be noted that the current Flash Player version is 14.0.0.145, a far cry from the version advertised on this page.)

This backdoor was hosted on Google Drive; trying to download it now returns a message saying that it has reached its download limit.

    Figure 2. Google Drive message

The attackers used a legitimate service to make the downloaded file look benign. Based on our investigation, another website, this one belonging to a logistics firm, was compromised in a similar way. Both Gizmodo and the logistics firm’s site were hosted on UOL, the biggest ISP and content provider in Brazil. We are still investigating whether a vulnerability was used to penetrate the web servers.

    Gizmodo Brazil was notified of this threat and immediately removed the compromised code from their servers. In addition, we have notified Google about the malicious file hosted on Google Drive so it can be deleted as well. Trend Micro products already block the various aspects of this threat.

    Update as of 11:25 PM, July 30, 2014

The SHA-1 hash involved in this attack is:

    • cd9efd3652b69be841c2929ec87f3108571bf285

    Update as of 1:40 PM, August 4, 2014

The detection BKDR_GRAFTOR.GHR has been renamed to BKDR_QULKONWI.GHR.

     
Posted in Malware



One of the recent triumphs against cybercrime is the disruption of the Gameover ZeuS botnet. What makes this even more significant is that another major threat was also affected: the notorious CryptoLocker malware.

    However, this disruption hasn’t deterred cybercriminals from using file-encrypting ransomware. In fact, we saw new crypto-ransomware variants that use new methods of encryption and evasion.

    Cryptoblocker and its Encryption Technique

Just like other ransomware variants, the Cryptoblocker malware, detected as TROJ_CRYPTFILE.SM, encrypts files and demands a specific amount for their release. However, this particular variant has certain restrictions. For one, it will not encrypt files larger than 100MB. It will also skip files found in the folders C:\WINDOWS, C:\PROGRAM FILES, and C:\PROGRAM FILES (X86).

And unlike other ransomware variants, Cryptoblocker does not drop any text file instructing the victim on how to decrypt the files. Instead, it displays the dialog box below. Entering a transaction ID in the text box triggers a message stating that the “transaction was sent and will be verified soon.”


    Figure 1. Dialog box

Another distinction is its encryption routine. This malware does not use the Windows CryptoAPI, a marked difference from other ransomware, which typically use the CryptoAPI to generate RSA keys. This is an interesting detail, considering that RSA keys would make decrypting the files more difficult. Instead, we found code for the Advanced Encryption Standard (AES) in the malware.

A closer look also reveals that the compiler notes were still intact after unpacking the code. This is highly interesting, as compiler notes are usually removed because the information could be used by security researchers to detect (and thereby block) files from the same malware writer. Their presence suggests that the person behind Cryptoblocker may be new to writing ransomware.

Based on feedback from the Trend Micro Smart Protection Network, the US is the top affected country, followed by France and Japan. Spain and Italy round out the top five affected countries.


    Figure 2. Countries affected by Cryptoblocker

    Critroni and the Use of Tor

    The Tor network has gained a lot of attention due to its association with cybercrime. Cybercriminals have been using the network to mask their malicious activity and hide from law enforcement agencies.

We recently came across one variant, detected as TROJ_CRYPCTB.A and known as Critroni or Curve-Tor-Bitcoin (CTB) Locker, which uses Tor to mask its command-and-control (C&C) communications. After encrypting the files on the affected machine, the malware changes the computer’s wallpaper to the image below:


    Figure 3. Wallpaper displayed

It also displays a ransom message. Users must pay the ransom in Bitcoin before the set deadline passes. Otherwise, the files remain permanently encrypted.


    Figure 4. Ransom message

According to senior threat researcher Jamz Yaneza, this malware uses elliptic curve cryptography rather than RSA or AES. To put this into context, the Bitcoin ecosystem relies on one elliptic curve scheme, the Elliptic Curve Digital Signature Algorithm (ECDSA).

This isn’t the first time we have seen ransomware take advantage of the anonymity offered by the Tor network. In the last weeks of 2013, ransomware variants called Cryptorbit asked their victims to use the Tor Browser (a browser pre-configured for Tor) to pay the ransom. We have also come across Android ransomware that uses Tor for its C&C communications.

    BAT_CRYPTOR.A Uses Legitimate Apps

Last June, we reported on POSHCODER, a ransomware variant that abuses Windows PowerShell to encrypt files. We recently spotted yet another ransomware family that, like POSHCODER, uses legitimate tools for its encryption routine.

Detected as BAT_CRYPTOR.A, this variant uses GNU Privacy Guard (GnuPG) to encrypt files. Based on our analysis, the malware still carries out its encryption routine even if GnuPG is not installed on the system: as part of its infection chain, the dropper drops its own copy of GnuPG to use for encryption. The routine itself is written as a batch file.

The malware deletes %appdata%/gnupg/*, the directory where generated keys are saved. It then generates a new key pair using the file genkey.like: a public key (pubring.gpg) and a private key (secring.gpg).

The public key in pubring.gpg is used to encrypt the files on the system. The private key, which can decrypt the files, is left on the affected system, but it is itself encrypted (using the key secrypt.like), which makes decryption difficult. The newly encrypted private key is renamed KEY.PRIVATE.

BAT_CRYPTOR.A renames encrypted files to {file name and extension}.paycrypt@gmail_com. The ransom note instructs users to contact an email address for details on how to decrypt their files.

    The Importance of Caution

These ransomware variants prove that despite significant takedowns, cybercriminals will continue to find ways to victimize users. Users should remain cautious when dealing with unfamiliar files, emails, or URL links. While it might be tempting to pay the ransom for encrypted files, there is no guarantee that the cybercriminals will decrypt the ransomed files. Users can read other security practices in the blog entry Dealing with CryptoLocker.

    With additional insights from Romeo Dela Cruz, Joselito Dela Cruz, Don Ladores, and Cklaudioney Mesa.

    Update as of Aug 1, 2014, 05:33 PM. PDT:

The SHA-1 hashes involved in this attack are:

    5315a8be36750b62e87a4f24fc66d39eba2e92b5
    2f0a828d187a1d4d0761f3a2d60b8540012a54af
    c9cbf586a4ed4204ca930307c456034ebfac3f83
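As an added example (not Trend Micro’s tooling), here is a small triage script that applies the indicators this post gives to a directory tree: the SHA-1 hashes listed above, BAT_CRYPTOR.A’s “.paycrypt@gmail_com” renaming, and the GnuPG key artifacts it leaves behind (KEY.PRIVATE, pubring.gpg, secring.gpg, genkey.like, secrypt.like). The tree built in demo() is constructed for the demo; no real sample is included, so the hash check only exercises the negative case.

```python
"""Added example: file-system triage against the indicators named in this post."""
import hashlib
import os
import tempfile

KNOWN_SHA1 = {                                   # from the post's Aug 1 update
    "5315a8be36750b62e87a4f24fc66d39eba2e92b5",
    "2f0a828d187a1d4d0761f3a2d60b8540012a54af",
    "c9cbf586a4ed4204ca930307c456034ebfac3f83",
}
RANSOM_SUFFIX = ".paycrypt@gmail_com"            # {name.ext}.paycrypt@gmail_com
KEY_ARTIFACTS = {"KEY.PRIVATE", "pubring.gpg", "secring.gpg", "genkey.like", "secrypt.like"}


def sha1_of(path, chunk=1 << 20):
    """Stream the file so large encrypted blobs do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root):
    """Return ([(kind, detail)], [original paths of renamed files])."""
    findings, renamed = [], []
    for d, _, files in os.walk(root):
        for name in files:
            path = os.path.join(d, name)
            if name.endswith(RANSOM_SUFFIX):      # strip the suffix to get the victim's file name back
                renamed.append(os.path.join(d, name[: -len(RANSOM_SUFFIX)]))
            if name in KEY_ARTIFACTS:             # KEY.PRIVATE is worth preserving for a later decryptor
                findings.append(("gpg-key-artifact", path))
            if sha1_of(path) in KNOWN_SHA1:
                findings.append(("known-sample", path))
    if renamed:
        findings.append(("ransom-renamed", f"{len(renamed)} file(s) carry {RANSOM_SUFFIX}"))
    return findings, sorted(renamed)


def demo():
    """Constructed tree: one renamed document, one untouched file, one left-behind key."""
    root = tempfile.mkdtemp(prefix="triage-")
    os.makedirs(os.path.join(root, "Documents"))
    constructed = {
        "Documents/report.docx" + RANSOM_SUFFIX: b"opaque ciphertext",
        "Documents/notes.txt": b"untouched file",
        "KEY.PRIVATE": b"encrypted private key blob",
    }
    for rel, data in constructed.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    findings, renamed = triage(root)
    return {kind for kind, _ in findings}, [os.path.relpath(p, root) for p in renamed]


if __name__ == "__main__":
    kinds, renamed = demo()
    print("finding kinds:", sorted(kinds))
    print("files to restore once a key is available:", renamed)
```

Keep KEY.PRIVATE and the other key files rather than wiping the machine: the post notes the private key is encrypted, not destroyed, and the inventory of original file names is what you will need if a decryption path ever appears.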

     
Posted in Malware



Alipay is a popular third-party payment platform in China operated by Alibaba, one of the biggest Internet companies in China. We recently found two vulnerabilities in its Android app that an attacker could exploit to carry out phishing attacks and steal Alipay credentials. We disclosed the vulnerabilities to Alipay; they acknowledged the issue and released an update to their users earlier this month that fixes them. Version 8.2 and newer of the Alipay app no longer contain these vulnerabilities. We urge all Alipay users to check whether they still have a vulnerable version and update to the latest version if needed.

    First vulnerability: Exported activity

Android applications are built from several components, one of which is the Activity. Activities have an important attribute, android:exported. If it is set to “true”, every application installed on the same device can start that activity. Developers should take care that their exported activities cannot be abused, for example by guarding them with a permission or by validating the data they receive.

We found that the official Android app for Alipay was vulnerable to exactly this kind of abuse. One of its exported activities is used to add an Alipay passport (known as an Alipass). An attacker, using a specially crafted Alipass, can use this activity to create an Alipass login display that leads the user to a phishing page or displays a QR code. Before the activity is launched, the user is asked to enter the Alipay unlock pattern, which makes the user believe the login really comes from Alipay.

    Figure 1. Phishing URL delivered by activity

    Vulnerability #2: Malicious permission

We discussed earlier how permissions can also be exploited through permission preemption. In this attack, a malicious app installed before the target application declares the target application’s custom permission itself, so it is granted that permission and can access the components the permission is meant to protect.

Alipay’s app defines the permission com.alipay.mobile.push.permission.PUSHSERVICE to protect the component com.alipay.mobile.push.integration.RecvMsgIntentService. This component is used by the Alipay app to receive messages from the Alipay server; one such message informs the user that an update for the app is available.

Once a malicious app has been granted the PUSHSERVICE permission, an attacker can simply construct such a message and send it to RecvMsgIntentService to push an update notification to the user.

    Figure 2. Test notification exploiting vulnerability

    Figure 3. Notification asking to install a malicious app.

Once the user accepts the update, another application is downloaded and installed, and the URL it is downloaded from is controlled by the attacker as well. Combined with the recently uncovered Android launcher vulnerability, an attacker can hijack Alipay’s shortcut and launch a fake Alipay app to capture the user’s account credentials.

Android’s exported activities are not the only mobile operating system feature that might be thought of as a security risk. For example, iOS allegedly contained a backdoor, before it later emerged that this was simply a diagnostic tool. Real or not, mobile OS features can become security threats down the road if developers do not use them securely.
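Both issues in this post are visible in a manifest before any dynamic testing, so here is an added example (not Alipay’s code) that audits an AndroidManifest.xml for them. A component is flagged when it is exported, explicitly or implicitly through an intent-filter, with no permission at all, and when it is guarded by a custom permission whose protectionLevel is weaker than “signature” (a normal-level permission can be requested by any app, and on Android releases before 5.0 an app installed first could even define it ahead of the real owner, which is the preemption described above). The manifest is constructed: the permission and service names come from the post, the package and activity names are made up.

```python
"""Added example: static audit of exported components and custom permission levels."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)     # keep the android: prefix when re-serialising


def a(attr):
    """Fully qualified name of an android:* attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed manifest: permission and service names from the post, the rest hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <permission android:name="com.alipay.mobile.push.permission.PUSHSERVICE"
              android:protectionLevel="normal"/>
  <application>
    <activity android:name=".AddPassActivity" android:exported="true"/>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name="com.alipay.mobile.push.integration.RecvMsgIntentService"
             android:exported="true"
             android:permission="com.alipay.mobile.push.permission.PUSHSERVICE"/>
  </application>
</manifest>"""


def audit(manifest_xml):
    """Return [(component, problem)] for every reachable component that is weakly guarded."""
    root = ET.fromstring(manifest_xml)
    levels = {p.get(a("name")): p.get(a("protectionLevel"), "normal")
              for p in root.iter("permission")}
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            name = comp.get(a("name"))
            filters = comp.findall("intent-filter")
            exported = comp.get(a("exported"))
            if exported is None:                      # pre-Android-12 default: filter => exported
                exported = "true" if filters else "false"
            if exported != "true":
                continue
            actions = {act.get(a("name")) for f in filters for act in f.findall("action")}
            if "android.intent.action.MAIN" in actions:
                continue                              # the launcher entry point must be exported
            perm = comp.get(a("permission"))
            level = levels.get(perm, "normal")        # undeclared permission: treat as weakest
            if perm is None:
                findings.append((name, "exported with no permission: any app on the device can invoke it"))
            elif "signature" not in level:
                findings.append((name, "guarded by %s at protectionLevel=%s, which any app may request"
                                 % (perm, level)))
    return findings


def harden(manifest_xml):
    """Apply the two fixes. The export rule here is deliberately blunt (anything without an
    intent-filter or permission becomes private); a real app decides this per component."""
    root = ET.fromstring(manifest_xml)
    for p in root.iter("permission"):
        p.set(a("protectionLevel"), "signature")     # only apps signed with the same key qualify
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            if not comp.findall("intent-filter") and comp.get(a("permission")) is None:
                comp.set(a("exported"), "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for component, problem in audit(SAMPLE_MANIFEST):
        print(component, "->", problem)
    print("after hardening:", audit(harden(SAMPLE_MANIFEST)))
```

Run against a real APK, point audit() at the manifest that apktool or aapt2 decodes. The two findings it raises on the sample correspond one-to-one to the two vulnerabilities above; the hardened manifest raises none.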

     
Posted in Mobile, Vulnerabilities



    Summertime has become synonymous with blockbuster movies. Unfortunately, these movies have become a go-to social engineering lure used by cybercriminals.

Just like in previous years, Trend Micro engineers searched for possible threats related to movies released during the summer. This year, 22 Jump Street was the movie most used for social engineering, with Transformers: Age of Extinction and Maleficent ranking second and third. Where are these supposed streaming sites advertised? Tumblr ranks first, followed by WordPress and Blogspot.

    Figure 1. Commonly used summer movie titles

    Figure 2. Sites used to advertise online streaming sites

    The US ranks first among the countries which accessed the movie-related URLs, followed by Australia and India.

    Figure 3. Countries which visited the streaming sites

    Suspicious Streaming Sites

Users encounter these streaming sites by searching for certain keywords on the sites mentioned above. For example, we tried looking for a streaming site for the movie How to Train Your Dragon 2 on social media and came across a page on Facebook.

    Figure 4. Facebook page advertising the movie

    The Facebook page features a post that contains a shortened link to the streaming site. Clicking the Play button on the page redirects the user to yet another page.

    Figure 5. Redirected page

The user is urged to download a specific video player in order to watch the movie. However, the installer is detected as adware, specifically ADW_BRANTALL.

    Figure 6. “Video player” file being downloaded into the computer

    The Possible Adware-Malware Connection

    We found that this particular variant of ADW_BRANTALL can download unnecessary files, applications, and browser extensions into the system.

Other ADW_BRANTALL variants are known to push malware, specifically MEVADE/SEFNIT, to computers. MEVADE is known for its click-fraud and Bitcoin-mining routines. A Trend Micro research paper, On the Actors Behind MEVADE/SEFNIT, discusses this adware-malware connection at length. Note, however, that this particular sample is not related to the ADW_BRANTALL variant that downloads MEVADE/SEFNIT, as discussed in that paper.

While it might be tempting to watch the latest movies for free, users should remember that so-called copies made available online are often fakes or scams. Worse, they could be malware in disguise. It’s best to resist the temptation and watch movies at the cinema.

Trend Micro Titanium™ Security protects systems from malicious links by highlighting such URLs in social networking sites, instant messages, and email, so that users avoid clicking them.

As of posting, Trend Micro has informed Facebook about this incident, and the accounts involved in these scams have already been disabled.

    With analysis from Sylvia Lascano and Maela Angeles

     
Posted in Bad Sites, Malware


     
