Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun   Aug »
  • Email Subscription

  • About Us

    Archive for July 24th, 2014

    The security of the Android platform is based on its sandbox and permission protection mechanism, which isolates each app and restricts how processes can communicate with each other. However, because it is designed to be open to include other open source projects like Linux and OpenSSL, it can inherit many features as well as vulnerabilities.

    This means that the protection of the sandbox cannot cover every aspect of the system, and threats to Android still remain. Open ports are one potential source of vulnerabilities, and we recently found a new vulnerability in the app of a Chinese deals site, Meituan, that highlighted this problem.

    Earlier this year, Heartbleed was a notable example; apps with their own vulnerable OpenSSL library to create TLS/SSL connections are at risk of leaking local memory information. Similarly, any vulnerability in an app or external module may affect the security of the entire system.

    Linux is also a potential source of vulnerabilities. Because Android is based on the Linux kernel and still uses many native Linux APIs, Linux vulnerabilities may affect Android as well. For example, CVE-2014-3153 was used by root exploit tools like TowelRoot. Another example was CVE-2014-0196.

    Network protocol implementations in Linux are also facing security challenges. Vulnerabilities seen this year in the Linux TCP/IP stack included CVE-2014-0100CVE-2014-2523 also affected Android as well. These vulnerabilities, if exploited, put users at risk, as an attacker would be able to exploit their machine remotely.

    Android systems that insecurely use these network protocols may also have vulnerabilities. CVE-2011-3918 was a vulnerability in the zygote process, which allowed an attacker to launch a local denial of service via a malicious app. The cause was the developer used the socket protocol without setting the right permissions. Similar vulnerabilities include CVE-2011-1823, CVE-2013-4777, CVE-2013-5933. Developers need to be aware of  of the security risks when using these protocols, as there can be serious consequences resulting from their mistakes.

    User installed apps may increase this risk as well. Look at the following screenshot:

    Figure 1. Apps with open ports

    The screenshot shows how many apps listen on an open TCP port, which means the device is exposed online without the benefit of a firewall. What if an app was built by a developer who wasn’t aware of the security issues? Even well-known software applications have their share of network-related vulnerabilities. As it stands, it would be better to have a firewall of some kind to protect Android users, but that is not part of the mobile OS today.

    These kind of vulnerabilities do exist on Android.  We found a vulnerability in the Android app of Meituan, a Chinese site similar to Groupon. It affects versions of the Meituan app below 4.6.0. Vulnerable versions of this app listen on TCP port 9517, which allows the app to receive messages from a server. However, because it does not authenticate the sender, any machine on the Internet can trigger a command on the phone.

    The code snippet responsible for the vulnerability is below:

    Figure 2. Vulnerable app code

    It parses the received TCP data in a certain format and then sends android.intent.action.VIEW with the “intent” in the received data. Using this vulnerability, an attacker can send large numbers of messages using your phone to a fraudulent number, or open phishing websites.

    If your Android version is older than 4.0.4, the USSD vulnerability may also be triggered by this problem. This means that your phone may even be remotely wiped by an attacker!

    We are looking forward to enhancements to Android security like SELinux, Storage Access Framework, and Device Administration. However, there are still many unprotected parts of the Android system. These network vulnerabilities will be a significant problem moving forward.

    We disclosed this vulnerability to Meituan on June 3 of this year, and the vendor confirmed it to us on the same day. A fix was issued to users two days later on June 5, with version 4.6.1 of the app. Trend Micro and Meituan worked together on the solution, and we mutually agreed to disclose details of this vulnerability at this time.

    Posted in Mobile, Vulnerabilities | Comments Off on Open Socket Poses Risks To Android Security Model

    Ever since the mobile boom, smartphones have become an integral part of our lives, enough that they’ve become virtually indispensable in today’s fast-paced world. Not only do they serve to connect us to our friends and loved ones wherever they may be, but they also allow us to do our daily tasks and chores all with a single tap of a screen. We’ve formed such an unbreakable relationship with our smartphones that cybercriminals have included them in their list of targets to attack for monetary gain. For better or for worse, smartphones have become an important part of our daily toolset for life.

    From the way the winds of change are blowing, however, it seems that smartphones are about to become a bigger part of our lives, and that’s with the Internet of Everything involved. With the unveiling of iOS 8, Apple also revealed HomeKit, an app service that will help the user manage third-party IoE-enabled devices in their home. With HomeKit, users will be able to group certain devices by the rooms they’re installed in, and set parameters/controls unique to each ‘room’ grouping. This allows for users to be able to modify settings easily, either in a room-to-room basis or more granular. As of this writing, Google has yet to come up with their equivalent, but we can be sure to see it in the coming days.

    With this development, we can already see how it’s going to be quite the next big thing, in terms of overall convenience and cool factor. What’s more convenient – and honestly, exciting – about controlling the myriad elements in your home with the gadget you do nearly everything on? Scenarios like your refrigerator texting you while you’re outdoors, reminding you that you’re low on eggs – or remotely turning off an appliance you suddenly remembered only after leaving your home – has universal appeal, and smartphone makers are trying to get us to that future.

    But that’s only one side of the coin. The other side, unfortunately, is that introducing the smartphone to your automated home ecosystem may not be the most secure of decisions. This is because the many security pitfalls of the platform – that we’ve talked about at length in this blog – may carry over to the IoE-enabled devices in your home, and thus make you vulnerable to cybercriminal attacks. A cybercriminal hacking into your phone to subscribe you to premium services? Already done. A cybercriminal hacking into your security system THROUGH your phone, deactivating it so they can rob you blind? Very possible!

    This is the gist of our latest Mobile Monthly Report, titled “Mobile Security and the Internet of Everything: The Smartphone Remote Hub Problem”. We explore just what the ramifications are, security-wise, in making your smartphone the ‘remote hub’ or ‘universal remote’ of the automated home network. We also look into what early adopters can do to help protect themselves, in case they have already done the deed. We also have June’ mobile malware and adware stats for our readers to peruse.

    Smartphones may be the end-all and be-all in convenience, but with how they’re hot in the eyes of cybercriminals, we need to apply them carefully. You can check out the latest MMR here.

    Posted in Internet of Things, Mobile | Comments Off on The Role of Smartphones in the Internet of Everything

    In the first half of the year, the spam volume increased by 60% compared to the data last 1H 2013.  We can attribute these to several factors:  the prevalence of DOWNAD and the steady boom of malware-related emails with spam-sending capabilities (such as MYTOB). Prevalent threats like UPATRE and ZeuS/ZBOT also employed spam as its infection vectors to deliver their payload. In our 2013 review of the spam landscape, we predicted that spam will still be used to distribute malware.  This remains to be true.


    Figure 1. Spam volume for Q2, 2014

    Spam Attacks Target German Users

    Almost 83% of all spam analyzed are written in English and the other 17% are non-English languages.  The top non-English language used in spam is German followed by Japanese.  We spotted spam attacks written in German that led to control panel malware (CPL). CPL malware initially affected Brazilian users earlier this year. Moreover, towards the later part of 2Q 2014, we saw the emergence of EMOTET, a banking malware that supposedly sniff network activity to steal user data.  Similarly, it arrives via email messages that purport as shipping invoices and bank transfers.  Based on our investigation, certain banks in Germany are included in the list of monitored websites for this threat.


    Figure 2. Top5 language used in spam mails

    The curious case of image and salad spam

    Based on our honeypot sources, the top three spam types are malware-related (20%), health-related (16%), and commercial and stock spam (11%). We also saw a surge of stock spam in the last six months.  One spam sample we spotted is a stock trading spam that informs users about trading tips that could help them get rich quickly. In terms of spam techniques, we observed that before salad words or random gibberish words are incorporated in HTML but now they are in the message body together with news clips to make it appear legitimate and to bypass spam filters.  In addition, spammers are also combining not so new techniques like the use of newsclip with image spam instead of just plain image. This is done to avoid detection of spam filters.

    Top Spam Types-01

    Figure 3. Top spam categories

    New and recycle spam tactics and techniques

    Newsworthy events, movies, and issues remain to be effective social engineering lures to trick users into opening spam emails, which possibly can lead to data theft and system information. KULUOZ, a malware distributed by the Asprox botnet takes a different turn and steals news headlines from CNN and BBC news and placed these news snippets in the email body.  We observed that they copy part of the news article together with the headline so as to bypass spam filters. The Thai Coup incident is one the many notable news leveraged by these spam campaigns.  Apart from stealing headlines, this specific KULUOZ spam run employs its usual tactic of using shipping notification templates.

    Another trend we observed is the abuse of popular file storage platform like Dropbox to host malware.   Last May, we noticed that UPATRE-related spam utilized a Dropbox link, not only as part of its social engineering lure but also to download the malicious files.  When users clicked the URL, they will point to a Dropbox link where they download UPATRE, a malware known for downloading information stealers ZeuS. The ZeuS variant that UPATRE downloads, also downloads another malware NECURS.  In other samples we gathered, the Dropbox link is embedded in the message body but points to Canadian pharmacy websites.  We also spotted a spammed message that abused CUBBY, another file hosting service similar to Dropbox. However, this particular spam run leads to a BANKER variant instead.

    Spam and its Impact in the Threat Landscape

    Based on our honeypot data, the number of malware related emails increased by 22 percent.  In our previous blog post, we tackled that more than 40 percent of malware related spam mails can be attributed to machines infected by DOWNAD in Q2. Although DOWNAD or Conficker emerged as early as 2008, it remains to be a prevalent threat today.  In fact, it is one of the top three malware that affects enterprises and SMBs.

    UPATRE takes the lead as the top malware distributed via spam mails, followed by TSPY_ZBOT and BKDR_KULUOZ. UPATRE constitutes more than 33% of total malspam volume. However, towards June, we’re seeing a decline in the number of spam campaigns related to this malware.  ZeuS ranks as one of the top sources of malspam and most malware propagated via spam.

    KULUOZ downloads malware like FAKEAV and ZACCESS and can possibly turn infected systems to spam distributors.  Last April, KULUOZ took advantage of the tragic news on MV Seoul maritime accident.

    Top Malware from Spam 2-02

    Figure 4. Top10 malware from spam mails


    Figure 5. TROJ_UPATRE VS. Total malspam

    Spam Towards the Second Half of 2014

    Spam remains to be a crucial arsenal of cybercriminals in proliferating their malicious activities. We predict that in the second half of the year, the volume of spam will continue to increase. Cybercriminals may leverage upcoming holidays and events in the next quarters just like in previous years thus contributing to the spiking number of its volume.

    We’ll also continue to see spam being employed as malware carriers. Furthermore, we observed that newly created domains spread via email are increasing. This is probably due to the domain generation algorithm capabilities of spam sending malware like DOWNAD. It can affect the volume of spam since one domain can be seen in a number of spam emails already.

    Update as of July 22, 2014, 11:00 P.M. PDT:

    We have updated Figures 2 and 4 to make the numbers presented more clearer.

    Posted in Malware, Spam | Comments Off on 1H 2014 Spam Attacks and Trends


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice