    TrendLabs Security Intelligence Blog

    Archive for July 29th, 2014

    Alipay is a popular third-party payment platform in China operated by Alibaba, one of the biggest Internet companies in China. We recently found two vulnerabilities in its Android app that an attacker could exploit to carry out phishing attacks and steal Alipay credentials. We disclosed the vulnerabilities to Alipay; they acknowledged the issue and released an update to their users earlier this month that fixes it. Version 8.2 and newer of the Alipay app no longer contain these vulnerabilities. We urge all users of the Alipay app to check whether they still have a vulnerable version and update to the latest version if needed.

    First vulnerability: Exported activity

    Android applications are built from several kinds of components, one of which is the Activity. Activities have an important attribute, android:exported. If this attribute is set to “true”, every application installed on the same device can start the activity. Developers should take care that their exported activities cannot be abused.

    We found that the official Android app for Alipay exported an activity that could be abused in exactly this way. The activity is used to add an Alipay passport (known as an Alipass). An attacker can use a specially crafted Alipass to make this activity show an Alipass login display, which can lead the user to a phishing page or present a QR code. Before the activity is launched, the user is asked to enter the Alipay unlock pattern, which makes the user believe the login really comes from Alipay.

    Figure 1. Phishing URL delivered by activity

    Second vulnerability: Malicious permission

    We discussed earlier how permissions can also be exploited through permission preemption. In this attack, a malicious app is installed before the target application, is granted the target application’s custom permission, and can then access the components that permission protects.

    Alipay’s app defined the permission com.alipay.mobile.push.permission.PUSHSERVICE to protect the component com.alipay.mobile.push.integration.RecvMsgIntentService. The Alipay app uses this component to receive messages from the Alipay server, one of which is the message informing the user that an update for the app is available.

    Once a malicious app holds the PUSHSERVICE permission, an attacker can simply construct such a message and send it to RecvMsgIntentService to push an update notification to the user.

    Figure 2. Test notification exploiting vulnerability

    Figure 3. Notification asking to install a malicious app.

    Once the user accepts the update, another application is downloaded and installed, and the URL it is downloaded from is controlled by the attacker as well. Combined with the recently uncovered Android launcher vulnerability, an attacker could hijack Alipay’s shortcut and launch the fake Alipay app to steal the user’s account credentials.

    Android’s exported activities are not the only mobile operating system feature that can turn into a security risk. For example, iOS allegedly contained a backdoor – before it later emerged that this was simply a diagnostic tool. Real or not, mobile OS features can become security threats down the road if developers do not use them in a secure manner.
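Both weaknesses described above (the exported activity under the first vulnerability and the custom permission under the second) are visible in an app's manifest before it ships, so a manifest audit is the check a developer or reviewer would want. The script below is an added example, not Alipay's code or Trend Micro's tooling: it parses an AndroidManifest.xml, reports exported components that any app on the device can reach without a permission, and reports custom permissions declared below signature protection level. The two manifests it checks are constructed for the example; the permission and service names are the ones named in the post, the activity name is a placeholder, and the "normal" protection level in the weak manifest is an assumption chosen to illustrate the preemptable case, since the post does not state which level Alipay used.

```python
"""Audit an AndroidManifest.xml for the two weaknesses discussed above:
exported components that any app on the device can reach, and custom
permissions declared below signature protection level.  Added example;
the manifests embedded below are constructed, not Alipay's real manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Namespaced key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def is_exported(component):
    """Android's export rule: an explicit android:exported wins; otherwise a
    component that declares an intent-filter is exported by default (the
    behaviour on API levels below 31, where the attribute became mandatory)."""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return a sorted list of (finding, name) pairs for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []

    # A custom permission below signature level can be requested and held by
    # any app, so it does not restrict callers to apps signed by the developer.
    levels = {}
    for perm in root.iter("permission"):
        name = perm.get(android_attr("name"))
        level = perm.get(android_attr("protectionLevel"), "normal")
        levels[name] = level
        if "signature" not in level:
            findings.append(("weak-permission", name))

    app = root.find("application")
    if app is None:
        return findings
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            if not is_exported(comp):
                continue
            name = comp.get(android_attr("name"))
            guard = comp.get(android_attr("permission"))
            if guard is None:
                findings.append(("unguarded-export", name))
            elif "signature" not in levels.get(guard, "signature"):
                # Guarded, but only by a permission this manifest declares
                # weakly; permissions declared elsewhere are not judged here.
                findings.append(("weakly-guarded-export", name))
    return sorted(findings)


# Constructed manifest mirroring the weak setup described above.  The activity
# name is a placeholder; the permission and service names are those named in
# the post, and the "normal" protection level is an assumption for the demo.
VULNERABLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <permission android:name="com.alipay.mobile.push.permission.PUSHSERVICE"
      android:protectionLevel="normal"/>
  <application>
    <activity android:name=".ExampleExportedActivity" android:exported="true"/>
    <service android:name="com.alipay.mobile.push.integration.RecvMsgIntentService"
        android:permission="com.alipay.mobile.push.permission.PUSHSERVICE">
      <intent-filter><action android:name="com.example.wallet.PUSH"/></intent-filter>
    </service>
  </application>
</manifest>
"""

# Same components with the fixes applied: the activity is no longer exported
# and the push service is guarded by a signature-level permission.
HARDENED_MANIFEST = VULNERABLE_MANIFEST.replace(
    'android:protectionLevel="normal"', 'android:protectionLevel="signature"'
).replace('android:exported="true"', 'android:exported="false"')

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST),
                            ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest))
```

Run against the weak manifest, the audit reports the exported activity, the weak permission, and the push service that is guarded only by that weak permission; the hardened manifest produces no findings. The check covers the manifest's own declarations only: whether another app installed earlier already owns a permission name is a runtime condition that no manifest can show, so signature-level protection is a necessary setting rather than a complete answer to preemption on older Android releases.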

    Posted in Mobile, Vulnerabilities | Comments Off



    Summertime has become synonymous with blockbuster movies. Unfortunately, these movies have become a go-to social engineering lure used by cybercriminals.

    Just like in previous years, Trend Micro engineers searched for possible threats related to movies released during the summer. This year, 22 Jump Street was the top movie used for social engineering. Transformers: Age of Extinction and Maleficent ranked second and third, respectively. Where are these supposed streaming sites advertised? Tumblr ranks first, followed by WordPress and Blogspot.

    Figure 1. Commonly used summer movie titles

    Figure 2. Sites used to advertise online streaming sites

    The US ranks first among the countries which accessed the movie-related URLs, followed by Australia and India.

    Figure 3. Countries which visited the streaming sites

    Suspicious Streaming Sites

    Users can encounter these streaming sites by searching for the right keywords on the sites mentioned above. For example, we tried looking for a streaming site for the movie How to Train Your Dragon 2 on social media and came across a page on Facebook.

    Figure 4. Facebook page advertising the movie

    The Facebook page features a post that contains a shortened link to the streaming site. Clicking the Play button on the page redirects the user to yet another page.

    Figure 5. Redirected page

    The user is encouraged to download a specific video player in order to watch the movie. However, the downloaded installer is detected as adware, specifically ADW_BRANTALL.

    Figure 6. “Video player” file being downloaded into the computer

    The Possible Adware-Malware Connection

    We found that this particular variant of ADW_BRANTALL can download unnecessary files, applications, and browser extensions into the system.

    Other ADW_BRANTALL variants are known to push malware, specifically MEVADE/SEFNIT, to computers. MEVADE malware is known for its click fraud and Bitcoin mining routines. A Trend Micro research paper, On the Actors Behind MEVADE/SEFNIT, speaks at length about this adware-malware connection. Note, however, that this particular sample is not related to the ADW_BRANTALL variant that downloads MEVADE/SEFNIT as discussed in that paper.

    While it might be tempting to watch the latest and upcoming movies for free, users should remember that so-called copies made available online are often fakes or scams. Worse, these could be malware in disguise. It’s best to ignore temptation and just watch movies at the cinema.

    Trend Micro Titanium™ Security protects users from such threats by highlighting malicious URLs in social networking sites, instant messages, and email, so that users do not click them.

    As of this posting, Trend Micro has informed Facebook about this incident, and Facebook has already disabled the accounts involved in these scams.

    With analysis from Sylvia Lascano and Maela Angeles

    Posted in Bad Sites, Malware | Comments Off

    © Copyright 2013 Trend Micro Inc. All rights reserved.