    Author Archive - Noriaki Hayashi (Senior Threat Researcher)




    Last April 23 to 25, I attended the seventh Counter eCrime Operations Summit (CeCOS VII), initiated by the Anti-Phishing Working Group (APWG). This year, the conference was held in Buenos Aires, Argentina. Security experts from Japan, Paraguay, Brazil, North America, Russia, and India flew to the South American city to discuss developments in the cybercrime arena. Together with 8 other participants from Japan, I arrived in Buenos Aires after a 38-hour flight. However, the talks and the level of energy at the conference definitely made the whole trip worth it.

    Overall, CeCOS featured 23 sessions divided into eight tracks, including two panel discussions. Aside from attending interesting talks, I also participated as a speaker at the event.

    I was very much interested in attending two talks: the National Field Reports and Mobile Attack Sessions. The National Field report particularly intrigued me, as it argues that the threat landscape of a particular country is a reflection of what’s happening globally.

    By now, it’s pretty much established that the mobile platform is the latest cybercrime battlefield, so I think it’s crucial to know what’s happening in the mobile threat front.

    As I mentioned earlier, I also participated as a speaker. As the representative of the anti-phishing council of Japan (CAPJ), I gave the talk Finding the Banking Trojan in Eastern Asia.

    Speaking at CeCOS VII

    Japanese-language phishing emails were first spotted in 2004 and since then, these mails have poured in and caused serious damage. As technology developed, these emails took more subtle forms, which made detection more difficult. In addition, instead of linking directly to phishing sites or carrying a malicious attachment, these emails now contain links to compromised sites that eventually lead users to malicious sites hosting exploit kits.

    As we all know, attackers are already expanding their threats to other platforms, particularly mobile. Thus, I presented my analysis of ANDROIDOS_CHEST, which targets Android OS and was reportedly found affecting South Korea. Users would receive text messages offering free coupons for either movie tickets, fast food, or coffee if the user downloaded an app, which was actually ANDROIDOS_CHEST.

    The malware monitors and gathers text messages in order to defeat two-factor authentication done via text messaging. ANDROIDOS_CHEST then sends the gathered messages to the attacker.

    The most important question though is, how can users protect themselves from the threats of phishing? The CAPJ has these tips:

    1. Keep your computer safe.
    2. Beware of suspicious emails.
    3. Access and bookmark legitimate URLs.

    Another helpful piece of advice is to always keep your systems updated with the latest security patches. Because banking Trojans are usually delivered through exploit kits (by way of phishing emails), patched systems are protected from exploits that target old vulnerabilities.

    Trend Micro provides tools and technologies that help protect users against security breaches and data theft. Trend Micro DirectPass manages your passwords so that using and remembering unique passwords for multiple accounts is no longer difficult. Trend Micro Mobile Security protects against threats like ANDROIDOS_CHEST that are on mobile devices. The Smart Protection Network provides both email and web reputation, blocking these threats before they arrive on user systems.




    In this third and final entry, I will report the results of our investigation into app-related battery consumption and what the problem really looks like.

    Android Apps’ Battery Consumption Issue

    According to Trend Micro research, almost 47% of smartphone users in Japan are bothered by their device’s battery longevity.

    Dubbed a “PC on your palm,” the smartphone’s design prioritizes portability, which inadvertently leads to battery resource issues. Previously, traditional feature phones did not have this concern, as their manufacturers were directly responsible for the overall development and quality assurance of the device’s components, from the operating system up to its apps.

    With smartphones, users can install third-party apps that are less dependent on the devices and their respective manufacturers. On the positive side, this brought changes to the apps market, in which new players can now participate and release their own apps. In turn, this made the app market dynamic and new apps are regularly introduced.

    The downside, however, is that app development is not aligned with smartphone devices and their operating systems, making quality assurance more complicated and fragmented. Because anyone can join this market, even individuals with insufficient technical knowledge can easily release an app. This could be one reason why “potentially unwanted apps” consume too many device resources.

    Resource Consumption Used by Free Android Apps

    Sampling the top 200 apps (both general apps and game apps) among free apps on Google Play, for August 31, 2012, Trend Micro examined their resource consumption using Trend Micro Mobile App Reputation (MAR). The details of the sampled data are as follows:

    Measuring battery consumption is not an easy task since it is determined by complex combination of apps and hardware. In MAR’s investigation, we created three levels of battery consumption using various combinations of factors such as network bandwidth, memory consumption, hardware used, etc.

    Read the rest of this entry »




    This is the second in a series of blog posts describing the mobile threat landscape in Japan. The first one may be found here.

    Smartphone users in Japan are able to download a wide variety of apps, many of which are either inexpensive or free. Not all of these actually meet what users expect in terms of features, and some even introduce risks that users may not fully understand. In this blog entry, I will report the privacy risks caused by certain apps that we have looked into.

    The Ad Delivery Cycle for “Free” Apps

    As mentioned in the first entry, we define apps that perform the following routines without user consent as high-risk apps (referred to as “ego apps” in Japan):

    • Displaying pop-up ads
    • Getting the user’s private information

    One reason these apps are significantly increasing lately is the way that ads are sold in Japan.

    As you can see in this graph, these ad agents/networks provide software development kits (SDKs) for app developers. By inserting the SDK-provided code into their apps, app developers can have ads appear inside their apps. They would then earn money from how many ads are viewed and/or clicked. This revenue allows the developer to charge little or no money for his app.
    Read the rest of this entry »




    Smartphone users in Japan are able to download a wide variety of apps, many of which are either inexpensive or free. Not all of these actually meet what users expect in terms of features, and some of them even introduce risks that users may not fully understand. In this series of blog posts, I will try to show how to evaluate the risks of these apps, focusing on the threats usually seen in Japan. In the first of the three blog entries, I will examine the current situation of info-stealing apps targeting Japanese users.

    What is an “Ego App”?

    Some apps have unwanted routines which we consider high-risk; for example some violate the user’s privacy by accessing the user’s personal information. Frequently, this is done by apps which display ads (i.e., adware). (In Japanese English, these are referred to as “ego apps.”) Examples of routines that may cause an app to be classified as such include:

    • Consuming system resources
    • Displaying pop-up advertising
    • Violating the user’s privacy

    Users who continue to use these apps may encounter unexpected behavior and may suffer problems without any notice. Both kinds of apps have been getting plenty of attention lately. We will discuss the case of aggressive mobile adware in part 2 of this series of blog posts.

    Law enforcement actions

    On October 30, 2012, several police agencies in Japan arrested a number of suspects for violating the newly implemented cybercrime law. The Japan National Police Agency announced the arrest of five suspects, including an IT company executive, for creating malicious apps. (Trend Micro detects these as ANDROIDOS_DOUGALEK variants; they are known as “the movie virus.”) In another case, the Kyoto Prefectural Police together with its Fushimi Police Station announced the arrest of one company executive who allegedly created the malicious apps Longer Battery Life, Signal Improvement, Sma Solar, Power Charge, and Solar Charge. We detect these as ANDROIDOS_CONTACTS variants.

    In both of these incidents, the suspects targeted smartphone users in Japan. We hope that these arrests will act as an effective deterrent to these kinds of cybercrime. In this entry, I will look at the apps used in these attacks.

    Read the rest of this entry »




    My previous post discussed how certain spam messages can lead to the downloading of malicious apps detected as ANDROIDOS_CONTACTS.E. This time around, we focused on the app’s routines and how the people behind this threat possibly profit.

    My analysis focused particularly on the app “Solar Change”. This Android app (detected as ANDROIDOS_CONTACTS.E) was found to gather contact information, such as email addresses, from the infected device. The perpetrators behind these apps may then peddle the gathered data to potential attackers and spammers.

    When users install the app, it shows the list of permissions that it requests. However, a closer look at these permissions reveals that the app also requests access to the contact details and the list of accounts stored on the device.
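    One way a defender can triage the permission pattern described here and in the ANDROIDOS_CHEST post above (SMS access paired with network access, plus contact and account access) is a manifest audit like the following. This is an added example, not Trend Micro's or the blog's code; the manifest is constructed, and the risk labels are my own naming.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
NETWORK = "android.permission.INTERNET"

# Data-access permissions that become a leak risk once the app can also reach the
# network, matching the posts' description: texts or contacts gathered, then sent out.
RISKY = {
    "sms_interception": "android.permission.RECEIVE_SMS",
    "sms_inbox_read": "android.permission.READ_SMS",
    "contact_harvesting": "android.permission.READ_CONTACTS",
    "account_harvesting": "android.permission.GET_ACCOUNTS",
}

def audit_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms.discard(None)
    # A receiver registered for SMS_RECEIVED sees every incoming text, including the
    # one-time codes used for SMS-based two-factor authentication.
    sms_receiver = any(a.get(ANDROID_NS + "name") == SMS_RECEIVED for a in root.iter("action"))
    findings = []
    if NETWORK in perms:
        findings = sorted(label for label, perm in RISKY.items() if perm in perms)
    if sms_receiver and RISKY["sms_interception"] in perms:
        findings.append("sms_receiver_registered")
    return {"permissions": sorted(perms), "findings": findings}

# Constructed manifest (not a real sample) modelled on the described coupon-app behaviour.
COUPON_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freecoupon">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(COUPON_APP)["findings"])
```

    The same function run on a manifest that requests only INTERNET returns no findings, so the audit separates an ordinary ad-supported coupon app from one that can read and exfiltrate texts and contacts.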

    Read the rest of this entry »




    © Copyright 2013 Trend Micro Inc. All rights reserved.