    Author Archive - Noriaki Hayashi (Senior Threat Researcher)

    Smartphone users in Japan are able to download a wide variety of apps, many of which are either inexpensive or free. Not all of these actually deliver the features users expect, and some even introduce risks that users may not fully understand. In this series of blog posts, I will try to show how to evaluate the risks of these apps, focusing on the threats usually seen in Japan. In the first of the three blog entries, I will examine the current situation of info-stealing apps targeting Japanese users.

    What is an “Ego App”?

    Some apps have unwanted routines which we consider high-risk; for example, some violate the user’s privacy by accessing the user’s personal information. Frequently, this is done by apps which display ads (i.e., adware). (In Japanese English, these are referred to as “ego apps.”) Examples of routines that may cause an app to be classified as such include:

    • Consuming system resources
    • Displaying pop-up advertising
    • Violating the user’s privacy

    Users who continue to use these apps may encounter unexpected behavior, and may suffer problems without any notice. Both kinds of apps have been getting plenty of attention lately. We will discuss the case of aggressive mobile adware in part 2 of this series of blog posts.

    Law enforcement actions

    On October 30, 2012, several police agencies in Japan arrested a number of suspects for violating the newly implemented cybercrime law. The Japan National Police Agency announced the arrest of five suspects, including an IT company executive, for creating malicious apps. (Trend Micro detects these as ANDROIDOS_DOUGALEK variants; they are also known as “the movie virus.”) In another case, the Kyoto Prefectural Police, together with its Fushimi Police Station, announced the arrest of one company executive who allegedly created the malicious apps Longer Battery Life, Signal Improvement, Sma Solar, Power Charge, and Solar Charge. We detect these as ANDROIDOS_CONTACTS variants.

    In both of these incidents, the suspects targeted smartphone users in Japan. We hope that these arrests will act as an effective deterrent to these kinds of cybercrime. In this entry, I will look at the apps used in these attacks.



    My previous post discussed how certain spam messages can lead to the downloading of malicious apps detected as ANDROIDOS_CONTACTS.E. This time around, we focused on the app’s routines and how the people behind this threat may profit.

    My analysis focused particularly on the app “Solar Change”. This Android app (detected as ANDROIDOS_CONTACTS.E) was found to gather contact information, such as email addresses, from the infected device. The perpetrators behind these apps may then peddle the gathered data to potential attackers and spammers.

    When users install the app, it shows the list of permissions that it requests. However, a closer look at these permissions reveals that the app also requests the contact details and the list of accounts stored on the device.



    We were alerted in July 2012 about malicious apps that we detect as ANDROIDOS_CONTACTS.E. We investigated the related spam, which arrives on the mobile device. What is noteworthy about this threat is that the spam was distributed not only to smartphones, but to feature phones as well.

    This indicates that the spammers may have carried out indiscriminate attacks targeting the email addresses provided by telecommunication carriers.

    In Japan, this carrier email address is popular among mobile users since it can be accessed on both mobile devices and other systems. Also, each telecommunications carrier provides a service that blocks spam mails. This feature may have made users complacent when it comes to the security of their carrier email addresses.

    Spammers understand users’ tendency to be too trusting, so they sent this spam to carrier email addresses to increase their attack’s success rate.

    So far, we can categorize the URLs in this spam into three types:

    • URLs that lead directly to the download of an Android APK package
    • URLs that lead to a malicious web page disguised as a legitimate app market store
    • Shortened URLs

    Let’s focus on the third type of URL. When users click the shortened URL, they are led to a webpage set up by the spammer or their partners. In this scenario, the page may either download an APK package or present a web page disguised as a legitimate app store.

    Why do spammers leverage shortened URL services? Users find it difficult to double-check the complete URL behind a shortened one, which raises the rate of users inadvertently clicking a malicious link. Furthermore, some shortened URL services count user clicks in real time. So if a particular link drew fewer clicks, spammers can reuse a different shortened link that drew more clicks in their future spam runs.

    Now, let’s focus on those URLs that lead users to a spoofed app store. We found the app “Power Charge”, also detected as ANDROIDOS_CONTACTS.E, which supposedly charges the device using sunlight.


    We found a spam mail written in Japanese leveraging the Olympics to sell illegal products. We fully expected this event to be used by cybercriminals to profit. It appears that among the first to strike are sellers of B-CAS cards for TVs, which are supposed to allow the users to watch the Olympics without paying.

    These spammed messages – which have the subject line オリンピック全日程が見放題 (translated as Free access to all Olympic games in English) – have a link which leads to websites selling the illegal B-CAS card. The message itself says that normally, you have to pay more than 400,000 Japanese yen (more than 5,000 US dollars) per year in order to watch premium channels. Instead, the (illegal) B-CAS cards allow you to watch these channels for free.

    The website of these illegal cards describes these cards as “miracle cards” in Japanese:

    The order form – which asks the user for their name, email address, number of cards to be bought, shipping address, and contact information – does not use HTTPS, which all reputable vendors use to secure the transaction from possible interception. Not only is the site selling illegal goods, it is also set up in a manner that would be insecure for any online commerce site.

    We have identified the server as being located in Hong Kong because of its IP address. Other landing pages for sites also selling B-CAS cards are located on this server as well.

    Here are some of the malicious URLs that we found on the server:


    Note that the above URLs are all hosted on a single IP. The following diagram shows the relationship between the various sites and this single IP address, as well as the overall infection chain:

    The Trend Micro™ Smart Protection Network™ protects users from this threat by preventing the spammed messages from even reaching users’ inboxes via the Email Reputation Service. It also blocks access to malicious sites via the Web Reputation Service. We have blocked more than 2,500 attempts by Japanese users to access these sites in the last 30 days.

    We advise users to not purchase anything from these sites, as they could face criminal prosecution for merely buying these devices. Recently, the Kyoto Prefectural Police announced they had arrested both buyers and sellers of illegal B-CAS cards.

    With the Olympics only days away from starting, we expect other threats related to this event soon. Here are some blog entries and Web Attack entries that discuss similar threats:

    For complete information on the latest Olympic-themed threats, including quizzes and safety guides, you can visit Race to Security, the Trend Micro security guide to major sporting events such as the Olympics.


    In the past we’ve reported about one-click billing fraud schemes starting to target smartphone users. The scheme, as its name suggests, tricks a victim into registering and paying for a certain service after being falsely led to a specific website. The past attack we saw involved a website wherein target victims were asked to pay a certain amount in order to prevent their information from being sent to an adult site.

    We’ve found a similar scheme, but this time it specifically targets Android users through a malicious app.

    The attack is triggered by a blog site that features videos showing gamers playing. The said blog, called “Game Dunga”, has changed its domain three times in the past. In the previous versions, there were a lot of links leading to the game-playing videos (not only adult content). The current (third-generation) version, however, only includes links leading to adult content.

    Trying to view any of the videos triggers a pop-up asking the user to download a malicious app detected as ANDROIDOS_FAKETIMER.A. ANDROIDOS_FAKETIMER.A gets the Android user’s account information and sends it to a certain URL as parameters, using the following methods:

    • getAccounts() method – to acquire Gmail account information managed by the affected users’ devices
    • getDeviceId() method – to acquire the SIM information of the affected devices
    • getLine1Number() method – to acquire the mobile number of the affected devices

    The information gathered by these methods is sent to the cybercriminals.
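    The permission review described for “Solar Change” above and the account and telephony calls ANDROIDOS_FAKETIMER.A makes both come down to one check a defender can automate: does the app declare the permissions that gate contacts, accounts and phone identifiers alongside network access? The following script is an added example, not code from the TrendLabs posts; it parses a constructed AndroidManifest.xml (the package name and permission set are invented for illustration) and flags that combination.

```python
# Added example (not from the TrendLabs posts): flag the permission combination
# that the info-stealing apps described above need, from a decoded manifest.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission that gates each kind of data the posts say these apps harvest:
# getAccounts() needs GET_ACCOUNTS, getDeviceId()/getLine1Number() need
# READ_PHONE_STATE, and reading the contact list needs READ_CONTACTS.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact details",
    "android.permission.GET_ACCOUNTS": "account list via getAccounts()",
    "android.permission.READ_PHONE_STATE": "getDeviceId() / getLine1Number()",
}
NETWORK = "android.permission.INTERNET"

# Constructed manifest imitating a "solar charger" app; package name and
# permission set are invented for illustration, not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.solarcharge">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Solar Charge"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml):
    """Report which sensitive-data permissions are declared and whether the app
    also has a network path to send that data off the device."""
    perms = declared_permissions(manifest_xml)
    sensitive = {p: why for p, why in SENSITIVE.items() if p in perms}
    return {
        "sensitive": sensitive,
        "network": NETWORK in perms,
        # The pattern from the posts: personal data plus a way to send it out.
        "info_stealer_pattern": bool(sensitive) and NETWORK in perms,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for perm, why in report["sensitive"].items():
        print(f"{perm}: {why}")
    print("info-stealer pattern:", report["info_stealer_pattern"])
```

A charger or battery utility has no legitimate reason to declare any of the three sensitive permissions, so a hit here is exactly the mismatch the posts describe between what an app claims to do and what it asks for.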

    ANDROIDOS_FAKETIMER.A also displays a pop-up window that shows the message “We haven’t received your payment. Therefore, based on our policy, we will have to charge you if you have not paid yet.”

    ANDROIDOS_FAKETIMER.A also displays the information it stole in order to build credibility for itself and better convince the victim to pay the amount.

    Using an app for this one-click billing fraud gives the scheme a level of persistence that was not evident before. In past schemes, the routines were mostly executed through a malicious website, and closing the browser would stop the attack. In this case, however, because the routines are run by an app installed on the device, the prompts asking the user to pay are shown repeatedly. We studied the code and found that the pop-up is set to show every 5 minutes.

    Should users encounter a similar site, they are advised to leave the site immediately and not click any links to avoid getting victimized. Smart Protection Network already blocks the related URL via our Web Reputation technology and detects the malicious application.

    For more information on other mobile threats, as well as tips on how to keep one’s device safe, please check our Mobile Threat Information Hub.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice