
    Author Archive - Paul Pajares (Fraud Analyst)

    Just a word of caution to those who will update their systems with the recent Java zero-day security patch: make sure to get it from a reliable source, or else face the possibility of a malware infection.

    Oracle has recently released its fix for the much talked-about Java zero-day (CVE-2012-3174), though the fix met with a lukewarm reception from certain sectors, including the US Department of Homeland Security. Meanwhile, we encountered malware disguised as a Java update.

    We were alerted to reports of malware that poses as Java Update 11 created by an unknown publisher. The fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class. This class downloads and executes the malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server, which enables a possible attacker to take control of the infected system. Users can get this fake update by visiting the malicious website, {BLOCKED}



    Ease is the main reason why users are going online for their purchases, especially during the holiday season. While convenient, online shopping poses risks to users’ login credentials and personally identifiable information (PII), as cybercriminals can easily craft phishing attacks that lead to data theft.

    Using the Trend Micro Smart Protection Network™ and other proprietary tools, we identified the most frequently spoofed brands among phishing sites created in December 2012. Below is a graph of created spoofed sites, limited to 50 popular brand names.

    Based on the information we’ve gathered, the e-commerce site PayPal was the most targeted institution, with 18,947 spoofed sites under its belt, followed by the American bank Wells Fargo. Users who are tricked into visiting spoofed PayPal sites may end up with their systems infected by TROJ_QHOST.EQ. So far, the malware has infected systems in Taiwan, Thailand and the United States (US). As you can see below, the top 10 most spoofed sites are composed of either banks or well-known credit card companies.

    Company name/website    Number of created phishing websites
    PayPal                  18,947
    Wells Fargo              2,049
    Visa                     1,661
    Citibank                 1,628
    Bank of America          1,477
    Mastercard                 986
    Chase                      656
    Bancolombia                369
    Natwest                    324
    Cielo                      310


    It’s a pig-eat-pig world out there – at least on the mobile app threat front. Right after reports of malicious Bad Piggies extensions on the Google Chrome Web Store circulated, we found that certain developers had also released their own rogue versions of the said gaming app.

    On the heels of Bad Piggies’ launch last month, we saw rogue versions of the game on specific web pages hosted on Russian domains. However, these versions are not affiliated at all with the game. Based on our analysis, these apps are verified as malicious, specifically premium service abusers, which send SMS messages without user consent and leave users with unnecessary charges.

    Slicing Through the Malicious Bad Piggies Version

    During our research, we used the keyword “Bad Piggies” and encountered 48 Russian domains. Among these sites is piggies-{BLOCKED}, which appears as an app download page.

    The said site offers the app for different platforms. Instead of the actual Bad Piggies app, users download a malicious .APK file detected as ANDROIDOS_FAKEINST.A. Once installed, it creates a shortcut on the device’s home screen and sends SMS messages to specific numbers. As mentioned, these messages are sent without user consent and may leave users paying extra for something they didn’t authorize.



    Some of the apps discussed in this blog entry were developed with an older adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to include such opt-in provisions, in order to comply with Google’s developer policies; apps that use this newer version are no longer considered high-risk.

    More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.

    We uncovered four Android mobile apps on Google Play and certain third-party app stores which, when installed, gain access to specific device information that can be used without users’ consent and may lead to data leakage. One of these apps has already been removed from Google Play but remains available on third-party stores. These apps are crafted to take advantage of the upcoming 2012 US Presidential Election and its two candidates, Mitt Romney and Barack Obama. Users can download these apps for free.

    The first app, called “Obama vs Romney”, is an ANDROIDOS_AIRPUSH variant that was found to connect to a mobile ad network site. The app’s description page also indicates that it may contain ad notifications. We found that this app has more than 300 downloads from third-party stores and an estimated 500-1000 downloads from Google Play so far.

    This app was designed as a polling service in which users can choose between the two candidates. It is supposed to display an overall result of the poll immediately. However, during our testing, it ended up showing the message “you probably want to start clicking as soon as possible”. This particular app also displays potentially annoying ads, served from the ad network, outside of the app itself.

    It also requests the ACCESS_COARSE_LOCATION permission, among others, which grants it access to information that includes the device’s GPS location.


    We were alerted to a scam that is currently found on Facebook. It’s worth noting that this scam uses the name of the mobile messaging app WhatsApp. Users may encounter this scam via Facebook notification requests or contacts’ “Likes”.

    The scam takes off like a typical scam: users are redirected to a fake WhatsApp Facebook page that requires users’ permissions. Once the app’s permission request is granted, it displays other Facebook users, usually the victims’ own contacts, who are supposedly using the WhatsApp app.

    Interestingly, users are led to a user agreement page that appears to target mobile users. The page contains icons of different mobile device OSes to appear legitimate.

    When users agree and give permission to the said app, they are then led to different pages, which vary depending on the victim’s location. Users located in countries such as the United States, Australia, New Zealand, Germany, and Great Britain are led to a fake Starbucks gift card page. Those who are not located in any of these countries are led to a different page containing an image.

    We have previously reported fake Android app pages that spoof popular mobile apps like Instagram, Farm Frenzy, and Angry Birds Space. This new scam suggests that it won’t be long before we see links to fake Android apps spreading on Facebook.

    Trend Micro protects users from this threat via the Smart Protection Network™, preventing access to the survey scam sites. Because of its more than 900 million users, Facebook is a natural target of scams such as this one. To learn more about how to protect yourself from these threats, in particular survey scams, you may read our FAQ entry Survey Scams Aimed at Social Networking Netizens.

    Update as of August 23, 2012 10:47 AM, PST

    We also spotted an app on Facebook named Whatsapp Messenger, which can access a user’s friends’ contact information. Upon checking, it leads to another fake app named Temple Run V.2 for Facebook. When the user clicks on play, it automatically sends requests to the affected Facebook user’s friends list, thus spreading the scam. Trend Micro already blocks this threat.
