TrendLabs Malware Blog - Trend Micro

    Author Archive - Veo Zhang (Mobile Threats Analyst)

    Following news that iOS devices are at risk of spyware related to the Hacking Team, the saga continues into the Android sphere. We found that among the leaked files is the code for Hacking Team’s open-source malware suite RCSAndroid (Remote Control System Android), which was sold by the company as a tool for monitoring targets. (Researchers have been aware of this suite as early as 2014.)

    The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed. The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations.

    Based on the leaked code, the RCSAndroid app can do the following intrusive routines to spy on targets:

    • Capture screenshots using the “screencap” command and framebuffer direct reading
    • Monitor clipboard content
    • Collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn
    • Record using the microphone
    • Collect SMS, MMS, and Gmail messages
    • Record location
    • Gather device information
    • Capture photos using the front and back cameras
    • Collect contacts and decode messages from IM accounts, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.
    • Capture real-time voice calls in any network or app by hooking into the “mediaserver” system service

    RCSAndroid in the Wild

    Our analysis reveals that this RCSAndroid (AndroidOS_RCSAgent.HRX) has been in the wild since 2012. Traces of its previous uses in the wild were found inside the configuration file:

    • It was configured to use a command-and-control (C&C) server in the United States; however, the server was bought from a hosting service provider and is now unavailable.

    Figure 1. C&C host in configuration file

    • It was configured to activate via SMS sent from a Czech Republic number. Attackers can send SMS with certain messages to activate the agent and trigger the corresponding action. This can also define what kind of evidence to collect.

    Figure 2. Czech phone number in configuration file

    • Based on emails leaked in the dump, a number of Czech firms appear to be in business with Hacking Team, including a major IT partner in the Olympic Games.

    Figure 3. Upgrading support for a Czech customer

    Dropping Cluster Bombs

    RCSAndroid is a threat that works like a cluster bomb in that it deploys multiple dangerous exploits and uses various techniques to easily infect Android devices. While analyzing the code, we found that the whole system consists of four critical components, as follows:

    1. penetration solutions, ways to get inside the device, either via SMS/email or a legitimate app
    2. low-level native code, advanced exploits and spy tools beyond Android’s security framework
    3. high-level Java agent – the app’s malicious APK
    4. command-and-control (C&C) servers, used to remotely send/receive malicious commands

    Attackers use two methods to get targets to download RCSAndroid.

    The first method is to send a specially crafted URL to the target via SMS or email. The URL will trigger exploits for arbitrary memory read (CVE-2012-2825) and heap buffer overflow (CVE-2012-2871) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean, allowing another local privilege escalation exploit to execute. When root privilege is gained, a shell backdoor and the malicious RCSAndroid agent APK file will be installed.

    Figure 4. Remote exploits demonstrated for customers in leaked mails

    The second method is to use a stealthy backdoor app such as ANDROIDOS_HTBENEWS.A, which was designed to bypass Google Play.

    The role of ANDROIDOS_HTBENEWS.A and the malicious APK mentioned in the first method is to exploit a local privilege escalation vulnerability in Android devices. Hacking Team has been known to use both CVE-2014-3153 and CVE-2013-6282 in their attacks. The said exploits will root the device and install a shell backdoor.

    Figure 5. Commands list of shell backdoor

    The shell backdoor then installs the RCSAndroid agent. This agent has two core modules, the Evidence Collector and the Event Action Trigger.

    • The Evidence Collector module is responsible for the spying routines outlined above. One of its most notable routines is capturing voice calls in real time by hooking into the “mediaserver” system service. The basic idea is to hook the voice call process in mediaserver.
      • Take the voice call playback process for example. The mediaserver first builds a new unique track, starts playing the track, loops over all audio buffers, and finally stops the playback. The raw wave audio buffer frame can be dumped in the getNextBuffer() function. With the help of the open-source Android Dynamic Binary Instrumentation Toolkit and root privilege, it is possible to intercept any function execution.

    Figure 6. Timing in voice call playback to hook

    • The Event Action Trigger module triggers malicious actions based on certain events. These events can be based on time, charging or battery status, location, connectivity, running apps, focused app, SIM card status, SMS received with keywords, and screen turning on.
      • According to the configuration pattern, these actions are registered to certain events:
        1. Sync configuration data, upgrade modules, and download new payload (This uses transport protocol ZProtocol encrypted by AES/CBC/PKCS5Padding algorithm to communicate with the C&C server.)
        2. Upload and purge collected evidence
        3. Destroy device by resetting locking password
        4. Execute shell commands
        5. Send SMS with defined content or location
        6. Disable network
        7. Disable root
        8. Uninstall bot
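    The real-time call capture described above depends on a hooking library being loaded into the mediaserver process with root privilege. One defender-side check for that condition is to inspect the process's memory mappings and flag any shared object that does not come from a trusted system location. The following Python script is an added example, not code from the post or from the leaked suite; the maps excerpt it scans is constructed, and the trusted-directory list and the library name libhook.so are assumptions for illustration.

```python
"""Flag non-system shared objects mapped into a process such as mediaserver.

Added example, not code from the Trend Micro post. It reads text in the
/proc/<pid>/maps format (here a constructed sample) and reports any mapped
.so file that does not live under a trusted system directory. A hooking
library injected by a dynamic instrumentation toolkit running as root
typically shows up as a mapping from /data or another writable path.
"""
import re
from typing import List

# Directories a stock Android mediaserver legitimately loads libraries from
# (assumed trusted set for this example).
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/apex/", "/dev/")

# address range, permissions, offset, device, inode, optional path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)


def suspicious_mappings(maps_text: str) -> List[str]:
    """Return paths of mapped .so files that come from untrusted locations."""
    found: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if not path.endswith(".so"):
            continue  # anonymous mappings, stacks, heaps, etc.
        if not path.startswith(TRUSTED_PREFIXES) and path not in found:
            found.append(path)
    return found


# Constructed sample: a short excerpt in /proc/<pid>/maps format, with one
# library mapped from a writable location (the assumed injected hook).
SAMPLE_MAPS = """\
b6f00000-b6f80000 r-xp 00000000 b3:19 1234   /system/lib/libaudioflinger.so
b6f80000-b6f90000 r--p 00080000 b3:19 1234   /system/lib/libaudioflinger.so
b7000000-b7010000 r-xp 00000000 b3:19 2345   /system/lib/libmedia.so
b7100000-b7105000 r-xp 00000000 b3:1a 9876   /data/local/tmp/libhook.so
b7200000-b7300000 rw-p 00000000 00:00 0      [anon:libc_malloc]
b7400000-b7401000 r-xp 00000000 00:00 0
"""

if __name__ == "__main__":
    for p in suspicious_mappings(SAMPLE_MAPS):
        print("untrusted library mapped:", p)
```

    On a real device the input would be the contents of /proc/<pid>/maps for the mediaserver process, which itself requires root or a debuggable build to read; the check is a heuristic, since a hook could also be placed in an anonymous mapping, so an empty result is not proof of a clean process.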

    To avoid detection and removal of the agent app in the device memory, the RCSAndroid suite also detects emulators or sandboxes, obfuscates code using DexGuard, uses ELF string obfuscator, and adjusts the OOM (out-of-memory) value. Interestingly, one unused feature of the app is its ability to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon.


    Popular mobile platforms like Android are common targets for organized or commercialized monitoring operations. Attackers know that rooting devices via malware exploits is an effective means to control devices and gather information from them. Once a device has been rooted, security is a fairy tale.

    Take note of the following best practices to prevent this threat from getting in your device:

    • Disable app installations from unknown, third-party sources.
    • Constantly update your Android devices to the latest version to help prevent exploits, especially in the case of RCSAndroid, which can affect only versions up to 4.4.4 KitKat. Note, however, that based on a leaked mail from a customer inquiry, Hacking Team was in the process of developing exploits for Android 5.0 Lollipop.
    • Install a mobile security solution to secure your device from threats.

    The leaked RCSAndroid code is a commercial weapon now in the wild. Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.

    Should a device become infected, this backdoor cannot be removed without root privilege. Users may need the help of their device manufacturer to get support for firmware flashing.

    Trend Micro offers security for Android mobile devices through Mobile Security for Android™ to protect against these types of attacks. Find out more about the 7 Android Security Hacks You Need to Do Right Now to keep your mobile data safe.

    Update as of July 23, 2015 1:00 AM PDT (UTC-7)

    We have added a link to a previous report discussing this threat.

    Timeline of posts related to the Hacking Team

    July 5 The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public.
    July 7 Three exploits – two for Flash Player and one for the Windows kernel – were initially found in the information dump. One of these (CVE-2015-5119) was a Flash zero-day. The Windows kernel vulnerability (CVE-2015-2387) existed in the OpenType font manager module (ATMFD.dll) and can be exploited to bypass the sandbox mitigation mechanism. The Flash zero-day exploit (CVE-2015-5119) was added into the Angler Exploit Kit and Nuclear Exploit Pack. It was also used in limited attacks in Korea and Japan.
    July 11 Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the Hacking Team dump.
    July 13 Further analysis of the Hacking Team dump revealed that the company used a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems.
    July 14 A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer.
    July 16 On the mobile front, a fake news app designed to bypass Google Play was discovered.
    July 20 A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch.
    July 21 Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in.
    July 28 A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team.


    Posted in Mobile |

    A new breed of cybercriminals has surfaced in China. They are bolder and more reckless than their more experienced veteran counterparts. All born in the 90s, these neophytes are not afraid to get caught, carelessly leaving a trail of traceable contact details online. They find and share readily available code and use those to make their own malware. It’s these same teens that are causing a surge in mobile ransomware in the Chinese underground market.

    A younger mobile ransomware landscape

    These young cybercriminals’ reckless foray into cybercrime was probably emboldened by the weak enforcement of existing local laws and—highly likely—teen bravado.

    We first noticed these cybercriminal upstarts while monitoring a particular Android ransomware, ANDROIDOS_JIANMO.HAT. This variant makes it impossible for a user to access his device since it locks the screen, restricting any kind of user activity.

    Going underground, we found that there are more than a thousand variants of this malware. About 250 of these contained information about the malware creator, including their contact details and their ages, which range from 16 to 21.

    Figure 1. QQ (Chinese messaging service) account profiles of the malware creators, including age (last row)

    Examining these variants, it became apparent that they all came from a single source code that was widely distributed in underground forums. In the image below, we can see the two versions of the ransomware lock screen. The original version on the left has text fields with jokes. The modified version on the right contains the information ransomware victims can use to contact their extortionist. In this case, the extortionist left a QQ group account.

    Figure 2. The malware on the right contains a message (in red) that coyly states “If you want to unlock it, do not contact QQ group account [number]”

    It’s possible that the original was simply a prototype since it didn’t contain any information regarding payment. But after the code was distributed in the underground, it became the foundation for ransomware variants. All that was left for the teen cybercriminals to do was to input their contact details.

    Currently, these cybercriminals are demanding payments that range from US$5-10. While it might seem cheap compared to other ransomware variants, it’s highly possible that they can demand more in the future. It’s also possible that they don’t demand as much since they have a lot of victims.

    Spreading the infection

    As we’ve previously noted, the Chinese cybercriminal underground offers several training services. So-called masters can train interested apprentices so they can pass on their knowledge of hacking and the like. These teens follow the same setup. On top of their ransomware activities, they also offer tutorial services.

    Figure 3. Forum post advertising malware tutorials

    These cybercriminals rely on two methods to distribute their malware. First, they lurk in public forums, looking for posts about app recommendations. Should anyone request app recommendations, they’d proceed with posting links pointing to the malware. These malware tutors can also make their apprentices distribute the malware in lieu of a “tuition fee.”

    Figure 4. Distributing malware through app recommendations

    We looked into some individuals who have entered into this type of venture. The first is one of the earliest recorded makers of the JIANMO malware, a 19-year-old teen from China. From the JIANMO malware, he has since moved on to other ransomware. This newer malware of his, detected as ANDROIDOS_BZY.HBT, offers more features like a device administrator lock, effectively controlling the device. The victims will only receive a text message with unlocking details once they pay. We have noticed hundreds of online posts asking for help cleaning it.

    Figure 5. QQ profile of 19-year old ransomware creator, containing a signature that says “providing remote unlock support” (top) and his latest malware, disguised as “Android Performance Booster” (bottom)

    We found another malware creator with a similar business. This creator heads a group of apprentices that he tutors and uses for distributing malware. The figure below is the QQ profile of the group. It contains information like the fact that the group is based in Xi’an, China. It also contains a breakdown of information regarding its members. For example, 79% of the members are male, 6% are in Xi’an, and 62% of the members were born in the 90s.

    Figure 6. “Study group” for malware creation and distribution, where 62% of the members were born in the 90s

    Figure 7. Malware shared internally by the group

    Information made available and accessible

    As we mentioned earlier, these cybercriminals aren’t truly concerned with covering their tracks. They often use their IM accounts like those for QQ to contact their victims. These QQ accounts are usually their personal ones, meaning anyone can find out their real identities. Of course, it would be all too easy to fake the information posted on their QQ profiles. But given that we have seen young people involved in other cybercrime operations, having 19-year-old cybercriminals is highly plausible.

    We were even able to gain access to the email account used in the mobile ransomware we detect as ANDROIDOS_GREYWOLF.HBT. This ransomware was made by the creator of the “study group” just mentioned. It pretends to be a love declaration app, designed to lure users into downloading and running the malware. It generates a random serial number and unlock key pair, and sends them back to the creator’s email. We were able to do so because the creator embedded both the email account and the password in the malware.

    Figure 8. Ransomware serial number and unlock code sent from victims’ device

    Figure 9. Sample transaction email with a victim
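    The embedded mail account and password described above are the kind of artifact a triage script can surface directly from the APK's strings, before any decompilation. The following Python script is an added example, not code from the post or from the ransomware it describes: it opens an APK (a zip file), scans the dex and text-like members for e-mail addresses, mail server hostnames and property names that commonly sit beside a hardcoded mail password, and reports what it finds. The sample APK it builds in memory is constructed, and the addresses, hostnames and property names in it are placeholders.

```python
"""String triage of an APK for hardcoded mail credentials.

Added example, not the post's or the malware author's code. Dex string data
is MUTF-8, which is byte-identical to ASCII for the characters that matter
here, so plain byte regexes over the raw members are enough for a first pass.
"""
import io
import re
import zipfile
from typing import Dict, List

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
MAIL_HOST_RE = re.compile(rb"\b(?:smtp|imap|pop3?)\.[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b")
# Property names that typically sit next to a hardcoded mail password
# (JavaMail-style keys; assumed list for this example).
PASSWORD_HINT_RE = re.compile(rb"(?i)(?:mail\.smtp\.password|smtp_pass(?:word)?|mail_password)")

# Members worth scanning: code plus any bundled configuration or text assets.
SCAN_MEMBERS = (".dex", ".properties", ".json", ".xml", ".txt")


def find_mail_indicators(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Return e-mail addresses, mail hosts and files with password-like keys."""
    emails, hosts, hints = set(), set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.endswith(SCAN_MEMBERS):
                continue
            data = apk.read(info)
            emails.update(m.decode("ascii", "replace") for m in EMAIL_RE.findall(data))
            hosts.update(m.decode("ascii", "replace") for m in MAIL_HOST_RE.findall(data))
            if PASSWORD_HINT_RE.search(data):
                hints.add(info.filename)
    return {
        "emails": sorted(emails),
        "mail_hosts": sorted(hosts),
        "password_hint_files": sorted(hints),
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for a malicious APK: a zip with a fake classes.dex.

    The dex body is not a valid dex file, only a byte blob that carries the
    kind of length-prefixed strings a real string table would contain.
    """
    fake_dex = (
        b"dex\n035\x00" + b"\x00" * 32
        + b"\x0email.smtp.host\x00\x10smtp.example.net\x00"
        + b"\x14attacker@example.net\x00\x12mail.smtp.password\x00\x08s3cret!!\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", fake_dex)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for key, values in find_mail_indicators(build_sample_apk()).items():
        print(key, values)
```

    A hit on all three lists (an address, an SMTP host and a password-style key in the same member) is a strong hint that the app talks to a mail account whose credentials ship with it, which is exactly how the account in this case became reachable; the regexes are deliberately loose, so treat the output as a lead for a reviewer rather than a verdict.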

    Furthermore, these cybercriminals favor payments made via Alipay, WeChat, and bank transfers. This is a marked departure from the current trend of using cryptocurrency to cover any illegal activity.

    Security practices

    Since the start of the year, we have seen more than 20 new mobile ransomware families, with one malware now having 1,000+ versions and offshoots. For users, this translates to a bigger probability of encountering ransomware while online.

    To ensure that your downloaded apps are legitimate and not malware, you should only rely on official app stores and developers’ websites. Asking for app recommendations in forums is fine, so long as you don’t click on provided links. It’s better to search for the app itself than rely on a link posted by a stranger.

    Before downloading any app, double check its developer and read the app reviews carefully to verify the app’s legitimacy. On-device security solutions like Trend Micro Mobile Security can add a layer of protection against threats like these.

    With additional insight from Lion Gu.

    Here are the SHA1 hashes related to the mobile malware reported above:

    • 6828d9e301b190c5bbf7b6c92627ebf45a898f0f
    • b2c1b0738fbfb21c1905322d434c5958be889e73
    • c600fc7b3828f2dbbbac46a290390a50c0c605f9
    • d0af92d32f35ea6ce10bbab5e350cbccc1360f86

    • 007830d17abf70b4e5d2194f3aa1a628cb4a70f2
    • f3c1cf6b96c1eb92f43dda545575d2b4a15af6a7

    • 3d0e995d4a795ab4c59b4285f62c4c4585c11fa6
    • 4da1062ededceb523a886690515b48167b608753
    • 65c66561ad8b5c719d6a9b6df6d9025048a8057b

    Posted in Malware, Mobile |

    Recently, we have noticed large numbers of repackaged Android apps showing up in Chinese app stores. While these apps pretend to be “free”, in the end they cost the users time and money: they are either shown various ads or they are subscribed to various premium SMS numbers. (Note that these apps were not found in the official Google Play store.)

    Two channels are at work here. First, foreign apps that have been localized or repackaged by Chinese companies and used for various schemes. Secondly, paid/premium apps can be repackaged by pirates to produce a “free” version that contains ads or other added code. In either case, there is a risk that the repackaged code may be malicious.

    In the first case, local Chinese companies have been contracted by the original developers to localize apps for the Chinese market. This includes translation, as well as changing payment methods to those used in the Chinese market. However, unscrupulous companies may add their own code at this stage to add advertisements and collect money from users via SMS numbers.

    These advertisements collect the user’s location, phone model, and other installed apps without explicitly getting the user’s permission. The apps may also be designed so that in some circumstances, users may “accidentally” click on the button which sends an SMS payment. Payment notices may also be intercepted, as seen in the following code:

    Figure 1. Code intercepting payment notice text messages
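    Intercepting payment notices of this kind relies on a broadcast receiver that registers for incoming SMS with a high priority, so it runs before the user's messaging app and can consume the message. The following Python script is an added example, not code from the post or from the repackaged apps it analyses: it performs a static check of a decoded AndroidManifest.xml for that pattern together with the SMS permissions that interception and premium-SMS billing need. The manifest it checks is constructed; the package and receiver names in it and the priority threshold are assumptions for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for SMS-interception traits.

Added example, not the post's or the apps' code. It flags a receiver that
listens for SMS_RECEIVED with a high intent-filter priority, and reports the
SMS permissions the app requests, so an analyst can see at a glance whether
an app is positioned to read or swallow payment confirmations.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Threshold above which a receiver outranks typical messaging apps
# (assumed cut-off for this example).
HIGH_PRIORITY = 999


def android_attr(attr: str) -> str:
    """Namespaced key for an android:<attr> attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Summarise SMS-related permissions and high-priority SMS receivers."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)

    high_priority_receivers: List[str] = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {act.get(android_attr("name")) for act in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            priority = int(flt.get(android_attr("priority"), "0"))
            if priority >= HIGH_PRIORITY:
                high_priority_receivers.append(receiver.get(android_attr("name")))

    return {
        "sms_permissions": sms_perms,
        "high_priority_sms_receivers": high_priority_receivers,
        # Interception plus the ability to send is the combination behind
        # premium-SMS billing abuse described in the post.
        "suspicious": bool(high_priority_receivers)
        and "android.permission.SEND_SMS" in perms,
    }


# Constructed sample manifest (placeholder package and class names).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".PayNoticeReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

    The manifest inside an APK is binary-encoded, so this runs on the decoded XML produced by an APK decoding tool; a legitimate messaging app will also match the receiver check, which is why the result pairs it with the permission set rather than treating the receiver alone as malicious.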

    In the second case, pirates (either individuals or companies) crack paid apps, add their code, and distribute them via major Chinese app stores. Using commercials and fake downloads, these repackaged apps reach the top lists of these app stores, with millions of downloads.

    Figure 2. Repackaged version of Minecraft with 52 thousand downloads per week

    These apps display multiple advertisements when they are launched, and trying to close them just leads to downloading another app with even more advertisements. We even found spyware pushed as a security app; this particular app required root privileges, and as a result it is not easy to remove. (The screenshot below shows an ad for one of these spyware apps.)

    Figure 3. Ads at app startup that lead to other risky apps

    Figure 4. App permissions requested by app installed by ad in Figure 3

    Apps being used to promote various scams are also a widespread problem. This malicious app repackaged the original Monument Valley game with an advertisement library; in addition, it randomly pushes scam messages to users, which lead them to further phone scams.

    Figure 5. Repackaged Monument Valley, with 520 thousand downloads

    This app displays advertisements via system notifications that lead to a website at hxxp:// This site contains offers for the user to purchase iPhones and other mobile devices for approximately $100 cash on delivery. The user is asked to enter his name, phone number, and shipping address. There is at least one known case where the victim was later called and asked to pay a “prepaid shipping fee.”

    Acquiring this personal information is the goal of this scam, which is detected as ANDROIDOS_SCAMAD.HBT. The user is at risk of receiving more fraudulent calls unless they change their phone number.

    Figure 6. App notification for iPhones being sold

    Figure 7. Website gathering user information

    The above screenshot shows some of the items for sale (different variants of the iPhone 5S); the next three fields are where the user would enter their personal information before clicking one of the buttons below, which would submit the information to the attacker.

    The malicious apps in this post are mostly gathered from the top app lists of some major Chinese app stores. These top lists contain many repackaged apps, which pose serious risks to users. Users – particularly those in China – should be careful about downloading these apps. Last year, we discussed the threats of repackaged apps in a white paper titled Fake Apps: Feigning Legitimacy. Trend Micro Mobile Security protects users against these threats by scanning apps that are installed onto the device.

    Posted in Malware, Mobile |

    We recently encountered a high-risk Android app detected as ANDROIDOS_STIP.A in Chile. This app, found distributed through forums and blogs, can be used to hack into the user’s RFID bus transit card to recharge the credits. What is the mechanism behind this, and what is the security risk of RFID payment cards in general?

    Paying via RFID cards is becoming more popular nowadays as more mobile devices add NFC support. Banks, merchants or public services issue RFID cards to their customers with prepaid credits.

    Note: The malware samples discussed below were not obtained from the Google Play Store.

    Security Issues with RFID Cards

    Because they are widely used, it’s no surprise that RFID cards have become targeted by attacks. Take for instance the recent Tarjeta bip! card hacking incident in Chile. These cards are MIFARE-based smartcards; MIFARE refers to a family of chips widely used in contactless smart cards and proximity cards.


    Figure 1. MIFARE devices

    Looking at the code of the Android app, we found that if it runs on a device equipped with NFC it can read and write to these cards. The malicious app writes predefined data onto the card, raising the user’s balance to 10,000 Chilean pesos (approximately 15 US dollars). This particular trick will only work with this particular fare card, since it relies on the format of the card in question.

    Posted in Mobile |

    Recently, it has been reported that apps downloaded via third-party app stores in South Korea have resulted in more than 20,000 smartphones being infected with malicious apps. Note that none of these apps were found on the official Google Play store.

    The apps involved in this attack are detected as ANDROIDOS_KRBOT.HRX. We decided to look further into this slew of infections.

    Identifying Who’s Responsible

    The cybercriminals behind these attacks are active members of underground forums involving pirated apps. Frequently, these are cracked versions of top gaming apps. These criminals collect these cracked apps, repackage them with malicious code, and redistribute them.

    The attackers distribute these apps via various BitTorrent sites, forums, and third-party stores.

    Figure 1. Posts for pirated app in underground forum

    Figure 2. Pirated app hosted on Google Drive

    Figure 3. Pirated app found in torrent websites

    Once the malicious app is run, it starts a background service, which connects to predefined mail servers.


    Figure 4. Hidden bot service

    Our investigation revealed that some of the email accounts were deserted, suggesting that this attack was no longer ongoing.


    Figure 5. Deserted email accounts

    However, new variants of this malware family are still being encountered. We soon learned that some variants have been updated with new email accounts, which were still active. These email accounts received encrypted commands from a sender with the name “Res Sou.”

    Figure 6. Encrypted control code in mail inbox

    The code in the mail can be decrypted into a socket server, http://{BLOCKED}dapp[.]ocry[.]com:50080/php/download.php:55555, and an HTTP server, http://{BLOCKED}dapp[.]ocry[.]com:50080/php/download.php. The socket server is used by the bot to get remote commands.

    The commands are as follows:

    • “register”: register to the remote server
    • “request_call_log”: request the call log
    • “request_contact”: request the contacts list
    • “request_file_list”: list files in device storage
    • “request_create_new_dir”: create a new directory in device storage
    • “request_file_upload”: upload files from device storage
    • “request_file_download”: download files into device storage
    • “request_item_delete”: delete files in device storage
    • “request_calendar_event”: upload calendar events
    • “request_del_message”: delete an SMS message
    • “request_send_message”: upload an SMS message
    • “request_send_all_message”: upload all SMS messages
    • “request_endcontrol”: end remote control

    Collected data are stored in /data/data/[package name]/sent_data.db. Files are meanwhile uploaded and downloaded via the HTTP server.

    Tracking Recent Activities

    From recent activities of the email accounts, we learned that the mail account was created with a Japanese IP address, and signed in from different parts of Japan. It’s likely that the cybercriminal used Japan-based proxies to hide his tracks.

    Figure 7. Recent activities of the malicious mail account

    The domain for the command-and-control server used a dynamic DNS service, with the actual server located in Kuala Lumpur, Malaysia. We found a legitimate website hosted on this server. Further investigation revealed that normal web service is not available, with no replies from the company owning the site. This suggests that this particular server might have been compromised to serve as a C&C server.

    The victims’ information was then sent to the following IP addresses:

    • 101[.]99[.]65[.]100
    • 85[.]214[.]211[.]47

    The servers at these addresses are located in Malaysia and Germany, respectively.
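    The two exfiltration addresses above and the ports named with the C&C servers are the indicators a network defender would want to sweep connection logs for. The following Python script is an added example, not code from the post: it refangs the indicators as printed here and scans connection-log lines for them. The log format and the log lines are constructed; the C&C hostname is redacted in the post, so only its ports are used, and a port-only match is reported as a weaker signal than an address match.

```python
"""Refang the indicators from the KRBOT write-up and sweep connection logs.

Added example, not the post's code. IP addresses are the two the post lists
(defanged as printed); the ports are the ones the post gives with the socket
and HTTP servers. The log lines and their format are constructed.
"""
import re
from typing import Dict, List

# Indicators exactly as printed in the post, in defanged form.
DEFANGED_IPS = ["101[.]99[.]65[.]100", "85[.]214[.]211.47"]
# Ports the post associates with the socket server and the HTTP server.
C2_PORTS = {"50080", "55555"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.], (.)) back into its literal form."""
    return (
        indicator.replace("[.]", ".")
        .replace("(.)", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
    )


# Constructed log layout: "... dst=<ip>:<port> ...".
LOG_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line that touches a known indicator."""
    known_ips = {refang(i) for i in DEFANGED_IPS}
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = []
        if m.group("ip") in known_ips:
            reasons.append("known exfiltration address")
        if m.group("port") in C2_PORTS:
            reasons.append("C&C port (weak signal on its own)")
        if reasons:
            hits.append({
                "line": line,
                "ip": m.group("ip"),
                "port": m.group("port"),
                "reason": "; ".join(reasons),
            })
    return hits


# Constructed sample log lines; the non-indicator addresses are documentation
# ranges, not real hosts.
SAMPLE_LOGS = [
    "2015-03-05T10:01:02Z src=10.0.0.12:41022 dst=101.99.65.100:80 proto=tcp",
    "2015-03-05T10:01:05Z src=10.0.0.12:41023 dst=198.51.100.9:443 proto=tcp",
    "2015-03-05T10:01:09Z src=10.0.0.12:41024 dst=203.0.113.7:55555 proto=tcp",
    "2015-03-05T10:02:11Z src=10.0.0.12:41025 dst=85.214.211.47:443 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit["ip"], hit["port"], "->", hit["reason"])
```

    Because the C&C domain used a dynamic DNS service and the server itself appears to have been a compromised legitimate host, address matches should be time-bounded to the period of the campaign and confirmed against DNS logs rather than blocked indefinitely.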

    Reviving the Bot

    We have found evidence that in addition to South Korean users, this app is now targeting Chinese users as well. We found posts in one of the biggest Chinese app forums with links to one of these pirated apps. This means that the attacks are no longer limited to South Korean users.



    Figures 8 and 9. Variants targeting Chinese users

    While the number of downloads may still be low, the fact that this was seen in Chinese forums means that the cybercriminals are expanding their net of potential victims. We advise users to avoid downloading apps from third-party app stores and to rely only on official app stores.

    We detect variants of this malware family as ANDROIDOS_KRBOT.HRX. Trend Micro Mobile Security products use the Smart Protection Network to block all related threats. We advise users to install security software on their mobile devices to secure them from malicious apps and threats.

    Posted in Malware, Mobile |


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice