    Author Archive - Veo Zhang (Mobile Threats Analyst)

    A new breed of cybercriminals has surfaced in China. They are bolder and more reckless than their more experienced veteran counterparts. All born in the 90s, these neophytes are not afraid to get caught, carelessly leaving a trail of traceable contact details online. They find and share readily available code and use those to make their own malware. It’s these same teens that are causing a surge in mobile ransomware in the Chinese underground market.

    A younger mobile ransomware landscape

    These young cybercriminals’ reckless foray into cybercrime was probably emboldened by the weak enforcement of existing local laws and—highly likely—teen bravado.

    We first noticed these cybercriminal upstarts while monitoring a particular Android ransomware, ANDROIDOS_JIANMO.HAT. This variant makes it impossible for a user to access his device since it locks the screen, restricting any kind of user activity.

    Going underground, we found that there are more than a thousand variants of this malware. About 250 of these contained information about the malware creator, including their contact details and their ages, which range from 16 to 21.

    Figure 1. QQ (Chinese messaging service) account profiles of the malware creators, including age (last row)

    Examining these variants, it became apparent that they all came from a single source code that was widely distributed in underground forums. In the image below, we can see the two versions of the ransomware lock screen. The original version on the left has text fields with jokes. The modified version on the right contains the information ransomware victims can use to contact their extortionist. In this case, the extortionist left a QQ group account.

    Figure 2. The malware on the right contains a message (in red) that coyly states “If you want to unlock it, do not contact QQ group account [number]”

    It’s possible that the original was simply a prototype since it didn’t contain any information regarding payment. But after the code was distributed in the underground, it became the foundation for ransomware variants. All that was left for the teen cybercriminals to do was to input their contact details.

    Currently, these cybercriminals are demanding payments that range from US$5-10. While it might seem cheap compared to other ransomware variants, it’s highly possible that they will demand more in the future. It’s also possible that they don’t demand as much because they have a lot of victims.

    Spreading the infection

    As we’ve previously noted, the Chinese cybercriminal underground offers several training services. So-called masters train interested apprentices, passing on their knowledge of hacking and the like. These teens follow the same setup. On top of their ransomware activities, they also offer tutorial services.

    Figure 3. Forum post advertising malware tutorials

    These cybercriminals rely on two methods to distribute their malware. First, they lurk in public forums, looking for posts about app recommendations. Should anyone request app recommendations, they proceed to post links pointing to the malware. These malware tutors can also make their apprentices distribute the malware in lieu of a “tuition fee.”

    Figure 4. Distributing malware through app recommendations

    We looked into some individuals who have entered into this type of venture. The first is one of the earliest recorded makers of the JIANMO malware, a 19-year-old teen from China. From the JIANMO malware, he has since moved on to other ransomware. This newer malware of his, detected as ANDROIDOS_BZY.HBT, offers more features like a device administrator lock, effectively controlling the device. The victims will only receive a text message with unlocking details once they pay. We have noticed hundreds of online posts asking for help cleaning it.

    Figure 5. QQ profile of 19-year old ransomware creator, containing a signature that says “providing remote unlock support” (top) and his latest malware, disguised as “Android Performance Booster” (bottom)

    We found another malware creator with a similar business. This creator heads a group of apprentices that he tutors and uses for distributing malware. The figure below is the QQ profile of the group. It contains information like the fact that the group is based in Xi’an, China. It also contains a breakdown of information regarding its members. For example, 79% of the members are male, 6% are in Xi’an, and 62% of the members were born in the 90s.

    Figure 6. “Study group” for malware creation and distribution, where 62% of the members were born in the 90s

    Figure 7. Malware shared internally by the group

    Information made available and accessible

    As we mentioned earlier, these cybercriminals aren’t truly concerned with covering their tracks. They often use their IM accounts, like those for QQ, to contact their victims. These QQ accounts are usually their personal ones, meaning anyone can find out their real identities. Of course, it would be all too easy to fake the information posted on their QQ profiles. But given that we have seen young people involved in other cybercrime operations, having 19-year-old cybercriminals is highly plausible.

    We were even able to gain access to the email account used in the mobile ransomware we detect as ANDROIDOS_GREYWOLF.HBT. This ransomware was made by the creator of the “study group” just mentioned. It pretends to be a love declaration app, designed to lure users into downloading and running the malware. It generates a random serial number and unlock key pair and sends them back to the creator’s email. We were able to access the account because the creator embedded both the email account and the password in the malware.

    Figure 8. Ransomware serial number and unlock code sent from victims’ device

    Figure 9. Sample transaction email with a victim

    Furthermore, these cybercriminals favor payments made via Alipay, WeChat, and bank transfers. This is a marked departure from the current trend of using cryptocurrency to cover any illegal activity.

    Security practices

    Since the start of the year, we have seen more than 20 new mobile ransomware families, with one malware now having 1,000+ versions and offshoots. For users, this translates to a bigger probability of encountering ransomware while online.

    To ensure that your downloaded apps are legitimate and not malware, you should only rely on official app stores and developers’ websites. Asking for app recommendations in forums is fine, so long as you don’t click on provided links. It’s better to search for the app itself than rely on a link posted by a stranger.

    Before downloading any app, double check its developer and read the app reviews carefully to verify the app’s legitimacy. On-device security solutions like Trend Micro Mobile Security can add a layer of protection against threats like these.

    With additional insight from Lion Gu.

    Here are the SHA1 hashes related to the mobile malware reported above:
    Posted in Malware, Mobile |

    Recently, we have noticed large numbers of repackaged Android apps showing up in Chinese app stores. While these apps pretend to be “free”, in the end they cost the users time and money: they are either shown various ads or they are subscribed to various premium SMS numbers. (Note that these apps were not found in the official Google Play store.)

    Two channels are at work here. First, foreign apps that have been localized or repackaged by Chinese companies and used for various schemes. Secondly, paid/premium apps can be repackaged by pirates to produce a “free” version that contains ads or other added code. In either case, there is a risk that the repackaged code may be malicious.

    In the first case, local Chinese companies have been contracted by the original developers to localize apps for the Chinese market. This includes translation, as well as changing payment methods to those used in the Chinese market. However, unscrupulous companies may add their own code at this stage to add advertisements and collect money from users via SMS numbers.

    These advertisements collect the user’s location, phone model, and other installed apps without explicitly getting the user’s permission. The apps may also be designed so that in some circumstances, users may “accidentally” click on the button which sends an SMS payment. Payment notices may also be intercepted, as seen in the following code:

    Figure 1. Code intercepting payment notice text messages

    In the second case, pirates (either individuals or companies) crack paid apps, add their code, and distribute them via major Chinese app stores. Using advertising and fake downloads, these repackaged apps reach the top lists of these app stores, with millions of downloads.

    Figure 2. Repackaged version of Minecraft with 52 thousand downloads per week

    These apps display multiple advertisements when they are launched, and trying to close them just leads to downloading another app with even more advertisements. We even found spyware pushed as a security app; this particular app required root privileges and, as a result, is not easy to remove. (The screenshot below shows an ad for one of these spyware apps.)

    Figure 3. Ads at app startup that lead to other risky apps

    Figure 4. App permissions requested by app installed by ad in Figure 3

    Apps being used to promote various scams are also a widespread problem. This malicious app repackaged the original Monument Valley game with an advertisement library; in addition, it randomly pushes scam messages to users, which lead them to further phone scams.

    Figure 5. Repackaged Monument Valley, with 520 thousand downloads

    This app displays advertisements via system notifications that lead to a website at hxxp:// This site contains offers for the user to purchase iPhones and other mobile devices for approximately $100 cash on delivery. The user is asked to enter his name, phone number, and shipping address. There is at least one known case where the victim was later called and asked to pay a “prepaid shipping fee.”

    Acquiring this personal information is the goal of this scam, which is detected as ANDROIDOS_SCAMAD.HBT. The user is at risk of receiving more fraudulent calls unless they change their phone number.

    Figure 6. App notification for iPhones being sold

    Figure 7. Website gathering user information

    The above screenshot shows some of the items for sale (different variants of the iPhone 5S); the next three fields are where the user would enter their personal information before clicking one of the buttons below, which would submit the information to the attacker.

    The malicious apps in this post are mostly gathered from the top app lists of some major Chinese app stores. These top lists contain many repackaged apps, which pose serious risks to users. Users – particularly those in China – should be careful about downloading these apps. Last year, we discussed the threats of repackaged apps in a white paper titled Fake Apps: Feigning Legitimacy. Trend Micro Mobile Security protects users against these threats by scanning apps that are installed onto the device.

    Posted in Malware, Mobile | Comments Off on “Free” Apps In Chinese App Stores Put Users At Risk

    We recently encountered a high-risk Android app detected as ANDROIDOS_STIP.A in Chile. This app, found distributed through forums and blogs, can be used to hack into the user’s RFID bus transit card to recharge the credits. What is the mechanism behind this, and what is the security risk of RFID payment cards in general?

    Paying via RFID cards is becoming more popular nowadays as more mobile devices add NFC support. Banks, merchants or public services issue RFID cards to their customers with prepaid credits.

    Note: The malware samples discussed below were not obtained from the Google Play Store.

    Security Issues with RFID Cards

    Because the technology is widely used, it’s no surprise that RFID cards have become the target of attacks. Take for instance the recent Tarjeta bip! card hacking incident in Chile. These cards are MIFARE-based smartcards; MIFARE refers to a family of chips widely used in contactless smart cards and proximity cards.


    Figure 1. MIFARE devices

    Looking at the code of the Android app, we found that if it runs on a device equipped with NFC, it can read and write to these cards. The malicious app writes predefined data onto the card, raising the user’s balance to 10,000 Chilean pesos (approximately 15 US dollars). This particular trick will only work with this particular fare card, since it relies on the format of the card in question.

    Posted in Mobile |

    Recently, it has been reported that apps downloaded via third-party app stores in South Korea have resulted in more than 20,000 smartphones being infected with malicious apps. Note that none of these apps were found on the official Google Play store.

    The apps involved in this attack are detected as ANDROIDOS_KRBOT.HRX. We decided to look further into this slew of infections.

    Identifying Who’s Responsible

    The cybercriminals behind these attacks are active members of underground forums dealing in pirated apps. Frequently, these are cracked versions of top gaming apps. These criminals collect these cracked apps, repackage them with malicious code, and redistribute them.

    The attackers distribute these apps via various Bittorrent sites, forums, and various third-party stores.

    Figure 1. Posts for pirated apps in underground forums

    Figure 2. Pirated app hosted on Google Drive

    Figure 3. Pirated app found on torrent websites

    Once the malicious app is run, it starts a background service, which connects to predefined mail servers.


    Figure 4. Hidden bot service

    Our investigation revealed that some of the email accounts were deserted, suggesting that this attack was no longer ongoing.


    Figure 5. Deserted email accounts

    However, new variants of this malware family are still being encountered. We soon learned that some variants have been updated with new email accounts, which were still active. These email accounts received encrypted commands from a sender with the name “Res Sou.”

    Figure 6. Encrypted control code in mail inbox

    The code in the mail can be decrypted into a socket server, http://{BLOCKED}dapp[.]ocry[.]com:50080/php/download.php:55555, and an HTTP server, http://{BLOCKED}dapp[.]ocry[.]com:50080/php/download.php. The socket server is used by the bot to get remote commands.

    The commands are as follows:

    • “register”: register with the remote server
    • “request_call_log”: upload the call log
    • “request_contact”: upload the contacts list
    • “request_file_list”: list files in device storage
    • “request_create_new_dir”: create a new directory in device storage
    • “request_file_upload”: upload files from device storage
    • “request_file_download”: download files into device storage
    • “request_item_delete”: delete files in device storage
    • “request_calendar_event”: upload calendar events
    • “request_del_message”: delete an SMS message
    • “request_send_message”: upload an SMS message
    • “request_send_all_message”: upload all SMS messages
    • “request_endcontrol”: end remote control

    Collected data are stored in /data/data/[package name]/sent_data.db. Files are meanwhile uploaded and downloaded via the HTTP server.

    Tracking Recent Activities

    From recent activities of the email accounts, we learned that the mail account was created with a Japanese IP address, and signed in from different parts of Japan. It’s likely that the cybercriminal used Japan-based proxies to hide his tracks.

    Figure 7. Recent activities of the malicious mail account

    The domain for the command-and-control server used a dynamic DNS service, with the actual server located in Kuala Lumpur, Malaysia. We found a legitimate website hosted on this server. Further investigation revealed that normal web service is not available, with no replies from the company owning the site. This suggests that this particular server might have been compromised to serve as a C&C server.

    The victims’ information was then sent to the following IP addresses:

    • 101[.]99[.]65[.]100
    • 85[.]214[.]211.47

    The servers at these addresses are located in Malaysia and Germany, respectively.

    Reviving the Bot

    We have found evidence that in addition to South Korean users, this app is now targeting Chinese users as well. We found posts in one of the biggest Chinese app forums with links to one of these pirated apps. This means that the attacks are no longer limited to South Korean users.



    Figures 8 and 9. Variants targeting Chinese users

    While the number of downloads may still be low, the fact that this was seen in Chinese forums means that the cybercriminals are expanding their net of potential victims. We advise users to avoid downloading apps from third-party app stores and to rely only on official app stores.

    We detect variants of this malware family as ANDROIDOS_KRBOT.HRX. Trend Micro Mobile Security products use the Smart Protection Network to block all related threats. We advise users to install security software on their mobile devices to secure them from malicious apps and threats.

    Posted in Malware, Mobile | Comments Off on Following the Trail of South Korean Mobile Malware

    The security of the Android platform is based on its sandbox and permission protection mechanism, which isolates each app and restricts how processes can communicate with each other. However, because it is designed to be open and incorporates other open source projects like Linux and OpenSSL, it inherits many of their features as well as their vulnerabilities.

    This means that the protection of the sandbox cannot cover every aspect of the system, and threats to Android still remain. Open ports are one potential source of vulnerabilities, and we recently found a new vulnerability in the app of a Chinese deals site, Meituan, that highlighted this problem.

    Earlier this year, Heartbleed was a notable example: apps that bundle their own vulnerable OpenSSL library to create TLS/SSL connections are at risk of leaking local memory contents. Similarly, any vulnerability in an app or external module may affect the security of the entire system.

    Linux is also a potential source of vulnerabilities. Because Android is based on the Linux kernel and still uses many native Linux APIs, Linux vulnerabilities may affect Android as well. For example, CVE-2014-3153 was used by root exploit tools like TowelRoot. Another example was CVE-2014-0196.

    Network protocol implementations in Linux are also facing security challenges. Vulnerabilities seen this year in the Linux TCP/IP stack, including CVE-2014-0100 and CVE-2014-2523, affected Android as well. These vulnerabilities, if exploited, put users at risk, as an attacker would be able to compromise their machine remotely.

    Android systems that use these network protocols insecurely may also have vulnerabilities. CVE-2011-3918 was a vulnerability in the zygote process, which allowed an attacker to launch a local denial of service via a malicious app. The cause was that the developer used the socket protocol without setting the right permissions. Similar vulnerabilities include CVE-2011-1823, CVE-2013-4777, and CVE-2013-5933. Developers need to be aware of the security risks when using these protocols, as there can be serious consequences resulting from their mistakes.

    User-installed apps may increase this risk as well. Look at the following screenshot:

    Figure 1. Apps with open ports

    The screenshot shows how many apps listen on an open TCP port, which means the device is exposed online without the benefit of a firewall. What if an app was built by a developer who wasn’t aware of the security issues? Even well-known software applications have their share of network-related vulnerabilities. As it stands, it would be better to have a firewall of some kind to protect Android users, but that is not part of the mobile OS today.
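    The listening sockets shown in the screenshot can be checked on a device without a GUI by reading /proc/net/tcp and mapping the socket owner’s UID back to a package. The script below is an added example, not code from the original post; it parses constructed samples of /proc/net/tcp and /data/system/packages.list (the package names and UIDs are made up, and the port 9517 entry mirrors the case described later in the post) and reports listeners bound to something other than a loopback address.

```python
"""Audit which Android apps hold TCP sockets reachable from the network.

Added example, not from the original post. On a device the inputs come
from `adb shell cat /proc/net/tcp` (and /proc/net/tcp6) and from
/data/system/packages.list (root needed); here both are constructed
samples so the script runs offline.
"""
import socket
import struct

TCP_LISTEN = 0x0A  # state code for LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp sample: a loopback-only listener on 8080 (0x1F90),
# a listener on all interfaces on 9517 (0x252D), and one established socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10045        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:252D 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10061        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:252D 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000 10061        0 12347 1 0000000000000000 100 0 0 10 0
"""

# Constructed packages.list sample (fields: package uid debug data_dir ...);
# the package names are hypothetical.
SAMPLE_PACKAGES_LIST = """\
com.example.localonly 10045 0 /data/data/com.example.localonly default none
com.example.dealsapp 10061 0 /data/data/com.example.dealsapp default none
"""


def _decode_ipv4(hex_ip):
    # /proc/net/tcp prints the IPv4 address as a little-endian 32-bit word
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))


def _decode_ipv6(hex_ip):
    # /proc/net/tcp6 prints the address as four little-endian 32-bit words
    words = [struct.pack("<I", int(hex_ip[i:i + 8], 16)) for i in range(0, 32, 8)]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words))


def parse_listeners(proc_net_tcp_text):
    """Return [(address, port, uid)] for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        addr = _decode_ipv6(hex_ip) if len(hex_ip) == 32 else _decode_ipv4(hex_ip)
        listeners.append((addr, int(hex_port, 16), int(fields[7])))
    return listeners


def parse_packages_list(text):
    """Map UID -> package name from /data/system/packages.list."""
    uid_to_pkg = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            uid_to_pkg[int(parts[1])] = parts[0]
    return uid_to_pkg


def exposed_listeners(proc_net_tcp_text, packages_text):
    """Return [(package, address, port)] for listeners not bound to loopback.

    UIDs with no package entry (system daemons) are reported as 'uid:<n>'.
    """
    uid_to_pkg = parse_packages_list(packages_text)
    result = []
    for addr, port, uid in parse_listeners(proc_net_tcp_text):
        if addr in ("127.0.0.1", "::1") or addr.startswith("::ffff:127."):
            continue  # only reachable from the device itself
        result.append((uid_to_pkg.get(uid, "uid:%d" % uid), addr, port))
    return result


if __name__ == "__main__":
    for pkg, addr, port in exposed_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_PACKAGES_LIST):
        print("%s listens on %s:%d (reachable from the network)" % (pkg, addr, port))
```

    A listener bound to 0.0.0.0 or :: is reachable from any network the device joins, which is exactly the exposure a firewall would otherwise block.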

    These kinds of vulnerabilities do exist on Android. We found a vulnerability in the Android app of Meituan, a Chinese site similar to Groupon. It affects versions of the Meituan app below 4.6.0. Vulnerable versions of this app listen on TCP port 9517, which allows the app to receive messages from a server. However, because it does not authenticate the sender, any machine on the Internet can trigger a command on the phone.

    The code snippet responsible for the vulnerability is below:

    Figure 2. Vulnerable app code

    It parses the received TCP data in a certain format and then sends android.intent.action.VIEW with the “intent” in the received data. Using this vulnerability, an attacker can send large numbers of messages using your phone to a fraudulent number, or open phishing websites.

    If your Android version is older than 4.0.4, the USSD vulnerability may also be triggered by this problem. This means that your phone may even be remotely wiped by an attacker!

    We are looking forward to enhancements to Android security like SELinux, Storage Access Framework, and Device Administration. However, there are still many unprotected parts of the Android system. These network vulnerabilities will be a significant problem moving forward.

    We disclosed this vulnerability to Meituan on June 3 of this year, and the vendor confirmed it to us on the same day. A fix was issued to users two days later on June 5, with version 4.6.1 of the app. Trend Micro and Meituan worked together on the solution, and we mutually agreed to disclose details of this vulnerability at this time.

    Posted in Mobile, Vulnerabilities | Comments Off on Open Socket Poses Risks To Android Security Model
