Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Weichao Sun (Mobile Threats Analyst)

    A key part of Anrdoid’s access control policies are permissions. To access certain resources on an Android device, applications need to request and be granted specific permissions. However, beyond those permissions specified by the operations system, an app can define its own customized permissions. Generally, this is done to protect an app’s own functions or data.

    Custom permissions like these are usually defined at either the “signature” or “signatureOrSystem” protection levels. These are defined in the Android Open Source Project (AOSP) documentation as:

    signature A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user’s explicit approval.
    signatureOrSystem A permission that the system grants only to applications that are in the Android system image or that are signed with the same certificate as the application that declared the permission. Please avoid using this option, as the signature protection level should be sufficient for most needs and works regardless of exactly where applications are installed. The signatureOrSystem permission is used for certain special situations where multiple vendors have applications built into a system image and need to share specific features explicitly because they are being built together.

    This made Android developers believe that only system applications or applications with the same signature (probably created by the same developer) can access these permissions. Because of this, additional access control may not have been implemented. That is not the case, however.

    The Android operating system keeps track of these custom permissions using only their names. Once a permission is defined, other apps cannot modify them. Suppose that a well-known app “A” defined the permission permission-A with a signature protection level in order to protect its own data. However, let’s suppose that before installing A, the user has installed a malicious app B. If B is designed to steal information from the legitimate app A, it would create permission-A before “A” has a chance to create it, and then application “B” can be granted permission-A . Once application “A” installed, “B” will have the permission to read the protected data of application “A”.

    We have found almost 10,000 apps that are at risk to this vulnerability. We are not disclosing which apps are immediately vulnerable, but a quick check we did of vulnerable apps include:

    • A popular online store leaks its online browsing history.
    • A popular chat app leaks the user’s in-app purchases.
    • A popular social network can have fake messages inserted via its app.

    Developers should not rely exclusively on the protection levels when their Activities/Receivers/Services/Providers are accessed. Several functions such as getCallingUid and getCallingPackage are provided by the operating system, and can be used to identify any apps requesting the above and implement access control as needed.

    We have informed Google’s Android security team about this issue.

    With additional analysis from Veo Zhang

    Posted in Mobile, Vulnerabilities | Comments Off on Android Custom Permissions Leak User Data

    App developers often include ads on their applications to increase revenue. These ads feature enticing titles or blurbs to surge more user hits. Typically, clicking these ads either prompt users to download an app or be redirected to a web page. However, cybercriminals who never run out of new ways to spread their deeds, could also use this as a venue to steal user information.

    We recently spotted a fraudulent website which is pushed by ads found in multiple Android apps. (Some of these apps were downloaded from the Google Play store, while others were found from third-party stores.) These ads use popular brands as hooks like “iPhone 5” and “Samsung Galaxy Note II” and supposedly selling these items for a ridiculously low price. Once users click the ad, it will lead them to a website which shows many means to buy the said phones.

    Figure 1. Ad for Samsung Galaxy Note II


    Figure 2. Ad for iPhone 5

    In reality, these sites are just scam sites that try to defraud users out of their money. They do not actually sell the devices they are promoting.

    Figure 3. Fraudulent website advertising Samsung Galaxy Note II

    Figure 4. Fraud website with iPhone 5 ad

    These ads are being delivered by a large, mainstream ad network, which claims to be used by more than 90,000 apps. While this attack is currently limited to Chinese users, because of the large number of apps on this particular ad network it is possible that similar attacks will be delivered to other users in the future.

    Last March, we blogged about Google’s decision to remove apps that block ads and the potential risks this may pose on unsuspecting users. No doubt the insufficient audit of ads on the Android platform may lead to more fraud, phishing attacks or even malware distribution. We recommend ad providers to provide more powerful audit mechanisms to protect users from attacks leveraging ads.

    Trend Micro protects users from this attack by blocking the said malicious website. We also advise Android users to be cautious in clicking ads on their devices as this may potentially lead to information and identity theft. For better protection of your devices, users should also be wary of other mobile threats like malicious URLs and mobile phishing sites.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Bad Sites, Mobile | Comments Off on Mobile Ads Pushed by Android Apps Lead to Scam Sites

    We spotted a family of Android malware that downloads apps and paid media files without users’ consent, leaving victims with unwanted charges. These are Trojanized versions of the legitimate weather forecast tool GoWeather and are detected by Trend Micro as ANDROIDOS_TROJMMARKETPLAY.

    During our research, we acquired three samples of this malware family. One of the samples (detected as ANDROIDOS_TROJMMARKETPLAY.B) appeared to be in a beta build in comparison to the other samples. We found a lot of test information and codes in it, some of which gave clues as to the possible perpetrator behind it.

    Android Malware Leave Victims with Unwanted Charges

    Let’s now focus on the sample that we suspect to be a beta build. Once installed, ANDROIDOS_TROJMMARKETPLAY.B changes the access point name (APN) to CMWAP which enables the device to log in automatically to the third-party app store M-Market. Users who login for the first time are prompted with a charge pop-up window. The malware then closes this window and opens a page on M-Market to find and download paid apps or media. This routine leaves victims to be charged for apps and media that they did not intentionally download.

    Typically, users should receive a verification SMS from M-Market and are required to reply with a verification code. In this instance, however, the malware intercepts and replies to the SMS so that victims won’t suspect anything. For the CAPTCHA image, the malware downloads the image and sends it to a remote server to decode. The decode server’s domain name is in the configuration file yk-static.config. There are several other configurations in the file, including a phone number which is used to send SMS. The domain name filed is used to store the decode server’s domain.

    We also observed notable changes in ANDROIDOS_TROJMMARKETPLAY.B. In comparison to another malware sample of the same family (detected as ANDROIDOS_TROJMMARKETPLAY.A), this beta build has a feature to update itself. Its method in intercepting and replying to verification SMS is also different. The .B variant uses a database, while the .A variant uses a file to store the verification code. Moreover, .A has a code used to find paid media files.

    Beta Build Android Malware Reveals Details of Cybercriminal

    We concluded that ANDROIDOS_TROJMMARKETPLAY.B is a beta build because we found a test code and some information about the malicious user behind this malware. There was even a private IP address in the URL as well as test functions, which included the send SMS feature. From this function, we found the following phone numbers:

    • {BLOCKED}32046
    • {BLOCKED}56246
    • {BLOCKED}30884

    Since the malware was used for a test, these phone numbers must have been employed by the cybercriminal. We also found that these numbers pointed to Guangdong Guangzhou Province, China, but this was not enough proof that the perpetrators were based in the said location. Another interesting aspect we saw in the code was the word “yunkong”, which appeared many times and is probably the name of a particular individual/entity/organization behind this malware.

    The number {BLOCKED}56246 is still being used by the cybercriminals to receive and initialize SMS. By monitoring these numbers, we can find more information about the perpetrator.

    For the meantime, users are strongly advised to be cautious when downloading apps from third-party app stores as this may lead to malware infection. Trend Micro protects Android mobile users from this threat via Trend Micro Mobile Security Personal Edition, which detects malware disguised as apps. To know more about how to protect your Android devices from being infected, you may refer to the following Digital Life e-guides:

    Posted in Malware, Mobile | Comments Off on Android Malware Family Downloads Paid Media and Apps

    Just days after reports of a supposed Android botnet spam run surfaced, we found a Yahoo! Android app vulnerability, which when exploited, allows an attacker to send spammed messages using the compromised Yahoo! account.

    First Spam Run via Android Botnet?

    Last week, several messages were found peddling fake pharma sites or contain links leading to phishing sites. What made this spam different, however, was the use of the “Sent from Yahoo! Mail on Android” in the message signature and the “androidMobile” value mentioned in the Message-ID field. Based on reports, the IP addresses indicated in these messages were assigned to network operators and were located in developing countries.

    Given these evidences, some experts surmised that the spammers may have used Android devices compromised with malicious apps. Google, however, refuted that the spam were sent from an Android botnet, stating that the spammers behind this may have used infected PCs and fake mobile signature in an attempt to bypass email filters.

    Just recently, another possible scenario was proposed. Certain security researchers theorized the possibility of spammers taking advantage of a Yahoo! Android app vulnerability to compromise a mobile device and spam users with messages.

    Spammers May Exploit Yahoo! Mail Android Vulnerability

    Regardless of how these messages were sent, attackers exploiting a Yahoo! Android vulnerability to compromise a Yahoo! Mail account and send spam is a possibility. In fact, we recently uncovered a vulnerability in Yahoo! Android mail client, which can allow an attacker to gain access to a user’s Yahoo! Mail cookie. This bug stems from the communication between Yahoo! mail server and Yahoo! Android mail client. By gaining this cookie, the attacker can use the compromised Yahoo! Mail account to send specially-crafted messages. The said bug also enables an attacker to gain access to user’s inbox and messages.

    Currently, we are coordinating with Yahoo! about this particular bug. We will also be posting a separate blog entry for our technical analysis of the vulnerability.

    However spammed messages are sent, users should still be wary of spam as they pose certain risk. Users who click the links are lead to fake pharmaceutical sites offering bogus products or phishing pages asking users to divulge sensitive information. Thus, users must never download or click links contained in dubious-looking messages.

    Trend Micro protects users from this threat via Smart Protection Network™, which blocks these messages. Mobile users can benefit from Trend Micro Mobile Security Personal Edition, which detects malicious Android apps.

    Android users must avoid downloading apps from third-party app stores, as this increases the risk of downloading malware disguised as Android apps. To know more about how to protect your devices, you may read the following Digital Life e-Guides specific to Android users.

    Posted in Mobile, Social, Vulnerabilities | Comments Off on Yahoo! Android App Vulnerability May Allow Spamming

    Early this month, we reported about a technique used by an Android malware detected as ANDROIDOS_BOTPANDA.A, which involved modifications to the affected device that make the malware hard to remove. To help affected users, we’ve released a special tool that reverts modifications done by ANDROIDOS_BOTPANDA.A, and ultimately removes the said malware from the system. The said tool, called the BotPanda Cleaner, is now available for download in Google Play.

    48 Utility Apps Contain libvadgo

    Upon further probing, we’ve found 55 malicious files packaged as 48 separate utility apps that contain libvadgo, 28 of which are still available online. Users may typically encounter these on third-party app stores and can be downloaded for free. Based on the estimated number of downloads, these apps have at least 31,000 downloads so far.

    Below are some of these apps repackaged with the malicious library file:

    App Name Package Name
    FMR Memory Cleaner
    SuperSU eu.chainfire.newsupersu
    Move2SD Enabler com.iozhu.zyl
    Squats com.northpark.newsquats
    无线探测器 net.szym.barnacle
    Sit Ups
    Screenshot UX com.nyzv.shotux


    Once installed, these apps function properly and do not overtly exhibit any unusual behavior to users. In reality, these are Trojanized apps modified to include malicious code and libvadgo, repackaged and then distributed by malicious developers.

    ANDROIDOS_BOTPANDA Noteworthy Behavior

    To make removal and cleanup difficult, ANDROIDOS_BOTPANDA.A replaces files, hooks important system commands, and kills certain processes in the infected device. What’s more, the malicious behavior is low level, different from most mobile malware that use Android SDK. In the near future, it is likely that we might see more malicious and Trojanized apps employing this trick, making analysis problematic for security researchers.

    ANDROIDOS_BOTPANDA.A through libvadgo, communicates with malicious C&C servers controlled by possible malicious users. This enables the remote user to perform commands onto the device without the user’s knowledge, which includes stealing information.

    Based on our analysis, the malware was found to run on rooted device. By running on rooted device, the malware and malicious user easily gain root privileges to an infected device. The diagram below gives an overview of the noteworthy behavior of ANDROIDOS_BOTPANDA.A.

    For mobile devices already installed with ANDROIDOS_BOTPANDA.A, merely detecting and deleting the Trojanized app may not address the changes already done by the malware.

    Trend Micro Fix Tool for ANDROIDOS_BOTPANDA.A

    Trend Micro has released a fix tool called BotPanda Cleaner to remove the excess files and restore modifications created by ANDROIDOS_BOTPANDA.A. This fix tool specifically runs on Android OS devices, particularly on Android 2.3 and Android 4.0. It needs root privilege in order to properly reverse the effects of the malware, which runs only when the device is rooted. On its own, the tool will not root the device.

    To be more specific, this tool performs the following:

    1. Scans all files under every package install directory to find file libvadgo
    2. Checks whether system files were modified by the malware
    3. Checks existence of other files generated by the malware
    4. Shows the result to user based on the above 3 steps
    5. Advises user to choose Delete to remove the infected apps and files and reboot the device after clean up.

    If user clicks the Delete button:

    1. Removes all files generated by virus under /system/bin/ and /system/lib
    2. Removes all apps that contain libvadgo.
    3. Recovers two files modified by the virus /system/bin/svc and /system/build.prop

    As an added precaution, users are advised to be cautious before downloading any app, specially those coming from third-party app stores. To help users decide what’s safe, Mobile Security Personal Edition detects apps that contain this malicious lib file.

    To know more about how to enjoy your mobille devices safely and securely, you may refer to our comprehensive Digital Life e-guides below:

    Below is our infographic about the current Android OS threat landscape.

    Posted in Malware, Mobile | Comments Off on Trend Micro Releases Fix Tool for Malicious Library File Found on 48 Utility Apps


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice