Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
  • About Us

    Repackaged applications, which are a category of fake applications, play a crucial role in the proliferation of mobile malware. Like fake apps, repackaged apps use social engineering tactics, displaying similar user interface (UI), icon, package names and app labels as the legitimate/official version of the apps they spoofed. This is done to trick users into downloading fake apps and consequently, generating profit.

    Based on the research, nearly 80% of the top 50 free apps found in Google Play have bogus versions. These apps can range from business, media and video, and games. In addition, more than half of fake apps today are tagged as ‘high-risk’ and ‘malicious’ due to the risk it pose to the users.

    figure 1-01
    Figure 1. Free apps with and without fake versions that were available in Google Play

    Several third-party app stores distribute repackaged apps, some of which are even Trojanized apps or apps that have been modified to add malicious code. Some samples include FAKEBANK, premium abusers, and Trojanized game apps. Cybercriminals add mobile ad software development kits (SDKs) in their bogus apps so as to generate income by pushing advertisements. Furthermore, they also change the mobile ad SDKs of legitimate apps just so they can get the earnings instead of the original developers. Another means of ‘trojanizing’ an app is by inserting malicious code into classes.dex file, which can introduce risks like malware infection and data theft.

    Because of the security risks that repackaged apps pose to users, it is advisable for these app stores to include rules and audit mechanism to control the propagation of fake/repacked apps.  Google Play has implemented a rule preventing apps which are similar in terms of code and physical appearance with an already existing app.

    In the past, we discussed how repackaged apps leverage the popularity of mobile apps with Flappy Bird as a case sample in our monthly mobile review. In our research paper, Fake Apps: Feigning Legitimacy, we provided an in-depth discussion on repackaged apps, its risks to users, and ways which they can secure their mobile devices.

    With additional analysis by Symphony Luo

    Update as of July 17, 2014, 9:08 A.M. PDT:

    Note that the fake apps samples we gathered are from third party sources and none was found in Google Play.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    While wearable personal technology may be the most “public” face of the Internet of Everything, the most widespread use of it may be in smart meters.

    What is a smart meter, exactly? It’s a meter for utilities (electricity, gas, or water) that records the consumption of the utility in question, and transmits it to the utility provider via some sort of two-way communication method. (Examples of these methods include a wireless mesh network, power line networking, or a connection to the user’s own Internet service.) Unlike simple home monitors, smart meters can collect data for remote reporting to the utility.

    One smart meter in isolation has limited uses. However, if the majority of meters in an area are now “smart”, the utility is able to reap large benefits. With the added information provided by large numbers of smart meters, a utility can adjust their services as needed to improve the efficiency, reliability, costs, and sustainability of their services.

    Deployment and Usage

    Some may think that smart meters are more theoretical than anything else. However, they are already in widespread use in some countries, and it is easy to see how in the next few years they will become even more widespread.

    Let me talk about the part of the world I know – Europe. For example, the former Italian electric monopoly, Enel, has rolled out smart meters to almost all of its 36 million customers. In addition, Enel has deployed a remote management system known as Telegestore, which allows the utility to carry out actions via the smart meter that would otherwise require a physical visit. 330 million meter readings and over a million other operations were carried out remotely, making this easier for both customers and Enel. Enel also owns 92% of the Spanish utility firm Endesa, and is rolling out similar products in that market.

    Italy and Spain are not the only countries in Europe leading the way in smart meter adoption. Other countries identified by the European Union as being “dynamic movers” in smart meters include Estonia, Finland, France, Ireland, Malta, the Netherlands, Norway, Portugal, Sweden, and the United Kingdom. In these countries, regulators and utilities are both making the necessary steps to move forward with smart meter adoption.

    Technical Standards and Risks

    There are a diverse number of industry groups and protocols that are promoting smart meter technology. In part, this is a reflection of the varying ways that smart meters are deployed and used: for different applications, different technology may be needed. However, this also means that there a wide variety of technical standards used in smart meters.

    Other such niche devices – such as home automation equipment and Internet routers – have proven to have serious security risks. It’s one thing to have, say, a light switch have some sort of vulnerability. It’s another thing for utility meters and controls to have vulnerabilities. Smart meters and smart grids have not yet been fully tested and vetted for potential security risks; we have to consider the potential scenarios if these devices are proven to have flaws – as some of them inevitably well.

    The video below highlights some of these potential scenarios. In future blog posts, we will look into some of these scenarios in some detail and discuss the circumstances that can lead into these issues.

    You can read parts 2 and 3 of this blog series here:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    We have been dealing with targeted attacks and know that there is no single technology that can practicably defend an organization’s network against these high-impact campaigns. This is sad, true, but it does mean there are ways to harness security technologies like sandboxing and heuristic scanning so that they work together to protect as a stronger whole.

    The use of heuristics and sandboxing as complementary technologies that cover each other’s weaknesses serves as an effective and efficient way in identifying unknown threats at the earliest time possible. Heuristic scanning employs a rule-based system in order to quickly identify possibly malicious files. Its effectiveness relies heavily on how the rules are defined. Sandboxing, on the other hand, is a method to safely execute a suspicious file in a protected environment, usually VM, in order to see what it will do, without infecting the host.

    Efficiency and Accuracy

    In practice, heuristic scanning acts as a filter before sending a file to the sandbox. Doing so can reduce cost and increase system capacity. Heuristic scanning can also determine a file’s file type and, if your two technologies are working together. For example, heuristic scanning can tell the sandbox that a certain Office file is Word 2003, Word 2007, or Word 1.0. Therefore the sandbox can execute the file in the appropriate/expected environment.

    Furthermore, even if a company has enough resources to sandbox every single file under all possible conditions, there are malware that can tell that it is being run in a sandbox and thus not exhibit any malicious routine. An IT admin’s best bet is to have detected this file earlier via heuristic scanning first, for better detection coverage.

    Solution Versus Zero-days

    As mentioned before, the effectiveness of heuristics plus sandboxing relies heavily on the defined heuristic rules. These rules need to be forward-looking enough to recognize previously unknown threats, but also specific enough so as to avoid false alarms.

    One good way to check for the effectivity of these rules is to see how well the rules fare against zero-day exploits. By nature, zero-day exploits are malware using unpatched vulnerabilities but with similar exploitation techniques. If sufficiently “smart”, heuristic rules will be able to catch them.

    Even years-old heuristic rules in the Trend Micro Advanced Threat Scan Engine, for instance, have been able to detect recent zero-days:

    1. CVE-2014-0515 in May, 2014 was detected by a rule developed in 2014 – HEUR_SWFJIT.B
    2. CVE-2014-1761 in April, 2014 was detected by a rule developed in 2012 — HEUR_RTFEXP.A/HEUR_RTFMALFORM.
    3. CVE-2014-0496 in February, 2014 was detected by a rule developed in 2010 — HEUR_PDFEXP.A
    4. CVE-2013-3346 in November, 2013 was detected by a rule developed in 2010 — HEUR_PDFEXP.A

    Aim for Early Detection

     Assume compromise: enterprises should understand by now that the later they are able to catch onto an on-going targeted attack campaign, the more difficult it is to mitigate the damage or even to detect the attack. Therefore, early detection must be first priority for network defenders, and a layered protection will go a long way.

    Additional insights and analysis by Shih-hao Weng and Sunsa Lue.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Sporting events are getting more and more connected, and the just-concluded World Cup is no exception. Brazilian telecom provider Oi made sure that no expense was spared in ‘connecting’ the World Cup , and even claimed that this year’s event is in fact the most connected in the history of the World Cup.

    Oi claims that they provided connections to all twelve host stadiums across Brazil, resulting with 32 terabytes of data being generated by the media, sponsors, volunteers and FIFA officials in just ten days.  More than 152,000 unique devices (smartphones, tablets and laptops) have been connected to the public Wi-Fi networks installed in the host stadiums.

    Online users all over the world looked for news and updates about the World Cup and made themselves targets for cybercriminals and their socially-engineered threats. Public Wi-Fi networks may keep sports fans online, but their insecurity may lead to them being hacked and their personal information being siphoned.

    World Cup-themed threats have popped up left and right, from phishing websites to spam to malicious mobile apps. One particular phishing scheme managed to snare more than 3,000 users in a span of 72 hours. Most of the victims came from connected countries such as the US (19%) , Japan (14%), Germany(12%) and France (9%).

    Figure 1. Phishing website targeting World Cup fans

    Figure 2. Phishing site victim count

    This message lured users into handing over their login details using a fake US$200 prize, as well as a legitimate promo with a hefty cash prize. The promo itself was themed to take advantage of the World Cupand this in itself may have resulted in such a large amount of victims in a small amount of time.

    We’re not saying that sporting events becoming more and more connected is inherently a bad thing. However, being connected in this day and age without being secure IS inviting trouble. While telecom providers can help, the ultimate responsibility of being secure is on users. They must protect themselves so that at the end of the event, they’re left with fond memories and souvenirsnot malware infections that will result in depleted bank accounts and compromised devices.

    In order to help drive this message homeof sports fans looking after themselves in terms of online securitywe decided to run a survey on our Race to Security website and see just the kind of sports fans our visitors and readers mostly are. From there, we figured out the most common type of fan among our readers, and how they should secure themselves. We’ve also made sure to include tips for everyone to take heed of no matter what kind of fan they are. To find out the results and more information about protecting yourself during sport events, check our latest infographic, What The Race To Security Survey Says.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    11:56 am (UTC-7)   |    by


    Monitoring the cybercriminal underground sometimes leads us down some interesting paths. We recently encountered a cybercriminal posting in a Russian underground forum which led to the discovery of more than 136,000 stolen credit card credentials.

    Help in all the wrong places

    The trail started with the following post on a Russian underground forum.

    Figure 1. Post in underground forum (click to enlarge)

    The post from user acmpassagens asking for help with the well-known Virtual Skimmer point-of-sale (PoS) malware family was not particularly unusual. However, two things stood out: first of all, the post, despite being written in Russian, was not written by a native speaker. The sentence construction did not look right. The poster also claimed that he had access to more than 400 PoS terminals in gas stations and shops… in Brazil. This was a user from Brazil asking questions in a Russian underground forum.

    As part of his post, acmpassagens left both his e-mail address ( and Skype address (acmpassagens). Together with his username, one can follow some of this person’s other online activities. For example, on an official Microsoft forum, he replied to a question about credit card readers with a post offering to sell software:

    Figure 2. Post on Microsoft Developer Network (MSDN)

    Videos related to card-skimming contained his e-mail address so curious viewers who wanted to “join the business” could contact him directly as well.

    Figure 3. Youtube video

    However, initially there didn’t appear to be anything online that could help us uncover the identity of acmpassagens. We were able to obtain some of the e-mail addresses he used, as well as two of his Skype accounts: acmpassagens and _brenosk815

    However, just before we were about to set this case aside, diligent Google searching led to an incredible jackpot: an account used by acmpassagens on the online file storage service 4shared. Moreover, all of the contents of his account – all 1GB of it – were open for anybody with Internet access to see, without the need for a user name or password.

    Figures 4 and 5. Publicly available 4shared account

    What was in this account?

    The files in the 4shared account contained what appeared to be a log of the cybercrime activities that acmpassagens had carried out. It contained malware, phishing templates, and various documents with what appeared to be the personal information of cybercriminals, accomplices, and victims.

    First, who is acmpassagens? According to the account, he is a Brazilian national named Breno Franco. He describes himself as a “businessman”, with an official address in Salvador, the eighth most populous city in Brazil. There were also multiple pictures of himself on the account:

    Figure 6. Picture of Breno Franco

    Mr. Franco used multiple addresses to communicate with others:


    In addition to this, there was ample information relating to Mr. Franco’s money mules. We found various documents including Visa card slips and printouts of bank account statements.

    Figure 7. Scanned identity card

    Some of these documents may not be authentic. However, there also appeared to be private information of these mules, including scans of passports and official Brazilian identity cards (see above). It is hard to determine if these documents belong to actual people or whether the passports are fakes, since we also found Photoshop files for fake passports in 4shared. In addition, there was a recording of a VoIP call between a mule and Mr. Franco:

    Figure 8. Recorded VoIP call

    What about Mr. Franco’s cybercrime haul? In the account, we found what appeared to be 136,000 credit card numbers stored for future usage.

    Table 1. Stolen cards

    More than 107,000 of these numbers are for Visa, and more than 20,000 for MasterCard, with other networks picking up the small remainder. Visa is an official FIFA Partner, which may explain why Visa customers were frequent victims.

    The 4shared account also contained the tools that Mr. Franco may have used to carry out his attacks. There was PoS malware belonging to the Virtual Skimmer and BlackPOS families, which may have been used to carry out the attacks that Mr. Franco described in some of his posts.

    Aside from the above malicious tools, there were two other files useful in processing stolen card information. One was a file used to generate credit cards with stolen valid credit card numbers. The other is used to verify card numbers and is known as T3ST4D0R C0D3R (CC VALIDA). (Legitimate software has been abused by cybercriminals for the latter role.)

    There were also templates for various phishing sites stored inside the 4shared account. Some of these sites had been found in the wild very recently. These phishing sites took advantage of the ongoing World Cup:

    Figure 9. Phishing site

    One of these phishing templates was uploaded to the compromised site of a Brazilian restaurant and shop. The files on the said site can be grouped into two: files from around 2011, when the legitimate site was last created/modified, and 2014, when Mr. Franco took control of the site and used it to host his phishing page.


    In the past, the cybercriminal underground has operated in distinct groups. There was separate Russian underground communities, Latin American underground communities, etc. That is no longer the case: cybercriminals are now crossing borders and combining the various tools and resources available to them.

    As cybercriminals become increasingly able to work together, attacks will become truly global. Trend Micro will continue to work closely with, and support and share information with law enforcement whenever possible to bring cybercriminals to justice.


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice