5:01 am (UTC-7) | by Veo Zhang (Mobile Threats Analyst)
The 2014 FIFA World Cup in Brazil is all but underway, and the fervor of such a prestigious and newsworthy event is already setting competing nations’ populations on fire. Unfortunately, cybercriminals are getting into the mood too.
Besides the recent flood of phishing scams and the takedown of two Brazilian government sites by hacktivists (the Sao Paulo Military Police website and the official World Cup 2014 Brazil website), cybercriminals are also targeting the mobile scene with scads of World Cup-themed mobile malware – more than 375 of them at last count. We found these malicious apps lurking in unauthorized/third-party app download stores, just waiting for users to install them on their mobile devices.
Upon analysis, we found that the bulk of the malware in question consists of variants of prevalent mobile malware families.
One of the malware families detected is the ANDROIDOS_OPFAKE.CTD family. This particular family first appeared in May 2013, passing itself off as fake clones of popular apps. Its malicious routines include subscribing the user to premium services, leaking user-critical information (such as the contact list and messages), and installing malicious links and shortcuts on the mobile device's home screen. In just one year, the number of detected ANDROIDOS_OPFAKE.CTD variants reached 100,000, faking 14,707 apps.
We also discovered that the remote server the apps connect to uses 66 different domains, each of them spoofing famous websites like MtGox.com.
Figures 1 and 2. Fake World Cup game apps
Figure 3. Fake game app premium service abuse notification
SMS filtering and theft
Another malware family we detected leveraging World Cup fever is the ANDROIDOS_SMSSTEALER.HBT family. Variants of this family share similar methods of fraud and fakery with OPFAKE, with one exception: they can connect to their remote C&C server to receive and execute commands, including adding an SMS filter (to block or conceal certain incoming messages), sending SMS messages, and installing new malware.
Figures 4 and 5. More fake World Cup game apps
Analyzing its C&C servers, we found 76 domains, all of them registered to a Tanasov Hennadiy. We also found that the C&C servers in question were also used to host third-party app download websites, where most apps are repackaged with advertisements and information theft routines.
Figure 6. C&C domain registrant name and address
Figure 7. List of hosted malicious apps/files
Premium Service Abuse
We also found that the Trojan mentioned in our previous blog is also part of the cybercriminals' World Cup arsenal, with a new variant we detect as ANDROIDOS_OPFAKE.HTG. As with any typical premium service abuser, affected users find themselves charged exorbitant premium service fees for purchases they never made themselves.
Figure 8. Fake World Cup game app/PSA
Slot Game Swindling
Finally, we found a malicious World Cup slot game app that we detect as ANDROIDOS_MASNU.HNT. Its malicious routines include filtering the user's payment confirmation messages, so that users may not notice how much money they have actually been paying while playing this game, and thus spend more without restraint.
Figure 9. Malicious World Cup slot game app
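Both the SMSSTEALER C&C "add an SMS filter" command described above and the payment-confirmation filtering in this slot game rely on the same Android capability: the app declares SMS permissions and registers a high-priority receiver for the incoming-SMS broadcast, which lets it see a text before the stock messaging app does. The following static triage check, added here as an example and not part of Trend Micro's tooling, parses an AndroidManifest.xml and flags that combination. The two manifests are constructed, the package and class names are placeholders, and the priority threshold of 100 is an assumption (the default priority is 0).

```python
"""Triage heuristic: flag manifests that combine SMS permissions with a
high-priority receiver for android.provider.Telephony.SMS_RECEIVED."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Assumption: anything this far above the default priority of 0 is worth a look.
HIGH_PRIORITY_THRESHOLD = 100


def _android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return the SMS-related permissions and receivers found in a manifest,
    plus a 'flag' that is True when SMS permissions are paired with a
    high-priority SMS_RECEIVED receiver."""
    root = ET.fromstring(xml_text)

    permissions = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    sms_permissions = sorted(permissions & SMS_PERMISSIONS)

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            raw = _android_attr(flt, "priority")
            try:
                priority = int(raw) if raw is not None else 0
            except ValueError:
                # A resource reference such as @integer/prio cannot be checked
                # statically here; treat it as unknown and surface it for review.
                priority = None
            sms_receivers.append((_android_attr(receiver, "name"), priority))

    high_priority = [
        r for r in sms_receivers
        if r[1] is None or r[1] >= HIGH_PRIORITY_THRESHOLD
    ]
    return {
        "sms_permissions": sms_permissions,
        "sms_receivers": sms_receivers,
        "high_priority_sms_receivers": high_priority,
        "flag": bool(sms_permissions) and bool(high_priority),
    }


# Constructed manifest resembling the fake game apps in the post: SMS permissions
# plus a receiver that outranks the messaging app for incoming texts.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.worldcup.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="World Cup 2014">
    <receiver android:name="com.example.worldcup.game.SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of a plain game with no SMS capability, for contrast.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.worldcup.scores">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Scores">
    <activity android:name="com.example.worldcup.scores.MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, analyze_manifest(manifest))
```

Run it against manifests pulled from an unpacked APK (for example with apktool). The flag is a triage signal, not a verdict: a legitimate third-party messaging app will trip it too, so a hit means "inspect the receiver's code and the app's origin", which for the World Cup apps above would quickly lead back to the unauthorized download stores and C&C domains described in the post.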
Some football betting apps have also been found leaking information without notifying the user, as well as exhibiting blatant security risks in their micropayment process. We advise users to be very careful with their financial and personal information when using these apps (or not to use them at all).
Besides this malware, we also found quite a few high-risk apps themed after the World Cup. Most, if not all, sport some sort of information theft routine, as well as pushing ad notifications and unwanted app advertisements.
While it may be a fact of life that big sporting events like these will inevitably have some sort of cybercriminal attack or campaign following close behind, being a victim of them isn’t. Users are reminded not to download anything from third party app download sites, and to utilize mobile security solutions (such as our own Trend Micro Mobile Security) in order to keep their mobile devices secure.
Readers can be assured that we will continuously monitor these World Cup-related threats and publish news updates as we get them. Check out this blog as well as our Race to Security website for all the latest news regarding this particular topic.