TrendLabs Malware Blog (Trend Micro)

The 2014 FIFA World Cup in Brazil is all but underway, and the fervor of such a prestigious and newsworthy event is already setting competing nations’ populations on fire. Unfortunately, cybercriminals are getting into the mood too.

Besides recently flooding the internet with phishing scams and the taking down of two Brazilian government sites by hacktivists (the Sao Paulo Military Police website and the official World Cup 2014 Brazil website), cybercriminals are also targeting the mobile scene with scads of World Cup-themed mobile malware: more than 375 of them at last count. We found these malicious apps lurking in unauthorized/third-party app download stores, just waiting for users to install them on their mobile devices.

Upon analysis, we found that the bulk of the malware in question consists of variants of prevalent mobile malware families.

App Fakery

One of the malware families detected is the ANDROIDOS_OPFAKE.CTD family. This particular family first appeared in May 2013, passing itself off as fake clones of popular apps. Its malicious routines include subscribing the user to premium services, leaking user-critical information (such as the contact list and messages), and installing malicious links and shortcuts on the mobile device home screen. In just one year, the number of detected ANDROIDOS_OPFAKE.CTD variants reached 100,000, faking 14,707 apps.

We also discovered that the remote server the apps connect to has 66 different domains, with each domain spoofing famous websites like MtGox.com.

Figures 1 and 2. Fake World Cup game apps

Figure 3. Fake game app premium service abuse notification

SMS Filtering and Theft

Another malware family we detected leveraging World Cup fever is the ANDROIDOS_SMSSTEALER.HBT family. Variants of this family share similar methods of fraud and fakery with OPFAKE, with one exception: they can connect to their remote C&C server to receive and execute commands, including adding an SMS filter (to block or conceal certain incoming messages), sending SMS messages, and installing new malware.

Figures 4 and 5. More fake World Cup game apps

Analyzing its C&C servers, we found 76 domains, all of them registered to a Tanasov Hennadiy. We also found that the C&C servers in question were used to host third-party app download websites, where most apps are repackaged with advertisements and information theft routines.

Figure 6. C&C domain registrant name and address

Figure 7. List of hosted malicious apps/files

Premium Service Abuse

We also found that the Trojan mentioned in our previous blog is part of the cybercriminals’ World Cup arsenal, with a new variant we detect as ANDROIDOS_OPFAKE.HTG. Like any typical premium service abuser, it leaves affected users charged exorbitant premium service fees for services they never purchased themselves.

Figure 8. Fake World Cup game app/PSA

Slot Game Swindling

Finally, we found a malicious World Cup slot game app that we detect as ANDROIDOS_MASNU.HNT. Its malicious routines include filtering the user's payment confirmation messages, so that users may not notice how much money they have actually been paying while playing the game, and thus spend more without restraint.

Figure 9. Malicious World Cup slot game app
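Both the SMSSTEALER "SMS filter" above and the MASNU payment-confirmation filtering rely on the same Android mechanism: a BroadcastReceiver registered for SMS_RECEIVED with a very high intent-filter priority, so the app sees an incoming message before the stock messaging app does and can suppress it. The following is an added triage example (not code from the Trend Micro post or from any of the samples it describes) that parses an AndroidManifest.xml and flags that combination of SMS permissions and a high-priority SMS receiver. The priority threshold, the indicator names, the verdict rules and the two sample manifests are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Assumed threshold: an intent-filter priority this high on SMS_RECEIVED is
# there to outrank the stock messaging app, which is how an "SMS filter" gets
# to see (and suppress) a message before the user does.
HIGH_PRIORITY = 999


def _android_name(elem):
    return elem.get(ANDROID_NS + "name")


def find_sms_receivers(root):
    """Return [(receiver class, intent-filter priority)] for every receiver
    registered for SMS_RECEIVED; a missing priority counts as 0."""
    found = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {_android_name(a) for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION not in actions:
                continue
            raw = intent_filter.get(ANDROID_NS + "priority")
            priority = int(raw) if raw is not None else 0
            found.append((_android_name(receiver), priority))
    return found


def triage_manifest(xml_text):
    """Score one AndroidManifest.xml (as a string) for SMS-interception
    indicators. Indicator names and verdict rules are this example's own."""
    root = ET.fromstring(xml_text)
    permissions = {_android_name(p) for p in root.iter("uses-permission")}
    receivers = find_sms_receivers(root)

    indicators = []
    if "android.permission.RECEIVE_SMS" in permissions and receivers:
        indicators.append("sms_receiver")
    if any(priority >= HIGH_PRIORITY for _, priority in receivers):
        indicators.append("high_priority_sms_receiver")
    if "android.permission.SEND_SMS" in permissions:
        indicators.append("can_send_sms")
    if "android.permission.INTERNET" in permissions and receivers:
        # An SMS receiver plus network access can relay messages or take C&C orders.
        indicators.append("sms_receiver_with_network")

    if "high_priority_sms_receiver" in indicators and "can_send_sms" in indicators:
        verdict = "high"      # can both hide replies and send premium SMS
    elif indicators:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "indicators": indicators, "sms_receivers": receivers}


# Constructed sample manifests for the demo; neither is a real app.
BENIGN_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.worldcupgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="World Cup Game">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

SUSPICIOUS_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.worldcupgame.free">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="World Cup Game">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsFilterReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_GAME_MANIFEST),
                            ("suspicious", SUSPICIOUS_GAME_MANIFEST)):
        print(label, triage_manifest(manifest))
```

In practice the manifest would come from a decoded APK rather than an inline string, and the result is a triage signal, not a verdict: an SMS backup tool legitimately asks for READ_SMS, so the interesting case is a game that has no business with SMS at all. Note also that from Android 4.4 onward only the default SMS app can suppress an incoming message, which blunts this specific trick on newer devices; the receiver pattern is still worth flagging because it is a strong hint of intent in a repackaged app.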

Some football betting apps have also been found leaking information without notifying the user, as well as carrying blatant security risks in their micropayment process. We advise users to be very careful with their financial and personal information when using these apps (or not to use them at all).

Besides this malware, we also found quite a few high-risk apps themed after the World Cup. Most, if not all, sport some sort of information theft routine, as well as pushing ad notifications and unwanted app advertisements.

While it may be a fact of life that big sporting events like these will inevitably have some sort of cybercriminal attack or campaign following close behind, being a victim of them isn’t. Users are reminded not to download anything from third-party app download sites, and to use mobile security solutions (such as our own Trend Micro Mobile Security) in order to keep their mobile devices secure.

Readers can be assured that we will continuously monitor these World Cup-related threats and publish news updates as we get them. Check out this blog as well as our Race to Security website for all the latest news regarding this particular topic.
