    Archive for March, 2013

    Recently, it was reported that Google was unilaterally removing all ad-blocking apps from the official Google Play store. Later on, the developers of the excised apps confirmed this, adding that according to Google their apps had been removed for violating the Developer Distribution Agreement that all Android developers must agree to.

    In an ideal world, one could take Google’s move to be a positive one. The exact language says:

    You agree that you will not engage in any activity with the Market, including the development or distribution of Products, that interferes with, disrupts, damages, or accesses in an unauthorized manner the devices, servers, networks, or other properties or services of any third party including, but not limited to, Android users, Google or any mobile network operator.

    The apps in question do break the agreement as written; Google is within its rights to remove them.

    The trouble is that we don’t live in an ideal world. The significant number of apps and websites with aggressive ads has annoyed users and created this problem in the first place. Some of these ads may even behave maliciously and try to subscribe the user to premium services. Many users are already wary of how ad networks track them, and are tired of seeing ads wherever they go online. Simply put, users don’t always trust ad networks, and they act accordingly to protect themselves.


    Posted in Mobile

    A few weeks ago, a couple of colleagues and I attended the annual RSA Conference in San Francisco. My colleagues have already offered their detailed descriptions of the event; instead I’ll discuss the broader themes I saw at the event.

    Contrasting atmospheres

    The exhibit floors were cheery – almost festive, in fact – with loud chatter, freebies, and buffets. Vendor booths offered attractions that ranged from contests to illusions to arcade games. Even the keynotes on the first day started with a band singing We are the Champions and We Will Rock You.

    The mood in the track sessions and keynote lectures was completely different. Discussions there on offensive security touched on various aspects, including legal concerns, skill set requirements, possible moral and ethical issues, and the challenges of determining attribution. Sessions on cloud computing raised concerns about compliance and data protection, determining standards for cloud service provider partnerships, and managing risk, behavior, and organizational culture.

    Some keynote sessions took a more contemplative tone. Wikipedia’s Jimmy Wales spoke about the role of the Internet in democracy; former Secretary of State Condoleezza Rice noted that traditional ways of defending oneself from an attack do not work, especially given the current cybercrime landscape and the developments in the Internet and cloud computing.

    Breaking down (big data) and building (one’s intelligence)

    Among the themes highlighted in Arthur Coviello’s keynote, Big Data Redefines Security, was that big data is here, and that a major contributor is the increasing number of devices connecting to the Internet. However, information from big data can also be used by adversaries against individuals, organizations, or even nation-states. Organizations need to understand how to act, and not merely react, to skewed information or FUD. This brought to mind the slew of APT campaigns discovered last year and how our researchers have called for organizations to begin focusing on threat intelligence and building a custom-defense strategy to deal with these threats.


    Posted in Malware, Targeted Attacks | RSA Conference 2013: A Newcomer’s Perspective

    What is the difference between cybercrime and a “cyber war”?

    There are different elements of an attack that help us understand this: the targets, the threat actors behind it, and the tools used. But I think one of the most important aspects, something that drives all the other aspects, is also the answer to the question I posed earlier: intent.

    I believe this difference in intent matters because it defines the threat itself. There are a lot of reports on different kinds of organizations being successfully victimized by targeted attacks, and it has become so overwhelming that it has obscured our view of what kind of threats we’re dealing with. And though knowing the intent might not help us stop an attack, it can enable us to assess whether we are a potential target.

    Cyber war or Cybercrime?

    For example, when a threat actor from country A conducts a targeted attack against several companies in country B, does it count as cyber war, or cybercrime? The answer, again, depends on the intent.

    Cyber war, as Raimund Genes also said in his 2013 predictions, refers to politically motivated attacks that may destroy data or even cause physical damage to the infrastructure of a specific country. So in my example above, if the goal of the attack is to destroy the companies’ data or their infrastructure with a political intent, it may be considered an act of cyber war.

    However, if the attack is conducted in order to steal information from the companies with a pure financial intent, then it should be considered a form of cybercrime. Most of the cybercrime schemes we’ve seen in the past aimed to affect as many individual users as possible, but the cybercriminals have found a bigger and better target in companies.




    Some of the apps discussed in this blog entry were developed with an older adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to include this capability in order to comply with Google’s developer policies; apps that use this newer version are no longer considered high-risk.

    More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.

    As expected, shady developers are now taking advantage of Candy Crush, one of the hottest gaming apps in both social networks and Android.

    Recently, Candy Crush grabbed the top spot from FarmVille 2 as the most popular gaming app on Facebook. This boost in popularity, however, has its perils. In particular, Candy Crush’s popularity made it the perfect target for dubious developers and cybercriminals who want to lure and profit from fans of the game – similar to what happened with other popular mobile apps and games like Instagram, Bad Piggies, and Temple Run in the past.

    In a development that surprised no one, we discovered fake Candy Crush apps online, proving that cybercriminals are indeed hoping to capitalize on the game’s current trending status. These apps contain code for the Leadbolt and Airpush ad networks; apps containing such code were among the most prevalent we found last year. (We detect these as ANDROIDOS_LEADBLT.HRY and ANDROIDOS_AIRPUSH.HRXV.)

    Figure 1. Screenshot and notification of fake app

    While not inherently malicious, adware can be abused by cybercriminals for their own gains. Adware not only uses aggressive advertising tactics such as persistent notifications, but also collects information about the user. This could be construed as a violation of the user’s privacy.



    Industrial Control System (ICS)/SCADA systems have been the talk of the security community for the last three or more years due to Stuxnet, Duqu, and other similar noteworthy attacks. While the importance of ICS systems and the lack of security around them are well documented and widely known, I’ve been researching Internet-facing ICS/SCADA systems, who is really attacking them, and why. Recently, I spoke at BlackHat Europe about this research and wrote a research paper to share my findings.

    Without knowing whether Internet-facing SCADA systems were actually being attacked, I developed a honeypot architecture that emulated several types of SCADA and ICS devices, mimicking those commonly found on such systems. The honeypots included the traditional vulnerabilities found across the same or similar systems, resulting in a very realistic honeypot environment.
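    A honeypot of this kind has to speak the protocol convincingly enough that a scanner or attacker accepts it as a real device, while recording every request it receives. The block below is an added example, not the honeypot code used in the research or paper described in this post: it assumes Modbus/TCP as the emulated protocol (the post does not name one) and a constructed register map, serves only Read Holding Registers (function 0x03), answers everything else with standard Modbus exception codes, and emits one log record per request.

```python
"""Minimal Modbus/TCP honeypot: answer scanners like a PLC and log every request.

Added example, not the code used in the research the post describes. Assumes
Modbus/TCP (the post names no protocol); the register contents are constructed.
"""
import socket
import struct
import threading
from datetime import datetime, timezone

MODBUS_PORT = 502
READ_HOLDING_REGISTERS = 0x03
EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_DATA_ADDRESS, EXC_ILLEGAL_DATA_VALUE = 0x01, 0x02, 0x03

# Constructed register map; values are arbitrary but sized like process data.
HOLDING_REGISTERS = {0: 1200, 1: 55, 2: 0, 3: 7}


def parse_mbap(frame):
    """Split one Modbus/TCP ADU into MBAP header fields and PDU; None if malformed
    (too short, non-Modbus protocol id, or length field disagreeing with the bytes)."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "func": frame[7], "data": frame[8:]}


def build_frame(tid, unit, func, pdu):
    """Prepend an MBAP header; its length field counts unit id + func + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 2, unit) + bytes([func]) + pdu


def handle_request(frame, peer="unknown"):
    """Return (reply bytes or None, log record) for one request.
    Only function 0x03 is served; every other code gets an Illegal Function
    exception, as a small real device would, so the log captures what was tried."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "peer": peer}
    req = parse_mbap(frame)
    if req is None:
        record.update(func=None, outcome="malformed", raw=frame.hex())
        return None, record
    func = req["func"]
    record.update(func=func, unit=req["unit"])

    def exception(code):  # exception replies set the high bit of the function code
        return build_frame(req["tid"], req["unit"], func | 0x80, bytes([code]))

    if func != READ_HOLDING_REGISTERS:
        record.update(outcome="illegal_function")
        return exception(EXC_ILLEGAL_FUNCTION), record
    if len(req["data"]) != 4:
        record.update(outcome="illegal_value", raw=req["data"].hex())
        return exception(EXC_ILLEGAL_DATA_VALUE), record
    start, count = struct.unpack(">HH", req["data"])
    record.update(start=start, count=count)
    addrs = range(start, start + count)
    if not (1 <= count <= 125 and all(a in HOLDING_REGISTERS for a in addrs)):
        record.update(outcome="illegal_address")
        return exception(EXC_ILLEGAL_DATA_ADDRESS), record
    values = b"".join(struct.pack(">H", HOLDING_REGISTERS[a]) for a in addrs)
    record.update(outcome="served")
    return build_frame(req["tid"], req["unit"], func, bytes([len(values)]) + values), record


def _session(conn, peer):
    # One recv() is treated as one ADU: adequate for scanners and hand probes; a
    # production honeypot would reassemble on the MBAP length field instead.
    with conn:
        while True:
            frame = conn.recv(260)  # 260 bytes is the maximum Modbus/TCP ADU
            if not frame:
                return
            reply, record = handle_request(frame, peer)
            print(record, flush=True)  # replace with a structured log shipper
            if reply is None:
                return  # drop the connection on garbage, as many devices do
            conn.sendall(reply)


def serve(host="0.0.0.0", port=MODBUS_PORT):
    """Listen on the Modbus port and answer each connection in its own thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=_session, args=(conn, f"{addr[0]}:{addr[1]}"),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

    Port 502 is privileged, so either run this as root or bind a high port and redirect to it with a firewall rule. Answering unsupported function codes with a proper exception rather than closing the connection is deliberate: the write, diagnostic and device-identification requests an attacker tries after the first successful read are exactly the signal a honeypot like this exists to capture, and the log record keeps the transaction id, unit id and function code needed to reconstruct that sequence later.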

    The findings include real-world attacks originating from several countries, with varying numbers of attack attempts per country.


    Figure 1. Percentage of attacks per country


    Posted in Exploits, Vulnerabilities | Who Is Really Attacking Your ICS Devices?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice