
    Archive for September, 2013


    Some of the apps discussed in this blog entry were developed with an older adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to include this capability in order to comply with Google’s developer policies; apps that use this newer version are no longer considered high-risk.

    More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.

    With three months to spare before the year ends, our prediction that mobile threats, specifically malware and high-risk apps, would reach the 1 million mark has finally come true.

    In our 2Q Security Roundup for the year, we noted that more than 700 thousand malicious and risky apps were found in the wild. This impressive number, plus the continuous popularity of the platform among users, led us to predict that 2013 would be the year when Android malware reaches 1 million.

    Figure 1. Growth in malicious/risky Android apps

    Our Mobile App Reputation data indicates that there are now 1 million mobile malware (such as premium service abusers) and high-risk apps (apps that aggressively serve ads that lead to dubious sites). Among the 1 million questionable apps we found, 75% perform outright malicious routines, while 25% exhibit dubious routines, which include adware.

    Premium Service Abusers, Adware Among Top Mobile Threats

    Malware families such as FAKEINST (34%) and OPFAKE (30%) were the top mobile malware. FAKEINST malware are typically disguised as legitimate apps. They are also premium service abusers, which send unauthorized text messages to certain numbers and register users to costly services. One high-profile incident involving FAKEINST is the fake Bad Piggies versions, which we found right after the game’s release.

    Figure 2. Top Mobile Malware Family

    The OPFAKE malware is similar to FAKEINST, particularly in mimicking legitimate apps. However, a variant (ANDROIDOS_OPFAKE.CTD) showed a different side of the malware, as it was found to open an .HTML file that asks users to download a possibly malicious file. Aside from sending messages to certain numbers and registering users to costly services, premium service abusers pose other risks to users. Our recent infographic shows the other dangers of installing this type of mobile malware.

    On the high-risk apps front, ARPUSH and LEADBLT lead the pack, gathering 33% and 27% of the total number, respectively. Both are known adware and infostealers, collecting device-related data such as OS information, GPS location, IMEI etc.

    Figure 3. Top High-risk Apps Family

    The threat to mobile devices, however, is not limited to rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users’ banking transactions, with the likes of FAKEBANK and FAKETOKEN malware threatening users. Details about these malware families can be found in our recent report A Look At Mobile Banking Threats.

    To keep your devices safe, it is important to treat your devices like your PC counterparts, especially when it comes to security. Be wary of downloading apps and make sure to read the comments section and developer details. Trend Micro protects users from mobile malware and high-risk apps via Trend Micro Mobile Security App. Our Mobile Threat Hub also provides helpful information about mobile threats and security tips for your smartphones, tablets and other gadgets.

    With analysis from Trend Micro Mobile Response Team


    Online banking is one of the many tasks that have been made more convenient by mobile technology. Now, users can purchase products and/or services, pay their bills and manage their finances from anywhere, at any time. However, threats against mobile banking exist, and they need to be addressed and secured against.

    Some of these threats include:

    • Mobile phishing – malicious mobile websites that pass themselves off as login websites of legitimate organizations, such as banks and social networks. These are designed to trick users into entering their login information. So far, in this quarter, nearly half of all mobile phishing websites spoof financial services websites.
    • Malicious apps – Apps that contain malicious routines, such as stealing information from the device they’ve been installed on. These are usually found either in third-party app stores or malicious websites, and frequently passed off as legitimate apps.
    • Trojanized apps – Legitimate apps that have been turned into malicious apps. These are more dangerous because to the end user, they are completely indistinguishable from the real app. Because of this, the malicious app – and its routines – could be running for a long time, long before the user even suspects anything.


    Figure 1. Distribution of types of mobile phishing pages in Q3 2013 to date

    While banks are taking steps to reduce losses due to mobile banking, in the end users – both individuals and businesses – must take steps to protect themselves. Users should be familiar with their bank’s mobile banking procedures, in order to more easily spot things that are “off” and could indicate an attack. In general, too, good computing habits will help keep users secure.

    Businesses need to understand and educate their staff about the risks related to online banking, so that the bottom line is not at risk from these threats. This may include guidelines on whether employees can/should use mobile banking from personal devices. In addition, businesses should work together with their bank to look into possible procedures and steps to reduce known risks.

    For more information about mobile banking and how to secure it, we have recently released the latest edition of our Monthly Mobile Report titled Security in Mobile Banking, as well as an e-guide. These discuss the basics of mobile banking, and how they should be secured.

    Posted in Mobile | Comments Off on The Ghost in the (Portable) Machine: Securing Mobile Banking

    In targeted attacks, during the lateral movement stage attackers try to gain access to other computers on the same local area network (LAN). One useful tool to achieve this is ARP spoofing, which can be used to carry out a variety of attacks to steal information as well as plant backdoors on other machines. We recently came across a tool that automates ARP attacks, as well as using these kinds of attacks to inject IFRAMEs into websites, deliver fake software updates, and disrupt SSL connections.

    ARP Spoofing

    Hacking tools that automate ARP attacks are fairly common, so we will not delve too deep into all aspects. The tool can scan for live hosts on the LAN, which are then saved in an encrypted file. These IP addresses can then become the targets of ARP spoofing attacks.

    For starters, this tool can be used to intercept network traffic and extract login credentials of network services. This particular tool that we saw, which we also detect as HKTL_ARPSPOOF, supports a variety of protocols. It has the ability to steal credentials from a wide variety of protocols, such as: FTP, HTTP, IMAP, NetBIOS, POP3, SMB, and SMTP.

    For these protocols, the tool scans the network traffic to extract user names and passwords. These are then saved in an encrypted file, which the attacker can upload at their discretion. Because users frequently use the same password across different accounts, these credentials might be used across a wide variety of services, not just the ones they were captured off.

    In addition to this, this tool is also capable of carrying out man-in-the-middle attacks against TLS/SSL traffic. If users are not wary and ignore warnings about invalid certificates, any credentials sent to sites that use TLS/SSL, instead of being “secure”, can be captured and used by an attacker. Many high-profile sites already force the usage of TLS/SSL when users attempt to log into their services.

    IFRAME Injection

    This malware can also inject IFRAMEs into sites the user visits. It monitors the system’s HTTP traffic and injects an invisible IFRAME whenever possible. The results – as gathered in our testing – can be seen below.

    Figure 1. Injected IFRAME

    In this case, a (non-malicious) IFRAME was injected into the default web site of the HTTP server. An attacker could use this “feature” to send users to a malicious URL, where they can host a page with malicious code to exploit various vulnerabilities on the user’s system.

    Fake Update Package

    We constantly warn users to always ensure their software is up to date to help protect themselves. However, this tool exploits that advice to push malware to other users. This tool is also capable of using ARP spoofing to trick the system into thinking that an update for Windows Media Encoder 9 is being offered to the user; however, this file is actually malicious.

    Figure 2. Fake update code

    Possible Target

    One function of this tool offers a potential clue as to the identity of the persons responsible for it. A portion of the code is specifically targeted at users of the Central Tibetan Administration, which relies on Google Apps to provide email for its users.

    Figure 3. Code for specific target


    The capabilities of this tool highlight the effectiveness of ARP spoofing in stealing information, particularly login credentials. These can be very useful in conducting lateral movement.

    IT administrators should consider retiring old, unencrypted protocols in favor of newer, encrypted ones, as these resist attack better than their predecessors. However, user training should also emphasize the importance of listening to alerts about invalid certificates, as these can indicate serious security problems.
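    One defensive counterpart to the tool described above is watching ARP replies on the LAN for the two symptoms poisoning produces: an IP (typically the gateway) suddenly answering from a different MAC, and one MAC claiming several IPs. The following is an added example written for this post, not code from Trend Micro or from the tool; the tcpdump-style ARP lines, addresses and the `max_ips_per_mac` threshold are constructed for illustration.

```python
"""Detect ARP cache poisoning from captured ARP replies (added example)."""
import re
from collections import defaultdict

# Constructed sample in tcpdump -e style. The poisoner 00:0c:29:aa:bb:cc
# first lets the real hosts announce themselves, then claims the gateway
# 10.0.0.1 and two peers so that their traffic flows through it.
SAMPLE_ARP = """\
00:50:56:00:00:01 > ff:ff:ff:ff:ff:ff, ARP, Reply 10.0.0.1 is-at 00:50:56:00:00:01
00:50:56:00:00:10 > ff:ff:ff:ff:ff:ff, ARP, Reply 10.0.0.10 is-at 00:50:56:00:00:10
00:50:56:00:00:11 > ff:ff:ff:ff:ff:ff, ARP, Reply 10.0.0.11 is-at 00:50:56:00:00:11
00:0c:29:aa:bb:cc > 00:50:56:00:00:10, ARP, Reply 10.0.0.1 is-at 00:0c:29:aa:bb:cc
00:0c:29:aa:bb:cc > 00:50:56:00:00:01, ARP, Reply 10.0.0.10 is-at 00:0c:29:aa:bb:cc
00:0c:29:aa:bb:cc > 00:50:56:00:00:01, ARP, Reply 10.0.0.11 is-at 00:0c:29:aa:bb:cc
"""

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def analyze_arp(text, max_ips_per_mac=2):
    """Return a list of (alert_type, detail) tuples, in the order seen.

    'mac_change'      - an IP that was bound to one MAC is now announced
                        from another MAC (the classic poisoning symptom).
    'mac_claims_many' - a single MAC has announced more than
                        max_ips_per_mac distinct IPs (impersonating peers).
    """
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # all IPs each MAC has claimed
    alerts = []
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if not m:
            continue                # not an ARP reply; ignore
        ip, mac = m.group(1), m.group(2).lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("mac_change", f"{ip}: {old} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # Alert exactly once, when the MAC first crosses the threshold.
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            alerts.append(("mac_claims_many",
                           f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in analyze_arp(SAMPLE_ARP):
        print(f"[{kind}] {detail}")
```

    Hosts that legitimately answer for several IPs (a router doing proxy ARP, a failover pair) need a whitelist or a higher threshold, otherwise they trip the second rule.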

    Posted in Malware, Targeted Attacks | Comments Off on ARP Spoofing and Lateral Movement

    There is one truly remarkable aspect about the social media services that people take for granted: they don’t ask their users for anything. You can talk with as many friends, take as many selfies, post as many status messages, all without paying anything.

    That may be true at face value, but that’s not really true. It’s said that “if you’re not paying for it, you’re the product.” In the world of social media, that’s definitely true. Social media companies all need to pay the bills (and more); the most common way of doing so is by selling ads.

    More than selling ads, these ads are targeted – based on what you do, say, and share on these sites. The social networks will even try to sell this as a feature, hailing these as “relevant” ads.

    Is my personal information being sold?

    Not really. The information that social networks hold about any user is far too valuable to be sold off. That information is why social media companies are worth billions of dollars. What the information is used for is to allow advertisers and marketers to target users with remarkable specificity.

    For example, an advertiser who wants to sell car accessories may choose exactly who they want to show their ads to: it can be something along the lines of males of a specific age group, who already “likes” certain car makes, etcetera. (Purely out of coincidence, this week a gathering of advertisers and marketers is being held in New York as part of Advertising Week.)

    Note that in theory, all of this information is anonymized. In practice, this means that your name is not attached to the information. However, depending on how much information you give about yourself – and what privacy settings you used – someone might be able to identify you anyway.

    In the future, not only could your data be used to customize your ads – you yourself could be used in advertising. Under proposed policy changes your name and picture can be used for advertising within Facebook as well – without you giving your direct consent. So, for example, if you “like” a certain brand, they can use your picture in their Facebook.

    Yes, I want my ads to be relevant to me. I don’t mind brands that I like letting others know that I like them.

    Some users may actually welcome these developments. Others, however, will be more skeptical. Some may even consider it equivalent to stalking, while others will just find it “creepy”.

    Others may object at this point – hang on, I didn’t agree to this! As a matter of fact, you did. By merely agreeing to use any social media site, you agree to their terms. If, unfortunately, due to the network effect you need to use a social network to stay in touch with others… you’re basically out of luck.

    Whatever the case, this is something that people should be mindful about. Social media sites will use your data to profit – and not necessarily by “selling” your information. You may not be paying with money, but you’re paying with your information.

    There are two things users can do. First, be careful about what you do share: social media sites can’t profit off what they don’t have. Secondly, if privacy controls and opts-out exist – use them. You may not always have a choice to protect your information, but if you do, use them – in order to send a message about how you value your information.

    Of course, if you’re on social media, the sites themselves are not the only potential parties you may want to protect your data from. Other users and third-party apps are on this list. To learn how to use the privacy features of social networks to your full advantage, you can consult our digital life e-guide, How to Protect Your Privacy on Social Media.

    Posted in Social | Comments Off on Paying for Social Media

    Data exfiltration is the unauthorized transfer of sensitive information from a target’s network to a location which a threat actor controls. Because data routinely moves in and out of networked enterprises, data exfiltration can closely resemble normal network traffic, making detection of exfiltration attempts challenging for IT security groups.

    Figure 1. Targeted Attack Campaign Diagram

    Related Costs of Exfiltrated Data

    The costs of cyber-espionage to a target organization are only clear after the fact. Risk calculators typically consider the up-front expenses of breach discovery: incident response activities, crisis management, and compliance-related penalties.

    Losing competitive advantage in the event that proprietary information is sold to a rival company can threaten the survival of a business enterprise on a broader scale. The “loss” represents not only the research and development expenses to refine a product, but also the sales opportunities and market leadership lost.

    Furthermore, as exemplified in the Shadow Network attacks, the attackers were able to lift out documents classified as Secret, Confidential and Restricted. Documents tagged as such, when exposed publicly, may endanger national security. For instance, restricted documents have to do with data involving the design, creation, and use of nuclear materials or weapons.

    Varied Means of Exfiltrating Data

    While the impact of targeted attacks is noticeable, the effort to siphon data from inside an infiltrated network is not.

    We recently released a report about a targeted attack campaign that used EvilGrab, where threat actors put in place backdoors that can capture keystrokes, as well as video and audio of the system’s environment, using attached microphones and video cameras. These features are part and parcel of any remote access Trojan worth its salt. As with typical data exfiltration activities, this stolen information can then be uploaded to a remote server to be accessed by the threat actor.

    One way is to use the built-in file transfer capabilities of remote access Trojans, which are malware that allow a remote user to have full control of a compromised system. Remote access Trojans or other attack tools like them will probably already be in use anyway, because the earlier stage in a targeted attack would require real-time communication and control by the attacker of the compromised system.

    Attackers can abuse legitimate Windows features as well. For instance, attackers can abuse WMI (Windows Management Instrumentation) to monitor and capture recently opened files. The attacker can then use FTP or HTTP to send the files, so that an IT admin analyzing network traffic is led to believe the communication is legitimate. Alternatively, the attacker can use Tor to mask location and traffic.

    Our researchers predict that in the future, attackers may focus on not only stealing data but on modifying data, turning the main theme of targeted attacks from espionage into sabotage. Our recently published primer on Data Exfiltration: How Threat Actors Steal Your Data goes into detail about the kinds of tools and techniques threat actors use in this component of targeted attack campaigns.
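    Because the FTP and HTTP uploads described above are chosen precisely so they blend into normal traffic, one practical check is direction rather than protocol: ordinary client HTTP sessions are download-heavy, so a workstation that pushes far more bytes out to an external host over port 80 or 21 than it gets back stands out. The following is an added example written for this post, not code from Trend Micro; the NetFlow-like CSV records, the 10/8 internal range and the thresholds are constructed for illustration.

```python
"""Flag upload-heavy HTTP/FTP flows to external hosts (added example)."""
import csv
import io
from collections import defaultdict

# Constructed flow records: src,dst,dport,bytes_out,bytes_in.
# 10.0.0.10 browses normally; 10.0.0.11 pushes ~100 MB out over HTTP;
# 10.0.0.12 uploads to an internal FTP server (benign); 10.0.0.13 uploads
# 25 MB to an external FTP server.
SAMPLE_FLOWS = """\
src,dst,dport,bytes_out,bytes_in
10.0.0.10,203.0.113.5,80,1200,85000
10.0.0.10,203.0.113.5,443,3000,120000
10.0.0.11,198.51.100.7,80,48000000,9000
10.0.0.11,198.51.100.7,80,52000000,8000
10.0.0.12,10.0.0.200,21,30000000,2000
10.0.0.13,198.51.100.9,21,25000000,1500
"""


def is_internal(ip):
    """Constructed check for this example's 10/8 LAN (assumption)."""
    return ip.startswith("10.")


def find_upload_heavy(csv_text, watch_ports=(21, 80),
                      min_bytes=10_000_000, min_ratio=10.0):
    """Aggregate flows per (src, dst, dport) and return suspicious groups.

    A group is returned as (src, dst, dport, bytes_out, out_in_ratio) when
    it targets an external host on a watched port, has sent at least
    min_bytes, and its out/in byte ratio is at least min_ratio. Transfers to
    internal hosts (e.g. a LAN file server) are skipped so normal file
    sharing does not drown the exfiltration pattern.
    """
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["src"], row["dst"], int(row["dport"]))
        totals[key][0] += int(row["bytes_out"])
        totals[key][1] += int(row["bytes_in"])
    flagged = []
    for (src, dst, dport), (out_b, in_b) in sorted(totals.items()):
        if dport not in watch_ports or is_internal(dst):
            continue
        ratio = out_b / max(in_b, 1)   # avoid division by zero
        if out_b >= min_bytes and ratio >= min_ratio:
            flagged.append((src, dst, dport, out_b, round(ratio, 1)))
    return flagged


if __name__ == "__main__":
    for src, dst, dport, out_b, ratio in find_upload_heavy(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} sent {out_b} bytes (out/in {ratio})")
```

    Legitimate bulk uploads (backups, cloud sync, video conferencing) also match this shape, so the output is a triage list to compare against known destinations, not a verdict.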

    The primer is the 5th in a series of primers we’ve developed, each discussing a different stage of an APT.


    Posted in Targeted Attacks | Comments Off on Data Exfiltration in Targeted Attacks


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice