Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2013
    S M T W T F S
    « Aug   Oct »
  • Email Subscription

  • About Us

    Archive for September, 2013

    The existence of fake mobile apps poses privacy and financial risks to users of the mobile web. As experts figure out the dangers of the consumerization and the lack of security of mobile devices, fake apps continue to grow.

    Fake apps usually ride on the popularity of legitimate apps—for example, recently fake emails said that users had received voice mail from WhatsApp. These fake messages try to trick users to download them onto their mobile devices, from which they usually perform a combination of these malicious routines:

    • send text messages to premium-rate numbers,
    • steal data,
    • control device for botnet operations,
    • alter default text and background,
    • lock device,
    • send GPS location, and more.

    Russia, a Big Fake Apps Player

    Recent Trend Micro research on SMS fraud found that fake apps that abuse premium mobile services have their roots in Russia and are expanding from there. Russia is the top target for premium service abusers in part because there are few standard app stores in the country, which makes third-party app stores popular.

    Figure 1. Countries most affected by SMS fraud

    Cybercriminals will continue to broaden their coverage to other countries and regions. Given the lucrative ways that mobile devices can be abused, it is highly likely that many cybercriminals will move to mobile platforms as their primary income source. This month’s mobile review talks about why searching for popular apps is becoming dangerous – thanks to fake apps.

    Inside a Premium Service Abuse Infection

    Fake apps that abuse premium mobile services go through a series of stages before enrolling a user without their consent. Our infographic The High Cost of Premium Service Abusers conveniently explains the four stages of a premium service abuse infection and why downloading these apps is just the first of a list of concerns.

    Posted in Bad Sites, Malware, Mobile | Comments Off on Connecting the Dots: Fake Apps, Russia, and the Mobile Web

    During last week’s Apple iPhone announcement, one of the standout features that was mentioned was the 5s’s fingerprint sensor, called Touch ID. With this technology, iPhone users can substitute the use of passwords to unlock the home screen and verify purchases in iTunes and App Store.

    Substitute is the operative word. Technology like Touch ID may well become a good added layer for securing accounts against hackers and even malware, but it will be a very long time before we can forgo all passwords entirely.

    From a security standpoint, Touch ID looks good on paper that hopefully also translates in the real world (hands-on demos are mostly positive, but we’ll see more once iPhone 5s rolls out in December). Biometrics is not new, and we’ve seen in the past how Play-Dohs can trick fingerprint sensors. The iPhone 5s will not even be the first phone to introduce fingerprint scanning, which shows that technologies like these need to be implemented properly, especially when being introduced to oft-demanding consumer market.

    Exception Rather Than The Rule

    It should also be said that technologies like these are more of the exception rather than the rule. Granted, other services may well be thinking of their own ways to address the “password problem.” For instance, a day prior to the Apple event, a Google executive was quoted as saying that “passwords are done” and that they are finding ways to innovate. Until such time that these innovations become mainstream (and hopefully standardized), users will still have to log on to their accounts by using passwords.

    We should also consider the fact that most users have more than one device to access online accounts, and these devices have their own hardware specifications. Touch ID may work well in purchasing songs via iPhone—and maybe soon in other Apple products, but if you’re going to have to access iTunes via PC, you still need your password.

    Passwords are Still Key, But Manage Them Properly

    The bottom line here is that passwords are still an important security aspect on everyone’s digital life. Granted, managing them can be a tedious task—length and complexity are needed now more than ever, especially now that even long passphrases can be brute forced. Secure computing habits, password managers like Trend Micro DirectPass, and even the built-in security features of mobile phones and other devices (yes, like the upcoming Touch ID) can help.

    To know more on how to secure your passwords across multiple devices, check out our latest Digital Life e-Guide below:


    For further reading:


    Posted in Bad Sites | Comments Off on Fingerprint Scans, Passwords, and Managing Online Accounts

    In our 2Q Security Roundup, we noted the resurgence of online banking malware, in particular the increase of ZeuS/ZBOT variants during the quarter. While ZeuS/ZBOT has been around for some times, its prevalence shows that it is still a big threat to end users today.

    For the month of August, 23% of spam with malicious attachments were found carrying ZeuS/ZBOT variants, while 19% served FAREIT variants.

    ZeuS/ZBOT variants also had the distinction of being the most distributed malware by IPs related to spam botnets. It is also associated with various worm families that can spread itself or other malware families via email. A system infected with ZeuS/ZBOT may be infected about five other worm variants like WORM_MYDOOM, WORM_VB, and WORM_BAGLE.

    Figure 1. Malware families spread by spam

    Compared to others, the majority of spam carrying either ZeuS/ZBOT or FAREIT looked more like legitimate messages, and were likely to supposedly come from well-known brands or companies.

    Figure 2. Sample FAREIT spam

    Figure 3. Sample ZeuS/ZBOT spam

    Once installed, Zeus/ZBOT variants are known to monitor users’ browsing behavior pertaining to visits to specific online banking sites. If users visit these sites and try to login using their credentials, the malware inject additional field for users to fill out and then steal these information. Cybercriminals can then use these stolen data to either initiate unauthorized transactions or sell in the underground market.

    FAREIT is another data-stealing malware that gathers emails and FTP login credentials. This malware can also download other malware variants, including Zeus/ZBOT. Previously, we saw a UK tax-themed spam that delivers a FAREIT variant, which also downloads a ZBOT malware.

    Trend Micro blocks the spammed messages and detects the malware cited in this blog post. It is important for end users to know how to tell apart legitimate email from spam, particularly those that use well-known brands as a social engineering lures. Best computing practices, such as being wary of attachments from unverified email, can come a long way when it comes to protecting your system and information.

    Posted in Malware, Spam | Comments Off on ZeuS/ZBOT: Most Distributed Malware by Spam in August

    Mobile threats can arrive via different methods. We have discussed at length the presence of malware in third-party app stores and even official app stores. We have also mentioned malware via text messages. We recently found one that took advantage of yet another method: spam.

    We encountered samples of spammed messages that were supposedly WhatsApp notifications. The message says that the user has received new voicemail. The message tries to make it more believable by including details such as the time and length of the call.

    Figure 1. Fake WhatsApp email 

    On a PC, once you click on the “play” button, you will be sent to a malicious site. This new site warns you that your browser is outdated and needs to be updated. Should you click the download button, malware will be downloaded onto your computer.

    Figure 2. Download site with malware on Windows systems

    However, it would seem like PCs were something of an afterthought. On a Windows PC, the site will download browser_update_installer.jar, detected as J2ME_SMSSEND.AF – which is a Java file for the mobile version. It is not a particularly well-suited file for a desktop.

    On Android and iOS devices, it’s clear that mobile was  considered the primary  platfrom for this threat. On Android the malicious site will download browser_update_installer.apk, detected as ANDROIDOS_OPFAKE.CTD. The downloaded file is disguised as a browser named “Browser 6.5”. Once started, the .html file shown as Figure 3 opens. If a user mistakenly click the Agree button, this malicious app will send text messages to specific phone numbers. The malware will also try to convince you to download another app onto your device.

    Figure 3. Screenshot of app posing as “Browser 6.5”

    Apple users are not spared from this attack. Should an iOS user click on the “play” button, the screen will show a progress bar while downloading an app. However, because iOS devices (by default) can only install apps from the App Store, no app is actually installed. However, on jailbroken devices, this may pose a risk.

    Figure 4. Download site on iOS site

    We mentioned in our 2Q Security Roundup that OPFAKE was one of the most prevalent Android malware families and that Premium Service Abusers were the most common type of mobile threat encountered. It looks like Q3 will not be different. The paper Fake Apps, Russia, and the Mobile Web also discussed the risks from these PSAs. This threat also highlights how some cybercriminals have gone mobile; this threat was focused on mobile devices, with non-smartphones being an afterthought. Users need to recognize this and protect themselves accordingly.

    With the additional analysis by Chloe Ordonia and Ruby Santos

    Posted in Malware, Mobile | Comments Off on Spam Leads to Multi-Platform Mobile Threat

    Much of the current discussions surrounding the growing—and inevitable—trend of consumerization are focused on the impact of bring-your-own device (BYOD) and managing the growing diversity of mobile devices. However, another aspect that IT administrators and even business owners should not forget to consider are the other consumer-oriented technologies and services employees may have access to in the workplace.

    Like BYOD, the benefits that come along with consumer technologies like instant messaging applications, social networking sites also bring about certain risks to corporate data. For one, these “consumerized” applications have had their fair share of threats that exploited their capabilities for cybercriminals’ and other threat actors’ gain.

    What Goes In, What Goes Out

    Recently, a backdoor was discovered to be attempting to compromise thousands of WordPress blogs through a brute-force attack. This poses a risk to organizations that may be using this blogging platform for corporate communications.

    Last week’s discovery of the Citadel botnet’s resurgence in Japan can be another example. According to our researchers, the recent campaign was found to be targeting customers of banking and financial institutions that are only native in Japan, specifically those with webmail accounts. This “localized” tactic is notable in itself. If put in the context of, say, a Japanese employee accessing his or her GMail account in the office and accidentally setting off a data-stealing malware in the corporate network, then the repercussions can increase exponentially.

    But beyond malware, web threats, and other attacks that will attempt to go inside the organizations’ perimeters and get access to information, the risks these consumer applications can bring may also come in the data they can bring out. As predicted, we have seen cybercriminals abuse legitimate services to carry out their attacks. The VERNOT malware is an example of such an attack: it abuses a popular (and consumer-friendly) cloud storage service to send whatever data it gathers from an infected machine.

    In addition, some businesses may have strong perimeter defense, but may not have the adequate technologies or capabilities to monitor data packets passing through “normal” Web traffic these applications use. Thus, system IT administrators may be blind to employees who are (un)wittingly disclosing information about the company through their personal emails or instant messaging conversations.

    Balancing Freedom and Control

    Organizations need to find a balance between providing enough freedom for their employees and maintaining visibility and control to their data, wherever and however they are accessed. Having a solid plan to embrace consumerization in all its technological aspects—device, software, platform, etc.—is the first step to do so. More importantly, clear and well-thought-out policies (which should include strong employee awareness programs), as well as the proper technologies and solutions to identify and protect the most critical corporate data, should also be put in place.

    To know more about managing data in consumer applications and services, check out our latest primer and infographic:

    Posted in Mobile, Social | Comments Off on Corporate Data on Consumer Applications: Striking a Balance


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice