Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Peter Yan (Mobile Security Engineer)

    Repackaged applications, which are a category of fake applications, play a crucial role in the proliferation of mobile malware. Like fake apps, repackaged apps use social engineering tactics, displaying similar user interface (UI), icon, package names and app labels as the legitimate/official version of the apps they spoofed. This is done to trick users into downloading fake apps and consequently, generating profit.

    Based on the research, nearly 80% of the top 50 free apps found in Google Play have bogus versions. These apps can range from business, media and video, and games. In addition, more than half of fake apps today are tagged as ‘high-risk’ and ‘malicious’ due to the risk it pose to the users.

    figure 1-01
    Figure 1. Breakdown of free apps available in Google Play with and without fake versions 

    Several third-party app stores distribute repackaged apps, some of which are even Trojanized apps or apps that have been modified to add malicious code. Some samples include FAKEBANK, premium abusers, and Trojanized game apps. Cybercriminals add mobile ad software development kits (SDKs) in their bogus apps so as to generate income by pushing advertisements. Furthermore, they also change the mobile ad SDKs of legitimate apps just so they can get the earnings instead of the original developers. Another means of ‘trojanizing’ an app is by inserting malicious code into classes.dex file, which can introduce risks like malware infection and data theft.

    Because of the security risks that repackaged apps pose to users, it is advisable for these app stores to include rules and audit mechanism to control the propagation of fake/repacked apps.  Google Play has implemented a rule preventing apps which are similar in terms of code and physical appearance with an already existing app.

    In the past, we discussed how repackaged apps leverage the popularity of mobile apps with Flappy Bird as a case sample in our monthly mobile review. In our research paper, Fake Apps: Feigning Legitimacy, we provided an in-depth discussion on repackaged apps, its risks to users, and ways which they can secure their mobile devices.

    With additional analysis by Symphony Luo

    Update as of July 17, 2014, 9:08 A.M. PDT:

    Note that the fake apps samples we gathered are from third party sources and none was found in Google Play.

    Posted in Malware, Mobile | Comments Off on A Look at Repackaged Apps and their Effect on the Mobile Threat Landscape

    Mobile threats can arrive via different methods. We have discussed at length the presence of malware in third-party app stores and even official app stores. We have also mentioned malware via text messages. We recently found one that took advantage of yet another method: spam.

    We encountered samples of spammed messages that were supposedly WhatsApp notifications. The message says that the user has received new voicemail. The message tries to make it more believable by including details such as the time and length of the call.

    Figure 1. Fake WhatsApp email 

    On a PC, once you click on the “play” button, you will be sent to a malicious site. This new site warns you that your browser is outdated and needs to be updated. Should you click the download button, malware will be downloaded onto your computer.

    Figure 2. Download site with malware on Windows systems

    However, it would seem like PCs were something of an afterthought. On a Windows PC, the site will download browser_update_installer.jar, detected as J2ME_SMSSEND.AF – which is a Java file for the mobile version. It is not a particularly well-suited file for a desktop.

    On Android and iOS devices, it’s clear that mobile was  considered the primary  platfrom for this threat. On Android the malicious site will download browser_update_installer.apk, detected as ANDROIDOS_OPFAKE.CTD. The downloaded file is disguised as a browser named “Browser 6.5”. Once started, the .html file shown as Figure 3 opens. If a user mistakenly click the Agree button, this malicious app will send text messages to specific phone numbers. The malware will also try to convince you to download another app onto your device.

    Figure 3. Screenshot of app posing as “Browser 6.5”

    Apple users are not spared from this attack. Should an iOS user click on the “play” button, the screen will show a progress bar while downloading an app. However, because iOS devices (by default) can only install apps from the App Store, no app is actually installed. However, on jailbroken devices, this may pose a risk.

    Figure 4. Download site on iOS site

    We mentioned in our 2Q Security Roundup that OPFAKE was one of the most prevalent Android malware families and that Premium Service Abusers were the most common type of mobile threat encountered. It looks like Q3 will not be different. The paper Fake Apps, Russia, and the Mobile Web also discussed the risks from these PSAs. This threat also highlights how some cybercriminals have gone mobile; this threat was focused on mobile devices, with non-smartphones being an afterthought. Users need to recognize this and protect themselves accordingly.

    With the additional analysis by Chloe Ordonia and Ruby Santos

    Posted in Malware, Mobile | Comments Off on Spam Leads to Multi-Platform Mobile Threat

    Early this month we blogged about the master key Android vulnerability – a vulnerability that allows cybercriminals to ‘update’ legitimate apps already installed in the user’s device and insert malicious code into them. We’ve been on the lookout to find threats that take advantage of it ever since, and we discovered one that targets users of the NH Bank online banking app.

    NH Nonghyup Bank is one of South Korea’s biggest financial institutions. Their online banking app is in high circulation among mobile device owners, having been installed from five to ten million times.

    Cybercriminals took advantage of the app’s popularity by offering a downloadable update for the app on third party app download websites. This update is of course malicious. It utilizes the master key Android vulnerability to insert a malicious file into the app, thus ‘trojanizing’ it.

    The inserted malicious file, classes.dex has a smaller file size at 205 kb, than the legitimate version.

    The cybercriminals responsible also offered an already trojanized version of the legitimate app, in case the user does not have the banking app installed on their device yet. Running the app triggers the display a spoofed page, one that asks the user to input their account information.

    The page displayed when the user executes the trojanized app.

     Should the user comply, their information would be sent to a remote malicious server controlled by the cybercriminal.

    This particular finding shows just how dangerous the abuse of the master key vulnerability is to Android users. The fact that it was used to “trojanize” a banking app makes the risk comparable to the online banking threats we know today, as it poses not just the risk of personal information leakage, but financial loss as well.

    Furthermore, since it involves the tampering of an app that is already in the device, the effect might not be at all noticeable to the user until it is too late.

    Users are advised to  download apps or app updates only from trusted sources, preferably from official sources or app stores. Trend Micro customers are protected from this threat via our Trend Micro Mobile Security App, as it can detect apps that abuse the master key vulnerability.

    Posted in Bad Sites, Malware, Mobile | Comments Off on Master Key Android Vulnerability Used to Trojanize Banking App


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice