Category Archives: iTunes

Mobile Malcoders Pay to (Google) Play

An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits, as well as a brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale.

An Underweb ad for Perkele


I recently encountered an Android malware developer on a semi-private Underweb forum who was actively buying up verified developer accounts at Google Play for $100 apiece. Google charges just $25 for Android developers who wish to sell their applications through the Google Play marketplace, but it also requires the accounts to be approved and tied to a specific domain. The buyer in this case is offering $100 for sellers willing to part with an active, verified Play account that is tied to a dedicated server.

Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of Citibank, HSBC and ING, as well as 66 other financial institutions in Australia, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey (the complete list is here). The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.

This bot kit — dubbed “Perkele” by a malcoder who goes by the same nickname (‘perkele’ is a Finnish curse word for “devil” or “damn”) — does not appear to be terribly diabolical or sophisticated as modern mobile malware goes. Still, judging from the number and reputation of forum buyers who endorsed Perkele’s malware, it appears quite popular and to perform as advertised.

Perkele is designed to work in tandem with PC malware “Web injects,” malcode components that can modify bank Web sites as displayed in the victim’s browser. When the victim goes to log in to their bank account at their PC, the malware Web inject informs the victim that in order to complete the second, mobile authentication portion of the login process, the user will need to install a special security certificate on their phone. The victim is then prompted to enter their mobile number, and is sent an SMS or HTTP link to download the mobile malware.

Once the victim has installed the mobile “security” app and verified it with a special supplied code, the app sends an SMS back to the malware kit’s license holder. Perkele also supports the removal of the mobile bot via SMS. Customers can purchase a single-use application that targets one specific financial institution for $1,000; the malware author also sells a “universal kit” for $15,000, which appears to be an SMS malware builder that allows an unlimited number of builds targeting all supported banks.

Of course, there are far more sophisticated mobile malware threats in circulation than anything Perkele could help dream up. Many variants of the cross-platform ZeuS-in-the-Mobile or Zitmo malware have emerged, but they are designed to work in tandem with a specific PC malware strain (ZeuS). What makes Perkele interesting is that it can essentially be loaded as an add-on by virtually any financial malware family that supports Web injects.

Other recent mobile malware samples identified by Russian security firm Kaspersky make Perkele look like a child’s plaything. In particular, the company identified a new Android bot that masquerades as a “cleaner” app meant to free memory for Google’s operating system but which actually wreaks havoc on your smartphone in the background and on Microsoft’s operating system when it’s connected to a PC. Some of the features of this malware include the ability to turn on the microphone on the victim’s PC, enable Wi-Fi on the phone, and snarf all of the data from the phone’s memory card.

Say what you will about Apple’s “closed” or “vetted” iTunes store for iPhone apps, but it seems to do a comparatively stupendous job of keeping out malicious apps. Last year, malware on smartphones increased more than 780 percent over 2011, according to a Kaspersky report released last month. The company found that 99 percent of the mobile malware targeted Android devices. During 2011, an average of 800 new types of malicious programs were discovered every month, and this figure rose in 2012 to 6,300 programs. The largest category of mobile malware last year was SMS trojans that hid in fake apps and links, and could drain bank accounts.

Fortunately, a modicum of common sense and impulse control can keep most Android users out of trouble. Take a moment to read and comprehend an app’s permissions before you install it. Also, make sure you download apps that are scanned through Bouncer (Google’s internal malware scanner). Finally, do a bit of due diligence before installing an app: Would you randomly grab some Windows program and install it without learning something about its reputation, how long it had been around, etc? Hopefully, no. Treat your phone with the same respect, or it may one day soon no longer belong to you.
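Reading an app’s permissions, as the paragraph suggests, can be automated against an APK’s manifest. This added Python example (not from the article or from any of the products it names) parses a constructed AndroidManifest.xml and flags the combination an SMS-intercepting banking bot like the one described needs: SMS permissions, network access, and a high-priority receiver for incoming messages. The priority threshold, the permission lists and the sample manifest are my assumptions.

```python
# Added example (not from the article): flag an Android manifest whose permission
# set matches the SMS-interception pattern described above. Heuristics are mine.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME, PRIORITY = f"{{{ANDROID_NS}}}name", f"{{{ANDROID_NS}}}priority"

# Permissions that let an app read or send the one-time codes banks deliver by SMS.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
# A channel to forward captured codes off the device.
NETWORK_PERMS = {"android.permission.INTERNET"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def analyze_manifest(xml_text: str) -> dict:
    """Return permission findings for one AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # A high-priority SMS_RECEIVED receiver runs before the stock messaging
    # app and can swallow the message, which is how SMS interceptors work.
    high_prio_receiver = any(
        SMS_RECEIVED in {a.get(NAME) for a in flt.iter("action")}
        and int(flt.get(PRIORITY, "0")) >= 1000   # assumed threshold
        for flt in root.iter("intent-filter")
    )
    sms = sorted(perms & SMS_PERMS)
    network = sorted(perms & NETWORK_PERMS)
    return {
        "sms_permissions": sms,
        "network_permissions": network,
        "high_priority_sms_receiver": high_prio_receiver,
        # Flag the combination only: SMS access plus a way to send it out.
        "suspicious": bool(sms) and bool(network),
    }

# Constructed sample: a fake "security certificate" app asking for SMS + network.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakecert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `analyze_manifest(SAMPLE_MANIFEST)` to see all three indicators light up; a legitimate app that needs only INTERNET, or only SMS without network access, is not flagged.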

Online Market for Pre-Owned Digital Music Hangs in the Balance

The future of a one-of-a-kind website enabling the online sale of pre-owned digital-music files is in the hands of a federal judge.

ReDigi, which opened in October, provides account holders with a platform to buy and sell used MP3s that were purchased lawfully through iTunes. The platform’s technology does not support other music.

Among other points, the case weighs the so-called first-sale doctrine, the legal theory that people in lawful possession of copyright material have the right to sell it.

A federal judge sided with that principle in 2008, when it debunked UMG Recordings’ claim that it retained perpetual ownership of promotional CDs it releases before an album’s debut. Last year, however, a different court ruled against now-defunct online service Zediva, which streamed movies to customers via DVDs that Zediva had purchased.

In the ReDigi case, Capitol Records sued the Massachusetts-based startup last month in New York federal court. Claiming ReDigi was liable for contributing to copyright infringement, the label is demanding U.S. District Judge Richard Sullivan immediately order ReDigi to remove Capitol-owned material, and to also award damages of up to $150,000 per track against the startup.

A ruling could come any day.

Larry Rudolph, the 15-employee company’s chief technology officer, seemed confident of the outcome.

“We let others sit around biting their nails,” he said in an e-mail.

Capitol appears equally as confident. It told Judge Sullivan that ReDigi is not the “equivalent of a used record store,” as ReDigi claims.

“ReDigi is actually a clearinghouse for copyright infringement and a business model built on widespread, unauthorized copying of sound recordings owned by plaintiff and others. Plaintiff brings this lawsuit to halt defendant’s ongoing infringement of plaintiff’s copyrighted works and to recover damages for the harm caused by defendant’s activities,” (.pdf) Capitol attorney Richard Mandel wrote.

ReDigi explained to Sullivan in court papers that its undisclosed number of account holders have a right to upload their purchased iTunes files into ReDigi’s cloud. And when a file is sold to another ReDigi account holder, no copy is made. What’s more, because of ReDigi’s technology, the original uploaded file that is sold cannot be accessed by the seller any more through ReDigi or via the seller’s iTunes account.

“ReDigi’s structure ensures that no copies of an Eligible File are made when one ReDigi user sells an Eligible File stored in the user’s Cloud Locker to another ReDigi user through the ReDigi Marketplace,” its attorney, Ray Beckerman, wrote in a court filing. (.pdf) “When such a file is purchased by another user, the file pointer associating the Eligible File with the seller’s Cloud Locker is modified to associate the file with the purchaser’s Cloud Locker. In such a transaction only the pointer is changed; the Eligible File remains in the same location in the ReDigi Cloud and is not copied.”

Beckerman, in a telephone interview, said ReDigi does everything it can to block the unauthorized duplication of files in the ReDigi marketplace. Beckerman added that ReDigi’s technology cannot stop customers from file sharing or copying iTunes music purchases before they had uploaded them to the service.

“You can’t stop the world from committing copyright infringement,” he said. “But it’s impossible to infringe through ReDigi.”

Prices for songs vary on ReDigi, with some files having asking prices as high as 87 cents. The company, which earns up to 15 percent per sale, also offers cloud-storage music streaming.

iTunes 10.5 released to fix 79 vulnerabilities on Windows, OS X to follow

Apple released iTunes 10.5 today to fix 79 vulnerabilities for Windows users and introduce support for iCloud, wireless syncing and iOS 5 compatibility.

Massachusetts Attorney General to investigate iTunes fraud

Massachusetts Attorney General Martha Coakley stated this week that her office will begin an investigation targeting Apple Computers. She is looking into whether Apple is in compliance with her state’s data breach notification laws related to fraud occurring on the iTunes store.

Twitter spammers entice clicks with free iTunes gift cards

In the past we’ve seen iTunes gift card scams spread via Facebook, and fake iTunes Gift Card certificates containing malware spammed out to email inboxes, but today the thing to look out for is iTunes Gift Card spam on Twitter.

Here are some typical messages:

iTunes gift card spam tweets

i have got,get yrs free iTunes Gift Card giveaway today [LINK]

wow,iTunes Gift Card got just today free lol [LINK]

awesome lol,today got iTunes Gift Card [LINK]

Your Chance to choose Your Best iTunes Gift Card [LINK]

Find out how to get a iTunes Gift Card! [LINK]

All of the Twitter accounts I’ve seen sending out these messages have a profile picture of a young woman (sometimes wearing skimpy clothes or a bikini – one has to wonder where they’re going to stash their iPod).

And, on closer examination, it appears that these Twitter users have been created purely for the purposes of spamming out these tweets, interspersed with the occasional random quote or saying.

So, what happens if you click on the link? Well, you visit a website which firstly attempts to work out where in the world you are. I’m writing this from the UK, and it decided to relay my web browser to a dating website for men who want to meet young Russian women.

Russian dating website

No sign of any free iTunes gift cards there, you’ll notice. Clearly the spammers are just using the lure of a free iTunes gift card to entice unsuspecting Twitter users into visiting their sites.

If you click on a link offering you a free iTunes Gift Card and end up with a Russian bride, you’re definitely doing something wrong.

It’s unlikely you’re in the market for a Russian bride, but even if you are – I wouldn’t recommend clicking on the links. They could just as easily take you to a webpage containing malware, or a site which attempts to phish your passwords from you.

Instead, report any users who you see spewing out messages like this as spammers. That means they won’t be able to bother you in future, and Twitter will investigate whether their account should be deleted.

Report Twitter spammer

Of course, it’s easy to create a brand new account on Twitter – so the spam problem on Twitter is unlikely to disappear anytime soon.

If you want to be kept up-to-date on the latest security threats on Twitter and elsewhere on the net, follow me on Twitter.


Hat-tip: Thanks to Naked Security reader @Chasapple for first making me aware of this spam campaign.
