Megaupload’s Kim Dotcom Offers to Surrender to the FBI, at a Price

Photo: Kim Dotcom

Kim Dotcom and his Megaupload associates are seeking to break the legal impasse between him and the FBI, by offering to fly to the United States without an extradition hearing in New Zealand.

In return, Dotcom demands a fair trial guarantee and return of money to support their families and to pay legal fees which are thought to be in the millions of dollars after several months of court battles.

Dotcom and seven top employees of MegaUpload are charged by U.S. authorities with operating a criminal conspiracy to violate copyright laws that netted over $500 million in ads and subscription fees. The feds seized MegaUpload’s domains and servers, as well as Dotcom’s bank accounts and fancy cars in January.

The ever-provocative Dotcom tweeted Wednesday: “Hey DOJ, we will go to the US. No need for extradition. We want bail, funds unfrozen for lawyers & living expenses.”

The German filesharing tycoon and his co-accused have a legal team comprising 25 lawyers in four countries working on their individual cases as well as that of Megaupload the company. According to Megaupload’s U.S. lead lawyer, Ira Rothken, none of the legal team has been paid yet.

But Rothken would not confirm or deny if a deal was in the making, telling Wired, “We will not comment one way or another on the involving private discussions between counsel or whether such discussions even occurred.”

On Tuesday, Dotcom was told that the extradition hearing for him and Finn Batato, Bram van der Kolk and Mathias Ortmann had been postponed until March 2013. It was originally scheduled to take place on August 7 this year.

Speaking to the New Zealand Herald, Dotcom says he hasn’t been able to pay any of his legal costs.

“They just want to hang me out to dry and wait until there is no support left,” Dotcom is quoted as saying.

Due to the twists and turns in the Megaupload case that include the New Zealand police illegally executing searches and seizures with invalid warrants, the legal process has become convoluted and is expected to take a long time to resolve.

Judge David Harvey who ordered the FBI to produce the evidence it holds on Dotcom and associates wrote in a court minute Tuesday the New Zealand Crown lawyers are likely to go to the Court of Appeal if the High Court upholds his ruling. Harvey adds that the appeal could go all the way to the New Zealand Supreme Court.

Having made the offer, however, Dotcom says the FBI will never agree to the deal as it can’t win the case against him and Megaupload and knows this already.

Android Apps Get Hit with the Evil Twin Routine Part 2: Play It Again Spam

If you have not heard of this term yet, I guarantee you will in the months to come. The term is market spam. This is not a new term or an issue that affects one or two app stores; this is a systemic problem that impacts app stores at large, where spammers focus on getting around rules and screening processes of the app stores with the goal of making a quick buck. The goal of most market spam is to get to a mass audience in the shortest time possible and to prolong its presence on a device. Regardless of how it is done, the long term effect is monetary gains for the rogue publisher at some cost to the end user.

To increase the revenue earning potential, the app developer has to maximize the length of time that they have access to a user device. There are several strategies to achieve this, which include:

  • Keep an app on a device for as long as possible.
  • Get several apps from the same developer to transit through a device as a result of suggestive download recommendations. Many apps (particularly free ones) often suggest further downloads of other apps from the same developer. Essentially this has the same effect as an extended stay from a single app.

Without strategies to extend the life of the app on the device, the window of opportunity for a market spammer to make serious money is short-lived.

To better understand the effects of these strategies, let’s look at an example of two incidents recently identified. The incidents involved two different apps using two different publisher IDs. Both were published around the same date on Google Play (June 23 or 24). The first app was a traditional smash-and-grab type malware—a Trojan that sends SMS messages to premium rate numbers. We detect it as Android.Dropdialer. The second was a pirated emulator and ROM combination file that was Trojanized using several advertising SDKs, as well as additional functionalities to carry out the strategies mentioned earlier. We detect this second Trojan as Android.Fakeapp.


Coincidentally, both apps use the same theme of a popular game as the bait to lure users into downloading the app. Before being revoked from the app store, both apps achieved substantial download counts— between 50,000 to 100,000. Looking at which app has the potential to earn the most revenue, Android.Dropdialer appears to be an obvious choice but, in this case, the obvious choice is an incorrect one.

This becomes apparent after delving deeper into Android.Fakeapp. After installation, Android.Fakeapp would display a notification to the user to download other apps from the same market spammer. This causes the number of apps on devices using the same underlying revenue generation functionality to grow.

A review of the past activities of the rogue market spammer behind Android.Fakeapp shows that since mid-May this is their fifth attempt to publish the same app using a new publisher ID each time. Despite the fact that the apps were immediately suspended on Google Play, our telemetry data has shown that the constant stream of new downloads resulting from users tapping on the download suggestions in the app, has resulted in a steadily growing user base.


The functionality of Android.Fakeapp is summarized as follows:

  • 70 percent of the app code is devoted to a combination of multiple advertising SDKs which remove or disregard any user consent requirements. There are also additional functionalities to display app suggestions for download and install.
  • 10 percent of the app code is devoted to a notification module.
  • 10 percent of the app code is devoted to a social spamming module.
  • 10 percent of the app code makes up the core (yep, that's all), which is what the user believes was installed.



Symantec has been tracking quite a few of these cases this year. The case involving Android.Fakeapp shows signs of incremental evolution in the attacks resulting from trial-and-error efforts by the publisher who has made attempts to test for weakness in app market screening processes. Apps able to pass app market screenings are released onto the unsuspecting public. The key success factor for market spammers is to translate best practices they have learned into a pseudo framework as quickly as possible.

It should come as no surprise that several high profile threat families discovered last year such as Android.Rootcager or Droid Dreams are text book examples of market spammers at work. Typical practices include not only using multiple apps, but also using multiple publisher IDs to spread the risk. Despite the fact that Android.Lightdd, the follow-up to Android.Rootcager, was also distributed by spammers on Google Play, it did not gain as much traction as its predecessor. In many ways this threat was ahead of its time as it embodies many of the techniques that are in fashion with market spammers, notably the decrease in the use of root exploits.

To be continued in Part 3.

Android.Dropdialer Identified on Google Play

Symantec has identified a new malware posted to the official Google Play market. The threats were posted as two popular titles, one as “Super Mario Bros.” and the other was packaged as “GTA 3 Moscow City”. Both were posted to Google Play on June 24 and since then have generated in the range of 50,000  to 100,000 downloads.


What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered. Our suspicion is that this was probably due to the remote payload employed by this Trojan.

This is a technique I had discussed in a blog just about a year ago, whereby the author of a malicious app would break it up into separate, staged payloads in order to avoid detection of anomalies during the automated QA screening process. In the case of Android.Dropdialer, the first stage was posted on Google Play. Once installed, it would download an additional package, hosted on Dropbox, called ‘Activator.apk’.

Figure 2. Dispersed payload process of mobile threat

This additional package sends SMS messages to a premium-rate number. An interesting feature of the secondary payload is that it prompts to uninstall itself after sending out the premium SMS messages—an obvious attempt at hiding the true intent of the malicious app. The premium SMS is targeting Eastern Europe.


We would like to thank Android Security for immediately revoking the threat after we notified them of this discovery.

Gone in 3 Minutes: Keyless BMWs a Boon to Hacker Thieves

You’ve recently spent $64,000 on your flash new BMW with keyless entry. But when you wake up one morning, you discover, in a different kind of flash, that it’s gone, stolen by hacker thieves who used the car’s keyless feature to pinch your luxury ride.

This is the reality for a growing number of BMW owners in the United Kingdom who have recently become victim to a spate of thefts, thanks to a couple of security vulnerabilities in the car’s systems. One BMW owner posted a surveillance video of the thieves taking off in the night with his car (see the video above).

The owner, who posted the video at, suspects the thieves broke the glass to access the BMW’s on-board diagnostics port (OBD) in the footwell of the car, then used a special device to obtain the car’s unique key fob digital ID and reprogram a blank key fob to start the car. It took less than 3 minutes to accomplish the feat. (That said, despite their sophistication, the thieves were, comically, unable to thwart the surveillance cameras, though they tried.)

Below is a video showing how a key fob can be programmed to start a BMW.

Jalopnik reports that BMW thieves are likely exploiting a gap in the car’s internal ultrasonic sensor system to avoid tripping its alarm when they access the car.

But there’s another security flaw in play. The OBD system doesn’t require a password to access it and program a key fob. According to Jalopnik, this is a requirement in Europe so that non-franchised mechanics and garages can read the car’s digital diagnostic data.

BMW told Jalopnik that the problem is industrywide and not unique to its cars.

“We are aware of recent claims that criminal gangs are targeting premium vehicles from a variety of manufacturers,” the company said in a statement. “This is an area under investigation. We have a constant dialogue with police forces to understand any patterns which may emerge. This data is used to enhance our defence systems accordingly. Currently BMW Group products meet or exceed all global legislative criteria concerning vehicle security.”