Variety of Android Threats Extends Around the World

As the most popular mobile platform, Android has grown exponentially in recent years, creating a large market for new developers to show their skills with novel applications. However, not all developers have the best intentions in mind; some take advantage of Android's popularity to distribute malicious applications. In this blog we will show the most important threats of the year and which countries are most affected.

The top ten detections for each month this year include scams that pose as legitimate applications, steal information from infected devices, send SMS messages to premium phone numbers, try to gain root privilege on infected devices, or display malicious adware.

In January this year, users in more than 100 countries were affected by one or more of these threats. The number of countries has been increasing ever since then, with the discovery of new and more complex malware such as Obad. Although the number of infections per country might change from one month to the next, the most affected countries usually remain the same, as you can see from the following pie charts.

[Pie charts: most affected countries, January-February and March-April.]

The same pattern holds for individual Android malware families. One of the leading families, despite being one of the oldest, is FakeInstaller. It is among the most prevalent families in Russia and other former Soviet republics. The GinMaster family, which appears in Trojanized applications and steals sensitive information, prevails in China.

[Figure: FakeInstaller prevalence in most-affected countries.]

Other threats include adware modules such as FakeRun or AdwoLeaker, which have a large presence in the United States, India, and Japan.

Another common Android threat is malware that sends SMS messages to premium-rate phone numbers. These apps often do not pose as popular games or app installers the way FakeInstaller does; they can be wallpaper apps or battery-saver apps that quietly bleed money from victims. This type of threat is present throughout the world, especially in the United States, Spain, the United Kingdom, and Singapore, as well as in China, Hong Kong, Japan, and Taiwan.

Don’t assume you are safe if your country has not been mentioned in this blog. We have found at least one threat in every country. Do not download applications from unknown sources and make sure you have installed a reliable mobile security solution to protect your devices from these threats.

MIT Website Running on Very Outdated Version of Apache HTTP Server

When it comes to website security, even institutions that you would think would be among the best able to protect themselves get hacked. In January the Massachusetts Institute of Technology's (MIT) website was hacked on multiple occasions. While that is surprising in itself, what is more surprising is that more than six months later MIT is still not taking care of the security of its website.

With our Server Details web browser extension you can see that MIT is using an outdated version of the Apache HTTP Server to run their website:

[Screenshot: MIT's website is running on Apache 1.3.41]

The version they are using is not just a little out of date. Support for Apache HTTP Server 1.3 ended in February 2010, so MIT should have upgraded to a newer version three and a half years ago.

What does it say that even after getting hacked multiple times a major institution is not taking the security of their website seriously?

Android Fake AV Hosted in Google Code Targets South Koreans

During the last two years we have observed the accelerated discovery of Android malware by the security industry. Malware authors today often create and distribute fake “antimalware” apps that simulate the scan of files on a device. These fake apps report fake threats (and sometimes make the device unusable). The goal is to get victims to pay for the “full version” of the software to eliminate the nonexistent infections.

However, not all "fake AV" threats pursue monetary gain directly by scaring users with fake threats or denying access to the infected devices. Sometimes malware authors use the good reputation of legitimate security software to trick users into installing malware that executes commands sent by a remote control server to perform tasks in the background, such as stealing sensitive information from infected devices and sending SMS messages without the users' consent.

Recently the McAfee Mobile Research team has received a new type of Android fake AV that targets South Korean users. The malware pretends to be the security software V3 Mobile Plus:

[Figure: Icon used by the malware.]

When the application executes for the first time, a fake system scan shows fabricated information: the current file being scanned (in fact just a string in the code), the number of files scanned so far (13,887 in the following screenshot), and a simulated progress bar:

[Figure: Fake system scan.]

After a few seconds the fake scan finishes and the following summary is presented to the user: One malware found (already removed) and 19,266 files (always the same number) were analyzed.

[Figure: Fake system scan summary.]

After the user clicks the "확인" (OK) button, the app closes itself and the icon that was present when the app was installed disappears from the main menu, making the user believe that the app was uninstalled. In fact, the icon is merely hidden and a service starts in the background. The service registers the infected device with the control server by sending encoded sensitive information about the device, such as the phone number and network operator:

[Figure: Malware registering the infected device.]

After that the malware constantly polls for new tasks to be executed remotely. These include sending SMS messages whose parameters (number and content) come from the remote server; this feature can be abused to send premium-rate messages. In addition, the malware silently intercepts all incoming SMS messages and sends the sender's encoded phone number and the message content to a remote server:

[Figure: SMS leaked.]
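The behaviour described above (a launcher icon disabled after the first run, a background service that registers with the control server, and a receiver that intercepts incoming SMS) leaves static indicators in an APK's manifest and decompiled code. The following Python script is added here as an illustration of how to triage for that combination; it is not McAfee's detection logic. The manifest and smali fragment are constructed to mimic the pattern, and the package and component names in them are made up, not taken from the Android/FakeAhnAV.A sample.

```python
"""Static triage for the fake-AV pattern: SMS send/receive permissions, a
high-priority SMS_RECEIVED receiver, and code that disables its own launcher
component. Added example for this page; inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(name):
    """Attribute key for android:<name> as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, name)

# Constructed manifest (package and class names are hypothetical).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
  <!-- package name is constructed for this example -->
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="V3 Mobile Plus">
    <activity android:name=".ScanActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TaskService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed smali fragment: PackageManager.setComponentEnabledSetting(
#   component, COMPONENT_ENABLED_STATE_DISABLED (2), DONT_KILL_APP (1))
SAMPLE_SMALI = """
const/4 v1, 0x2
const/4 v2, 0x1
invoke-virtual {v0, p1, v1, v2}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
"""

def permissions(root):
    return {e.get(android_attr("name")) for e in root.iter("uses-permission")}

def sms_receivers(root):
    """(receiver name, declared priority) for every SMS_RECEIVED receiver."""
    found = []
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {act.get(android_attr("name")) for act in filt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                prio = int(filt.get(android_attr("priority"), "0"))
                found.append((recv.get(android_attr("name")), prio))
    return found

def hides_icon(smali):
    """Heuristic: a const/4 loading 0x2 (STATE_DISABLED) shortly before a
    setComponentEnabledSetting call."""
    return re.search(r"const/4 v\d+, 0x2.*?setComponentEnabledSetting", smali, re.S) is not None

def triage(manifest_xml, smali):
    """Return the list of indicators found; empty for a clean app."""
    root = ET.fromstring(manifest_xml)
    perms = permissions(root)
    short = {p.rsplit(".", 1)[-1] for p in perms}
    indicators = []
    if {"RECEIVE_SMS", "SEND_SMS"} <= short:
        indicators.append("receives and sends SMS")
    if any(prio >= 1000 for _, prio in sms_receivers(root)):
        indicators.append("high-priority SMS_RECEIVED receiver (typical of receivers that abort the broadcast)")
    if hides_icon(smali):
        indicators.append("disables its own launcher component after install")
    if "android.permission.READ_PHONE_STATE" in perms:
        indicators.append("can read phone number and operator for control-server registration")
    return indicators

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_SMALI):
        print("-", line)
```

None of these indicators is conclusive on its own (legitimate SMS apps declare the same permissions), which is why the script reports the combination rather than a verdict; a receiver priority at the maximum integer alongside icon hiding is the part worth a closer look.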

This Android malware was found in a Google Code project, and it's not the first time we've seen that. However, in this particular Google Code project (which has already been removed) the Android malware was accompanied by Windows malware:

[Figure: Android and Windows malware in a Google Code project.]

McAfee Mobile Security detects the Android threat as Android/FakeAhnAV.A and the Windows threats are detected by McAfee VirusScan/Total Protection as BackDoor-DKA, Generic BackDoor.u, Generic Dropper.i, and Generic BackDoor.abf.

Outbrain Website Running Outdated and Insecure Version of WordPress

Yesterday a number of major news websites were attacked due to a breach at Outbrain, a provider of widgets that display content recommendations. While the breach of Outbrain relied on social engineering, it is clear that Outbrain isn't properly handling the security of its systems, as the company doesn't even take basic security measures with its own website. One of those basic measures is keeping the software that runs a website up to date, which Outbrain hasn't been doing:

[Screenshot: Outbrain is running WordPress 3.3.2]

Not only is that version over a year out of date, but they have failed to apply four updates that included security fixes (3.4.1, 3.4.2, 3.5.1, and 3.5.2). The release announcement for 3.5.2 included this warning:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

Considering how easy it is to update WordPress, their customers should be worrying about what other things they are also failing to do.
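Both this post and the MIT post above rest on the same check: read the version a site advertises (the HTTP Server header, or WordPress's generator meta tag) and compare it against what is still supported. The following Python script is an added example of that comparison; it is not the Server Details extension's code. The header and HTML it parses are constructed sample inputs, not captures from MIT or Outbrain, and the check date is assumed; the Apache 1.3 end-of-support date and the list of skipped WordPress security releases are the ones the posts above cite.

```python
"""Flag end-of-life server software from banner strings.
Added example for this page; sample inputs are constructed."""
import re
from datetime import date

# Branches whose upstream support has ended: (product, major.minor) -> date.
# The Apache 1.3 date is the February 2010 end of support cited above.
EOL_BRANCHES = {
    ("Apache", (1, 3)): date(2010, 2, 1),
}

# WordPress security releases the post says were skipped.
WP_SECURITY_RELEASES = [(3, 4, 1), (3, 4, 2), (3, 5, 1), (3, 5, 2)]

SERVER_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)*)")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+(\d+(?:\.\d+)*)["\']',
    re.IGNORECASE,
)

# Constructed inputs and an assumed check date.
SAMPLE_SERVER_HEADER = "Apache/1.3.41 (Unix)"
SAMPLE_WP_HTML = '<html><head><meta name="generator" content="WordPress 3.3.2" /></head></html>'
CHECK_DATE = date(2013, 8, 16)

def parse_version(text):
    """'1.3.41' -> (1, 3, 41); tuples compare correctly, unlike strings."""
    return tuple(int(p) for p in text.split("."))

def parse_server_header(value):
    """Return (product, version tuple) from a Server header, or None."""
    m = SERVER_RE.match(value.strip())
    if not m:
        return None
    return m.group("product"), parse_version(m.group("version"))

def eol_status(server_value, today=CHECK_DATE):
    """Product, version, end-of-life date (if known) and whether it has passed."""
    parsed = parse_server_header(server_value)
    if parsed is None:
        return {"product": None, "version": None, "eol": None, "unsupported": False}
    product, version = parsed
    eol = EOL_BRANCHES.get((product, version[:2]))
    return {"product": product, "version": version, "eol": eol,
            "unsupported": eol is not None and today >= eol}

def wordpress_version(html):
    """Version tuple from the generator meta tag, or None if it is absent."""
    m = GENERATOR_RE.search(html)
    return parse_version(m.group(1)) if m else None

def missing_security_releases(version):
    """Security releases newer than the running version."""
    return [r for r in WP_SECURITY_RELEASES if r > version]

def audit(server_header=SAMPLE_SERVER_HEADER, html=SAMPLE_WP_HTML, today=CHECK_DATE):
    """Combine both checks into one report."""
    wp = wordpress_version(html)
    return {
        "server": eol_status(server_header, today),
        "wordpress": wp,
        "missing_security_releases": missing_security_releases(wp) if wp else [],
    }

if __name__ == "__main__":
    print(audit())
```

The generator tag can be removed by a theme and the Server header can be minimised, so an absent banner proves nothing; a present banner, however, is exactly what a casual attacker reads first, and the tuple comparison avoids the classic mistake of comparing "3.10" and "3.9" as strings.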