Banned Chinese Qvod Lives on in Malicious Fakes

Qvod used to be a popular video player and developer in China. Due to piracy allegations and a threatened fine, the company went out of business in 2014. In spite of this, we have recently seen a number of malicious fake versions of Qvod.

One common feature of these malicious apps is to disguise their own icons to appear as the Qvod player or to use pornographic icons to attract users to install them. These apps contain a variety of malicious behaviors, including collecting user information, sending SMS that deduct payments, blocking legitimate SMS, pushing other apps (including malicious apps), and forcing users to activate the device manager.

These malicious apps are found mainly through forums, illegal video sites, and IM groups. They carry app names such as “midnight Qvod player,” “16-year-old-girl night player,” “midnight video player,” and “adult theater player.”



Examples of malicious fake Qvod apps.

After the victim installs and runs one of these malicious apps, it forces the user to activate the device manager. If the user attempts to cancel, the app occupies the entire screen, effectively requiring the user to activate the device manager. If the victim does not comply, they cannot use the phone. If the user does activate the device manager, the malware will respond to any attempt to delete the app by forcing a return to the desktop. Thus victims cannot follow the normal steps to uninstall the app.


Forcing the user to activate the device manager.

Next, the malware attempts to trick victims into paying while, in the background, it collects user information and uploads it to the server. It also downloads other apps and installs them.


Example of an automatic app download in the background.


How to uninstall 

These malicious apps cannot be uninstalled by normal means. Use the following steps to regain control.

First, we need to prevent the malicious app from locking the screen during the uninstall operation.

Code to prevent locking the screen.

Then use the following method to place the deactivate device manager window on top.

Code to detect whether the device manager window is on top and to switch it to the top position.

Finally, you must switch the uninstall window to the top position to uninstall the app. You can also accomplish this step via the Android Debug Bridge utility, using the ADB uninstall command to remove the malicious app.

Code to switch the uninstall window to the top.

If you encounter a highly resistant variant of the malware, the preceding method may not work. You will have to restore the factory settings, or root the system, and then use ADB to connect to the phone and delete the malicious files.
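For the ADB route described above, it helps to first identify which user-installed package holds device-administrator rights. The following is an added example, not McAfee's code: it assumes `dumpsys device_policy` prints each active admin as an indented `package/.Receiver:` line (the layout varies by Android version), and the listings it runs on are constructed samples.

```shell
#!/bin/sh
# Added example. Assumption: `dumpsys device_policy` prints each active admin
# as an indented "package/.Receiver:" line; layout varies by Android version.

# stdin: dumpsys device_policy text. stdout: one admin package per line.
admin_packages() {
    sed -n 's|^[[:space:]]*\([A-Za-z0-9_.]\{1,\}\)/[A-Za-z0-9_.$]\{1,\}:[[:space:]]*$|\1|p' | sort -u
}

# $1: saved dumpsys device_policy output
# $2: saved `pm list packages -3` output (user-installed packages only)
# Prints admin packages that did not ship with the system image.
third_party_admins() {
    admin_packages < "$1" | while read -r pkg; do
        if tr -d '\r' < "$2" | grep -Fxq "package:$pkg"; then
            echo "$pkg"
        fi
    done
}

# Live use against an attached phone (not called in this file).
# `adb uninstall <package>` is refused while the package is still an active
# admin, so deactivate it in the device administrators settings first.
triage_device() {
    tmp=$(mktemp -d) || return 1
    adb shell dumpsys device_policy > "$tmp/dpm.txt"
    adb shell pm list packages -3 > "$tmp/pkgs.txt"
    third_party_admins "$tmp/dpm.txt" "$tmp/pkgs.txt"
    rm -rf "$tmp"
}

# Constructed sample listings; com.example.* and org.example.* are hypothetical.
sample_dpm() { cat <<'EOF'
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10013
    com.example.nightplayer/.AdminReceiver:
      uid=10157
EOF
}
sample_pkgs() { cat <<'EOF'
package:com.example.nightplayer
package:org.example.notes
EOF
}

# Demo on the constructed samples.
d=$(mktemp -d); sample_dpm > "$d/dpm.txt"; sample_pkgs > "$d/pkgs.txt"
third_party_admins "$d/dpm.txt" "$d/pkgs.txt"; rm -rf "$d"
```

Each package printed is a candidate to deactivate as a device administrator and then remove with `adb uninstall`; system-image admins are filtered out because they do not appear in the `-3` listing.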

McAfee Mobile Security detects this threat as Android/KboVedio and prevents mobile users from downloading this app.





The post Banned Chinese Qvod Lives on in Malicious Fakes appeared first on McAfee Blogs.

New Mexico Becomes 48th State To Enact Data Breach Notification Law

On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the only two states without such a law. The New Mexico law goes into effect June 16, 2017.

Who Is Covered? Defining “Personal Identifying Information”

The new law applies to any “person that owns or licenses elements that include personal identifying information of a New Mexico resident[.]” The definition of “personal identifying information” largely tracks the definitions adopted by sister states, and includes an individual’s first name or first initial and last name in combination with one or more of the following data elements, when such data elements “are not protected through encryption or redaction or otherwise rendered unreadable or unusable:”

  • social security number;
  • driver’s license number;
  • government-issued identification number;
  • account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account; or
  • biometric data.

Biometric data is defined under the new law to mean a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to “uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account[.]” “[E]ncrypted” is defined under the new statute to mean “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security[.]” And “personal identifying information” does not mean information that is “lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public[.]”

When Is Notification Required?

Defining “Security Breach”

Notification is required under the new law when the “personal identifying information” of a “New Mexico resident” is “reasonably believed to have been subject to a security breach.” The phrase “security breach” is defined under the statute to mean the “unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.” The phrase “security breach” does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a “legitimate business purpose of the person[,]” so long as the personal identifying information is not subject to further unauthorized disclosure.

45 Day Window

Notice under the new law must be made “in the most expedient time possible, but no later” than 45 calendar days “following discovery of the security breach[.]” Notification may be delayed, however, if a law enforcement agency determines that the notification will impede a criminal investigation, or “as necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system.”

Investigation Defense / Risk Of Harm

Notification is not required if “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”

What Is Required In The Notice?

If notice is required, the new law provides specific content requirements, including:

  • The name and contact information of the notifying person;
  • A list of the types of personal identifying information that are reasonably believed to have been the subject of a security breach, if known;
  • The date of the security breach, the estimated date of the breach or the range of dates within which the security breach occurred, if known;
  • A general description of the security breach incident;
  • The toll-free telephone numbers and addresses of the major consumer reporting agencies;
  • Advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach; and
  • Advice that informs the recipient of the notification of the recipient’s rights pursuant to the federal Fair Credit Reporting Act.

Are There Exemptions?

Yes. The new law does not apply to covered persons subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.

Do The Attorney General And Credit Reporting Agencies Require Notification?

Yes. If notice goes out to more than 1,000 New Mexico residents “as a result of a single security breach” the covered person must “notify the office of the attorney general and major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p)[.]” Such notice must be made “in the most expedient time possible,” but no later than the same time that notice goes out to the impacted resident – 45 calendar days. Such notice must “notify the attorney general of the number of New Mexico residents that received notification” and “shall provide a copy of the notification that was sent to affected residents within” 45 calendar days “following discovery of the security breach[.]”

Is There A Private Right Of Action?

No. The new law only allows for an enforcement action brought by the attorney general. And in such cases, the attorney general may seek injunctive or compensatory relief. If the court determines the person violated the new law “knowingly or recklessly,” the court may also impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10.00 per instance of failed notification up to a maximum of $150,000.

5 Takeaways

  1. Encryption is key. The new law contains a safe harbor provision for encrypted data, so long as the encryption key is not compromised. The new law does not describe the specific encryption method required, as opposed to Tennessee’s new revisions.
  2. Investigation is key. Conducting an adequate and thorough investigation at the outset of a breach is critical under the new law. Conducting such an investigation will provide for extra time to complete notification, if required. It will also allow for non-notice if the investigation determines the security breach “does not give rise to a significant risk of identity theft or fraud.”
  3. Consider involving law enforcement. It may seem counterintuitive, but involving law enforcement early in a data breach case may provide extra time on notification. The federal government, and particularly the FBI and DHS, also actively encourage private business to reach out in the case of a data breach. In the case of 1,000 impacted New Mexico residents, however, notice to the New Mexico attorney general is required.
  4. Time is of the essence. The new law provides a 45 calendar day window to effectuate notice to both residents and law enforcement, when required. That means investigations need to be undertaken immediately, and without delay.

The Dentons Privacy and Cybersecurity Group is prepared to help you and your business navigate this new law, address your encryption issues, and help conduct the investigations required once a breach occurs.