Unwanted Apps in Google Play Pose as Fake AV

In recent years one of the most prevalent malware threats for PCs (and lately for Mac users) has been fake-antivirus software, which pretends to be a legitimate security program. Its real purpose is to charge victims a fee to remove a nonexistent threat. The same threat has now been ported to mobile devices. In some cases we see the same or similar behavior: generating revenue from users via SMS messages to a premium-rate number, or malware that poses as security software to encourage users to install a malicious app (such as Android/Zitmo.F).

Recently 17 suspicious applications, uploaded by the developer thasnimola, were found in the official Google Play market:

Most of them use a shield as an icon to suggest that they are related to “protection” software, but some of them also use non-AV names and descriptions with popular keywords like “free,” “Video Downloader,” “Call recorder,” and “sms” to attract users’ attention and encourage installation of the app. One interesting app is Top Free, which claims “Fast and lightweight malicious app protection for your phone.” Looking at this one further, it is clear that Top Free pretends to be AV software because it uses the screenshots of legitimate AV software as its own:

Some of them also use an “Antivirus FREE” banner on the app’s web page:

However, unlike fake-antivirus software threats for PCs and Macs, these applications do not gain revenue from users by detecting nonexistent Android malware. Instead, these apps make money using a more legitimate method: advertisements. All the suspicious apps were created using the same free online service that was used to create the Android/DIYDoS hack tool. For this reason the behavior is nearly the same: When the application is executed, a WebView component shows the contents of a URL that is stored in an XML file inside the res/raw folder:

One difference between these apps and Android/DIYDoS is that these include an advertisement module, provided by the online service that creates the applications, which sends sensitive device information (IMEI, GPS coordinates) to a remote server:
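The two traits described above (a URL embedded in res/raw that a WebView loads, and an ad module that can read the IMEI and location and send them out) can be checked statically. The following Python script is an added example, not McAfee's code and not taken from any of the apps in the post; it assumes the APK has already been unpacked (for instance with apktool) so that AndroidManifest.xml and the res/raw files are readable text, and the manifest and res/raw contents are constructed samples, since the real generator's file names and schema are not known from the post.

```python
"""Static triage of an unpacked APK for generated WebView-wrapper apps.

Added example, not McAfee's code and not taken from the apps in the post.
It assumes the APK has already been unpacked (e.g. with apktool) so that
AndroidManifest.xml and the files under res/raw are readable as text.
The manifest and the res/raw XML below are constructed samples; the real
generator's file names and schema are not known from the post.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"

# Permissions that let an app read the identifiers the post mentions
# (IMEI via READ_PHONE_STATE, GPS coordinates via the location permissions).
SENSITIVE = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample manifest of a suspicious wrapper app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wrapper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="top free">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample of a res/raw file carrying the URL the WebView loads.
SAMPLE_RAW = {
    "res/raw/config.xml": "<config><url>http://wrapper-content.example/app4.html</url></config>",
}

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="notes"/>
</manifest>"""


def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}


def raw_urls(raw_files):
    """Map each res/raw path to the http(s) URLs found in its text."""
    return {path: URL_RE.findall(text) for path, text in raw_files.items()
            if URL_RE.search(text)}


def triage(manifest_xml, raw_files):
    """Combine both signals into a small report a reviewer can act on."""
    perms = manifest_permissions(manifest_xml)
    urls = raw_urls(raw_files)
    findings = []
    if urls:
        findings.append("remote content: WebView URL(s) embedded in res/raw")
    leaked = sorted(perms & SENSITIVE)
    if INTERNET in perms and leaked:
        findings.append("exfiltration capable: INTERNET plus " + ", ".join(leaked))
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "permissions": sorted(perms),
        "raw_urls": urls,
        "findings": findings,
    }


if __name__ == "__main__":
    for report in (triage(SAMPLE_MANIFEST, SAMPLE_RAW), triage(BENIGN_MANIFEST, {})):
        print(report["package"], report["findings"] or ["no findings"])
```

Neither signal is conclusive on its own (many legitimate apps embed a URL or request location), but an app that shows only remote content and also holds INTERNET plus identity or location permissions is worth a closer look, and the extracted hostnames give you something concrete to block or monitor for on the network side.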

Here is the complete list of the unwanted applications that we reported to Google:

App Name                   Package                       Installs (Google Play)
love sms                   com.wDictionarye              100-500
jokes                      com.wcopywap2                 100-500
video convertor            com.whackmanmobisms           100-500
send free sms              com.wPhotoscapeyy             100-500
sms sender                 com.wcopywap6                 100-500
top free                   com.wcopywap4                 100-500
friendship sms             com.wvideodown2               100-500
hissam sms collections     com.wcall                     100-500
top free sms               com.wcopywap5                 10-50
sms free                   com.wSpokenEnglisheee         10-50
free message sender        com.wcopywapphoto             10-50
shayaries                  com.wTabla                    1-5
sms                        com.whissamsmscollections     1-5
sms collections            com.wChromea                  1-5
free call recorder         com.wfreecallrecorder         N/A
youtube video downloader   com.wvideo9                   N/A
free sms                   com.whissamsmscollections2    N/A


All of these have already been removed from Google Play. If you have enabled detection for potentially unwanted programs (PUPs, our default setting), then McAfee Mobile Security for Android will detect these apps as Android/DIYAds.

Variant of Mac Flashback Malware Making the Rounds

Unless you have been living under a nondigital rock recently, you have probably heard of the Flashback Trojan, which attacks Macs. Around April 4 we saw reports of more than 500,000 infections by this malware. Further, McAfee Labs has recently come across a new variant making the rounds. This is no surprise: Whenever a piece of malware or attack is successful, we are bound to encounter copies and variations.

A key thing to remember is that this is a Trojan. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the guise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels often include email, malicious web pages, Internet Relay Chat (IRC), peer-to-peer networks, and other means. As of this writing, this Trojan targets vulnerable Java plug-ins through the CVE-2012-0507 vulnerability. When a user visits a compromised page, that page often contains an iframe tag that redirects the user to another malicious page, where the actual exploit is triggered by a malicious Java applet.

OSX/Flashfake (the official detection name) is dropped by malicious Java applets that exploit CVE-2012-0507. On execution, the malware prompts the unsuspecting victim for the administrator password. Regardless of whether the user enters the password, the malware attempts to infect the system; entering the password only changes the method of infection.
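The delivery chain described above, a compromised page with an iframe that pulls in a second page hosting the Java applet, leaves a footprint in the HTML that a web-content scanner or a proxy can look for. The Python scanner below is an added example, not McAfee's code and not derived from any Flashback sample: it flags iframes that are hidden or point off-site and any applet, object or embed tag that loads Java. The sample page is constructed, and the "hidden" heuristics (zero size or CSS hiding) are this example's own choices.

```python
"""Flag hidden iframe redirects and Java applet loaders in an HTML page.

Added example; it is not McAfee's code and nothing here comes from a
Flashback sample. The sample page is constructed, and the hidden/offsite
heuristics are this example's own choices.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_TOKENS = ("display:none", "visibility:hidden")
JAVA_EXTENSIONS = (".jar", ".class")


def _is_hidden(attrs):
    """Zero-sized or CSS-hidden elements are invisible to the user."""
    width = attrs.get("width", "").strip().lower()
    height = attrs.get("height", "").strip().lower()
    style = attrs.get("style", "").replace(" ", "").lower()
    if width in ("0", "0px") or height in ("0", "0px"):
        return True
    return any(tok in style for tok in HIDDEN_STYLE_TOKENS)


class SuspiciousTagScanner(HTMLParser):
    """Collects iframes that are hidden or point off-site, and Java loaders."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            hidden = _is_hidden(a)
            # A relative src has no host and is treated as same-site.
            offsite = bool(host) and host != self.page_host
            if hidden or offsite:
                self.findings.append({"tag": tag, "src": src,
                                      "hidden": hidden, "offsite": offsite})
        elif tag in ("applet", "object", "embed"):
            # Anything that names a .jar/.class or declares a Java MIME type.
            refs = [v for v in a.values() if v.lower().endswith(JAVA_EXTENSIONS)]
            is_java = tag == "applet" or "java" in a.get("type", "").lower() or bool(refs)
            if is_java:
                self.findings.append({"tag": tag, "refs": refs, "hidden": _is_hidden(a)})


def scan_html(html, page_host):
    """Return the list of suspicious tags found in `html` served from `page_host`."""
    scanner = SuspiciousTagScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate same-site iframe, one hidden off-site
# redirector, and a tiny applet of the kind an exploit page would carry.
SAMPLE_PAGE = """<html><body>
<p>Welcome to our site.</p>
<iframe src="http://legit.example/widget" width="300" height="200"></iframe>
<iframe src="http://redirector.example/go" width="0" height="0"
        style="visibility: hidden"></iframe>
<applet code="Main.class" archive="app.jar" width="1" height="1"></applet>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "legit.example"):
        print(finding)
```

A page that carries a hidden off-site iframe and a Java loader at the same time is exactly the shape the post describes; on its own, an off-site iframe is common (ads, embedded video), so the combination, not either signal alone, is what merits an alert.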

The Trojan may arrive as the PKG file comadobefp.pkg and comes disguised as a Flash player installer:

It prompts the user for administrative rights:

Once the malware package is successfully installed, it tries to make contact with its remote sites to download any necessary configuration files:

Another characteristic of this malware is that it checks whether a firewall is installed on the target system. If one is found, it removes its own installation. (Other versions of Flashback are delivered via the sinkhole exploit.)

Infected users unwittingly download a variety of fake-AV packages. To avoid that fate, make sure you are running the latest security software on an up-to-date system, use a browser plug-in to block the execution of scripts and iframes, and use safe-browsing add-ons that help you avoid unwanted or suspicious websites.

My thanks go out to colleagues David Beveridge, Abhishek Karnik, and Kevin Beets for letting me pass along their analysis!

‘Hacktivity 2011’ Keynote Examines 25 Years of Malware

In September, I had the pleasure of giving the keynote speech at “Hacktivity 2011” in Budapest, Hungary. I was very excited to see the large audience, about 1,000 visitors, among them very serious and well-known security professionals, instructors, and security enthusiasts. It was also exciting for me because I made the presentation in my native Hungarian. I very much enjoyed the conference and was able to meet a lot of talented young security researchers.

The presentation was translated live during the talk, and the speech is also available in English. Do not be surprised that the introduction is made by a male voice, followed by several translators working in real time who had to put complex security terms into plain English while I talked very fast!

The presentation covers several important developments in the history of the last 25 years of computer malware. It has been an exciting journey for me to dedicate a large part of my life to the problems of computer threats. The presentation also details industrial control system attacks, their history, Stuxnet, and recent interesting fake AV and rootkit developments. Many of the techniques were not publicly discussed prior to my talk. Enjoy!

The English version:

And for those of you who would like to listen in Hungarian, the talk is available here:

Hacktivity 2011 – Szőr Péter: Küzdelem a kártékony kódok ellen (The fight against malicious code)

Pay-per-Install Malware Tries New Business Model

In an age in which money is king, I was surprised to discover this week a new forum that offers a lot of malware for free. I found a post, below, as well as various announcements on the Net that call this site a botnet paradise.

Curious, I attempted to register. After a one-day wait, I was able to reach the packages. This forum was just created and was open to registration for seven days (from September 9 to 15). After this date it will become private, according to a decision taken by a majority of its subscribers.

For now, most of the posts are from the site administrator and a few global moderators. Initial topics unconcerned with sales are just copied from other blogs (recent or old) without any credit to the authors. In the sellers’ areas, the most interesting offers appear in the next image.

People searching for pay-per-install offers are directed to statsbusiness.net and Best AV. Statsbusiness seems to be the new label for InstallConverter, an old affiliate platform analyzed in depth by Kevin Stevens at BlackHat 2010. Statsbusiness requires an invitation code to join. This code is freely given in a post.

It shouldn’t be necessary to introduce Best AV. In July, international law enforcement struck hard at the underground scareware (fake AV) market. Best AV disconnected its site from the web after explaining it was “impossible to pay advertisers on time and in full.” Now we find Best AV appearing at a new URL, showing the business is continuing.

The pay-per-install forum sponsors services that will install malware for a price. Many countries are available, though not Russia and some others in Eastern Europe. The four offers I quoted (in the image) refer to installation services whose websites were recently unavailable. I suspect all these services reach a unique group that is engaged in designing a new business model they hope will be more discreet.

Pay-per-install businesses can be temporarily compromised by welcome law enforcement action, but the crooks will always find a way to return.