South Korean Bank Customers targeted by Android Malware


A Mobile software company Cheetah Mobile has identified a malicious piece of Android malware that replaces the legitimate banking apps with fake versions.

According to the Cheetah Mobile report, the Trojan disguises itself as popular game or application on third party android application markets in Korea and tricks users into installing the app.

Once it is installed, the Trojan searches for the official online banking applications of south Korean Banks including Nong Hyup Bank, Sinhan Bank, Woori, Kookmin, Hana N Bank, Busan Bank and Korean Federation of Community Credit Cooperatives.

If one of these banking apps is found to be installed on the victim's device, the malware displays an alert saying that the banking app needs to be updated.  Once the update is approved,  the legitimate banking app will be replaced with the fake one.

The fake version then asks victims to enter the password to their security certificate(which is required by the South Korean government in order to access many online services).

The app then asks victims to provide their bank account number, passwords and bank security number.

At the end, the malware simply displays a fake error message informing victims that there is no Internet connection.  The malware then deletes itself from the device.

"With the information that they stole, the hackers can apply for a new certificate, which they then use to freely access the victim's bank account."says Cheetah Mobile.

The company said more than 3,000 devices have been infected in the last week alone.

Be careful when You Browse Adult contents in your Android phone

CryptoLocker Ransomware which is so far making trouble for Desktop users by scaring them into pay a fine to unlock their locked hard devices is now started to target Android users.

BitDefender have identified a new mobile version of the Ransomware which is being sold by the same group responsible for the Desktop version of Ransomware malware.

The malware dubbed as 'Android.Trojan. Koler.A' is being served to the mobile devices, when the users are browsing certain adult content websites.

The malware disguise itself as badoink, a video player that needs to be installed to get premium access to porn and tricks users into installing the app.

Once installed, the malware finds the location of victims and shows a fake warning message in their local language.

"Attention! Your Phone has been blocked up for safety reasons listed below.  All the action peformed on this phone are fixed.  All your files are encrypted.  Conducted Audio and Video" The fake message reads.

The warning message informs the victims that their files have been encrypted and they have to pay $300 ransom in order to unlock their device. 

But, No Need to Panic ! The files stored on the device are not actually encrypted as the warning message claims.  By pressing Home button, you can return to Home screen. You will have 5 seconds to Uninstall the app from your device.

Safe Mode to Remove the malicious app:
This malicious app is Not Sophisticated one, you can uninstall the app by booting the device in Safe Mode.

"The group behind this exploit is falsely and egregiously using the BaDoink
brand and logo, a brand that adult consumers have trusted for 8 years, to
spread this Ransomware."In an email sent to EHN, the company behind the legitimate version of Badoink, has clarified that they've nothing to do with this ransomware.

New Android malware 'Samsapo' spreads via Text Messages

If you get a SMS from your friend asking "is this your photo?" with a link, will you open the link or not? We want a honest answer.  Most of the people will do click the link.

If you do so, your device might get infected by a new type of Android worm!

Malware analyst from security firm ESET have discovered an interesting piece of malware, called "Android/Samsapo.A" that spreads via Text messages.

So far, the malware appears to be targeting Russian users.  Once your device is infected with this worm, it will attempt to send SMS with a malware-link to your contact list in an attempt to infect your friends.

Cyber Criminals use the old social engineering trick to lure users into install the malware.  It sends a message that says "is this your photo" in Russian language(Это твои фото?) with a link to Android application package(APK).

The malware is capable of downloading additional malicious files.  It is also capable of stealing phone numbers, text messages, personal data, device info from the infected device.  It doesn't stop with spying, it also register the victim's number to premium-rate services.  So, the victims will lose money. 

Bitcoin-Mining android malware found on Google Play Store

No matter how much Security mechanism Google try to implement to keep the malware from getting placed in Google Play store, Cyber Criminals are still able to upload their malicious apps.

We recently learned a 'fake' android anti-virus application found on Play Store and tricked more than 10,000 users into buying it.  But, Google which doesn't want to lose its reputation gave refund and $5 promo credit to those individuals scammed by this app.

Now, Researchers from Security firm LookOut have spotted another set of malicious apps on Google's Play store which turns the infected devices into a distributed bitcoin mining system.

Dubbed as 'BadLepricon', the malware disguise itself as a Live wallpaper app for android.  These five malicious apps had been downloaded between 100-500 times before Google removed them.

It seems like cybercriminals' interest in using the infected android devices to mine cryptocurrencies is increasing day by day.

Last month, LookOut reported that CoinKrypt malware hijacked mobile phones in order to use it to generate digital currency.  Few days back, TrendMicro also discovered a Java RAT which is capable of abusing the android devices to mine Litecoin.

New variant of Java RAT can use your Android device to mine Litecoin

A new variant of old Java RAT "UNRECOM" is being distributed via spam emails, detected by TrendMicro.

One such spam mail is pretending to be from American Express, informs recipients that their account have been suspended due to suspicious activity.

"Attached to this mail is your statement with the irregular activities highlighted. Please fill in the required information in the form also attached, this is required for us to continue to offer you service in a safe and risk free environment" The spam mail reads.

The attachment is none other than the Java Remote Access Trojan.


So, What is New ?
We aware this Java RAT can run on multiple platforms.  Now, it is capable of running on Android Devices. It has also Litecoin-mining plugin.  Other than that, it can capture screenshots and display messages.

In addition, the malware has also APK binder component, means it can be used to take legitimate android apps and turn them into malware.

Android malware iBanking helps attackers to hack Facebook account

An attacker can't hack a facebook account which has enabled two-step authentication, even if he know the username and password.  But, if you think Two-Step authentication is enough to keep your faebook account safe from hackers, Think Again!

Cyber criminals have started to use Android Banking Trojan "iBanking" to bypass Facebook's two-factor verification.

iBanking is malicious android application capable of intercepting SMS messages, forwarding incoming voice calls to any number and record victim's voice using mic.

Recently, RSA noted the release of source code for the iBanking trojan.  This source code leak helped other cyber criminals to customize this trojan according to their needs.

ESET reports that a customized iBanking malware targeting Facebook users is being delivered via a new variant of Computer Banking Trojan Qadars 

When a system is infected with Qadars Trojan, it will show a message when user is logging into Facebook telling them "Facebook introduces new extra safety protection system" and instructs them to install an android app.  This app will help cybercriminals to intercept SMS so that they can bypass the Facebook's two-factor verification.

"The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud." Researchers said.

Android malware steals money from QIWI Wallets

Cyber criminals are continually finding new ways to earn money using infected devices.  We aware of SMS Trojans that earn money by sending out premium-rated messages from the infected android devices.

Experts at Kaspersky have recently spotted a new Android Trojan that not only send SMSs to premium-rate numbers but also steals money from QIWI electronic wallet.

Visa QIWI Wallet is electronic payment service can be used to pay for goods and services around the world, receive payments, and transfer money.

Once installed on a device, the malware, dubbed as 'Waller', attempts to communicate with Command and control (C& C) server located at playerhome.info and awaits further commands.

Malware is capable of checking the balance of infected phone by sending SMS to mobile network operator and intercepts the reply, send SMS, open web pages, download and install other malware.  It is also capable of updating itself and send SMS to victim's contact list.

This trojan also checks the balance in the QIWI Wallet by sending an SMS to 7494.  The response messages is intercepted by the trojan and forwarded to the cyber criminals.  If there is money in the Wallet, the malware will send message to 7494 with attacker's wallet number and the amount to be transferred.

The Trojan is being distributed via SMS spam and cybercriminal's site disguising as various applications.

Pileup flaw: Android updates can be exploited by malware to gain permissions

Upgrading an operating system patches the security holes in the previous versions.  However, researchers found a bug in upgrading process of Android itself, which can be exploited by malicious apps.

A team of researchers from Indiana University and Microsoft have published a paper explains a new critical security bugs which are referred as "Pileup flaws".  The vulnerability exists in Package Management Service (PMS) of Android.

When a user upgrades android to the latest version, a malicious app with few or no permission in the old version can exploit this vulnerability to update itself with new set of permissions.

An attacker can exploit this vulnerability to steal sensitive information from the compromised device, change security configurations and also prevent installation of critical system services.

Researchers say they have confirmed the presence of security hole on all official android versions as well as 3,000 customized android versions.

Researchers also have developed a new service called 'SecUp' which is capable of detecting the malicious apps designed to exploit PileUp vulnerabilities.

Dendroid, a new Android malware toolkit

Number of malware for Android platform is increasing day by day.  Cybercriminals trying to sell android-malware toolkit to others.  The first Android Remote admin tool is AndroRAT which is believed to first ever malware APK binder.

Symantec researchers have come to know another android malware toolkit called "Dendroid" is being sold in the underground forums.

A cybercriminal going by online handle "soccer" in the underground forum is selling this HTTP based RAT which is said to be having many malicious features.

The toolkit is able to create malicious apk file capable of 'deleting call logs', 'call to any number', 'open webpages', 'record calls', 'intercept sms', 'take and upload photos&videos', 'dos attack'.

Researchers say the cybercriminal also offer 24/7 support for this RAT.  Others can buy this toolkit by paying $300 through crypto currencies such as Bitcoins, Litecoins.

Experts have mentioned that this RAT has some link with the previous AndroRAT saying "the author of the Dendroid APK binder included with this package had assistance writing this APK binder from the author of the original AndroRAT APK binder.   "

Android SMS malware hosted on Google Play infects 1.2 Million users


Experts often suggest to download android apps only from Google Play to avoid malware infection.  But, it doesn't mean that we can trust all of the apps hosted on Google.  

Security researchers from Panda security has found more than five malicious apps being hosted on Google play.

The apps in question appear to be targeting users in Spain.  Name of the apps are in Spanish: “Peinados Fáciles” (Easy Hairdos), “Dietas para Reducir el Abdomen” (Abs Diets), “Rutinas Ejercicios para el Gym” (Workout Routines) and “Cupcakes Recetas” (Cupcake Recipes).

The apps obtain phone number of the infected device from WhatsApp and uses it to sign the victim up to a premium rated SMS subscription services.

Researchers say that each of these apps have been downloaded by between 50k and 100k users. It means that between 300k and 1.2 Million users might have affected this malware.

“The truth is that fraudsters are making insane amounts of money from these premium services. A conservative estimate of, let’s say, €20 paid by each user would result in a huge sum of 6 to 24 million euros stolen from victims”, said Luis Corrons, Technical Director of PandaLabs.

Android malware delivered via windows, when debugging-mode enabled

Be careful if you are connecting your android device to others computers! 
A New windows-based malware installs malicious application in debugging-mode enabled android devices.

Usually, malware applications get installed in your device, only if you have changed the default security settings to allow apps from third-party app stores.  But, Malware analysts at Sophos say a malware still can reach your device, even if you have not enabled so-called "off-market" apps.

When you have enabled USB debugging mode,  you can install apps directly from your windows machine.  A new windows-based malware appears to be taking advantage of this facility.

The malware first register itself as a system service and downloads a configuration file "iconfig.txt".  The iconfig.txt file contains the list of exe files to be downloaded in the infected machine.

"Samsung.exe, LG.exe, AdbWinApi.dll, AdbWinUsbApi.dll, aadpt.exe, adb.exe, AV-cdk.apk, ok.bat" are the files downloaded by the malware.

The "ok.bat" is a batch file that runs "C:\Users\Yourname> adb install AV-cdk.apk" in your command prompt, results in the malicious apk file getting installed in your android device.

The name of apk file sounds like it is pretending to be an Antivirus, but once installed, the app disguise itself as "Google Play store".

Researchers suggest to turn it off the Android Debugging option, when you don't need it.

Android Malware HeHe steals messages and Intercepts phone calls


Security Researchers from FireEye Labs have discovered six variants of a new Android malware dubbed as "Android.HeHe" which is capable of stealing SMS and intercepting phone calls.

The malware is being distributed as a security update for the Android OS. Once it infects a device, it communicates with the command and control(C&C) server and monitoring incoming SMS.

Phone details including IMEI, IMSI(International mobile Subscriber Identity), phone number, OS version, model of the phone are being transfered to the C&C server.

It also checks whether the IMSI code is null so that it can determine whether it is being executed in Emulator or in real device(Emulators don't have IMSI code).

The C&C server responds to the device with a list of phone numbers. If the infected device receives SMS or phone call from one of these numbers, the threat intercepts the message or call.

Text messages from one of these numbers are captured and stored in the attacker's server. Any phone calls from these numbers are silenced and rejected.

Fake Minecraft Android App sold at cheap price contains virus code


A fake version of Android app "Minecraft - Pocket Edition" is found to be hosted on third-party marketplaces which contains a malware code.

These kind of fake and malicious version of apps are usually available for free.  However, cyber criminals made some exception for this app which is being sold for half of the actual price of the original app.

PC Magazine reports that F-Secure researchers have discovered a trojanized version of the Minecraft PE asking users to pay 2.50 Euros- the original app costs5.49 Euros.

The cyber criminals didn't stop by just scamming with fake version, they also added malicious code.  It will send SMS to premium rated phone numbers and sign up victims to expensive services.

Researchers have noticed that this malicious app is using a hacking tool called "Smalihook" to bypass "an authentication routine that causes it to fail to run if it does a certificate verification check and doesn't find the correct certificate". 

The good news is that it is only hosted in some third-party app stores but not in the official Google Play store.  This is one more example why you should never trust third party app stores, always download apps from Google Play.

One of the largest Android Botnet 'MisoSMS' steals messages

Security researchers from FireEye have uncovered one of the largest Android botnet which they dubbed as "MisoSMS".  The botnet is said to have been used in at least 64 spyware campaigns.

According to the report, the malware disguised as an "Android settings" application used for adminstrative tasks.

 The threat is designed to steal messages from victims and emails the messages to a Command and control(C&C) server located in china.

 the most of the infected devices are from Korea.  The cybercriminals behind this botnet logged into the server from Korea, China and few other locations in order to read the stolen messages.

FireEye said they are collaborating with the Koran law enforcement and Chinese webmail vendor in a effort to disrupt this botnet.

New variant of Mouabad malware can make phone calls from Your Android Mobile

We already aware that there are android malware which are capable of making money for cyber criminals by sending SMS to premium rated numbers.

A New variant of Android mobile malware 'Mouabad' spotted by Lookout allows cyber criminals to make phone calls from infected devices without user intervention.

The malware is cleverly designed to avoid detection, it attempts to make phone calls only when the device is locked. When the victim unlocks the devices, it ends the call.

However, it can be easily detected by looking at the call histories, as the malware is not designed to delete the call logs.

Fortunately, the malware only works on android older than version 3.1. So, those who have the latest android version need not to worry.