Friday, September 20, 2013

Fake AV Malware Hits the Android

Mobile Defender - the last line of protection

Having studied malware delivered by spam for the past seven years, it is a fairly rare event for me to be amazed by something new, but that is exactly what happened today thanks to a new finding by Brendan Griffin, the lead author of Malcovery's Today's Top Threats report.

In yesterday's report, Malcovery customers were informed of a prevalent spam email that used the subject lines:

  • Voice Message Notification
  • 1 New Voicemail(s)
  • 2 New Voicemail(s)
  • 3 New Voicemail(s)
  • 4 New Voicemail(s)
  • 5 New Voicemail(s)
  • 6 New Voicemail(s)
When the spam messages from this campaign are rendered in an HTML mail viewer, the received message looks like this:

For a Windows user who clicks on the link, the malware distribution site calculates a location and drops a .zip file to the visitor with a name appropriate for their location. For example, in yesterday's T3 Report, Brendan documented the behavior of a file he received from "bhaktapurtravel.com.np" that was named "VoiceMail_Birmingham_(205)4581400.zip".

At the time of Brendan's review, only 6 of 48 Antivirus vendors detected the .zip file as malicious according to this VirusTotal Report for zip.

The unpacked file, which used an icon displaying a musical note on a sheet of paper, fared little better, with only 7 of 48 detections as shown in this Virus Total Report for exe.

Twenty-four hours later, that detection is up to 21 of 48 detections, with several vendors (AntiVir, DrWeb, Microsoft) calling the malware "Kuluoz" while BitDefender, EmSoft, and F-Secure prefer the name "Symmi".

Android Version?

Given that the email message was claiming to be from an Android application called "WhatsApp", Brendan revisited the link, using a User-Agent string that would be commonly associated with an Android-based browser.

Instead of receiving an .exe file, when using the Android emulation mode, Malcovery received *AND INSTALLED* a file called "WhatsApp.apk". Examining the code, Brendan found bilingual messages in Russian and English that seemed to indicate that various malware packages had been found on his phone. Here's one example that seems to claim the presence of Downad/Conficker:

The Android malware, which had the MD5: 5290df867914473426b82233567c03af, was much better detected by AV engines ...

At first glance, that seems quite encouraging! But think about it more. What possible good does it do you to have AVG, ESET, F-Secure, Kaspersky, and Trend Micro telling you that this APK file is hostile? You certainly aren't running any of their Anti-virus products on your Android phone, are you?

Brendan decided it was time to put this malware into a true Android phone, and received some shocking results, shown below!

First, the Android App pretends to scan your phone for malware . . .

And then, it asks you for your credit card information in order to buy the "Mobile Defender" application to protect your phone!

We were amused by the "Lifetime Software License" which offers a 60% discount. I wonder how many years they expect us to live to calculate that discount! Hopefully they are referring to the lifetime of their malware, rather than us or our phone!

Historical FakeAV Scams

We certainly have been talking about Fake AV for a long time! Here are some of our previous articles on the subject, dating all the way back to 2008 -- but this Fake AV on Android Phones was a first for us, especially in such a prominent spam campaign!

FTC Moves against Fake AntiVirus ScareWare Companies - Dec 2008
Conficker Fears Spread Fake AV - April 2009
Fake Twitter, Linked In, and ScribD pages lead to Fake AV - June 2009
Fake AV in the News - April 2010
MasterCard Spam leads to Fake AV - July 2011

Sites seen in spam with either "info.php" or "app.php" malware links

Each of the sites below was found in spam in the Malcovery Spam Data Mine, either with an "app.php" path, such as "/app.php?message=7nof02WSsCV044njNqRS+F1mNBPcaaHD7u7VE/2vY7c=" or an "info.php" path such as "/app.php?message=NaZNY1tYTjYL5u0C/rimmNLlnDKRleqTEBJme/hthH4="

We believe that each of the sites below was compromised to allow the criminals to insert the "app.php" or "info.php" file on their system.

At this time, we are unsure whether the "localization" seen on the Windows version of this malware is based on geolocation of the infected computer's IP address, or whether the parameter passed in the URL contains an encoding of the user's location. Every URL observed had a unique string in the "message=" portion.
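As an added example (not code from this post, from Malcovery, or from the campaign's own scripts), the script below does what a mail or proxy analyst would do with the URL pattern described above: match the "app.php" / "info.php" lure paths, pull out the "message=" parameter, base64-decode it, count hits per compromised host (the same aggregation as the table that follows), and check whether the decoded bytes are readable text. The five sample URLs are constructed for the example; the two "message=" values are the ones quoted above, and the host names are taken from the list below. The regex names, the function names and the printable-text check are assumptions of this example. On the two quoted values the check shows 32 opaque, non-printable bytes, which is all the data here allows one to say about whether the parameter carries a location.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample input (not from the post): URLs as a mail gateway or
# web proxy might record them. The two "message=" values are the ones the
# post quotes; the hosts come from the post's list of compromised sites.
SAMPLE_URLS = [
    "http://bhaktapurtravel.com.np/app.php?message=7nof02WSsCV044njNqRS+F1mNBPcaaHD7u7VE/2vY7c=",
    "http://babytoysbaby.com/info.php?message=NaZNY1tYTjYL5u0C/rimmNLlnDKRleqTEBJme/hthH4=",
    # Same value as the first URL, but percent-encoded as many proxies log it.
    "http://babytoysbaby.com/app.php?message=7nof02WSsCV044njNqRS%2BF1mNBPcaaHD7u7VE%2F2vY7c%3D",
    # Constructed non-matches: a harmless path, and a lure path whose
    # parameter is not base64 at all.
    "http://example.com/index.php?message=hello",
    "http://example.com/app.php?message=not*base64!",
]

# Lure file names the post reports on the compromised sites.
LURE_PATH = re.compile(r"/(?:app|info)\.php$")
# Extract the raw message parameter without touching '+', '/' or '='.
MESSAGE_PARAM = re.compile(r"(?:^|&)message=([^&]+)")


def classify_url(url):
    """Return (host, decoded_bytes) when the URL has the campaign's shape:
    a lure path plus a message parameter that is valid base64.
    Return None for anything else."""
    parts = urlsplit(url)
    if not parts.hostname or not LURE_PATH.search(parts.path):
        return None
    match = MESSAGE_PARAM.search(parts.query)
    if not match:
        return None
    # unquote() reverses percent-encoding but leaves a literal '+' alone;
    # parse_qs()/unquote_plus() would turn '+' into a space and corrupt
    # the base64 alphabet, so the first sample URL would never decode.
    raw = unquote(match.group(1))
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None
    return parts.hostname.lower(), decoded


def looks_like_text(blob):
    """True if every byte is printable ASCII, i.e. the parameter would be
    a readable encoding rather than opaque bytes."""
    return all(0x20 <= b < 0x7F for b in blob)


def summarize(urls):
    """Count matching URLs per host (the post's 'count / machine' table)
    and collect the distinct decoded message values."""
    per_host = Counter()
    blobs = set()
    for url in urls:
        hit = classify_url(url)
        if hit is None:
            continue
        host, blob = hit
        per_host[host] += 1
        blobs.add(blob)
    return per_host, blobs


if __name__ == "__main__":
    counts, blobs = summarize(SAMPLE_URLS)
    for host, n in counts.most_common():
        print(f"{n:>3}  {host}")
    for blob in blobs:
        print(f"{len(blob)} bytes, printable text: {looks_like_text(blob)}")
```

Run as a script it prints two hosts with their hit counts and, for each distinct decoded value, its length and whether it is printable. Two details matter when this is run over real logs: the percent-encoded and literal forms of the same parameter must decode to the same bytes (the third sample URL shows that), and the '+' in the parameter must survive query parsing, which the standard form-decoding helpers would silently break.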

count  machine
24  babytoysbaby.com
22  bhaktapurtravel.com.np
22  tsypa.ru
19  manchesterbuddhistcentre.org.uk
18  koshergiftsuk.com
17  casperscomputers.com
17  mywebby.ru
16  ifuneral.it
16  tk-galaktika.ru
15  mdou321.ru
14  thaiecom.net
14  thenewdabbs.com
14  locweld.com
14  gourmetschlitten.com
14  sadafmirza.com
14  serov1.com
14  growlerscraftbeerandales.com
13  globalpeat.com
13  dj220w.ru
12  improvisera.net
12  www.raspinawin.com
12  srivivekananda.com
12  amicidelcuore.info
12  shop-rakushki.ru
11  rkbtservice.ru
11  djvakcina.com
11  muzikosfabrikas.lt
10  ikarplus.com
10  katrinfil.ru
10  ladwig-gmbh.de
10  profnastil-sm.ru
10  cateringjaipur.com
10  clockcards.ie
10  lichtenauer-fv.de
10  mrsergio.com
10  gseo.it
10  mirvshkatulke.ru
10  albecoperu.com
 9  dimater.com
 9  dezibelmusik.de
 9  goldnart.ru
 9  rickhelpt.nl
 9  designmakers.kz
 9  crazyparty.com.pl
 9  tc.CastineLLC.com
 9  gustavblome.de
 9  autopialighting.com
 9  eckkaluga.ru
 9  redmangoindo.com
 9  olimpodelbenessere.it
 9  mazdaparts.su
 9  lexbox.am
 8  pennerimperium.de
 8  yakitoriya-mo.ru
 8  dush80-svao.ru
 8  mastersonpr.com
 8  slocis.com
 8  art52.ru
 8  tva.ru
 8  frescomeble.pl
 8  darkstudio.net
 8  orbitmotion.com
 8  cam.shaksha.ru
 8  www.chelyabreduktor.com
 8  everyday24h.de
 8  www.auxtribusindiennes.com
 7  dialoguetrust.net
 7  magavilla.com
 7  structuredsettlementsannuities.com
 7  brainseal.com
 7  bareli.co.il
 7  colorpaco.com
 7  kasutin.ru
 7  www.myinnerpc.com
 7  fasthotel.ru
 7  whiteys.co.uk
 7  smsa.pt
 7  granitderi.com.tr
 7  ntsysteme.de
 7  artisan-co.ru
 7  mosobladvokatura.ru
 7  gamez.com.ua
 7  sentabilisim.com
 7  tufts.biz
 6  angelomasotti.it
 6  tripdogs.com
 6  ciarko.by
 6  big-cock.biz
 6  softrace.no
 6  haugesund-toppidrettsgymnas.no
 6  samedaystationery.co.uk
 6  tadaphotography.com
 6  dyffryn.org
 6  hochseilgarten-springe.de
 6  bagnaradiromagna.net
 6  sitallsmolensk.ru
 6  humtata.de
 6  tiarahlds.com
 6  allpress.biz
 6  zdrowieonly.ovh.org
 6  webasto-ufa.ru
 6  custers.ru
 6  hansobermeier.de
 6  ziehdichauskunft.com
 6  venetamalaysia.com
 6  cathedralcityestates.co.uk
 6  paminklaizidiniai.lt
 6  mbuhgalter.ru
 6  shilvi.com
 6  orderschering.com
 5  mouvsoch185.ru
 5  zenxual.com
 5  michael-roos.net
 5  easywebmexico.com
 5  agapy.com
 5  marsperformance.ru
 5  muzacikunovice.cz
 5  andyxator.ru
 5  bahfuture.org
 5  cfgb.fr
 5  golazvezda.ru
 5  mapradio.org
 5  therabrands.com
 5  goetzke-krottelbach.de
 5  paleorecip.es
 5  rus-futbolka.ru
 5  lcc.org.au
 5  stolk.de
 5  mikemetcalfe.ca
 5  nbvf.nl
 5  juszczyn.eu
 5  izumrudny.org
 5  myinnerpc.com
 5  burtonbrothers.net
 5  asesoriacontableperu.com
 5  dustycatwriter.com
 5  coolpcgames.co.uk
 5  wallmountainweb.com
 5  airspill.com
 5  schweitzers.com
 5  cond.ru
 5  trimeducation.com
 5  bfphotography.eu
 5  meter-online.info
 5  organocontinuo.com
 5  damsit.com
 5  ahkrc.org
 5  tc.castinellc.com
 5  muralzbyjean.com
 5  gubo.com
 4  paulhughestransport.com
 4  koo-doo.ru
 4  louisedenson.com
 4  mcmillandefense.com
 4  avionstudio.com
 4  permanentmakeup-soest.de
 4  rogerclarkejohnson.com
 4  solovy.ru
 4  simoneliebst.de
 4  georgysphoto.ru
 4  initsiativa.com
 4  mephics.co.tz
 4  pax-sancta.de
 4  physiotherapie-kies.de
 4  idollighting.com
 4  semeylib.kz
 4  foundationforhealthaction.org
 4  ekimenko.net
 4  mikroeta.lt
 4  contact.com.vn
 4  yu7.ru
 4  srmarketers.com
 4  supercarsofmoscow.ru
 4  greaterbaycomputer.com
 4  coffsdentalcentre.com.au
 4  admingo.ru
 4  5100429.ru
 4  skupina-lira.si
 4  planeta-avtomat.ru
 4  personalcarephysio.ca
 4  iperidrosi.org
 4  dxixisport.com
 4  guru27.ru
 4  holenefesh.com
 4  zag.com.ua
 4  yildizotel.com.tr
 4  shinyvsem.ru
 4  dr-nonna.ru
 4  niessing-gladbeck.de
 4  uwes-futterkiste.de
 4  boat-plastic.ru
 4  morterablanca.com
 4  co-co-mail.net
 4  vizazh.zp.ua
 4  verfassungsschutz-bw.de
 4  darkmatta.com
 4  www.kip26.ru
 3  veerbootkobus.nl
 3  fehoozy.com
 3  juhatanninen.com
 3  artedangi.com
 3  truesouthmanagement.com
 3  paternocalabro.it
 3  tennissimo.be
 3  westsaitama.com
 3  venoras.com
 3  netbook.com.ua
 3  einstalacje.pl
 3  kovka1.ru
 3  piotrkozak.com
 3  momks.org
 3  tcpredatorsbaseball.com
 3  autovaza.net
 3  surya.org
 3  fiskr.ru
 3  piediplomacy.com
 3  dis-travel.ru
 3  sportsbettingonlineusa.net
 3  dmitriy-vasilchuk.com
 3  craftyfolks.net
 3  cityglobal.ru
 3  isuzu.loader.com.ua
 3  isa-scouts.de
 3  www.michael-roos.net
 3  www.ninja-ninja.com
 3  net2day.tk
 3  maov.info
 3  elmetsystem.pl
 3  tischlerei-klemm.de
 3  such-spinne.de
 3  pts.kovrov.ru
 3  thundermistpowerboats.com
 3  sungatov.ru
 3  harald-rupp.com
 3  shermes.biz
 3  auronzo.it
 3  yakrus.com
 3  gogreenbravo.com
 3  tengritel.kz
 3  sewretro.com
 3  oilhelp.info
 3  bdlmachines.com
 3  cypresshomecareinc.com
 3  yalublutebyazhizn.ru
 3  specialistdental.com.au
 3  trivenidigital.com
 3  englishteam.ru
 2  e-nt.de
 2  cargor.net
 2  ingredientspring.com
 2  cthmail.de
 2  corpstroy.ru
 2  heartwood.com
 2  na-derevnu-dedu.ru
 2  swanseacity.co.uk
 2  mdou104.ru
 2  assistantinukraine.com
 2  wowbestservers.com
 2  arsenalyar.ru
 2  velvet-sound.ru
 2  intimdosug38.ru
 2  supertouch.co.in
 2  chemycards.com
 2  cebuhomesville.com
 2  leaderscenter.com
 2  rolandward.co.uk
 2  ignologics.com
 2  zarco-sic.com
 2  etarlo.ru
 2  bigpk.ru
 2  ofis-v-nikolaeve.com
 2  ravolna.ru
 2  pyora68.net
 2  poster.ua
 2  scottishtaxifinance.co.uk
 2  formularmaker.com
 2  ais-stroi.ru
 2  bluereefwatersports.com
 2  fundigital.org
 2  avminho.pt
 2  pechatiboom.ru
 2  filtrum-safari.ru
 2  aquatechperu.com
 2  butik-koles.ru
 2  visumconsulting.com
 2  warehouseboxing.com
 2  elviras-tischdeko.de
 2  homemoney.ru
 2  mar-kant.nl
 2  eeesolution.com
 2  microfi.co.uk
 1  neps.ru
 1  christel-gekeler.de
 1  open-63.ru
 1  hardmetalunderground.com
 1  nickparton.com
 1  dieschrauba.at
 1  gardi.eu
 1  vivasan-forum.ru
 1  aki-kowalstwo.pl
 1  dotmatt.com
 1  wesselinkgmbh.de
 1  turfirma-yaroslavl.ru
 1  positivelynaked.com
 1  barkersofwindsor.co.uk
 1  assignmentwriting.co.uk
 1  manfred-konrad.de
 1  frenken-adviesburo.nl
 1  alumdeco.ru
 1  pawsathome.ca
 1  demonic3d.com
 1  computing4schools.co.uk
 1  visibus.ru
 1  nazike.com
 1  vitapool.ru
 1  eventlocation-kiel.de
 1  radio-kabyle.com
 1  stkiliansnsmullagh.ie
 1  spentec.ca
 1  gsp35.ru
 1  shkolaimperatritsy.ru
 1  cdrv.ru
 1  altaicompass.com
 1  pototype.com
 1  line-message.net
 1  sad-natali.ru
 1  gie-expo.com
 1  lkmining.com
 1  sonyfoto.com.pt
 1  schulezorneding.de
 1  angelkeeper.ru
 1  enlightenpro.com
 1  burim.by
 1  pp73.ru
 1  avitrade.ru
 1  centik.de
 1  nevertoolatebook.com
 1  alyes.nl
 1  romchik.com
 1  towi69.de
 1  eplater.co.uk
 1  intal.net.ua
 1  radio-germanija.de
 1  manjitubhi.com
 1  carrahar.co.uk
 1  arenda-t.ru
 1  torbeta.com
 1  ventoz.ru
 1  babysun-volga.ru