Tuesday, January 22, 2013

Leadbolt Adware in Fraudulent "Cracked" apps.


A good article from GFI Labs shows the danger in downloading Android apps that advertise as being Cracked. Another review by Threatpost gives more information as well. The samples that can be found at getwapi[dot]com is just one of many apps that advertise cracks for paid software. You have to be very careful downloading stuff off alternate markets as  lot of "cracked" software can lead to stuff much more dangerous then just adware.  PJAPPS, which are valid software with malicious code added, can cost money and cause significant data loss.




After searching the site myself for a sample of the "cracked" software, I found that they where hosting apps on 4shared and it looks like they removed all of the fraudulent apps from the above GFI article.

"'MB Notifications for Facebook.apk' is unavailable. This file is no longer available because it's identical to file banned because of claim."

Luckily for me I managed to snag a copy before they where all removed. You can download the copy here. If you take a look at its Virus Total results you can see that it is LeadBolt adware. Leadbot, like most adware programs leaks data and can cause a massive drain on the battery of a device at the same time as hijacking ads and pushing new ads. Getting multiple copies of these apps running at the same time can cause a lot of confusion and be very annoying. Too many copies of this type of advertising and the android device will crash or become corrupt.

 I don't think that we will see the last of apps like this as already a sister site called runamux[dot]net has already been created and is hosting similar apps.  The best way is to not become infected with malware is to refrain from downloading potentially stolen apps from alternate sources. However, if you are going to "play" outside the confines of official markets like Google Play or Amazon, remember to download and protect your device with an antivirus mobile suite. Check out my blog post here for a few ideas or scroll to the bottom of the site for a list of free ones from Amazon.


Stay safe out there
-R`/4N

Wednesday, January 16, 2013

Android.Troj.mdk AKA Android.ksapp

There's a lot press and scare tactics that originated from an article at threatpost today.  After reading the article and the translated article straight from China, I decided to take a look for some samples myself.  After scouring the internet, I got a few samples to check out, and I found that this is nothing more then a new variation of Ksapp. Ksapp is a bot-net that can be used to download new programs or launch a DDOS attack from Android devices and is bundled with hacked legitimate applications and spammed out to the alternate Chinese markets.

This new one is not that much different, except the C&C servers have changed and it downloads a secondary hidden program in-case you delete the first one.

The new C&C servers can be found at:
hxxp://wap.juliu[dot]net/control.html?
hxxp://app.looking3g[dot]com:30125/serv?

Also, you can download the secondary APK at:

hxxp://app.looking3g[dot]com:30211/t/dha.so


(please note these are live UNCENSORED links and may not be active forever.)

So, remember to always use known safe markets and download and install a mobile Antivirus.  It looks like for this one ESET is the only one detecting it as of now.

Stay safe out there -R`/4N

Thursday, January 10, 2013

Sorta Fake Anti Virus "Android Armour"

A post Today on Sophos Caught my attention and I decided to take a look at this myself. So, I went to the website, http://androidarmour.com/, to invastigate further. This is one big scam and I don't think it will take too long for most to catch on. As it stands now it looks like only Sophos and Eset detect these, but I doubt it wont be long before they all do. Just like the article said it deep scans every file on your device by sending each one over to Virus Total, a FREE scanning site by the way, then it charges you 99 cents a week for a service which you could do for free.  While this could be beneficial it sets your phone up to all kind of weird things like deletion of false positives by any of the numerous scanners on Virus Total, some of which are specialized to the needs of a few corporations.  But what the Sophos article didn't explain in-depth is that it also sets you up to have your private info leaked all over the internet.
 
What Virus Total does, which by the way is owned by Google, is publicly scan a file against all active virus scanners in it's database.  It also saves all files submitted in a massive "malware" database for "private" use by security professionals. So, you just got those naked pics for your boyfriend or girlfriend and saved them on your phone with "Android Armour" installed, or even worse (yes worse then that!!!) you saved an earnings report to work on at lunch or you used your phone with a credit card machine to pay your bills. So, now all of those files are now owned by Virus Total, Google, and every other security company or professional that pays Virus Total for access to downloads.  I hope you don't mind a bunch of geeks in an office somewhere goggling over your girls naked chest while your leaked earnings report causes stocks to plummet and your credit card info is being used to make a purchase at Macy's. While that's an extreme example, any company that claims to be a security company and an anti-malware company needs to tell you what they do with your data if they take it all.

So... they are just sending data to another security company, one owned by Google, non the less and this still could be beneficial and very time saving to have my files scanned against every major AV company there is, right? No, what Sophos either field to mention or didn't notice is that your personal information is also being tracked and sent to an advertiser at https://mixpanel.com/.  Check out what mixpanel does in this mashable article.

To check out this APK yourself, you can download it from here.  This is an uncensored link diretly to the malware page, so don't actually install it on your device. It can be a real pain to uninstall as it requires admin privileges. Don't worry about the animation, it's all for show, and whatever you do, don't pay for the service. The service is an "opt-out" where you get billed then have to reduce to the free one within a certain amount of time and the only way to stop billing is...

“Your AndroidArmour.com Premium Account will continue in effect unless and until you cancel your premium Account or we terminate it. You must cancel your Premium Account before it renews each month, as applicable, in order to avoid billing of the next month’s to your credit card. If you wish to cancel your Premium Account you may do so by calling Customer Support: 1-800-910-6786.”


Stay safe out there
-R`/4N

Remember to stay safe and stay protected out there.
You can get all the best security software for your Android, PC, or anything else at Amazon for cheap.