Thursday, April 25, 2013

Fake Google Market Forces Premium Sign-Up



A blog post by ThreatTrack Security showed an example of another fake Google market. This has been done so much in the past that it's easy to look past these threats. I posted about fake markets in the past here and here. However, the apps located on this one have changed up the rules a tiny bit. Instead of just sending a few premium SMS texts and being done with it, these sign you up for a daily service fee of 9.99 rubles a day. That's about 32 cents a day in U.S. dollars. Over the course of a month or a year this will add up, especially if it goes unnoticed.

As always, the end user only receives apps that he or she would have received for free on the real Play Market or the Amazon App Market. Of course, even Google can't keep all malware off its market. The recent release of the BadNews Trojan on Google Play, even after all of the safeguards were put into place, shows that it is good practice to keep an updated antivirus app installed.

The Fake Google Market can be found at: hxxp://play-android-markt.com/. (Live Link to Malware)

A bad app download Example (Live Malware):  hxxp://app.play-android-markt.com/files/get?filename=it.android.demi.elettronica&scheme=app&projectId=5585&namespace=wapcash&applicationName=ElectroDroid&url=http://androsportal.com&image=http://play-android-markt.com/play-android-markt.com/0/ru/images/icon_9010550421218012627_2.png&icon=http://play-android-markt.com/play-android-markt.com/0/ru/images/icon_9010550421218012627_1.png&size=509&theme=

The VirusTotal report for the example can be found here.

Stay safe out there
 -R`/4N

Monday, April 22, 2013

Android BadNews


After checking out an Android malware sample listed by Lookout as Trojan:Android/BadNews, I found a lot of contention in the security community as to whether this is a Trojan or just adware gone bad. The supposed command and control server at hxxp://androways.com is linked to the Russian Android adware company hxxp://mobidisplay.net. It looks like this ad company sends downloads to the installed Android device and one of them happened to be linked to some Android spyware. Check out the VirusTotal link below to see that some antivirus products list this as adware while others list this as a Trojan. Either way, these were on the Google Play store and could have been downloaded without the need to go to alternate markets. The sample I studied specifically can be found here: hxxp://files2.freesoft.ru/rep/711324/live.photo.sharonstone.apk.

This is a good example of why it is necessary to have some sort of antivirus or analysis software on your Android device.

The original post by Lookout is here:
https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/

Two samples can be found here:
http://contagiominidump.blogspot.com/2013/04/badnews-android-adwaremalware-network.html

More samples can still be found in the wild here:
hxxp://freesoft.ru/?author=18604  (Russian Alternate market -- Malware Links)

VirusTotal:
https://www.virustotal.com/en/file/9134ba9ce3e2a343de5abb986f04fa925a7032b5a842757d562afe3de0644a40/analysis/1366644359/


Stay safe out there
-R`/4N

Wednesday, April 10, 2013

NVISO ApkScan


A new free APK analyzer entered the market in the last few weeks. http://apkscan.nviso.be/ does an epic job of dynamically analyzing an Android app and returning useful information for determining whether an app is safe or not.



I submitted a sample called Tank.apk (a known malware) and it came back with this:
http://apkscan.nviso.be/report/show/a7f9f6ec9edb19ae708369ec24e26d94
As you can see, it came back with useful results, including a list of websites it hits. This is still just a beta version and promises more dynamic analysis in the future. I would recommend using this over other free competitors on the market just for its speed and ease of use alone.


Stay safe out there
-R`/4N