Mobile Threat Report Q3 2012

MOBILE
THREAT
REPORT
Q3 2012
Mobile Threat Report Q3 2012

F-Secure Labs
At the F-Secure Response Labs in Helsinki, Finland, and Kuala
Lumpur, Malaysia, security experts work around the clock to
ensure our customers are protected from the latest online
threats.
Round-the-clock response work takes place in three shifts,
one of which is handled in Helsinki, and two in Kuala Lumpur.
At any given moment, F-Secure Response Labs staff is on top
of the worldwide security situation, ensuring that sudden
virus and malware outbreaks are dealt with promptly and
effectively.
Protection around the clock
Response Labs work is assisted by a host of automatic
systems that track worldwide threat occurences in real
time, collecting and analyzing hundreds of thousands of
data samples per day. Criminals who make use of virus and
malware to profit from these attacks are constantly at work
on new threats. This situation demands around the clock
vigilance on our part to ensure that our customers are
protected.
Mobile Threat Report Q3 2012
3
abstract
THIS REPORT DISCUSSES THE MOBILE THREAT LANDSCAPE AS SEEN IN THE third QUARTER OF 2012, AND INCLUDES
STATISTICS AND DETAILS OF THE MOBILE THREATS THAT F-SECURE RESPONSE LABS HAVE SEEN AND ANALYZED
DURING THAT PERIOD. The data presented in this report was last updated on 30 September 2012.
Contents
abstract 3
2012 Mobile Landscape Calendar 5
Executive Summary 6
Figure 1: Number of Android Samples Received, Q3 2012 8
Latest threats in the last three months 9
Figure 2: New Mobile Threats Families and Variants Received Per Quarter, 10
2011-2012 10
Figure 3: Mobile Threats By Platform, 2011-2012 11
Figure 4: Top-20 Mobile Threats By Variant Count Per Platform, 2007-Present 12
Potentially unwanted software 13
Hack-Tool:Android/Penetho.A 14
Hack-Tool:Android/Whapsni.A 14
Monitoring-Tool:Android/AccuTrack.A 14
Monitoring-Tool:Android/Cobbler.A 15
Monitoring-Tool:Android/SMSWatcher.A 16
Riskware:Android/DroidCoupon.A 17
Riskware:Android/Fidall.A, Riskware:iOS/Fidall.A 17
Riskware:Android/SeaWeed.A 18
Figure 5: Mobile Threats By Type, Q3 2012 19
Spyware 20
Adware:Android/AdWo.A 21
Adware:Android/Maxit.A 21
Spyware:SymbOS/Fafespy.A 21
Figure 6: Profit- vs Not Profit-Motivated Threats Per Quarter, 2011-2012 22
Figure 7: Profit- vs Not Profit-Motivated Threats By Platform, Q3 2012 22
Mobile Threat Report Q3 2012
4
Malware 23
Trojan:Android/AckPosts.A 24
Trojan:Android/AppleService.A 24
Trojan:Android/DropDialer.A 24
Trojan:Android/FireLeaker.A 25
Trojan:Android/FjCon.A 25
Trojan:Android/IconoSys.A 26
Trojan:Android/LuckyCat.A 28
Trojan:Android/Maistealer.A 29
Trojan:Android/MarketPay.A 29
Trojan:Android/NandroBox.A 30
Trojan:Android/PopWeb.A 30
Trojan:Android/SmsSend.A, and variant B and C 30
Trojan:Android/SmsZombie.A 31
Trojan:Android/Sumzand.A, and variant B 31
Trojan:Android/Vdloader.A 32
Trojan:Android/Vidro.A 32
Trojan:Blackberry/Zitmo.A 33
Trojan:SymbOS/FakePatch.A 33
Trojan:SymbOS/Foliur.A 33
Trojan:SymbOS/HRU.A 33
Trojan:SymbOS/Impler.A 33
Trojan:SymbOS/KillTrust.A 33
Trojan:SymbOS/Nokan.A, and variant B 34
Trojan:SymbOS/PlugGamer.A 34
Trojan:SymbOS/Ropitor.A 34
Trojan:SymbOS/Shilespy.A 34
Trojan-Downloader:Android/Morepak.A 34
Trojan-Spy:WinCE/FinSpy.A, Trojan-Spy:iOS/FinSpy.A,
Trojan-Spy:SymbOS/FinSpy.A, Monitoring-Tool:Android/FinSpy.C 35
New variants of already known families 36
Figure 8: Top-10 Android Detection Hits, Q3 2012 37
Figure 9: Breakdown of Heuristic Detection, Q3 2012 37
Table 1: Top Android Malware, Riskware and Spyware, Q3 2012 38
Mobile Threat Report Q3 2012
5
2012 Mobile Landscape Calendar
13
8
20
14
21
4
10 10
17
JAN feb mar apr may jun jul aug sep
FinSpy found on
multiple platforms
Google Bouncer
introduced to Play Store
Nokia halts almost all
Symbian development
Drive-by malware
found on Android
SMS-trojans
found on J2ME
Zitmo found on
Blackberry
Fidall found
on iOS
Android 4.1
(Jellybean) released
iOS 6 and iPhone
5 launched
Symbian Belle
refresh rolls out
New families/variants on Android
New families/variants on Symbian
6
7
1
4
8
13
6
5
3
Threat Statistics notable events
Android
Blackberry
iOS
J2ME
Windows Mobile
Symbian
NOTE : The threat statistics used in the calendar are made up of families and variants instead of unique files. For instance, if
two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.
Mobile Threat Report Q3 2012
6
SYMBIAN
Despite Android’s dominance in the mobile threat landscape, the Symbian malware
scene is far from dead. 21 new families and variants were discovered in the third quarter
of 2012, a 17% increase compared to the second quarter.
A typical Symbian malware is a trojan that mimics a system update or a legitimate
application. The object-capability model used in Symbian devices presents some
loopholes that can be exploited. For example, the same set of capabilities required
by a legitimate action game may be similar to that required by an application that can
download and install new software from the Internet. A malware author can capitalize
on these similar capabilities to present a malware as a harmless, coveted program that
sneakily carries out its activities without arousing the user’s suspicion.
Most of the Symbian malware originates in China and are distributed for the purpose of
making a profit. Most of these (for example, Fakepatch.A and Foliur.A) are involved in
SMS-sending activities. The SMS messages are usually sent to premium rate numbers
or those associated with SMS-based services. Malware authors and distributers can
easily turn an infection into profit by taking advantage of a ‘built-in’ billing mechanism
for these SMS services; the malware simply sends out SMS messages that silently sign
up the device owner for a premium subscription service, incurring charges the user’s
account.
Another profit-generating method involve the malware emulating a user’s behaviour
and enabling WAP services on the device, which are then billed through the mobile
service operator. These malware, such as PlugGamer.A, are capable of acting as
scripted bots, silently playing a regular, albeit simple browser-based online game over
the WAP service.
Despite the continuing activity on the Symbian malware scene, the Symbian platform
itself saw a significant blow to its future, as Nokia confirmed in September that the
once popular operating system has now been put in “maintenance mode”, with the
only major update this year being a refresh or feature pack that was rolled out in
August to certain devices running the current Nokia (formerly Symbian) Belle release.
Market-wise, shipment of Symbian smartphones reportedly fell by 62.9% in Q2 and
Symbian now accounts for only 4.4% of the global smartphone market. Despite the
lack of activity in platform development and use however, Symbian malware is still
likely to be active for some time to come as many users, particularly in developing
countries, continue to use existing Symbian-based handsets.
Android
As expected, Android malware continues to dominate the mobile threat landscape
with a whopping 51,447 unique samples detected in the third quarter (see Figure 1 on
page 8). The increase in samples occurred even after Google introduced Bouncer, an
additional layer of security on the Android Play Store - the renamed Android Market -
that scans new and existing apps and developer accounts for malicious activity. Google
has claimed that this additional security resulted in a 40% drop in malicious apps
being offered. Though researchers have demonstrated in technology conferences
that Bouncer protection could be circumvented, it seems somewhat unlikely that this
could be the reason for the increase in malicious samples.
Executive Summary
“...In Q2, China
officially surpassed
the United States as
the largest market for
smartphones... ”
Mobile Threat Report Q3 2012
7
The surge may better be attributed as a natural consequence of the continued high
growth in Android smartphone adoption this quarter, particularly in regions such
as China and Russia. In fact, in Q2, China officially surpassed the United States as
the largest market for smartphones, with Android handsets accounting 81% of that
market.
These expanding markets have also been notable for the proliferation of less-secure
third-party apps markets, which are popular with users for various reasons. This factor
may also account for the increasing number of malicious samples seen this quarter.
Of this number, we discovered 42 new families and new variants of existing families.
Unlike the driveby malware found earlier this year (see the Q2 Mobile Threat Report),
the majority of the new Android threats seen this quarter have been designed to
generate profit from SMS sending activities or by harvesting information found on the
infected device.
Platform-wise, the other notable event this quarter is the release of the 4.1 update,
dubbed Jellybean, which included a number of exploit mitigation features as part of
an ongoing effort to improve security on the platform.
others
The third quarter also saw a new variant of Zitmo (mobile version of the Zeus malware)
that targets Blackberry devices. An earlier variant was discovered back in 2010, and
used JAD file format. The new one is now using COD file format but its purpose
remains the same, which is to steal the mobile Transaction Authentication Number
(mTAN) sent by banks to their customers. The mTAN is sent via an SMS message and is
used to validate an online transaction. Without the number, the transaction cannot be
completed. The Zitmo malware intercepts the SMS messages containing mTans and
forwards them to a remote server.
Aside from Zitmo for Blackberry, the FinSpy trojan was the other notable discovery in
the third quarter of 2012. This trojan was made available on multiple mobile platforms
- Android, Symbian, iOS, and Windows Mobile. FinSpy can take screenshots of an
infected device, record keyboard strokes, intercept Skype communications, track
device location, and monitor SMS and call activities on the device.
FinSpy is the mobile version of FinFisher, a trojan commercially produced by a UK-based
software company and marketed as a surveillance product for desktop computers.
There has been reports of FinFisher being used against citizens of Egypt, Bahrain, and
Turkmenistan. Due to its alleged role in political espionage, the trojan has been of
concern to non-governmental organizations such as Privacy International.
Apart from the unusual case of FinSpy, the only other notable case on the iOS platform
this quarter was Fidall, an app that essentially sends contacts from the device to a
remote server, then sends spam SMS messages to the contacts with a download link
for the application. The app is also available on Android.
As a final note, the iOS platform itself was also updated this quarter to iOS 6, which
included fixes for many (reportedly 197) vulnerabilities found, the majority of them
related to the Webkit web browsing component.
“The third quarter also
saw a new variant of
Zitmo (mobile version
of the Zeus malware)
that targets Blackberry
devices.”
Mobile Threat Report Q3 2012
8
51,447
3,063
5,033
Q1 2012 Q2 2012 Q3 2012
17+69+14+A
8,735
JULY
69+17+14+A 35,592
august
14+17+69+A
7,1 20
september
Figure 1: Number of Android Samples Received, Q3 2012
NOTE : The threat statistics used in Figure 1 are made up of the number of unique Android application package files (APKs).
Latest
threats in
the last
three
months
Mobile Threat Report Q3 2012
10
Figure 2: New Mobile Threats Families and Variants Received Per Quarter,
2011-2012
NOTE : The threat statistics used in Figure 2 are made up of families and variants instead of unique files. For instance, if two
samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.
2 2
10
20
30
40
50
60
33+3334 25+252525 33+3334 50+50 25+252525 33+3334 100
50+50
10
23
52
36
37
40
42
6
12
21
19
14
18
21
1
0
Q1 2011 Q2 2011 Q3 2011 Q4 2011 Q1 2012 Q2 2012 Q3 2012
1
0 0 0 0 0 0
0 0 0 0 0 0
0
0
1
4
0
0 0
1
0 0
1
70
80
74
17
35
60 60
51
67
90 J2ME
Windows Mobile
Symbian
iOS
Android
Blackberry
all threats
Mobile Threat Report Q3 2012
11
65+3+1+31+AAndroid, 65%
Symbian, 31.2%
Windows Mobile, 1.1%
J2ME, 2.7%
Q1–Q4
2011
65Q1–Q3 +129A
2012
Symbian, 29.8%
Android, 66.8%
Blackberry, 0.6%
iOS, 1.1%
J2ME, 1.1%
Windows Mobile, 0.6%
Figure 3: Mobile Threats By Platform, 2011-2012
NOTE : The threat statistics used in Figure 3 are based on the number of families and variants instead of unique files. For
instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.
Mobile Threat Report Q3 2012
12
Figure 4: Top-20 Mobile Threats By Variant Count Per Platform,
2007-Present
NOTE : The threat statistics used in Figure 4 are made up of families and variants instead of unique files. For instance, if two
samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.
FakeInst
Mobler
SmsAnywhere
OpFake
Commwarrior
Redoc
DroidKungFu
Flexispy
MerogoSMS
Boxer
Flocker
JiFake
Zhaomiao
Cyppy
BopSmiley
DroidRooter
Konov
Beselo
DroidDream
SmsSpy
Yorservi
Yxe
16
14
13
6 + 1 + 1 + 3
10
10
9
2 + 1 + 6
9
5 + 3
8
8
8
7
5 + 2
7
6
5
5
5
5
4 + 1
Windows Mobile
Symbian
Android
J2ME
Potentially
unwanted
software
We consider the following
program as potentially unwanted
software, which refers to
programs that may be considered
undesirable or intrusive by a user
if used in a questionable manner.
Mobile Threat Report Q3 2012
14
Hack-Tool:Android/Penetho.A
Penetho.A is a penetration testing application that utilizes a well-known vulnerability
in the Thomson/Speedtouch router. It generates a password for the WiFi router using
the Service Set Identification (SSID).
Penetho.A’s icon (left), and WiFi confirmation (right)
Hack-Tool:Android/Whapsni.A
Whapsni.A is a tool that can sniff out WhatsApp packets over a shared network. For
example, when connected to a shared WiFi, it may be able to intercept WhatsApp
chat data packets being sent to and from other devices connected to the network.
These packets may contain private information, enabling Whapsni.A to read private
messages and view contact information associated with the WhatsApp account on
those devices.
NOTE : For additional reading on WhatsApp’s security issues, please refer to the article
‘WhatsApp is broken, really broken’ (http://www.fileperms.org/whatsapp-is-brokenreally-
broken/).
Monitoring-Tool:Android/AccuTrack.A
AccuTrack.A is an application that tracks down the GPS location of the device on
which it was installed. While not malicious in itself, it introduces a potential risk for
misuse with malicious intent.
WhatsApp: A cross-platform mobile
messaging application that allows the users
to exchange messages over an Internet
connection, thus avoiding SMS charges.
Mobile Threat Report Q3 2012
15
AccuTrack.A’s icon (left), and settings option (right)
Monitoring-Tool:Android/Cobbler.A
Cobbler.A allows a user to define specific SMS messages that can later be used to
perform these actions from a remote location:
• Wipe the SD card’s contents
• Wipe everything found on the device
• Retrieve the device’s location
Cobber.A’s icon (left), and requested permissions (right)
Mobile Threat Report Q3 2012
16
Screenshots of Cobbler.A while running on a device
Monitoring-Tool:Android/SMSW atcher.A
SMSWatcher.A is a commercial monitoring tool advertised as being for parents who
are interested in monitoring their children’s SMS activities.
Mobile Threat Report Q3 2012
17
Riskware:Android/DroidCoupon.A
When DroidCoupon.A is installed on a device, users risk having their device
information leaked to unauthorized parties. The application may leak the following
information:
• International Mobile Equipment Identity (IMEI) number
• International Mobile Subscriber Identity (IMSI ) number
• Package version
• Package name
• Channel
Screenshots of DroidCoupon.A
Riskware:Android/Fidall.A, Riskware:iOS/Fidall.A
Distributed under the name Find and Call, this program first requests the user to
register by providing their email address. It then searches for e-mails, addresses,
and phone numbers from the user’s contact list. This information is then synced
with a remote server. Once synced, the server will send an SMS message containing
a link to download the application to the contacts—essentially, SMS spam. The SMS
messages reportedly contains the user’s phone number in the ‘From’ field.
Mobile Threat Report Q3 2012
18
Fidall.A’s icon (left) and request for the user to provide email address (right)
Another issue concerning Fidall.A is that the data transmitted between the device
and the remote server is in plain text, which easily exposes the content if intercepted
by another party.
The app is also fully capable of syncing with the contacts from the user’s e-mail,
Facebook, and Skype accounts. The app’s website also reportedly allowed users
enter their social network and online payment merchant details.
At the time of writing, both the Apple App Store and Google Play Store have removed
the app. This incident marks the first time the Apple App Store has had to remove a
trojan from its market.
Riskware:Android/SeaWeed.A
Once installed, SeaWeed.A initiates an application purchase by sending out an SMS
message with the content ‘341#102366#34101’ to the number 1065880004. It then
monitors all incoming messages, looking for a specific reply. Once the replying
message arrived, it will intercept this message and display the content as a dialog
box. This dialog box essentially asks the user to confirm the purchase; without the
confirmation, the transaction will not proceed. Additionally, SeaWeed.A forwards the
device’s IMSI number and other important details to a remote server.
Mobile Threat Report Q3 2012
19
Figure 5: Mobile Threats By Type, Q3 2012
NOTE : The threat statistics used in Figure 5 are made up of families and variants instead of unique files. For instance, if two
samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.
3+3+6+8+70+2+5+v Adware
3%
Hack-Tool
3%
Monitoring-
Tool
6%
Riskware
7.5%
Spyware
3%
Trojan
71.5%
Trojan-
Downloader
1.5%
Trojan-Spy
4.5%
Spyware
Programs categorized as
spyware secretly collect
information about a user’s
browsing habits, search
strings, site preferences and
preferred applications. This
collected information is
either sent out to another
party or stored locally.
Mobile Threat Report Q3 2012
21
Adware:Android/AdWo.A
AdWo.A is an advertising module that displays intrusive ads and collects private
information, such as the device’s IMEI number.
Adware:Android/Maxit.A
Maxit.A is an SMS-based marketing module that provides SMS advertisements and
other extra services. An application containing this module will gather the following
information from the device it was installed on:
• International Mobile Equipment Identity (IMEI) number
• International Mobile Subscriber Identity (IMSI ) number
• Phone number
• Operating system version
• Operator name
• Operator code
• Operator ISO
• SIM country code
• SIM operator
• SIM serial number
• SDK version
• SDK number
• Device release date
• Device model
• Device manufacturer
• Device product
• Device brand
• Device language setting
The gathered information is then stored in a location that is accessible to the
application developer, as provided by the advertising service.
Spyware:SymbOS/Fafespy.A
Fafespy.A is a spyware application developed by Killer Mobile.
Mobile Threat Report Q3 2012
22
Figure 6: Profit- vs Not Profit-Motivated Threats Per Quarter, 2011-2012
Figure 7: Profit- vs Not Profit-Motivated Threats By Platform, Q3 2012
20
22
Android
P NP
1 0
blackberry
P NP
0
2
ios
P NP
0 1
Windows Mobile
P NP
14
7
symbian
P NP NP = not profit motivated
P = profit motivated
28
37
35
29
39
18
13 6
20
37
33
17
22
39
Q1 2011
Q2 2011
Q3 2011
Q4 2011
Q1 2012
Q2 2012
Q3 2012
profit-motivated Not profit-motivated
NOTE : The threat statistics used in Figure 6 and Figure 7 are made up of families and variants instead of unique files. For
instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.
Malware
Programs categorized as
malware are generally
considered to pose a
significant security risk to
the user’s system and/or
information.
Malicious actions carried out
by these programs include
(but are not limited to)
installing hidden objects as
well as hiding the objects
from the user, creating new
malicious objects, damaging
or altering any data without
authorization, and stealing
any data or access credentials.
Mobile Threat Report Q3 2012
24
Trojan:Android/AckPosts.A
AckPosts.A collects information from the contact list, and forwards the details to a
remote address.
AckPosts.A’s icon (left), and screenshot (right)
Trojan:Android/AppleService.A
AppleService.A is distributed via a trojanized application, where it is repackaged
in another application that seems legitimate. When executed, it collects user
information and details on other installed application on the device. This information
is then forwarded to a remote server.
AppleService.A also connects to two other remote servers, from which it downloads
other malicious applications to be installed on the infected device.
Trojan:Android/DropDialer.A
During installation, DropDialer.A displays a message asking the user to agree to
certain terms and conditions.
EULA presented during the installation process
Mobile Threat Report Q3 2012
25
This action will trigger an SMS message to be sent to 3170. After that, the user is
presented with an option to switch the screensaver to a theme based on the video
game Grand Theft Auto 4. Different themes are also available, as indicated by the
package names.
DropDialer.A’s icon (left), and GTA-themed screen saver (right)
Trojan:Android/FireLeaker.A
FireLeaker.A accesses contacts information on the device on which it was installed. It
later collects and forwards these details to a remote server.
Trojan:Android/FjCon.A
FjCon.A is signed with a key trusted by common custom ROM builds, allowing it to
obtain permissions that are usually not needed in typical applications. For example,
the INSTALL_PACKAGES and DELETE_PACKAGES allows it to remotely install an
application or package onto the device without the user noticing.
FjCon.A’s icon (left), and screenshot (right)
FjCon.A also monitors SMS messages, looking specifically for those coming from
10658166. Messages with these contents in the body will be blocked:
• 83589523
• 客服
• 资费
• 1.00元
Custom ROM: A standalone version
of an operating system that has been
customized in certain ways.
Mobile Threat Report Q3 2012
26
• 2.00元
• 元/条
• 元/次
• 1元
• 2元
• 网游
Snippet of code that instructs FjCon.A to install applications onto the device
Trojan:Android/IconoSys.A
IconoSys.A is distributed under various application names—My Pony’s Birthday
Countdown, My Twitter Pics, Blonde Jokes, SMS W!sh, etc.—but all leads to the same
registration page.
IconoSys.A distributed as My Twitter Pics
Mobile Threat Report Q3 2012
27
IconoSys.A distributed as My Pony’s Birthday Countdown
During the registration, users are asked to provide several information which may be
leaked to other unintended recipients. The information that users provide include:
• Device manufacturer
• Device model
• Email address
• International Mobile Equipment Identity (IMEI) number
• Package version
• Phone number
• User’s age
• User’s gender
• User’s name
Screenshots of IconoSys.A during registration
Trojan:Android/LoveSpy.A
LoveSpy.A is a program that claims to be an anti-virus application, but is actually a spying
tool. It monitors SMS and call activities on the device and later forwards the log to a
remote server. Logged information include:
• Content of SMS
• Date of call or SMS
• Duration of call
• GPS location
• International Mobile Equipment Identity (IMEI) number
• Name
• Phone number
• Type of call
Mobile Threat Report Q3 2012
28
Since it receives commands via SMS, LoveSpy.A will intercept these messages, as
displaying them to the user bring attention to its suspicious activities. It specifically
looks for those that begin with the following strings, as they translate to certain
actions:
• SCL – send call log
• IME – send device’s IMEI number
• REG – register device through the application
• SM L – send SMS log
• CMB – make a call back to the sender’s number
• SYC P – send user’s location
• SYF P – send user’s location
Screenshot of LoveSpy.A on a device
Trojan:Android/LuckyCat.A
LuckyCat.A may be connected to an advanced persistent threat (APT) campaign
that shares the same name. The Luckycat campaign targets the Indian and Japanese
military research institutions; Chinese hackers were believed to be responsible
behind this campaign.
LuckyCat.A’s icon (left), and screenshot (right)
APT: Advanced persistent threat.
Commonly refers to cyber espionage
committed by a group (e.g. nation state)
interested in gathering intelligence.
Mobile Threat Report Q3 2012
29
LuckyCat.A exhibits remote access trojan (RAT) capabilities, and connects to a
command and control (C&C) server that will further instruct the malware to perform
these actions:
• Browse directory in the device
• Download file from the device
• Upload file to the device
• Send information to the C&C server
NOTE : For additional reading on the Luckycat APT campaign, please refer to the article
titled ‘Luckycat’ APT Campaign Building Android Malware (http://www.darkreading.
com/mobile-security/167901113/security/attacks-breaches/240004623/luckycat-aptcampaign-
building-android-malware.html).
Trojan:Android/Maistealer.A
Maistealer.A collects the user’s contact names and their email addresses. This
information is stored in /sdcard/addresscap/list.log, and later uploaded to a remote
site.
Maistealer.A’s icon (left), and screenshots (middle and right)
Trojan:Android/MarketPay.A
MarketPay.A is distributed via a trojanized application, using a package named com.
mediawoz.gotq.apk. When installed on a device, it automatically places orders to
purchase applications from the Chinese mobile market (10086.cn) without the user’s
consent.
This malware also collects the device’s associated phone number and IMEI number,
and forwards this information to a remote server.
MarketPay.A’s icon
Mobile Threat Report Q3 2012
30
Trojan:Android/NandroBox.A
When launched, NandroBox.A displays a page that notifies the user of a list of terms
and conditions. Once the user has clicked Confirm, it sends out the device’s IMEI
number and other information to a remote site in XML format.
Screenshots of NandroBox.A
Next, it sends an SMS message to 1065800815747, with content that follows this
format: XXX, game_id, version, 0, channel. To cover its tracks, the malware will
intercept all messages from the aforementioned number.
Details for the SMS message that NandroBox.A is instructed to send
Trojan:Android/PopWeb.A
PopWeb.A harvests device information, and forwards the them to a remote location.
Harvested information includes:
• Email
• Location
• Phone number
• SIM serial number
• WiFi MAC address
Trojan:Android/SmsSend.A, and variant B and C
SmsSend.A is a version of another malware called OpFake. It reaps profit by sending
the message ‘gf bigfun 281 fnuXW9Ey5’ to these numbers: 9993, 9994, and 9995.
SmsSend.C operates in the same way SmsSend.A does, but uses a different display
image, message content and recipient numbers. When executed, it displays images
of nude women and sends out the message ‘galve 328 SjhFaG1IK’ to the following
numbers: 6008, 6006, 6152, and 6952.
Mobile Threat Report Q3 2012
31
Screenshot of SmsSend.A’s in action
Trojan:Android/SmsZombie.A
SmsZombie.A drops a malicious component to a live wallpaper application on the
device, featuring various images of women. The malware then creates a file named
phone.xml and proceeds to collect user information and banking-related data that
can be found on the device. The collected data are later sent via an SMS message to
the number 13093632006.
Screenshot of SmsZombie.A
Trojan:Android/Sumzand.A, and variant B
During execution, Sumzand.A displays an image of a battery power meter that
appears to gauge the battery performance.
Mobile Threat Report Q3 2012
32
Sumzand.A’s icon (left), and screenshot (right)
In the background, what actually happens is that Sumzand.A is collecting details
such as phone numbers from the contact list, and forward them to a remote server.
These numbers may later be used in SMS spam campaign or sold to other interested
parties.
Trojan:Android/Vdloader.A
Vdloader.A collects device information such as the IMEI and IMSI number and
forwards the details to a remote address. It is also capable of downloading and
installing APK files, and sending out SMS messages.
Vdloader.A’s icon
Trojan:Android/Vidro.A
Vidro.A presents the user with a list of terms and conditions during the installation
process. Once the user clicks Yes to these conditions, it connects to and downloads
content from a remote site.
Vidro.A’s icon (left), and screenshot (right)
It will also connect to another remote address, and try to update itself. This
will trigger an SMS message with the content ‘‘PAY 1d489fa9-4a8e-4877-ab0d-
6a56830ed8b0’ to be sent to 72908.
Mobile Threat Report Q3 2012
33
Trojan:Blackberry/Zitmo.A
Back in 2010, we reported about a Zitmo (mobile version of the Zeus malware) attack
on Blackberry devices. Now there is a new variant, which uses the COD file format.
Its purpose remains the same—it monitors incoming SMS messages for those
containing a mobile Transaction Authentication Number (mTan), which are sent by
banks to their customers in order to complete an online banking transaction. The
malware instead forwards the SMS messages to a remote server.
NOTE : The previous Zitmo attack on Blackberry devices were reported in the blog
post titled ‘Zeus Variants Targeting Mobile Banking’ (http://www.f-secure.com/weblog/
archives/00002037.html).
Trojan:SymbOS/FakePatch.A
FakePatch.A profits by sending SMS messages to premium rate numbers and leaving
the user to pay for the charges incurred. It also terminates any antivirus-related
processes to avoid detection.
Trojan:SymbOS/Foliur.A
Once installed, Foliur.A proceeds to download and install new programs onto the
device. Aside from that, its other activities include sending out SMS messages to
premium rate numbers and killing off anti-virus processes to avoid detection.
Trojan:SymbOS/HRU .A
To protect itself, HRU.A kills off any process belonging to a security product. If the
user attempts to uninstall it, the program terminates its own installer process to
prevent uninstallation. HRU.A’s activities are triggered by an Ogg Vorbis recognizer.
Trojan:SymbOS/Impler.A
Impler.A is a program that contains references to several online games. It quietly
downloads and installs new programs onto the device without the user’s consent.
When the user attempts to uninstall Impler.A, it will kill off the installer process to
block the uninstallation.
Trojan:SymbOS/KillTrust.A
KillTrust.A temporarily modifies the system settings so that it can install untrusted
programs onto the device without the user noticing. It will also kill off the installer
process and some other processes.
mTAN: Mobile Transaction Authentication
Number. This number is used to
authenticate an online banking transaction.
Ogg Vorbis: A non-proprietary audio
compression format used to store and play
digital music.
Mobile Threat Report Q3 2012
34
Trojan:SymbOS/Nokan.A, and variant B
Nokan.A downloads and installs other programs onto the device without the user’s
consent. It also terminates the installer process when an attempt to uninstall the
application is made.
Trojan:SymbOS/PlugGamer.A
PlugGamer.A contains a lot of similarities with the AndroGamer malware first seen in
Q2 2012. It downloads and installs new programs onto the device, and forwards the
device information to a remote server.
Trojan:SymbOS/Ropitor.A
Ropitor.A downloads configuration files and software from a remote host and silently
installs them onto the device. It is also capable of removing software from the device
based on the downloaded configuration files.
Trojan:SymbOS/Shilespy.A
Once installed on a device, Shilespy.A performs the following activities:
• Connects to a remote host
• Monitors and sends out SMS messages
• Installs new software onto the device
• Dials and sends DTMF commands over the voice line
Trojan-Downloader:Android/Morepak.A
Morepak.A is packaged inside a trojanized application and includes an advertising
component. Once installed, it connects to a remote location, then proceeds to
download malicious files onto the device.
Morepak.A’s icon
DTMF: Dual-Tone Multi-Frequency
signaling, used for telecommunication
signaling between a phone and the
switching center.
Trojan:SymbOS/AndroGamer.A: This trojan
appears to be playing an online or WAP
game in the background. It is capable of
downloading and installing programs onto
the device, and forwards information to a
remote server.
—p.23, Q2 2012 Mobile Threat Report
Mobile Threat Report Q3 2012
35
Trojan-Spy:WinCE/FinSpy.A, Trojan-Spy:iOS/
FinSpy.A, Trojan-Spy:SymbOS/FinSpy.A, Monitoring-
Tool:Android/FinSpy.C
FinSpy.A is the mobile version of the FinFisher surveillance software, a commercial
trojan manufactured by the UK-based security company Gamma International. This
threat was released on multiple platforms—Android, iOS, Symbian and Windows
Mobile. It is used to remotely monitor the device and is capable of performing these
tasks:
• Taking screenshots
• Recording keyboard strokes
• Intercepting Skype communications
• Tracking a device’s location
• Monitoring SMS messages and phone calls
NOTE : For additional reading on FinFisher, please refer to (https://www.
privacyinternational.org/finfisherreport/).
Related Labs Weblog
post
Egypt, FinFisher Intrusion Tools
and Ethics
http://www.f-secure.com/weblog/
archives/00002114.html
New
variants
of already
known
families
THE FOLLOWING IS A LIST OF
NEW VARIANTS OF EXISTING
MALWARE FAMILIES. THEIR
FUNCTIONALITY IS NOT
SIGNIFICANTLY DIFFERENT
COMPARED TO THE
EARLIER VARIANTS
DESCRIBED
IN PREVIOUS
REPORTS.
»» Monitoring-Tool:Android/FinSpy.C
»» Riskware:Android/PremiumSMS .E
»» Spyware:SymbOS/Flexispy.M
»» Trojan:Android/EuropaSMS .C
»» Trojan:Android/FakeInst.P, and variant Q and R
»» Trojan:Android/FakeLogo.D
»» Trojan:Android/FakeUpdates.B
»» Trojan:Android/Gamex.B
»» Trojan:Android/GoldDream.C
»» Trojan:Android/OpFake.J
»» Trojan:SymbOS/AndroGamer.C
»» Trojan:SymbOS/Kensoyk.B
»» Trojan:SymbOS/MapUp.D
»» Trojan:SymbOS/MulGamer.B
»» Trojan:SymbOS/RandomTrack.B
»» Trojan:SymbOS/SivCaller.B, and variant C
»» Trojan:SymbOS/Zhaomiao.H
Mobile Threat Report Q3 2012
37
Boxer.C
Heuristic
Ropin.A
Counterclank.A
RuFailedSMS .A
AdWo.A
Gappusin.A
FakeInst.L
Kmin.A
Kmin.C
12,471
9,874
2,936
6,867
2,289 2,265
2,023
1,221
1,103 1,047
Figure 8: Top-10 Android Detection Hits, Q3 2012
82+18+A Riskware
8,138
malware
1,736
Figure 9: Breakdown of Heuristic Detection, Q3 2012
NOTE : The threat statistics used in Figure 8 and Figure 9 are made up of the number of unique Android application package
files (APKs).
Heuristic
Detection Total
= 9,874
Mobile Threat Report Q3 2012
38
detection COUNT
Trojan:Android/Boxer.C 12471
Trojan:Android/RuFailedSMS.A 2289
Trojan:Android/FakeInst.L 1221
Trojan:Android/Kmin.A 1103
Trojan:Android/Kmin.C 1047
Trojan:Android/FakeInst.E 937
Trojan:Android/OpFake.E 672
Trojan:Android/JiFake.F 604
Trojan:Android/SMStado.A 550
Trojan:Android/FakeInst.A 418
Trojan:Android/Ginmaster.B 363
Trojan:Android/GoldDream.C 336
Trojan:Android/FakeInst.K 336
Trojan:Android/DroidKungFu.C 316
Trojan:Android/OpFake.F 313
Trojan:Android/FakeNotify.A 265
Trojan:Android/BaseBridge.A 235
Trojan:Android/Ginmaster.D 193
Trojan:Android/Ginmaster.C 153
Trojan:Android/AutoSPSubscribe.A 140
Trojan:Android/Ginmaster.A 118
Trojan:Android/DroidKungFu.F 116
Trojan:Android/BaseBridge.D 91
Trojan:Android/Geinimi.D 84
Trojan:Android/FjCon.A ** 82
Trojan:Android/Frogonal.A 79
Trojan:Android/FakeBattScar.B 78
Trojan:Android/Kmin.B 76
Trojan:Android/DroidDream.D 74
Trojan:Android/FakeBattScar.A 64
Top-30 Malware
Table 1: Top Android Malware, Riskware and Spyware, Q3 2012
NOTE : The threat statistics used in Table 1 are made up of the number of unique Android application package files (APKs).
** New family or new variant discovered in Q3 2012
detection COUNT
Adware:Android/Ropin.A 6867
Application:Android/Counterclank.A 2936
Adware:Android/AdWo.A ** 2265
Adware:Android/Gappusin.A 2023
Application:Android/FakeApp.C 409
Spyware:Android/EWalls.A 84
Riskware:Android/Boxer.D 75
Exploit:Android/DroidRooter.B 63
Exploit:Android/DroidRooter.A 60
Riskware:Android/MobileTX.A 36
Spyware:Android/SndApps.A 32
Monitoring-Tool:Android/SpyTrack.B 25
Application:Android/Steveware.A 24
Hack-Tool:Android/DroidRooter.B 24
Monitoring-Tool:Android/MobileSpy.C 21
Hack-Tool:Android/DroidRooter.H 20
Exploit:Android/DroidRooter.C 17
Hack-Tool:Android/DroidRooter.A 15
Monitoring-Tool:Android/Spyoo.A 15
Exploit:Android/GBFM.A 14
Monitoring-Tool:Android/MobileMonitor.A 13
Adware:Android/Mobsqueeze.A 11
Exploit:Android/DroidRooter.E 9
Hack-Tool:Android/TattooHack.A 9
Monitoring-Tool:Android/MobileTracker.A 9
Monitoring-Tool:Android/KidLogger.B 7
Monitoring-Tool:Android/SpyBubble.B 7
Riskware:Android/QPlus.A 6
Monitoring-Tool:Android/MobiSmsSpy.A 6
Hack-Tool:Android/DroidRooter.E 5
Top-30 Riskware and Spyware
Mobile Threat Report Q3 2012
39
f-SEcure mobile security
F-Secure Mobile Security effectively protects
your mobile device, smartphone or tablet, from
all common mobile threats. It guards against
loss and theft, protects your children online
with powerful parental control functions,
keeps your device free of malware and lets you
browse the web safely.
Find out more:
http://www.f-secure.com/web/home_global/mobile-security
Purchase F-Secure Mobile Security:
https://shop.f-secure.com/cgi-bin/shop/?ID=FSMAV
Protecting
the
Irreplaceable
This document was previously released under controlled
distribution, intended only for selected recipients.
Document made public since: 5 November 2012
F-Secure proprietary materials. © F-Secure Corporation 2012.
All rights reserved.
F-Secure and F-Secure symbols are registered trademarks
of F-Secure Corporation and F-Secure names and symbols/
logos are either trademark or registered trademark of
F-Secure Corporation.
Protecting the irreplaceable | f-secure.com