Mobile Threat Report Q3 2012

By: a guest on Nov 5th, 2012
MOBILE THREAT REPORT Q3 2012

F-Secure Labs

At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work around the clock to ensure our customers are protected from the latest online threats.

Round-the-clock response work takes place in three shifts, one of which is handled in Helsinki, and two in Kuala Lumpur. At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation, ensuring that sudden virus and malware outbreaks are dealt with promptly and effectively.

Protection around the clock

Response Labs work is assisted by a host of automatic systems that track worldwide threat occurrences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of viruses and malware to profit from these attacks are constantly at work on new threats. This situation demands around-the-clock vigilance on our part to ensure that our customers are protected.
Abstract

This report discusses the mobile threat landscape as seen in the third quarter of 2012, and includes statistics and details of the mobile threats that F-Secure Response Labs have seen and analyzed during that period. The data presented in this report was last updated on 30 September 2012.
Contents

Abstract 3
2012 Mobile Landscape Calendar 5
Executive Summary 6
Figure 1: Number of Android Samples Received, Q3 2012 8
Latest threats in the last three months 9
Figure 2: New Mobile Threats Families and Variants Received Per Quarter, 2011-2012 10
Figure 3: Mobile Threats By Platform, 2011-2012 11
Figure 4: Top-20 Mobile Threats By Variant Count Per Platform, 2007-Present 12
Potentially unwanted software 13
Hack-Tool:Android/Penetho.A 14
Hack-Tool:Android/Whapsni.A 14
Monitoring-Tool:Android/AccuTrack.A 14
Monitoring-Tool:Android/Cobbler.A 15
Monitoring-Tool:Android/SMSWatcher.A 16
Riskware:Android/DroidCoupon.A 17
Riskware:Android/Fidall.A, Riskware:iOS/Fidall.A 17
Riskware:Android/SeaWeed.A 18
Figure 5: Mobile Threats By Type, Q3 2012 19
Spyware 20
Adware:Android/AdWo.A 21
Adware:Android/Maxit.A 21
Spyware:SymbOS/Fafespy.A 21
Figure 6: Profit- vs Not Profit-Motivated Threats Per Quarter, 2011-2012 22
Figure 7: Profit- vs Not Profit-Motivated Threats By Platform, Q3 2012 22
Malware 23
Trojan:Android/AckPosts.A 24
Trojan:Android/AppleService.A 24
Trojan:Android/DropDialer.A 24
Trojan:Android/FireLeaker.A 25
Trojan:Android/FjCon.A 25
Trojan:Android/IconoSys.A 26
Trojan:Android/LuckyCat.A 28
Trojan:Android/Maistealer.A 29
Trojan:Android/MarketPay.A 29
Trojan:Android/NandroBox.A 30
Trojan:Android/PopWeb.A 30
Trojan:Android/SmsSend.A, and variants B and C 30
Trojan:Android/SmsZombie.A 31
Trojan:Android/Sumzand.A, and variant B 31
Trojan:Android/Vdloader.A 32
Trojan:Android/Vidro.A 32
Trojan:Blackberry/Zitmo.A 33
Trojan:SymbOS/FakePatch.A 33
Trojan:SymbOS/Foliur.A 33
Trojan:SymbOS/HRU.A 33
Trojan:SymbOS/Impler.A 33
Trojan:SymbOS/KillTrust.A 33
Trojan:SymbOS/Nokan.A, and variant B 34
Trojan:SymbOS/PlugGamer.A 34
Trojan:SymbOS/Ropitor.A 34
Trojan:SymbOS/Shilespy.A 34
Trojan-Downloader:Android/Morepak.A 34
Trojan-Spy:WinCE/FinSpy.A, Trojan-Spy:iOS/FinSpy.A, Trojan-Spy:SymbOS/FinSpy.A, Monitoring-Tool:Android/FinSpy.C 35
New variants of already known families 36
Figure 8: Top-10 Android Detection Hits, Q3 2012 37
Figure 9: Breakdown of Heuristic Detection, Q3 2012 37
Table 1: Top Android Malware, Riskware and Spyware, Q3 2012 38
2012 Mobile Landscape Calendar

[Figure: calendar chart, January to September 2012, showing monthly counts of new families/variants on Android and on Symbian, with threat statistics for Android, Blackberry, iOS, J2ME, Windows Mobile and Symbian. Notable events marked on the calendar: FinSpy found on multiple platforms; Google Bouncer introduced to Play Store; Nokia halts almost all Symbian development; Drive-by malware found on Android; SMS-trojans found on J2ME; Zitmo found on Blackberry; Fidall found on iOS; Android 4.1 (Jellybean) released; iOS 6 and iPhone 5 launched; Symbian Belle refresh rolls out.]

NOTE: The threat statistics used in the calendar are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.
Executive Summary

Symbian

Despite Android’s dominance in the mobile threat landscape, the Symbian malware scene is far from dead. 21 new families and variants were discovered in the third quarter of 2012, a 17% increase compared to the second quarter.

A typical Symbian malware is a trojan that mimics a system update or a legitimate application. The object-capability model used in Symbian devices presents some loopholes that can be exploited. For example, the set of capabilities required by a legitimate action game may be similar to that required by an application that can download and install new software from the Internet. A malware author can capitalize on these similar capabilities to present a malware as a harmless, coveted program that sneakily carries out its activities without arousing the user’s suspicion.

Most of the Symbian malware originates in China and is distributed for the purpose of making a profit. Most of these (for example, Fakepatch.A and Foliur.A) are involved in SMS-sending activities. The SMS messages are usually sent to premium rate numbers or those associated with SMS-based services. Malware authors and distributors can easily turn an infection into profit by taking advantage of a ‘built-in’ billing mechanism for these SMS services; the malware simply sends out SMS messages that silently sign up the device owner for a premium subscription service, incurring charges to the user’s account.

Another profit-generating method involves the malware emulating a user’s behaviour and enabling WAP services on the device, which are then billed through the mobile service operator. Such malware, PlugGamer.A for example, is capable of acting as a scripted bot, silently playing a regular, albeit simple, browser-based online game over the WAP service.

Despite the continuing activity on the Symbian malware scene, the Symbian platform itself saw a significant blow to its future, as Nokia confirmed in September that the once popular operating system has now been put in “maintenance mode”, with the only major update this year being a refresh or feature pack that was rolled out in August to certain devices running the current Nokia (formerly Symbian) Belle release. Market-wise, shipments of Symbian smartphones reportedly fell by 62.9% in Q2 and Symbian now accounts for only 4.4% of the global smartphone market. Despite the lack of activity in platform development and use, however, Symbian malware is still likely to be active for some time to come as many users, particularly in developing countries, continue to use existing Symbian-based handsets.

Android

As expected, Android malware continues to dominate the mobile threat landscape with a whopping 51,447 unique samples detected in the third quarter (see Figure 1 on page 8). The increase in samples occurred even after Google introduced Bouncer, an additional layer of security on the Android Play Store (the renamed Android Market) that scans new and existing apps and developer accounts for malicious activity. Google has claimed that this additional security resulted in a 40% drop in malicious apps being offered. Though researchers have demonstrated at technology conferences that Bouncer protection could be circumvented, it seems somewhat unlikely that this could be the reason for the increase in malicious samples.
The surge may better be attributed to a natural consequence of the continued high growth in Android smartphone adoption this quarter, particularly in regions such as China and Russia. In fact, in Q2, China officially surpassed the United States as the largest market for smartphones, with Android handsets accounting for 81% of that market.

These expanding markets have also been notable for the proliferation of less-secure third-party app markets, which are popular with users for various reasons. This factor may also account for the increasing number of malicious samples seen this quarter.

Of this number, we discovered 42 new families and new variants of existing families. Unlike the drive-by malware found earlier this year (see the Q2 Mobile Threat Report), the majority of the new Android threats seen this quarter have been designed to generate profit from SMS-sending activities or by harvesting information found on the infected device.

Platform-wise, the other notable event this quarter is the release of the 4.1 update, dubbed Jellybean, which included a number of exploit mitigation features as part of an ongoing effort to improve security on the platform.

Others

The third quarter also saw a new variant of Zitmo (the mobile version of the Zeus malware) that targets Blackberry devices. An earlier variant was discovered back in 2010, and used the JAD file format. The new one uses the COD file format but its purpose remains the same, which is to steal the mobile Transaction Authentication Number (mTAN) sent by banks to their customers. The mTAN is sent via an SMS message and is used to validate an online transaction. Without the number, the transaction cannot be completed. The Zitmo malware intercepts the SMS messages containing mTANs and forwards them to a remote server.

Aside from Zitmo for Blackberry, the FinSpy trojan was the other notable discovery in the third quarter of 2012. This trojan was made available on multiple mobile platforms: Android, Symbian, iOS, and Windows Mobile. FinSpy can take screenshots of an infected device, record keyboard strokes, intercept Skype communications, track device location, and monitor SMS and call activities on the device.

FinSpy is the mobile version of FinFisher, a trojan commercially produced by a UK-based software company and marketed as a surveillance product for desktop computers. There have been reports of FinFisher being used against citizens of Egypt, Bahrain, and Turkmenistan. Due to its alleged role in political espionage, the trojan has been of concern to non-governmental organizations such as Privacy International.

Apart from the unusual case of FinSpy, the only other notable case on the iOS platform this quarter was Fidall, an app that essentially sends contacts from the device to a remote server, then sends spam SMS messages to the contacts with a download link for the application. The app is also available on Android.

As a final note, the iOS platform itself was also updated this quarter to iOS 6, which included fixes for many (reportedly 197) vulnerabilities, the majority of them related to the Webkit web browsing component.
Figure 1: Number of Android Samples Received, Q3 2012

Unique Android samples received per quarter, as read from the chart:
  Q1 2012: 3,063
  Q2 2012: 5,033
  Q3 2012: 51,447 (July: 8,735; August: 35,592; September: 7,120)

NOTE: The threat statistics used in Figure 1 are made up of the number of unique Android application package files (APKs).
Latest threats in the last three months
Figure 2: New Mobile Threats Families and Variants Received Per Quarter, 2011-2012

NOTE: The threat statistics used in Figure 2 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.

New families and variants per quarter, as read from the chart (platforms plotted: Android, Symbian, Blackberry, iOS, J2ME, Windows Mobile, and all threats combined):

                Q1 2011  Q2 2011  Q3 2011  Q4 2011  Q1 2012  Q2 2012  Q3 2012
  Android            10       23       52       36       37       40       42
  Symbian             6       12       21       19       14       18       21
  All threats        17       35       74       60       51       60       67

The other platforms (Blackberry, iOS, J2ME, Windows Mobile) account for the small remainder in each quarter.
Figure 3: Mobile Threats By Platform, 2011-2012

  Q1–Q4 2011: Android 65%, Symbian 31.2%, J2ME 2.7%, Windows Mobile 1.1%
  Q1–Q3 2012: Android 66.8%, Symbian 29.8%, iOS 1.1%, J2ME 1.1%, Blackberry 0.6%, Windows Mobile 0.6%

NOTE: The threat statistics used in Figure 3 are based on the number of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.
Figure 4: Top-20 Mobile Threats By Variant Count Per Platform, 2007-Present

NOTE: The threat statistics used in Figure 4 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.

Families shown, in the order plotted, with variant counts as read from the chart (a sum indicates variants split across platforms; platforms plotted: Windows Mobile, Symbian, Android, J2ME): FakeInst 16, Mobler 14, SmsAnywhere 13, OpFake 6 + 1 + 1 + 3, Commwarrior 10, Redoc 10, DroidKungFu 9, Flexispy 2 + 1 + 6, MerogoSMS 9, Boxer 5 + 3, Flocker 8, JiFake 8, Zhaomiao 8, Cyppy 7, BopSmiley 5 + 2, DroidRooter 7, Konov 6, Beselo 5, DroidDream 5, SmsSpy 5, Yorservi 5, Yxe 4 + 1.
Potentially unwanted software

We consider the following programs potentially unwanted software, which refers to programs that may be considered undesirable or intrusive by a user if used in a questionable manner.
Hack-Tool:Android/Penetho.A

Penetho.A is a penetration testing application that utilizes a well-known vulnerability in the Thomson/Speedtouch router. It generates a password for the WiFi router using the Service Set Identification (SSID).

Penetho.A’s icon (left), and WiFi confirmation (right)

Hack-Tool:Android/Whapsni.A

Whapsni.A is a tool that can sniff out WhatsApp packets over a shared network. For example, when connected to a shared WiFi network, it may be able to intercept WhatsApp chat data packets being sent to and from other devices connected to the network. These packets may contain private information, enabling Whapsni.A to read private messages and view contact information associated with the WhatsApp account on those devices.

WhatsApp: A cross-platform mobile messaging application that allows users to exchange messages over an Internet connection, thus avoiding SMS charges.

NOTE: For additional reading on WhatsApp’s security issues, please refer to the article ‘WhatsApp is broken, really broken’ (http://www.fileperms.org/whatsapp-is-brokenreally-broken/).

Monitoring-Tool:Android/AccuTrack.A

AccuTrack.A is an application that tracks the GPS location of the device on which it is installed. While not malicious in itself, it introduces a potential risk for misuse with malicious intent.
AccuTrack.A’s icon (left), and settings option (right)

Monitoring-Tool:Android/Cobbler.A

Cobbler.A allows a user to define specific SMS messages that can later be used to perform these actions from a remote location:
• Wipe the SD card’s contents
• Wipe everything found on the device
• Retrieve the device’s location

Cobbler.A’s icon (left), and requested permissions (right)

Screenshots of Cobbler.A while running on a device

Monitoring-Tool:Android/SMSWatcher.A

SMSWatcher.A is a commercial monitoring tool advertised as being for parents who are interested in monitoring their children’s SMS activities.
Riskware:Android/DroidCoupon.A

When DroidCoupon.A is installed on a device, users risk having their device information leaked to unauthorized parties. The application may leak the following information:
• International Mobile Equipment Identity (IMEI) number
• International Mobile Subscriber Identity (IMSI) number
• Package version
• Package name
• Channel

Screenshots of DroidCoupon.A

Riskware:Android/Fidall.A, Riskware:iOS/Fidall.A

Distributed under the name Find and Call, this program first requests the user to register by providing their email address. It then searches the user’s contact list for e-mails, addresses, and phone numbers. This information is then synced with a remote server. Once synced, the server will send an SMS message containing a link to download the application to the contacts—essentially, SMS spam. The SMS messages reportedly contain the user’s phone number in the ‘From’ field.
Fidall.A’s icon (left) and request for the user to provide email address (right)

Another issue concerning Fidall.A is that the data transmitted between the device and the remote server is in plain text, which easily exposes the content if intercepted by another party.

The app is also fully capable of syncing with the contacts from the user’s e-mail, Facebook, and Skype accounts. The app’s website also reportedly allowed users to enter their social network and online payment merchant details.

At the time of writing, both the Apple App Store and Google Play Store have removed the app. This incident marks the first time the Apple App Store has had to remove a trojan from its market.

Riskware:Android/SeaWeed.A

Once installed, SeaWeed.A initiates an application purchase by sending out an SMS message with the content ‘341#102366#34101’ to the number 1065880004. It then monitors all incoming messages, looking for a specific reply. Once the reply arrives, it intercepts this message and displays the content as a dialog box. This dialog box essentially asks the user to confirm the purchase; without the confirmation, the transaction will not proceed. Additionally, SeaWeed.A forwards the device’s IMSI number and other important details to a remote server.
Figure 5: Mobile Threats By Type, Q3 2012

NOTE: The threat statistics used in Figure 5 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.

Share of families and variants by type, as read from the chart: Trojan 71.5%, Riskware 7.5%, Monitoring-Tool 6%, Trojan-Spy 4.5%, Adware 3%, Hack-Tool 3%, Spyware 3%, Trojan-Downloader 1.5%.

Spyware

Programs categorized as spyware secretly collect information about a user’s browsing habits, search strings, site preferences and preferred applications. This collected information is either sent out to another party or stored locally.
Adware:Android/AdWo.A

AdWo.A is an advertising module that displays intrusive ads and collects private information, such as the device’s IMEI number.

Adware:Android/Maxit.A

Maxit.A is an SMS-based marketing module that provides SMS advertisements and other extra services. An application containing this module will gather the following information from the device it was installed on:
• International Mobile Equipment Identity (IMEI) number
• International Mobile Subscriber Identity (IMSI) number
• Phone number
• Operating system version
• Operator name
• Operator code
• Operator ISO
• SIM country code
• SIM operator
• SIM serial number
• SDK version
• SDK number
• Device release date
• Device model
• Device manufacturer
• Device product
• Device brand
• Device language setting

The gathered information is then stored in a location that is accessible to the application developer, as provided by the advertising service.

Spyware:SymbOS/Fafespy.A

Fafespy.A is a spyware application developed by Killer Mobile.
Figure 6: Profit- vs Not Profit-Motivated Threats Per Quarter, 2011-2012

[Chart: profit-motivated vs not profit-motivated families and variants for each quarter from Q1 2011 to Q3 2012.]

Figure 7: Profit- vs Not Profit-Motivated Threats By Platform, Q3 2012

Families and variants in Q3 2012, as read from the chart (P = profit motivated, NP = not profit motivated):
  Android: P 20, NP 22
  Blackberry: P 1, NP 0
  iOS: P 0, NP 2
  Windows Mobile: P 0, NP 1
  Symbian: P 14, NP 7

NOTE: The threat statistics used in Figure 6 and Figure 7 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics.
Malware

Programs categorized as malware are generally considered to pose a significant security risk to the user’s system and/or information.

Malicious actions carried out by these programs include (but are not limited to) installing hidden objects as well as hiding the objects from the user, creating new malicious objects, damaging or altering any data without authorization, and stealing any data or access credentials.
Trojan:Android/AckPosts.A

AckPosts.A collects information from the contact list, and forwards the details to a remote address.

AckPosts.A’s icon (left), and screenshot (right)

Trojan:Android/AppleService.A

AppleService.A is distributed via a trojanized application, where it is repackaged in another application that seems legitimate. When executed, it collects user information and details on other applications installed on the device. This information is then forwarded to a remote server.

AppleService.A also connects to two other remote servers, from which it downloads other malicious applications to be installed on the infected device.

Trojan:Android/DropDialer.A

During installation, DropDialer.A displays a message asking the user to agree to certain terms and conditions.

EULA presented during the installation process
This action triggers an SMS message to be sent to 3170. After that, the user is presented with an option to switch the screensaver to a theme based on the video game Grand Theft Auto 4. Different themes are also available, as indicated by the package names.

DropDialer.A’s icon (left), and GTA-themed screen saver (right)

Trojan:Android/FireLeaker.A

FireLeaker.A accesses contact information on the device on which it is installed. It later collects and forwards these details to a remote server.

Trojan:Android/FjCon.A

FjCon.A is signed with a key trusted by common custom ROM builds, allowing it to obtain permissions that are usually not needed in typical applications. For example, the INSTALL_PACKAGES and DELETE_PACKAGES permissions allow it to remotely install an application or package onto the device without the user noticing.

Custom ROM: A standalone version of an operating system that has been customized in certain ways.

FjCon.A’s icon (left), and screenshot (right)

FjCon.A also monitors SMS messages, looking specifically for those coming from 10658166. Messages with these contents in the body will be blocked:
• 83589523
• 客服
• 资费
• 1.00元
• 2.00元
• 元/条
• 元/次
• 1元
• 2元
• 网游

Snippet of code that instructs FjCon.A to install applications onto the device
Trojan:Android/IconoSys.A

IconoSys.A is distributed under various application names—My Pony’s Birthday Countdown, My Twitter Pics, Blonde Jokes, SMS W!sh, etc.—but all lead to the same registration page.

IconoSys.A distributed as My Twitter Pics
IconoSys.A distributed as My Pony’s Birthday Countdown

During registration, users are asked to provide several pieces of information which may be leaked to unintended recipients. The information that users provide includes:
• Device manufacturer
• Device model
• Email address
• International Mobile Equipment Identity (IMEI) number
• Package version
• Phone number
• User’s age
• User’s gender
• User’s name

Screenshots of IconoSys.A during registration

Trojan:Android/LoveSpy.A

LoveSpy.A is a program that claims to be an anti-virus application, but is actually a spying tool. It monitors SMS and call activities on the device and later forwards the log to a remote server. Logged information includes:
• Content of SMS
• Date of call or SMS
• Duration of call
• GPS location
• International Mobile Equipment Identity (IMEI) number
• Name
• Phone number
• Type of call
Since it receives commands via SMS, LoveSpy.A intercepts these messages, as displaying them to the user would draw attention to its suspicious activities. It specifically looks for messages that begin with the following strings, as they translate to certain actions:
• SCL – send call log
• IME – send device’s IMEI number
• REG – register device through the application
• SM L – send SMS log
• CMB – make a call back to the sender’s number
• SYC P – send user’s location
• SYF P – send user’s location

Screenshot of LoveSpy.A on a device

Trojan:Android/LuckyCat.A

LuckyCat.A may be connected to an advanced persistent threat (APT) campaign that shares the same name. The Luckycat campaign targets Indian and Japanese military research institutions; Chinese hackers were believed to be responsible for this campaign.

APT: Advanced persistent threat. Commonly refers to cyber espionage committed by a group (e.g. nation state) interested in gathering intelligence.

LuckyCat.A’s icon (left), and screenshot (right)
LuckyCat.A exhibits remote access trojan (RAT) capabilities, and connects to a command and control (C&C) server that will further instruct the malware to perform these actions:
• Browse directories on the device
• Download files from the device
• Upload files to the device
• Send information to the C&C server

NOTE: For additional reading on the Luckycat APT campaign, please refer to the article titled ‘Luckycat’ APT Campaign Building Android Malware (http://www.darkreading.com/mobile-security/167901113/security/attacks-breaches/240004623/luckycat-aptcampaign-building-android-malware.html).

Trojan:Android/Maistealer.A

Maistealer.A collects the user’s contact names and their email addresses. This information is stored in /sdcard/addresscap/list.log, and later uploaded to a remote site.

Maistealer.A’s icon (left), and screenshots (middle and right)

Trojan:Android/MarketPay.A

MarketPay.A is distributed via a trojanized application, using a package named com.mediawoz.gotq.apk. When installed on a device, it automatically places orders to purchase applications from the Chinese mobile market (10086.cn) without the user’s consent.

This malware also collects the device’s associated phone number and IMEI number, and forwards this information to a remote server.

MarketPay.A’s icon
Trojan:Android/NandroBox.A
When launched, NandroBox.A displays a page listing terms and conditions. Once the user has clicked Confirm, it sends the device’s IMEI number and other information to a remote site in XML format.
Screenshots of NandroBox.A
Next, it sends an SMS message to 1065800815747, with content that follows this format: XXX, game_id, version, 0, channel. To cover its tracks, the malware intercepts all messages from the aforementioned number.
Details for the SMS message that NandroBox.A is instructed to send
Trojan:Android/PopWeb.A
PopWeb.A harvests device information and forwards it to a remote location. Harvested information includes:
• Email
• Location
• Phone number
• SIM serial number
• WiFi MAC address
Trojan:Android/SmsSend.A, and variant B and C
SmsSend.A is a version of another malware family, OpFake. It reaps profit by sending the message ‘gf bigfun 281 fnuXW9Ey5’ to these numbers: 9993, 9994, and 9995.
SmsSend.C operates in the same way SmsSend.A does, but uses a different display image, message content and recipient numbers. When executed, it displays images of nude women and sends out the message ‘galve 328 SjhFaG1IK’ to the following numbers: 6008, 6006, 6152, and 6952.
Screenshot of SmsSend.A in action
Trojan:Android/SmsZombie.A
SmsZombie.A drops a malicious component to a live wallpaper application on the device, featuring various images of women. The malware then creates a file named phone.xml and proceeds to collect user information and banking-related data that can be found on the device. The collected data are later sent via an SMS message to the number 13093632006.
Screenshot of SmsZombie.A
Trojan:Android/Sumzand.A, and variant B
During execution, Sumzand.A displays an image of a battery power meter that appears to gauge the battery performance.
Sumzand.A’s icon (left), and screenshot (right)
In the background, what actually happens is that Sumzand.A collects details such as phone numbers from the contact list, and forwards them to a remote server. These numbers may later be used in SMS spam campaigns or sold to other interested parties.
Trojan:Android/Vdloader.A
Vdloader.A collects device information such as the IMEI and IMSI number and forwards the details to a remote address. It is also capable of downloading and installing APK files, and sending out SMS messages.
Vdloader.A’s icon
Trojan:Android/Vidro.A
Vidro.A presents the user with a list of terms and conditions during the installation process. Once the user clicks Yes to these conditions, it connects to and downloads content from a remote site.
Vidro.A’s icon (left), and screenshot (right)
It will also connect to another remote address and try to update itself. This will trigger an SMS message with the content ‘PAY 1d489fa9-4a8e-4877-ab0d-6a56830ed8b0’ to be sent to 72908.
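Several of the Android families above (NandroBox.A, SmsSend.A/.C, SmsZombie.A, Vidro.A) are identified by the fixed destination numbers and message texts the report lists. As an added example that is not part of the report, the scanner below matches a constructed SMS log against those numbers and message formats; the log format, the sample lines and the regular expression for the NandroBox.A message layout are assumptions.

```python
import re

# Numbers and message texts are the ones this report attributes to NandroBox.A,
# SmsSend.A/.C, SmsZombie.A and Vidro.A; the log format and sample log are constructed.
KNOWN_NUMBERS = {
    "1065800815747": "NandroBox.A",
    "9993": "SmsSend.A", "9994": "SmsSend.A", "9995": "SmsSend.A",
    "6008": "SmsSend.C", "6006": "SmsSend.C", "6152": "SmsSend.C", "6952": "SmsSend.C",
    "13093632006": "SmsZombie.A",
    "72908": "Vidro.A",
}
BODY_PATTERNS = [
    # NandroBox.A: "XXX, game_id, version, 0, channel" (assumed: five fields, fourth is 0)
    (re.compile(r"^[^,]+,\s*[^,]+,\s*[^,]+,\s*0,\s*[^,]+$"), "NandroBox.A"),
    (re.compile(r"^gf bigfun 281 fnuXW9Ey5$"), "SmsSend.A"),
    (re.compile(r"^galve 328 SjhFaG1IK$"), "SmsSend.C"),
    # Vidro.A: "PAY " followed by a UUID-shaped token (the report shows one fixed value)
    (re.compile(r"^PAY [0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"), "Vidro.A"),
]
# Constructed log format: <timestamp> <IN|OUT> <number> <body>
LOG_RE = re.compile(r"^(\S+) (IN|OUT) \+?(\d+) (.*)$")

def scan_sms_log(lines):
    """Return (line_no, family, reason) for each line that involves a known
    number or, for outgoing messages only, a known message body."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        _, direction, number, body = m.groups()
        if number in KNOWN_NUMBERS:
            hits.append((n, KNOWN_NUMBERS[number], "number " + number))
            continue
        if direction == "OUT":
            for pattern, family in BODY_PATTERNS:
                if pattern.match(body):
                    hits.append((n, family, "message body"))
                    break
    return hits

SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2012-09-12T10:01:05 OUT 1065800815747 ab12, 4471, 1.2, 0, cn_market",
    "2012-09-12T10:01:06 IN 1065800815747 order confirmed",
    "2012-09-12T10:02:00 OUT 9994 gf bigfun 281 fnuXW9Ey5",
    "2012-09-12T10:03:30 OUT 72908 PAY 1d489fa9-4a8e-4877-ab0d-6a56830ed8b0",
    "2012-09-12T10:05:10 OUT 5551234 galve 328 SjhFaG1IK",
    "2012-09-12T10:06:00 OUT 5550100 running late, see you at 7",
]
```

The incoming reply on the second sample line is flagged as well, since NandroBox.A is described as intercepting messages from its own number.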
Trojan:Blackberry/Zitmo.A
Back in 2010, we reported on a Zitmo (mobile version of the Zeus malware) attack on Blackberry devices. Now there is a new variant, which uses the COD file format. Its purpose remains the same—it monitors incoming SMS messages for those containing a mobile Transaction Authentication Number (mTAN), which are sent by banks to their customers in order to complete an online banking transaction. The malware instead forwards the SMS messages to a remote server.
NOTE : The previous Zitmo attack on Blackberry devices was reported in the blog post titled ‘Zeus Variants Targeting Mobile Banking’ (http://www.f-secure.com/weblog/archives/00002037.html).
Trojan:SymbOS/FakePatch.A
FakePatch.A profits by sending SMS messages to premium rate numbers and leaving the user to pay for the charges incurred. It also terminates any antivirus-related processes to avoid detection.
Trojan:SymbOS/Foliur.A
Once installed, Foliur.A proceeds to download and install new programs onto the device. Aside from that, its other activities include sending out SMS messages to premium rate numbers and killing off anti-virus processes to avoid detection.
Trojan:SymbOS/HRU.A
To protect itself, HRU.A kills off any process belonging to a security product. If the user attempts to uninstall it, the program terminates its own installer process to prevent uninstallation. HRU.A’s activities are triggered by an Ogg Vorbis recognizer.
Trojan:SymbOS/Impler.A
Impler.A is a program that contains references to several online games. It quietly downloads and installs new programs onto the device without the user’s consent. When the user attempts to uninstall Impler.A, it will kill off the installer process to block the uninstallation.
Trojan:SymbOS/KillTrust.A
KillTrust.A temporarily modifies the system settings so that it can install untrusted programs onto the device without the user noticing. It will also kill off the installer process and some other processes.
mTAN: Mobile Transaction Authentication Number. This number is used to authenticate an online banking transaction.
Ogg Vorbis: A non-proprietary audio compression format used to store and play digital music.
Trojan:SymbOS/Nokan.A, and variant B
Nokan.A downloads and installs other programs onto the device without the user’s consent. It also terminates the installer process when an attempt to uninstall the application is made.
Trojan:SymbOS/PlugGamer.A
PlugGamer.A has many similarities with the AndroGamer malware first seen in Q2 2012. It downloads and installs new programs onto the device, and forwards the device information to a remote server.
Trojan:SymbOS/AndroGamer.A: This trojan appears to be playing an online or WAP game in the background. It is capable of downloading and installing programs onto the device, and forwards information to a remote server. —p.23, Q2 2012 Mobile Threat Report
Trojan:SymbOS/Ropitor.A
Ropitor.A downloads configuration files and software from a remote host and silently installs them onto the device. It is also capable of removing software from the device based on the downloaded configuration files.
Trojan:SymbOS/Shilespy.A
Once installed on a device, Shilespy.A performs the following activities:
• Connects to a remote host
• Monitors and sends out SMS messages
• Installs new software onto the device
• Dials and sends DTMF commands over the voice line
DTMF: Dual-Tone Multi-Frequency signaling, used for telecommunication signaling between a phone and the switching center.
Trojan-Downloader:Android/Morepak.A
Morepak.A is packaged inside a trojanized application and includes an advertising component. Once installed, it connects to a remote location, then proceeds to download malicious files onto the device.
Morepak.A’s icon
Trojan-Spy:WinCE/FinSpy.A, Trojan-Spy:iOS/FinSpy.A, Trojan-Spy:SymbOS/FinSpy.A, Monitoring-Tool:Android/FinSpy.C
FinSpy.A is the mobile version of the FinFisher surveillance software, a commercial trojan manufactured by the UK-based security company Gamma International. This threat was released on multiple platforms—Android, iOS, Symbian and Windows Mobile. It is used to remotely monitor the device and is capable of performing these tasks:
• Taking screenshots
• Recording keyboard strokes
• Intercepting Skype communications
• Tracking a device’s location
• Monitoring SMS messages and phone calls
NOTE : For additional reading on FinFisher, please refer to https://www.privacyinternational.org/finfisherreport/.
Related Labs Weblog post: Egypt, FinFisher Intrusion Tools and Ethics (http://www.f-secure.com/weblog/archives/00002114.html)
New variants of already known families
The following is a list of new variants of existing malware families. Their functionality is not significantly different compared to the earlier variants described in previous reports.
»» Monitoring-Tool:Android/FinSpy.C
»» Riskware:Android/PremiumSMS.E
»» Spyware:SymbOS/Flexispy.M
»» Trojan:Android/EuropaSMS.C
»» Trojan:Android/FakeInst.P, and variant Q and R
»» Trojan:Android/FakeLogo.D
»» Trojan:Android/FakeUpdates.B
»» Trojan:Android/Gamex.B
»» Trojan:Android/GoldDream.C
»» Trojan:Android/OpFake.J
»» Trojan:SymbOS/AndroGamer.C
»» Trojan:SymbOS/Kensoyk.B
»» Trojan:SymbOS/MapUp.D
»» Trojan:SymbOS/MulGamer.B
»» Trojan:SymbOS/RandomTrack.B
»» Trojan:SymbOS/SivCaller.B, and variant C
»» Trojan:SymbOS/Zhaomiao.H
Figure 8: Top-10 Android Detection Hits, Q3 2012
Boxer.C 12,471
Heuristic 9,874
Ropin.A 6,867
Counterclank.A 2,936
RuFailedSMS.A 2,289
AdWo.A 2,265
Gappusin.A 2,023
FakeInst.L 1,221
Kmin.A 1,103
Kmin.C 1,047
Figure 9: Breakdown of Heuristic Detection, Q3 2012
Riskware 8,138 (82%)
Malware 1,736 (18%)
Heuristic Detection Total = 9,874
NOTE : The threat statistics used in Figure 8 and Figure 9 are made up of the number of unique Android application package files (APKs).
Table 1: Top Android Malware, Riskware and Spyware, Q3 2012
Top-30 Malware
Detection Count
Trojan:Android/Boxer.C 12471
Trojan:Android/RuFailedSMS.A 2289
Trojan:Android/FakeInst.L 1221
Trojan:Android/Kmin.A 1103
Trojan:Android/Kmin.C 1047
Trojan:Android/FakeInst.E 937
Trojan:Android/OpFake.E 672
Trojan:Android/JiFake.F 604
Trojan:Android/SMStado.A 550
Trojan:Android/FakeInst.A 418
Trojan:Android/Ginmaster.B 363
Trojan:Android/GoldDream.C 336
Trojan:Android/FakeInst.K 336
Trojan:Android/DroidKungFu.C 316
Trojan:Android/OpFake.F 313
Trojan:Android/FakeNotify.A 265
Trojan:Android/BaseBridge.A 235
Trojan:Android/Ginmaster.D 193
Trojan:Android/Ginmaster.C 153
Trojan:Android/AutoSPSubscribe.A 140
Trojan:Android/Ginmaster.A 118
Trojan:Android/DroidKungFu.F 116
Trojan:Android/BaseBridge.D 91
Trojan:Android/Geinimi.D 84
Trojan:Android/FjCon.A ** 82
Trojan:Android/Frogonal.A 79
Trojan:Android/FakeBattScar.B 78
Trojan:Android/Kmin.B 76
Trojan:Android/DroidDream.D 74
Trojan:Android/FakeBattScar.A 64
Top-30 Riskware and Spyware
Detection Count
Adware:Android/Ropin.A 6867
Application:Android/Counterclank.A 2936
Adware:Android/AdWo.A ** 2265
Adware:Android/Gappusin.A 2023
Application:Android/FakeApp.C 409
Spyware:Android/EWalls.A 84
Riskware:Android/Boxer.D 75
Exploit:Android/DroidRooter.B 63
Exploit:Android/DroidRooter.A 60
Riskware:Android/MobileTX.A 36
Spyware:Android/SndApps.A 32
Monitoring-Tool:Android/SpyTrack.B 25
Application:Android/Steveware.A 24
Hack-Tool:Android/DroidRooter.B 24
Monitoring-Tool:Android/MobileSpy.C 21
Hack-Tool:Android/DroidRooter.H 20
Exploit:Android/DroidRooter.C 17
Hack-Tool:Android/DroidRooter.A 15
Monitoring-Tool:Android/Spyoo.A 15
Exploit:Android/GBFM.A 14
Monitoring-Tool:Android/MobileMonitor.A 13
Adware:Android/Mobsqueeze.A 11
Exploit:Android/DroidRooter.E 9
Hack-Tool:Android/TattooHack.A 9
Monitoring-Tool:Android/MobileTracker.A 9
Monitoring-Tool:Android/KidLogger.B 7
Monitoring-Tool:Android/SpyBubble.B 7
Riskware:Android/QPlus.A 6
Monitoring-Tool:Android/MobiSmsSpy.A 6
Hack-Tool:Android/DroidRooter.E 5
NOTE : The threat statistics used in Table 1 are made up of the number of unique Android application package files (APKs).
** New family or new variant discovered in Q3 2012
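Figure 8 is the two halves of Table 1 merged with the single Heuristic bucket from Figure 9 and then ranked. As an added example that is not part of the report, the code below reproduces that ranking from the table rows and also rolls variants up into families, which Table 1 does not do; only the rows needed for the top ten are embedded, and the Figure 9 split is taken from the text.

```python
from collections import Counter

# Rows copied from Table 1 of this report (both halves); only the entries that
# appear in Figure 8, plus two controls, are included to keep the block short.
TABLE_1 = """
Trojan:Android/Boxer.C 12471
Trojan:Android/RuFailedSMS.A 2289
Trojan:Android/FakeInst.L 1221
Trojan:Android/Kmin.A 1103
Trojan:Android/Kmin.C 1047
Trojan:Android/FakeInst.E 937
Adware:Android/Ropin.A 6867
Application:Android/Counterclank.A 2936
Adware:Android/AdWo.A ** 2265
Adware:Android/Gappusin.A 2023
Application:Android/FakeApp.C 409
"""
HEURISTIC = {"Riskware": 8138, "Malware": 1736}  # Figure 9 split

def parse_rows(text):
    """Parse 'Detection Count' lines; a trailing '**' marks a family or variant new in Q3."""
    rows = {}
    for line in text.strip().splitlines():
        name, count = line.rsplit(None, 1)
        rows[name.rstrip("* ")] = int(count)
    return rows

def top_hits(rows, heuristic, n=10):
    """Merge named detections with one 'Heuristic' bucket, as Figure 8 does,
    and return the n largest (short name, count) pairs."""
    counts = {name.split("/", 1)[1]: c for name, c in rows.items()}
    counts["Heuristic"] = sum(heuristic.values())
    return sorted(counts.items(), key=lambda kv: -kv[1])[:n]

def heuristic_breakdown(heuristic):
    """Percentage split of the heuristic bucket, rounded as in Figure 9."""
    total = sum(heuristic.values())
    return {k: round(100 * v / total) for k, v in heuristic.items()}

def family_totals(rows):
    """Aggregate variants into families (e.g. FakeInst.E + FakeInst.L)."""
    families = Counter()
    for name, c in rows.items():
        families[name.split("/", 1)[1].rsplit(".", 1)[0]] += c
    return families
```

Rolling up by family shows FakeInst (2158) and Kmin (2150) ahead of several single variants that outrank them in Figure 8.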
F-Secure Mobile Security
F-Secure Mobile Security effectively protects your mobile device, smartphone or tablet, from all common mobile threats. It guards against loss and theft, protects your children online with powerful parental control functions, keeps your device free of malware and lets you browse the web safely.
Find out more: http://www.f-secure.com/web/home_global/mobile-security
Purchase F-Secure Mobile Security: https://shop.f-secure.com/cgi-bin/shop/?ID=FSMAV
Protecting the Irreplaceable
This document was previously released under controlled distribution, intended only for selected recipients.
Document made public since: 5 November 2012
F-Secure proprietary materials. © F-Secure Corporation 2012. All rights reserved.
F-Secure and F-Secure symbols are registered trademarks of F-Secure Corporation and F-Secure names and symbols/logos are either trademark or registered trademark of F-Secure Corporation.
Protecting the irreplaceable | f-secure.com