NotCompatible Android Malware: First-known Android Drive-By Download Attack

On May 2nd 2012, Lookout reported the first known incident where compromised websites are being used to serve malicious apps to Android users.

"NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy." - Lookout

Some of the compromised sites that we have seen have the following injected hidden Iframes:

Unsuspecting mobile users browsing hacked sites are tricked into installing NotCompatible while it masquerades itself as a system update (downloaded file named Update.apk).

Luckily, Android users that have the 'Unknown Sources' application setting turned off are not affected by this attack.

Android Malware Dougalek Steals Contact Information

Dougalek is a mobile malware that runs on Android devices. It downloads and plays movie clips from a predetermined remote website while stealing information in the background.

The mobile malware requests the following permissions:

INTERNET - Allows applications to open network sockets.
READ_CONTACTS - Allows an application to read the user's contacts data.
READ_PHONE_STATE - Allows read only access to phone state.

Dougalek Permissions

Looking at the requested permissions, this kind of gives the mobile malware away by requesting more permissions than what it is trying to portray.

Dougalek Installed on the Android Device

Upon execution, Dougalek collects information from the compromised Android device and sends the stolen information to:

hxxp://depot.bulks.jp/get[random].php

Dougalek Stealing Contact Information

It also attempts to download and play a video from:

hxxp://depot.bulks.jp/movie/movie[random].mp4

Meanwhile the affected user only sees this on the screen:

Dougalek stealing information in the background

Google's Project Glass

image courtesy of wired.com

Google has recently unveiled Project Glass.

The idea is that it's going to be a kind of an augmented-reality device that provides google services via a sort of slim eyewear.

It sounds kind of cool to be able to take photos of what you are exactly looking at, and immediately share it to your friends, access maps, and all that kind of stuff. 

But knowing that Google is an ad company, this technology will bring the ads straight into our eyeballs.

The potential applications for this kind of technology is endless, but there is one thing that I am sure of: the cyber criminals are looking forward to it too.

Watch the Project Glass Youtube video here:

Fake IRS Income Tax Appeal Rejection Notice

Fake IRS Income Tax Appeal Rejection Notice

Your income tax appeal has been declined!

Unsuspecting users who receive this fake notification via email telling them that their income tax appeal has been rejected are being lured into opening and executing malicious email attachments.

The cyber criminals are using scare tactics together with legitimate-looking rejection email notifications:

Sample message below:

Dear Chief Account Officer,

Hereby you are notified that your Income Tax Refund Appeal id# has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.

Internal Revenue Service

Telephone Assistance for Businesses:

Toll-Free, 1-800-829-4933

Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

The attachment is an html file containing an obfuscated malicious script.

Successfully deobfuscating the script yields an embedded IFrame which connects to a remote host:

The hidden IFrame has been seen to connect to these URLs:

hxxp://djhasjhjdllaloks.ru:8080/images/aublbzdni.php

hxxp://rusifhasdiuhfs.su:8080/images/aublbzdni.php

We advise our readers to beware when opening email attachments like these.

Ensure that the latest security patches and updates are applied to your computer, and keep your security software up-to-date.

Exploiting Google

SEO : Search Engine Optimization.

No, it's not another buzz word. It's a technique used by malware authors to propagate their malware. They use one of the most respected search engines today (Google) to make their way into the user's machine. Piggybacking on a prestigious, and highly trusted search engine is an efficient and effective way to reach out to billions of users worldwide.

Rogue AVs usually use this method. They create fraudulent sites (site A) which redirects to another site (site B) which in turn downloads Rogue AVs into the system. The malware industry makes sure that Site A gets a hit during Google search by targeting search queries that are sensational or new, for example, the Haiti earthquake.

In light of this, users are advised to be vigilant when accessing sites. When even Google is used as a medium by malwares, blind trust on returned links is unacceptable.

Virus.Virut takes the spotlight

In this era of spywares, file infectors have little exposure left. But nevertheless, they are still a challenge to antimalware engineers. Years ago, the names Nimda and CIH were famous in both the malware and antimalware industry. These past few years, the spotlight is on Virut.

Last year we saw an influx of Virus.Virut infected samples. Virus.Virut is, in my opinion, one of the best viruses in a while. Despite the fact that viruses are harmful, I cannot help but admire the work done to create such a virus.

Virut is a polymorphic file infector. What makes Virut different is the fact that it employs all known infection routines: Entry-Point Obscuring, appending, prepending, cavity. Not only does it employ all these techniques, it can combine them (e.g. EPO appending, EPO + cavity + appending, cavity + appending). It also has decryption layers, the algorithm of which can change from ADD/ SUB/ XOR, etc. Both detection and analysis pose as a challenge, but is one that the antimalware industry has met head-on.

xoxo

Disasterware strikes again, as they call it!

The magnitude 6.4 earthquake does not only rattle Taiwan but even the internet users as well. It is another opportunity for Malware writers to poison returned results from searches about this disaster. It now became a constant attack every time there is major news, earthquake, tsunami or any other event that would call the attention of the people. It seems now it guarantees every news has equivalent virus site. This abused infection vector by fake AVs serve as a warning.

Once unsuspecting users click the malicious site, it will be redirected to fake AV online scan page and shows different annoying pop-ups warning the user that his system is infected and vulnerable to attacks. This might lead the user to download and install the Rogue Antispyware such as Security Antivirus. They have used multiple malicious domain names to prevent them to be easily identified. This infection routine is the same with other reports as you might have read from the previous blogs. But despite of awareness campaign, there are still an increasing number of victims fallen to this scam and worst, lost their money.

I have seen few malicious searched results which start with comma (,) and dash (-) such as above screen shot and from this blog. It is advisable to prevent from visiting these kinds of searched results. Internet users should be very careful in picking which sites to read the latest news. It is much better to read from reputable sources.