Tag Archives: Android

AV-Test Report: malware/threat statistics

AV-Test offers an interesting aggregation of 2016/2017 malware statistics in its Security Report here. Its observations on ransomware may be of particular interest to readers of this blog (how are you both?) The reports points out that:

There is no indication based on proliferation statistics that 2016 was also the “year of ransomware“. Comprising not even 1% of the overall share of malware for Windows, the blackmail Trojans appear to be more of a marginal phenomenon.

But as John Leyden remarks for The Register:

The mode of action and damage created by file-encrypting trojans makes them a much greater threat than implied by a consideration of the numbers…

Looking at the growth in malware for specific platforms, AV-Test notes a decrease in numbers for malware attacking Windows users. (Security vendors needn’t worry: there’s still plenty to go round…)

On the other hand, the report says of macOS malware that ‘With an increase rate of over 370% compared to the previous year, it is no exaggeration to speak of explosive growth.’ Of Android, it says that ‘the number of new threats … has doubled compared to the previous year.’

Of course, there’s much more in this 24-page report. To give you some idea of what, here’s the ToC:

  • The AV-TEST Security Report 2
  • WINDOWS Security Status 5
  • macOS Security Status 10
  • ANDROID Security Status 13
  • INTERNET THREATS Security Status 16
  • IoT Security Status 19
  • Test Statistics 22

David Harley

Lockdroid’s text-to-speech unlocking

Catalin Cimpanu, for Bleeping Computer, details Lockdroid’s novel use of TTS functions as part of the post-payment unlocking process: Android Ransomware Asks Victims to Speak Unlock Code. Based on a report from Symantec that I haven’t seen yet.

Lockdroid’s current campaigns appear to be focused on China, but that doesn’t mean its innovations won’t be seen elsewhere. Symantec’s Dinesh Venkatesan noted implementation bugs and that it might be possible for a victim to recover the unlock code from the phone.

David Harley

LG TV ransomware revisited

In case you were wondering what happened as regards the story I previously blogged here – Smart TV Hit by Android Ransomware – it appears that LG has decided after all to make the reset instructions for the TV public rather than requiring an LG engineer to perform the task for only twice the price of a new set… Note that this was an old model running Android, not a newer model running WebOS.

Catch-up story by David Bisson (following up on his earlier story for Metacompliance) for Graham Cluley’s blog: How to remove ransomware from your LG Smart TV – And the ransomware devs go home empty-handed!

The article quotes The Register’s article here, which details the instructions, but also links to a video on YouTube by Darren Cauthon – who originally flagged the problem – demonstrating the process.

[Also posted at Mac Virus]

David Harley

 

Android Screenlockers using pseudorandomized passcode

While I’ve been occupying various workfree zones for the past few weeks, ransomware has evidently not gone away. Older versions of screenlockers often labelled  Android.Lockscreen denied Android users access to their own devices by locking the screen using a hardcoded passcode, which could be found by reverse engineering. However, as Dinesh Venkatesan reports for Symantec:

New variants of Android.Lockscreen are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom.

Symantec’s article: Android.Lockscreen ransomware now using pseudorandom numbers – The latest Android.Lockscreen variants are using new techniques to improve their chances of obtaining ransom money.

Commentary by David Bisson for Tripwire.

David Harley

Pokémon beGOne – malware exploiting a popular craze

[Also published on the Mac Virus blog, which also addresses smartphone security issues]

Not quite ransomware (though there is a suggestion that it may happen), but but my ESET Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements.  He observes:

This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.

In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. And it’s all to easy for a relatively simple scam to take advantage of a popular craze.

Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.

The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend

Somewhat-related recent articles from ESET:

Other blogs are available. 🙂

David Harley

FLocker: Android Ransomware meets IoT

An article for Trend Micro by Echo Duan illustrates one of the complications of having an operating system that works on and connects all kinds of otherwise disparate objects: FLocker Mobile Ransomware Crosses to Smart TV.

Of course, embedded versions of operating systems such as other versions of Linux, Windows and so on, are not in themselves novel. FLocker, however, seems to lock smart TVs as well as Android phones, as long as they’re not located in one of a number of Eastern European countries. It claims to be levying a fine on behalf of a law enforcement agency. Apparently another of these agencies that prefers its fines paid in iTunes gift cards. As Zeljka Zorz points out for Help Net Security, this doesn’t say much for the credibility of the criminals, but if your device and data have become unavailable to you, knowing that they’re criminals and not the police doesn’t help much.

While the malware locks the screen, Trend tells us that the C&C server collects ‘data such as device information, phone number, contacts, real time location, and other information. These data are encrypted with a hardcoded AES key and encoded in base64.’

Unsurprisingly, Trend’s advice is to contact the device vendor for help with a locked TV, but the article also advises that victims might also be able to remove the malware if they can enable ADB debugging. How practical this would be for the average TV user, I don’t know.

Back in November 2015 Candid Wueest wrote for Symantec on How my TV got infected with ransomware and what you can learn from it, subtitled “A look at some of the possible ways your new smart TV could be the subject of cyberattacks.” Clearly, this particular aspect of the IoT issue has moved beyond proof of concept.

If cited this before, but it’s worth doing again. Camilo Gutierrez, one of my colleagues at ESET (security researcher at the Latin America office) notes that:

… if the necessary precautions are not taken by manufacturers and users, there is nothing to prevent an attacker from seizing control of a device’s functionality and demanding money to return control. Perhaps this is not a threat we expect to see much of in the near future, but we shouldn’t lose sight of it if we are to avoid serious problems later.

Just as I was about to post this, I noticed additional commentary by David Bisson for Graham Cluley’s blog. He notes that there’s an interesting resemblance between FLocker’s interface and the earlier ‘police’ ransomware he calls Cyber.Police.

David Harley

Music-Loving Android.Locker Ransomware

Help Net flagged an interesting instance of an exploit kit delivering Android.Locker ransomware to Android users – Exploit kit targets Android devices, delivers ransomware.

Bluecoat researchers happened across the ransomware – Towelroot and Leaked Hacking Team Exploits Used to Deliver “Dogspectus” Ransomware to Android Devices – when

…a test Android device in a lab environment was hit with the ransomware when an advertisement containing hostile Javascript loaded from a Web page.

Like some older ransomware, the self-labelled Cyber.Police doesn’t encrypt files: it simply locks the device, and demands that the victims pay a $200 fine in the form of two $100 iTunes gift cards. Bizarre, considering that the malware claims to represent an ‘American national security agency’ in true ‘FBI/Police virus’ fashion, though it’s hard to imagine that any of its victims believe it to be official. (However, there are plenty of places you can resell or exchange gift cards for something other than music.) Bluecoat calls it Dogspectus (presumably connected with the malware’s internal name net.prospectus?) but other companies name it as a variant of the Android.Locker family.

While VirusTotal isn’t really intended or usable as a cast-iron way to track the security industry’s response to a threat, it may be worth noting that while quite a few companies detect the .apk, detection for the Towelroot exploit executable is much sparser.

Further commentary:

David Harley

Jailbreaking: not just an AppleJackHack

John Leyden has reported that the Motorola Droid has been rooted, so that users of the hack can install applications not offered by operators, in a manner not dissimilar to jailbreaking the iPhone and iPod Touch.

Here’s the link, , but watch that Shell rollover ad: it really gets in the way if you’re switching tabs!

http://www.theregister.co.uk/2009/12/11/hackers_jailbreak_droid/

See also the article by Stefanie Hoffman at CRN:

http://preview.tinyurl.com/ydm4fxb

No-one is saying that this issue  is 100% analogous to the iPhone issue, in that there is (as far as I know) no readymade vulnerability lying in wait for Droid users (unless you count the vulnerability in wetware that makes social engineering such an effective attack). However, it does point to the weakness of the whitelisting and restricted privilege models as a sole defence. If an end user is willing to forgo the legitimacy of a vanilla smartphone by “rooting” it, in order to get a wider choice of apps, there are people out there willing to share techniques for doing so. And plenty more ready to take advantage of the resulting exposure to risk, if they can.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/