Trend Micro warns Indian Android App users
New Delhi, India, June 4, 2013: While exploits and vulnerabilities are a common problem for users, zero-day exploits in high-profile applications are relatively rare. That was not the case in the first quarter of 2013: multiple zero-day exploits were found targeting popular applications such as Java, Adobe Flash Player, Acrobat, and Reader. In addition, as predicted, Trend Micro saw refinements of already-known threats such as spam botnets, banking Trojans, and readily available exploit kits.
Other high-profile incidents include the South Korean cyber attacks in March, which reiterated the dangers targeted attacks pose. On the mobile front, fake versions of popular apps remained a problem though phishers found a new target in the form of mobile browsers.
Amit Nath, Country Manager, India & SAARC, Trend Micro, said, “Fake apps remained a significant mobile threat in this quarter. Malicious apps that belong to the FAKEINST and OPFAKE families are known for imitating popular apps to lure users into downloading them. Android users from India are acutely exposed to the risk of privacy exposure. This might have been due to the fact that almost all of the mobile users in the country take notice of mobile ads, which could have prompted dubious developers to create apps with aggressive advertising features.”
Digital Life Security Issues
• Historic moments like the papal conclave and the announcement of the new pope did not escape the attention of spammers and Blackhole Exploit Kit perpetrators.
• The Google Glass competition in February also spurred the appearance of several web threats, including malicious links that led to survey scams.
• The spam and malicious domain volumes also spiked days before Valentine’s Day, again proving that cybercriminals still profit from these ruses.
Mobile Threats: Web Threats Affect Mobile Users, Too
• Phishing is an emerging threat in the mobile space.
• In 2012, the majority of mobile sites spoofed were banking sites.
• Financial service-related sites were most spoofed this quarter, proving that phishers, whether on computers or on mobile devices, will always go where the money is.
• An Android malware variant that can send and receive commands was found on 1M smartphones.
• The malware can update its script to evade antimalware detection. Because of its backdoor routines, malicious users are able to control infected devices.
• Fortunately for Trend Micro customers, we have been detecting this malware since July 2012 despite the high number of infections in the first quarter.
• Mobile malware continued to take advantage of popular gaming apps this quarter.
• We spotted fake versions of Temple Run 2 and spoofed apps that offer cheats for the game Candy Crush Saga. These apps aggressively pushed ads and gathered personal information from infected mobile devices.
Financial sites were still the favorite phishing targets even in the mobile space this quarter. The number of mobile phishing URLs increased by 54% from around 500 in the first quarter of 2012 to almost 800 in the same quarter of 2013.
The Android threat volume has reached the halfway mark of our 2013 prediction of 1M, indicating continued cybercriminal interest in the mobile space. The increase could be attributed to the fact that more than half of the global mobile device market share belongs to Google's Android. Premium service abusers and adware remained the top Android threats this quarter. Premium service abusers are known for registering users to overpriced services, while adware aggressively pushes ads and may even collect personal information without affected users' consent.
The majority of the countries most at risk of downloading malicious apps were in Asia, led by Myanmar, with India in second place. India also ranked fifth (34.94%) for the volume of battery-draining apps downloaded.
Vulnerabilities and Exploits
• Java again took center stage this quarter due to a couple of high-profile zero-day incidents.
• A zero-day exploit used to deliver REVETON ransomware variants proved that even fully patched systems are sometimes no match for an exploit.
• Adobe was not exempt from zero-day attacks either, as Adobe Flash Player and Reader fell prey to zero-day exploits in February.
• Two critical vulnerabilities in Adobe Flash Player were exploited, exposing vulnerable computers to malware infection.
• Adobe Reader versions 9, 10, and 11 also fell prey to a zero-day attack, showing that even the vendor's sandbox technology could be bypassed.
Adobe's protection features kept cybercriminals at bay for most of 2012 and into 2013, until they were first broken this quarter.
In the meantime, Java was exploited left and right, joining the ranks of some of the more exploited software to date.
Adobe’s monthly patching cycle (as opposed to Oracle’s quarterly cycle) allowed it to respond more quickly to privately reported vulnerabilities. Despite these steps by vendors, multiple zero-days riddled the first quarter’s security landscape, highlighting the importance of cautious browsing and using proactive solutions.
Cybercrime: Old Threats Return
• The Blackhole Exploit Kit now has exploits for Java vulnerabilities.
• The Whitehole Exploit Kit, so named because it adopts the Blackhole Exploit Kit code with notable differences, also surfaced this quarter.
• Not far behind was the Cool Exploit Kit, which is considered a high-end version of the Blackhole Exploit Kit.
• Users were hit by a threat we dubbed “browser crasher” because it causes browsers to hang or crash across different OSs.
• Asprox, infamous for sending out huge volumes of spam since 2007 and supposedly taken down in 2008, has been "reborn" with a modular framework.
• Unlike before, Asprox now uses compromised legitimate email accounts to evade spam filters, and uses KULUOZ malware as its dropper.
• First spotted in 2011, the Andromeda botnet resurfaced this quarter with spam containing links to compromised sites that host the Blackhole Exploit Kit. Newly spotted Andromeda variants were found spreading via removable drives and dropping component files to evade detection.
India ranked second among spam-sending countries, accounting for 7.70% of spam sent worldwide.
APTs and Targeted Attacks: In Stealth Mode
• In mid-March, certain South Korean entities were targeted by a master boot record (MBR)-wiping Trojan.
• The attacks disrupted the targets’ business by rendering systems, both clients and servers, unable to reboot.
• The samples we found either overwrite infected computers’ MBR using certain strings or delete specific files and/or folders. Once overwritten, computer access either becomes limited or nonexistent.
• Like most remote access Trojans (RATs), FAKEM evades detection by blending in with normal network traffic.
• Unlike other RATs though, FAKEM traffic mimics Windows Messenger, Yahoo! Messenger, or HTML traffic to evade detection.
• Like PlugX, the RARSTONE backdoor also loads an executable file into an infected computer's memory, apart from having its own set of unique tricks.
• RARSTONE hides its executable file by loading the backdoor directly into memory instead of dropping it onto the disk. Unlike PlugX though, it communicates via Secure Sockets Layer (SSL), which encrypts its traffic and allows it to blend in with normal traffic.
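The MBR-wiping attack described above destroys the first sector of the disk, so a responder triaging a suspect image wants a quick check of whether that sector still looks like a boot record. The script below is an added example for this article, not code from Trend Micro or from the report it summarizes: it reads a 512-byte sector, checks the 0x55AA boot signature and the four partition-table entries, and flags a sector that has been stamped with a repeated string. The two sample sectors (`build_sample_mbr`, `build_wiped_mbr`) and the `WIPED!!!` filler are constructed for the example; the actual strings used in the South Korean incidents are not given on this page and are not reproduced here.

```python
"""MBR triage: does the first sector of a disk image still look like a boot
record, or has it been overwritten by a wiper?  Added example; the sample
sectors below are constructed, not real samples from any incident."""
import struct

SECTOR = 512
PTABLE_OFFSET = 446          # partition table starts here, 4 x 16-byte entries
ENTRY_SIZE = 16
SIG_OFFSET = 510             # 0x55AA boot signature occupies the last 2 bytes
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four classic MBR partition entries.
    Layout per entry: boot flag (1), CHS start (3), type (1), CHS end (3),
    LBA start (4, little-endian), sector count (4, little-endian)."""
    entries = []
    for i in range(4):
        off = PTABLE_OFFSET + i * ENTRY_SIZE
        boot, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "boot": boot, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def repeated_pattern(data: bytes, max_period: int = 64):
    """Return the shortest byte string whose repetition fills `data`, or None.
    Wipers that stamp a fixed string over the sector produce exactly this."""
    for n in range(1, max_period + 1):
        if len(data) % n == 0 and data == data[:n] * (len(data) // n):
            return data[:n]
    return None


def triage_mbr(mbr: bytes) -> dict:
    """Return {'intact': bool, 'findings': [str, ...]} for one 512-byte sector."""
    findings = []
    if len(mbr) < SECTOR:
        return {"intact": False, "findings": ["sector shorter than 512 bytes"]}
    mbr = mbr[:SECTOR]

    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")

    entries = parse_partition_table(mbr)
    if not any(e["type"] != 0 for e in entries):
        findings.append("no partition entry with a nonzero type")
    for e in entries:
        if e["boot"] not in (0x00, 0x80):
            findings.append("entry %d: bad boot indicator 0x%02x" % (e["index"], e["boot"]))
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append("entry %d: partition with zero length" % e["index"])

    # Real boot code is mostly opcodes; an area that is almost all printable
    # ASCII is a strong sign that a string has been written over it.
    code_area = mbr[:PTABLE_OFFSET]
    printable = sum(32 <= b < 127 for b in code_area)
    if printable > 0.9 * len(code_area):
        findings.append("boot code area is almost entirely printable ASCII")

    pat = repeated_pattern(mbr)
    if pat is not None:
        findings.append("sector is the pattern %r repeated" % pat)

    return {"intact": not findings, "findings": findings}


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a few plausible opcode bytes, one NTFS-type
    bootable partition starting at LBA 2048, and the boot signature."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])
    code += b"\x00" * (PTABLE_OFFSET - len(code))
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table += b"\x00" * (3 * ENTRY_SIZE)
    return code + table + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed wiped sector: an ASCII marker string stamped over all 512 bytes
    (the filler is invented for this example)."""
    return b"WIPED!!!" * (SECTOR // 8)


if __name__ == "__main__":
    for label, sector in (("healthy", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        result = triage_mbr(sector)
        print(label, "intact" if result["intact"] else "DAMAGED")
        for f in result["findings"]:
            print("  -", f)
```

To run this against a real image, replace the constructed sector with the first 512 bytes of the disk image (`open(path, "rb").read(512)`); the checks are deliberately conservative, so a sector that passes them still deserves a look at the boot code itself.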
© Mouseworld Now News Service