7/24/2013
11:06 AM

Royal Baby Malware Attacks

Hackers capitalize on mania for royal baby and upcoming zombie game; fake versions of real Android apps created via Master Key vulnerability found in China.

Scammers wasted little time after Prince William and his wife, the former Kate Middleton, Monday announced the birth of their son, who's now third in line to the British royal throne.

"Because it is such big news, it didn't take long for malicious elements to misuse it," said Kaspersky Lab security researcher Michael Molsner in a Wednesday blog post, noting that the company's spam traps had already intercepted an email promising regular "Royal Baby" updates. The message also included a "watch the hospital-cam" link, which appeared to resolve to a legitimate site that had been compromised. Although the site appears to have since been cleaned, it was serving malicious JavaScript files designed to infect browsers with the Blackhole infection kit.

Meanwhile, Android malware writers have been capitalizing on interest in the forthcoming "Plants vs. Zombies 2" game from PopCap Studios, which to date has only seen a "soft release" in Australia and New Zealand. Despite that fact, as of Monday, "we discovered no less than seven [related threats] in Google Play alone, either as a fake app download or a 'downloader' for the app itself," said Trend Micro fraud analyst Ruby Santos in a blog post. "One of them was detected to be a fake app that pushed malicious ads to the user."

Google has since removed all of the offending apps from Google Play and suspended the developer accounts that were used to submit the apps. "Google has been commendably quick in handling the threats found in Google Play," Santos said.

But could more be done to prevent malicious apps from appearing on Google Play in the first place? In general, Santos said, fake app download scams perpetrated via Google Play tend to promise versions of apps that aren't yet available for Android, or that require five-star ratings and reviews before they can be "played," which helps the app appear legitimate. Many malicious apps are also free, which appears to be designed to sidestep Google's requirement that any developer offering a paid app must first create a Google Wallet account.

Accordingly, to better crack down on developers submitting fake apps, Google could "make the Google Wallet registration compulsory for all developers wishing to release apps on Google Play," said Santos. "This can serve as identification and proof of legitimacy for legitimate developers, and also a deterrent to cybercriminals."

Security researchers also on Tuesday reported seeing the first malicious use of the "master key" vulnerability that affects all versions of Android prior to version 4.2.2. The bug can be exploited by attackers to inject malicious code into digitally signed versions of legitimate apps.

"The term 'master key' is a bit deceiving; the vulnerability, in fact, does not involve any cryptographic primitive, but instead it is all about stashing inside an Android application -- the apk file -- two versions of the same resource so to partially evade some integrity checks," said Kaspersky Lab security researcher Stefano Ortolani in a blog post. "The impact is, however, prominent, since it means that an adversary is able to tamper with an apk file signed by a trusted authority, so to include a modified resource thereby replacing the genuine one."

Symantec said it has spotted two legitimate apps repackaged as malware using precisely those techniques. "We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has," read a Tuesday blog post from Symantec Security Response. "They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments."

The appointment apps, however, have been altered to disable mobile security software and take full control of any devices they infect. "An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available," Symantec said.

To be clear, the malicious versions of the legitimate apps are only available on third-party app stores located in China, and not from the official Google Play app store. But because China blocks access to Google Play, app-craving Android owners in China are stuck with third-party stores.

Comments
OtherJimDonahue
User Rank: Apprentice
7/25/2013 | 2:51:58 PM
re: Royal Baby Malware Attacks
This could be seen as Darwinism at work. Anyone dumb enough to download this malware deserves to get it.

Jim Donahue
Managing Editor
InformationWeek
IT-security-gladiator
User Rank: Apprentice
7/24/2013 | 4:59:27 PM
re: Royal Baby Malware Attacks
I am an IT consultant all over Asia helping to secure companies' PCs and servers from malware. With the new morphing viruses I had to get really creative and innovative to bring a real solution to the table that works. The antivirus software etc. just can't protect them from morphing, i.e. changing, malware anymore.

So I found this commercial Linux OS that cocoons all versions of Windows, i.e. 7 & XP, inside a very innovative and specialized VM so that the users' data files are saved to a Linux partition, while the Windows OS & software is initially backed up and stored in just one .vdi file safely inside the Linux partition, which contains their original Windows installation with all its programs too. So when they get hit with a morphing virus it takes them only one click to restore their original copy of Windows, and of course since their data is always safe inside the Linux partition and fully read-writable from the Windows OS with bookmarked folders, there is no downtime, as it only takes seconds to click on their Robolinux menu option that restores their original perfect Windows Virtual Machine back to the way it was before the virus struck them.

The result is they are completely immune to all Windows malware.

I can barely keep up with the demand for it. Check it out: Google Robolinux.