Attacks/Breaches
7/24/2013
Royal Baby Malware Attacks

Hackers capitalize on mania for royal baby and upcoming zombie game; fake versions of real Android apps created via Master Key vulnerability found in China.

9 Android Apps To Improve Security, Privacy
Scammers wasted little time after Prince William and his wife, the former Kate Middleton, Monday announced the birth of their son, who's now third in line to the British royal throne.

"Because it is such big news, it didn't take long for malicious elements to misuse it," said Kaspersky Lab security researcher Michael Molsner in a Wednesday blog post, noting that the company's spam traps had already intercepted an email promising regular "Royal Baby" updates. The message also included a "watch the hospital-cam" link, which appeared to resolve to a legitimate site that had been compromised. Although the site appears to have since been cleaned, it was serving malicious JavaScript files designed to infect browsers with the Blackhole infection kit.

Meanwhile, Android malware writers have been capitalizing on interest in the forthcoming "Plants vs. Zombies 2" game from PopCap Studios, which to date has only seen a "soft release" in Australia and New Zealand. Despite that fact, as of Monday, "we discovered no less than seven [related threats] in Google Play alone, either as a fake app download or a 'downloader' for the app itself," said Trend Micro fraud analyst Ruby Santos in a blog post. "One of them was detected to be a fake app that pushed malicious ads to the user."


Google has since removed all of the offending apps from Google Play and suspended the developer accounts that were used to submit the apps. "Google has been commendably quick in handling the threats found in Google Play," Santos said.

But could more be done to prevent malicious apps from appearing on Google Play in the first place? In general, Santos said, fake app download scams perpetrated via Google Play tend to promise versions of apps that aren't yet available for Android, or that require five-star ratings and reviews before they can be "played," which perpetuates the app appearing to be legitimate. Many malicious apps are also free, which appears to be designed to sidestep Google's requirement that any developer offering a paid app must first create a Google Wallet account.

Accordingly, to better crack down on developers submitting fake apps, Google could "make the Google Wallet registration compulsory for all developers wishing to release apps on Google Play," said Santos. "This can serve as identification and proof of legitimacy for legitimate developers, and also a deterrent to cybercriminals."

Security researchers also on Tuesday reported seeing the first malicious use of the "master key" vulnerability that affects all versions of Android prior to version 4.2.2. The bug can be exploited by attackers to inject malicious code into digitally signed versions of legitimate apps.

"The term 'master key' is a bit deceiving; the vulnerability, in fact, does not involve any cryptographic primitive, but instead it is all about stashing inside an Android application -- the apk file -- two versions of the same resource so to partially evade some integrity checks," said Kaspersky Lab security researcher Stefano Ortolani in a blog post. "The impact is, however, prominent, since it means that an adversary is able to tamper with an apk file signed by a trusted authority, so to include a modified resource thereby replacing the genuine one."
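Ortolani's description points at a condition a defender can check for directly: an APK is a ZIP archive, and a signed package should never carry two central-directory entries with the same name. The following script is an added example, not code from the article or from any of the vendors quoted; it builds two constructed in-memory archives (one clean, one with a duplicated `classes.dex` entry) and flags any archive whose central directory lists a name more than once. Entry names and contents are made up for the demonstration.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry_name: count} for every name that appears more than
    once in the archive's central directory.

    A well-formed, signed APK has exactly one entry per name, so any
    repeated name is the 'two versions of the same resource' condition
    the master key write-ups describe and warrants rejecting the file."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() walks the central directory and keeps every record,
        # including duplicates; namelist()/open() would only expose the
        # last one for a given name, which is exactly why a naive check
        # based on name lookups can miss the second copy.
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the archive should be rejected before any signature
    or manifest processing takes place."""
    return bool(duplicate_entries(apk_bytes))


def build_sample(duplicate: bool) -> bytes:
    """Constructed sample archive for the demonstration (not a real app).

    With duplicate=True a second record named classes.dex is appended so
    the central directory lists the name twice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00constructed-original")
        if duplicate:
            with warnings.catch_warnings():
                # zipfile warns about a repeated name but still writes it
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035\x00constructed-second")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)),
                          ("duplicated", build_sample(True))):
        dupes = duplicate_entries(sample)
        verdict = "REJECT" if dupes else "ok"
        print(f"{label:10s} {verdict:6s} {dupes}")
```

The check is deliberately run on the raw central directory rather than through name-based lookups: if two components of a verification pipeline resolve a repeated name differently, they are checking different bytes, and refusing archives with repeated names removes that ambiguity before signatures are ever examined.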

Symantec said it's spotted two legitimate apps repackaged as malware using precisely those techniques. "We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has," read a Tuesday blog post from Symantec Security Response. "They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments."

The appointment apps, however, have been altered to disable mobile security software and take full control of any devices they infect. "An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available," Symantec said.

To be clear, the malicious versions of the legitimate apps are only available on third-party app stores located in China, and not from the official Google Play app store. But because China blocks access to Google Play, app-craving Android owners in China are stuck with third-party stores.

Comments
OtherJimDonahue
User Rank: Apprentice
7/25/2013 | 2:51:58 PM
re: Royal Baby Malware Attacks
This could be seen as Darwinism at work. Anyone dumb enough to download this malware deserves to get it.

Jim Donahue
Managing Editor
InformationWeek
IT-security-gladiator
User Rank: Apprentice
7/24/2013 | 4:59:27 PM
re: Royal Baby Malware Attacks
I am an IT consultant all over Asia helping secure companies' PCs and servers from malware. With the new morphing viruses I had to get really creative and innovative to bring a real solution to the table that works. The antivirus software etc. just can't protect them from morphing, i.e. changing, malware anymore.

So I found this commercial Linux OS that cocoons all versions of Windows, i.e. 7 & XP, inside a very innovative and specialized VM, so that the users' data files are saved to a Linux partition while the Windows OS & software is initially backed up and stored in just one .vdi file safely inside the Linux partition, which contains their original Windows installation with all its programs too. So when they get hit with a morphing virus it takes them only one click to restore their original copy of Windows, and of course, since their data is always safe inside the Linux partition and fully read-writable from the Windows OS with bookmarked folders, there is no downtime, as it only takes seconds to click on their Robolinux menu option that restores their original perfect Windows Virtual Machine back to the way it was before the virus struck them.

The result is they are completely immune to all Windows malware.

I can barely keep up with the demand for it. Check it out: Google Robolinux.