In the past, we've seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We've documented several interesting attacks (A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify) which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits.

Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. Perhaps the most interesting part is that the attack e-mails had an APK attachment - a malicious program for Android.

The attack

On March 24th, 2013, the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list. This is what the spear phishing e-mail looked like:

In regards to the message text above, multiple activist groups have recently organized a human rights conference event in Geneva. We've noticed an increase in the number of attacks using this event as a lure. Here's another example of such an attack hitting Windows users:

Going back to the Android Package (APK) file was attached to the e-mail, this is pushing an Android application named "WUC's Conference.apk".

This malicious APK is 334326 bytes file, MD5: 0b8806b38b52bebfe39ff585639e2ea2 and is detected by Kaspersky Lab products as "Backdoor.AndroidOS.Chuli.a".

After the installation, an application named "Conference" appears on the desktop:

If the victim launches this app, he will see text which "enlightens" the information about the upcoming event:

In mid-February 2013 a Kaspersky user from Malaysia asked us to check a Google Play application called My HRMIS & JPA Demo developed by Nur Nazri.

The user was suspicious about the large number of permissions required by the app, though its only stated function was to open four websites.

Users of inexpensive Android smartphones typically look for ways to accelerate their devices, for example, by freeing up memory. Demand for software that makes smartphones work a little faster creates supply, some of which happens to be malicious. In addition to legitimate applications, apps that only pretend to clean up the system have appeared on Google Play.

We have come across PC malware that infects mobile devices before. However, in this case it’s the other way round: an app that runs on a mobile device (a smartphone) is designed to infect PCs.

On January 22, 2013 Kaspersky Lab discovered the following application on Google Play:

The app is obviously quite popular and has a good rating:

This application has a twin brother that has an identical feature list but a different name:

Like many others, I took advantage of Amazon.com's sale and ordered a Kindle Fire HD last week. When I got around to exploring the Amazon App Store, it didn't take long before running into malware.

While searching for a particular benchmarking app I was presented with some additional apps. One of them immediately looked suspicious.

We previously wrote several times about Man-in-the-Mobile attacks which aim to steal mTANs sent via SMS. For a long time, only two families of such malware have been known: ZeuS-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo). ZitMo and SpitMo work together with their Windows ‘brothers’. Actually, without them, they would look like trivial SMS spy Trojans. It is necessary to mention that during the last two years such attacks have been observed only in some European countries like Spain, Italy, Germany, Poland and few others.

But when the mobile version of Carberp Trojan appeared (we detect it as Trojan-Spy.AndroidOS.Citmo, Carberp-in-the-Mobile) such attacks became real in Russia as well. There is no secret that online banking is becoming more and more popular in Russia; and banks are very active in promoting online banking with various authorization methods.

Carberp for Windows works in a similar way to the ZeuS Trojan. If a user tries to login into his online banking account using a machine infected by Carberp, the malware will modify the transaction so that user credentials are sent to a malicious server rather than a bank server.

In addition to the login and password, cybercriminals still need mTANs in order to confirm any money transfer operation from a stolen account. That is why one of the Carberp modifications (we call it Trojan-Spy.Win32.Carberp.ugu and we've added detection for it on 11th of December) alters the online banking web page on the fly, inviting the user to download and install an application which is allegedly necessary for logging into the system. And the user can get this link via SMS message by entering his phone number or by scanning a QR-code:

According to this screenshot, users of one of the most popular Russian banks, Sberbank, are under attack. ‘Sberbank’ updated its web page on 12th of December with information about the attack. The link in the QR-code led to the fake ‘SberSafe’ application (Trojan-Spy.AndroidOS.Citmo) which has been in Google Play since 30th of November.

Ten months ago we’ve published an article about ZeuS-in-the-Mobile which contains an overview of everything we knew about ZitMo at that moment. The paper finishes with the following prediction: ‘they [attacks involving ZitMo] will become more specifically targeted against a smaller number of victims’. This prediction appears to have been correct. It’s not that often when we hear/find new wave of ZeuS-in-the-Mobile (or SpyEye-in-the-Mobile) attack. So every new piece of information about these types of malware and/or attacks involving them is very important and helps to understand the evolution of one of the most interesting threats in mobile space so far. Just a small reminder: ZeuS-in-the-Mobile is almost 2 years old. And this blog is about new samples (and probably new wave of attack)) of ZitMo for Android and Blackberry.

New samples overview

We’ve got 5 new files of ZitMo: 4 for Blackberry and 1 for Android. As you may know, the Blackberry platform has never been actively targeted by malware. And here we have 4 different samples of ZeuS-in-the-Mobile for Blackberry at once: 3 .cod files and 1 .jar file (with one more .cod inside). Yes, finally we’ve got a ZitMo dropper file for Blackberry.

As for Android, there is only one .apk dropper. But this ZeuS-in-the-Mobile for Android has been modified and now looks like a ‘classic’ ZitMo with same commands and logic.

Countries and C&C numbers

All samples of ZitMo we’ve seen so far target users from various European countries (Spain, Poland, Germany, etc). This case is no exception. Here is a list of countries from which users are threatened by new ZeuS-in-the-Mobile with C&C number from the sample.

Blackberry:

• Germany +46769436094
• Spain +46769436073
• Italy +46769436073
• Spain +46769436073

Android

• Germany +46769436094

To summarize, there are 3 countries (Germany, Spain and Italy) and 2 C&C numbers (both are Swedish). We found out that these cell phone numbers belong to Tele2 mobile operator in Sweden.

The appearance of a new Android malware family is not that surprising at all today. Especially when we talk about SMS Trojans which are one of the most popular and oldest type of threats created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago but we’ve already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target users only from Poland.

Spreading

Trojan-SMS.AndroidOS.Vidro is spread via porn sites. The mechanism is very similar to the way the very first Android malware (Trojan-SMS.AndroidOS.FakePlayer) spread. If the user visits a porn site with a desktop browser he will see something similar to this:

But if the potential victim somehow visits the same website using an Android device, a porn web site will be ‘optimized’ for the smartphone:

Yesterday we were contacted by our partner MegaFon, one of the major mobile carriers in Russia. They notified us about a suspicious application, which was found in both the Apple App Store and Google Play. At first glance, this seemed to be an SMS worm spread via sending short messages to all contacts stored in the phone book with the URL to itself.

However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to remote server. The 'replication' part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.

The application is called ‘Find and Call’ and can be found in both the iOS Apple App Store and Android’s Google Play. We’ve already informed both Apple and Google but we haven’t received an answer yet.

Find and Call in the Apple Store

Find and Call in the Google Play

All user comments (both in Apple Store and Google Play) are pretty angry and contain the same complaint that the app sends SMS spam:

Angry Birds comments

On the 4th of June 2012 we found 3 APK files of ~207 kb in size each heuristically detected by our engine as HEUR:Trojan-Spy.AndroidOS.Zitmo.a. All these applications are malicious and were created to steal incoming SMS messages from infected devices. SMS messages will be uploaded to a remote server whose URL is encrypted and stored inside the body of the Trojan. We found 3 more APK files with exactly the same functionality on 8th, 13th and 14th of June. So there are at least 6 files which pretend to be ‘Android Security Suite Premium’ but in fact were created only for stealing incoming SMS messages.

After the infection there is a blue shield icon in the menu with the name ‘Android Security Suite Premium’:

If the application is launched it will show a generated ‘activation code’:

The story of the Foncy SMS Trojan started during the fall of 2011. This piece of malware was one of the first SMS Trojans targeting users outside Russia and China. Potential victims were from various countries in Europe, North America and Africa. In the middle of January 2012 Foncy was updated: it started to spread together with an IRC bot and a root exploit. But the end of the Foncy story was very close because in February two suspected authors of this malware were arrested in Paris: you can read the story here in French and here in English. Since then we haven’t found any new modifications of this piece of malware.

So, Foncy is dead. And what is Mania? Mania is an SMS Trojan which currently only targets users of Android from France and its code is very similar to the code of the Foncy malware. The first sample of Mania (Trojan-SMS.AndroidOS.Mania) was found approximately at the same time when the Foncy IRC bot was discovered (during the first half of January). After that new variants of Mania appeared in February, March, April and May.

We haven’t found any traces of Mania on Android Market Google Play. It seems that it is spread via file sharing web sites as popular legitimate applications such as PhoneLocator Pro, BlackList Pro, Enhanced SMS and Caller ID, CoPilot Live Europe, Settings Profiles Full, Advanced Call Blocker and Kaspersky Mobile Security.