Recently, we’ve seen SMS Trojans starting to appear in more and more countries. One prominent example is Trojan-SMS.AndroidOS.Stealer.a: this Trojan came top in Kaspersky Lab's recent mobile malware TOP 20. It can currently send short messages to premium-rate numbers in 14 countries around the world.

But this is not all. Another Trojan, Trojan-SMS.AndroidOS.FakeInst.ef, targets users in 66 countries, including the US. This is the first case we have found involving an active SMS Trojan in the United States.

Virus Watch | Caution: Malware pre-installed!

Dong Yan
Kaspersky Lab Expert
Posted March 31, 09:03 GMT
Tags: Mobile Malware, Google Android

China’s leading TV station, CCTV, has a long-standing tradition of marking World Consumer Rights Day on March 15 with its ‘315 Evening Party’. The annual show makes a song and dance about consumer rights violations. This year’s party reported on cases where smartphone distribution channels pre-install malware into Android mobiles before selling them on to unwitting customers.

As the program showed, the pre-installed malware is called DataService:

Incidents | The first Tor Trojan for Android

Roman Unuchek
Kaspersky Lab Expert
Posted February 25, 10:00 GMT
Tags: Mobile Malware, Google Android

Virus writers of Android Trojans have traditionally used Windows malware functionality as a template. Now, yet another technique from Windows Trojans has been implemented in malware for Android: for the first time we have detected an Android Trojan that uses a domain in the .onion pseudo zone as a C&C. The Trojan uses the anonymous Tor network built on a network of proxy servers. As well as providing users with anonymity, Tor makes it possible to display ‘anonymous’ sites in the .onion domain zone that can only be accessed in Tor.

Incidents | Mobile scammers target sports fans

Roman Unuchek
Kaspersky Lab Expert
Posted February 12, 12:30 GMT
Tags: Mobile Malware, Google Android, SMS Trojan

The Olympic Games are a huge event. And scammers are obviously going to try and exploit the interest they generate. We’ve already written about “Olympic” spam mailings. Now, SMS spammers have also appeared on the scene.

On February 10 we registered a spam mailing, which supposedly led to the live stream of an Olympic event:

«Olympic live stream in Sochi hxxp://mms****.ru/olympic.apk»

If unsuspecting users click on the link, a Trojan will be downloaded to their device. We detect the Trojan in question as HEUR:Trojan-SMS.AndroidOS.FakeInst.fb.

If the Trojan is downloaded and launched successfully, it contacts the C&C server and uploads the data gathered from the user’s phone, including the contact list.


Since we published our first blog post about the mobile Trojan Trojan-SMS.AndroidOS.Svpeng, the cybercriminals have improved its functionality. Svpeng is now capable of phishing as well, attempting to harvest users’ financial data.

When a user launches the banking application of one of Russia’s largest banks, the Trojan substitutes the opened window with a phishing window, designed to steal the victim’s login and password for the online banking system:

The data the user enters is sent to the cybercriminals.


Last week, Google released version 4.4 (KitKat) of its hugely popular Android OS. Among the improvements, some have noticed several security-related changes. So, how much more secure is Android 4.4?

The major security improvements in Android 4.4 (KitKat) fall into two categories:

1. Digital certificates
Android 4.4 will warn the user if a Certificate Authority (CA) is added to the device, making it easy to identify Man-in-the-Middle attacks inside local networks. At the same time, Google Certificate Pinning will make it harder for sophisticated attackers to intercept network traffic to and from Google services, by making sure only whitelisted SSL certificates can connect to certain Google domains.

2. OS hardening
SELinux is now running in enforcing mode instead of permissive mode. This helps enforce permissions and thwart privilege escalation attacks, such as exploits that attempt to gain root access. Android 4.4 is also compiled with FORTIFY_SOURCE set at level 2, making buffer overflow exploits harder to implement.


This is one of those scenarios where the user looks for protection but only finds problems. Sergio de los Santos, a friend of mine, has shared with me a link to a false app that pretends to be AdBlock Plus, the well-known and useful application that many users have in their web browsers. At the time of its download, the application was active in Google Play, and all who downloaded it, instead of an app blocking unwanted ads in their web browser, received the exact opposite: more ads and more problems related to data privacy.


In late May we reported on the details of Backdoor.AndroidOS.Obad.a, the most sophisticated mobile Trojan to date. At the time we had almost no information about how this piece of malware gets onto mobile devices. We have since been examining how the Trojan is distributed and discovered that the malware owners have developed a technique which we have never encountered before. For the first time malware is being distributed using botnets that were created using completely different mobile malware.

So far we have discovered four basic methods used to distribute different versions of Backdoor.AndroidOS.Obad.a.

Mobile Botnet

The most interesting of these methods were the ones where Obad.a was distributed along with another mobile Trojan, SMS.AndroidOS.Opfake.a. This was recently described in the blog post “GCM in malicious attachments”. The double infection attempt starts when a user receives a text message containing the following text:

Security policies | Android 4.3 and SELinux

Stefano Ortolani
Kaspersky Lab Expert
Posted August 17, 18:20 GMT
Tags: Google, Google Android

Not many weeks ago Google released a new revision of its flagship mobile operating system, Android 4.3. Although some say that this time the updates have been quite scarce, from a security perspective there have been some undeniable improvements (among others, the "MasterKey" vulnerability has finally been patched). One of the most prominent is SELinux. Many cheered the event as a long-awaited move, while others criticized its implementation. Personally, I think that the impact is not that easy to assess, especially if we were to question the benefits for end users. In order to shed some light, we can't help but analyze a bit more what SELinux is and what its threat model is.

Android JellyBean 4.3 logo.

Research | GCM in malicious attachments

Roman Unuchek
Kaspersky Lab Expert
Posted August 14, 15:55 GMT
Tags: Mobile Malware, Google Android

Android OS offers an interesting service known as Google Cloud Messaging, or GCM. This service allows small (up to 4 KB) messages in JSON format to be delivered via Google’s servers to users’ mobile devices. These messages may contain any structured data, such as links, advertising information, or commands.

In order to use this service, a developer must first obtain a unique ID for their applications, which is used to register the applications with GCM. After registration, the developer may send data to all devices on which the registered applications are installed, or to just some of them.

The service is used to locate stolen phones, change phone settings remotely, send out notifications about new game levels or new products, and more.

It would be surprising, of course, if virus writers did not attempt to take advantage of the opportunities presented by this service. We have detected several malicious programs that use GCM as a C&C.