The situation surrounding attempted mobile malware infections is constantly changing, and I’d like to write about one recent trend. Over the last year, Trojan-SMS.AndroidOS.Stealer.a, a mobile Trojan, has become a leader in terms of the number of attempted infections on KL user devices, and now continually occupies the leading positions among active threats. For example, in Q1 2014 it accounted for almost a quarter of all detected attacks.

Geographic distribution

This SMS Trojan has actively been pushed by cybercriminals in Russia, and there have also been continual attempts to attack users in Europe and Asia. Infections with this Trojan have occurred virtually everywhere across the globe:

Virus Watch|Stealing from wallets

Roman Unuchek
Kaspersky Lab Expert
Posted April 04, 11:06  GMT
Tags: Mobile Malware, Electronic Payments

We’ve written several times about mobile malware that can send text messages to premium numbers or steal money from online bank accounts. We also know that cybercriminals are constantly looking for new ways of stealing money using mobile Trojans. So our recent discovery of Trojan-SMS.AndroidOS.Waller.a highlighted a new get-rich technique that not only sent a premium SMS but also saw the malware attempt to steal money from a QIWI electronic wallet.

After Trojan-SMS.AndroidOS.Waller.a launches, it contacts its C&C server and awaits further commands.


Request to the C&C

Virus Watch|Caution: Malware pre-installed!

Dong Yan
Kaspersky Lab Expert
Posted March 31, 09:03  GMT
Tags: Mobile Malware, Google Android

China’s leading TV station, CCTV, has a long-standing tradition of marking World Consumer Rights Day on March 15 with its ‘315 Evening Party’. The annual show makes a song and dance about consumer rights violations. This year’s party reported on cases where smartphone distribution channels pre-install malware into Android mobiles before selling them on to unwitting customers.

As the program showed, the malware pre-installed is called DataService:

Incidents|The first Tor Trojan for Android

Roman Unuchek
Kaspersky Lab Expert
Posted February 25, 10:00  GMT
Tags: Mobile Malware, Google Android

Virus writers of Android Trojans have traditionally used Windows malware functionality as a template. Now, yet another technique from Windows Trojans has been implemented in malware for Android: for the first time we have detected an Android Trojan that uses a domain in the .onion pseudo zone as a C&C. The Trojan uses the anonymous Tor network built on a network of proxy servers. As well as providing users with anonymity, Tor makes it possible to display ‘anonymous’ sites in the .onion domain zone that can only be accessed in Tor.


Incidents|Mobile scammers target sports fans

Roman Unuchek
Kaspersky Lab Expert
Posted February 12, 12:30  GMT
Tags: Mobile Malware, Google Android, SMS Trojan

The Olympic Games are a huge event. And scammers are obviously going to try and exploit the interest they generate. We’ve already written about “Olympic” spam mailings. Now, SMS spammers have also appeared on the scene.

On February 10 we registered a spam mailing, which supposedly led to the live stream of an Olympic event:

«Olympic live stream in Sochi hxxp://mms****.ru/olympic.apk»

If unsuspecting users click on the link, a Trojan will be downloaded to their device. We detect the Trojan in question as HEUR:Trojan-SMS.AndroidOS.FakeInst.fb.

If this Trojan successfully downloads and launches, it contacts the C&C server and transfers the data gathered from the user’s phone, including the list of contacts.




In 2014 we expect significant growth in the number of threats related to economic and domestic cyber-espionage, with cyber-mercenaries/cyber-detectives playing an active role in such attacks.

The full report is available here


Since we published our first blog post about the mobile Trojan Trojan-SMS.AndroidOS.Svpeng, the cybercriminals have improved its functionalities. Now Svpeng is capable of phishing as well, trying to harvest the financial data of users.

When a user launches the banking application of one of Russia’s largest banks, the Trojan substitutes the opened window with a phishing window, designed to steal the victim’s login and password for the online banking system:

The data the user enters is sent to the cybercriminals.


Last week, Google released version 4.4 (KitKat) of its hugely popular Android OS. Among the improvements, some people have noticed several security-related changes. So, how much more secure is Android 4.4?

The major security improvements in Android 4.4 (KitKat) fall into two categories:

1. Digital certificates
Android 4.4 will warn the user if a Certificate Authority (CA) is added to the device, making it easy to identify Man-in-the-Middle attacks inside local networks. At the same time, Google Certificate Pinning will make it harder for sophisticated attackers to intercept network traffic to and from Google services, by making sure only whitelisted SSL certificates can connect to certain Google domains.

2. OS hardening
SELinux is now running in enforcing mode, instead of permissive mode. This helps enforce permissions and thwart privilege escalation attacks, such as exploits that want to gain root access. Android 4.4 comes compiled with FORTIFY_SOURCE set at level 2, making buffer overflow exploits harder to implement.


This is one of those scenarios where the user looks for protection but only finds problems. Sergio de los Santos, a friend of mine, shared with me a link to a fake app that pretends to be AdBlock Plus, the well-known and useful application that many users have in their web browsers. At the time of its download, the application was live in Google Play, and everyone who downloaded it, instead of getting an app that blocks unwanted ads in their web browser, received the exact opposite: more ads and more problems related to data privacy.


In late May we reported on the details of Backdoor.AndroidOS.Obad.a, the most sophisticated mobile Trojan to date. At the time we had almost no information about how this piece of malware gets onto mobile devices. We have since been examining how the Trojan is distributed and discovered that the malware owners have developed a technique which we have never encountered before. For the first time malware is being distributed using botnets that were created using completely different mobile malware.

So far we have discovered four basic methods used to distribute different versions of Backdoor.AndroidOS.Obad.a.

Mobile Botnet

The most interesting of these methods were the ones where Obad.a was distributed along with another mobile Trojan, SMS.AndroidOS.Opfake.a. This was recently described in the blog post GCM in malicious attachments. The double infection attempt starts when a user gets a text message containing the following text: