MOBILE THREAT REPORT, Q4 2012, F-Secure (2nd Section)

IRCRE201303131
Date: 2013-03-17
 
F-Secure has published a report on mobile threats in the fourth quarter of 2012. The second section of that report is summarized in the following post.
 
Malware
Backdoor:Android/FakeLook.A
FakeLook.A does not place an icon on the application menu, hiding its presence from the device owner. It can, however, be seen listed as 'Updates' under the 'Manage applications' option in Settings.
FakeLook.A connects to a command and control (C&C) server to receive further instructions. It collects information such as the device ID and SMS messages, lists the files on the SD card, and compresses files before uploading them to an FTP server using the username 'ftpuser' and the password 'upload'. Because the credentials are fixed, an FTP login with this username and password is a usable network indicator for this family.
 
Trojan:Android/Citmo.A
Citmo.A is the mobile version of Carberp, a banking trojan that infects personal computers to steal banking credentials. Citmo.A’s functions are similar to Zitmo (Zeus for mobile) and Spitmo (SpyEye for mobile)—it monitors incoming SMS messages and steals the mobile Transaction Authentication Number (mTAN) that banks send to their customers to validate an online banking transaction.
 
Trojan:Android/EcoBatry.A
Upon installation, EcoBatry.A requests permissions that allow it to access the Internet, contact data, and information about the device. The malware then establishes an outgoing connection to a remote server, from which it is instructed to collect the user's contact information and upload the details to the server.
 
Trojan:Android/FakeFlash.A
FakeFlash.A poses as a legitimate Flash Player application. When launched, it displays a message stating that the Flash Player application has been successfully installed, and then redirects the user to another website.
 
Trojan:Android/FakeGuard.A
FakeGuard.A is malware that intercepts incoming SMS and WAP Push messages. It steals user information and establishes a connection to a remote server. Responses received from the server are decoded using the MS949 character set, while outgoing data is encoded in EUC-KR; both are Korean character sets.
 
Trojan:Android/GeoFake.A and GeoFake.B
GeoFake.A is distributed as a Chinese calendar application, but requests permissions during installation that a calendar has no need for. The permissions it requests are as follows:
• Manage account list
• Access and use the account’s authentication credentials
• Read and edit SMS or MMS messages
• Read system log files
• Access location information
Once installed on a device, the malware sends SMS messages to premium-rate numbers. It uses the Google Maps API to select which premium service to use according to the geolocation of the device, so that the number billed matches the victim's country.
 
Trojan:Android/InfoStealer.A
InfoStealer.A, as its name indicates, steals contact information and uploads the details to a remote MySQL server. The stolen information includes:
• Device ID
• Email address
• Latitude and longitude
• Phone number
• Postal code
• Region
• Street
• Username
 
Trojan:Android/MaleBook.A
MaleBook.A collects device information and later forwards the details to several remote servers. The collected information includes:
• Application ID
• Application version
• Country code
• Device name
• Device type
• Device width and height
• International Mobile Equipment Identity (IMEI) number
• International Mobile Subscriber Identity (IMSI) number
• Language
• Operating system version
• SDK version
Additionally, the malware also attempts to download advertisements from the servers onto the infected device.
 
Trojan:Android/Placsms.A
Placsms.A appears as 'sp_pay' on the application menu and, during installation, requests permissions that allow it to access the Internet, SMS messages, SD card contents, and the device's system settings.
The application collects information such as the device’s International Mobile Equipment Identity (IMEI) number and phone number; it later uploads the details to a remote server.
 
Trojan:Android/SMSAgent.A
SMSAgent.A appears as a game application but silently performs malicious routines in the background. It attempts to download other potentially malicious files from a remote server and sends SMS or MMS messages that place expensive charges on the user's bill.
Additionally, SMSAgent.A displays advertisements and collects the following information, which is later uploaded to the remote server:
• Device ID
• IMEI number
• Network type
• Operator
 
Trojan:Android/Stesec.A
Once installed on the device, Stesec.A does not place an icon on the application menu, hiding its presence from the user. It can only be seen under the 'Manage applications' option in Settings, listed as 'newService'.
Stesec.A sends SMS messages containing device information such as the IMEI number, software version, and other details to a remote server.
 
Trojan:Android/Stokx.A
Stokx.A connects to a remote server and receives an XML file. The file contains details such as a client ID, the phone number to which it will send SMS messages, and a URL for downloading additional APKs.
The malware forwards the device's International Mobile Equipment Identity (IMEI) number to the remote server, and sends an SMS message with the content "SX357242043237517" to the number 13810845191.
 
Trojan:Android/Temai.A
Temai.A collects the following device information, and later forwards the details to a few remote addresses:
• Application ID
• Application version
• Country code
• IMEI number
• IMSI number
• Operating system version
In addition to collecting and forwarding device information, the malware downloads and installs potentially malicious APKs and script files onto the infected device. Users may also be exposed to other risks resulting from the various permissions granted to the malware during the installation process.
 
Trojan:Android/Tesbo.A
Tesbo.A connects to a couple of remote servers and forwards details such as the device's International Mobile Subscriber Identity (IMSI) number and the application's package name to them.
Furthermore, the malware sends SMS messages with the content "[IMSI]@[random from 1-10]" to the number 10658422.
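The fixed SMS destinations and message bodies quoted above for Stokx.A and Tesbo.A are the kind of indicator a defender can match against an outgoing-SMS log. The following is an added example written for this post, not code from the F-Secure report; it assumes a constructed log format of (destination, body) records, and the 14-15 digit IMSI length bound comes from the 3GPP numbering plan rather than from the report.

```python
"""Match outgoing-SMS records against the Stokx.A and Tesbo.A indicators
quoted in the report (added example, not part of the F-Secure report).

The record format (dicts with 'to' and 'body') is a constructed stand-in
for whatever an MDM or device-side SMS log actually emits.
"""
import re
from typing import Iterable, Iterator, Optional, Tuple

# Stokx.A: fixed body sent to a fixed number (both values quoted in the report).
STOKX_NUMBER = "13810845191"
STOKX_BODY = "SX357242043237517"

# Tesbo.A: "[IMSI]@[random from 1-10]" sent to 10658422 (quoted in the report).
# An IMSI is 14 or 15 decimal digits (3GPP TS 23.003); that bound is our
# assumption, not something the report states.
TESBO_NUMBER = "10658422"
TESBO_BODY_RE = re.compile(r"^(?P<imsi>\d{14,15})@(?P<n>[1-9]|10)$")


def classify_sms(to: str, body: str) -> Optional[str]:
    """Return the family name if an outgoing SMS matches an indicator, else None."""
    to = to.strip()
    body = body.strip()
    if to == STOKX_NUMBER and body == STOKX_BODY:
        return "Stokx.A"
    if to == TESBO_NUMBER and TESBO_BODY_RE.match(body):
        return "Tesbo.A"
    return None


def scan_log(records: Iterable[dict]) -> Iterator[Tuple[int, str, dict]]:
    """Yield (index, family, record) for every record that matches an indicator."""
    for i, rec in enumerate(records):
        fam = classify_sms(rec["to"], rec["body"])
        if fam:
            yield i, fam, rec


# Constructed sample records: one hit per family, one near-miss per family, one benign.
SAMPLE_LOG = [
    {"to": "13810845191", "body": "SX357242043237517"},   # Stokx.A indicator
    {"to": "10658422", "body": "460001234567890@7"},      # Tesbo.A (IMSI value is constructed)
    {"to": "10658422", "body": "460001234567890@11"},     # suffix outside 1-10, no match
    {"to": "13810845191", "body": "hello"},               # right number, wrong body
    {"to": "+15551234567", "body": "on my way"},          # benign
]

if __name__ == "__main__":
    for idx, fam, rec in scan_log(SAMPLE_LOG):
        print(f"record {idx}: {fam} indicator -> to={rec['to']} body={rec['body']!r}")
```

Matching on both the destination number and the body shape keeps the Tesbo.A rule from firing on unrelated traffic to the same short code, while the Stokx.A rule is an exact match because the report gives a fixed body. Indicators like these are brittle (a new variant can change the number or the separator), so they complement rather than replace permission-based triage.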
 
Trojan:SymbOS/Ankaq.A
Ankaq.A sends SMS messages to premium-rate numbers and silently installs new software onto the infected device. To avoid detection, it terminates all processes belonging to anti-virus products.
 
[Figure: mobile threats motivated by profit per year, 2006-2012]
[Figure: mobile threats motivated by profit per quarter, Q1-Q4 2012]
[Figure: profit-motivated threats by platform, 2012]
 
References:
F-Secure, Mobile Threat Report Q4 2012

Created: 27 Esfand 1391 (17 March 2013)