SlideShare ist ein Scribd-Unternehmen logo

F-Secure Mobile Threat Report, Q2 2012

F-Secure Corporation
F-Secure Corporation

Details the mobile threats that F-Secure Labs analyzed between April to June 2012.

Technologie
1 von 29
Downloaden Sie, um offline zu lesen
MOBILE THREAT REPORT Q2 2012
Mobile Threat Report Q2 2012 F-Secure Labs At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work around the clock to ensure our customers are protected from the latest online threats. Round-the-clock response work takes place in three shifts, one of which is handled in Helsinki, and two in Kuala Lumpur. At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation, ensuring that sudden virus and malware outbreaks are dealt with promptly and effectively. Protection around the clock Response Labs work is assisted by a host of automatic systems that track worldwide threat occurences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of virus and malware to profit from these attacks are constantly at work on new threats. This situation demands around the clock vigilance on our part to ensure that our customers are protected. 2
Mobile Threat Report Q2 2012 abstract THIS REPORT DISCUSSES THE MOBILE THREAT LANDSCAPE AS SEEN IN THE second quarter of 2012, AND INCLUDES STATISTICS AND DETAILS OF THE MOBILE THREATS THAT F-SECURE RESPONSE LABS HAVE SEEN AND ANALYZED DURING THAT PERIOD. The data presented in this report were collected between 1 april–27 june 2012. Contents abstract3 Executive Summary 5 Latest threats in the last three months 6 Figure 1: New Families and Variants Received Per Quarter 7 Figure 2: Mobile Threats by Type, Q2 2012 8 Potentially unwanted software 9 Adware:Android/Mobsqueeze.A10 Application:Android/AdOp.A10 Monitoring-Tool:Android/AndSpy.A10 Monitoring-Tool:Android/Lifemonspy.A11 Monitoring-Tool:Android/MobileTracker.A11 Monitoring-Tool:Android/PdaSpy.A11 Monitoring-Tool:Android/SpyEra.A12 Monitoring-Tool:Android/SpyHasb.A13 Riskware:Android/QPlus.A13 Figure 3: Mobile Threats Motivated by Profit 14 Figure 4: Top-6 Android Detections per Month, Q2 2012 15 Figure 5: Breakdown of Detection Count, Q2 2012 15 Malware 16 Trojan:Android/AcnetSteal.A17 Trojan:Android/Cawitt.A17 Trojan:Android/Frogonal.A18 Trojan:Android/Gamex.A19 Trojan:Android/KabStamper.A19 Trojan:Android/Mania.A20 Trojan:Android/PremiumSMS.A, and variant B 20 3
Mobile Threat Report Q2 2012 Trojan:Android/SmsSpy.F21 Trojan:Android/UpdtKiller.A21 Trojan:Android/Uranico.A22 Trojan-Proxy:Android/NotCompatible.A22 Trojan:J2ME/CuteFreeSMS.A23 Trojan:J2ME/ValeSMS.A23 Trojan:Symbian/AndroGamer.A23 Trojan:SymbOS/Kensoyk.A23 Trojan:Symbian/LaunchOut.A24 Trojan:SymbOS/Lipcharge.A24 Trojan:SymbOS/Monlater.A, and variant B 24 Trojan:Symbian/RandomTrack.A25 New variants of already known families 26 Figure 6: New Android Malware Sorted by Sample Count, Q2 2012 27 Table 1: Top Android Samples Received in Q2 2012 28 4
Mobile Threat Report Q2 2012 Executive Summary Changes in the Android threat landscape Every quarter, Android malware continues to grow in number, and Q2 2012 is no “In May 2012, the first exception. We received a total of 5033 malicious Android application package files (APKs), most of which are coming from third-party Android markets. This amount is a Android malware to use 64% increase compared to the number in the previous quarter. Out of this amount, we the drive-by download identified 19 new families and 21 new variants of existing families. A high concentration of these new variants is coming from FakeInst and OpFake, two families that are found method was spotted in to be related. Malware in these two families share a lot of similarities that in some instances, they can be classified as one family. In general, the new variants retain the the wild.” same malicious behavior as found in the previous ones, only improving on the method used in defeating anti-virus technology in order to avoid detection. After a while on the scene, Android malware has begun to explore new methods of infection as evidenced by NotCompatible.A and Cawitt.A. In May 2012, the first Android malware to use the drive-by download method was spotted in the wild, detected as Trojan-Proxy:Android/NotCompatible.A. A simple visit to a malicious website could render a device infected, if the device is configured to allow installations from unknown sources. When visiting a specially crafted website, the device will automatically download an application from the site. This application is then shown in the notification menu, waiting for the user to install it. To convince the user into installing it, the malware relies on social engineering tactics, naming the application as “com.Security.Update’ and the filename as “Update.Apk.” Once infected, the device is turned into a proxy or becomes part of a bot network. In addition to drive-by download, another infection method discovered in this quarter is the utilization of Twitter as a bot mechanism. Cawitt.A for instance, accesses a Twitter account (possibly set up by the malware) to obtain a server address, from which it communicates with and receives further command from. Upon receiving instructions, this malware sends out SMS messages to certain numbers, and forwards data on the device’s International Mobile Equipment Identity (IMEI) number, phone number, and Android ID to the aforementioned server. Aside from the continuing growth of Android malware and the discovery of new infection methods, the second quarter also reveals a trend in regionally-based attack. In Spain for instance, we tend to get a lot of reports on banking-related attacks. This quarter, SmsSpy.F which is related to Zitmo, is a fairly popular case being reported. The malware appears to be specifically targeting users who perform an online banking transaction and need the Mobile Transaction Authorization Number (mTAN). It arrives as an SMS message, notifying the user to download a security application from the provided link. 5
Latest threats in the last three months
Mobile Threat Report Q2 2012 60 Android J2ME PocketPC 52 Symbian 50 40 40 37 35 30 23 20 21 20 16 15 10 10 11 6 4 2 1 1 0 0 0 0 0 0 0 0 Q1 Q2 Q3 Q4 Q1 Q2 2011 2011 2011 2011 2012 2012 Figure 1: New Families and Variants Received Per Quarter NOTE: The threat statistics used in Figure 1 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 7
Mobile Threat Report Q2 2012 Application 5.2% Adware 1.7% Monitoring-Tool 10.4% Riskware 1.7% Trojan 81.0% Figure 2: Mobile Threats by Type, Q2 2012 NOTE: The threat statistics used in Figure 2 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 8
Potentially unwanted software We consider the following program as potentially unwanted software, which refers to programs that may be considered undesirable or intrusive by a user if used in a questionable manner.
Mobile Threat Report Q2 2012 Adware:Android/Mobsqueeze.A Mobsqueeze.A is an adware module that was found to be exclusively used by Trojans in the FakeBattScar family to advertise the rogue Battery Optimizer or Battery Optimizer Application. A separate detection has also been added to detect applications that promote the FakeBattScar Trojans. Permissions requested by Mobsqueeze.A Application:Android/AdOp.A AdOp.A is an application that arbitrarily creates shortcuts and advertisement- motivated notifications, which link to a website or an application. The application that users is being led to may not even be present on the device, but it does not stop Ropin.A from creating its corresponding shortcut. AdOp.A is not directly harmful to the device, but it may poses some risks if the shortcut or notification leads users to a questionable website. Monitoring-Tool:Android/AndSpy.A AndSpy.A is a monitoring and anti-theft program that originated from China, but is also marketed to several English speaking regions. Its capabilities can be remotely triggered by sending a particular SMS message to the device. If the message contains a valid command, it will silently perform the corresponding task. For example: • 0# : Register the Master number that will be used to send replies • 1# : Enable SMS forwarding • 2# : Disable SMS forwarding • 8# : Send device’s contacts • 10# : Send location details AndSpy.A is a stealthy program. It performs malicious activities quietly, and leaves no visible clue that can indicate its presence on the device. 10
Mobile Threat Report Q2 2012 Monitoring-Tool:Android/Lifemonspy.A Lifemonspy.A is a monitoring and anti-theft program that provides the user with some control of the device through SMS messages. It allows the user to perform these actions from a remote location: • Deleting contacts • Deleting contents of the external storage (SD card) • Transferring SMS messages in the inbox to a Gmail account • Deleting previously sent messages from the outbox • Turning off the device The program places no visible icon on the menu screen, but can be seen listed on the ‘Manage applications’ window. From time to time, it forwards the device’s location to a remote website. Upon detecting a change in the device’s Subscriber Identity Module (SIM), Lifemonspy.A will send out an alert message to a configured number and log the event on the aforementioned website. Permissions requested by Lifemonspy.A (left), and Lifemonspy.A as viewed on the ‘Manage applications’ window (right) Monitoring-Tool:Android/MobileTracker.A MobileTracker.A is a part of Samsung DIVE, a free service that allows device owners to track and control their device remotely. In case of theft, the owner can lock and wipe the device, receive notification on SIM card change, as well as track the device. Monitoring-Tool:Android/PdaSpy.A PdaSpy.A is a commercial monitoring application with a 24-hours free or trial lock. It must be manually installed on the targeted device, and an account at PdaSpy.com must be created. 11
Mobile Threat Report Q2 2012 Once installed, it places no icon on the application menu to avoid being noticed. It just runs silently in the background, logging the following information: • Phone calls • SMS messages • GPS locations The information can be viewed by visiting the PdaSpy website and logging in to the user account. An account at PdaSpy.com is needed to view logged data Monitoring-Tool:Android/SpyEra.A SpyEra.A is programmed to monitor and retrieve data from a compromised device. Its malicious activities are triggered when the device receives a specially crafted SMS message. SpyEra.A places no visible icon on the application menu, but its presence is revealed with a quick look under the ‘Manage applications’ in Settings. SpyEra.A as listed under ‘Manage applications’ (left), and the permissions it requested (right) 12
Mobile Threat Report Q2 2012 Monitoring-Tool:Android/SpyHasb.A SpyHasb.A is a commercial monitoring tool that is marketed as ‘Phone Tracker,’ ‘Husband Tracker,’ ‘Wife Tracker,’ and ‘Android Locator’ among other names. Its capabilities include monitoring the following information: • Phone calls • SMS messages • GPS locations SpyHasb.A’s user interface, as seen on a device Riskware:Android/QPlus.A QPlus.A is a tool that gathers information from the device it was installed on. It runs silently in the background, and cannot be seen on the list of applications. Its presence however, becomes visible when looking into application management. QPlus.A runs as a service in the background When monitoring a device, QPlus.A runs in the background as a service. It monitors and collects the following information, which is later sent to a proxy mail server: • Call logs • SMS messages • Instant Messenger Chat History 13
Mobile Threat Report Q2 2012 6 Not profit-motivated q1 2011 13 profit-motivated 20 q2 2011 18 37 q3 2011 39 33 q4 2011 29 17 q1 2012 35 19 q2 2012 39 Figure 3: Mobile Threats Motivated by Profit NOTE: The threat statistics used in Figure 3 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 14
Mobile Threat Report Q2 2012 april 2012 may 2012 june 2012 413 326 139 121 126 110 84 84 60 66 47 43 33 31 22 25 22 11 OpFake.E Heuristic Ginmaster.B FakeInst.L OpFake.F FakeApp.C Heuristic FakeInst.K Ginmaster.C OpFake.F Frogonal.A FakeApp.C Heuristic Ginmaster.C Frogonal.A FakeApp.C FakeInst.K FakeInst.N Figure 4: Top-6 Android Detections per Month, Q2 2012 Malware – 502 Manual Heuristic Detection 4173 Detection 860 Riskware/Spyware – 358 Figure 5: Breakdown of Detection Count, Q2 2012 NOTE: The threat statistics used in Figure 4 and Figure 5 are made up of the number of unique Android application package files (APKs). 15
Malware Programs categorized as malware are generally considered to pose a significant security risk to the user’s system and/or information. Malicious actions carried out by these programs include (but are not limited to) installing hidden objects as well as hiding the objects from the user, creating new malicious objects, damaging or altering any data without authorization, and stealing any data or access credentials.
Mobile Threat Report Q2 2012 Trojan:Android/AcnetSteal.A AcnetSteal.A is a program that harvests data and information from the device. It obtains the following information: • Email addresses • Phone numbers AcnetSteal.A as seen on a device Trojan:Android/Cawitt.A Once installed, Cawitt.A will not place a launcher icon in the application menu to prevent it from being noticed by the user. Its presence, however, can be revealed with a quick look under the ‘Manage applications’ in Settings. Cawitt.A as listed in the device, and the permissions it requested 17
Mobile Threat Report Q2 2012 Cawitt.A operates silently in the background, gathering device information which it later forwards to a remote server. Collected information include: • Device ID • International Mobile Equipment Identity (IMEI) number • Phone number • Bot ID • Modules It also sends out premium-rate SMS messages from the device upon receiving command from the remote server. Trojan:Android/Frogonal.A Frogonal.A is a trojanized malware; it is a repackaged version of an original application where extra functionalities used for malicious intent have been added into the new package. Frogonal.A harvests the following information from the compromised device: • Identification of the trojanized application »» Package name »» Version code • Phone number • IMEI number • IMSI number • SIM serial number • Device model • Operating system version • Root availability Requested permissions and offered games in Frogonal.A 18
Mobile Threat Report Q2 2012 Trojan:Android/Gamex.A Gamex.A hides its malicious components inside the package file. Once it is granted a root access by the user, it connects to a command and control (CC) server to download more applications and to forward the device IMEI and IMSI numbers. Additionally, it also establishes a connection to an external link which contains a repackaged APK file, and proceeds to downloading and installing the file. Gamex.A listed as ‘Updater’ (left), and the permissions it requested (right) Trojan:Android/KabStamper.A KabStamper.A is a malware that circulated in Japan during the AKB48 ‘election.’ AKB48 AKB48: A popular music act in Japan, this is a Japanese pop group that consists of 48 members. The ‘election’ was held to select pop group consists of 48 members. the most popular member who will become the face of the group. KabStamper.A is distributed via trojanized applications that deliver news and videos on the AKB48 group. Malicious code in the malware is highly destructive; it destroys images found in the sdcard/DCIM/camera folder that stores images taken with the device’s camera. Every five minutes, the malware checks this folder and modifies a found image by overwriting it with a predefined image. Comparison between before and after KabStamper.A’s infection 19
Mobile Threat Report Q2 2012 Trojan:Android/Mania.A Mania.A is an SMS-sending malware that sends out messages with the content “tel” or “quiz” to the number 84242. Any reply from this number is redirected to another device to prevent user from becoming suspicious. While running, Mania.A appears to be performing license checking, but this process always fails and never seems to be completed. The license checking is a cover up for the SMS sending activities that are taking place in the background. Mania.A pretends to perform license checking, which always failed Mania.A is known for using the trojanization technique, where it is repackaged with another original application in order to dupe victims. Some known legitimate applications that have this malware trojanized in their package include: • Phone Locator Pro • CoPilot Live Europe • Setting Profile Full • Tasker Trojan:Android/PremiumSMS.A, and variant B PremiumSMS.A is a Trojan that reaps profit from its SMS sending activities. It has a configuration file that contains data on the content of the SMS messages and the recipient numbers. Example of the sent messages: • Number: 1151 • Content: 692046 169 BGQCb5T3w • Number: 1161 • Content: 692046 169 BGQCb5T3w • Number: 3381 • Content: 692046 169 BGQCb5T3w 20
Mobile Threat Report Q2 2012 • Number: 1005 • Content: kutkut clsamg 6758150 • Number: 5373 • Content: kutkut clsamg 6758150 • Number: 7250 • Content: kutkut clsamg 6758150 Trojan:Android/SmsSpy.F SmsSpy.F poses as an Android Security Suite application that actually does nothing in ensuring the device’s security. It does however, records received SMS messages into a secsuite.db instead. SmsSpy.F poses as an Android Security Suite application This malware targets banking consumers in Spain where it is spammed via a message indicating that an extra Security Protection program that protects the device is available for download. Trojan:Android/UpdtKiller.A UpdtKiller.A connects to a command and control (CC) server, where it forwards users’ data to and receives further command from. This malware is also capable of killing anti-virus processes in order to avoid being detected. 21
Mobile Threat Report Q2 2012 UpdtKiller.A as seen on a device Trojan:Android/Uranico.A Uranico.A is a Trojan that harvests the following information from an infected device: • Phone number • IMEI number • IMSI number • Contacts or Address Books (phone numbers and email addresses) The harvested information are later forwarded to a remote server. Uranico.A as seen on a device Trojan-Proxy:Android/NotCompatible.A NotCompatible.A operates like a drive-by download threat. It gains entry into a device when the user visits a compromised website, and proceeds to downloading a package, update.apk. But for the installation to begin, the user needs to click on it. 22
Mobile Threat Report Q2 2012 Once installed, the malware may also communicate with certain command and control (CC) servers as evidenced by two addresses found in an encrypted file within the malware. NotCompatible.A pretends to be a security update file Trojan:J2ME/CuteFreeSMS.A CuteFreeSMS.A is a Trojan that collects profit by sending SMS messages to premium- rate numbers. The SMS-sending activities take place in the background, without the device user’s authorization or acknowledgement. Trojan:J2ME/ValeSMS.A ValeSMS.A is a Trojan that collects profit by sending SMS messages to premium-rate numbers. The SMS-sending activities take place in the background, without the device user’s authorization or acknowledgement. Trojan:Symbian/AndroGamer.A AndroGamer.A is Trojan that appears to be playing online or WAP games in the background. Its other malicious activities include: • Downloading and installing new software • Downloading configuration data from a remote host • Sending device information to a remote host • Dialing numbers to make new calls Trojan:SymbOS/Kensoyk.A Kensoyk.A contains references to anti-virus vendors, and is capable of killing anti- virus processes. It also downloads and installs software onto the compromised device. 23
Mobile Threat Report Q2 2012 Trojan:Symbian/LaunchOut.A LaunchOut.A hides itself and avoids appearing on the device’s user interface to keep its presence unnoticed. Its activities, which are carried out silently in the background, include: • Downloading and installing new software • Monitoring and sending out SMS messages Trojan:SymbOS/Lipcharge.A Lipcharge.A is possibly a downloaded component for another Trojan. It downloads configuration data and new software, which are later installed onto the compromised device. Other functionalities include sending and receiving SMS messages, and filtering certain SMS messages from the system log. Trojan:SymbOS/Monlater.A, and variant B Monlater.A contains a function that allows it to detect AppServer.exe processes and proceeds to uninstall a package with UID 0x20042EB8 from an infected devices. Similar functionality is also found in Monlater.B sample, but uses a different file name and UID. Annotated disassembly of a Monlater.B sample, which shows similarities with Monlater.A 24
Mobile Threat Report Q2 2012 A disassembled and annotated function of a Monlater.A sample Upon further inspection, samples in the Monlater family show a lot of similarities with those from another family — Monsoon, which was first discovered in early 2011. It is highly likely that Monsoon and Monlater connects to the same command and control (CC) server. The same update channel may also have been used to push new versions of malware and hide the original ones to avoid detection. Trojan:Symbian/RandomTrack.A RandomTrack.A is a Trojan which creation is not motivated by profit. It downloads an installer from a remote host, and proceeds to silently install this file onto the compromised device. It is also capable of killing anti-virus processes in order to avoid being detected. 25
New variants of already known families THE FOLLOWING IS A LIST OF NEW VARIANTS OF EXISTING MALWARE FAMILIES. Unless otherwise noted, THEIR FUNCTIONALITY IS NOT SIGNIFICANTLY DIFFERENT COMPARED TO THE EARLIER VARIANTS DESCRIBED IN PREVIOUS REPORTS. »» Trojan:Android/BaseBridge.L »» Trojan:Android/DroidKungFu.I »» Trojan:Android/FakeApp.C »» Trojan:Android/FakeInst.H, and variant I, J, K, L, M and N »» Trojan:Android/FakeLogo.C »» Trojan:Android/Ginmaster.B, and variant C »» Trojan:Android/JiFake.I »» Trojan:Android/Nyearleak.B »» Trojan:Android/OpFake.E, and variant F »» Trojan:Android/SmsSpy.F (see page 21 for description) »» Trojan:Android/Stiniter.B »» Trojan:Android/Zsone.C »» Trojan:Symbian/AndroGamer.B, and variant C »» Trojan:Symbian/FakeApp.C »» Trojan:Symbian/Melon.C »» Trojan:Symbian/Moporil.C »» Trojan:Symbian/SystemSync.B, and variant C and D »» Trojan:Symbian/Yorservi.E »»
Mobile Threat Report Q2 2012 Ginmaster.C 218 FakeInst.K 141 OpFake.E 140 OpFake.F 111 Frogonal.A 110 FakeApp.C 77 Ginmaster.B 61 FakeInst.L 48 FakeLogo.C 30 Detection type Count JiFake.I 21 Heuristic 860 Gamex.A 13 New family and variant 1057 FakeInst.N Existing family and variant 3116 11 TOTAL 5033 FakeInst.J 10 QPlus.A 10 SmsSpy.F 8 FakeInst.H 6 Nyearleak.B 6 FakeInst.M 5 Mania.A 5 Mobsqueeze.A 3 UpdtKiller.A 3 AdOp.A 2 AcnetSteal.A 2 Stiniter.B 2 BaseBridge.L 2 AndSpy.A 1 Cawitt.A 1 FakeInst.I 1 KabStamper.A 1 MobileTracker.A 1 NotCompatible.A 1 PdaSpy.A 1 PremiumSMS.A 1 PremiumSMS.B 1 SpyEra.A 1 SpyHasb.A 1 Uranico.A 1 Figure 6: New Android Malware Sorted by Sample Count, Q2 2012 NOTE: The threat statistics used in Figure 6 are made up of the number of unique Android application package files (APKs). 27
Mobile Threat Report Q2 2012 Table 1: Top Android Samples Received in Q2 2012 Top-30 Malware Spyware and Riskware detection COUNT detection COUNT Trojan:Android/Boxer.C 389 Adware:Android/Ropin.A 1617 Trojan:Android/Ginmaster.C ** 218 Application:Android/Counterclank.A 545 Trojan:Android/FakeInst.K ** 141 Application:Android/FakeApp.C ** 77 Trojan:Android/OpFake.E ** 140 Spyware:Android/EWalls.A 14 Trojan:Android/OpFake.F ** 111 Riskware:Android/QPlus.A ** 10 Trojan:Android/Frogonal.A ** 110 Riskware:Android/Boxer.D 8 Trojan:Android/FakeInst.E 86 Application:Android/Nyearleak.B ** 6 Trojan:Android/OpFake.C 77 Exploit:Android/DroidRooter.B 4 Trojan:Android/Ginmaster.B ** 61 Monitoring-Tool:Android/MobileSpy.C 3 Trojan:Android/Ginmaster.A 49 Adware:Android/Mobsqueeze.A ** 3 Trojan:Android/FakeInst.L ** 48 Application:Android/AdOp.A ** 2 Trojan:Android/Kituri.A 46 Hack-Tool:Android/TattooHack.A 2 Trojan:Android/DroidKungFu.C 32 Monitoring-Tool:Android/SpyBubble.B 1 Trojan:Android/FakeLogo.C ** 30 Hack-Tool:Android/DroidRooter.M 1 Trojan:Android/FakeInst.C 29 Monitoring-Tool:Android/SpyHasb.A ** 1 Trojan:Android/DroidKungFu.H 27 Exploit:Android/DroidDeluxe.A 1 Trojan:Android/JiFake.I 21 Riskware:Android/MobileTX.A 1 Trojan:Android/BaseBridge.A 20 Hack-Tool:Android/DroidRooter.A 1 Trojan:Android/FakeBattScar.A 20 Monitoring-Tool:Android/SpyEra.A ** 1 Trojan:Android/Bizimovie.A 16 Monitoring-Tool:Android/MobileMonitor.A 1 Trojan:Android/Gamex.A ** 13 Monitoring-Tool:Android/Spyoo.A 1 Trojan:Android/Kmin.C 11 Hack-Tool:Android/DroidRooter.B 1 Trojan:Android/FakeInst.N ** 11 Riskware:Android/GoManag.B 1 Trojan:Android/JiFake.F 10 Monitoring-Tool:Android/MobileTracker.A ** 1 Trojan:Android/FakeInst.J ** 10 Exploit:Android/DroidRooter.A 1 Trojan:Android/SmsSpy.F ** 8 Monitoring-Tool:Android/PdaSpy.A ** 1 Trojan:Android/SMStado.A 8 Spyware:Android/SndApps.A 1 Trojan:Android/BaseBridge.B 7 Monitoring-Tool:Android/AndSpy.A ** 1 Trojan:Android/DroidKungFu.F 6 Monitoring-Tool:Android/CellShark.A 1 Trojan:Android/FakeInst.H ** 6 ** New family or new variant discovered in Q2 2012 NOTE: The threat statistics used in Table 1 are made up of the number of unique Android application package files (APKs). 28
Protecting the Irreplaceable This document was previously released under controlled distribution, intended only for selected recipients. Document made public since: 6 August 2012 F-Secure proprietary materials. © F-Secure Corporation 2012. All rights reserved. F-Secure and F-Secure symbols are registered trademarks of F-Secure Corporation and F-Secure names and symbols/ logos are either trademark or registered trademark of F-Secure Corporation. Protecting the irreplaceable | f-secure.com

Empfohlen

F-Secure Labs Mobile Threat Report Q4 2012
F-Secure Labs Mobile Threat Report Q4 2012F-Secure Labs Mobile Threat Report Q4 2012
F-Secure Labs Mobile Threat Report Q4 2012F-Secure Corporation
 
Mobile threat report q3 2012
Mobile threat report q3 2012Mobile threat report q3 2012
Mobile threat report q3 2012F-Secure Corporation
 
F-Secure Mobile Threat Report Quarter 1 2012
F-Secure Mobile Threat Report Quarter 1 2012F-Secure Mobile Threat Report Quarter 1 2012
F-Secure Mobile Threat Report Quarter 1 2012F-Secure Corporation
 
Mobile threatreport q1_2012
Mobile threatreport q1_2012Mobile threatreport q1_2012
Mobile threatreport q1_2012Shivmohan Yadav
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Комсс Файквэе
 
E-Threat Landscape Report H1 2012
E-Threat Landscape Report H1 2012E-Threat Landscape Report H1 2012
E-Threat Landscape Report H1 2012Bitdefender
 
E-threat landscape report H1 2012
E-threat landscape report H1 2012E-threat landscape report H1 2012
E-threat landscape report H1 2012BitDefenderRo
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Комсс Файквэе
 

Empfohlen

F-Secure Labs Mobile Threat Report Q4 2012
F-Secure Labs Mobile Threat Report Q4 2012F-Secure Labs Mobile Threat Report Q4 2012
F-Secure Labs Mobile Threat Report Q4 2012F-Secure Corporation
 
Mobile threat report q3 2012
Mobile threat report q3 2012Mobile threat report q3 2012
Mobile threat report q3 2012F-Secure Corporation
 
F-Secure Mobile Threat Report Quarter 1 2012
F-Secure Mobile Threat Report Quarter 1 2012F-Secure Mobile Threat Report Quarter 1 2012
F-Secure Mobile Threat Report Quarter 1 2012F-Secure Corporation
 
Mobile threatreport q1_2012
Mobile threatreport q1_2012Mobile threatreport q1_2012
Mobile threatreport q1_2012Shivmohan Yadav
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Комсс Файквэе
 
E-Threat Landscape Report H1 2012
E-Threat Landscape Report H1 2012E-Threat Landscape Report H1 2012
E-Threat Landscape Report H1 2012Bitdefender
 
E-threat landscape report H1 2012
E-threat landscape report H1 2012E-threat landscape report H1 2012
E-threat landscape report H1 2012BitDefenderRo
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Комсс Файквэе
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013Комсс Файквэе
 
HinDroid
HinDroidHinDroid
HinDroidHinDroid
 
A Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile MalwareA Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile MalwareIRJET Journal
 
Enter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonEnter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonJose Moruno Cadima
 
Security Issues in the Mobile Environment
Security Issues in the Mobile EnvironmentSecurity Issues in the Mobile Environment
Security Issues in the Mobile EnvironmentLigia Adam
 
Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Reham Maher El-Safarini
 
Bitdefender mobile security for android
Bitdefender mobile security for androidBitdefender mobile security for android
Bitdefender mobile security for androidKazi Sarwar Hossain
 
Ce hv8 module 16 hacking mobile platforms
Ce hv8 module 16 hacking mobile platformsCe hv8 module 16 hacking mobile platforms
Ce hv8 module 16 hacking mobile platformsMehrdad Jingoism
 
Admob Mobile Metrics March 09
Admob Mobile Metrics March 09Admob Mobile Metrics March 09
Admob Mobile Metrics March 09Dev Khare
 
White Paper - Android Security
White Paper - Android SecurityWhite Paper - Android Security
White Paper - Android Securityryanfarmer
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET Journal
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishDaniel zhao
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishКомсс Файквэе
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishКомсс Файквэе
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperHarsimran Walia
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAnatoliy Tkachev
 
When Malware Goes Mobile
When Malware Goes MobileWhen Malware Goes Mobile
When Malware Goes MobileSophos
 
Bitdefender mobile security for android
Bitdefender mobile security for androidBitdefender mobile security for android
Bitdefender mobile security for androidKazi Sarwar Hossain
 
LonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdfLonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdfTheresa Mammarella
 
Android By Manish Seth
Android By Manish SethAndroid By Manish Seth
Android By Manish SethNitin Gupta
 
Post-mortem of a data breach
Post-mortem of a data breachPost-mortem of a data breach
Post-mortem of a data breachF-Secure Corporation
 
How do you predict the threat landscape?
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?F-Secure Corporation
 

Weitere ähnliche Inhalte

Ähnlich wie F-Secure Mobile Threat Report, Q2 2012

A Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile MalwareA Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile MalwareIRJET Journal
 
Enter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonEnter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonJose Moruno Cadima
 
Security Issues in the Mobile Environment
Security Issues in the Mobile EnvironmentSecurity Issues in the Mobile Environment
Security Issues in the Mobile EnvironmentLigia Adam
 
Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Reham Maher El-Safarini
 
Bitdefender mobile security for android
Bitdefender mobile security for androidBitdefender mobile security for android
Bitdefender mobile security for androidKazi Sarwar Hossain
 
Ce hv8 module 16 hacking mobile platforms
Ce hv8 module 16 hacking mobile platformsCe hv8 module 16 hacking mobile platforms
Ce hv8 module 16 hacking mobile platformsMehrdad Jingoism
 
Admob Mobile Metrics March 09
Admob Mobile Metrics March 09Admob Mobile Metrics March 09
Admob Mobile Metrics March 09Dev Khare
 
White Paper - Android Security
White Paper - Android SecurityWhite Paper - Android Security
White Paper - Android Securityryanfarmer
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET Journal
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishDaniel zhao
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishКомсс Файквэе
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishКомсс Файквэе
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperHarsimran Walia
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAnatoliy Tkachev
 
When Malware Goes Mobile
When Malware Goes MobileWhen Malware Goes Mobile
When Malware Goes MobileSophos
 
Bitdefender mobile security for android
Bitdefender mobile security for androidBitdefender mobile security for android
Bitdefender mobile security for androidKazi Sarwar Hossain
 
Android By Manish Seth
Android By Manish SethAndroid By Manish Seth
Android By Manish SethNitin Gupta
 

Ähnlich wie F-Secure Mobile Threat Report, Q2 2012 (20)

Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013
 
HinDroid
HinDroidHinDroid
HinDroid
 
A Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile MalwareA Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile Malware
 
Enter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonEnter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox Comparison
 
Security Issues in the Mobile Environment
Security Issues in the Mobile EnvironmentSecurity Issues in the Mobile Environment
Security Issues in the Mobile Environment
 
Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.
 
Bitdefender mobile security for android
Bitdefender mobile security for androidBitdefender mobile security for android
Bitdefender mobile security for android
 
Ce hv8 module 16 hacking mobile platforms
Ce hv8 module 16 hacking mobile platformsCe hv8 module 16 hacking mobile platforms
Ce hv8 module 16 hacking mobile platforms
 
Admob Mobile Metrics March 09
Admob Mobile Metrics March 09Admob Mobile Metrics March 09
Admob Mobile Metrics March 09
 
White Paper - Android Security
White Paper - Android SecurityWhite Paper - Android Security
White Paper - Android Security
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection Methods
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_english
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_english
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_english
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaper
 
Avtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_englishAvtest 2012 02-android_anti-malware_report_english
Avtest 2012 02-android_anti-malware_report_english
 
When Malware Goes Mobile
When Malware Goes MobileWhen Malware Goes Mobile
When Malware Goes Mobile
 
Bitdefender mobile security for android
Bitdefender mobile security for androidBitdefender mobile security for android
Bitdefender mobile security for android
 
LonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdfLonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdf
 
Android By Manish Seth
Android By Manish SethAndroid By Manish Seth
Android By Manish Seth
 

Mehr von F-Secure Corporation

How do you predict the threat landscape?
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?F-Secure Corporation
 
Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!F-Secure Corporation
 
The Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceThe Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceF-Secure Corporation
 
Security A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsSecurity A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsF-Secure Corporation
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace F-Secure Corporation
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceLes attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceF-Secure Corporation
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?F-Secure Corporation
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3F-Secure Corporation
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2F-Secure Corporation
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeF-Secure Corporation
 
F secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF-Secure Corporation
 
F-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Corporation
 
Best business protection for windows
Best business protection for windowsBest business protection for windows
Best business protection for windowsF-Secure Corporation
 
Six things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsSix things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsF-Secure Corporation
 
Small and midsize business security is big business
Small and midsize business security is big businessSmall and midsize business security is big business
Small and midsize business security is big businessF-Secure Corporation
 
大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業F-Secure Corporation
 
Why should you care about government surveillance?
Why should you care about government surveillance?Why should you care about government surveillance?
Why should you care about government surveillance?F-Secure Corporation
 
Arbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetArbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetF-Secure Corporation
 

Mehr von F-Secure Corporation (20)

Post-mortem of a data breach
Post-mortem of a data breachPost-mortem of a data breach
Post-mortem of a data breach
 
How do you predict the threat landscape?
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?
 
Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!
 
The Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceThe Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security Service
 
Security A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsSecurity A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important terms
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceLes attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat Landscape
 
F secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and management
 
F-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior control
 
The State of the Net in India
The State of the Net in IndiaThe State of the Net in India
The State of the Net in India
 
Best business protection for windows
Best business protection for windowsBest business protection for windows
Best business protection for windows
 
Six things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsSix things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutions
 
Small and midsize business security is big business
Small and midsize business security is big businessSmall and midsize business security is big business
Small and midsize business security is big business
 
大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業
 
Why should you care about government surveillance?
Why should you care about government surveillance?Why should you care about government surveillance?
Why should you care about government surveillance?
 
Arbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetArbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitet
 

Kürzlich hochgeladen

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

F-Secure Mobile Threat Report, Q2 2012

  • 2. Mobile Threat Report Q2 2012 F-Secure Labs At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work around the clock to ensure our customers are protected from the latest online threats. Round-the-clock response work takes place in three shifts, one of which is handled in Helsinki, and two in Kuala Lumpur. At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation, ensuring that sudden virus and malware outbreaks are dealt with promptly and effectively. Protection around the clock Response Labs work is assisted by a host of automatic systems that track worldwide threat occurences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of virus and malware to profit from these attacks are constantly at work on new threats. This situation demands around the clock vigilance on our part to ensure that our customers are protected. 2
  • 3. Mobile Threat Report Q2 2012 abstract THIS REPORT DISCUSSES THE MOBILE THREAT LANDSCAPE AS SEEN IN THE second quarter of 2012, AND INCLUDES STATISTICS AND DETAILS OF THE MOBILE THREATS THAT F-SECURE RESPONSE LABS HAVE SEEN AND ANALYZED DURING THAT PERIOD. The data presented in this report were collected between 1 april–27 june 2012. Contents abstract3 Executive Summary 5 Latest threats in the last three months 6 Figure 1: New Families and Variants Received Per Quarter 7 Figure 2: Mobile Threats by Type, Q2 2012 8 Potentially unwanted software 9 Adware:Android/Mobsqueeze.A10 Application:Android/AdOp.A10 Monitoring-Tool:Android/AndSpy.A10 Monitoring-Tool:Android/Lifemonspy.A11 Monitoring-Tool:Android/MobileTracker.A11 Monitoring-Tool:Android/PdaSpy.A11 Monitoring-Tool:Android/SpyEra.A12 Monitoring-Tool:Android/SpyHasb.A13 Riskware:Android/QPlus.A13 Figure 3: Mobile Threats Motivated by Profit 14 Figure 4: Top-6 Android Detections per Month, Q2 2012 15 Figure 5: Breakdown of Detection Count, Q2 2012 15 Malware 16 Trojan:Android/AcnetSteal.A17 Trojan:Android/Cawitt.A17 Trojan:Android/Frogonal.A18 Trojan:Android/Gamex.A19 Trojan:Android/KabStamper.A19 Trojan:Android/Mania.A20 Trojan:Android/PremiumSMS.A, and variant B 20 3
  • 4. Mobile Threat Report Q2 2012 Trojan:Android/SmsSpy.F21 Trojan:Android/UpdtKiller.A21 Trojan:Android/Uranico.A22 Trojan-Proxy:Android/NotCompatible.A22 Trojan:J2ME/CuteFreeSMS.A23 Trojan:J2ME/ValeSMS.A23 Trojan:Symbian/AndroGamer.A23 Trojan:SymbOS/Kensoyk.A23 Trojan:Symbian/LaunchOut.A24 Trojan:SymbOS/Lipcharge.A24 Trojan:SymbOS/Monlater.A, and variant B 24 Trojan:Symbian/RandomTrack.A25 New variants of already known families 26 Figure 6: New Android Malware Sorted by Sample Count, Q2 2012 27 Table 1: Top Android Samples Received in Q2 2012 28 4
  • 5. Mobile Threat Report Q2 2012 Executive Summary Changes in the Android threat landscape Every quarter, Android malware continues to grow in number, and Q2 2012 is no “In May 2012, the first exception. We received a total of 5033 malicious Android application package files (APKs), most of which are coming from third-party Android markets. This amount is a Android malware to use 64% increase compared to the number in the previous quarter. Out of this amount, we the drive-by download identified 19 new families and 21 new variants of existing families. A high concentration of these new variants is coming from FakeInst and OpFake, two families that are found method was spotted in to be related. Malware in these two families share a lot of similarities that in some instances, they can be classified as one family. In general, the new variants retain the the wild.” same malicious behavior as found in the previous ones, only improving on the method used in defeating anti-virus technology in order to avoid detection. After a while on the scene, Android malware has begun to explore new methods of infection as evidenced by NotCompatible.A and Cawitt.A. In May 2012, the first Android malware to use the drive-by download method was spotted in the wild, detected as Trojan-Proxy:Android/NotCompatible.A. A simple visit to a malicious website could render a device infected, if the device is configured to allow installations from unknown sources. When visiting a specially crafted website, the device will automatically download an application from the site. This application is then shown in the notification menu, waiting for the user to install it. To convince the user into installing it, the malware relies on social engineering tactics, naming the application as “com.Security.Update’ and the filename as “Update.Apk.” Once infected, the device is turned into a proxy or becomes part of a bot network. In addition to drive-by download, another infection method discovered in this quarter is the utilization of Twitter as a bot mechanism. Cawitt.A for instance, accesses a Twitter account (possibly set up by the malware) to obtain a server address, from which it communicates with and receives further command from. Upon receiving instructions, this malware sends out SMS messages to certain numbers, and forwards data on the device’s International Mobile Equipment Identity (IMEI) number, phone number, and Android ID to the aforementioned server. Aside from the continuing growth of Android malware and the discovery of new infection methods, the second quarter also reveals a trend in regionally-based attack. In Spain for instance, we tend to get a lot of reports on banking-related attacks. This quarter, SmsSpy.F which is related to Zitmo, is a fairly popular case being reported. The malware appears to be specifically targeting users who perform an online banking transaction and need the Mobile Transaction Authorization Number (mTAN). It arrives as an SMS message, notifying the user to download a security application from the provided link. 5
  • 7. Mobile Threat Report Q2 2012 60 Android J2ME PocketPC 52 Symbian 50 40 40 37 35 30 23 20 21 20 16 15 10 10 11 6 4 2 1 1 0 0 0 0 0 0 0 0 Q1 Q2 Q3 Q4 Q1 Q2 2011 2011 2011 2011 2012 2012 Figure 1: New Families and Variants Received Per Quarter NOTE: The threat statistics used in Figure 1 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 7
  • 8. Mobile Threat Report Q2 2012 Application 5.2% Adware 1.7% Monitoring-Tool 10.4% Riskware 1.7% Trojan 81.0% Figure 2: Mobile Threats by Type, Q2 2012 NOTE: The threat statistics used in Figure 2 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 8
  • 9. Potentially unwanted software We consider the following program as potentially unwanted software, which refers to programs that may be considered undesirable or intrusive by a user if used in a questionable manner.
  • 10. Mobile Threat Report Q2 2012 Adware:Android/Mobsqueeze.A Mobsqueeze.A is an adware module that was found to be exclusively used by Trojans in the FakeBattScar family to advertise the rogue Battery Optimizer or Battery Optimizer Application. A separate detection has also been added to detect applications that promote the FakeBattScar Trojans. Permissions requested by Mobsqueeze.A Application:Android/AdOp.A AdOp.A is an application that arbitrarily creates shortcuts and advertisement- motivated notifications, which link to a website or an application. The application that users is being led to may not even be present on the device, but it does not stop Ropin.A from creating its corresponding shortcut. AdOp.A is not directly harmful to the device, but it may poses some risks if the shortcut or notification leads users to a questionable website. Monitoring-Tool:Android/AndSpy.A AndSpy.A is a monitoring and anti-theft program that originated from China, but is also marketed to several English speaking regions. Its capabilities can be remotely triggered by sending a particular SMS message to the device. If the message contains a valid command, it will silently perform the corresponding task. For example: • 0# : Register the Master number that will be used to send replies • 1# : Enable SMS forwarding • 2# : Disable SMS forwarding • 8# : Send device’s contacts • 10# : Send location details AndSpy.A is a stealthy program. It performs malicious activities quietly, and leaves no visible clue that can indicate its presence on the device. 10
  • 11. Mobile Threat Report Q2 2012 Monitoring-Tool:Android/Lifemonspy.A Lifemonspy.A is a monitoring and anti-theft program that provides the user with some control of the device through SMS messages. It allows the user to perform these actions from a remote location: • Deleting contacts • Deleting contents of the external storage (SD card) • Transferring SMS messages in the inbox to a Gmail account • Deleting previously sent messages from the outbox • Turning off the device The program places no visible icon on the menu screen, but can be seen listed on the ‘Manage applications’ window. From time to time, it forwards the device’s location to a remote website. Upon detecting a change in the device’s Subscriber Identity Module (SIM), Lifemonspy.A will send out an alert message to a configured number and log the event on the aforementioned website. Permissions requested by Lifemonspy.A (left), and Lifemonspy.A as viewed on the ‘Manage applications’ window (right) Monitoring-Tool:Android/MobileTracker.A MobileTracker.A is a part of Samsung DIVE, a free service that allows device owners to track and control their device remotely. In case of theft, the owner can lock and wipe the device, receive notification on SIM card change, as well as track the device. Monitoring-Tool:Android/PdaSpy.A PdaSpy.A is a commercial monitoring application with a 24-hours free or trial lock. It must be manually installed on the targeted device, and an account at PdaSpy.com must be created. 11
  • 12. Mobile Threat Report Q2 2012 Once installed, it places no icon on the application menu to avoid being noticed. It just runs silently in the background, logging the following information: • Phone calls • SMS messages • GPS locations The information can be viewed by visiting the PdaSpy website and logging in to the user account. An account at PdaSpy.com is needed to view logged data Monitoring-Tool:Android/SpyEra.A SpyEra.A is programmed to monitor and retrieve data from a compromised device. Its malicious activities are triggered when the device receives a specially crafted SMS message. SpyEra.A places no visible icon on the application menu, but its presence is revealed with a quick look under the ‘Manage applications’ in Settings. SpyEra.A as listed under ‘Manage applications’ (left), and the permissions it requested (right) 12
  • 13. Mobile Threat Report Q2 2012 Monitoring-Tool:Android/SpyHasb.A SpyHasb.A is a commercial monitoring tool that is marketed as ‘Phone Tracker,’ ‘Husband Tracker,’ ‘Wife Tracker,’ and ‘Android Locator’ among other names. Its capabilities include monitoring the following information: • Phone calls • SMS messages • GPS locations SpyHasb.A’s user interface, as seen on a device Riskware:Android/QPlus.A QPlus.A is a tool that gathers information from the device it was installed on. It runs silently in the background, and cannot be seen on the list of applications. Its presence however, becomes visible when looking into application management. QPlus.A runs as a service in the background When monitoring a device, QPlus.A runs in the background as a service. It monitors and collects the following information, which is later sent to a proxy mail server: • Call logs • SMS messages • Instant Messenger Chat History 13
  • 14. Mobile Threat Report Q2 2012 6 Not profit-motivated q1 2011 13 profit-motivated 20 q2 2011 18 37 q3 2011 39 33 q4 2011 29 17 q1 2012 35 19 q2 2012 39 Figure 3: Mobile Threats Motivated by Profit NOTE: The threat statistics used in Figure 3 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 14
  • 15. Mobile Threat Report Q2 2012 april 2012 may 2012 june 2012 413 326 139 121 126 110 84 84 60 66 47 43 33 31 22 25 22 11 OpFake.E Heuristic Ginmaster.B FakeInst.L OpFake.F FakeApp.C Heuristic FakeInst.K Ginmaster.C OpFake.F Frogonal.A FakeApp.C Heuristic Ginmaster.C Frogonal.A FakeApp.C FakeInst.K FakeInst.N Figure 4: Top-6 Android Detections per Month, Q2 2012 Malware – 502 Manual Heuristic Detection 4173 Detection 860 Riskware/Spyware – 358 Figure 5: Breakdown of Detection Count, Q2 2012 NOTE: The threat statistics used in Figure 4 and Figure 5 are made up of the number of unique Android application package files (APKs). 15
  • 16. Malware Programs categorized as malware are generally considered to pose a significant security risk to the user’s system and/or information. Malicious actions carried out by these programs include (but are not limited to) installing hidden objects as well as hiding the objects from the user, creating new malicious objects, damaging or altering any data without authorization, and stealing any data or access credentials.
  • 17. Mobile Threat Report Q2 2012 Trojan:Android/AcnetSteal.A AcnetSteal.A is a program that harvests data and information from the device. It obtains the following information: • Email addresses • Phone numbers AcnetSteal.A as seen on a device Trojan:Android/Cawitt.A Once installed, Cawitt.A will not place a launcher icon in the application menu to prevent it from being noticed by the user. Its presence, however, can be revealed with a quick look under the ‘Manage applications’ in Settings. Cawitt.A as listed in the device, and the permissions it requested 17
  • 18. Mobile Threat Report Q2 2012 Cawitt.A operates silently in the background, gathering device information which it later forwards to a remote server. Collected information include: • Device ID • International Mobile Equipment Identity (IMEI) number • Phone number • Bot ID • Modules It also sends out premium-rate SMS messages from the device upon receiving command from the remote server. Trojan:Android/Frogonal.A Frogonal.A is a trojanized malware; it is a repackaged version of an original application where extra functionalities used for malicious intent have been added into the new package. Frogonal.A harvests the following information from the compromised device: • Identification of the trojanized application »» Package name »» Version code • Phone number • IMEI number • IMSI number • SIM serial number • Device model • Operating system version • Root availability Requested permissions and offered games in Frogonal.A 18
  • 19. Mobile Threat Report Q2 2012 Trojan:Android/Gamex.A Gamex.A hides its malicious components inside the package file. Once it is granted a root access by the user, it connects to a command and control (CC) server to download more applications and to forward the device IMEI and IMSI numbers. Additionally, it also establishes a connection to an external link which contains a repackaged APK file, and proceeds to downloading and installing the file. Gamex.A listed as ‘Updater’ (left), and the permissions it requested (right) Trojan:Android/KabStamper.A KabStamper.A is a malware that circulated in Japan during the AKB48 ‘election.’ AKB48 AKB48: A popular music act in Japan, this is a Japanese pop group that consists of 48 members. The ‘election’ was held to select pop group consists of 48 members. the most popular member who will become the face of the group. KabStamper.A is distributed via trojanized applications that deliver news and videos on the AKB48 group. Malicious code in the malware is highly destructive; it destroys images found in the sdcard/DCIM/camera folder that stores images taken with the device’s camera. Every five minutes, the malware checks this folder and modifies a found image by overwriting it with a predefined image. Comparison between before and after KabStamper.A’s infection 19
  • 20. Mobile Threat Report Q2 2012 Trojan:Android/Mania.A Mania.A is an SMS-sending malware that sends out messages with the content “tel” or “quiz” to the number 84242. Any reply from this number is redirected to another device to prevent user from becoming suspicious. While running, Mania.A appears to be performing license checking, but this process always fails and never seems to be completed. The license checking is a cover up for the SMS sending activities that are taking place in the background. Mania.A pretends to perform license checking, which always failed Mania.A is known for using the trojanization technique, where it is repackaged with another original application in order to dupe victims. Some known legitimate applications that have this malware trojanized in their package include: • Phone Locator Pro • CoPilot Live Europe • Setting Profile Full • Tasker Trojan:Android/PremiumSMS.A, and variant B PremiumSMS.A is a Trojan that reaps profit from its SMS sending activities. It has a configuration file that contains data on the content of the SMS messages and the recipient numbers. Example of the sent messages: • Number: 1151 • Content: 692046 169 BGQCb5T3w • Number: 1161 • Content: 692046 169 BGQCb5T3w • Number: 3381 • Content: 692046 169 BGQCb5T3w 20
  • 21. Mobile Threat Report Q2 2012 • Number: 1005 • Content: kutkut clsamg 6758150 • Number: 5373 • Content: kutkut clsamg 6758150 • Number: 7250 • Content: kutkut clsamg 6758150 Trojan:Android/SmsSpy.F SmsSpy.F poses as an Android Security Suite application that actually does nothing in ensuring the device’s security. It does however, records received SMS messages into a secsuite.db instead. SmsSpy.F poses as an Android Security Suite application This malware targets banking consumers in Spain where it is spammed via a message indicating that an extra Security Protection program that protects the device is available for download. Trojan:Android/UpdtKiller.A UpdtKiller.A connects to a command and control (CC) server, where it forwards users’ data to and receives further command from. This malware is also capable of killing anti-virus processes in order to avoid being detected. 21
  • 22. Mobile Threat Report Q2 2012 UpdtKiller.A as seen on a device Trojan:Android/Uranico.A Uranico.A is a Trojan that harvests the following information from an infected device: • Phone number • IMEI number • IMSI number • Contacts or Address Books (phone numbers and email addresses) The harvested information are later forwarded to a remote server. Uranico.A as seen on a device Trojan-Proxy:Android/NotCompatible.A NotCompatible.A operates like a drive-by download threat. It gains entry into a device when the user visits a compromised website, and proceeds to downloading a package, update.apk. But for the installation to begin, the user needs to click on it. 22
  • 23. Mobile Threat Report Q2 2012 Once installed, the malware may also communicate with certain command and control (CC) servers as evidenced by two addresses found in an encrypted file within the malware. NotCompatible.A pretends to be a security update file Trojan:J2ME/CuteFreeSMS.A CuteFreeSMS.A is a Trojan that collects profit by sending SMS messages to premium- rate numbers. The SMS-sending activities take place in the background, without the device user’s authorization or acknowledgement. Trojan:J2ME/ValeSMS.A ValeSMS.A is a Trojan that collects profit by sending SMS messages to premium-rate numbers. The SMS-sending activities take place in the background, without the device user’s authorization or acknowledgement. Trojan:Symbian/AndroGamer.A AndroGamer.A is Trojan that appears to be playing online or WAP games in the background. Its other malicious activities include: • Downloading and installing new software • Downloading configuration data from a remote host • Sending device information to a remote host • Dialing numbers to make new calls Trojan:SymbOS/Kensoyk.A Kensoyk.A contains references to anti-virus vendors, and is capable of killing anti- virus processes. It also downloads and installs software onto the compromised device. 23
  • 24. Mobile Threat Report Q2 2012 Trojan:Symbian/LaunchOut.A LaunchOut.A hides itself and avoids appearing on the device’s user interface to keep its presence unnoticed. Its activities, which are carried out silently in the background, include: • Downloading and installing new software • Monitoring and sending out SMS messages Trojan:SymbOS/Lipcharge.A Lipcharge.A is possibly a downloaded component for another Trojan. It downloads configuration data and new software, which are later installed onto the compromised device. Other functionalities include sending and receiving SMS messages, and filtering certain SMS messages from the system log. Trojan:SymbOS/Monlater.A, and variant B Monlater.A contains a function that allows it to detect AppServer.exe processes and proceeds to uninstall a package with UID 0x20042EB8 from an infected devices. Similar functionality is also found in Monlater.B sample, but uses a different file name and UID. Annotated disassembly of a Monlater.B sample, which shows similarities with Monlater.A 24
  • 25. Mobile Threat Report Q2 2012 A disassembled and annotated function of a Monlater.A sample Upon further inspection, samples in the Monlater family show a lot of similarities with those from another family — Monsoon, which was first discovered in early 2011. It is highly likely that Monsoon and Monlater connects to the same command and control (CC) server. The same update channel may also have been used to push new versions of malware and hide the original ones to avoid detection. Trojan:Symbian/RandomTrack.A RandomTrack.A is a Trojan which creation is not motivated by profit. It downloads an installer from a remote host, and proceeds to silently install this file onto the compromised device. It is also capable of killing anti-virus processes in order to avoid being detected. 25
  • 26. New variants of already known families THE FOLLOWING IS A LIST OF NEW VARIANTS OF EXISTING MALWARE FAMILIES. Unless otherwise noted, THEIR FUNCTIONALITY IS NOT SIGNIFICANTLY DIFFERENT COMPARED TO THE EARLIER VARIANTS DESCRIBED IN PREVIOUS REPORTS. »» Trojan:Android/BaseBridge.L »» Trojan:Android/DroidKungFu.I »» Trojan:Android/FakeApp.C »» Trojan:Android/FakeInst.H, and variant I, J, K, L, M and N »» Trojan:Android/FakeLogo.C »» Trojan:Android/Ginmaster.B, and variant C »» Trojan:Android/JiFake.I »» Trojan:Android/Nyearleak.B »» Trojan:Android/OpFake.E, and variant F »» Trojan:Android/SmsSpy.F (see page 21 for description) »» Trojan:Android/Stiniter.B »» Trojan:Android/Zsone.C »» Trojan:Symbian/AndroGamer.B, and variant C »» Trojan:Symbian/FakeApp.C »» Trojan:Symbian/Melon.C »» Trojan:Symbian/Moporil.C »» Trojan:Symbian/SystemSync.B, and variant C and D »» Trojan:Symbian/Yorservi.E »»
  • 27. Mobile Threat Report Q2 2012 Ginmaster.C 218 FakeInst.K 141 OpFake.E 140 OpFake.F 111 Frogonal.A 110 FakeApp.C 77 Ginmaster.B 61 FakeInst.L 48 FakeLogo.C 30 Detection type Count JiFake.I 21 Heuristic 860 Gamex.A 13 New family and variant 1057 FakeInst.N Existing family and variant 3116 11 TOTAL 5033 FakeInst.J 10 QPlus.A 10 SmsSpy.F 8 FakeInst.H 6 Nyearleak.B 6 FakeInst.M 5 Mania.A 5 Mobsqueeze.A 3 UpdtKiller.A 3 AdOp.A 2 AcnetSteal.A 2 Stiniter.B 2 BaseBridge.L 2 AndSpy.A 1 Cawitt.A 1 FakeInst.I 1 KabStamper.A 1 MobileTracker.A 1 NotCompatible.A 1 PdaSpy.A 1 PremiumSMS.A 1 PremiumSMS.B 1 SpyEra.A 1 SpyHasb.A 1 Uranico.A 1 Figure 6: New Android Malware Sorted by Sample Count, Q2 2012 NOTE: The threat statistics used in Figure 6 are made up of the number of unique Android application package files (APKs). 27
  • 28. Mobile Threat Report Q2 2012 Table 1: Top Android Samples Received in Q2 2012 Top-30 Malware Spyware and Riskware detection COUNT detection COUNT Trojan:Android/Boxer.C 389 Adware:Android/Ropin.A 1617 Trojan:Android/Ginmaster.C ** 218 Application:Android/Counterclank.A 545 Trojan:Android/FakeInst.K ** 141 Application:Android/FakeApp.C ** 77 Trojan:Android/OpFake.E ** 140 Spyware:Android/EWalls.A 14 Trojan:Android/OpFake.F ** 111 Riskware:Android/QPlus.A ** 10 Trojan:Android/Frogonal.A ** 110 Riskware:Android/Boxer.D 8 Trojan:Android/FakeInst.E 86 Application:Android/Nyearleak.B ** 6 Trojan:Android/OpFake.C 77 Exploit:Android/DroidRooter.B 4 Trojan:Android/Ginmaster.B ** 61 Monitoring-Tool:Android/MobileSpy.C 3 Trojan:Android/Ginmaster.A 49 Adware:Android/Mobsqueeze.A ** 3 Trojan:Android/FakeInst.L ** 48 Application:Android/AdOp.A ** 2 Trojan:Android/Kituri.A 46 Hack-Tool:Android/TattooHack.A 2 Trojan:Android/DroidKungFu.C 32 Monitoring-Tool:Android/SpyBubble.B 1 Trojan:Android/FakeLogo.C ** 30 Hack-Tool:Android/DroidRooter.M 1 Trojan:Android/FakeInst.C 29 Monitoring-Tool:Android/SpyHasb.A ** 1 Trojan:Android/DroidKungFu.H 27 Exploit:Android/DroidDeluxe.A 1 Trojan:Android/JiFake.I 21 Riskware:Android/MobileTX.A 1 Trojan:Android/BaseBridge.A 20 Hack-Tool:Android/DroidRooter.A 1 Trojan:Android/FakeBattScar.A 20 Monitoring-Tool:Android/SpyEra.A ** 1 Trojan:Android/Bizimovie.A 16 Monitoring-Tool:Android/MobileMonitor.A 1 Trojan:Android/Gamex.A ** 13 Monitoring-Tool:Android/Spyoo.A 1 Trojan:Android/Kmin.C 11 Hack-Tool:Android/DroidRooter.B 1 Trojan:Android/FakeInst.N ** 11 Riskware:Android/GoManag.B 1 Trojan:Android/JiFake.F 10 Monitoring-Tool:Android/MobileTracker.A ** 1 Trojan:Android/FakeInst.J ** 10 Exploit:Android/DroidRooter.A 1 Trojan:Android/SmsSpy.F ** 8 Monitoring-Tool:Android/PdaSpy.A ** 1 Trojan:Android/SMStado.A 8 Spyware:Android/SndApps.A 1 Trojan:Android/BaseBridge.B 7 Monitoring-Tool:Android/AndSpy.A ** 1 Trojan:Android/DroidKungFu.F 6 Monitoring-Tool:Android/CellShark.A 1 Trojan:Android/FakeInst.H ** 6 ** New family or new variant discovered in Q2 2012 NOTE: The threat statistics used in Table 1 are made up of the number of unique Android application package files (APKs). 28
  • 29. Protecting the Irreplaceable This document was previously released under controlled distribution, intended only for selected recipients. Document made public since: 6 August 2012 F-Secure proprietary materials. © F-Secure Corporation 2012. All rights reserved. F-Secure and F-Secure symbols are registered trademarks of F-Secure Corporation and F-Secure names and symbols/ logos are either trademark or registered trademark of F-Secure Corporation. Protecting the irreplaceable | f-secure.com