Archives for Application Security

More than 20 countries infected with Android adware malware – Kemoge

In September 2015, researchers at FireEye Labs uncovered a family of malicious adware produced by NGE Mobi/Xinyinhe, a company based in China and Singapore. On 7 October, FireEye reported a related adware family capable of completely taking over Android devices. Researchers named it Kemoge after its CnC domain, aps.kemoge.net. The attack is believed to originate in China.

(World infection map)

So far the malware has hit victims in more than 20 countries, including China, Russia and the United States. That several of the victims are large industrial companies and even government bodies is alarming. The attackers repackage the adware inside popular apps, which lets them spread the malware easily.

(Adware repackaged as popular apps. Image source: Fireeye.com)

Attack Scenario :

  • The attackers upload the repackaged app containing the malicious adware to third-party app stores.
  • Users are encouraged to download the apps from the websites where they have been uploaded.
  • Some aggressive ad networks that already hold root on a device also download and install the apps automatically, with no user action.
  • When these apps launch, the malware collects device information and sends it to the ad server.
  • From the background, Kemoge keeps serving ads to the user regardless of what is on screen; ads appear even on the Android home screen.

At first the malware looks to the user like innocuous adware, but it soon starts threatening the security of the device. In AndroidManifest.xml the malware registers a receiver, MyReceiver, that launches automatically when the user unlocks the screen or the device connects to a new network. When MyReceiver runs, it invokes MyService. Both components are declared under the prefix com.google.rp.confirm to disguise them as Google code. A few samples use other component prefixes such as com.android.ad.sprovider, com.google.ad.sprovider and com.google.system.provider.confirm. A component declared in Google's or Android's namespace inside a third-party package is a cheap signal to check for during static triage.

(AndroidManifest code snippet. Image: Fireeye.com)
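The masquerading described above is easy to check for mechanically. The script below is an added example, not FireEye's tooling or anything from the Kemoge samples: it parses a constructed manifest that mimics the registration the article describes (a com.google.* receiver, inside a package that is not Google's, wired to screen-unlock and network-change events) and flags components that either borrow a vendor namespace or auto-start on such broadcasts. The intent action strings are the standard Android actions assumed to correspond to the triggers the article names; the package name and the benign LegitReceiver are invented for contrast.

```python
"""Flag manifest components that masquerade as Google/Android code.

Added example, not from FireEye or the Kemoge samples. The manifest is
constructed to resemble the registration the article describes.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed to match the triggers in the article (screen unlock, new network),
# plus boot, the other usual persistence hook.
AUTOSTART_ACTIONS = {
    "android.intent.action.USER_PRESENT",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.BOOT_COMPLETED",
}
# A third-party package has no business declaring its own components here.
VENDOR_PREFIXES = ("com.google.", "com.android.")

# Constructed manifest: package name and LegitReceiver are invented.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackaged.game">
  <application>
    <receiver android:name="com.google.rp.confirm.MyReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <service android:name="com.google.rp.confirm.MyService"/>
    <receiver android:name=".LegitReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _qualify(pkg: str, name: str) -> str:
    """Expand a relative component name like '.Foo' to 'pkg.Foo'."""
    return pkg + name if name.startswith(".") else name


def find_suspicious_components(manifest_xml: str) -> List[Dict]:
    """Return receivers/services with a reason list for each suspicious one."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app_is_vendor = pkg.startswith(VENDOR_PREFIXES)
    findings = []
    for comp in root.iter():
        if comp.tag not in ("receiver", "service"):
            continue
        fqname = _qualify(pkg, comp.get(NAME_ATTR, ""))
        reasons = []
        # Component lives in Google/Android namespace but the app does not.
        if fqname.startswith(VENDOR_PREFIXES) and not app_is_vendor:
            reasons.append("vendor-namespace masquerade")
        # Receiver wakes itself on unlock / connectivity / boot broadcasts.
        for action in comp.iter("action"):
            name = action.get(NAME_ATTR)
            if name in AUTOSTART_ACTIONS:
                reasons.append("autostart on " + name)
        if reasons:
            findings.append({"tag": comp.tag, "component": fqname, "reasons": reasons})
    return findings


def masquerading_components(manifest_xml: str) -> List[str]:
    """Just the high-signal hits: components hiding in a vendor namespace."""
    return sorted(
        f["component"]
        for f in find_suspicious_components(manifest_xml)
        if "vendor-namespace masquerade" in f["reasons"]
    )


if __name__ == "__main__":
    for finding in find_suspicious_components(CONSTRUCTED_MANIFEST):
        print(finding["tag"], finding["component"], "->", "; ".join(finding["reasons"]))
```

Run it against the decoded AndroidManifest.xml of a decompiled APK (after apktool or a similar tool has converted the binary XML to text). The namespace check is the strong signal; an autostart receiver alone is common in legitimate apps and is only worth a look when it coincides with the other indicators.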

When MyService starts, it looks for files such as info.mp4, hello.mp4 or bg.mp4. These are not videos but multi-layer encrypted ZIP files disguised with an .mp4 extension. The innermost layer is a password-protected ZIP. That ZIP is encrypted with DES, the DES key is itself encrypted with a second DES key, and the second key is split up and scattered as code bytes. At run time the malware reverses the process: it reassembles the second DES key from the scattered bytes, uses it to decrypt the first DES key, then decrypts and unzips the archive to release the payload. None of this provides real confidentiality, since every key ships inside the app; the layering, like the choice of the weak DES cipher, exists only to defeat signature scanning and slow static analysis. An analyst who hooks the decryption routine or dumps process memory after MyService has run gets the plaintext ZIP.

After the file is unzipped, the following files are extracted:

  • apk
  • sh
  • busybox
  • su
  • .root
  • root_001, root_002, root_003, root_004, root_005, root_006, root_007 and root_008

In total there are eight root-exploit executables, which let Kemoge target a wide range of Android devices. Once it gains root, the malware implants AndroidRTService.apk in the system partition under the name Launcher0928.apk, mimicking the filename of a legitimate launcher. Because the system partition is outside the reach of a normal app uninstall, removing the visible app does not remove the implant.
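A first-pass triage for the disguised payload is to distrust the file extension and read the container magic instead. The script below is an added example, not FireEye's code or anything recovered from Kemoge: it builds a constructed in-memory ZIP carrying the entry names listed above (placeholder bytes, not exploits), stores it under an .mp4 name, and reports the mismatch, the entry list, whether the entries are ZipCrypto-protected, and which names look like a rooting kit. It also applies an entropy check so that a still-DES-wrapped blob, which has neither ZIP nor MP4 magic, is reported as high-entropy rather than silently "unknown". The entropy threshold and the name patterns are assumptions chosen for illustration.

```python
"""Triage files whose extension says MP4 but whose bytes say otherwise.

Added example, not FireEye's code. The payload is constructed here with
the entry names the article lists; it contains no real exploits.
"""
import io
import math
import re
import zipfile
from typing import Dict

ZIP_MAGIC = b"PK\x03\x04"
# Entry names the article lists, plus the root_001 .. root_008 pattern.
KIT_NAMES = {"busybox", "su", ".root", "sh"}
ROOT_EXPLOIT_RE = re.compile(r"^root_\d{3}$")
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off for "looks encrypted"


def build_constructed_payload() -> bytes:
    """Constructed sample: a ZIP with the article's entry names, not real malware."""
    names = ["AndroidRTService.apk", "sh", "busybox", "su", ".root"]
    names += ["root_%03d" % i for i in range(1, 9)]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder bytes, not an exploit")
    return buf.getvalue()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniform random, 0.0 is a single value."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_mp4(data: bytes) -> bool:
    # ISO BMFF/MP4 files carry the "ftyp" box type at offset 4, after the box size.
    return len(data) >= 8 and data[4:8] == b"ftyp"


def container_type(data: bytes) -> str:
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if looks_like_mp4(data):
        return "mp4"
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "high-entropy"  # a DES-wrapped outer layer would land here
    return "unknown"


def triage(filename: str, data: bytes) -> Dict:
    """Compare the claimed extension with the real container and inspect ZIPs."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = container_type(data)
    report = {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual != "unknown" and claimed != actual,
        "entries": [],
        "encrypted_entries": False,
        "rootkit_indicators": [],
    }
    if actual == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
        report["entries"] = [zi.filename for zi in infos]
        # Bit 0 of the general-purpose flags marks a password-protected entry.
        report["encrypted_entries"] = any(zi.flag_bits & 0x1 for zi in infos)
        report["rootkit_indicators"] = [
            n for n in report["entries"]
            if n in KIT_NAMES or ROOT_EXPLOIT_RE.match(n) or n.endswith(".apk")
        ]
    return report


if __name__ == "__main__":
    for key, value in triage("info.mp4", build_constructed_payload()).items():
        print("%-20s %s" % (key, value))
```

On a real sample the outermost layer is still DES-wrapped, so the magic check only succeeds once that layer has been peeled (by hooking the decryption routine or dumping memory); the high-entropy result on the raw file is itself the cue that a plain .mp4 of that name deserves a second look. For a password-protected inner ZIP the entry names and sizes are readable without the password, which is enough to confirm the busybox/su/root_00x pattern.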

When FireEye tested the malware, the app tried to uninstall antivirus apps and other legitimate applications, presumably to clear the way for further attacks on the device. FireEye also found one Kemoge sample on the Google Play Store, although its CnC and root exploits had been removed, most likely so that the version uploaded to Google Play would pass the store's vetting. That sample still connects to ads.kemoge.net and adm.kemoge.net for ads.

FireEye has notified Google about the app and has warned users about the possible threats posed by this malware. Users are advised to refrain from clicking suspicious links or downloading apps from unofficial app stores.


Smartphone browsers can deliver a powerful DDoS attack: 4.5 billion requests in a flood attack

One of the most damaging attacks that can be launched against a website is flooding it with more requests than it can handle, otherwise known as a DDoS. According to internet security researchers, this nightmare may have recently become a reality after one site was targeted in such a manner with an aim of overwhelming […]

Two new Point of Sale malware families targeting Small and Medium Businesses in the United States

Two new malware families that affect point of sale (PoS) machines have been detected by researchers at Trend Micro. The malware has been hitting small and medium-sized businesses (SMBs), primarily in the United States. The two families have been named Katrina and CenterPoS by their developers. Trend Micro researchers had earlier reported PoS […]

U.S. Government OPM Breach: 5.6 million fingerprints of Federal workers were stolen

The Office of Personnel Management and the Department of Defense are analyzing a data breach that resulted in the theft of around 5.6 million fingerprint records of federal workers. Initial reports put the number at 4.5 million, but the latest report, released on Wednesday 23rd September, suggests that the number is as high as 5.6 […]

3 Key Takeaways from RSA Conference 2014 – San Francisco for CISOs and Security Enthusiasts

Author: Arun Hegde, Security Architect, @arun25. Here is a quick summary of my experience at RSA Conference 2014 – San Francisco last month. Highlights of RSA 2014: Some of the highlights at this year's RSA were cloud security, mobile security (especially for enterprise), more companies providing SIEM solutions and a lot of new […]

Hacking Facebook user “Access Token” using Man in the Middle Attack

Facebook has had a long list of vulnerabilities, and its security team is incapable of dealing with real-world security. Unfortunately their mission of making the world open also aligns with security principles as well. This is just an opinion and may not be the reality. This vulnerability still exists, and the author says in […]

Dendroid – Next Generation Crime-ware toolkit targeting Android

Dendroid, the next-generation crimeware toolkit that can convert apps into malware, is available on the underground market for only $300. It also comes with 24-hour support if you get stuck along the way. Symantec describes it as an evolution of AndroRAT (the first malware APK binder). Dendroid is an HTTP RAT that […]

Facebook Advertising “Suggested Posts” delivers Android Malware

Researchers have identified a tricky Android malware spreading via Facebook advertising. When Facebook is accessed from an Android device, users may see messages under Facebook advertising labelled "Suggested Post". Some of the identified ads read like WhatsApp tips: "Want to know how to see your contacts' chats on WhatsApp?" "Want to hide your WhatsApp […]

More than 360 million newly stolen credentials sold on black market

Researchers from Hold Security LLC have identified more than 360 million credentials on the underground market. The details of the data have not yet been publicized, nor has any company been named, according to the reports. Alex Holden, CISO of Hold Security LLC, said in an interview that the data was obtained over the past three weeks. […]

Yahoo vulnerability could have allowed Hacker to delete more than 1.5 million records

Ibrahim Raafat (@RaafatSEC), an Egyptian security researcher, identified a vulnerability that could have been used to delete more than 1.5 million records from Yahoo's database. He demonstrated the Insecure Direct Object Reference vulnerability on his blog; it appears to have since been fixed by Yahoo. He performed the demo with his own account. The vulnerability escalated the user's privilege to delete the […]