Much of this new malware has also been identified as originating from China and targeting users there and in neighboring markets, reflecting the fact that this is now the world’s top smartphone market with over one million mobile web users.
The China connection
This quarter saw the introduction of the first Android bootkit, ‘DKFbootkit,’ which masquerades as a fake version of a legitimate application and damages the smartphone’s Linux kernel code by replacing it with malicious code. Users are tricked into clicking ‘OK’ to the notifications the malware provides, giving it permission to add itself to the boot sequence and spring into life once the device is activated.
In rooting the device, this attack turns the smartphone into a zombie that is fully under the cybercriminal’s control, which makes it a serious threat to Android users. This attack is spread over the third party applications market – and not the official Google Play - in China.
Malware authors also spammed China, Japan, South Korea, Taiwan and the United States with Trojan-infected email messages related to political issues around Tibet. These were released on the back of a Microsoft ‘Patch Tuesday’ security bulletin4 with the authors rushing to take advantage of the ‘window of opportunity’ time lag between the patch release and when users were able to implement it. The email attachment contains an embedded encrypted executable file which collects sensitive user information such as passwords, and is able to download additional malware for key logger facility or to get a new Trojan configuration.
Yuval Ben-Itzhak, CTO at AVG, said: “In our experience, an operating system attracts attention from cybercriminals once it secures five percent market share; once it reaches ten percent, it will be actively attacked. It’s no surprise therefore that our investigations uncovered a further upsurge in malware targeting Android smartphones given its sustained popularity, with new attacks focused on rooting the devices to give cybercriminals full control. What’s new this quarter is the significant upsurge in these threats originating from China.”
The end of antivirus?
For all of the sensationalism around the discovery of Stuxnet in 2010 and its 2012 equivalent, Flame, the average consumer was never actually a target for either malware. While rumors of cyber-attacks were circulated about both, Flame was actually not a patch on the sophistication of Stuxnet in terms of malware authoring and in particular, the techniques used in the payload were not very impressive. The security industry is already adapted to the unexpected nature of threats with traditional signature detection being just one layer within a multi-faceted security solution.
The latest version of the LizaMoon mass injection SQL attack this quarter deceives users into downloading a Trojan or some rogue software by exploiting human interest and hiding inside non-existent celebrity sex videos or fake antivirus websites. Injecting malicious code into legitimate but vulnerable websites, this attack targeted Mozilla’s Firefox® browser and Microsoft’s Internet Explorer with two attack vectors.
In Firefox, users are lured by raunchy videos of socialite Paris Hilton and actress Emma Watson and asked to update their Flash installation in order to view them. Users never get to see the video as the malware installed a Trojan disguised as a Flash update.
In Internet Explorer, users receive a prompt seemingly from an antivirus website which would claim to have found malware on their computer. They are encouraged to download the malware and, once installed, to ‘purchase it’ which would then simply remove the malware in return for payment.
Should the victim decide not to purchase, nag screens would pop up until the rogue was cleaned from the machine. In the most recent version, the malware was updated to enable ‘drive-by downloads’ where victims need only visit the website to become infected and it is no longer enough to close the web page to be safe.
Rovio’s ‘Angry Birds Space’ application was also frontline for consumer scams this quarter. Using the same graphics as the legitimate version, a fully functional Trojan-infected version was uploaded to unofficial Android application stores. It uses the GingerBreak exploit to root the device, gaining Command and Control functionality to communicate with the remote server to download and install additional malware, botnet functionality, and to enable the modification of files and launch of URLs.