Android RAT impersonates Kaspersky Mobile Security
Posted on 05.08.2014
A clever malware delivery campaign impersonating well-known AV vendor Kaspersky Lab is actively targeting Polish Android users.

It all starts with a spam email sporting the firm's logo and warning users that a "virus" designed to steal SMS codes (mTANs) used to authorize transfers has been detected on their phones.

The email claims that the scanning of the phone was done by Kaspersky Lab, which has been commissioned to do so by the users' bank. "To prevent theft of cash from your account, please promptly install Kaspersky Mobile Security Antivirus on your mobile device," it urges, and apparently helpfully offers the security solution in the attachment.

Unfortunately, the attached file - Kaspersky_Mobile_Security.apk - is not a security solution, but a variant of the Android SandroRAT, whose source code was made available for sale on online forums late last year.

This malware can steal the users' contact list, SMS messages, browser history, bookmarks and GPS location. It can also intercept incoming calls and text messages, send text messages, update itself and download additional malware, use the phone's microphone to record surrounding sounds, and more.

"A novel functionality of this threat is its ability to access the encrypted Whatsapp chats and obtain the unique encryption key using the Google email account of the device to get the chats in plain text and store them in the file," McAfee researchers revealed. This functionality does not work if the user has the latest version of the popular app.

"Spam campaigns (via SMS or email) are becoming a very popular way to distribute Android malware," the researchers warn. "This attack gains credence with the appearance of a bank offering security solutions against banking malware, a typical behavior of legitimate banks."

