Wednesday, November 28, 2012

Angry Birds Star Wars Fraud

Just another SMS-scam Android.Boxer variant to watch out for. Check out the details at:




You can download this sample from either of these sites, but be careful: they are direct links to the malware with no password protection.
  • hxxp://google-api3.com/getfile[dot]php?dtype=pp&r=8192-10
  • hxxp://angrybirdsstarwars-android[dot]ru/

To get the APK file instead of the JAR file, follow the instructions in my tutorial (below) on making the site think you are an Android device.

Stay safe out there
-R`/4N


Safely Download Android Apps on The PC

It can be a real hassle to get the actual app, the ".apk" file, from your phone to your PC without a direct download link. So in a series of simple tutorials we will go over some basic techniques for safely downloading harmful Android files to a Windows machine. For this first one we will discuss a simple trick for making a website believe you are using an Android-powered device.

Step One: download and install Malzilla. Malzilla is a text-based web client with multiple tools for spoofing the data you send and for pulling information out of websites quickly and easily. You can find more information and tutorials about Malzilla on SourceForge, or just search for it.


Step Two: Change the user agent to Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91). See the pic above for more details. For other Android user agents and how to use them, see the blog post at gtrifonov.com, or for a simple tutorial see developers.google.com.

That simple: you can now paste a web page or link into the URL box, the site you are hitting will return its mobile version, and any download you get will be the same as what an Android device would get. Some sites check more than the user agent (Accept-Language, the referring page, or a JavaScript check), so if you still get the desktop version, match those too. Unfortunately this does not work for the Google Play Market. The next tutorial will show a couple of tricks for getting files off the Google Play Market, out of your phone and onto your PC.
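As an added example (not part of the original tutorial, and not Malzilla): the same user-agent trick done from a script, so the fetched file can be sniffed and fingerprinted before it goes anywhere near a phone. The user-agent string is the one from Step Two; the `make_archive` helper and the two constructed archives exist only to exercise the classifier offline, and the URL in the usage line is a placeholder.

```python
import hashlib
import io
import sys
import urllib.request
import zipfile

# The user agent from Step Two above. A server that keys its download on the
# UA will hand this request the same file it would give a Nexus One on 2.2.
ANDROID_UA = "Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91)"


def build_request(url, user_agent=ANDROID_UA):
    """GET request that claims to come from an Android browser."""
    req = urllib.request.Request(url)
    req.add_header("User-Agent", user_agent)
    # Keep the language consistent with the UA; some landing pages check it too.
    req.add_header("Accept-Language", "en-us,en;q=0.5")
    return req


def classify_payload(data):
    """Sniff what the site actually returned: 'apk', 'jar', 'zip', 'html' or 'unknown'.

    APK and JAR files are both ZIP archives; what distinguishes an APK is the
    presence of a compiled AndroidManifest.xml and classes.dex.
    """
    if data[:4] != b"PK\x03\x04":
        return "html" if data.lstrip().startswith(b"<") else "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return "unknown"
    if "AndroidManifest.xml" in names and "classes.dex" in names:
        return "apk"
    if "META-INF/MANIFEST.MF" in names:
        return "jar"
    return "zip"


def fingerprint(data):
    """Hashes to compare against a VirusTotal report or a published MD5 list."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def download(url, dest, user_agent=ANDROID_UA, timeout=30):
    """Fetch url with the spoofed UA, follow redirects, save the body to dest.

    Returns (final_url, kind, fingerprint) so you can see where the redirect
    chain ended and what came back, instead of trusting the file extension.
    """
    with urllib.request.urlopen(build_request(url, user_agent), timeout=timeout) as resp:
        data = resp.read()
        final_url = resp.geturl()
    with open(dest, "wb") as fh:
        fh.write(data)
    return final_url, classify_payload(data), fingerprint(data)


def make_archive(entries):
    """Build an in-memory ZIP from {name: bytes}; only used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, blob in entries.items():
            z.writestr(name, blob)
    return buf.getvalue()


# Constructed stand-ins (not real malware) for an APK and a JAR download.
CONSTRUCTED_APK = make_archive({"AndroidManifest.xml": b"\x03\x00\x08\x00",
                                "classes.dex": b"dex\n035\x00"})
CONSTRUCTED_JAR = make_archive({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})


if __name__ == "__main__":
    # Usage: python fetch_as_android.py http://example.invalid/getfile.php sample.bin
    final_url, kind, fp = download(sys.argv[1], sys.argv[2])
    print(f"landed at {final_url}\nkind: {kind}\nmd5: {fp['md5']}\nsha256: {fp['sha256']}")
```

Save the body under a neutral name like sample.bin rather than .apk, so nothing on the analysis box tries to open it, and compare the MD5 against the VirusTotal report before doing anything else with it.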

Stay safe out there
 -R`/4N

Wednesday, November 21, 2012

How bad can live wallpaper be?


So, you're surfing the net with your phone and find a site with some awesome live wallpapers on it. It looks pretty decent and even has a silly name, gama-rama.net, so you click one of the wallpapers. I clicked on a Matrix one for this example. Then you blindly click through the permissions without looking, because it's just the same standard garbage that all the other apps have. Well, guess what? Your phone is now infected, and you will see it on your next phone bill.

While this is an extreme scenario that you may think would never happen, it actually does, all the time. Plenty of people keep downloading and installing stuff like this. Just take a look at this article from the BBC about a French hacker who amassed 500,000 euros in a little under a year by defrauding 17 thousand people with Android software exactly like this.

So how do we know this is a Trojan before we download it? First, it is recommended to only install apps from the Google Play store. However, Google has limits on what it publishes, and the "live wallpapers" from an alternate market are very alluring. So the next thing to do is to get a good anti-virus on your phone, like this one from Symantec, or check out this post for other options. That way you can download what you want and still have some protection.

If you don't want AV software, or think it is not required on your device, then be very wary of the permissions you grant to software installed on your phone. I sent this file to the public online mobile-sandbox for analysis. As you can see below, it asks for permission to send SMS. A wallpaper has no reason to send text messages, so this is a big warning sign that it may be bad.
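The same permission check can be done on the PC before the file ever reaches a phone or a sandbox. This is an added example, not code from the original post or from mobile-sandbox: it opens the APK as a ZIP, pulls out the compiled AndroidManifest.xml and searches its string pool for the permissions that matter for premium-SMS Trojans. The permission list is my choice for this example, and the two archives at the bottom are constructed stand-ins, not the real wallpaper sample.

```python
import io
import zipfile

# Permissions a live wallpaper has no business asking for. SEND_SMS is the one
# the sandbox report flagged; the rest are its usual companions in premium-SMS
# Trojans (list chosen for this example).
SUSPICIOUS_PERMISSIONS = (
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.INSTALL_PACKAGES",
)


def permissions_in_manifest(manifest):
    """Find suspicious permission strings in a compiled AndroidManifest.xml.

    The packaged manifest is binary XML, not text. Its string pool holds every
    string from the source manifest, encoded as UTF-16LE (older aapt) or UTF-8
    (newer aapt), so a substring search over both encodings finds the permission
    names without a full AXML parser. This is triage: it proves the string is in
    the pool, not which element referenced it.
    """
    return [p for p in SUSPICIOUS_PERMISSIONS
            if p.encode("utf-16-le") in manifest or p.encode("utf-8") in manifest]


def triage_apk(apk_bytes):
    """Static first look at an APK before it goes anywhere near a phone."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    perms = permissions_in_manifest(manifest)
    return {
        "has_code": "classes.dex" in names,
        "suspicious_permissions": perms,
        "verdict": "suspicious" if perms else "no red flags in permissions",
    }


def make_archive(entries):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, blob in entries.items():
            z.writestr(name, blob)
    return buf.getvalue()


def _fake_manifest(permissions):
    # Not a real AXML file: the 0x00080003 chunk magic followed by a string
    # pool fragment encoded the way aapt encodes it (UTF-16LE, NUL-terminated),
    # which is all the substring search above needs.
    pool = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in permissions)
    return b"\x03\x00\x08\x00" + pool


# Constructed samples: one shaped like the wallpaper Trojan, one shaped like a
# harmless wallpaper that only wants network access.
WALLPAPER_LIKE_APK = make_archive({
    "AndroidManifest.xml": _fake_manifest(["android.permission.INTERNET",
                                           "android.permission.SEND_SMS"]),
    "classes.dex": b"dex\n035\x00",
    "res/raw/matrix.png": b"\x89PNG",
})
BENIGN_LIKE_APK = make_archive({
    "AndroidManifest.xml": _fake_manifest(["android.permission.INTERNET"]),
    "classes.dex": b"dex\n035\x00",
})


if __name__ == "__main__":
    import sys
    # Usage: python triage_apk.py sample.bin   (no argument: run on the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WALLPAPER_LIKE_APK
    print(triage_apk(data))
```

A hit here is a reason to send the file to a sandbox or VirusTotal, not a verdict on its own; a clean result only means the strings are absent from the manifest, and a permission can still be requested at runtime through other means.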

So check out the VirusTotal report and you can see this is a variant of the Trojan Android.Boxer that I have posted about before here. You can find more research on what Boxer does here or here, and although there are many different variants, the one thing that doesn't change is that it will add a few bucks to your phone bill through premium-rate SMS and steal some of your device's info.

You can download this directly from:
hxxp://gama-rama.net/walpapers/The_Matrix___Live_Wallpaper_1.4.0[dot]apk
Warning: this is a direct address with no password protection, and it reaches the file through a series of redirects.

Stay safe out there
-R`/4N


Monday, November 19, 2012

Free GTA 3 is just adware


In the Google Play Store, a very misleading app turns out to be nothing but aggressive advertising. Let's first check out the description straight from the store:

EDIT: It looks like this was removed from the Google Play Store after complaints. It can still be side-loaded from alternate markets like 1mobile that don't police their listings.

Description
The ultimate Grand Theft Auto fan app! If you love GTA 3 like we do, then this app is for you. We love this game and so do millions of others around the world, and we created an app for all of you fans out there like us who are addicted to the game. Please note this is not the actual Grand Theft Auto game.
- Grand Theft Auto Walkthrough
- Grand Theft Auto User Tips and Reviews
- Grand Theft Auto Images
- Grand Theft Auto Videos
and more!
It's apparent from the description that this is not the actual game but just a free walkthrough: "Please note that this is not the actual Grand Theft Auto game". The misleading part is that this is not even a proper walkthrough. After running the app, all you get is a loaded web page from appsmenow.com: a big advertisement to purchase a valid copy of GTA 3, with a walkthrough tab that holds a pretty pathetic excuse for a walkthrough.
So it's just a little advertising from an affiliate trying to make a sale through a web-based advertisement; everything is fine, right? Wrong: within minutes of installing, you're getting those dreaded ads pushed to your notification bar from our friends over at Airpush, not to mention all the data about you that they collect from your phone. Check here and here for more information about Airpush and related samples.
If you look at the VirusTotal results for the sample I collected, you can clearly see that this is just a junk app. Remember to stay safe when downloading apps from the Google Play Store by first checking the permissions and second taking a quick look at what others have said about the app, like the comments below for this one. It also doesn't hurt to install a free virus scanner; check here for some good free ones.
"Please don't download this game when I opened all was blank and suddenly a app came and told pay 2.99$; for this app"
"Costs money"
"It just an advertisement for u to buy the games false advertising bad:("
------------------------------------------------------------------------------------------------------------

Wednesday, November 14, 2012

Survey Scams Still Going Strong

RESEARCH:




MD5:

  • com.wFreetocall_1327123131.apk
    • 5033397DE36988C978E26E59628F0546
  • com.wWeightlossWithoutGym_1328252510.apk
    • 88AE296802BECBA4002CA2878CE371C5
  • com.wAngryBirdsRio_1332280933.apk
    • 5B9E82F7B7A73F815CCC301BD2AB77A4
  • com.wFreeTamilTv_1329002722.apk
    • 53226978EBD46A65CCC239FCE2BE3888
  • com.wFreeTeluguTv_1329348239.apk
    • 89A0A4A20B3E3F3F7ECBFAD7938DB8D7

VIRUS TOTAL:
  • com.wFreetocall_1327123131.apk
  • com.wWeightlossWithoutGym_1328252510.apk
  • com.wAngryBirdsRio_1332280933.apk
  • com.wFreeTamilTv_1329002722.apk
  • com.wFreeTeluguTv_1329348239.apk


CAPTURED SAMPLES:


MY OPINION:
  • These can still be downloaded all over the alternate markets, and some even still lurk on the Google market. Just remember: if it sounds too good to be true, it probably is.

MORE RESEARCH:
  • Alternate Download site:






Tuesday, November 13, 2012

Fake Need for Speed is Two Part SMS Scam

RESEARCH:


  • Personal Research:
    • The fake Android version of Need for Speed (shipped under the package name com.rockastar.nfss) is the first part of a Trojan designed to send premium-rate SMS messages.
    • After install, it asks the user to download a required Flash Player update to finish installing the game.
    • This fake Flash Player update is the part of the malware that does the work. It sends a premium-rate SMS, which is charged to the user's phone bill, and then installs a valid copy of Adobe Flash Player.
    • No valid version of NFS is ever installed.
    • Note that this scam is in Russian and must be side-loaded onto the phone.


MD5:


  • com.rockastar.nfss_1.apk : 
    • 52FADDBF80D97B93209BC0929B666049
  • Flash_Player_install.apk: 
    • 8C806A367D97532CA438F40C26AF14D2


VIRUS TOTAL:




CAPTURED SAMPLES:


  • WARNING: These are direct, non-password-protected links to the APKs and are harmful if loaded on a phone. DOWNLOAD WITH CAUTION.
    • com.rockastar.nfss_1.apk: 
      • hxxps://www.dropbox[dot]com/s/ydw3rpgfysycmft/com.rockastar.nfss_1.apk
    • Flash_Player_install.apk:
      • hxxp://mobi-go[dot]in/load.php?d=gp&f=1223&s=6343&PHPSESSID=419b55b5dgcptskmm9si752l24


MY OPINION:
  • This is very similar to other Android scams in the past that use a second-stage payload. The lack of permissions on the first part is meant to trick the user into thinking it is safe; a user who has already gone through the first install is more likely to continue even though more alarming permissions are then requested. Some researchers labeled this a hoax because they think the second part is not related: they believe someone found the fake Flash Player download and created the first part that calls it just to be malicious.

MORE RESEARCH: