Although there are families of malware that will hardly be a threat to a global level, it s’ sometimes be interesting to read the new techniques that have been used by the authors of some of them. One of the most recent cases is presented by Symantec has discovered a family of malware attacking Android users in China and they called Android.Spywaller.
The initial behavior of the malware is similar to many other mobile threats. In an attempt to cover his tracks, he will use an icon he will call “Google Services” although Symantec notes that “the official Google services like Google Play are not available” and therefore “by posing as Google services, software prompts users to download in China “.
During infection, via disable360Network () method, the malware will search if mobile security Qihoo 360, which is very popular in China, is installed on the compromised device. In the case where it is installed, the application will get the unique identifier (UID).
Thereafter, the malware will start execution of the called firewall DroidWall, which is used on Android devices Rootes to filter applications can have access to the internet or not and the type of authorized access (Wi-Fi or mobile data). The malware will use it to create to block Qihoo 360 using its UID. Symantec says that the Chinese market is known to have a high proportion of Rootes devices, which increases the risk of infection by malware in general.
“DroidWall was developed by Rodrigo Rosauro as an open source application which the objective was to help users protect their devices. The application was sold to AVAST in 2011 and its source code is still easily obtained on Google Code and Github. Cyber security, the border between offense and defense can be very thin, “says the security specialist explains that” the example of this malware reveals another piece of history: in the wrong hands, some tools Security can be used to compromise the security of the user. ”
The software will attempt exfiltration of a wide range of sensitive data: in addition to personally identifiable information (PPI) such as call log, GPS readings, Internet navigation data , emails, pictures, SMS messages or contact list, it also collects data on third-party communications applications like BlackBerry Messenger, Oovoo, Coco, QQ, SinaWeibo, Skype, Talkbox, TencentWeibo, Voxer, WeChat, WhatsApp and Zello.
For security specialist, “the long list of data collected by this malware placed among the most comprehensive spyware that we found.” He argues later that “despite the fact that infection numbers are relatively low, this threat remains remarkable because it illustrates another example of use of legitimate tools for malicious purposes by malware authors.”
Source: Symantec
See also:
Ramnit surfaced less than a year after the Europol offensive against its servers control, a first for a banking botnet as IBM
The hidden face of torrent sites: a study examines the statistics on the distribution of malware on these types of platforms
No comments:
Post a Comment